The Strange Case of Child Pornography

And so this morning I read about a case in which a man, whose last name is the improbable Sodomski, was busted for having child pornography on his computer. Normally I have no sympathy for such people and I have even reported an online peddler of such material to the authorities when he attempted to send some my way. Homey don't play dat.

However; this case caught my attention because of the underlying privacy concern that it brought up. If you read about most child porn stings you will find that they usually involve a lengthy investigation in which people are caught using some kind of darknet in order to trade in such material. In some cases it involves snail mail. In other words the users involved have thoroughly shown that they have in fact either created, traded in, and purposefully owned child pornography. This is important. Going back to my statement on reporting an online peddler, In that case I was, in fact in possession of child pornography. I didn't ask for it, but it arrived. Knowing how the internet works, there was no doubt that there was a record of that transfer on someone's log and for a times there was a copy on my hard drive. Since I had not done a low level format or a "secure erase". The file, though "deleted" was still in fact on my drive for as long as it took for the OS to decide to write something else to that space. This time depends on the level of usage of the computer. This is somewhat important as we look at the case.

The man involved here brought his computer to Circuit City in order to have a DVD drive installed in his computer. At some point during this "install" the "tech" person did a search of the Hard drive and found "stuff that looked like adult material". the "tech" decided to click on the file to see what it was and discovered the child porn at issue. A judge ruled that the man's privacy was not infringed because he could not expect that the contents of his HD would not be looked at while the computer was out of his possession. I work with computers for a living so I know the process and this ruling is pretty bad.

Firstly, I'm not clear as to what Circuit City's policy towards their customers private data but I would be extremely disturbed, to the point of not using their "service" if they did not have a policy of "do not touch and do not look at" customer data. Furthermore I would be equally shocked if, unlike any other corporation I know about, Circuit City does not have a "no viewing of adult content" policy in effect as well. Let's assume for a minute that Circuit City does not have such policies on the books. Does this mean that Circuit City Techs are free to peruse user data which would inevitably include personal information of all kinds? Do they understand the inherent security risk this entails? If a customer has their identity stolen after having service at Circuit City, Circuit City could find itself at the receiving end of a lawsuit for knowingly allowing third parties to access user data. It's called willful negligence. That's not good.

But moving on from there. The process of installing and testing a DVD burner does not include a windows search. The only software portion of the install is the driver for the DVD drive (if needed, some drives already have the drivers in the host OS). After installing said software the machine would be rebooted and a test burn of a DVD would be performed. The tech ought to have a file they can test on a USB drive. In other words there is no good reason to do a search of the users system. So the question here is why were the techs performing this search? And why were they interested in the porn on the system? That's like having your car in for new tires and since the shop has a sign that the shop is not responsible for items left in the vehicle, the mechanics go through your glove box, digs in your seats for change or makes a few phone calls on your built in phone. After all, you left the car in their possession so you couldn't actually expect that they would limit their use of your vehicle to only that which is required to perform the service requested.

That is what bothers me about the ruling. Does Circuit City inform their customers that their data will be accessed? Does Circuit City inform their customers that their data will NOT be accessed? If either of these are the case then Circuit City would be in breech of a legal contract and a) ought to be sued. and b) the evidence ought not be admitted. I don't like option "b" but because I prefer that the law fail on the side of the citizen rather than the state I have to offer that option up.