Police blotter: Trojan horse leads to porn convictions

In this week's installment, judge upholds conviction instigated by a hacker who reported incriminating files.

Declan McCullagh Former Senior Writer
"Police blotter" is a weekly News.com report on the intersection of technology and the law.

What: Alabama man tries again to throw out his conviction instigated by a hacker who broke into his computer and found child pornography.

When: U.S. District Judge W. Harold Albritton rules on Aug. 2.

Outcome: Albritton denies a request for a new trial.

What happened, according to court documents:
In early 2000, a computer hacker who used the now-defunct e-mail address unknownuser1069@hotmail.com seeded a Usenet newsgroup called alt.binaries.pictures.erotica.pre-teen with a clever bit of malicious Windows software.

The Trojan horse program, called SubSeven or Sub7, can look innocuous. But once installed, it installs a backdoor in the victim's computer and can allow files to be extracted and a keystroke logger to be installed.

SubSeven did its job. On July 16, 2000, "1069" sent e-mail to the Montgomery, Ala., Police Department saying, "I found a child molester on the Net." The e-mail included an attached photograph of what looked like a girl no older than 6 being sexually abused.

At the urging of Montgomery Police Capt. Kevin Murphy, "1069" eventually turned over more and more information that led back to a computer owned by Bradley Joseph Steiger, who had worked as an emergency room physician in Alabama. The hacker's finds included information from Steiger's AT&T WorldNet account, records from his checking account, and a list of directories on his computer's hard drive where sexually explicit photographs were stored.

"1069" refused to be identified, saying he was living in Istanbul, Turkey, and did not want to be involved in any court proceedings. During Steiger's trial, the prosecutor said "we have not seen anything to indicate that this person is other than ... a citizen of Turkey." That turned out not to be entirely true: The FBI actually had made contact with "1069" through a U.S. phone number.

A year later, "1069" fingered another man, William Adderson Jarrett, who lived in the Richmond, Va., area. He again contacted Murphy, who started an investigation that led to Jarrett's arrest.

That's when an odd thing happened. Instead of informing "1069" that he was committing federal felonies and should cease immediately, Murphy and the FBI encouraged the hacker to continue. The FBI wrote "1069" in January 2002: "The FACT still stands that you are not a citizen of the United States and are not bound by our laws. Our federal attorneys have expressed NO desire to charge you with any CRIMINAL offense. You have not hacked into any computer at the request of the FBI or other law (enforcement) agency. You have not acted as an agent for the FBI or other law enforcement agency. Therefore, the information you have collected can be used in our criminal trials."

Steiger was convicted of sexual exploitation of children, possession of a computer containing child pornography, and receipt of child pornography. He was sentenced to more than 17 years in prison. In January 2003, the 11th Circuit Court of Appeals upheld his conviction, saying that Congress had left a loophole open in federal privacy law that lets hackers like "1069" get away with turning information over to the government and having it used in court. (The 11th Circuit called it a "legislative hiatus in the current laws purporting to protect privacy in electronic communications.")

Jarrett, the Richmond-area man, also went to Club Fed. In May 2004, a federal judge accepted his guilty plea and sentenced him to more than 19 years in prison. That was after the 4th Circuit Court of Appeals rejected his argument that "1069" was effectively acting illegally with the government's blessing. (The judges said that "1069" apparently had that kind of "relationship" with the government "going forward," but not at the time the illegal intrusions took place.)

Since his conviction, Steiger has been trying to overturn it, first with the help of a federal public defender and then by filing legal briefs that he wrote himself. His latest one was filed last month, alleging that FBI agents who testified may have withheld evidence relating to the identity of "1069" and that a new trial is necessary.

Albritton, the U.S. District judge, rejected the request on Aug. 2. Albritton ruled: "There is simply no basis from which to conclude that Unknown User 1069 was acting as an informant of the FBI so as to allow for discovery as to whether the FBI concealed information."

Excerpt from the court's opinion in the Jarrett case:
At some point after sending the e-mail message, Agent Duffy, working with Agent Faulkner, composed a list of questions to ask Unknownuser in the event that Agent Duffy was able to talk with Unknownuser.

A few days after sending the e-mail, Duffy received a phone call in response to the message. The caller had a Turkish accent and identified himself as "Unknownuser." Agent Duffy spoke with Unknownuser and asked him the list of questions he had prepared with Agent Faulkner. Unknownuser responded that he would get back to Agent Duffy with the answers. They also discussed the method by which Unknownuser searched Steiger's computer, with Unknownuser explaining that he used a Subseven Trojan Horse virus and describing his activity as "hacking" into the computer.

Also during the telephone conversation, Agent Duffy thanked Unknownuser for what he had done, stated that he appreciated what Unknownuser had done, and told Unknownuser that he had possibly saved two young girls. Agent Duffy asked Unknownuser to reach out to him because Agent Duffy (wanted) to speak with and meet with Unknownuser. Agent Duffy claims that he did not provide directions to Unknownuser or encourage him to do additional searches. The written evidence in Agent Duffy's e-mails as described herein indicates otherwise, however, and the Court does not give great weight to this assertion by Agent Duffy.

On November 28, 2000, Unknownuser called Agent Duffy's office a second time, but Agent Duffy missed the call.

Agent Duffy sent another email on Nov. 29, 2000. In this message, titled "Good news," Agent Duffy confirms that the United States authorities do not desire to prosecute Unknownuser and that they would like to interview Unknownuser. Agent Duffy suggests a date to meet at the United States Consulate and asks Unknownuser to "please answer this request." Agent Duffy further states, again, that "(you) will not be arrested--that is a promise. You have helped to save at least two lives in the U.S. and (you) should be proud of that fact."