INTERNET LAW - Browser Hijacking as a Defense in Legal Proceedings

Ira Piltz, Greenpoint Technologies 

A number of criminal cases have been tried in the past, where those accused of viewing illicit Websites, such as those containing child pornography, defended themselves by alleging that it was a browser hijacker who was responsible for illegal downloads on their computers. In most cases, the police and the courts have been unsympathetic to such defenses, due to the fact that the evidence of browser hijacking is difficult to establish and because this defense is the most “convenient” type of defense in such cases.
In September 2002, police arrested a former Soviet Union refugee on the grounds that he accessed child pornography from his employer’s computer. Since then, “Jack” – a fictitious name used by this person to hide his identity – has been convicted by the U.S. courts, fired from his job, and left destitute due to a combination of unemployment and mounting legal fees of trying to obtain an acquittal. In his defense, Jack alleged that his browser must have been maliciously hijacked, as he is completely innocent of the allegations launched against him and has not accessed the illicit Websites that the prosecution accused him of accessing on his computer.

The defense of browser hijacking also was used in another widely reported case in which a 40 year-old substitute teacher, Julie Amaro, was fired by her school and convicted of criminal charges when her computer displayed pornographic pop-ups during class time, exposing a number of 12 year-old children to explicit images. In that case, Amaro alleged that the computer must have contained malicious software before she began teaching at the school. Although expert evidence seemed to support her claim, the jury nevertheless voted to convict.

The above cases bring to light the potential danger of browser hijacking and raise issues regarding the ability of the courts and law enforcement authorities to prosecute such cases fairly. This is because in order to determine adequately whether browser hijacking is responsible for infecting the suspect’s computer and for placing illicit images in such a computer, courts and investigators must examine technical evidence in fields where they often do not possess adequate expertise or familiarity.

Browser hijacking is a real phenomenon, which can become manifest through unwanted pop-ups, new ‘favorites’ that a user cannot delete, a new home page, and other forms of loss of control over one’s computer. At the same time, browser hijacking is not always responsible for the presence of unwanted spyware and other malware. A common culprit for the transmission of these viruses is the downloading of otherwise innocent material such as games or news from disreputable Websites that infect users’ computers with spyware and viruses, and that, in certain cases, direct users to illegal or sexually explicit Websites.
 
What are the symptoms of a “browser hijacking”?
According to Neil Barrett, the technical director of security consultancy group, IRM, and a veteran expert witness in numerous computer crime cases, “[i]t is straightforward to determine if the possession of illegal content is caused by browser hijacking… Unless there is an exploit, material would only appear within the browser context. If illicit material was found on a PC [sic] a prosecution could be initiated but analysis is straightforward. It would leap up at a computer forensics expert that a pop-up was responsible for the content found.”
 
What role does technical evidence play in browser hijacking cases?
Despite the apparent ease of determining whether a browser has been hijacked, the presentation of evidence surrounding browser hijacking in court has not been straightforward or consistent. In the case of Julie Amaro, police did not check for the presence of malicious software on the computer in question because the defense failed to raise this possibility at the pretrial phase. The one expert who testified for the defense at trial and who conducted a thorough forensic analysis of the computer’s hardware, did find a great amount of malicious software on the subject computer that existed prior to the substitute teacher’s arrival at the school, but, apparently, his evidence did not persuade the jury.

In Jack’s case, the security experts that conducted a forensic analysis of his computer said that it was “possible that a browser hijacker could have been the reason porn images were found on Jack’s computer”. However, the evidence was not straightforward and there were a number of inconsistencies in the evidence presented by the defense.

As may be seen from the above examples, although some experts maintain that evidence of browser hijacking can be established with relative ease; in reality, technical evidence presented before the courts is often conflicting and does not always lead to a clear-cut conclusion as to the guilt or innocence of the accused, especially in light of the lack of the familiarity of the courts and law enforcement authorities with related technologies.
 
Why are courts, juries, and law enforcement authorities reluctant to accept defenses that allege that a virus or a hijacker was responsible for accessing illegal sites?
The reluctance of suspects and accused persons to admit to visiting illegal sites, combined with the relative ease of adducing the defense of “the computer did it” make law enforcement authorities, courts, and juries suspicious of computer hijacking defenses and create potential hurdles for real victims of browser hijacking to present their defenses before a fair and impartial forum.