
Man charged after media storage site Dropbox finds child porn in his account - woranl
http://www.publicopiniononline.com/story/news/crime/2017/09/02/man-charged-after-media-storage-site-dropbox-finds-child-porn-his-account-police-say/626862001/?cookies=&from=global
======
kyledrake
This isn't surprising. Most service providers (including Facebook and Google)
actively scan for known PhotoDNA hashes of CP provided by NCMEC and other
groups, and will report if they detect and then verify any of them. I recall
someone getting charged after using Gmail in a similar way. This isn't a legal
mandate, they do this voluntarily.

This isn't "Dropbox employees digging through everybody's files hunting for
CP". It's all automated, likely triggered by uploads of certain types of files
(images/videos). They almost certainly have a human verify the validity before
reporting (which is probably a 100% manual process). They're required by law
to report it once they have reasonable suspicion.

An interesting abuse edge case here I've pondered for a while: someone hacks
into your account and intentionally posts bad stuff to get you in trouble. It
could be pretty difficult to prove that someone did this if the company's logs
were inadequate. A similar flavor of this: someone sent Brian Krebs heroin in
the mail, and then "tipped off" the police. Fortunately, it didn't work
[https://krebsonsecurity.com/2015/10/hacker-who-sent-me-
heroi...](https://krebsonsecurity.com/2015/10/hacker-who-sent-me-heroin-faces-
charges-in-u-s/)

~~~
pier25
> This isn't "Dropbox employees digging through everybody's files hunting for
> CP". It's all automated.

If a script can access users' data what's the difference?

~~~
danso
How would Dropbox function if their scripts couldn't access user data?

~~~
dorfsmay
For the storage functionality, they could encrypt/decrypt on the frontend, and
store encrypted data only.

~~~
FooHentai
Can't do de-duplication if you're encrypting. No way Dropbox's storage back-
end remains viable without de-dupe.

~~~
mercer
Is that true though? I use Tarsnap and as I understand it, it does de-
duplication server-side AND client-side encryption.

That said, the point probably still stands that encryption is probably not
feasibly with Dropbox feature set (or while maintaining a certain
performance).

~~~
cperciva
Tarsnap deduplicates your data _with respect to your data_. It can't compare
your data with everybody else's data, because your data is encrypted with keys
which only you hold.

Dropbox deduplicates _everybody 's data_, so that they'll be able to take
advantage when you and someone else both store the same file. (Of course, this
trivially means they can recognize when someone stores a file which the FBI
has previously provided to them.)

~~~
mercer
Ah, of course! Thanks for clearing that up (I was hoping you would chime in).

Oh, and thanks for a product that does what I need it to do. I'd maybe have
liked a bit more documentation (for example, how to speed up retrieving a
backup), but other than that I'm very happy with it!

------
quuquuquu
Yikes. Ok, let's abstract the topic to debate it.

Dropbox scans user accounts. It alerts the police that objectionable material
appears on an account.

The police attempt to associate the account with a person. Social media
profiles and IP adresses turn up a name and general geographic location.

Police find a person's name associated with said profiles, email, and IP.

They show up at his address, and ask him, hey, are these accounts yours?

"Maybe, why?"

The police then execute a warrant, confiscate his phone.

The phone contains an app, which is logged into an account with objectionable
material on it.

You are now charged with possession of child porn.

Child porn is a terrible and heinous crime. Put that aside for a moment.

What happens if someone illegally accessed your account and placed those
images there?

~~~
ivebeenframed
That objection applies to almost any possible evidence gathering technique.
Framing someone has always been a possibility. It's the subject of many
stories, and more than a few real life cases. But we don't know or (IMO) have
reason to believe it's become more common in the digital age. You need motive
and ability to do it still, and those often don't come together.

~~~
quuquuquu
The duty of law is to prove guilt "beyond a reasonable doubt".

Is it unreasonable for my account to have been hacked and used to hold illegal
material?

There are accounts of mine that I don't even remember existing.

Multiple use multiple devices of mine from time to time.

Should my dad be hauled to prison when I use his computer, and I catch a virus
that stores child porn in his dropbox account from 5 years ago?

~~~
danso
Getting charged with a crime is definitely not nothing, and the age of
automation brings with it new kinds of problems (or at least, ones of
different scale). But as the prior comment points out, the possibility of
getting framed applies to virtually every other kind of evidentiary process.
Such as eye-witness testimony, which is why (ideally), you aren't convicted
based on that evidence alone.

If it's the case that someone illegally accessed your account and stored child
porn on it, there would presumably be evidence to show that illegal access,
such as IP addresses that you don't use that _were_ used to upload that porn.

~~~
quuquuquu
I do mostly agree with you. What if someone roots my machine and uploads from
my house?

What if it was (somehow) accidentally uploaded byy little brother who
torrents?

Technical evidence, is difficult to associate with meatspace users.

I'm not trying to give criminals potential defenses---

I am trying to prevent people from going to jail for malleable evidence.

------
pier25
I find it surprising that Dropbox has access to its users files. I thought
cloud storage companies kept everything encrypted, or at least access.

My company uses Dropbox extensively for storing documents with sensitive
information.

~~~
wmil
Dropbox is actually pretty invasive. They save space and bandwidth by
recognizing media files that other people have stored and just copying
internally instead of uploading from your computer.

~~~
pier25
Any source on that?

~~~
wmil
No, this is from memory, I could be wrong.

Specifically I recall a story that pirates were using their api to just upload
the hash and basically use it as a file transfer service. They had to start
requesting random chunks of files to make sure you actually had the file you
were trying to sync.

Edit - I found a link: [http://www.wired.co.uk/article/dropbox-dmca-
position](http://www.wired.co.uk/article/dropbox-dmca-position)

------
spork12
Easy solution to the privacy issue here - Use encfs
([https://github.com/vgough/encfs](https://github.com/vgough/encfs))

That's how I store all of my illegal content on dropbox.

~~~
magamind
I much prefer using the $5 wrench anyways.

------
hiisukun
Most companies that host content have a "report" function. You might have once
reported a post on facebook, a file link on dropbox, or an image on imgur (to
take a few examples) for being bad in some way.

If the reason for your report is that the content involves child abuse, then
the company is generally accountable for checking it out. This means different
things depending on the type of content, the country, and lots of other moving
parts, but it is the "safety of the children" argument at work. In practice,
often an American content host will let NCMEC know, since they compile and
forward on reports to law enforcement. Sometimes content will simply be
removed. Again, it depends on the details.

This is indeed one of those cases where your privacy, and the rights you have
over your property, are impinged upon as a regular person. The courts where I
live (Australia) take this quite seriously and are aware that a balance must
be struck. I get nervous and uncomfortable when the "think of the children"
argument is misused during discussions involving encryption, intellectual
property violations, and general freedoms - but I'm aware that on some
occasions it is important.

A lot of work goes into identifying and where possible rescuing the children
involved in this stuff, and preventing more. That is always the focus, in my
experience.

A final note - the child protection industry is keen to remove the word
pornography from the lexicon, and to refer to this type of material as "child
abuse" or "child exploitation" material. I think it would be good to reflect
that in the headline, because while most everyone knows what child porn means,
calling it such mentally associates it with the pornography aspect (the end
user) rather than the victim (the child).

