Tuesday, November 28, 2006

The Javascript Defense

The Ninth Circuit handed down an interesting decision yesterday regarding what it means to "possess" digital content, the gist of which is that it doesn't count as possession if you don't know that you have the content. Orin Kerr goes on to comment on the case, saying:
If you don't know an image is there, you can't possess it. In most cases this isn't an issue: a suspect who seeks out an image and knowingly retrieves it will be guilty of knowing receipt, and there will usually be some evidence of dominion and control other than presence in the browser cache.
Assuming that Orin is correct, it would seem to me that this ruling has made it substantially more difficult to prosecute people caught with unauthorized digital content. In particular, I'd like to focus on the following phrases in Orin's post: "seeks out an image and knowingly retrieves it" and "evidence of dominion and control".

"seeks out an image and knowingly retrieves it": All of the most popular web browsers support JavaScript, and many of them support additional host-based mechanisms for the generation of dynamic content, such as Flash or ActiveX. Someone with insecure browsing habits[1] can easily have their browser misdirected; you click on the "online Viagra" ad (a legitimate, though sketchy, activity) and before you know it you've got a gazillion pop-ups for call services and online casinos. How, in such an environment, do you prove that a particular piece (or pieces, for that matter) of digital content was deliberately sought out and downloaded? The information available to computer forensic examiners in such cases (logs on the system serving content and local storage on the receiving system) isn't enough to determine whether a particular HTTP request was initiated by the user or by malicious software.

"evidence of dominion and control": If the mere presence of content in the browser cache doesn't count, what does? The next level of certainty, it would seem, would be digital content located outside of the browser cache; such content has traditionally been saved to local storage only at the request of the user. However, there are about a gazillion and one browser exploits that operate by causing the browser to download and execute content without the user's knowledge or permission. It would be a fairly trivial matter to write a program which downloaded unauthorized content to the user's hard drive and placed that content outside of the browser cache[2].
One can argue, in fact, that this demonstrates even less "dominion and control" than the cache example: a browser storing content in its cache is expected behavior (with corresponding configuration options in many browsers), whereas exploiting a browser to store content outside of the cache is unexpected behavior. It follows that a user has more "dominion and control" over expected behavior than unexpected behavior.

This leads, in fact, to an interesting scenario: someone could deliberately infect a computer system with malware (the more the better) and then use that system to view unauthorized content. In such a case the presence of any amount of questionable material could convincingly be attributed to the malware. The trick, I think, would be for the perpetrator to be computer savvy enough to implement this tactic, but not so computer savvy that the prosecution can plausibly claim that they were deliberately using an infected system.

The dilemma here basically boils down to proving that a user (as opposed to malware or malicious third parties) deliberately received and stored content. If the mere presence of contraband isn't sufficient, then the user would have to do something truly egregious, like print out pictures or set them as wallpaper, or some similar activity that demonstrates conclusively that the defendant was aware that the content was on their system.
[1] By definition, anyone who leaves child porn lying around in their browser cache.

[2] This isn't that far-fetched a scenario; black hats often use hacked machines as convenient file storage.
