A South Carolina law is forcing IT workers to join the fight against child pornography, but some wonder if that's fair.
What would you do if you found what appeared to be child pornography on someone's computer at work? That delicate ethical question has taken on legal ramifications. A new law in South Carolina holds IT professionals accountable for reporting suspected child porn if they discover it stored on computers they handle.
The law, signed July 20 by Gov. Jim Hodges, mandates that "computer technicians who view such images when working on a computer" give law-enforcement officials the names and addresses of the PC user or owner. "It has to be somebody's responsibility to report it to the authorities," explains South Carolina Sen. Thomas Alexander, a co-sponsor of the legislation, which has roots in an existing state law that requires film processors to report child pornography.
The requirement is spelled out, somewhat incongruously, in an amendment to a law that mandates education standards for day-care workers. Among other things, the amendment addresses the use of computers in criminal activity, making it a felony to send child pornography via E-mail, for example. The law doesn't require that IT workers actively search for illegal material, but it does require them to report it if they find it.
But are PC technicians, systems administrators, help-desk specialists, and other IT staffers prepared to take on the highly sensitive social responsibility that's been assigned to them? Do they have the background required to make that call? What happens if they comply with the law but mistakenly accuse an innocent customer or co-worker? "There's a problem whenever you ask civilians to enforce the law," says Parry Aftab, a lawyer specializing in privacy and security and executive director of Cyberangels, an advocacy group that fights child pornography on the Internet. "You don't want this to be a witch-hunt."
It would make more sense to assign responsibility to legal professionals in a company, says David Shomette, IT director with the Public Broadcasting Service, a nonprofit TV network in Alexandria, Va. "I'm not sure that a technician is at the professional level to determine if what they're seeing is in violation of the law," he says.
The law doesn't establish specific penalties for techies who neglect to report child pornography, but that's merely an oversight, says Sharon Gunter, staff attorney for the South Carolina Senate. When the state Legislature resumes next year, she expects that the law will be changed to include the same penalties faced by film developers who fail to comply: up to six months in jail and a $500 fine.
There are other legal precedents that require people in a variety of jobs, including teachers and social workers, to report illegal or suspicious behavior. And Internet service providers and Web portals are required to report the trafficking of child porn on public message boards they manage. Jim Dempsey, deputy director at the Center for Democracy and Technology in Washington, says he isn't aware of any other laws that put a burden of responsibility specifically on IT workers. Dempsey worries that some IT staffers, nervous about the consequences of inaction, might overreact. "I think the law would force people to err on the side of reporting," he says.
However, a technology VP with a large South Carolina bank, who requested anonymity, welcomes the law. It's consistent, he says, with the bank's aggressive internal policies on computer usage. The bank monitors employee E-mail and Web traffic and uses a firewall to prevent access to pornographic sites. The executive says the new law will give his company more ammunition against misuse of corporate communication tools and computers.
The South Carolina law is aimed at electronically stored images of minors "engaging in sexual conduct, sexual performance, or a sexually explicit posture." But determining what constitutes child pornography isn't always easy, experts say. A New Jersey woman was arrested in February after an employee at a film-processing store alerted police to suspicious photos. She was released after authorities determined the images were harmless pictures of her grandchildren after a bath.
South Carolina's child-pornography reporting requirement took many people by surprise, including one of the amendment's co-sponsors, South Carolina Sen. Phil Leventis, who says he didn't notice it in the 17-page amendment. The subject of holding IT workers responsible never came up during legislative debate of the amendment, which was introduced a couple of days before the session ended. Leventis says he learned about the reporting requirement for the first time last week. "I don't like it," he says. "I'm afraid it may generate more problems than it solves." He questions whether individuals with "untrained, inexperienced eyes" should be forced to make such sensitive and potentially controversial decisions.
It's unknown whether other states will follow South Carolina's lead, but some legal experts say it's a distinct possibility. Mark Schreiber, an attorney with Boston law firm Palmer & Dodge LLP, says this legislation is part of a larger trend in which state and federal legislators are placing law-enforcement duties on companies and individuals.
John Winter, a technology analyst with Quantumlynx, an application service provider in Saskatchewan, Canada, is concerned Canadian lawmakers could adopt similar laws. The South Carolina law "upsets me greatly," he says. Among his concerns: Pressure to comply will result in innocent people being accused and the potential for authorities to use computer records to identify PC technicians who don't turn in offenders.
Outside of South Carolina, the issue of child pornography in the workplace is one that business and technology managers can't ignore. Aftab estimates she learns of 20 cases a month of child pornography in the workplace. "The number is clearly growing," she says. "I'd bet 80% of the companies in this country have at least one employee with child pornography on their computer. With high-speed access and big hard drives at work, that's where the stuff is going." If companies find out employees are trading child pornography and don't do anything about it, they can be held liable for not taking steps to control illegal behavior, Aftab says.
In his job as a technical services supervisor with a Santa Clara, Calif., Comp USA retail store, Perry Castagnetto says he's come across some "very unusual and bizarre stuff" when working on customers' PCs, but not child pornography. If Castagnetto viewed what he thought was an illegal photo, he'd go to his manager and call the police if the manager decided that was appropriate. "It's a tough call, and I guess it depends on the subject matter," he says. "There are some people who construe innocent family photos as pornography."
As a matter of policy, some IT departments routinely check files and programs on employee computers. Carl Handlin, director of MIS for Ozark Salad Co., a Baxter Springs, Kan., maker of packaged salads and spreads, maintains it's in a company's best interest to make sure its equipment is being used only for business purposes. While Handlin hasn't been faced with an instance of child pornography on any of the company's computers, he says his first move would be to report such an incident to the company's human-resources department.
Ozark Salad has about 100 employees, so Handlin is able to do manual checks of the company's PCs to en-sure there's no inappropriate content. "We've been doing random drug test-ing in our plant for the past several years, and we do random testing of our IT assets," he says. "Monitoring needs to take place even without a law."
Quick & Reilly Inc., a New York investment company, monitors employee E-mail and Web usage. The pecking order is such that managers monitor employees, while the HR department monitors managers. If inappropriate use is identified, verbal warnings are the first step, followed by written warnings, then possibly termination. The company may also curtail an employee's use of E-mail or the Web if the rules are broken. But Edward Gary, VP of CRM solutions with Quick & Reilly, says IT professionals shouldn't act alone. "It's not just an IT department's responsibility," he says. "There have to be policies set up by HR."
In fact, the South Carolina law will likely force some IT professionals to bring their own personal ethics to bear in the workplace to a degree they've never done before. PBS's Shomette says he would feel "totally comfortable" reporting child pornography, both internally and to legal authorities. "My obligations to society outweigh any obligation I have to my company," he says.
At the same time, Shomette would prefer that senior company officials, not IT staff, make the tough decisions about singling out offenders. "If Virginia had a law in place such as the one in South Carolina, we would make sure our technicians understood their obligations," he says. "South Carolina should provide some instruction to the technicians as to what constitutes child pornography and how to report it."
For the law to work, some kind of educational outreach to IT workers seems essential. But even antipornography activists such as Aftab question whether the new law is a good idea. Among the risks: evidence will be mishandled, jeopardizing child-pornography prosecution rather than helping it. Says Aftab, "In the same way as drugs, you can't turn enforcement over to vigilantes and neighborhood watches. That's what law-enforcement agencies are for."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.