DANCING NEBULA

When the gods dance...

Monday, April 23, 2012

How the FBI uses the Web as a child porn honeypot

"The hidden side of your soul": How the FBI uses the Web as a child porn honeypot

By Nate Anderson


The e-mail arrived in James Charles Cafferty's inbox on July 14, 2011. Unlike most unsolicited e-mail on the Internet, the message did not pitch mortgages, get rich quick scams, or penis pills. Instead, it provided a link to an under-the-radar child pornography website and the password needed to access it. Cafferty, a diplomatic security officer working for the US government at its London embassy, waited for three days, then clicked on the link. This is what he saw:

"Welcome to the hidden side of yur soul, where you view the yung and innocent. We have been around since 2002, offering the best of private and series Child Pornography (CP), (hardcore/soft core) all for FREE! All you have to do, enter in the password, and you'll be viewing free CP for days. We move around when we have to... congratulations for finding us. Yur old password won't work, so get the new one and you are IN!!!"

The e-mail picked its target well; Cafferty did have a hidden side of his soul. An online dating profile he created at the site Plenty of Fish said that he was looking for "a relationship with someone who can enjoy the 'simple' things of life such as walking in the park, enjoying a nice sunset, engaging in good conversation or go people watching at a café." But he also craved child pornography. Cafferty owned a Drobo backup device that he stuffed with twin Western Digital hard drives in a RAID configuration to guard against data loss. On the drives, he kept his tens of thousands of child porn files.

Sometimes he did more than look at them, too. Cafferty would also fire up image editing software on his computer and splice his image into some scenes.

Below the website's promotional copy sat a "law enforcement note," the kind that used to feature on warez sites as a talisman that might keep the cops at bay. "If you happen to be in Law enforcement, FBI or Interpol and are viewing this website, it's called free speech," it said. "There is nothing illegal about this website. Our servers are located in a country that has no Child Pornography laws. Even if you are able to shut us down, we pop up again somewhere else..."

Cafferty stared at the screen, then typed in the password found in the e-mail. He was in. Another page popped up listing 35 free videos with names like "Full version of known video. 3 10-12 y.o. girls and man" and an explicit description of the action. Beside each video was a "download" button that provided one-minute previews of each video. Forty-nine seconds after entering his password, Cafferty clicked on video number four, a 71-minute file that claimed to feature a "9-10 y.o. girl and man." A third webpage opened to display the video, which appeared to buffer—but the connection soon slowed and then stopped altogether. Eventually, Cafferty abandoned the site.

But thousands of miles away, deep in the belly of a data center, his online visit had tripped a silent alarm. That click on the "download" button had logged his IP address, the video file he attempted to view, and the number of times he tried to watch site videos. The law enforcement warning on the site's front page had done nothing to keep the FBI away; indeed, the FBI ran the site.

And now they had Cafferty.

Totally a legitimate website

Spear-phishing, FBI style

The e-mail had not arrived in Cafferty's inbox by accident. Back in 2006, Immigration and Customs Enforcement (ICE) had opened a major investigation into a string of child porn websites. As part of that work, ICE learned that the sites used PayPal to receive money and disguised the nature of the purchases by using odd subject identifiers. A website called Sick Child Room 2005, for instance, used as its PayPal subject identifier the phrase "SickCR Package v.5.06 Build 3638"—which makes it sound like a software purchase. Instead, the site served up sections with names like "Door 1," "Door 5," and "Medic's Corner." Behind the doors waited 150 videos and 20,000 child porn images.

Cafferty's mug shot

Pinellas County, Florida

ICE went to PayPal and obtained a list of 5,000 people who had subscribed to these sites. The priority was of course getting at those who ran the sites, but the subscribers weren't off the hook. One of the e-mail addresses that had purchased access to the Sick Child Room was Travelerva88@yahoo.com. Investigators served an administrative subpoena on Yahoo, which turned over subscriber information for the account. It belonged to someone who also used the address caffertyj@gmail.com and who worked in London—but who listed a Largo, Florida home address. The information from Yahoo also contained, surprisingly enough, a link to the user's Facebook profile.

Putting Cafferty's name to the account wasn't particularly difficult after this. Investigators eventually realized that their target was a US government employee working as a Bureau of Diplomatic Security Special Agent in London. But by this point it was July 2011, and the child porn purchases had happened more than five years before. Investigators decided that, before pursuing Cafferty, they wanted to know if he was still involved in the CP scene.

The case went to Corey Monaghan, a detective in the Largo, Florida police department and a member of the FBI's nationwide Innocent Images Task Force. On July 14, 2011, Monaghan contacted his colleagues at the FBI's Innocent Images Operations Unit in Maryland and asked them to deploy an "investigative tool" to determine Cafferty's continued interest in child porn. In initial court documents, all descriptions of the tool were redacted—but the Smoking Gun got its hands on the unredacted original and published several key pages.

The FBI had set up its fake CP site for precisely this situation. When investigators had a lead on someone specific, they e-mailed the person with a custom password and the site URL. The strangely explicit front page discussion about the "Child Pornography" within made sure that visitors could have no confusion about what they were accessing. As Monaghan's unredacted affidavit makes clear, "nowhere on the website home page indicates [sic] any adult pornography or anything other than child pornography is available through this website." In reality, the site offered no child porn; the video loading screen had been purpose-built to fail in such a way that visitors believed their Internet connections to be the culprits.

Soon after Cafferty's visit to the site, the Innocent Images task force knew they had found their man. Not only had he used his custom password—he had logged in with a London IP address. Time to pay him a visit.
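The mechanism the affidavit describes is a tripwire: one unguessable password per e-mail recipient, a site that logs every use of it (source IP, requested file, number of attempts), and a video player built to fail. The sketch below is an added illustration of that pattern, not the FBI's tool or any code from the article; the class, method names and the constructed hit records are all assumptions. It also makes explicit the caveat a practitioner would raise: a unique token attributes a visit to whoever held the e-mail, so the same token arriving from several addresses is flagged as weak attribution rather than silently counted.

```python
import secrets
from collections import defaultdict


class Tripwire:
    """One unique password per e-mail recipient; every use is logged.

    Hypothetical illustration of the pattern in the article. The token
    attributes a visit to the *recipient* of the e-mail only as long as
    the token was not forwarded, so hits from several IP addresses under
    one token are flagged rather than silently attributed.
    """

    def __init__(self):
        self._token_to_target = {}          # token -> target label
        self._hits = defaultdict(list)      # target -> [(ts, ip, resource)]
        self._unknown = []                  # uses of tokens never issued

    def issue(self, target):
        """Mint a fresh, unguessable token for one target and return it."""
        token = secrets.token_urlsafe(12)
        self._token_to_target[token] = target
        return token

    def record(self, token, ts, ip, resource):
        """Log an access. Returns the target label, or None if unattributed."""
        target = self._token_to_target.get(token)
        if target is None:
            self._unknown.append((ts, ip, resource))
            return None
        self._hits[target].append((ts, ip, resource))
        return target

    def summary(self, target):
        """What the operator looks at: attempts, source IPs, files requested."""
        hits = self._hits.get(target, [])
        ips = sorted({ip for _, ip, _ in hits})
        return {
            "attempts": len(hits),
            "ips": ips,
            "videos": [r for _, _, r in hits if r.startswith("video/")],
            "shared_token": len(ips) > 1,   # token seen from >1 address: weak attribution
        }

    def unknown_count(self):
        """Accesses that carried a token this instance never issued."""
        return len(self._unknown)


def demo():
    """Constructed walk-through: one target, one password, a failing video load."""
    tw = Tripwire()
    pw = tw.issue("target-1")
    # Constructed hits (TEST-NET addresses): login, then the download button
    # twice, because the player "buffers" and stalls by design.
    tw.record(pw, 1310687000, "198.51.100.23", "login")
    tw.record(pw, 1310687049, "198.51.100.23", "video/4")
    tw.record(pw, 1310687120, "198.51.100.23", "video/4")
    # A token nobody was sent: logged, but attributed to no target.
    tw.record("not-a-real-token", 1310687200, "203.0.113.9", "login")
    return tw, pw
```

The logged fields are exactly the ones the affidavit lists (address, file, attempt count); what the example adds is the `shared_token` flag, since in the real case the login from a London address was what turned "someone used the password" into "Cafferty used the password".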

Confession

On August 12, Cafferty boarded a Delta Airlines flight from London to Florida and returned to the US. Monaghan didn't know exactly where Cafferty was, however, and the home address he used in Largo belonged to a long-time friend. Had Cafferty come to stay in Largo right away?

Monaghan used an administrative subpoena on local Internet provider Knology to learn that the Largo home had an Internet connection with an IP address of 216.186.194.208 between August 13 and August 23. A subpoena to Yahoo then revealed that Travelerva88@yahoo.com had logged in from that very IP address on multiple occasions during those 10 days. Cafferty certainly appeared to be staying at the house.
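The two subpoenas answer different questions and only the join between them places the account at the house: the ISP says which subscriber held an address during which window, and the mail provider says which address each login came from. An added example of that correlation follows (not the investigators' tooling, nor code from the article); the lease and login records are constructed, using TEST-NET addresses rather than the real ones. The point it makes that a plain IP match misses: dynamic addresses get reassigned, so a login must fall inside the lease window, and even then the match ties an account to a line, not to a person.

```python
from datetime import datetime, timezone
from ipaddress import ip_address


def _ts(s):
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed ISP assignment records (what a subpoena to the provider returns):
# (subscriber, ip, lease_start, lease_end). TEST-NET addresses, not real ones.
LEASES = [
    ("largo-house",    "203.0.113.7", "2011-08-13T00:00:00", "2011-08-23T23:59:59"),
    ("other-customer", "203.0.113.7", "2011-08-24T00:00:00", "2011-08-31T23:59:59"),
]

# Constructed service login records (what the e-mail provider returns):
# (account, source_ip, login_time).
LOGINS = [
    ("travelerva88", "203.0.113.7",  "2011-08-14T09:12:00"),
    ("travelerva88", "203.0.113.7",  "2011-08-20T22:40:00"),
    ("travelerva88", "198.51.100.4", "2011-08-10T08:00:00"),  # before the stay, other address
    ("someone-else", "203.0.113.7",  "2011-08-25T12:00:00"),  # address re-leased to another customer
]


def correlate(leases, logins):
    """Join each login to the subscriber who held its source IP at that moment.

    A bare IP match is not enough: dynamic addresses get reassigned, so the
    login time must fall inside the lease window. Returns
    [(account, subscriber, login_time)] in input order.
    """
    matches = []
    for account, ip, when in logins:
        t = _ts(when)
        for subscriber, lease_ip, start, end in leases:
            if ip_address(ip) == ip_address(lease_ip) and _ts(start) <= t <= _ts(end):
                matches.append((account, subscriber, when))
    return matches


def accounts_seen_at(leases, logins, subscriber):
    """Accounts that logged in over a given subscriber's line, with login counts."""
    counts = {}
    for account, sub, _ in correlate(leases, logins):
        if sub == subscriber:
            counts[account] = counts.get(account, 0) + 1
    return counts
```

Run against the constructed records, `accounts_seen_at(LEASES, LOGINS, "largo-house")` reports two logins by the target account and none by anyone else, while the login on August 25 is correctly attributed to the customer who held the address after the lease moved.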


On August 29, Monaghan drove out to the small white home with the red awnings over the windows and found Cafferty inside. Monaghan had brought a search warrant, but before he executed it, Cafferty agreed to talk. He copped to everything. He admitted to using Travelerva88@yahoo.com, he admitted to using PayPal to subscribe to 8 or 10 child porn websites back in 2005 and 2006, and he admitted to "'photo-shopping' himself into scenes where child pornography is depicted," according to the arrest warrant affidavit.

On his flight from London to Tampa, Cafferty had carried along three external hard drives. He shipped his Drobo and its two drives separately. When investigators hauled all five drives to a forensics lab and combed through them, they found more than 30,000 total child porn files.

Cafferty was arrested. At a bond hearing the next day, the government worried that Cafferty posed a flight risk, since he had "traveled to 69 different countries and has substantial ties to the UK." Given that Cafferty had no criminal record, the judge let him off with a $50,000 cash bond and forced him to wear a GPS monitor that restricted him to the Tampa Bay area.

Cafferty's friend, who owned the Largo house, appeared and expressed his shock at what had been happening—and his unhappiness that some of it had been happening in his house. "It's put me in a bad position and I can't be in that position anymore," the friend said. Until the search warrant team had arrived, he "had no idea" about Cafferty's darker interests.

"You shall be prohibited from using the Internet,” the judge told Cafferty at the end of the hearing. “Not only can you not use it at home, and the home's Internet service will have to be disconnected, but you can't use it anywhere. You can't use it at a public library; you can't use it if you go to another residence. You cannot use the Internet anywhere.” But everyone needs the Internet these days, and the judge eventually granted two specific requests. Cafferty needed to provide friends' e-mail addresses to his lawyer in order to request character references, and he needed to go online to get his W-2 in order to file his taxes. In both cases, his friend was authorized to get the information under Cafferty's direction.

On January 4, 2012, Cafferty's case wound down as most federal prosecutions do: with a plea bargain. Saying that he was pleading guilty “because he is in fact guilty,” Cafferty publicly admitted to it all. His sentencing is scheduled for April 26 at the federal courthouse in Tampa Bay, Florida.

Cafferty in happier days

From Plenty of Fish

Old school

Child pornography existed 30 years ago, of course. While investigators used some of the same techniques seen in the Cafferty case today, digital technology in general (and the Internet in particular) means that investigators are really playing a whole new ballgame even when they draw from the same playbook.

For instance, consider one famous case from the 1980s. In February 1984, a middle-aged Nebraska farmer ordered two magazines, called Bare Boys I and Bare Boys II, from a California bookstore. When the store was raided soon afterwards, the farmer's name—Keith Jacobson—appeared on the store's mailing list. The government decided to gauge Jacobson's interest in child pornography and embarked on an astonishingly complex and lengthy campaign against him.

In January 1985, a Postal Inspector mailed Jacobson a letter from the (fake) American Hedonist Society, which included a questionnaire about sexual interests. Jacobson "enrolled" in this organization.

In May 1986, another inspector created a bogus research company, Midlands Data Research, which asked for responses from those who "believe in the joys of sex and the complete awareness of those lusty and youthful lads and lasses of the neophite [sic] age." Jacobson wrote back, "Please feel free to send me more information, I am interested in teenage sexuality. Please keep my name confidential."

The government then created another fake group called "Heartland Institute for a New Tomorrow" which included yet another survey. Jacobson wrote back, "Not only sexual expression but freedom of the press is under attack. We must be ever vigilant to counter attack right wing fundamentalists who are determined to curtail our freedoms."

At this point, without any actual evidence that Jacobson was trafficking in child porn, Customs got involved and used his name for a separate sting operation of their own, based on lists of names gleaned from the Postal Inspectors. "Operation Borderline" used yet another fake company, the Canada-based "Produit Outaouais," to mail Jacobson a flyer advertising photos of young boys having sex. Jacobson placed an order; it was never filled.

The Postal Inspectors were still targeting him, too. They created still another fictitious company, the "Far Eastern Trading Company Ltd," which claimed to have a method of delivering illicit content through the mail without government interference. The Trading Company also told prospective buyers to swear that they were "not a law enforcement officer or agent of the US Government acting in an undercover capacity for the purpose of entrapping Far Eastern Trading Company, its agents or customers." Jacobson responded, eventually ordering a magazine called Boys Who Love Boys. When it was delivered, Jacobson was finally arrested.

At his trial, Jacobson said that he had only placed the last order because all the government mailings had aroused his curiosity. In fact, a search of his home turned up no other child pornography apart from the materials mailed by the government. The case eventually went all the way to the Supreme Court, which famously ruled in 1992 that Jacobson had been entrapped by the government.

"In their zeal to enforce the law, however, Government agents may not originate a criminal design, implant in an innocent person's mind the disposition to commit a criminal act, and then induce commission of the crime so that the Government may prosecute," the Court wrote.

"By the time petitioner finally placed his order, he had already been the target of 26 months of repeated mailings and communications from Government agents and fictitious organizations. Therefore, although he had become predisposed to break the law by May 1987, it is our view that the Government did not prove that this predisposition was independent and not the product of the attention that the Government had directed at petitioner since January 1985."

The magazine that had kicked off all of the investigations, Bare Boys, did not show conclusively an interest in child porn. Its depictions of nudity weren't explicitly sexual and were in any case not known to Jacobson when he ordered (he said that he believed the boys would be over 18).

A whole new world

The Cafferty case differs from Jacobson in two key ways. First, the government's initial evidence of interest in child pornography was much stronger—Sick Child Room was far more obviously illegal than anything in Bare Boys at the time. The government wasn't creating desire here.

But more interesting for our purposes is the amount of effort required in the two cases. To communicate with Jacobson back in the 1980s, investigators had to create documents, corporate logos, brochures, surveys—all bogus and all made without computers. All of this material then had to be mailed, and investigators could wait for weeks hoping their target would mail back a response. Finally, they had no easy way to see what non-government activities Jacobson was up to through the mail without an invasive and expensive search of all his incoming mail.

But with Cafferty, everything had become so much simpler. PayPal had initially turned over the information that gave the feds a juicy 5,000-name digital database of people to run down. The e-mail addresses collected there made targeting simple, and the government could build a single website that it could use for many different people. Everything could be logged and tracked, and responses might be almost immediate, compared to the years the government spent mailing Jacobson its surveys and catalogs.

Most importantly, search warrants and subpoenas now give the government access to incredible caches of information. Want to know what else a target is up to online? Search his e-mail. Want to find someone hidden? Use the fake site to log his IP address, then use an ISP to find the account holder. Want to track someone's movements? Watch the changing IP addresses he uses to log into online services. Need to socially engineer some aspect of your investigation? Find his Facebook and dating site profiles. Need evidence for a trial? Simply search someone's computer, which contains everything from browser logs to file storage to archived e-mail and instant messaging.

In the Jacobson case, investigators could only obtain their initial list by raiding a bookstore. Followups consisted of direct communications between the government and the suspect. Today, most of the information comes from third parties who are not themselves targets of suspicion: PayPal (money), Yahoo (e-mail), Facebook (social networking), Google (search history, Android phone unlocks, e-mail), Verizon (phone location tracking, text messages), etc. Each of these companies has dedicated units that exist to answer government orders for such information, and they provide it rapidly. In addition, investigators can conduct their searches without tipping off suspects.

While it took them a few years to shift to a digital mindset, cops everywhere now have real savvy about getting the information they need. It doesn't take some elite federal squad of "cyber" police. In case after case today, we see even local detectives using cell phone tracking, e-mail searches, and more. And when they need the big guns, they know how to call in "tools" like the fake child porn site.

In combination, the digital techniques available offer incredible customization in investigating a target. While stories about online crime often tell tales of invisible bad guys using their elite skills from some untraceable Batcave, the Internet provides real benefits to law enforcement, too. If it has made it simpler for child pornographers to find each other and to build globe-spanning communities, it has also given creative investigators powerful tools of their own.

Photo illustration by Aurich Lawson

1 comment:

  1. James might be shocked by that interesting mail! I think technology gives us wide freedom to explore our intelligence, and by using this facility some of us are doing unfair things like this activity. To prevent this situation we have to enhance our positive senses. Thanks.