By Paulo Fagundes, Director, Federal Police of Brazil, Brasilia, Distrito Federal
illions of children are developing virtual friendships around the world by connecting through the Internet. It is in this innocent environment that pedophiles are also aggressively targeting the relationship sites, instant messages, chat rooms, and file exchanges as tools to solicit children and teenagers. Law enforcement agencies all over the world have been detecting a massive and growing volume of file exchanges of content containing images of children or teenagers in pornographic or sex poses as pedophiles use the Internet to establish their illegal connections. Primarily these file exchanges today are occurring in the Peer-to-Peer (P2P) networks.1
Today, P2P networks are among the most popular applications on the Internet to facilitate file exchange among users, and the number of users participating in these networks keeps growing. In Brazil alone, it’s estimated that 9.4 million people download music, movies, and TV shows utilizing P2P networks. Investigations have shown that these P2P networks, originally created for legal purposes, are heavily utilized to exchange illicit files such as child pornography and copyrighted material.
The attraction of P2P networks to the criminal is an unintentional consequence of the technical aspect between P2P technology and the conventional file exchange. P2P technology enables users to exchange files directly among themselves, without any support from, or connection to, a central server. This lack of a central hub has complicated investigations and facilitated illicit activities. When a central hub is used, the investigation focuses on the exchanges through the hub. With P2P, at any given time millions of computers could be connected to P2P networks, and this decentralization poses a great challenge to investigators.
The Brazilian police received complaints about the illicit use of P2P networks, and an examination of these networks confirmed the severity of the child pornography problem using this technology. Not only are the P2P files exchanged among the pedophiles, these files are readily available to anyone. It is very easy to use simple keyword searches to find and download illicit content. Many files are named or tagged with apparently innocent keywords like “child” and “teen” which draws innocent users to the content. Parents have found that children and teenagers unintentionally download illicit content obtained through keyword searches. Juvenile users of P2P are at significant risk of inadvertent exposure to pornography.
The scenario in Brazil is very similar to those reported in a study published by the U.S. Government Accountability Office called Peer-to-Peer Networks Provide Ready Access to Child Pornography.2 This study, published more than six years ago, reported that child pornography is easily found and downloaded from P2P networks. In one search using 12 keywords known to be associated with child pornography, 42 percent of the files were associated with child pornography images and 34 percent of the files were classified as adult pornography.
According to experts, pornographers have traditionally exploited and sometimes pioneered emerging communication technologies from the dial-in bulletin board systems of the 1970s to the World Wide Web in order to access, trade, and distribute pornography, including child pornography. Pornographers have driven the development of Internet technologies, including systems to verify online financial transactions and digital watermarking technology to prevent the unauthorized use of online images.3
Brazil’s Law Enforcement Solution
Stemming from several allegations received by the police, Brazilian officers started an investigation that confirmed the increase in the utilization of P2P networks for the exchange of child pornography. Aiming to curb this problem, the Brazilian Federal Police, utilizing the available expertise of its computer forensic examiners, developed the “EspiaMule” (SpyMule) tool, a software application capable of monitoring the pedophilia file exchanges in P2P networks. The software works primarily as a spy agent, sweeping the World Wide Web in search of people sharing pornographic content files involving children or teenagers, although any other type of files could be searched as well.
This tool, developed in-house by the Brazilian Federal Police computer forensic experts, is based on the networks utilized by the “eMule” application, which is highly popular in Brazil. The team realized the need for an automated and more efficient way of tracking online pedophiles and started developing a tracking tool that could aid future investigations. Because eMule is an open source application, the Brazilian Federal Police modified the source code to allow the filtering and identification of computers sharing files with illicit content. With a list of files proven to contain child pornography, the developed tool can be used to discover all computers presently connected to the eMule network sharing such files, anywhere around the world.
Two large operations, which became known as Carrossel I and II, were deployed based on the information gathered by the EspiaMule application. These operations were very successful and became references for employing a new paradigm in internal and international cooperation.
Internally, the collaboration among the Brazilian Federal Police members, represented by their criminologists (in this case computer forensic experts) and the investigative team made the difference. This collaborative work enabled the deployment of a very complex operation that was highly technical and very successful.
Internationally, several countries deployed similar operations as a result of records sent to Interpol by the Brazilian Federal Police, reaping excellent results in other countries as well.
When it comes to online crimes, especially child pornography over the Internet, international cooperation is required because the Internet boundaries are vague, at best. Outlawing the traffic of such files in a given country is useless, since the files will remain readily available through the Internet on computers located in other nations.
The results of these two large operations deployed in Brazil are reflected in many other countries. The information collected by the EspiaMule application was sent to Interpol, and over 400 search warrants were served worldwide. More than 100 arrests were reported, and at least four children were saved from sexual abuse by adults—in addition to the confiscation of hundreds of thousands of illicit content files.
Table 1 shows the results obtained by the EspiaMule search tool in March 2008 when more than a hundred files containing child pornography were searched. This table also illustrates the magnitude of this problem, given the large number of computers worldwide sharing these types of files.
In total, almost 200,000 unique users were found in a 12-day search period worldwide. In the case of the Carrossel I and II operations, specific filters were used so only the most relevant users (active and with the highest number of shared files) for this investigation were selected.
The results above do not necessarily indicate that a given country has a greater number of people sharing child pornography than other countries because in some countries the eMule network is more popular than in others. In these countries there are many pedophiles using the eMule P2P network to share child pornography. The eMule network is most popular in Asiatic countries, South America, and European countries (except England), while in the United States, Canada, England, and some other countries, alternative P2P network protocols for file sharing have become more popular, such as those implemented by the “LimeWire” application.4
Even before the development of EspiaMule, the Brazilian Federal Police was working in cooperation with other law enforcement agencies in the fight against Internet child pornography. For example, in February 2006, the Azahar Operation was deployed stemming from information received from the Guardia Civil of Spain. This operation was also deployed internationally and simultaneously in more than 20 countries.
In Brazil, 30 search warrants were served in 11 states, Sergipe being one of them. In this state, two hard disks were submitted to technical forensic examination in 2006, in which 39 photos and drawings and 13 videos contained child pornography.
In 2008, the Federal Attorney General in Sergipe (MPF/SE) requested an additional forensic examination, which took a whole month to complete. With new tools and techniques, other incriminating files were found: 2,074 photos, 448 drawings, 3,841 miniature photos and drawings, and 228 videos with pornographic content involving children or teenagers. In addition, traces of evidence were discovered indicating that the eDonkey2000 application was used in the transmission of pornographic material involving children and teenagers. eDonkey2000 was first released in 2000 with versions available for Microsoft Windows and Linux as freeware.
Compared to earlier P2P file-sharing programs, eDonkey2000 introduced the “swarming” downloads concept: clients could download different pieces of a single file from many different peers. The eMule and other open source and commercial applications implement the protocol introduced by eDonkey2000 called “ed2k.” eDonkey2000 uses a binary proprietary file format to store the downloaded/uploaded history. Since there is no public documentation of this file format, computer forensic examiners at the Brazilian Federal Police had to use reverse engineering techniques to identify the files that were transferred by the suspects.
Based on the analysis of the new evidence, computer forensic experts decided to develop yet another tool to specifically extract transmission history data, producing the necessary proofs that the transmission of pornographic material involving children and teenagers were performed by the suspects. At that time, only production and dissemination of this type of material were considered crimes in Brazil. Possession did not become criminalized until November 2008.
In June 2008, the Federal Attorney General in Sergipe indicted two people. In December of the same year, one of them was convicted and sentenced to four years, seven months, and 15 days in prison, while the other was acquitted.
Cooperation Is the Key
In a great example of initiative and ingenuity, the Brazilian Federal Police developed an innovative application to aid in its investigations and evidence collection, allowing the gathering of information to subsidize large operations in the fight against Internet child pornography file sharing.
The development of this application and its utilization in large operations have proved to be key ingredients to the success obtained through partnership and collaborative work between criminalistics, represented by the federal criminology experts of the Brazilian Federal Police and investigations, enabling police operations in areas that required advanced technical knowledge.
Besides the example of internal collaboration and synergy, the international collaboration, through Interpol, was crucial in this fight against Internet child pornography and many other crimes.
There is still much to do, for instance, expand the software to support other file-sharing networks and become useful in other countries where different networks have become more popular.
The EspiaMule application is made available to foreign law enforcement by request only. ■
1Peer-to-peer is a network made up of individuals who make their resources, that is, processing power, disk storage space, available directly to their peers. The individuals in peer-to-peer networks are both suppliers and consumers of resources, which is a step in a different direction from the client/server networks where only the server provides and the client consumes. An example of this type of network was made famous by Napster in the late 1990s, an online music file-sharing service.
2U.S. Congress, Report to the Chairman and Ranking Minority Member, Committee on Government Reform, House of Representatives, File-Sharing Programs: Peer-to-Peer Networks Provide Ready Access to Child Pornography, United States General Accounting Office, February 2003, GAO-03-351, http://www.gao.gov/new.items/d03351.pdf (accessed July 22, 2009).
3Frederick E. Allen, “When Sex Drives Technological Innovation and Why It Has To,” American Heritage Magazine 51, no. 5 (September 2000): 19, http://www.americanheritage.com/articles/magazine/ah/2000/5/2000_5_19.shtml (accessed July 22, 2009).
4LimeWire is a free peer-to-peer file-sharing client for the software platform Java. The program can run on any computer that has Java Virtual Machine installed. The sharing program allows users on the Internet to make music, video, and so forth, available for consumption by other users. LimeWire also allows individuals to look up desired content on other users’ computers for download. Basically, LimeWire directly transfers files from the hard drive of one user to the hard drive of another user.