Suspect Interviews in Computer-Facilitated Child Sexual Exploitation Cases
By Greg Allinich[1] & Susan Kreston[2]
Introduction
Computer-facilitated child sexual exploitation has become a pervasive crime. With the number of investigations and arrests increasing dramatically, the need to conduct skilled interviews of suspects is being recognized as a new area of expertise for law enforcement. Specifically, the new issues relevant to gathering computer evidence must be incorporated into the interview to give law enforcement the best chance of amassing the optimal amount of digital evidence from the suspect. To assist law enforcement in this new area, the following suggestions are offered.
Preparing for the Interview
Investigators will find that during the interview phase, they are pitting their knowledge of computers and the Internet against that of the offenders, just as computer forensic examiners pit their knowledge against that of the offender in the areas of password protection, graphic editing software, encryption, steganography and the hiding of digital information.
Investigators should consider the following when determining what approach to use when interviewing a suspect in a computer-facilitated child sexual exploitation case: assess their own computer knowledge to avoid trying to bluff a suspect who knows more than they do; assess the computer knowledge of the suspect from all other evidence to determine who they are up against; and get as much information as possible concerning the hardware and software used by the suspect. Going into the suspect interview, the investigator may have obtained some of the following information: suspect’s user name or user identification, suspect’s on-line profile, suspect’s Internet Service Provider (ISP), suspect’s account information and the time of day or night the suspect is usually on-line.
It is best to conduct the suspect interview in a private room away from the location of the execution of the search warrant. This will secure the scene, establish a control dynamic, focus the attention of the suspect and maximize officer safety. The suspect interview should be audio and video recorded in order to protect the detective and his/her department, and to provide important evidence for later presentation at trial. Note of caution - any telephone call the suspect is allowed to make may result in the removal or destruction of digital or other evidence. Many computers can be accessed remotely. Alternatively, the suspect may request the person called destroy the contents of the computer either by physically removing the computer(s) involved, or by accessing the suspect’s computer and destroying the evidence at the source.
Interview Techniques
There are many approaches to conducting an interview with a computer crimes suspect, which include: Big Brother, Tell Me More and Detective Clueless. Factors that influence which of these styles to use include the investigator’s level of computer expertise, the level of computer competency the suspect has and the particular facts of the case.
The Big Brother approach calls for the investigator to convey an omniscient, “knows all and sees all” air. The investigator will imply that he/she has been watching the suspect’s actions and knows what has been going on in the suspect’s planning and execution of the crime. This approach mandates that the investigator display a superior knowledge of computers, the Internet culture and all aspects of the cyberspace environment. This can be accomplished at the beginning of the interview by discussing the detective’s background in investigating this crime in particular, general computer crimes and specific computer-facilitated crimes against children. Any further credentials, such as training attended or courses taught, conviction rate or other specialized knowledge of these crimes and those who commit them should also be brought out to establish the expertise of the investigator in this subject matter.
Next is the Tell Me More approach. Through this approach, the investigator understates his/her actual computer literacy and portrays him/herself in the student role of wanting to learn more about the area of computers from the suspect. The investigator acts fascinated with the suspect’s computer knowledge (“Really! Tell me more.”), never allowing the suspect to know his/her actual level of knowledge.
Finally, there is the Detective Clueless approach. Here, the investigator presents him/herself as totally computer illiterate. One way to accomplish this is to convey the impression that the interviewing investigator is just filling in for somebody else, or has only recently been assigned to the computer crimes area and is barely knowledgeable of computers. The investigator then takes the tack of being in awe of the suspect’s knowledge and wanting to learn about computers from the suspect. As the ego of suspects is often their downfall, many will discuss their computer system, and their knowledge of computers and the Internet. This in turn may help preclude defenses that could be raised later.
Question Areas
The following questions should be prefaced with appropriate language consistent with the approach chosen. They should also be adapted to reflect the type of exploitation that occurred (e.g., on-line luring and abduction vs. computer-facilitated child pornography).
Search and Seizure Information. The initial interview is usually the best opportunity to gather basic information from the suspect on the computer(s) he/she used and how they may be protected from external scrutiny. Inquiring into what hardware and software the suspect used on a regular basis, and how he/she used them, may yield information that assists the forensic examiner with his/her analysis of the computer(s). By inquiring into how many computers the suspect had access to, and where they are located, probable cause may be gathered to search and seize additional computers or peripherals. If it is an on-line luring case, the number and location of computers the victim used to receive e-mails from the suspect should also be asked. Additional questions in this area would include how many computers were used to correspond with the child(ren) in this case or to create and/or distribute the child pornography, and how many individual e-mail accounts the victim and suspect each have.
Password and Encryption Issues. A password is a secret series of characters that enables a user to access a computer, program, or file. The password helps ensure that unauthorized users do not access these areas. The investigator should ask if the computer, programs, or files are password protected and, if so, what are the passwords and who else has knowledge or access to those passwords. If the password protected information contains incriminating evidence, then this shows knowledge and intent on the suspect’s part to hide or conceal the information.
Encryption is a technique that renders a message unintelligible by anyone other than the intended recipient. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. The investigator should ask if any of the computer files have been encrypted and if so, what the names of the files are, what encryption software was used and what the keys or passwords are to decrypt the files. This information can then be provided to the forensic examiner for the recovery of the encrypted files. Again, if the encrypted files contain incriminating evidence, this will show knowledge and intent on the suspect’s part to hide or conceal the information.
Defeating the Some Other Dude Did It (SODDI) Defense. Attendant to the basic information discussed above, the next line of questions may preemptively preclude the defendant raising the SODDI defense. Questions within this area should include: “Who else uses the computer(s)?” “Who else goes on the Internet from the suspect’s computer(s)?” “Who else goes on the Internet using the suspect’s user name?” By getting the defendant to admit exclusive dominion over the computer(s) and his user name, later claims that another person was the wrongdoer may be avoided.
Defusing Entrapment Defenses. Solicit information regarding the suspect’s Internet usage and habits. Questions here include: “What do you do on the Internet?” “What Web sites do you visit?” “What newsgroups do you subscribe to?” “What chatrooms do you visit?” “Who do you chat with and about what topics?” “What Web sites or news groups do you have book-marked or saved as a favorite?” By setting out this information now, later defenses that center around the concept of entrapment may be precluded by the defendant’s own statement. By asking questions about when the suspect is normally on the computer, the answers may assist prosecutors in showing that the suspect was the person at the computer at the time in question.
Storage Location. One aspect that needs to be remembered is that not all images are necessarily stored on-site in the suspect’s computer(s). It is entirely possible that off-site storage exists. Ask first about where the images are stored on the computer (which files, folders, and directories). The specific question, “Where else do you store pornographic images and where are these devices?” should then be asked. Answers might include floppy disks, CDs, CD-ROMs, tapes, Palm technology and cell phones. Questions regarding the possibility of an off-site storage site, located in a different city, state, or even country should also be asked. Several sites now exist that allow an individual user to “upload” both text and graphic files to a remote “storage site.” These sites normally offer anywhere from 5 to 50 MB of storage for free and offer larger amounts of storage for an additional price. A warrant must be obtained for the remote site once it is discovered within the course of the investigation.
Adult Pornography. Detectives may make the transition from the general information discussed above to the specifics of the case at hand by asking about possessing or distributing adult pornography. While there is nothing illegal about having adult pornographic images on the computer, those images may also be subject to seizure as corroborative evidence. Most suspects realize that possession of adult pornography is not illegal and will therefore answer the investigator’s questions as to their possession and distribution of these images. Questions here include: “How often do you view pornography on the Internet?” “Do you have your own Web site or home page?” “How many pornographic pay sites do you belong to?” “Do you have any adult pornography stored on your computer, floppy diskettes or other media?” “What percentage of the pornographic images are adult images?” “Tell me about some of the adult images.”
Child Pornography. Suspects may attempt to paint themselves as having a wide variety of adult pornographic images, but be unaware of any child pornography being in their “collection.” To ward off the “inadvertent possessor/no requisite mens rea” defense, ask the suspect “What percentage of your images contain children?” “How did you obtain these images?” “Where do you store these images (home, office, rented storage locker, etc.)?” “How many of these images do you currently have saved to your computer hard drive, floppy diskettes, off-site storage or other media?” “Did you show any of these images to anyone else?” “Were you offended by these images?” “Did you delete any of these images from your computer, floppy diskettes or other media?” “Tell me about some of the images that are currently on your computer.” “How old do you think the children are in these images?”
Identifying Exploited Children. Identifying the children exploited through pornography is one of the most difficult and frustrating aspects of law enforcement’s job. In the overwhelming majority of cases, actually being able to identify the child being abused may not be possible. However, as child pornography can now be made in the privacy of the abuser’s house and with technology that is readily available to the general public, it may be possible to gain information regarding who the child is. Questions in that vein include: “Who are these children?” “Do you know who took the pictures?” “Do you know when or where the pictures were taken?”
Putting the Suspect Behind the Computer. The identity of whoever loaded the images onto the computer should also be asked. Whether this is the suspect or someone else, law enforcement will be able to follow up this information with a view to amassing all those involved in the possession, distribution or production of the child pornography.
Internet Child Pornography Culture. Finally, showing that the suspect was fully aware of the Internet child pornography culture will help establish that he fully understood the types of images that he was looking for and would receive in any given chatroom, newsgroup, mailing list or Web site. Questions in this vein would include: “What does the term ‘lolita’ mean?” “What does the term ‘pre-teen’ mean?” “What do the terms ‘young’ and ‘younger’ mean?”
Conclusion
No one set of suggestions or guidelines can ever completely anticipate and respond to all circumstances that may arise during a suspect interview. However, by having a plan mapped out regarding both style and substance of the interview, law enforcement will increase the effectiveness of this crucial aspect of investigating and prosecuting these crimes against children.[3]
[1] Detective, Crimes Against Children, Phoenix Police Department.
[2] Deputy Director, APRI’s National Center for Prosecution of Child Abuse.
[3] APRI’s National Center for Prosecution of Child Abuse can provide technical assistance to investigators and prosecutors to enhance their knowledge of both best investigative and forensic practices. Please contact the Center via susan.kreston@ndaa-apri.org for assistance in these areas.