Recently, the FBI used this point of law to open up investigations into people who click on a Web site falsely advertising unlawful content but never actually receive it. In reality, the Web site is actually maintained and operated by the FBI itself -- a fact hidden behind a spoofed address.

It is the ultimate honeypot which poses a trap for the unwary. Merely clicking on the hyperlink -- and receiving no actual content -- is sufficient to warrant not only an armed raid on your home and seizure of your computers, but a lengthy term in prison as well. While this "click-crime" technique has been used by police to catch people downloading child pornography, it's likely that the next step will be to use it as a tool in other investigations, such as music and movie piracy.

To Catch a Porn Collector

In a recent case, the FBI posted hyperlinks to a forum which purportedly allowed those who clicked through to obtain sexually explicit materials related to minors. In reality, clicking on the link led the person to an FBI undercover Web site and delivered no actual content.

The FBI recorded the IP addresses of all those who clicked the link and used the information to obtain a search warrant for the person's system. In each case, the FBI successfully prosecuted the owners of the computers for attempting to obtain child pornography by "clicking on an illegal hyperlink." These prosecutions raise significant questions both about evidentiary requirements for convictions, the law of "attempt," and the extent to which the government may actively entice or encourage the commission of criminal activity.

Moreover, now that this technique has proven successful, we can anticipate that the government will use it in a host of other online arenas.

The technique the FBI reportedly employed was to infiltrate a "known" child pornography site, called the Ranchi forum (now defunct). The agents posted a hyperlink on that forum advertising various illicit images (e.g., toddler sex with father). If the hyperlink was clicked, an FBI Web site would record the IP address, but deliver no content. Once the IP address was resolved to an individual, the FBI would obtain a search warrant, seize the computer, and an arrest or prosecution would follow.

Overall, the technique itself and its use under the circumstances are under sound legal footing. In many ways, it is not dissimilar to undercover agents posing as drug dealers in "high narcotics areas" offering for sale "cocaine" but delivering instead lactose powder. The "purchaser" may still be prosecuted for conspiracy or attempt to purchase a controlled substance.

By posting the hyperlink on a site frequently used by child pornographers, the FBI may have overcome one of the hurdles to the so-called "entrapment" defense -- that is, establishing a likelihood of predisposition to commit a criminal offense. It's reasonable to ask why the defendant was in a forum dedicate to the distribution of child pornography.

However, it is unlikely that this technique, successful in the area of child pornography, will remain limited. The government, and potentially private parties, will use this technique to post all kinds of potentially "interesting" information online -– from copyrighted materials (music and video) to personal information, to trade secrets, and even links to hacker tools or techniques. These enticing links resolve not into useful information, but rather into potential civil or criminal liability.

Who Clicked Where?

Of course there are evidentiary problems with any online prosecution, and these honeypot prosecutions are no different.

At best, through the hyperlink you obtain an IP address, but you still have to demonstrate to a jury that the individual defendant was attempting to download the illicit content. If the IP address leads to an open WiFi network, for example, there is the possibility that neighbors or others have piggybacked on the network.

Yet, the illegality of certain content could also lead to potential attacks on individuals. Click crime could be used to frame adversaries, in much the same way as so-called "swatting" has been used to induce a police response. An adversary can hack into your system (or use a Trojan to obtain access) and cause your system to access the FBI honeypot. Some time thereafter, federal agents armed with warrants kick in your door, seize your computers, and you are left having to explain why you are NOT guilty of some computer crime. One click trouble.

Another problem is the assumption that people click on links because they want the thing that is on the other end of the link. We know from the spread of viruses and worms that people are inherently trusting and will click on just about anything –- often without reading it.

Indeed, in the wake of one highly publicized virus, I tried an experiment, e-mailing a hyperlink to about 100 IT security professionals which contained the exact wording of the recent email propagating the virus, together with what purported to be a hyperlink. Within minutes I received e-mails from many of these professionals complaining that the link didn’t work.

Indeed, were you to send a mass mailing out to millions of users with a hyperlink and a statement that "by clicking this link you agree to wipe the entire contents of your computer," some percentage of the recipients will invariably click the link. Thus, basing a criminal conviction on a single mouse click is dubious at best. Merely clicking a link may not be indicative of anything more than curiosity, bad judgment, bad computer hygiene, or foolishness.

Moreover, some researchers maintain sites that are designed to automatically click on links. Should this lead to a search warrant and possible prosecution? While some mouse clicks represent intentional, volitional conduct, many more do not. The FBI’s "click-crime" system does not adequately distinguish between the two, particularly for obtaining a search warrant.

In addition, there is the problem of the client-side honeypot. These client side products may scan inbound communications and attempt to resolve links in the communications in a secure manner to make sure that the links do not expose the company to malware or liability. In the case of the FBI undercover operation, the links would ultimately not resolve to anything, and might be allowed through. However, to determine this, the client-side honeypot would have already clicked the link, creating the potential for civil or criminal liability at worst and a swift kick in the door at best.

Today, Pornography; Tomorrow?

The recent cases are not likely to engender much sympathy, as few in society are willing to be seen as coddling or protecting child pornographers. Moreover, the government’s efforts here seem, at first blush, to be both reasonable and appropriate.

However, it will not likely be long before the click-crime honeypot technique may be applied to other cases. Once law enforcement agents are successful in using the honeypot technique in child pornography cases, it is unlikely that they will stop there.

The government could, for example load peer-to-peer sites with advertisements for pirated music or video -- going well beyond what companies like MediaDefender has done -- and prosecute those who merely seek the unlicensed materials, even if only for purposes that could legitimately fall under the "fair use" doctrine. A mere click on the link with no actual infringement might lead to a conspiracy charge or attempted prosecution.

In Germany, where the use of certain security tools is illegal, the government could place hacking and security tools on a site available for download and a mouse click on any of the links could lead to a criminal prosecution. The government could flood online classified sites, such as Craigslist, with links to undercover government sites posing as "erotic services," and arrest those clicking the links for solicitation of prostitution -– or at least attempted solicitation. Links to eBay sites might be used for prosecution for attempted receipt of stolen property.

The problem is exacerbated when one considers how much of online activities are potentially criminal. For example, the FBI could set up Web sites offering to sell or give away software or services to "crack" CDs, game systems, DVDs or BluRay disks, to unlock iPhones, or to otherwise supply technologies that might be helpful in circumventing a "technological protection designed to protect a copyrighted work" under the Digital Millennium Copyright Act (DMCA). The law's trafficking provisions makes it illegal to:

. . . traffic in any technology, product, service, device, component, or part thereof, that is primarily designed or produced for the purpose of circumventing protection ...

Clicking a link makes you liable for attempted trafficking.

Indeed, there are literally thousands of things that are illegal to possess -- from certain kinds of information, such as classified data, credit information and bank secrets to burglar’s tools and certain kinds of cheese. Law enforcement would not have to wait for the unwary to actually obtain any of this contraband. Instead, they would merely have to lure potential buyers to click on a link that purports to lead to the contraband.

Mouse trapped

There is also the genuine issue of entrapment.

Any future use of a click-crime technique must ensure that it has taken steps to make sure that the suspects they are catching are people who intended to commit a crime and not simply those ensnared by the trap.

In 1984, a 56 year-old veteran from Nebraska named Keith Jacobson ordered some magazines from an adult bookstore in California. Jacobson believed he was ordering adult pornography, but instead was -- in his words -- "shocked" to find magazines with naked images of minors. Under the law at the time, purchasing the magazines was perfectly legal.

Yet, when the bookstore’s offices were later raided by the FBI and Jacobson’s name was found on the mailing list, the U.S. Postal service then began sending Jacobson surveys about his sexual predilections from fictitious companies they created, such as "Midlands Data Research" and "Heartland Institute for a New Tomorrow." The government, through an undercover agent, began to engage in a dialogue with Jacobson about his sexual preferences. Nearly three years after Jacobson had allegedly ordered the magazines, the U.S. Customs Service set its eyes on Jacobson, creating a fictitious Canadian company and mailing Jacobson a brochure advertising the sale of photographs of young boys engaging in sex. At the same time, the U.S. Postal Service created a company called the "Far Eastern Trading Company" also encouraging Jacobson to buy child pornography. His curiosity "piqued," Jacobson responded and ordered a magazine from the Far Eastern Trading Company and was promptly arrested.

The United States Supreme Court struck down his conviction noting:

In their zeal to enforce the law, however, Government agents may not originate a criminal design, implant in an innocent person's mind the disposition to commit a criminal act, and then induce commission of the crime so that the Government may prosecute. Where the Government has induced an individual to break the law and the defense of entrapment is at issue, as it was in this case, the prosecution must prove beyond reasonable doubt that the defendant was disposed to commit the criminal act prior to first being approached by Government agents. 

…[A]n agent deployed to stop the traffic in illegal drugs may offer the opportunity to buy or sell drugs and, if the offer is accepted, make an arrest on the spot or later. In such a typical case, or in a more elaborate "sting" operation involving government-sponsored fencing where the defendant is simply provided with the opportunity to commit a crime, the entrapment defense is of little use, because the ready commission of the criminal act amply demonstrates the defendant's predisposition. Had the agents in this case simply offered petitioner the opportunity to order child pornography through the mails, and petitioner - who must be presumed to know the law - had promptly availed himself of this criminal opportunity, it is unlikely that his entrapment defense would have warranted a jury instruction. But that is not what happened here.

By the time petitioner finally placed his order, he had already been the target of 26 months of repeated mailings and communications from Government agents and fictitious organizations. Therefore, although he had become predisposed to break the law by May, 1987, it is our view that the Government did not prove that this predisposition was independent, and not the product of the attention that the Government had directed at petitioner since January, 1985.

In essence, under the law of entrapment in the United States, if the government merely provides an opportunity for an otherwise predisposed individual to commit a crime, the sting operation passes muster, but if they essentially plant the idea of criminal conduct in a person who is otherwise not predisposed to commit a crime, it may constitute entrapment.

To make matters more complicated, the U.S. courts have routinely permitted law enforcement agents to engage in what has been called "sentencing entrapment," where a person interested in, for example, looking at a single piece of child pornography, might be induced to look at several hundred, or a person seeking a single marijuana "joint" might be told that he can have a kilogram of THC for the same price. The unwary bargain seeker may then lawfully be prosecuted for the multiple images or the kilo of pot, entrapment notwithstanding.

In Canada, the courts have precluded what they call random virtue testing, which is essentially where they ask people if they are willing to do something that constitutes an offense, and Australian, England, and New Zealand courts have exercised their inherent powers to prevent a prosecution from going forward if there is entrapment.

In the future, we can expect the government to set up more and more of these criminal honeypots to try to catch citizens engaging in all sorts of improper and potentially illegal conduct. Indeed, this will likely be done at all levels of law enforcement and by all sorts of regulatory and intelligence agencies.

This may or may not be a good thing. For those who support strict enforcement of all laws, the lesson is essentially a cross between caveat emptor and "don’t do the crime if you can’t do the time." However, future cases will likely prove that there must be more to a crime than simply clicking a link and more evidence of intent to commit an actual crime than simply curiosity.