Occasionally, organisations may have to deal with allegations of serious misuse of computers, where indecent images of children (as defined by the Protection of Children Act 1978 and subsequent amendments) or extreme pornographic images (as defined by section 63 of the Criminal Justice and Immigration Act 2008) may be present on the organisation's computers. The possession of such images is a serious criminal offence and must be reported to the Police as soon as possible. Until the material can be handed to the Police, organisations need to act very carefully to avoid harm to their users or potential criminal liability for the organisation or its staff. JANET(UK) has developed Guidelines, with assistance from JANET sites and the Home Office, to assist sites in this situation. The University of Oxford endorses these Guidelines.
These guidelines are intended to help and protect computer support staff who may be requested to respond to reports of the presence of illegal images (whether indecent images of children or extreme pornographic images) on computers at the University. The Protection of Children Act 1978 and subsequent legislation makes the possession, making or publishing of indecent images of children a serious criminal offence; the Criminal Justice and Immigration Act 2008 introduces a similar crime of possession of extreme pornographic images. Images of either type must be reported to the police as soon as possible, with the minimum interference, for them to investigate. However, there may occasionally be an urgent requirement to confirm an allegation, to secure evidence or to remove material from view, and in these cases authorised site staff may be best placed to do the minimum necessary to achieve this. Any such action, and any information obtained as a result, must be handled in strict confidence both to protect the evidence and those persons involved: malicious allegations have sometimes been made against innocent parties.
Viewing or handling indecent images of children will normally be a serious criminal offence. However, section 46 of the Sexual Offences Act 2003 provides a limited defence for those who can prove that they needed to do so for the purposes of the prevention, detection or investigation of crime. The CPS (Crown Prosecution Service) and ACPO (the Association of Chief Police Officers) have agreed an MoU (Memorandum of Understanding) setting out the factors they will consider when deciding whether this defence may be available in any specific case.
The Sexual Offences Act 2003 is available at: http://www.legislation.hmso.gov.uk/acts/acts2003/20030042.htm
The MoU is available at: http://www.cps.gov.uk/publications/docs/mousexoffences.pdf
Sections 63 and 68 and Schedule 14 of the Criminal Justice and Immigration Act 2008 provide a similar "good reason" defence to possession of extreme pornographic images and it is expected that this would be subject to similar tests.
The Criminal Justice and Immigration Act 2008 is available at: http://www.opsi.gov.uk/acts/acts2008/ukpga_20080004_en_1
Staff who have been properly authorised and instructed to respond to reports of the presence of illegal images and who satisfy all the tests should not have to fear that they will be prosecuted. The MoU recommends that organisations adopt written procedures for such activities to protect their staff.
These guidelines set out a procedure that is believed to be in accordance with the ACPO/CPS Memorandum of Understanding. Following this procedure should therefore give authorised staff some protection against prosecution by demonstrating that they have acted reasonably and professionally (MoU principle 5).
Any report or allegation of the presence of illegal material on a University system must be immediately recorded in writing and passed to The Authorizer responsible for that system. Only they can authorise further action. The written record must include how the presence of the material was detected: in particular staff must never proactively seek out illegal material.
The Authorizer will contact University Personnel in the Central Offices (or the college equivalent) if a staff member is involved or the Proctors if a student is involved to inform them of the action being undertaken.
Normally, The Authorizer will report the matter to the police and be guided by them in all further activities. If The Authorizer is not available, call the police and inform The Authorizer as soon as possible.
Reports of material elsewhere on the Internet, for example on public websites, should normally be passed to the Internet Watch Foundation: http://www.iwf.org.uk
The only situation involving illegal material that need not be immediately reported to the police is where there has been an unverified allegation that a member of the organisation has been accessing such material. Unfortunately there have been cases where such allegations have been made falsely and maliciously. If there is real doubt over the accuracy of a report, The Authorizer may need to authorise appropriately skilled members of staff to perform the minimum checks necessary to confirm the presence of such material on University systems or elsewhere.
If you are authorised to deal with an allegation, you will be informed in writing by The Authorizer. The authorisation should identify you, and the authorising manager, by name and job title. All actions to deal with the allegation must always be performed by two authorised staff working together.
As soon as it seems likely that illegal material is present,
this must be reported to The Authorizer for them to contact
the police. No further investigation must be done unless authorised
by the police and then following their instructions to the letter.
Staff must not attempt to identify how material came to be on the
system, or which users may have accessed it, as doing so is almost
certain to damage the credibility of evidence that may need to be
presented in court.
The purpose of the organisation's actions is only to confirm whether illegal material is likely to be present on a computer. This should involve the least possible handling of computer files and disks, both to reduce the risk of exposing staff to harmful material and to do the least possible damage to evidence.
Every action taken must be recorded in writing (ink, not electronic), with every mouse click, command or URL recorded. Where a complex command needs to be recorded this may be printed out in addition to writing it down but the printout must be signed and dated immediately and inserted into the written record.
Often, checking a list of filenames or URLs visited will be sufficient to confirm suspicions: viewing files or visiting websites should be regarded as an absolute last resort. If it is necessary to visit a suspect web site then this should be done with a text-only browser, or at least with all image downloads turned off (ensure you know how to do this before starting the investigation). The text or filenames of a site will often indicate the nature of the content.
The most effective way to protect evidence is to remove power from the computer on which the illegal material is stored (pull the power lead out of the back of the computer, not the mains socket: do not perform a shutdown as this may overwrite evidence).
If, however, the computer cannot be taken out of service for an indefinite period then a backup copy of at least some of the illegal material must be taken before making it inaccessible to users. Ideally this should be a forensic-quality copy of the disk using, for example, the UNIX® 'dd' command or a recognised commercial forensic package. If this is not possible for reasons of space or skill then a directory listing and a selection of files should be copied to a secure medium, e.g. CD-ROM. Such copying should be the minimum necessary to indicate the scale and nature of the illegal material.
In either case the evidence - computer, disk or backup copies - must be sealed, labelled, signed and dated, and placed in a secure, locked location until it can be handed to the police. Details of the location and its security measures must be recorded in writing. All those with access to the location must be identified and any actual entry into the location recorded and signed.
The incident must not be discussed with colleagues. The material must not be shown to anyone other than, if absolutely necessary, those authorising and performing the investigation. Doing so may compromise the individual and jeopardise any subsequent police investigation.
If the computer containing the material is not taken out of service, then action must be taken to prevent deliberate or accidental access to the material. Such action must make the least possible change to any remaining evidence; advice should normally be taken from the police on appropriate measures. These may include changing the permissions on directories or files to make them inaccessible, or deleting them.