Monday, January 30, 2012

Technology companies partner to stop CP, phishing scams

Two recent partnerships of technology companies are working to combat cybercrime in the areas of phishing schemes and child pornography. Here's a brief overview of what they are doing.

PhotoDNA

Microsoft began working with NCMEC in 2009 to develop software that could create a hash value for images of child pornography and then track an image even after it has been edited. The PhotoDNA technology divides the photo into a grid and develops gradient patterns to find its "DNA." Currently, the software can be used to search all images on Bing, SkyDrive (Microsoft's cloud storage service), Hotmail, and Facebook.

The obvious problem with PhotoDNA is that it does not discover new images of child pornography. NCMEC is using its already known images to form the hash values from which the software searches.

It will be interesting to see how the law develops with regard to services like PhotoDNA. Of course, the Stored Communications Act provides for a NCMEC exception under 18 USC § 2702(b)(6). However, if a person has a reasonable expectation of privacy in their e-mail account, for example, Microsoft (in this situation) could potentially become an agent of the government (see, e.g., United States v. Jarrett, 338 F.3d 339 (4th Cir. 2003)). Therefore, PhotoDNA may violate the Fourth Amendment in jurisdictions adopting the Warshak logic of the Sixth Circuit as the NCMEC exception would be unconstitutional. On the other hand, courts have held that there is no property right in child pornography so the Fourth Amendment doesn't apply (United States v. Hicks, 438 Fed. Appx. 216 (4th Cir. 2011)).

DMARC

A partnership of Bank of America, Facebook, Google, Microsoft, PayPal, and others was formed to help thwart phishing scams. In a typical scam, a person receives an e-mail telling them to click a link and enter their account information for their bank, e-mail account, or social media account. When they click it, they are not being sent to the actual website, but to an identical site meant to trick them. Once they enter their login information, the scammer can use their real account for fraudulent purposes.

The DMARC partnership creates a new system of authentication that seeks to prevent phishing e-mails from ever making it to an e-mail account (most now wind up in the user's spam folder). It's very easy to send an e-mail appearing to be from an account such as "customer.service@bankofamerica.com" when the true sender wasn't associated with BOA. The proposed system would require a signature on the e-mail in order for it to be processed.

The agreement also provides reporting of phishing tactics to organizations whose accounts are being attacked.
