In 2004, a substitute teacher—a person with little or no experience with computers—became a victim. Julie Amero was a victim of a lingerie and possible porn advertising flood caused by something downloaded from the Internet. Further, she was, and continues to be, the victim of ignorance, negligence, and a pervasive somebody-has-to-pay mentality.
Julie Amero, 41, was substitute teaching in Norwich, Connecticut when a classroom PC began displaying what Amero described as Victoria Secret-like ads she couldn't stop. Amero told the full story in an IDG News Service interview. The short version? She tried to stop the flood of inappropriate ads and she informed school officials about what happened. However, pressure from parents caused the school to report the incident to the authorities. Ignorance of how technology works apparently played a role in her being tried and convicted in 2007 of four felony counts of endangering minors.
So after almost two years, pressure from Sunbelt Software, which took up Amero's cause, prosecutors settled on a plea agreement in which Amero was required to plead guilty to a misdemeanor disorderly conduct charge, pay a $100 fine, and forfeit her state teaching license (Yahoo.Tech). (Forfeiture of the teaching license was just a formality, since no one would hire her as a teacher after the 2004 incident.)
I have a problem with this entire issue, including the final plea bargain. The facts about this incident have been public knowledge for some time. Nothing points to Amero intentionally visiting questionable sites or knowingly allowing her students to do so. So who was really to blame in this case?
When this incident occurred, technology existed to restrict students from visiting unsuitable Web sites. Why wasn't it installed at the school? When Amero reported the incident, why wasn't it immediately investigated by the school and steps taken to prevent it from happening again? Why did it take pressure from understandably concerned parents to push the school to do something? And why when the school decided to do something did the finger swing toward the substitute teacher instead of school administrators?
In my opinion, school and network administrators were negligent, allowing unfettered access to an Internet known to contain content unsuitable for students. Here is a lesson to be learned by schools and businesses alike: if it's available on the Web, students or employees will find it, either intentionally or by accident. Protect them from themselves, and your business or school from liability, by filtering and controlling access.
And then there are the prosecutors. Apparently they have nothing better to do in Norwich, Connecticut than use apparently limited knowledge of cyber-crime—or how computers, the Internet, and spyware work for that matter—to prosecute someone who looks like she might have, sort of, you know, exposed children to unsuitable content. After all, she had a lot of control over acceptable use policies, network controls, and security safeguards to protect her students…
Even if we allow some latitude (i.e., cut the prosecutors some slack) because they might have been a little behind relative to cyber-law and related crimes, it's hard to overlook their unwillingness to just let this one go. Instead of admitting a mistake, they forced Amero to accept a plea bargain before allowing her to continue with what is left of her life.
Maybe we need to look beyond our traditional definition of cyber criminal and look at those who can destroy the life of an innocent person, a person guilty only of being in the wrong place (a school using unprotected Internet access) at the wrong time (when unwanted software just happened to strike). If it isn't a crime to use public ignorance of technology to shift responsibility for acts of cyber-negligence, maybe it should be.
What do you think?
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.