Questionable Conviction of Connecticut Teacher in Pop-up Porn Case

Julie Amero, a 40-year-old substitute teacher from Connecticut is facing up to 40 years in prison for exposing her seventh grade class to a cascade of pornographic imagery. Amero maintains that she is a victim of a malicious software infestation that caused her computer to spawn porn uncontrollably.

Adware, spyware and other infectious software are known hazards to security and privacy -- and when lax cybersecurity meets anti-porn hysteria, a mailware infection can even land you in jail. Malicious coders are getting more sophisticated all the time, but law enforcement and the criminal justice system aren't keeping up. A criminal conviction can hang on the difference between a deliberate mouse click and an involuntary redirect on an infested computer. Too often, even so-called experts can't tell the difference.

On the morning of Oct. 19, 2004, Julie Amero's life changed forever when pornographic ads flooded her web browser during a class. According to the prosecuting attorney, David Smith, Amero's computer began displaying images of naked men and women, couples performing sexual acts, and "bodily fluids."

Chances are, these kids had seen porn pop-ups before. Family Safe Media estimates that boys 12 to 17 consume more internet porn than any other group. The adults at Kelly Middle School, however, were shocked and scandalized. The next week, the school sent home a notice telling parents why Amero would never teach in the district again. She was arrested shortly thereafter and charged with multiple felonies.

At trial, six of Amero's former students testified that they saw pornographic images on her monitor, either from their seats, or when they came up to her desk. One student told the court that Amero pushed his face away from the screen when she saw him looking at the racy ads.

Millions of PCs worldwide are infected with some form of malicious software. An internal Microsoft report found that four million Windows machines were infected with some form of malicious software ("malware") in mid-2006.

Spyware, adware, worms and viruses are parasitic programs that can hijack web browsers, launch unsolicited pornographic ads, and even report the inner workings of a computer to a remote observer. Users routinely download these programs without realizing they've been infected.

Amero's attorney, John F. Cocheo, argued that malware was responsible for the pornographic images, not his client.

Detective Mark Lounsbury, a computer crimes officer at the Norwich Police Department testified as an expert witness for the prosecution. He maintained that Amero was intentionally surfing for pornography while her seventh grade class busied itself with language arts.

Lounsbury told the court that Amero musts have "physically clicked" on pornographic links during class time in order to unleash the pornographic pictures. However, he admitted under cross-examination that the prosecution never even checked the computer for malware.

Why didn't the police check for malicious software? According to prosecutor David Smith, the police didn't check for malware because the defense didn't raise the possibility of a malware attack during the pretrial phase, as required by law. Defense attorney Cocheo could not be reached for comment as of press time.

Herb Horner, the proprietor of the consulting firm Contemporary Computing Consultants, testified as an expert witness for the defense. His exhaustive independent forensic analysis of Amero's hard drive showed that the machine had been infected with multiple pieces of malicious software before she arrived at the school, and that these hidden programs were responsible for the pornographic deluge.

Horner arrived in court with two laptops filled with the voluminous records of his investigation. However, the judge only let him present two slides. Prosecutor Smith objected because his team hadn't been previously informed about the malware defense.

On Jan. 5, 2007, a Norwich jury found Amero guilty of four felony counts of "injury or risk of injury to, or impairing morals of, children." Each count carries a maximum sentence of 10 years and while it is unlikely that Amero will receive the maximum penalty, incarceration remains a very real possibility. Even if Amero avoids jail, she will be stripped of her teaching credentials unless the convictions are reversed.

News of the guilty verdict sparked widespread outrage, particularly in the IT community. How could a 40-year-old woman with no prior criminal record be facing such serious charges over a few pop-up ads?

"The fact that the machine was never scanned for spyware by the investigating authorities is outrageous. In fact, this alone should have resulted in the case being dismissed, as the defense found a major spyware infection by their expert forensic evidence," wrote Alex Eckelberry, the president of Sunbelt Software, a Florida-based firm that makes anti-spyware products.

In fairness, nobody involved with the case seems happy about the outcome, either.

Since the verdict, the Norwich Police Department has been bombarded with irate calls and emails from readers who accusing them of railroading an innocent person.

"We're getting pretty much everything short of death threats," detective Lounsbury said. "I'm getting thrashed," People read a news article, and they think they know what's going on, but they're missing 99 percent of it."

According to Lounsbury, some of parents whose children were exposed to the porn demanded an aggressive police response.

"You know what people need to understand?" Lounsbury continued. "These were 12-year-olds. They reported [the porn] to their teachers, the teachers went to the administrators who brought the complaints to the network administrators. Of course, the kids told their parents. Complaints were lodged with the police. This isn't China. This isn't North Korea ... we're not Big Brother."

In the end, Amero's fate hinged on the dueling opinions of the two expert witnesses. Unfortunately, the legal system was ill-equipped to weigh their respective opinions.

The witness for the prosecution is a police officer who has to follow a very simple investigative algorithm. By all accounts, he executed his duties faithfully. Unfortunately, those responsible for evaluating his reports weren't sufficiently tech-savvy to place his findings in the proper context. ComputerCOP Pro, the software the police used to audit Amero's computer, is an automated user-friendly tool search tool designed for routine monitoring. It is not designed to definitively distinguish between user-generated clicks and the effects of malware.

Furthermore, the defense's expert witness was not allowed to share with the jury more of the evidence he had amassed. Herb Horner has 40 years of experience as a software engineer and an IT consultant. Over the past few decades, Horner has traveled the world to investigate computer glitches. His clients include a Swiss bank, a major airline and a national chain of hardware stores.

"I like to get to the bottom of things," Horner told AlterNet. "If there's a plane crash, I say don't just bury the bodies and take the trash to the dump. Find out what happened."

If the defense had told the prosecution about Horner's findings earlier, the prosecution might have been able to forestall problems by choosing an expert witness who was qualified to address Horner's testimony. Instead, the prosecution moved to suppress evidence that it wasn't prepared to handle.

Compared to Horner, the prosecution's expert witness has little formal IT training. Detective Lounsbury has completed two two-week FBI training seminars on computer security and other continuing education programs. He is also a certified user of the computer monitoring software ComputerCOP Pro.

Allison Whitney, ComputerCOP's director of communications, explained how her company certifies police officers to use the software:

"They get a full hour of training, and then they're tested," Whitney said. "A lot of these people don't have any kind of training. Their [superior] officers may give them some kind of low-level training. Most of the time we do the training over the phone."

ComputerCOP scans the hard drive and reports on when each file was created or modified. Lounsbury says he is satisfied that Amero intentionally viewed porn in class because the logs show that her computer accessed various inappropriate sites while she was sitting at the computer.

"I take that at face value," Lounsbury told Alternet. "It's evidence. It speaks for itself. The pop-up defense is a Twinkie defense."

Lounsbury said that Amero must have navigated to pornographic sites in order to have infected her computer with obscene popups. "You've got to get that ball rolling," he said.

Horner's analysis of Amero's hard drive cast doubt on Lounsbury's conclusions. Horner found that the computer had been infected with malware before she arrived.

"She was set up days or weeks before she ever sat down," Horner said.

Here are just a few of the red flags Horner discovered in course of his laborious forensic reconstruction: Anti-virus software triggered security alerts as soon as he started copying the hard disk for testing. The computer's Norton activity log showed that by the time Amero came to Kelly, her computer was already infected with spyware from notorious websites including marketscore.com and new.net.

One piece of spyware had been already been tracking the computer for about a month.

Horner also discovered that someone, presumably the computer's regular user, had been accessing eHarmony.com before Amero's visit. As he noted, dating sites are notorious for spreading porn-related adware.

Another program called Pasco showed that malware had automatically redirected Amero's browser. Horner stressed that this particular form of hijacking is invisible to ComputerCOP Pro.

On Oct. 19, someone did an online job search shortly after 8:00 a.m., activating several different malware apps. At approximately 8:15 a.m., someone accessed www.hair-styles.org, Horner suspects student involvement, in part because the next visit was to Crayola's homepage. Over the next several minutes, still more malware came alive, most likely triggered by the hair site.

The user kept surfing, and by this point, "crap was pouring into the computer at the speed of electricity," Horner said. The real point of no return was when the computer received a huge porn-filled Java file. From that point on, the machine was locked in an endless porn loop.

Note that Amero's class started around 9 a.m. Neither the prosecutor nor detective Lounsbury was able to tell AlterNet whether the room had been locked before class, or exactly what time Amero sat down at her desk.

At trial, it emerged that the school IT department offered no protection against obscene content or invasive software. The Kelly Middle School's firewall license had expired, leaving the whole system unguarded. To make matters worse, Amero was working on a very old Gateway PC running Windows 98, an extremely vulnerable setup.

"Anyone could send anything they wanted to any computer on the site," Horner said.

In the course of his investigation, Horner became convinced of Amero's innocence. After she was convicted, he sent a letter to her attorney offering his services pro bono for her upcoming appeal.

"This whole trial was so unfair," Horner said. "When Julie was convicted, I went home that night. I was eating dinner, and I started crying. I just cried my eyes out. This was a total travesty of justice."