Frank Svetlik
Child Pornography Defense Attorney
Contact us for a free consultation

Child pornography investigations based on unreliable computer identification techniques

Article by Attorney Frank Svetlik
January 29, 2023

Law enforcement in child pornography investigations bases accusations on proven to be unreliable computer identification techniques.

Child pornography investigations carried out by the Internet Crimes Against Children computers and law enforcement personnel rely upon matching what they claim is a unique SHA-1 Hash Value of the information in a torrent used on the BitTorrent network (identified by Torrents in Public Spaces TIPS and COPS software) and on the hash value of a group of files identified as files of interest which may be child pornography or child exploitative but not actually child pornography or neither of the above. These libraries of categorized files are maintained by law enforcement and government supported agencies cooperating with one another.

Due to its known weaknesses and the availability of stronger hashing algorithms, SHA-1 has been phased out in many industries and organizations. For example, SHA-1 has been officially deprecated by NIST (National Institute of Standards and Technology) since 2011 and is no longer considered a secure algorithm for digital signatures, certificate validation, or other applications that rely on the integrity of the hashed data. Additionally, major browsers and operating systems have also phased out support for SHA-1 SSL/TLS certificates. The differences in SHA-1 hash values produced by various vendor's software may be due to implementation details, such as the way data is padded or the specific algorithms used to perform certain operations within the SHA-1 algorithm. The existence of collisions using the SHA-1 hash value algorithm was predicted in 2005 and proven to exist in 2017. In 2016 and 2017 articles appeared in the literature describing SHA-1 as insecure and in a shambles. Thereafter and certainly in 2021, in the universe of computer applications the use of SHA-1 is discouraged because of weaknesses which have been found and it is considered as broken and it is recommended to use other algorithms such as SHA-256 or SHA-3.

These facts have not dissuaded affiants in search warrant application affidavits from asserting that the SHA-1 identifier for a file is unique and can be relied upon to prove that the file contains the associated image which has been categorized by law enforcement as prohibited. The magistrate reviewing the submission by the affiant for a search warrant may rely upon the affiant’s assertions of uniqueness based upon the SHA-1 identifier and grant the search warrant when the information about the flaws in the SHA-1 hash value algorithm are withheld from and not revealed to the magistrate. An example of two files which have the same hash value and are demonstrably not identical can be found in the paper by Marc Stephens, Pierre Karpman, Thomas Peyrin, published in the proceedings if the 2017 CHES conference entitled “Freestart Collision for Full SHA-1.”