Teacher Convicted for Getting Spyware

I found this to be particularly interesting when I read it this morning. In case you didn’t see the story, the rundown is the following:

Her story:

- A school has content filtering software installed, but they don’t maintain the license, so it stops working
- A schoolmarm visits a hair-styling website which has advertising content
- Schoolmarm’s machine receives a piece of spyware that downloads arbitrary ads
- Advertisements for pornographic websites are displayed on the screen
- Children see pornographics ads

Their story:

- She’s an evil schoolmarm; a particularly nasty breed that gets their sick jollies by showing kids pictures of naked people

Clearly showing little kids pictures of couples copulating is totally unacceptable. Now, I have to admit that I’m biased in that I happen to believe her story; of course, there could always be facts that aren’t in the press that establish her guilt beyond question. In other words, there could be more to it and it could be that she is a sicko. Either way, though, I’m astonished that this conviction took place. Specifically, even if the woman is a sicko, I don’t understand how a jury could hear both the above stories (phrased differently, of course) and come to the conclusion that she is culpable for this. Part of establishing that she is culpable is expert testimony on the part of the prosecution that her active involvement was required to bring up the images. Now, most of us with a familiarity with spyware could debate the veracity of this, but again we don’t have the facts in this case. Maybe her involvement was required. Without information about what expert testimony (if any) was on the defense side or what the details of the forensic evidence (if any) there was, it’s all up in the air from our point of view. But what if… What if her story is the real one? What if the defense was underprepared and couldn’t refute the expert testimony of the prosecution? What if she really didn’t do it on purpose?

So this is all titillating and stuff, but there’s really a reason that I’m bringing it up. Specifically, I’ve made the point in the past that the legal community and the information security community are being drawn more and more closely together. The FRCP, Zubulake, breach disclosure laws, and so on are all making it so that information security professionals have to understand something about the law and lawyers have to understand something about information security. And if they don’t? Then you get cases like this… or maybe this teacher’s just a sicko. Could go either way.