Identifying Those Responsible for a “Living Horror” and Its Signficance for Proposed Federal Law

In what can only be described as the worst side of humanity, the bulletin board Dreamboard hosted a members-only sharing of child pornography, particularly of children under 12.  New members could join the board only if they posted child pornography.  Members had to continue to post images of child porn every 50 days or face removal.  The rules of the board, printed in English, Russian, Japanese, and Spanish, included: (1) “Keep the girls under 13, in fact, I really need to see 12 or younger to know your[sic] a brother,” (2) “don’t avoid nudity in previews. I will NOT accept you if there’s no nudity.  And my definition of nudity is pussy or anal in the shot.  You just waste your own time if you don’t do this.  Because you will not get in, if you don’t follow the rules.”  One section of Dreamboard was titled “Super Hardcore,” and the rules required images and videos of “very young kids, getting fucked, and preteens in distress, and or crying. . . . If a girl looks totally comfortable, she’s not in distress, and it does NOT belong in this section.”  This part of the site featured images of adults having violent sexual intercourse with very young children, including infants.  One file was entitled “2yo assfuck she cries for mommy nasty pthc pedo 1 yo 3 yo 4 yo.”  The board amassed over 120 terabytes of violent sexual rape and abuse of children.

According to the rules of the site, members were to use encryption technologies to prevent detection.  The rules specified precisely which encryption technologies and proxy servers should be used and which should be avoided.  Members did not use their real names, but instead screen names to conceal their identities.  All of this suggests that the board went to great lengths to secure their anonymity.

Early this month, Attorney General Eric Holder, Jr. announced that federal investigators has charged 72 people for violating child pornography laws and more than 50 people have been arrested in the United States.  The defendants included doctors, lawyers, police officers, and a Navy commander, according to the Ellis County Observer.  Thirteen of those charged have pled guilty, and four members have been sentenced between 20 and 30 years.  Around 600 people from around the world were members of the bulletin board, which has been shut down.  The bulletin board used a server in Atlanta.  As Assistant Attorney General Lanny Breuer explained, the site “was a living horror.”  John Morton, director of Immigration and Customs Enforcement, declined to say how investigators overcame the technological precautions used by some of the members.  He did tell the New York Times: “To those inclined to abuse small children, know this: this isn’t a place on the Internet or the planet in which you are truly safe.  It may take us some time, it may take us some effort, but we will find you regardless of a screen name, a proxy server or an encryption effort, period.”

The Dreamboard bulletin board hosted a pernicious cyber mob, whose members egged each other on to commit more and more depraved acts.  They provided tips on the steps involved in grooming a child, and lauded members who hosted particularly violent sexual abuse on very young children.  The younger, and more distressed the child, the greater applause and access to the site.  Some of the worst of the worst of humanity, making it difficult to even describe.

The DOJ executed the recent arrests just days after the House Judiciary Committee approved the Protecting Children from Internet Pornographers Act of 2011 (“the Act”), which would require ISPs to implement certain data retention requirements.  Under the bill, ISPs would be required to keep the IP addresses assigned to their subscribers for at least a year to help authorities track down individuals who were violating child pornography laws.  As the Atlantic’s Conor Friedersdorf explains, police can access an individual’s Internet history if the person is suspected of a crime, no probable cause is needed.

The Dreamboard indictments, arriving on the heels of the Act’s house committee approval, raise a number of questions, ones that implicate my advocacy of traceable anonymity (which took cues from Dan Solove’s Future of Reputation) and Paul Ohm‘s important criticism that trading traceability anonymity for section 230 immunity would be like throwing Napalm when a surgical strike would do, or something creative like that.  A key question is whether the arrests show that the Act’s data retention requirements may be unnecessary.  Does the Act buy us too little and cost us too much?  As the arrests show, law enforcement can find child pornographers, even those who engage in the most sophisticated practices to remain hidden.  Conor Friedersdorf argues that the Act may lead us down a slippery slope to J. Edgar Hoover and the potential for government abuse of the massive ISP databases.  He also wisely worries that massive mandated databases are rife for the picking by the group Anonymous, which by my lights isn’t more than a group of bigoted thugs who have fooled the media into believing they are “hacktivists.” (More on Anonymous on the blog and my future book Cyber Civil Rights: Combating Hate in the Information Age).  Does this discussion cast doubt on the notion that Internet intermediaries should retain IP addresses in order to enjoy Section 230’s immunity from liability for the postings of others?  Should we instead think about a notice and track regime, with a proviso to punish those who seek to abuse the privilege?

You may also like...

7 Responses

  1. Ken Rhodes says:

    Many years ago I worked on software for the U.S. military to use for computing manpower requirements. The manpower requirements document for an activity was not highly classified, being labeled simply “for official use only.” The aggregation of those manpower requirements documents into a manpower requirements data base, however, was classified SECRET. The reason was, and is, that there is a much greater downside when a large accumulation of data is exposed to potential compromise.

    By analogy, I would be strongly resistent to a practice of accumulating my life into a single data base, and I see that as a risk our younger generation does not appreciate. (Facebook comes quickly to mind.)

    My impression is that our Federal Government has resources to overcome even some pretty sophisticated attempts at secrecy. I’m sure, for example, that both the FBI and NSA have to deal with cyber-hiding and cyber-deceipt from foreign agencies and agents far more highly developed than any public BBS could possibly mobilize. I believe, therefore, that in the war againse domestic cyber-crime, technology should be our weapon of first choice, rather than data accumulation.

  2. Orin Kerr says:


    Thanks for posting on these interesting questions.

    I’m curious, though, how can one set of arrests suggest that the Act’s data retention requirements may be unnecessary? In a country of 300 million people, does the fact that 50 people have been arrested (and not yet convicted, as I understand it) really provide evidence that a law is being sufficiently enforced? To be clear, I’m not taking a position one way or another on the data retention law: I’m just not sure why you think this one case sheds light on the question.

    Also, why is Section 230 relevant, given that Section 230 doesn’t apply to criminal investigations? See 230(d)(1)(“Nothing in this section shall be construed to impair the enforcement of section 223 of this Act, chapter 71 (relating to obscenity) or 110 (relating to sexual exploitation of children) of title 18, United States Code, or any other Federal criminal statute.”)

    Finally, on the law itself, does the law really say that ISPs would also be required to track subscribers’ Internet activity, address, and credit card numbers? Based on a quick read, the version I looked at only appears to say that temporary IP addresses have to be retained. See section 4. Or is that an outdated version of the bill? I haven’t actually looked at the language until now, so maybe I’m just misreading this.

  3. Ken Arromdee says:

    If you could catch child pornographers by searching random people on the street without warrants, would that justify it?

  4. Danielle Citron says:

    Thanks to you both for responding. Ken puts his finger on what I am using the case for–the likelihood (or seeming likelihood, empirically contestable of course) that government will find criminal defendants, even those most determined to evade detection, under current data retention practices. The Act seems premised on the notion that law will be under-enforced because government can’t pierce encryption/proxy servers and that changing data retention will change that. So is that right, maybe Ken can speak specifically to that. I raised Section 230 because part of law’s under-enforcement relates to the inability to find defendants. Civil plaintiffs don’t have the resources of the government and they likely can’t afford computer forensic experts, if they can afford to sue. Recall the AutoAdmit case. The plaintiffs could only find nine of the 39 posters–the site does not log IP addresses and that mattered as did data retention practices of ISPs. Orin, you are absolutely right to point out the different considerations with section 230 but I thought I would raise other areas in which the question is whether data retention’s costs are worth its benefits. And thanks for the catch on the law–I took that from the Atlantic piece so I will delete it. Thanks so much, both of you!

  5. Orin Kerr says:


    Thanks for replying, Danielle.

    I think the difficulty is that enforcement of the law is always relative: We need to know how much crime is out there, how often the law is successfully enforced, and how that might change if the retention rules were changed.
    My thinking was that a group of arrests doesn’t shed ny light on that: It rules out the possibility that the law is NEVER enforced, but it doesn’t say how much retention rules might improve enforcement, or how many more bad guys would be caught if enforcement were improved.

  6. PrometheeFeu says:

    I think the primary problem here is that suspicion is the standard for release of the information. I think that a much more reasonable law would require probable cause and prior judicial review. Yes it does mean that some bad people (or monstrous people in this case) will get away, but that’s the price to pay for living in a free society. I am honestly very much concerned that law enforcement agencies could use this law to track down and harass citizens engaging in perfectly legal though unpopular activities.

  7. There is no question anonymity can be used for evil. But we must remember that for every sociopath hiding their steps, there is a human right worker somewhere in the world using the same technology to protect themselves and loved ones from retaliation by totalitarian governments or criminal organizations. This is related I think to the American legal ideals of due process that would rather not risk violating a single innocent simply to punish every person of guilt. In the end, anonymity is not just a sometime-requirement for free speech, but a hallmark of political freedom, right down to the ballot box.