Identity Theft

Ever since we had that incident with a spammer trying to use our web site to generate emails, I’ve been checking our web server logs every week. Not only does this allow me to keep tabs on the site to make sure that no-one’s trying to hack it, but it also lets me see what search queries have resulted in people arriving here, and who has been hyperlinking to this site.

Most of these inbound links are from search engines, but some also come from places like movabletype.org, where I have participated on the message boards and left behind my name and a URL. But every now and then I’ll find someone who has seen fit to post a link to one of my weblog entries on his (or her) own blog. That’s cool. It’s always fun to see that someone has enjoyed something I’ve written, and these server logs are sometimes the only way to find out about that.

When I was looking through the server logs yesterday evening, I saw the URL of a site I didn’t recognize. Naturally, I copied the address into a new browser window, and visited the page. What I saw shocked me: it was a picture of my son Alex that I’d taken just a few days after he was born. And not just that. There were about a dozen other baby pictures there as well. And all of them had captions that indicated they were photos of a child called “Felix”.

What the hell was this?

I right-clicked on the picture of Alex, and looked at the image properties. It told me that the picture file was located on my server–which is why I had seen this site’s URL in the referer log. When I viewed the source for the page, it was immediately clear that this whole page of photos dedicated to “Felix” was actually linking to photos on totally different web sites and servers.

I stripped one of the image URLs down to give me the basic site address, and then had a look at that page. This was a genuine web page, run by a woman in the US. It contained lots of photos of her, her husband, and her young son. The offending web site was pointing to pictures of this child as if he were this “Felix”.

I then went to another page on the offending site (which I will call “Site A”–no way am I posting the URL here). On it, the author had put up pictures of some of “Felix’s” cousins. No prizes for guessing that these photos were not located on Site A. I followed the image URLs to their source web site and found that they were pictures of yet another child.

I am quite seriously freaked out at this point.

A look at another couple of web pages revealed a page with a photo of “Felix’s” mother (snatched), some information about these parents (the mother is apparently a dentist, and the father is an electrician), a page giving “Felix’s” height and weight at birth (50cm, 3.15kg on 5th January 2003, supposedly), and even a page with pictures (also pilfered) of their pets.

So what’s going on here?

When I told Abi, she suggested that this might be the work of an artist, who was putting together a project about an imaginary child. It’s possible, but seems unlikely. Another innocent possibility would be that these are genuine parents, who have used other people’s pictures as placeholders until they can put up their own. After all, “Felix” was supposedly born just a few weeks ago, so maybe they haven’t had their first rolls of film developed yet.

Nuh-uh. I don’t buy it.

None of the pictures involve any nudity on the part of the children, and none of the images could be described as prurient. My own first thought was that the author of Site A is a disturbed individual who wants to believe that they have a baby. Perhaps they’d had a miscarriage, and aren’t coping with the loss of their child. I was desperately trying to think of some innocent explanation for this site. But no matter how you innocent a spin you try to put on it, this is just plain wrong.

So I looked up the contact information for the parents of the children whose images had been stolen, and I sent them an email telling them what I’d found. And then I sent an email to the management of the web host where Site A is located, and asked them to get the site’s owner to remove the links to these photos. (Site A does list an email address, but it looks bogus.) I also removed the photos being linked to on my web site, so that they no longer show up on Site A.

This morning I got email back from the parents I emailed, but I haven’t heard back from Site A’s hosts yet. One of the parents has replaced their linked photos with an “under construction” image, so that’s another nail in Site A’s coffin.

But what about the bigger picture?

I found Site A because they were linking to pictures on my site. If my web host supported mod_rewrite in Apache (they don’t), I could stop people from doing this. The technique is mostly used for preventing bandwidth theft, but the principle is the same. But that wouldn’t stop anyone from stopping by here on Sunpig.com, doing a “Save As…” on my photos, and then hosting copies on their own site.

I could password-protect Alex’s part of the web site, and all of his photos. I could distribute user names and passwords to all my family, and friends whom I know take an interest. Anyone else would be presented with the option to email me for a login, provided they could give me a good reason why I should let them in. This wouldn’t even be that difficult to set up, but it would stop people from finding the site by chance and seeing Alex’s pages.

With the explosion in weblogging, I have stumbled across dozens of blogs by parents who enjoy writing about being parents, and about what their kids are doing. It always warms my heart whenever I find a site so clearly filled with love. There’s a pleasant kind of solidarity between parents–especially new parents. When we’re dragging screaming toddlers down the street by their wrist, we exchange weary, knowing glances. While our kids are playing on the swings or slides, we smile at each other to acknowledge how happy they can make us. We strike up spontaneous conversations with complete strangers on bus rides.

I don’t want to take the step of putting Alex’s pages behind a brick wall, and assume that anyone we don’t already know is some kind of pervert. That’s not what parenting is about. I don’t want to raise Alex to be mistrustful of the world. Careful, yes; paranoid, no.

So I’m back to the question: what do I do? I’ve been thinking about this a lot today. I’ve talked it through with some folk at work, and bounced it around with some friends on-line. Responses have ranged from the serious (“contact the police”), via the vigilante-ist (“we’re big lads–let’s find their address and pay them a visit”), to the humorous (“replace the images with spoof pictures”).

This evening after I put Alex to bed, I had another look at Site A. I tracked down the web site where one of the “pets” pictures was hosted. And what do I find? A web site belonging to a young girl. She’s clearly been having fun with FrontPage, but at the top of the page was this message in big letters:

FAIR WARNING. My web site is currently being monitored by the R.C.M.P. for identity theft. Your IP address has now been recorded and is being kept in a permanent file.

Great. Now I’ve got the Mounties after me.

This could mean that I’m not the first one to discover Site A. A more disturbing (and, regrettably, more likely) explanation is that this isn’t the only site that has stolen part of this poor girl’s identity. Yet another option is that the whole thing is part of an elaborate honeypot operation.

What this has decided for me is that I am going to contact the police about this matter. I doubt very much if they will do anything about this particular instance. Their possible lines of attack would be identity theft, or violation of Copyright. I’m not sure if identity theft is a crime in Britain, and in any case the Sunpig.com server is located in the USA, and Site A is hosted in another country altogether. The Copyright option is possibly even weaker, because they only used one image from sunpig.com, which could (conceivably) be claimed as “fair use”.

I do, however, want the police to have me on record as having made a complaint to them. I don’t want to end up in a Pete Townshend situation. And even if they can’t do anything about this instance, it may help them in some other, wider inquiry. (So if you’re involved with “Felix”, here’s fair warning to you: the sunpig.com server logs are being burned to CD and sent to the rozzers.)

This does bring me onto a side note about Copyright, and the Creative Commons licenses that seem to be so popular with webloggers these days. These licenses are designed for people who want to share their work, and donate some of their rights back to the public domain. You can pick and choose what rights you want to give up. For example, you can say that others can “… copy, distribute, display, and perform your copyrighted work–and derivative works based upon it–but only if they give you credit.”

This is a laudable project, run by extremely clever people. But I am concerned about people applying these licenses without thinking through all of the consequences. It may sound like a noble thing to say that others can copy your images, so long as they give proper attribution, but are you really happy with anyone using your words, pictures, or music? Sure, you’d probably be happy for a fellow weblogger to take your photo and display it on his home page with your name displayed prominently beneath it. But what if it were a neo-nazi, or a white supremacist web site? Would you be just as happy to see your name in lights there?

And what if your children’s photos were reproduced on a complete stranger’s web site? Someone who thinks it’s a cracking idea to pass them off as his own children?

For the moment, I’m keeping my Copyrights to myself. I am usually more than happy to let you use my photos or text, but you have to ask me first, and I reserve the right to say “no” if I think you’re a sick freak. “Fair use” is fair, but I don’t think this exemption extends to identity theft.

1 comment

  1. I am working on a research paper for my computer class. Originally I leaned more towards Corprate problems, however after reading your article I decided to discuss identity theft. This story really scared me into thinking. How many stories are there out there were it may not have turned out as it did for you and your family. God bless you and yours. elleina

Comments are closed.