Operation Ore

A few years ago the UK police carried out Operation Ore. It was a major operation targeting online child pornography. Some 7,272 British residents were added to a police database of people who paid to view child porn online. 4,283 homes were searched, 3,744 people were arrested, 1,451 were convicted. It was a major blow against pedophiles.

Or at least, that was the theory.

The US had a similar operation, Operation Avalanche. They assembled 35,000 entries in their database. Curiously, though, they only charged 100. If the US police could only justify prosecuting less than 1% of their suspects, how could the UK police be arresting more than half of theirs?

The answer is that many of the UK cases are based entirely on use of credit cards to sign up for suspected child porn web sites. Unfortunately, many of the credit cards were stolen. Oh, and many of the web sites contained only legal material. Minor details to the UK police.

The problem comes from the fact that many small porn sites use online transaction processors to handle their credit card transactions, rather than setting up their own merchant accounts. In particular, a company called Landslide in Texas provided credit card subscription services to a large network of affiliate porn sites.

It’s estimated that up to half the money Landslide collected actually ended up in the hands of a ring of Indonesian credit card scammers operating the familiar “small charge” fraud. Also (ab)using the service was a Brazilian hacker who “signed up” more than 3,000 stolen credit card numbers.

Before long, Landslide found itself on the receiving end of thousands of chargebacks from irate credit card owners. The company went bankrupt. Clearly the owner had been a victim of fraud just as the credit card holders had. That wasn’t a good enough excuse for federal prosecutors, though; he ended up in federal prison serving a 180 year sentence.

Meanwhile, UK police were swooping on houses, smashing down doors, seizing computer equipment, and arresting thousands of people on the basis that their credit card numbers had been found on Landslide’s hard drives. Never mind the massive amount of fraud that had pulled Landslide under; never mind whether the affiliate site the credit card holder had supposedly paid to see was legal or not. The police reasoning was apparently: At least one affiliate site held child porn; Landslide membership theoretically allowed users access to all the affiliate sites; John Doe’s credit card was used to sign up via Landslide; therefore John Doe signed up to view child porn.

The problem with the hysteria around child pornography and pedophilia is that if you’re accused, your life can be ruined even if you’re innocent. Plenty of employers will fire anyone as soon as they’re accused. The alleged pedophile finds himself jobless, with all his computer equipment seized by police, who have no obligation ever to return it.

For example, consider the case of naval officer Commodore David White. He was suspended from the navy, who feared that the case would hit the newspapers. It did anyway, but not in the way they expected—the commodore committed suicide by drowning. It turned out that he was totally innocent.

So far, 39 people have committed suicide as a definite result of Operation Ore. The true number may be higher, as not everyone leaves a suicide note. Maybe a few of the dead were guilty, but I’d place bets that the majority were innocent.

A web site has been set up covering the unraveling of Operation Ore. The police must realize things are starting to look bad for them, as they have apparently pressured Google to remove the site from searches. Another web site has information about the forensic investigation of Landslide’s computers. Journalist Duncan Campbell has been acting as an expert witness in some of the defence cases, and has written about Operation Ore in The Guardian. A recent Slashdot article has some first hand experience in the comments.

Update 2007-04-26: More from the Guardian and from Ross Anderson.