Child Pornography Charges in Florida: Can Malware Set Someone Up?

June 25, 2025 Don Pumphrey, Jr. Criminal Defense, Sex Crimes Social Share

In Florida, possession of child pornography is a very serious felony offense. It is generally considered a third-degree felony, punishable by up to 5 years in prison and a $5,000 fine per image or exhibit. However, some cases may involve charges of aggravated possession – a second-degree felony punishable by up to 15 years in prison and a $10,000 fine.

But what happens if someone does not seek out child sex abuse material (CSAM) – yet it ends up on their device anyway due to factors outside their control, such as malware attacks? This blog will explore the very real dangers of malware, remote access exploits, botnets, and other methods of infiltration by which CSAM may end up on someone’s device without their knowledge – yet still lead to their arrest and conviction.

Fla. Stat. Section 827.071(5) regulates the offense of possession of child sexual abuse material (child pornography) in Florida. To secure a conviction, the State must prove the following elements beyond a reasonable doubt:

• The defendant knowingly and intentionally possessed, controlled, or viewed a photograph, video or digital file that includes sexual conduct by a child
• The defendant knew or should have known the content involved a minor

In Florida, there are two key theories surrounding possession of CSAM and other illegal material: actual possession and constructive possession. In CSAM cases, an argument of actual possession is very rare – unless police catch someone directly viewing the illegal materials or seize it from their person, there is no direct evidence that they knowingly possessed it.

The vast majority of CSAM cases proceed on a theory of constructive possession. To prove that someone constructively possessed CSAM, the State must prove all of the following beyond a reasonable doubt:

• The defendant had knowledge of the contraband (CSAM)
• The defendant had the ability to exercise control or dominion over the contraband
• The defendant had knowledge of the illegal nature of the contraband 

If this cannot be proven with circumstantial evidence and no evidence of actual possession is introduced, someone cannot be convicted of possessing CSAM (or other contraband, such as illegal drugs) under Florida law. Nugent v. State, 275 So.3d 721 (Fla 2d. DCA 2019). 

Because of the nature of constructive (indirect) possession cases, the State is often forced to rely heavily upon circumstantial evidence to prove their case. Prosecutors may argue the presence of CSAM files on someone’s device proves their guilt. But while a constructive possession argument may make it easier to secure a conviction, it also makes it easier for someone to potentially be set up and wrongly convicted for allegedly possessing CSAM.

Various software infiltration vectors (malware) exist that can lead to the installation of CSAM on a device without the knowledge of the user. The following are some common examples.

The first of these is Trojan horse viruses. Trojan horses may be installed on someone’s device as a program that masquerades as legitimate software. However, Trojan horses secretly allow unauthorized downloads in the background of a device – which can modify image or file directories invisibly, including in a device’s cache.

This is particularly relevant when CSAM is discovered in the cache of someone’s device. A cache is an area of the device that downloads temporary files, often for the purpose of improving user experience. It essentially acts as a “subconscious” component of your phone or computer – the vast majority of users generally do not access the cache, but it is always operating and saving files.

In addition to typical Trojan horse viruses, Remote Access Trojans (RATs) allow for complete control of a computer or device without the user’s knowledge. Someone other than the user of a device can download, rename, and hide illegal content on the device – including in its cache. However, if this content is flagged and reported to law enforcement, the user of the device may be arrested and charged for possessing CSAM.

Other avenues by which CSAM may arrive on someone’s device without their knowledge include web browser exploits and cache contamination. The most frequent forms of these include:

• Drive-by downloads
• Malicious ads (maladvertising)
• Exploit kits such as Blackhole and Neutrino

Drive-by downloads can occur simply by clicking a link on a compromised website – and may result in CSAM being streamed to someone’s device (including to their cache or temporary files folder) without their knowledge. Maladvertising and exploit kits also allow unlawful images or videos to automatically download to devices without the knowledge of the user.

Yet another method by which CSAM may arrive on a device is through messaging and social media application exploits – most commonly on platforms such as WhatsApp, Telegram and Signal. By enabling certain settings (some of which may be default settings on the application), a user may have media automatically saved to their camera roll from these applications.

If someone is added to a group chat on one of these platforms with or without their knowledge, and CSAM files are shared with a group without the knowledge of that person, those files may end up on someone’s device without them consciously acting to put them there. 

Other methods by which CSAM files may arrive on someone’s device without their knowledge or intent may include browser hijacking extensions and botnets. These also have the capability to remotely install illegal content into the cache of a device – generally inaccessible to the average user of a cell phone or computer.

In addition to digital malware, physical malware can also be used to install CSAM on a device without a user’s knowledge. A prominent example of this is a “Rubber Ducky.” A Rubber Ducky is a physical USB drive that can be plugged into someone’s computer or other device. 

It appears to be a normal flash drive at first glance. However, a Rubber Ducky is actually an avenue by which malware can be physically introduced onto someone’s device by a third party – simply by plugging in a thumb drive. Typical uses of a Rubber Ducky in the context of CSAM may include:

• Opening Powershell or another task automation system on a computer and downloading CSAM files silently from the web
• Launching a remote access tool (RAT) that allows another user to install CSAM remotely onto someone’s device
• Creating hidden directories in which to place illegal files
• Setting up self-destruct or log-wiping scripts
• Placing CSAM on a device (which may trigger law enforcement involvement) then removing evidence of the attack

A key issue in CSAM cases is that law enforcement and prosecutors are likely to do sufficient forensic analysis to confirm the presence of illegal files on a device – but not enough to adequately detect malware or other third-party installation methods. As a result, a theory of “constructive possession” may lead to a wrongful conviction in many CSAM cases – because knowledge and intent are assumed by virtue of a user’s proximity to the images.

Unless extensive forensic analysis is conducted to examine a device for malware, many of these digital or physical infiltrations (which may result in the placement of CSAM on someone’s device without their knowledge or intent) are likely to go undetected. This lack of due diligence may lead to a wrongful charge or even a wrongful conviction based on a theory of constructive CSAM possession. 

Various defenses are available if someone is arrested and charged with alleged CSAM possession. These defenses may include:

• Lack of knowledge or intent to view the content (files in cache, thumbnails, and lack of user interaction)
• Shared devices or IP attribution issues (no clear link between user activity and file download)
• Malware or remote access
• Challenging hash matches or metadata
• Illegal searches and seizures
• Daubert challenges to digital forensic evidence

In sum, possession of child pornography (CSAM) is a very serious felony offense in Florida. Each exhibit found may be charged as a second- or third-degree felony, depending on the facts of a case. The vast majority of CSAM-related cases proceed on a theory of constructive possession. 

This may lead to someone’s conviction even if the State does not provide tangible evidence that the person knowingly viewed, downloaded or possessed CSAM – and is generally established by the sole fact of the material’s presence on a device. An erroneous verdict in such cases is made even more likely by the wide variety of physical and digital malware that can install CSAM on a device without a user’s knowledge – and avoid detection by basic forensic examination.

If someone is arrested and charged in a case involving possession or distribution of child pornography, it is critical to find experienced and trusted legal representation as soon as possible. This decision could make the difference in whether or not someone faces a lengthy prison term and hefty fines.

Criminal Defense Attorney in Tallahassee, FL

Don Pumphrey, Jr. is a Former Prosecutor, Former State Police Officer, Lifetime Member of the Florida Association of Criminal Defense Lawyers; for over 25 years as a private defense attorney who is Trusted, Experienced, Aggressive in Criminal Defense as a Trial Attorney, Criminal Lawyer, Criminal Defense Lawyer for the accused in Florida State Courts located in Tallahassee, Florida but handling cases throughout the State of Florida.

Don Pumphrey, Jr. and the Tallahassee criminal defense lawyers at Pumphrey Law have decades of experience fighting drug charges on behalf of clients and winning. Call Pumphrey Law now at (850) 681-7777 to learn more about what we can do for you. Our lawyers will be happy to provide you with a free consultation.

  Social Share