New York state Attorney General Andrew Cuomo is raising the eyebrows of defense attorneys over his recently exposed plans to pay the controversial anti-piracy firm MediaDefender to gather evidence for child-porn prosecutions.

A law enforcement partnership with the peer-to-peer policing company raises questions about possible conflicts of interest and the integrity and security of evidence collected for criminal prosecutions, say attorneys.

"Generally it is not looked upon favorably when a prosecutor engages a private company to collect evidence in a case or to ... partner with in a criminal case," says San Francisco public defender Jeff Adachi. "This raises grave ethical concerns regarding the propriety of that relationship between the prosecuting authority and the private company, and it also could potentially show favoritism toward that company in the future," if the company broke a different law in New York and faced prosecution by the attorney general's office.

MediaDefender, a peer-to-peer policing firm that works with the entertainment industry to thwart the illegal trading of copyright works, became the target of hackers who stole and recently posted more than 6,000 of the company's internal e-mails online, along with a database, source code for its file-sharing tools and a recorded phone call between a MediaDefender employee and investigators with the New York attorney general's office.

The e-mails and the recorded phone call revealed that the attorney general's office planned to outsource certain steps in its evidence-collection process against New York child-porn violators to MediaDefender, a company based in Santa Monica, California.

Few specifics are known about the project, and MediaDefender did not return several phone calls seeking comment. The New York attorney general's office will not speak on the record about it.

But according to the e-mails, MediaDefender planned to unleash a peer-to-peer crawler to search unspecified file-sharing networks for child-porn videos and images based on keywords – such as "young," "kids" and "taboo" – provided by the AG's office.

Once suspected image files were found, the software would collect the IP address of the machines trading those files and filter for any addresses based in New York. The data MediaDefender collected would then be sent automatically to the AG's office, where investigators would analyze and investigate it, using a MediaDefender application to visit the IP addresses and download the suspect files.

It's unclear whether MediaDefender planned to download the suspected child porn itself, or leave that to the AG's investigators. Jeffrey Lerner, spokesman for the New York AG's office, refused to comment on the record about whether MediaDefender was downloading child porn, due to "an ongoing investigation."

If the company knowingly downloaded child porn, it could run afoul of federal law, notwithstanding any arrangement it made with state authorities, legal experts say. Either way, several defense attorneys expressed surprise that a law enforcement agency would outsource any evidence collection to a private company.

"It is bizarre," says Martin Pinales, former president of the National Association of Criminal Defense Lawyers. "What they're doing is saying, 'We're going to make you a bounty hunter. We're going to pay you to go collect evidence so that in the future we can prosecute somebody.' But (MediaDefender doesn't) have the training of law enforcement."

Jeffrey Douglas, a criminal defense attorney in Santa Monica, California, finds other aspects of the MediaDefender law enforcement partnership disturbing. A private company that's under contract to collect information for law enforcement investigators has a financial incentive to produce results, he says.

"At the end of the contract, if they haven't made 'x' number of cases, are they going to lose their contract?" he asks. "The company knows there are certain expectations that they're going to accomplish, or they're not going to get another contract."

He also expressed concern about what could be described as a fishing expedition to net as many suspects as possible using less-than-accurate tools.

The e-mails between MediaDefender and the AG's office, for example, discuss sending the AG 1 gigabyte of "media data" daily, along with "a couple thousand New York IPs that our geo IP database identified using our software." An initial test MediaDefender conducted for the AG's office produced "a lot of false positives," according to one of the exposed e-mails.

"No software can determine whether a person (in a picture) is 17 or 18," Douglas says, so there are bound to be a lot of innocent IP addresses collected by MediaDefender and sent to the AG, before further investigation weeds out innocent suspects from actual lawbreakers.

San Francisco public defender Adachi says the relationship also conceivably gives MediaDefender the power to decide whom to collect evidence against and whom to let go.

"Say I ... find a web site that's run by my sister-in-law and decide that, 'Geez, I'm not going to turn that over,'" Adachi says. "There's no sworn duty by the private company (collecting evidence for law enforcement) to prosecute people in a fair, evenhanded manner."

On top of all these concerns is the issue of data security and the integrity of evidence against manipulation by intruders – either inside or outside the company – particularly in light of the hack of MediaDefender's internal e-mail. Of course, evidence on a law enforcement computer is at the same risk of being accessed and altered, but the e-mail breach at MediaDefender makes the danger all the more glaring.

"It is extremely difficult to protect the material under the best of circumstances," Douglas says. "The more computers it passes through and separate control centers that it passes through, the less likely it is that the integrity of the material will be maintained."

In the phone call between MediaDefender and the AG's office, an AG investigator tells MediaDefender that the "intelligence information" MediaDefender is sending them needs to be able to stand up in court, and that the AG needs to know that there's no chance that the data coming from MediaDefender was compromised, edited or modified.

Then there's the question of MediaDefender's own trustworthiness. Legal experts say the biggest risk for prosecutors in using a private company like MediaDefender to aid in catching child pornographers is that the company's stock-in-trade is deception: It specializes in introducing decoy "pirated" content onto file-sharing networks.

A blogger even discovered in July that the company was secretly operating a video-download site called MiiVi – apparently as another way of injecting decoy files and tracking downloaders. The hacked e-mails show the company tried unsuccessfully to hide its connection with the site, and even relaunched it under another name after it was exposed.

Mark Rasch, a former Justice Department cybercrime lawyer and current managing director of technology for FTI Consulting, says if he were defending a child-porn suspect against evidence produced by a law enforcement agency that worked with MediaDefender, he would raise an obvious question.

"How do we know that MediaDefender didn't put these files on the computer first?" he says.