Wednesday, April 23, 2014

Child Pornography, RoundUp and the Subpoena

Not long ago, I did a post on a defendant’s argument that evidence in a child pornography case should be suppressed because investigators used the RoundUp software. A few days ago, I ran across an opinion issued late last year that addressed a variant of that argument. The issue arises in a different context in this case, though.

The case is U.S. v. Brashear, 2013 WL 6065326 (U.S. District Court for the Middle District of Pennsylvania 2013), and this is how it arose:

In 2010, Trooper Matt Powell of the Pennsylvania State Police in Indiana, Pennsylvania, conducted an investigation of peer-to-peer file sharing programs that may have contained child pornography. . . . 

Peer-to-peer file sharing networks enable computer users to share digital files between different network users. . . . Powell used a program called Roundup 1.4.1 (`RoundUp’) to search files available for sharing in the Gnutella peer-to-peer file sharing network. . . .

RoundUp is a modified version of the file sharing software PHEX. . . . RoundUp utilizes a database of `hash values’ from files known to contain child pornography. . . . This database enables law enforcement to identify files with hash values that match the hash values of known child pornography. . . . RoundUp only identifies computer files that are available for downloading from a folder shared with the Gnutella network. . . .

During the court of his investigation, Powell downloaded two videos from the IP address that contained child pornography. . . . [He] identified numerous files associated with child pornography emanating from this same IP address. . . . Comcast Cable Communications controlled the subject IP address. . . . Powell alerted Corporal Thomas Trusal to his findings. . . . 

Trusal obtained a subpoena ordering Comcast to provide subscriber and billing information for this IP address. . . . Based upon an aggregate of investigative materials, including the identification of the registered account holder, [he] secured a search warrant for 1651 Kaiser Avenue, South Williamsport, Pennsylvania, 17702. . . .

[Jeremy T.] Brashear resided in a trailer on the property of the 1651 Kaiser Avenue residence. As a result of information obtained through the execution of the search warrant, Brashear was arrested. . . . Law enforcement eventually secured an additional search warrant for Brashear's trailer and laptop. . . . This search revealed child pornography.

U.S. v. Brashear, supra.

The opinion then explains that on February 24, 2011, a federal grand jury indicted

Brashear for distributing, receiving, and possessing material constituting or containing child pornography, in violation of 18 U.S. Code § 2252A(a). . . . On July 26, 2012, [he] filed a motion . . . to suppress, which the court denied on October 12, 2012. . . . 

On July 25, 2013, Brashear filed an ex parte motion . . . for the issuance and service of a subpoena to compel the Pennsylvania State Police (`PSP’) to provide the source code for RoundUp. Defense counsel explained that he already obtained the PHEX source code and sought access to the RoundUp source code to compare the two. . . .

The court granted the motion on July 26, 2013. . . . On September 23, 2013, Brashear filed a motion . . . to continue trial and jury selection. In support, he averred that, as of that date, the PSP had not produced the required source code. . . .On October 17, 2013, the government filed a motion to quash the subpoena. . . . The government alleges that compliance would be unreasonable and oppressive under Federal Rule of Criminal Procedure 17(c)(2). . . . The motion is fully briefed and ripe for disposition.

U.S. v. Brashear, supra.

The judge began his analysis of the parties’ arguments by noting that Brasher claimed

his subpoena is necessary to determine whether the use of the RoundUp program violated [his] 4th Amendment rights, the Federal Electronic Communications Privacy Act (`FECPA’), 18 U.S. Code § 1510 et seq., the Pennsylvania Wiretapping and Electronic Surveillance Control Act (‘PA Wiretap Act’), 18 [Pennsylvania Consolidated Statutes Annotated] § 5701 et seq., and the Gnutella network protocol.

The government asserts that Brashear is attempting to improperly use Rule 17 as a discovery vehicle, that the source code is subject to the law enforcement privilege, and that the information sought is irrelevant because the use of RoundUp did not violate Brashear's 4th Amendment rights, the FECPA, the PA Wiretap Act, or the Gnutella network protocol.

U.S. v. Brashear, supra.

The judge began the process of ruling on the parties arguments by noting that the

issuance of a subpoena is governed by Federal Rule of Criminal Procedure 17. To obtain a subpoena under Rule 17, the moving party must establish the following:

`(1) that the documents are evidentiary and relevant; (2) that they are not otherwise procurable reasonably in advance of trial by exercise of due diligence; (3) that the party cannot properly prepare for trial without such production and inspection in advance of trial and that the failure to obtain such inspection may tend unreasonably to delay the trial; and (4) that the application is made in good faith and is not intended as a general “fishing expedition.”’ U.S. v. Nixon, 418U.S. 683 (1974). The court must reconsider the Nixon standard when disposing of a motion to quash. . . .

U.S. v. Brashear, supra.

The judge then held that he found

the source code for RoundUp is not relevant because its use did not violate Brashear's 4th Amendment rights, the FECPA, and the PA Wiretap Act. Further, any violation of the Gnutella network protocol is irrelevant. 

U.S. v. Brashear, supra.

He began his analysis with the 4th Amendment, finding that the source code for the

RoundUp program is not relevant because investigating the use of a peer-to-peer file sharing program does not violate the 4th Amendment's protection against unreasonable searches. The 4th Amendment provides that `[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.’ U.S. CONST. amend. IV. 

A typical 4th Amendment analysis begins with analyzing whether the defendant possesses a reasonable expectation of privacy in the object being searched. Katz v. U.S., 389 U.S. 347 (1967). . . . Numerous cases have held that there is no reasonable expectation of privacy in files made available to the public through peer-to-peer file sharing programs. . . .

U.S. v. Brashear, supra.

The judge also explained that Brashear

wishes to compare the modified source code for RoundUp with the original PHEX source code, but there is no need. The RoundUp program only accesses files shared through the file sharing network. . . . By sharing files with the network, Brashear essentially shared those files with the public. 

He had no reasonable expectation of privacy over the files shared with Gnutella and, therefore, the use of the RoundUp program could not have violated his 4th Amendment rights.

Brashear responds that, pursuant to U.S.v. Jones, 132 S.Ct. 945 (2012), the use of the RoundUp program constituted a physical trespass of Brashear's `effect’ -- the computer -- and was therefore an unreasonable search.

In Jones, the Court addressed whether the warrantless installation of a GPS tracking device to the defendant's motor vehicle violated his 4th Amendment rights. . . . The Court concluded the defendant's `4th Amendment rights do not rise or fall with the Katz formulation’ concerning the defendant's reasonable expectation of privacy. . . . 

Instead, the Court found the defendant's motor vehicle was an `effect’ and the warrantless physical trespass of that `effect’ to obtain information or evidence constituted an unreasonable search under the 4th Amendment. . . . However, the Court noted that `[s]ituations involving merely the transmission of electronic signals without trespass would remain subject to [the] Katz analysis.’ Id. (emphasis in original).

U.S. v. Brashear, supra.

This judge also pointed out that “several” courts

have rejected the application of Jones to the investigation of file sharing programs.  See Russell v. U.S., 2013 WL 5651358 (U.S. District Court for the Eastern District of Missouri 2013); U.S. v. Brooks, 2012 WL 6562947 (U.S. District Court for the Eastern District of New York 2012); State v. Lemasters,  2013 WL 3463219 (Ohio Court of Appeals 2013).

The court concurs with the rationale of these decisions. The investigation of a file sharing program does not involve any physical trespass onto a constitutionally protected area. Powell did not physically enter Brashear's home or access his computer. Instead, Powell simply used a program that identified child pornography available on a public peer-to-peer file sharing program. This investigation involves `the transmission of electronic signals without trespass’ and does not implicate Brashear's 4th Amendment rights under Jones.

U.S. v. Brashear, supra.

The judge quickly disposed of Brashear’s remaining arguments.  He noted, first, that

Brashear also alleges that the subpoena is relevant to determining whether the warrantless use of RoundUp violated the FECPA and the PA Wiretap Act. Brashear provides no explanation for how these statutes potentially apply in the case sub judice and the court is unaware of any possible violation of these laws.

U.S. v. Brashear, supra.

And, finally, he noted that Brashear

states that the use of RoundUp violates Section 4.4 of the Gnutella network protocol, which requires that users who are able to download files must also be able to share files with others. . . . Trusal testified that RoundUp is only able to download files from another computer and is not able to upload any files. . . .

It is unclear how obtaining the RoundUp source code would shed any further light on this alleged violation. Moreover, Brashear does not posit how this alleged violation is relevant in the case sub judice. Indeed, application of the exclusionary rule is typically reserved for violations of a constitutional dimension. . . .

U.S. v. Brashear, supra.

The judge therefore held that the source code for RoundUp

is simply not relevant to determining any issue in the case. There is no indication that the use of RoundUp violated Brashear's rights under the 4th Amendment, the FECPA, or the PA Wiretap Act. The potential violation of the Gnutella network protocol is irrelevant. For the above-stated reasons, the court will grant the government's motion to quash.

U.S. v. Brashear, supra.  He then entered an order to that effect, which brought this matter to an end. U.S. v. Brashear, supra.

Monday, April 21, 2014

Lavabit, Encryption and Contempt

This post examines an opinion the U.S. Court of Appeals for the 4th Circuit recently issued in a case involving a criminal investigation and the imposition of sanctions for contempt:  In re Under Seal, 2014 WL 1465749 (2014).  The judge who wrote the opinion for the court begins by outlining how the case arose:

Lavabit LLC is a limited liability company that provided email service. Ladar Levison is the company's sole and managing member.  

In 2013, the United States sought to obtain certain information about a target in a criminal investigation. To further that goal, the Government obtained court orders under both the Pen/Trap Statute, 18 U.S. Code §§ 3123 - 3137, and the Stored Communications Act, 18 U.S. Code §§ 2701 - 2712 requiring Lavabit to turn over particular information related to the target. When Lavabit and Levison failed to comply with those orders, the district court held them in contempt and imposed monetary sanctions. Lavabit and Levison now appeal the sanctions.

In re Under Seal, supra.  In a footnote, the judge explains that “[b]ecause of the underlying criminal investigation, portions of the record, including the target’s identity, are sealed.”  In re Under Seal, supra. 

The judge then explains that the case concerns the encryption processes Lavabit

used while providing its email service. Encryption describes the process through which readable data, often called `plaintext,’ is converted into `ciphertext,’ an unreadable jumble of letters and numbers. Decryption describes the reverse process of changing ciphertext back into plaintext. Both processes employ mathematical algorithms involving `keys,’ which facilitate the change of plaintext into ciphertext and back again.

Lavabit employed two stages of encryption for its paid subscribers: storage encryption and transport encryption. Storage encryption protects emails and other data that rests on Lavabit's servers. Theoretically, no person other than the email user could access the data once it was so encrypted. By using storage encryption, Lavabit held a unique market position in the email industry, as many providers do not encrypt stored data.

Although Lavabit's use of storage encryption was novel, this case primarily concerns Lavabit's second stage of encryption, transport encryption. This more common form of encryption protects data as it moves in transit between the client and the server, creating a protected transmission channel for internet communications. Transport encryption protects not just email contents, but also usernames, passwords, and other sensitive information as it moves. Without this type of encryption, internet communications move exposed en route to their destination, allowing outsiders to `listen in.’ Transport encryption also authenticates-that is, it helps ensure that email clients and servers are who they say they are, which in turn prevents unauthorized parties from exploiting the data channel.

Like many online companies, Lavabit used an industry-standard protocol called SSL (short for `Secure Sockets Layer’) to encrypt and decrypt its transmitted data. SSL relies on public-key or asymmetric encryption, in which two separate but related keys are used to encrypt and decrypt the protected data. One key is made public, while the other remains private. In Lavabit's process, email users would have access to Lavabit's public keys, but Lavabit would retain its protected, private keys. This technology relies on complex algorithms, but the basic idea is akin to a self-locking padlock: if Alice wants to send a secured box to Bob, she can lock the box with a padlock (the public key) and Bob will open it with his own key (the private key). Anyone can lock the padlock, but only the key-holder can unlock it.

The security advantage that SSL offers disappears if a third party comes to possess the private key. . . . [A] third party holding a private key could read the encrypted communications tied to that key as they were transmitted. In some circumstances, a third party might also use the key to decrypt past communications (although some available technologies can thwart that ability). And, with the private key in hand, the third party could impersonate the server and launch a man-in-the-middle attack.

When a private key becomes anything less than private, more than one user may be compromised. Like some other email providers, Lavabit used a single set of SSL keys for all its various subscribers for technological and financial reasons. Lavabit in particular employed only five key-pairs, one for each of the mail protocols it supported. As a result, exposing one key-pair could affect all of Lavabit's estimated 400,000–plus email users.

In re Under Seal, supra. 

That brings us to the case itself.  The opinion explains that on June 28, 2013, the

Government sought and obtained an order (`the Pen/Trap Order’) from a magistrate judge authorizing the placement of a pen register and trace-and-trap device on Lavabit's system. This `pen/trap’ device is intended to allow the Government to collect certain information, on a real-time basis, related to the specific investigatory target's Lavabit email account. In accordance with the Pen/Trap Statute, . . .  the Pen/Trap Order permitted the Government to `capture all non-content dialing, routing, addressing, and signaling information . . . sent from or sent to’ the target's account. . . . 

In other words, the Pen/Trap Order authorized the Government to collect metadata relating to the target's account, but did not allow the capture of the contents of the target's emails. The Pen/Trap Order further required Lavabit to `furnish [to the Government] . . . all information, facilities, and technical assistance necessary to accomplish the installation and use of the pen/trap device unobtrusively and with minimum interference.’ . . .

On the same day the Pen/Trap Order issued, FBI agents met with Levison, who indicated he did not intend to comply with the order. Levison informed the agents he could not provide the requested information because the target-user `had enabled Lavabit's encryption services,’ presumably referring to Lavabit's storage encryption. . . . But, at the same time, Levison led the Government to believe he `had the technical capability to decrypt the [target's] information.’ . . . Nevertheless, Levison insisted he would not exercise that ability because `Lavabit did not want to “defeat [its] own system. . . . ”’

[T]he Government obtained an additional order that day compelling Lavabit to comply with the Pen/Trap Order. This `June 28 Order,’ again issued by a magistrate judge, instructed Lavabit to `provide the [FBI] with unencrypted data pursuant to the [Pen/Trap] Order’ and reiterated that Lavabit was to provide `any information, facilities, or technical assistance . . . under the control of Lavabit . . .  [that was] needed to provide the FBI with the unencrypted data.’ . . . Further, the June 28 Order put Lavabit and Levison on notice that any `[f]ailure to comply’ could result in `any penalty within the power of the Court, including the possibility of criminal contempt of Court.’ . . .

In re Under Seal, supra. 

The opinion says that “[o]ver the next eleven days, the Government attempted to talk with Levison about implementing the Pen/Trap Order”, but Levison “ignored the FBI's repeated requests to confer and did not give the Government the unencrypted data the June 28 Order required.” In re Under Seal, supra.  As each day passed, the Government lost forever the ability to collect the target-related data for that day.” In re Under Seal, supra.  Because Lavabit refused to comply with the prior orders,” the

Government obtained an order to show cause from the district court on July 9. The show cause order directed Lavabit and Levison, individually, to appear and `show cause why Lavabit LLC ha[d] failed to comply with the orders entered June 28, 2013[ ] in this matter and why [the] Court should not hold Mr. Levison and Lavabit LLC in contempt for its disobedience and resist[a]nce to these lawful orders.’ . . .

Entry of the show cause order spurred a conference call between Levison, his counsel, and representatives from the Government on July 10. During that call, the parties discussed how the Government could install the pen/trap device, what information the device could capture, and how the Government could view and preserve that information. In addition, the Government asked whether Levison would provide the keys necessary to decrypt the target's encrypted information. Although the Government again stressed that it was permitted to collect only non-content data, neither Levison nor his counsel indicated whether Lavabit would allow the Government to install and use the pen/trap device.

On July 13, 2013, four days after the show cause order issued, Levison contacted the Government with his own proposal as to how he would comply with the court's orders. In particular, Levison suggested that Lavabit would itself collect the Government's requested data:

I now believe it would be possible to capture the required data ourselves and provide it to the FBI. Specifically the information we'd collect is the login and subsequent logout date and time, the IP address used to connect to the subject email account and [several] non-content headers . . . from any future emails sent or received using the subject account. . . .Note that additional header fields could be captured if provided in advance of my implementation effort.

. . . Levison conditioned his proposal with a requirement that the Government pay him $2,000 for his services. More importantly, [he] intended to provide the data only `at the conclusion of the 60[-]day period required by the [Pen/Trap] Order . . . [ or] intermittently . . . as [ his] schedule allow[ed].’ If the Government wanted daily updates, Levison demanded an additional $1,500.

The Government rejected Levison's proposal, explaining that it needed `real-time transmission of results.’ . . . Moreover, the Government would have no means to verify the accuracy of the information Lavabit proposed to provide -- a concerning limit given Lavabit's apparent hostility toward the Government. Levison responded by insisting that the Pen/Trap Order did not require real-time access, but did not otherwise attempt to comply with the Pen/Trap Order or the June 28 Order.

In re Under Seal, supra. 

On July 26, Levison “appeared [for the show cause hearing] before the district court pro se, on behalf of himself and Lavabit”. In re Under Seal, supra.  When he was asked if he intended to “comply with the Pen/Trap Order,” Levison said “he had `always agreed to the installation of the pen register device.’” In re Under Seal, supra.  But he “objected to turning over his private SSL encryption keys `because that would compromise all of the secure communications in and out of [his] network, including [his] own administrative traffic.’” ” In re Under Seal, supra. He also “maintained [t]here was never an explicit demand [from the Government] that [he] turn over the keys.’” In re Under Seal, supra. 

After the show cause hearing, Lavabit did permit the Government to install a pen/trap device. But, without the encryption keys, much of the information transmitted to and from Lavabit's servers remained encrypted, indecipherable, and useless. The pen/trap device was therefore unable to identify what data within the encrypted data stream was target-related and properly collectable.

In re Under Seal, supra. 

On August 1, the U.S. District Court Judge who had the case held another hearing and “entered an order . . . directing Lavabit to turn over its encryption keys” “5:00 pm on August 2, 2013.”  In re Under Seal, supra.  The opinion says Lavabit “dallied and did not comply” with the order until “[j]ust before the 5:00 pm August 2 deadline” when Levison gave “the FBI with an 11–page printout containing largely illegible characters in 4–point type, which he represented to be Lavabit's encryption keys.” In re Under Seal, supra. 

“The Government instructed [him] to provide the keys in an industry-standard electronic format by the morning of August 5” but he “did not respond.”  In re Under Seal, supra.  On August 5, the government moved for sanctions against Levison and Lavabit for their “continuing `failure to comply’” with the judge’s order.  In re Under Seal, supra.  The motion asked the court to award “penalties of $5,000 a day” until Lavabit provided the encryption keys to the Government.  In re Under Seal, supra.  Levison turned over the keys two days later, by which time “six weeks of data regarding the target had been lost.”  In re Under Seal, supra. 

Lavabit and Levison appealed the order to the Court of Appeals for the 4th Circuit, but they lost.  In re Under Seal, supra.  The court began its analysis of their argument on appeal by noting that when they were before the district court judge,

Lavabit failed to challenge the statutory authority for the Pen/Trap Order, or the order itself, in any way. Yet on appeal, Lavabit suggests that the district court's demand for the encryption keys required more assistance from it than the Pen/Trap Statute requires. Lavabit never mentioned or alluded to the Pen/Trap Statute below, much less the district court's authority to act under that statute. In fact, with the possible exception of an undue burden argument directed at the seizure warrant, Lavabit never challenged the district court's authority to act under either the Pen/Trap Statute or the [Stored Communications Act].

In re Under Seal, supra. 

The Court of Appeals then explained that “[o]ur settled rule is simple: `[a]bsent exceptional circumstances, . . . we do not consider issues raised for the first time on appeal.’” In re Under Seal, supra (quoting Robinson v. Equifax Info. Services, LLC, 560 F.3d 234 (U.S. Court of Appeals for the 4th Circuit 2009)).  It noted that it follows this rule because holding that the failure to raise an issue below waives the litigant’s right to raise it on appeal fosters “respect for the lower court”, “avoids unfair surprise to the other party”, and “acknowledges the need for finality in litigation and conservation of judicial resources.”  In re Under Seal, supra.  It also agreed with the U.S. Court of Appeals for the 3rd Circuit, which held that issue waiver rules “`prevent parties from getting two bites at the apple by raising two distinct arguments’” before two different courts.  In re Under Seal, supra (quoting In re Diet Drugs Product Liability Litigation, 706 F.3d 217 (U.S. Court of Appeals for the 3rd Circuit 2013)).

The Court of Appeals for the 4th Circuit also pointed out that

. . . waiver principles apply with equal force to contempt proceedings. . . . If anything, `[t]he axiom that an appellate court will not ordinarily consider issues raised for the first time on appeal takes on added significance in the context of contempt.’ In re Bianchi, 542 F.2d 98 (U.S. Court of Appeals for the 1st Circuit 1976). After all, `[d]enying the court of which [a party] stands in contempt the opportunity to consider the objection or remedy is in itself a contempt of [that court's] authority and an obstruction of its processes.’  In re Bianchi, supra.  

The Court of Appeals therefore rejected Lavabit’s/Levison’s argument that “it preserved an appellate challenge to the Pen/Trap Order when Levison objected to turning over the encryption keys at the initial show cause hearing.”  In re Bianchi, supra.  It noted that

[i]n making his statement against turning over the encryption keys to the Government, Levison offered only a one-sentence remark: `I have only ever objected to turning over the SSL keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic.’ . . .

This statement -- which we recite here verbatim -- constituted the sum total of the only objection Lavabit ever raised to the turnover of the keys under the Pen/Trap Order.

We cannot refashion this vague statement of personal preference into anything remotely close to the argument that Lavabit now raises on appeal: a statutory-text-based challenge to the district court's fundamental authority under the Pen/Trap Statute. Levison's statement to the district court simply reflected his personal angst over complying with the Pen/Trap Order, not his present appellate argument that questions whether the district court possessed the authority to act at all.

In re Bianchi, supra.  

For these and other reasons, the Court of Appeals held that

[i]n view of Lavabit's waiver of its appellate arguments by failing to raise them in the district court, and its failure to raise the issue of fundamental or plain error review, there is no cognizable basis upon which to challenge the Pen/Trap Order. The district court did not err, then, in finding Lavabit and Levison in contempt once they admittedly violated that order. The judgment of the district court is therefore . . . AFFIRMED.

In re Bianchi, supra.  

As this story notes, Lavabit was Edward Snowden’s email provider.  You can read more about the court’s decision here, and you can find the opinion here.