Wednesday, June 25, 2008

IP Spoofing

In an opinion issued a few months ago, a federal district court in Nevada ruled on a defendant’s motion to suppress.

The motion
challenged whether evidence that an Internet Protocol (IP) address has allegedly been used to access and download child pornography, combined with evidence regarding the IP address subscriber's identity and residential address, is sufficient to provide probable cause to believe that evidence of child pornography will be found at the subscriber's residence.
U.S. v. Carter, 2008 WL 623600 (U.S. District Court – District of Nevada 2008).

Mr. Carter was charged with receiving and possessing child pornography in violation of federal law. The charges were based on evidence that was found during a search of his residence. U.S. v. Carter, supra. The search was conducted with a search warrant, the probable cause for which was based on an affidavit from an FBI Agent: Agent Flaherty. U.S. v. Carter, supra.


In the federal system, as in, I believe, all states, an officer seeking a search warrant from a magistrate submits an application for the warrant and, to establish probable cause for the issuance of the warrant, usually submits an affidavit. Federal Rule of Criminal Procedure 41(d)(1), for example, states that “[a]fter receiving an affidavit or other information, a magistrate judge . . . must issue a warrant if there is probable cause to search for and seize . . . property”.

The affidavit Agent Flaherty submitted recounted an investigation another FBI agent, Agent Luders, had conducted “of the Ranchi message board which is a hard core child pornography message board . . . in Japan.” U.S. v. Carter, supra. Agent Luders was able to download “video and image files” from the board that contained child pornography, but because Japan’s “child pornography laws are different than those of the United States” he was not able to get a search warrant for user logs “that would have enabled the Government to identify users who” had downloaded child pornography from the Ranchi site. U.S. v. Carter, supra.

To get around that, Agent Luders logged into the Ranchi message board and created a posting that advertised a video of a four-year-old girl engaging in sexual activity with an adult male. U.S. v. Carter, supra. Forty minutes later, he posted another message, which stated that he had inadvertently posted the wrong video the first time; this message sent Ranchi patrons to another website to download the “correct” video. U.S. v. Carter, supra. That site “also returned to the covert FBI computer in San Jose, California which captured the . . . IP addresses of the users who accessed the website . . . and attempted to download the advertised video.” U.S. v. Carter, supra.

According to Agent Flaherty’s affidavit, several hundred IP addresses tried to download the video, one of which was IP address 68.108.184.145. U.S. v. Carter, supra.
The Affidavit described the steps taken . . . to identify the user of 68.108.184.145. A search of the publicly available website arin.net revealed . . . [it] was controlled by Cox Communications. . . . [T]he Government served an administrative subpoena on Cox Communications to identify the . . . subscriber to IP address 68.108.184.145 on [the date it was used in an attempt to download the video file]. . . . Cox . . . responded by identifying Luana Carter, . . . Las Vegas, Nevada . . . as the subscriber to . . . 68.108.184.145. . . . On January 17, 2007, the Government conducted a search of the public records data base LexisNexis which indicated that Luana Carter resided at the above listed address and that Defendant Travis Carter was a household member at that address. . . . On January 17, 2007, the Government also checked Nevada Department of Motor Vehicle records which revealed a current driver's license for Luana Carter, with the same social security number, date of birth and physical address obtained through LexisNexis. On February 8, 2007, the Government also served an administrative subpoena on Nevada Power Company for subscriber information for [the address]. Nevada Power Company's response listed Luana Carter as having an active account at that address since June 22, 2001. . . .
U.S. v. Carter, supra.

Agent Flaherty then surveilled the address and observed a vehicle registered to Travis Carter parked in front of it. At that point Agent Flaherty sought a search warrant:
Because the IP address returned to the Internet account of Luana Carter, whose address was [that identified above] and there was still an active account in her name for that address on the date of the Affidavit, Agent Flaherty . . . stated that she believed evidence of child pornography crimes would be found at that residence. . . . Magistrate Judge Leavitt issued a search warrant to search the premises, including computers and other data storage devices for evidence of child pornography.
U.S. v. Carter, supra. The agents seized a computer from Travis Carter’s bedroom, and found “thousands of child pornography images” on it. U.S. v. Carter, supra.

As noted above, Mr. Carter moved to suppress the evidence, arguing that the warrant was invalid because it was not based on probable cause. He claimed Agent Flaherty’s
Affidavit was misleading because it failed to inform the Magistrate Judge of material facts regarding Internet access through an Internet services provider such as Cox Communications and how IP addresses function. Defendant argues that if such information had been included in the affidavit, probable cause would have been lacking.
U.S. v. Carter, supra.

In support of his motion, Mr. Carter submitted an affidavit from an expert who, after explaining how Internet access works and how IP addresses can be spoofed (or faked), concluded that there are
many problems with using an IP address to decide the location of a computer allegedly using an IP address on the Internet. The IP address can be ‘spoofed.’ A single IP address can be used by multiple computers at multiple locations through a wireless router. The MAC address of a cable modem can be spoofed to allow access to another's Internet connection. A neighborhood with several houses can share one Internet connection and therefore have the same IP address.
U.S. v. Carter, supra.

He lost. The district court followed the reasoning of the U.S. Court of Appeals for the Fifth Circuit in U.S. v. Perez, 484 F.3d 735 (2007). The argument in that case was essentially identical to Mr. Carter’s argument. It too relied on a claim of IP spoofing to argue that a warrant, which resulted in officers’ finding child pornography, was not based on probable cause. Here is what the Fifth Circuit said, in part:
[T]here was a substantial basis to conclude that evidence of criminal activity would be found at 7608 Scenic Brook Drive. The affidavit . . . included the information that the child pornography viewed by the witness in New York had been transmitted over the IP address 24.27.21.6, and that this IP address was assigned to Javier Perez, residing at 7608 Scenic Brook Drive. . . . Perez argues that the association of an IP address with a physical address does not give rise to probable cause to search that address. He argues that if he ‘used an unsecure wireless connection, then neighbors would have been able to easily use [Perez's] internet access to make the transmissions.’ But though it was possible that the transmissions originated outside of the residence to which the IP address was assigned, it remained likely that the source of the transmissions was inside that residence. . . . ‘[P]robable cause does not require proof beyond a reasonable doubt.’ [U.S. v.] Brown, 941 F.2d 1300, 1302 (5th Cir. 1991).
The Carter court therefore held that “even if the information set forth in” the testimony of Mr. Carter’s experts “had been included in Agent Flaherty's affidavit, there would still have remained a likelihood or fair probability that the transmission emanated from the subscriber's place of residence and that evidence of child pornography would be found at that location.” U.S. v. Carter, supra. It denied his motion to suppress the evidence. U.S. v. Carter, supra.

The IP spoofing argument is like the Trojan horse defense in that it, too, tries to claim that someone else committed the crime . . . the SODDI, or “some other dude did it” defense. I can see why these courts reached the conclusion they did, but it seems to me that the IP spoofing defense, like the Trojan horse defense, can be a valid defense (and/or a valid basis for suppressing evidence) in certain cases.

Since a SODDI defense can also be used at trial, I assume the IP spoofing defense can, as well. The only reported cases I find, so far, that refer to it all involve motions to suppress evidence.

1 comment:

Anonymous said...

I find this VERY interesting. I AM going through E X A C T L Y
the same thing in PA.
I have a motion to suppress hearing scheduled for later this year. Please email me any more info you have:
mcdchaz@yahoo.com