Tuesday, May 04, 2010

Peer Spectre?

This isn’t a post. It’s essentially a response to an email.

This morning, I received an email from someone who had heard about law enforcement’s using a program called Peer Spectre. The email said the author had heard about the program which, according to reports from some source(s), lets law enforcement officers

see what files are on a suspect's hard drive even if they have file sharing turned off. It apparently does this by scanning a file in the P2P configuration which shows which files have been downloaded through the program.

The email’s author thought this might have 4thAmendment implications, particularly with respect to the Kyllo issue I addressed in a post I did earlier this year.

Not having heard of Peer Spectre, I couldn’t reply knowledgeably to the email, but said I’d look into it and see if I could post something that would either help address this issue or maybe prompt responses from knowledgeable people who could address the issue.

I did some Google searches and found a couple of conferences that had offered training in how to use the program. I also found a paragraph in an affidavit issued in support of an application for a search warrant that talks about the program. If you’re interested, you can find the search warrant and warrant application here.

Paragraph 31 of warrant application Attachment A has this to say about Peer Spectre:

Your Affiant knows that Detective William Wiltse with the Salem, Oregon Police Department has created an automated software application, named Peer Spectre. This program operates on the gnutella network and reads the publicly available information from computers that are identified as offering child sexual abuse images for distribution. This software reads these reported offers to participate in the sharing of child pornography and reports the time, date, SHA1 value and filename for each computer in a consistent and reliable manner to the ICAC servers. Your Affiant has validated this software by running identical search terms through the manual method described above and the automated system using Peer Spectre and has confirmed that Peer Spectre performs in the same way, with matching results as the previous manual investigative techniques used in this operation to date. The Peer Spectre program provides beneficial data to ICAC officers by identifying and logging IP addresses that are offering to distribute child pornography.

(emphasis added).

If this is what (and all) Peer Spectre does, then I don’t see a 4th Amendment issue. If it’s only reading publicly available information, then using the program doesn’t constitute a “search” under the 4th Amendment. As I’ve explained in earlier posts, for something to constitute a 4th Amendment “search,” it has to intrude on a reasonable expectation of privacy.

As I’ve also explained, if you expose something to “public view,” you lose any 4th Amendment expectation of privacy in that thing or place. As the U.S. Supreme Court said, what a person knowingly exposes to public view isn’t protected by the 4th Amendment.

So unless the program does more than is described in the paragraph quoted above, I don’t see a 4thAmendment, Kyllo issue arising from law enforcement’s using the program.

I am, as I said, operating on incomplete information, so maybe there’s more to the program . . . aspects that might implicate the 4th Amendment. If anyone has more information on Peer Spectre and is willing to share it, I’d be interested in hearing it.


Anonymous said...

According to a noted computer forensic analyst, Peer Spectre is locating file names and SHA1 values from within "system files from the application system files" and not the files the application itself willingly shares. In a study in a computer during an active case she also found that 2 of the files returned by Peer Spectre had never existed on the computer itself.

Susan Brenner said...

Thank you for that information.

Anonymous said...

Whoever posted the above comment is way off base. Peer Spectre is simply a program like any other P2P Program. It is like Limewire. Search terms are sent to Ultrapeers - just like Limewire. Ultrapeers respond and pass off the requests for files to peers. Those peers directly respond with lists of files that have in their "shared folder" The returned lists and SHA1 values are checked. Any known Child Pornography files are noted along with the IP address that had that file and responded to the request. The information is logged. There is no such thing as the system search like in the last post. That post is total BS. Using Peer Spectre by the way is just as legal as you stated in your post. Someone freely and voluntarily sets up a computer with software that shares files. When someone else asks them what they have and their computer responds because of the way they set it up...there is no 4th amendment search. You could very well liken the process to me calling my public library and asking them to send me a list of books and Library of congress numbers. When I get that list in the mail at what point did I ever make a search or even have the 4th come into play.

Susan Brenner said...

Thanks for clarifying how it works . . . as I said, doesn't look like it raises any 4th Amendment issues.

Anonymous said...

I also take exception to the comment made by Anonymous 11:24 AM. I am a forensic analyst and have been for over 13 years. I found the the statement "...2 of the files returned by Peer Spectre had never existed on the computer itself" to be an overstatement. I can see an analyst saying they found no evidence that it existed, but never? Staying with the other analogy,I think that statement is akin to walking into a library and saying a book had never been in the library because I can't find it there now, and I can't find it in their catalog.

Anonymous said...

So who is this "noted computer forensic analyst"?

Anonymous said...

Anonymous Forensic Examiner:
You sidetracked the point. The point is that Peer Spectre has the ability to see what files are in a suspect's shared folder even if sharing is turned off. If sharing is turned off, you can't browse another user's files with regular Limewire.

Detective W said...

The program receives the file list from the ultrapeers, not the suspect. The program is getting the information from a third party who the user authorized to release the contents of their shared folder when they installed the program. Sorry, still no fourth amendment violation.

Susan Brenner said...

Thanks for clarifying that, Detective W.

Anonymous said...

"The point is that Peer Spectre has the ability to see what files are in a suspect's shared folder even if sharing is turned off."

Isn't that akin to saying "I know whats in the house because I had X-ray vision?" Shouldn't that still violate reasonable expectation if privacy seeing as the suspect deliberately stopped sharing the files?

What would be the case if the suspect had not only stopped sharing the files but removed them from the default "shared folder"? Does the suspect then have a reasonable expectation of privacy? Or is mere possession, for any length of time, whether it was shared or not, whether it was deleted immediately or continued to exist or not, enough to set off Peer Specre?

If such is the case, is the accidental downloading (something which I've heard quite often and which the USGAO has a report on) of child pornography, and immediate removal enough to set off Peer Spectre?

Anonymous said...

"To make things easier and safer, Shared folders don't exist in LimeWire 5. Instead, individual files are shared. For example, instead of sharing your "Pictures" folder and its entire contents, you control and choose which specific pictures (i.e., files) from your pictures folder you want to share. To see all the files you are sharing with the P2P Network or a Friend, click on "P2P Network" or a Friend in the sidebar and then click on "Share with (name)" at the top. This will show you a snapshot of your Library and what files are being shared with the P2P Network or that particular Friend. The number of files next to each category reflects the number of files you are sharing in that category. To share a file, simply check the checkbox next to that file. To unshare, uncheck the checkbox."

Is it reasonable to expect a file downloaded and then subsequently unshared would NOT be returned as a shared file by the program? If such a file is reported to be available even when sharing is turned off, does that violate one's reasonable expectation of privacy?