A few months ago, I did a post on the Peer Spectre program that was prompted by an email.
As I explained in that post, the person who sent the email to me said he/she had heard some things about how was used and asked if, IMHO, such activity would violate the 4th Amendment. I did a little research, found some information on what it seemed Peer Spectre does, and wrote that I didn’t see how its use would violate the 4th Amendment, if that, in fact, was how it was being used.
I recently found a reported case that addressed the use of Peer Spectre, so I thought I’d do a post about it.
The case is U.S. v. Willard, 2010 WL 3784944 (U.S. District Court for the Eastern District of Virginia 2010), and this is how it arose:
An undercover agent working for the . . . FBI conducted a keyword search on a peer-to-peer file-sharing network using terms known to be associated with child pornography. Her search revealed a file from Internet Protocol (`IP’) address 188.8.131.52. The agent conducted a search of other files available at this IP address and downloaded seven files, three of which depicted child pornography. Special Agent Howell of the FBI subsequently viewed the images and confirmed that they depicted child pornography. After being served with a subpoena, Comcast Corporation identified the owner of the IP address as John C. Willard, Sr., a resident of Mechanicsville, Virginia.
On September 11, 2008, U.S. Magistrate Judge Lauck authorized the installation of a pen register device on the Internet connections of John C. Willard, Sr., and [John Charles Willard], who had recently moved out of his father's home. In 2009, Special Agent Howell analyzed the pen data using the Wyoming Toolkit database. The database uses an automated software program called Peer Spectre which reads publicly available information from computers identified as sharing child pornography images. Howell queried Wyoming Toolkit regarding the IP addresses that communicated with [Willard’s] IP address in October and November 2008, and found that more than 2,200 of those IP addresses had been previously identified by Peer Spectre as advertising child pornography files available for sharing.
In the spring of 2009, another judicially-authorized pen register was installed on [Willard’s] Internet connection. Analysis of [his] Internet activity revealed that [his] IP address made thirty unique files of child pornography available for sharing on four separate occasions between May and July of 2009.
U.S. v. Willard, supra. As an FYI, maybe, the opinion explains that the Wyoming Toolkit
database was developed by the Wyoming Internet Crimes Against Children Task Force. Whenever an investigator identifies child pornography that is shared over a peer-to-peer file-sharing network, the observation is recorded into the Wyoming Toolkit database. The database record contains: (1) the date and time of the observation; (2) the SHA1 value of the files; and (3) the name of the files and the IP address sharing the files. SHA1 stands for Secure Hash Algorithm 1. It is essentially a fingerprint of a digital file. By comparing the SHA1 values of two files, investigators can determine whether the files are identical with precision greater than 99.9999 percent certainty.
U.S. v. Willard, supra.
On August 26, 2009 Agent Howell got a search warrant for John Charles Willard’s (hereinafter “Willard”) address that authorized a search for and seizure of his computer. U.S. v. Willard, supra.
The officers seized his computer and an external hard drive; then the hard drives were analyzed, they found “more than 300 still images and 67 videos of child pornography.” U.S. v. Willard, supra. As a result of the search, Willard was indicted on seven counts of transporting and receiving child pornography in violation of federal law. Indictment, U.S. v. Willard, 2010 WL 4092796 (2010).
He then filed a motion to suppress “evidence obtained during the child pornography investigation . . . because the pen register installed on his Internet connection was actually a wiretap that required a search warrant based on probable cause”. U.S. v. Willard, supra. The federal judge began his analysis of Willard’s motion to suppress by explaining that
[a] `pen register’ is `a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted . . . . ‘ 18 U.S. Code § 3127(3). When using a pen register or trap and trace device on a computer, the government is not entitled to receive information from the device if that information reveals the contents of a communication. In re United States for an Order Authorizing the Use of a Pen Register, 396 F.Supp.2d 45 (U.S. District Court for the District of Massachusetts 2005).
U.S. v. Willard, supra. The judge then explained that Willard’s “primary argument” was based on the fact that the pen register statute only allows the government to collect
the origin or destination of a communication and not the contents of the communication. [He] contends that a search that includes the opening of files exchanged between two IP addresses is beyond the scope of an order authorizing the use of a pen register or trap and trace device. Thus, [Willard] argues, the orders obtained authorized a search only of information pertaining to routing, addressing and signaling.
He asserts that Special Agent Howell went beyond the scope of the order when he used software to monitor the flow of information and read and record the IP address, date, time, file names, and SHA1 values of files on Defendant's computer. To have properly engaged in this type of search, [Willard] contends, the Government should have obtained a warrant pursuant to 18 U.S. Code §§ 2510-2522 (`Wiretap Act’).
U.S. v. Willard, supra. As one source explains, the Wiretap Act prohibits the government form intentionally intercepting “wire and electronic communications” unless a statutory exception applies to permit the interception or unless the government obtains a wiretap order that must be based on probable cause to believe the interception will reveal evidence of a crime. Willard, as the federal judge pointed out, argued that the use of
Wyoming Toolkit and Peer Spectre to determine the nature of his computer files was analogous to installing a wiretap and went beyond the scope of the pen register orders. As such, [he] argues, the officers should have obtained a search warrant based on probable cause.
U.S. v. Willard, supra. In its response to Willard’s motion to suppress, the government disagreed with his argument and with his characterization of Peer Spectre:
Peer Spectre does not . . . intercept the contents of any communications. What the software does is read publically available advertisements from computers that are identified as offering images of child pornography for distribution, and . . . identify those IP addresses offering to distribute child pornography.
The function performed by Peer Spectre is akin to data-mining in that the software is merely collecting information that is captured once the defendant and others make publically available files for sharing on the network. It operates to identify and log IP addresses offering to distribute child pornography. Peer Spectre did not acquire any contemporaneous . . . from [Willard’s] IP address to any other computer. . . . [Willard] is utterly misinformed in his understanding of the function and operation of Peer Spectre. . . .
Response of the United States to Defendant’s Motion to Suppress, U.S. v. Willard, 2010 WL 4092798 (2010).
The federal judge agreed with the prosecution:
The Court finds that the use of Peer Spectre did not constitute a wiretap because the software does not intercept electronic communications. The functions performed by Peer Spectre and Wyoming Toolkit are more akin to mining data. The term `intercept’ as used in the Wiretap Act requires that the acquisition of contents be contemporaneous with the transmission of such contents. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 878 (U.S. Court of Appeals for the 9th Circuit 2002) (`Congress . . . accepted and implicitly approved the judicial definition of “intercept” as acquisition contemporaneous with transmission. We therefore hold that for a website . . . to be “intercepted” in violation of the Wiretap Act, it must be acquired during transmission, not while it is in electronic storage.’).
Peer Spectre does not acquire communications contemporaneously with the transfer of data from one IP address to another. Instead, it reads publicly available advertisements from computers identified as offering images of child pornography for distribution and identifies their IP addresses.
U.S. v. Willard, supra. The judge therefore denied Willard’s motion to suppress. U.S. v. Willard, supra.