Monday, November 08, 2010

Peer Spectre Revisited

A few months ago, I did a post on the Peer Spectre program that was prompted by an email.

As I explained in that post, the person who sent the email to me said he/she had heard some things about how it was used and asked if, IMHO, such activity would violate the 4th Amendment. I did a little research, found some information on what it seemed Peer Spectre does, and wrote that I didn’t see how its use would violate the 4th Amendment, if that, in fact, was how it was being used.

I recently found a reported case that addressed the use of Peer Spectre, so I thought I’d do a post about it.

The case is U.S. v. Willard, 2010 WL 3784944 (U.S. District Court for the Eastern District of Virginia 2010), and this is how it arose:

An undercover agent working for the . . . FBI conducted a keyword search on a peer-to-peer file-sharing network using terms known to be associated with child pornography. Her search revealed a file from Internet Protocol (‘IP’) address The agent conducted a search of other files available at this IP address and downloaded seven files, three of which depicted child pornography. Special Agent Howell of the FBI subsequently viewed the images and confirmed that they depicted child pornography. After being served with a subpoena, Comcast Corporation identified the owner of the IP address as John C. Willard, Sr., a resident of Mechanicsville, Virginia.

On September 11, 2008, U.S. Magistrate Judge Lauck authorized the installation of a pen register device on the Internet connections of John C. Willard, Sr., and [John Charles Willard], who had recently moved out of his father's home. In 2009, Special Agent Howell analyzed the pen data using the Wyoming Toolkit database. The database uses an automated software program called Peer Spectre which reads publicly available information from computers identified as sharing child pornography images. Howell queried Wyoming Toolkit regarding the IP addresses that communicated with [Willard’s] IP address in October and November 2008, and found that more than 2,200 of those IP addresses had been previously identified by Peer Spectre as advertising child pornography files available for sharing.

In the spring of 2009, another judicially-authorized pen register was installed on [Willard’s] Internet connection. Analysis of [his] Internet activity revealed that [his] IP address made thirty unique files of child pornography available for sharing on four separate occasions between May and July of 2009.

U.S. v. Willard, supra. As an FYI, maybe, the opinion explains that the Wyoming Toolkit

database was developed by the Wyoming Internet Crimes Against Children Task Force. Whenever an investigator identifies child pornography that is shared over a peer-to-peer file-sharing network, the observation is recorded into the Wyoming Toolkit database. The database record contains: (1) the date and time of the observation; (2) the SHA1 value of the files; and (3) the name of the files and the IP address sharing the files. SHA1 stands for Secure Hash Algorithm 1. It is essentially a fingerprint of a digital file. By comparing the SHA1 values of two files, investigators can determine whether the files are identical with precision greater than 99.9999 percent certainty.

U.S. v. Willard, supra.
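The opinion describes two operations: logging an observation (date/time, SHA1, file name, IP) into a database of computers seen sharing known files, and later cross-referencing the IPs captured by a pen register against those stored records. The script below is an added illustration of that record format and that cross-reference, not code from Peer Spectre, the Wyoming Toolkit or the court; every IP, timestamp and file is constructed sample data, and the known-file hash set is computed from constructed bytes rather than from any real hash list.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Observation:
    """One Wyoming-Toolkit-style record: when, file fingerprint, file name, sharing IP."""
    observed_at: datetime
    sha1: str
    filename: str
    ip: str

def sha1_of(data: bytes) -> str:
    """SHA1 hex digest, the 'fingerprint' the opinion says investigators compare."""
    return hashlib.sha1(data).hexdigest()

def record_observation(db: list, when: datetime, data: bytes, filename: str, ip: str) -> Observation:
    """Log that `ip` was seen offering `data` as `filename` at time `when`."""
    obs = Observation(when, sha1_of(data), filename, ip)
    db.append(obs)
    return obs

def ips_sharing_known_files(db: list, known_hashes: set) -> set:
    """Every IP ever logged sharing a file whose SHA1 is in the known set."""
    return {o.ip for o in db if o.sha1 in known_hashes}

def pen_register_overlap(pen_peers, db: list, known_hashes: set, end: datetime) -> set:
    """The query described in the opinion: which pen-register peers had *previously*
    (on or before `end`) been logged sharing a known file. Uses stored records only;
    nothing is read from the monitored connection itself."""
    flagged = {o.ip for o in db if o.sha1 in known_hashes and o.observed_at <= end}
    return set(pen_peers) & flagged

# Constructed sample data (documentation/test IP ranges, made-up file bytes).
KNOWN_A = b"constructed sample file A"
KNOWN_B = b"constructed sample file B"
BENIGN = b"constructed benign file"
KNOWN_HASHES = {sha1_of(KNOWN_A), sha1_of(KNOWN_B)}

DB: list = []
record_observation(DB, datetime(2008, 10, 3, 9, 15), KNOWN_A, "a.bin", "198.51.100.7")
record_observation(DB, datetime(2008, 10, 9, 22, 40), KNOWN_B, "b.bin", "203.0.113.21")
record_observation(DB, datetime(2008, 11, 1, 4, 5), BENIGN, "c.bin", "192.0.2.44")
record_observation(DB, datetime(2008, 12, 2, 4, 5), KNOWN_A, "a2.bin", "192.0.2.99")  # after window

PEN_PEERS = ["198.51.100.7", "192.0.2.44", "192.0.2.99", "203.0.113.50"]  # constructed pen data

def demo() -> set:
    """Peers seen in an Oct-Nov 2008 window that had earlier been logged sharing a known file."""
    return pen_register_overlap(PEN_PEERS, DB, KNOWN_HASHES, datetime(2008, 11, 30, 23, 59))
```

Note that 192.0.2.99 is excluded: its only observation postdates the window, so at query time it was not "previously identified", and 192.0.2.44 is excluded because the file it shared is not in the known set.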

On August 26, 2009 Agent Howell got a search warrant for John Charles Willard’s (hereinafter “Willard”) address that authorized a search for and seizure of his computer. U.S. v. Willard, supra.

The officers seized his computer and an external hard drive; when the hard drives were analyzed, they found “more than 300 still images and 67 videos of child pornography.” U.S. v. Willard, supra. As a result of the search, Willard was indicted on seven counts of transporting and receiving child pornography in violation of federal law. Indictment, U.S. v. Willard, 2010 WL 4092796 (2010).

He then filed a motion to suppress “evidence obtained during the child pornography investigation . . . because the pen register installed on his Internet connection was actually a wiretap that required a search warrant based on probable cause”. U.S. v. Willard, supra. The federal judge began his analysis of Willard’s motion to suppress by explaining that

[a] ‘pen register’ is ‘a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted . . . .’ 18 U.S. Code § 3127(3). When using a pen register or trap and trace device on a computer, the government is not entitled to receive information from the device if that information reveals the contents of a communication. In re United States for an Order Authorizing the Use of a Pen Register, 396 F.Supp.2d 45 (U.S. District Court for the District of Massachusetts 2005).

U.S. v. Willard, supra. The judge then explained that Willard’s “primary argument” was based on the fact that the pen register statute only allows the government to collect

the origin or destination of a communication and not the contents of the communication. [He] contends that a search that includes the opening of files exchanged between two IP addresses is beyond the scope of an order authorizing the use of a pen register or trap and trace device. Thus, [Willard] argues, the orders obtained authorized a search only of information pertaining to routing, addressing and signaling.

He asserts that Special Agent Howell went beyond the scope of the order when he used software to monitor the flow of information and read and record the IP address, date, time, file names, and SHA1 values of files on Defendant's computer. To have properly engaged in this type of search, [Willard] contends, the Government should have obtained a warrant pursuant to 18 U.S. Code §§ 2510-2522 (‘Wiretap Act’).

U.S. v. Willard, supra. As one source explains, the Wiretap Act prohibits the government from intentionally intercepting “wire and electronic communications” unless a statutory exception applies to permit the interception or unless the government obtains a wiretap order, which must be based on probable cause to believe the interception will reveal evidence of a crime. Willard, as the federal judge pointed out, argued that the use of

Wyoming Toolkit and Peer Spectre to determine the nature of his computer files was analogous to installing a wiretap and went beyond the scope of the pen register orders. As such, [he] argues, the officers should have obtained a search warrant based on probable cause.

U.S. v. Willard, supra. In its response to Willard’s motion to suppress, the government disagreed with his argument and with his characterization of Peer Spectre:

Peer Spectre does not . . . intercept the contents of any communications. What the software does is read publically available advertisements from computers that are identified as offering images of child pornography for distribution, and . . . identify those IP addresses offering to distribute child pornography.

The function performed by Peer Spectre is akin to data-mining in that the software is merely collecting information that is captured once the defendant and others make publically available files for sharing on the network. It operates to identify and log IP addresses offering to distribute child pornography. Peer Spectre did not acquire any contemporaneous . . . from [Willard’s] IP address to any other computer. . . . [Willard] is utterly misinformed in his understanding of the function and operation of Peer Spectre. . . .

Response of the United States to Defendant’s Motion to Suppress, U.S. v. Willard, 2010 WL 4092798 (2010).

The federal judge agreed with the prosecution:

The Court finds that the use of Peer Spectre did not constitute a wiretap because the software does not intercept electronic communications. The functions performed by Peer Spectre and Wyoming Toolkit are more akin to mining data. The term ‘intercept’ as used in the Wiretap Act requires that the acquisition of contents be contemporaneous with the transmission of such contents. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 878 (U.S. Court of Appeals for the 9th Circuit 2002) (‘Congress . . . accepted and implicitly approved the judicial definition of “intercept” as acquisition contemporaneous with transmission. We therefore hold that for a website . . . to be “intercepted” in violation of the Wiretap Act, it must be acquired during transmission, not while it is in electronic storage.’).

Peer Spectre does not acquire communications contemporaneously with the transfer of data from one IP address to another. Instead, it reads publicly available advertisements from computers identified as offering images of child pornography for distribution and identifies their IP addresses.

U.S. v. Willard, supra. The judge therefore denied Willard’s motion to suppress. U.S. v. Willard, supra.


Anonymous said...

I don't think it's publicly available. Unless you know which peer-2-peer software they are using you won't be listening to the right communications channel to view their files.

The files they are sharing are also not broadcast so that anyone can find them. You have to connect to one of the p2p servers who knows who is on that particular p2p network and do a search.

The statement "What the software does is read publically available advertisements" can easily be used to mislead someone into thinking they didn't have to do a deep packet inspection or actively ask the computer being searched for information. In the real world the phrase "publically available advertisements" could easily mean a poster declaring come to my house for some criminal activity. You can easily see it from public land and you are passive in acquiring the information on the poster. However, in the p2p world the "publically available advertisements" are targeted at another computer and are encoded in such a way that you can't passively acquire the information in the communication.

Anonymous said...

But I think the point that the court was making is that 'publically available' on a P2P network is similar to me standing outside of your house and hollering "Hey! You got any child porn that I can have?" And you yelling back, "Sure, I got some 'Vicky' files for you." You and I do not have some kind of special relationship whereby our communications would be privileged or legally confidential. I'm just a perv, and you're just a perv, and we are just two pervs talking & trading porn.

So when I start up Limewire or whatever and I type in a search term for child porn, it's like me running up and down the street yelling at houses asking for porn. To listen to me you might have to have Limewire. But anybody with Limewire can hear me.