Friday, October 21, 2011

Privacy, Probable Cause and Peer Spectre

I’ve done a couple of posts about Peer Spectre, a program law enforcement officers use to identify the IP addresses of computers offering child pornography via file-sharing software. This post examines a recent Ohio case in which the court addressed several issues concerning the functioning of Peer Spectre.

The case is State v. Mahan, 2011 WL 4600044 (Ohio Court of Appeals 2011), and all I know about the underlying facts is that James Mahan was indicted on 95 counts,

including pandering sexually-oriented matter involving a minor, illegal use of a minor in nudity-oriented material or performance, and possessing criminal tools. The charges stemmed from the presence of certain files found on [Mahan’s] home computer as a result of an investigation conducted by Rick McGinnis (`McGinnis’).

McGinnis is an investigator assigned to Ohio's Internet Crimes Against Children Task Force (`ICAC’). McGinnis utilized software known as `Peer Spectre,’ which identified an internet protocol (`IP’) address associated with three files that he recognized from his experience as being child pornography. McGinnis prepared an affidavit and obtained a search warrant for [Mahan’s] residence.

State v. Mahan, supra.

Mahan filed a motion under Rule 16 of the Ohio Rules of Criminal Procedure to compel

certain information from the state, including a mirror image forensic copy of Peer Spectre and any and all instruction/operation and/or training manuals associated with Peer Spectre, and the software's source code. [He] believed the information would reveal the functionality and calibration of the software, and asserted it was material to his defense in order to challenge the software's reliability and methodology.

State v. Mahan, supra.

The prosecution responded by arguing that the information Mahan sought was not subject to discovery under Ohio Rule 16:

[T]he state indicated Peer Spectre is maintained under the strict control and ownership of William Wiltse and is restricted to use by law enforcement. Wiltse supplied an affidavit wherein he averred that without the source code, it is not possible to authenticate the function of the application or validate its “calibration.”’ Wiltse averred that the source code is not distributed.

Officers are trained how to validate the findings of Peer Spectre by `conducting similar searches on the Gnutella network using freely available software applications.’ The state confirmed that it did not own or have . . . a copy of the source code and maintained it could not produce what it did not have.

The trial court denied the motion to compel discovery . . . and instructed that [Mahan] could contact the software company regarding issues pertaining to programming.

State v. Mahan, supra. Mahan then filed a motion to suppress evidence, which the court denied; he then “entered a plea of no contest”, “was found guilty”, sentenced to 16 years and appealed. State v. Mahan, supra. On appeal, he argued that “the warrantless use of Peer Spectre constituted” a “search” that violated the 4th Amendment and that the search warrant “was issued without probable cause because it relied on information obtained from use of Peer Spectre”. State v. Mahan, supra.

At the hearing on Mahan’s motion to suppress, McGinnis testified that he was trained on Internet investigations of child pornography at Fox Valley Technical College, training that included the use of Peer Spectre. State v. Mahan, supra. He also testified that

Peer Spectre is a search program that operates on the Gnutella network. . . . The Gnutella network enables people to log onto the internet to search, find . . . and download shared files from other computers, including child pornography. The search will reveal an IP address and SHA1 values, and from this information the user can download the desired file from the computer(s) that offered to share it.

McGinnis repeatedly testified that all the information he obtained from using Peer Spectre he could have obtained using other publicly available software, such as LimeWire or Phex, the only difference being that with the other software he would have to manually enter the data to keep searching. McGinnis stated that Peer Spectre saves time. . . .

Each time Peer Spectre is used by a law enforcement agency anywhere in the world, the results are compiled in a centralized server. The information logged into the central database includes the IP address, the port that it came from, and the date and time of the search. Law enforcement agencies are then enabled to query the information that Peer Spectre recorded into the central server.

State v. Mahan, supra.

McGinnis also testified that on May 23, 2008 he used Peer Spectre to search for IP addresses “that were active in Ohio . . . and had been recorded as sharing known or suspected child pornography.” State v. Mahan, supra. He got a “`hit list’” for the relevant IP addresses “which identified each file's SHA1 value, the date and time [it] was made available for sharing, and the file's size, geographical location, and description.” State v. Mahan, supra. He reviewed each file to confirm it was child pornography, after which he subpoenaed the Internet Service Provider for the subscriber associated with the IP address he focused on, which turned out to be Mahan. State v. Mahan, supra.

McGinnis then “prepared a length affidavit” for a warrant to search Mahan’s home and computer, which was later executed (as part of 60 other searches) and resulted in the seizure of a computer that contained the “known child pornography files” Peer Spectre had identified. State v. Mahan, supra. At the suppression hearing, McGinnis testified that (i) “this was the first time he had used information gained from Peer Spectre to obtain search warrants,” (ii) he “could not testify to the technological processes Peer Spectre uses” and (iii) “ did not know if Peer Spectre went beyond shared folders of a computer”. State v. Mahan, supra. He also testified that “the information recorded by Peer Spectre is `identical to the information that you would get from running a search in LimeWire if you were running it at that time that the IP address had a computer sharing file.’” State v. Mahan, supra.

As I noted earlier, Mahan argued that the use of Peer Spectre was a “search” that violated the 4th Amendment, since it was conducted without a warrant. To establish that the use of the technology was a 4th Amendment “search,” Mahan had to establish that he had a 4th Amendment, reasonable expectation of privacy in the “area(s) searched.” State v. Mahan, supra. The Court of Appeals rejected Mahan’s unconstitutional “search” argument because it found there is no reasonable expectation of privacy in files made available for sharing via peer-to-peer file sharing networks. State v. Mahan, supra. In an earlier passage of the opinion, the court noted that Peer Spectre “simply automated the ability to search information that had been placed in the public domain”, i.e., it merely “searches those files that have been placed in a public file-sharing network.” State v. Mahan, supra.

Mahan also argued that McGinnis’

inability to testify as to the specific functionality of Peer Spectre wrongly placed the burden of proof on him. However, [he] has not challenged or refuted the evidence that indicated the files from an IP address assigned to his computer were being shared over a peer-to-peer network . . . and therefore has not established a reasonable expectation of privacy. Where there is no reasonable expectation of privacy over the shared files, the technical aspects of the law enforcement software are not at issue.

State v. Mahan, supra.

The Court of Appeals then addressed Mahan’s “argument that, as a means of establishing probable cause, McGinnis's affidavit could not be based on information he obtained through Peer Spectre in the absence of testimony concerning the technical functionality of the software.” State v. Mahan, supra. More precisely, Mahan argued

that probable cause was lacking because McGinnis was unable to testify as to the technical functionality of Peer Spectre and whether it was somehow able to search beyond what is shared, because he did not know Peer Spectre's standard of error. [Mahan] has not provided us with a single authority, in Ohio or otherwise, that found suppression was warranted where law enforcement obtained a search warrant based on the use of technology that searches open peer-to-peer networks.

Instead, [he] equates information gathered from Peer Spectre to information gathered from a confidential informant. As such, [Mahan] maintains, McGinnis was required to set forth underlying circumstances from which he concluded that the software was credible or reliable.

State v. Mahan, supra.

As Wikipedia notes, officers seeking a search warrant can rely on hearsay information, such as information from a confidential information. Since informant will not appear and testify before the judge from whom the warrant is being sought, the court must rely on second-hand information, i.e., hearsay. Since hearsay can be unreliable, in Illinois v. Gates, 462 U.S. 213 (1983), the Supreme Court held that the officer must give the judge information showing the informant is credible (known to be truthful) or his information is reliable (has a track record of providing good tips, for example) and there is evidence he was in a position to know what he was talking about (basis of knowledge). That lets the judge who is being asked to issue a search warrant make an independent determination of whether the facts establish probable cause for a search.

The Court of Appeals found that McGinnis’ affidavit provided a “substantial basis” for

concluding that the information obtained from Peer Spectre was credible and reliable, including, but not limited to the following: McGinnis has many years of experience investigating internet child pornography. He was aware of Peer Spectre's accuracy based on information he learned from other agencies.

He was trained on the use of Peer Spectre and knew [it] searches peer-to-peer, or file sharing, networks. McGinnis had used other software programs to search peer-to-peer networks and obtained the same information he got from using Peer Spectre. He has never known the other programs to search beyond shared files.

McGinnis located an IP address recorded as sharing files on May 12, 2008, three of which he recognized as being child pornography from his years of experience. He independently corroborated this by viewing the files. McGinnis obtained the account holder information associated with that IP address from the ISP. Accordingly, there was a sufficient factual basis to establish probable cause to believe that a computer containing child pornography files was located at defendant's residence.

State v. Mahan, supra.

The Court of Appeals therefore rejected this argument, along with the other arguments Mahan raised on appeal, and so affirmed his conviction. State v. Mahan, supra.

No comments: