Monday, March 26, 2012

Probable Cause and the Dynamic IP Address

After pleading guilty to “seventeen counts of transportation, distribution, and possession of child pornography” in violation of federal law, T. Patrick Kearney appealed, arguing in part that the search warrant issued for his home was not based on probable cause. U.S. v. Kearney, __ F.3d __, 2012 WL 639168 (U.S. Court of Appeals for the 1st Circuit 2012).

To understand his argument, it is necessary to understand how the case arose:

In May 2008, Nathan Kesterson, an . . . investigator of the Lexington, Virginia, police department, began communications over the internet with an individual while posing as a fourteen-year-old female named `Julie.’ The . . . communications occurred [on] chat-avenue.com, styled as a teen-only chat room. Kesterson communicated with a person who was identified . . . by the screen name `padraigh8,’ who claimed to be a twenty-eight-year-old male from Massachusetts.


These communications continued . . . through May and June, and padraigh8 utilized Yahoo! messenger on some . . . occasions. During several of the conversations, padraigh8 sent `Julie’ child pornography. . . . Kesterson was able to identify padraigh8's MySpace page and ID number, because the MySpace page bore the same name as the Yahoo! account: `padraigh8.’

U.S. v. Kearney, supra.

On May 12, 2008, Kesterson contacted the FBI, which assigned Agent Jennifer Weidlich to the case. U.S. v. Kearney, supra. She served three subpoenas in an effort to identify padraigh8. U.S. v. Kearney, supra. The first was “served on MySpace on May 22, 2008” and sought account and IP address information associated with the padraigh8 MySpace page. U.S. v. Kearney, supra.

MySpace said the account was created on August 23, 2007, using IP address 68.116.165.4. U.S. v. Kearney, supra. The subscriber’s name was listed as “`Padraigh NoName’” with an address in Westborough, Massachusetts, and an email address of padraigh9@hotmail.com. U.S. v. Kearney, supra. IP log records showed the user “signed onto this MySpace account from IP address 68.116.165.4 `multiple times between’ August 23, 2007, and May 22, 2008.” U.S. v. Kearney, supra.

On May 22, 2008, Weidlich served the second subpoena – which sought information on the padraigh8 account used to communicate with “Julie” -- on Yahoo!. U.S. v. Kearney, supra. Yahoo! reported that the account was created on October 24, 2000, by “Padraigh No Name”, who provided an “alternate email address of padraigh9@hotmail.com . . . the same address which was used to create the MySpace page.” U.S. v. Kearney, supra. Yahoo! also reported that padraigh8 accessed his account from IP address 68.116.165.4 “a total of 288 times `between’ April 7, 2008, and May 21, 2008.” U.S. v. Kearney, supra.

On June 4, 2008, Weidlich served the third subpoena on Charter Communications, “requesting the identity of the owner of the IP address 68.116.165.4 between . . . May 20, 2008, and May 22, 2008.” U.S. v. Kearney, supra. The company reported that the IP address belonged to Patrick Kearney and also supplied his home address, telephone number, and email accounts. U.S. v. Kearney, supra. Kearney opened the Charter account on August 23, 2003; the information Charter provided was the “only connection between the IP address and an identifiable individual.” U.S. v. Kearney, supra.

Weidlich cross-referenced the information Charter provided against the state Registry of Motor Vehicles database, and confirmed that the address Charter provided was accurate. U.S. v. Kearney, supra. She then prepared an application for a search warrant and an affidavit stating the facts establishing probable cause for the warrant, which was issued on July 7, 2008. U.S. v. Kearney, supra. (You can find a sample application and affidavit in support of the issuance of a search warrant here.)

On July 10, 2008, the warrant was executed by eight FBI agents and two local police officers. U.S. v. Kearney, supra. They seized “five computers and a variety of associated equipment”, which led to Kearney’s being charged with eight counts of transporting child pornography, eight counts of distributing child pornography and one count of possessing child pornography, in violation of 18 U.S. Code §§ 2252(a)(1), 2252(a)(2) and 2252(a)(4)(B). U.S. v. Kearney, supra.

He pled not guilty and filed a motion to suppress, arguing that “the affidavit submitted in support of the search warrant application did not demonstrate . . . probable cause” to believe evidence of crime would be found in his home. U.S. v. Kearney, supra. After the district court judge denied the motion, Kearney “conditionally pled guilty” to all the counts charged against him but reserved his right to appeal the denial of his motion to suppress. U.S. v. Kearney, supra.

The Court of Appeals began its analysis of Kearney’s challenge to the search warrant by noting that it raised an “important issue” the court had “not addressed before.” U.S. v. Kearney, supra. In his appeal, Kearney argued that the search warrant affidavit did not

tie his ownership of the IP address on May 20-22, 2008, to any unlawful conduct, and that because his IP address was `dynamic’ in nature, the fact he owned or possessed it on those three days says nothing about whether he possessed the address before or after that period. According to the affidavit of Kearney's computer forensics expert, a `dynamic’ IP address is an IP address that an internet service provider (ISP) may change after a certain number of hours, days or weeks logged onto the system.


Kearney's expert also stated that the frequency with which an ISP changes a user's dynamic IP address is determined by the ISP; some change addresses frequently, while others may not change addresses for months or even years. The user's conduct may also impact whether a dynamic address is changed: some ISPs do not change dynamic IP addresses unless a user disconnects his or her router or modem.

U.S. v. Kearney, supra.

In a footnote, the court explains that the evidence provided by Kearney that his

IP address was dynamic, rather than static, was a printout of Charter Communications’ `Frequently Asked Questions’ webpage, which explained that Charter customers `are provided a dynamic IP address unless a static IP address was specifically requested.’ The government does not dispute that Kearney's IP address was dynamic in nature.

U.S. v. Kearney, supra.

The Court of Appeals also noted that “[m]any” of the facts relevant to the probable cause determination were

undisputed. The relevant Yahoo! account was used for transmitting child pornography in May and June of 2008. The MySpace account had the same name as the Yahoo! account and was created using one of the same email addresses used to create the Yahoo! account, leading to the reasonable inference that whoever possessed the MySpace account also possessed the Yahoo! account. IP address 68.116.165.4 repeatedly accessed both accounts during certain periods of time. Kearney possessed IP address 68.116.165.4 during the May 20–22, 2008, period, during which no chats with `Julie’ took place.

U.S. v. Kearney, supra.

The court then explained that Kearney’s challenge to the affidavit’s adequacy to establish probable cause for the search warrant depended upon his

particular reading of the affidavit and the nature of dynamic IP addresses. He contends that the affidavit fails to establish that IP address 68.116.165.4 accessed the Yahoo! or MySpace accounts during the May 20–22, 2008, period.


The affidavit states that `IP log records from MySpace show that the user signed onto this MySpace account from IP address 68.116.165.4 multiple times between 8/23/07 and 5/22/08.’ The affidavit also states that `According to Yahoo!, padraigh8 accessed his account 288 times utilizing IP protocol address 68.116.165.4 between 4/7/08 and 5/21/08.’


Kearney argues that the use of the word `between’ fails to establish that the MySpace and Yahoo accounts were accessed on May 22 and May 21, respectively, because the use of `between’ in connection with dates simply indicates that the event took place at some point between the specified start and end date, rather than on the specified start or end date. Kearney then argues that because he possessed a dynamic IP address, his possession of IP address 68.116.165.4 between May 20 and 22 says nothing about whether he possessed it on any other date, because dynamic IP addresses are frequently re-assigned to different users.

U.S. v. Kearney, supra.

Like the district court judge, the Court of Appeals rejected this argument:

[T]he affidavit . . . establishes that IP address 68.116.165.4 accessed the MySpace and Yahoo! accounts on May 22 and 21, respectively. . . . [A] common-sense understanding of how the word `between’ is used is that the end dates specified were the last date of access. As a matter of common usage, the two dates on either side of `between’ in this context are typically used to specify the first and the last occurrence of the relevant event or activity.


Moreover, the variance in the end dates for the two subpoenas supports this reading. It is reasonable to understand the `between 8/23/07 and 5/22/08’ description of the MySpace log records and the `between 4/7/08 and 5/21/08’ description of the Yahoo! log records as being written in this manner because the last date specified was, in fact, the last date IP address 68.116.165.4 accessed the account.

U.S. v. Kearney, supra.

Kearney argued that the last date “simply reflected the date the subpoena was sent, May 22”, but the court found that this argument did not “explain why the Yahoo! end date was given as May 21, as both subpoenas were issued on May 22.” U.S. v. Kearney, supra.

The court explained that the fact that the affidavit established that the Yahoo! account

was accessed by Kearney on May 21 and the MySpace account was accessed by him on May 22, along with the other information, establishes probable cause. It is undisputed that these accounts were the conduits for child pornography to be transmitted to `Julie.’ And it is reasonable to infer that whoever accessed these accounts on May 21 and 22, 2008, was also the user of these accounts earlier that month and in June 2008 to engage in the communications with `Julie.’

U.S. v. Kearney, supra.

The court also found that the existence of probable cause was supported by the “sheer number of times the Yahoo! account was accessed from IP address 68.116.165.4 during the April 7, 2008, to May 21, 2008, period -- 288 times.” U.S. v. Kearney, supra. It pointed out that, as noted above, Kearney’s expert testified at the suppression hearing that ISPs “sometimes keep dynamic IP addresses the same for months, or even years.” U.S. v. Kearney, supra. The Court of Appeals found that the “high number of accesses of the Yahoo! account from the same IP address over a relatively short period of time shortly before the May 20 to 22 period when it was clear that Kearney possessed the IP address supports a finding of probable cause here.” U.S. v. Kearney, supra.

It therefore held that, while “the affidavit could have been drafted to make it indisputably clear that Kearney accessed the accounts on May 21 and 22” that did not mean “there was a failure to establish probable cause.” U.S. v. Kearney, supra. The issue was “whether, `given all the circumstances set forth in the affidavit . . . , there [was] a fair probability that contraband or evidence of a crime [would] be found’ in Kearney's residence.” U.S. v. Kearney, supra (quoting Illinois v. Gates, 462 U.S. 213 (1983)).

The Court of Appeals held that this “standard was satisfied”, which meant the district court judge did not err in denying Kearney’s motion to suppress. U.S. v. Kearney, supra.

No comments:

Post a Comment