After he was “indicted on one count of possession of child
pornography in violation of 18 U.S. Code §§2252A(a)(5)(B) and (b)(2)”, Christopher Schlingloff moved to suppress
the evidence found on “his laptop and external storage device.” U.S. v. Schlingloff, ___ F. Supp. 2d ___, 2012 WL 5378148 (U.S.District Court for the Central District of Illinois 2012).
The prosecution began on November 3, 2010, when federal “agents
obtained a warrant to search the residence located at 1816 2nd Avenue, Rock
Island, Illinois, for evidence of passport fraud and harboring an alien.” U.S.
v. Schlingloff, supra. The affidavit submitted in support of the
application for the warrant “indicated there was reason to believe that
computer devices found in the residence would contain records related to these
crimes due to the fact that one target of the investigation had used computer
devices in the past to generate, store, and print documents used in the
passport scheme.” U.S. v. Schlingloff, supra.
Schlingloff was not the target of the investigation but was “present
in the residence” when the warrant was executed and “informed agents that he
was living there with the targets.” U.S.
v. Schlingloff, supra. The agents seized “[a]pproximately 130
media devices”, including “a laptop and external storage device belonging to
Schlingloff”. U.S. v. Schlingloff, supra.
The “items were sent to the DSS Computer Investigations and Forensics Division
office in Arlington, Virginia, for analysis.”
U.S. v. Schlingloff, supra.
seized devices. In doing so, [he] used a computer
software program known as Forensic Tool Kit or FTK to index/catalog all of the
files on the devices into viewable formats. The Known File Filter or KFF in the
software was enabled to flag and alert during processing to certain files that
are identifiable from a library of known files previously submitted by law
enforcement, such as contraband or child pornography. McNamee described
enabling the KFF alert as his standard operating procedure.
The KFF alert in this case identified two video files
entitled `Vicky’ as child pornography. Based on his investigation of . . .
child pornography cases in the past, McNamee suspected the files contained
child pornography and briefly opened the[m] to confirm his belief.
McNamee
observed the image of a naked prepubescent girl and an adult male, closed the
file, and stopped any further processing of both the laptop and the external
storage device. He then notified Agent Michael Juni about his discovery.
U.S. v. Schlingloff, supra.
Based on what McNamee had observed, Juni prepared an
application for a warrant
to search the laptop and external
storage device for evidence of receipt and possession of child pornography. A
warrant issued on February 4, 2011, and . . . 33 video files containing known
child pornography were found on these devices. Files were also found indicating
Schlingloff was the owner and operator of the two devices.
U.S. v. Schlingloff, supra.
On July 21, 2011, Schlingloff was interviewed and “admitted
to downloading and viewing child pornography on the laptop in question.” U.S.
v. Schlingloff, supra. On
August 17, 2011, he was charged with possessing child pornography. U.S.
v. Schlingloff, supra. He then moved to suppress the evidence found
on the laptop and external storage device. U.S. v. Schlingloff, supra.
The district court judge denied the motion to suppress based
in part on his
mistaken belief that the filters in the
FTK system had to be applied on an all or nothing basis and that the agent
lacked the ability to disable the portion of the KFF specifically alerting to
known child pornography or other contraband. . . . Schlingloff filed a Motion
to Reconsider, bringing the factual error to the Court's attention and making
it clear that the KFF alerts can be disabled or not affirmatively enabled as
part of the processing with very little effort.
U.S. v. Schlingloff, supra.
The judge heard oral
arguments on the motion to reconsider his denial of the motion to suppress and
then issued this opinion. U.S. v.
Schlingloff, supra.
The 4th
Amendment requires that search warrants “particularly describe the place to be searched, and the . . . things to be seized.”
This is intended to outlaw “general warrants” and thereby “prevent a
general exploratory rummaging through one's belongings.” U.S. v. Mann, 592
F.3d 782 (U.S. Court of Appeals for the 7th Circuit 2010). Schlingloff argued that “the use of the KFF
filter in the FTK program to flag known files containing child pornography
enabled the agents to unreasonably broaden a limited search for evidence of
passport fraud into a general search for evidence of any illegal activity.” U.S. v. Schlingloff, supra. In other words, he claimed the warrant
did not satisfy the 4th Amendment’s particularity requirement, which
would make it unconstitutional.
The judge found that
to “the extent” Schlingoff suggested that the use of the
FTK
software in and of itself exceeded the scope of the warrant per se, his
argument is unpersuasive. The 7th Circuit has held that the use of the FTK filtering
software to index and catalogue files into a viewable format does not, in and
of itself, exceed the scope of a warrant based on the fact that digital
evidence could be found virtually anywhere on a computer. U.S. v. Mann, supra.
U.S. v. Schlingloff, supra.
He also, though, found it necessary to address Schlingloff’s
other two arguments:
(1) even if the use of the FTK software
in and of itself is not problematic, enabling the KFF alerts in cases that do
not involve suspected child pornography or some closely related cause of action
necessarily broadens the scope of the search in an unconstitutional manner,
and/or (2) the opening of the child pornography files by McNamee takes the
search beyond the scope of the warrant.
U.S. v. Schlingloff, supra.
The judge noted that, apparently when he testified on the
motion to suppress or the motion to reconsider, McNamee conceded that despite
the fact that he “was searching for evidence of passport fraud or identity
theft, he consciously and affirmatively checked the box to include the KFF
alerts for child pornography because that is his standard operating procedure.” U.S. v. Schlingloff, supra. He
also testified as follows:
Q. (By Mr. Tasseff) [Y]ou wouldn't have received
those alerts had you restricted your search for the objects of the warrant and
clicked the hide button for KFF Alert, correct?
A. (By Agent McNamee) I would not have clicked on
the KFF.
Q. You didn't in this instance, correct?
A. No, I clicked to include the KFFs. . . .
Q. You went ahead and did that because that's your
standard operating procedure, isn't it?
A. Yes.
Q. The 30 some cases that you have done, you have
done it every time, correct?
A. Correct.
Q. Does your agency investigate strictly child porn
cases?
A. No, it does not.
Q. In fact, this child porn case is a rare exception
to the general rule, isn't it?
A. Yes. . . .
Q. But you used the forensic tool that alerted you
to the presence of child porn in a non-porn case, didn't you sir?
A. Correct.
U.S. v. Schlingloff, supra.
The judge explained that McNamee’s testimony and the FTK
User Guide revealed that
the user can either choose to apply an existing, predefined filter
or customize a filter based on the purposes of the search with relative ease by
checking various boxes in the setup menu. . . . [T]he Court now understands it
is simple to make selections that allow the user to take advantage of the
utility of the FTK program to categorize and sort out common known files such
as program files, etc., without being required to flag the KFF alerts for child
pornography files as part of the process.
The search did not end with flagging the child pornography files
during preprocessing, however. After the KFF alerted to the two files in
question, McNamee believed he recognized them to be part of the `Vicky’ series
of child pornography based on their hash values and his experience. Rather than
stopping at this point to obtain a warrant to search for images of child
pornography, McNamee briefly opened each file in order to confirm his
suspicions before stopping any further processing and notifying Juni.
U.S. v. Schlingloff, supra.
The judge found that given this information, it was
necessary to grant Schlingloff’s motion to suppress. U.S. v. Schlingloff, supra. He
noted that in U.S. v. Mann, supra,
the Court of Appeals held that an agent who opened files the KFF alert flagged
as child pornography exceeded the scope of a warrant to search for “images of
women in locker rooms”. U.S. v. Schlingloff, supra.
And the judge found
that by opening the “Vicky” files flagged by the KFF alert, McNamee
knew
or should have known those files would be outside the scope of the warrant to
search for evidence of passport fraud or identity theft, particularly as the
warrant did not specifically refer to evidence found in video files. . . .
Additionally, in light of the admitted
ability to confine the FTK search by not enabling the KFF filter for child
pornography alerts, the Court finds McNamee took an affirmative additional step
to enable the KFF alerts that would identify known child pornography files as
part of his search for evidence of passport fraud or identity theft. In a case
where the professed subject matter sought in the search bore no resemblance to
child pornography, it is difficult to construe this as anything other than a
deliberate expansion of the scope of the warrant, or at the very least, an
affirmative step that effectively did so.
U.S. v. Schlingloff, supra.
Since the judge
rejected the government’s argument that the files were in plain view or would
inevitably have been discovered in a manual search, he granted Schlingloff’s
motion to suppress. U.S. v. Schlingloff, supra.
No comments:
Post a Comment