After Jeffrey Feldman was indicted on federal charges of “receiving and possessing child pornography”, he filed motions to “compel discovery regarding
the computer program (`RoundUp’) used by law enforcement to initially detect
the alleged presence of child pornography on his computer” and to suppress “evidence
gathered pursuant to a subsequently obtained search warrant”. U.S. v.
Feldman, 2015 WL 248006 (U.S. District Court for the Eastern District of Wisconsin 2015).
The U.S. District Court Judge who has the case referred the
motions to a U.S. Magistrate Judge, who scheduled oral argument on them, but on
the “eve of the”
argument the parties notified the
Magistrate Judge that they had resolved the case and that the motions would be
withdrawn on the filing of a plea agreement. . . . The parties filed a plea
agreement on May 8, 2014, and [the U.S. District Court Judge] scheduled a plea
hearing for June 13, 2014. However, on May 29, 2014, defense counsel filed a
letter indicating [Feldman] was withdrawing from the plea agreement and asking
that the motions be set back on the calendar before the Magistrate Judge.
U.S. v. Feldman, supra.
On June 2, 2014, the District Court Judge “referred the case” to the
Magistrate Judge “for further action on the motions.” U.S. v. Feldman, supra.
The Magistrate Judge found Feldman waived his right to
litigate the motions by entering into a plea agreement. U.S. v.
Feldman, supra. In case the District
Court Judge did not agree, the Magistrate Judge denied the motion to compel and
recommended that the District Court Judge deny the motion to suppress. U.S. v. Feldman, supra. The District Court Judge agreed with the
Magistrate Judge with regard to the waiver, but addressed Feldman’s arguments to
get a decision on the merits in the record, in case Feldman appealed. U.S. v. Feldman, supra.
He began with the motion to suppress, noting that the first
issue was whether the
affidavit provided the issuing
magistrate with a “substantial basis” to find probable cause. U.S. v.
Koerth, 312 F.3d 862 (U.S. Court of Appeals for the 7th Circuit 2002) (citing Illinois v. Gates, 462 U.S. 213 (1983)). Probable cause is far short of
certainty; it requires only a probability or substantial chance of criminal
activity, not an actual showing of such activity or even a probability that
exceeds 50 percent. U.S. v. Seiver, 692 F.3d 774 (U.S. Court
of Appeals for the 7th Circuit 2012). Determining whether probable cause exists
requires a common-sense analysis of the facts available to the judicial officer
who issued the warrant.
U.S. v. Feldman,
supra.
The District Court Judge began by explaining that the
warrant in this case was based on
the January 22, 2013, affidavit of FBI
Special Agent Brett Banner. . . . Banner set forth the following information
specific to this case.
Between June 10, 2012, and July 23,
2012, an FBI online covert employee (`OCE’) conducted numerous online
investigations to identify individuals possessing and sharing child pornography
using the eDonkey and KAD peer-to-peer . . . networks. The OCE used a P2P file
sharing program, which scanned both networks simultaneously and has been
enhanced to ensure downloads occur only from a single selected source. . . .
During those investigations, the OCE
searched for suspected child pornography files and identified a particular IP
address on the KAD network which had suspected child pornography
files available for distribution. Specifically, this IP address responded to
the OCE's queries for 17 suspected child pornography hash values. . . .
Banner averred that during the dates
listed, the target IP address was registered to Time Warner/Road Runner and
assigned to a physical address in Milwaukee, Wisconsin. . . . On September 6,
2012, the . . . suspected child pornography hashes were submitted to the
National Center for Missing and Exploited Children (`NCMEC’) for preliminary
identification. NCMEC advised that five of them `matched known child
pornography victims. . . .’ The affidavit then specifically described two of
those files. . . . Banner averred that the `remaining hashes were identified as
“Recognized,” which meant they had been previously submitted to NCMEC as
suspected child pornography by law enforcement.’ . . .
[T]he OCE attempted without success to
conduct single source downloads of the suspected child pornography from the
target IP address. The OCE noted that the IP address had been given a `low ID’
designation on the KAD network, which, for technical reasons, may have
prevented the single source download. . . .
On September 7, 2012, Time Warner
responded to a subpoena requesting subscriber information for the target IP
address, identifying [Feldman] at a physical address in West Allis, Wisconsin.
. . . On September 13, agents went to the physical address to conduct
surveillance and determine if there was a wireless connection that could be
associated with this residence. A check of the available wireless connections
revealed there were several secured wireless connection points that could be
associated with the residence. There were no unsecured wireless connection
points found at this location, indicating that the suspect's wireless
connection was secured. . . . On December 6, 2012, Banner viewed a law
enforcement commercial data base and learned [Feldman] had lived at the West
Allis address since 1997. . . . State records revealed [he] had vehicles
registered to him at this address. . . .
Based on these facts, Banner averred
there was probable cause to believe evidence of violations of 18 U.S. Code § 2252A was located at [Feldman’s] West Allis residence. . . . Magistrate
Judge Callahan issued the warrant on January 22.
U.S. v. Feldman,
supra.
The judge found that “Banner's affidavit supplied a
substantial basis for a finding of probable cause”, given the facts outlined
above, the fact that the OCE identified the images at issue by their hash
values and the fact that “[c]ourts have found hash values sufficiently
reliable, even in the absence of a direct download.” U.S. v. Feldman, supra. He
also relied on the fact that the FBI agents “confirmed that the hash values
matched known child pornography by submitting them to NCMEC and viewing two of
the files associated with the hash values, providing a detailed description of
those two files.” U.S. v. Feldman, supra.
The judge goes on to explain that in objecting to the
Magistrate Judge’s ruling, Feldman
contends that no court has found that a
target computer responding to hash value queries, without some further
corroboration that the target computer likely contains child pornography, is
sufficient to establish probable cause for a search warrant. He points to my
decision in U.S. v. Case, where I indicated, in response to
the defendant's complaint about the use of an automated law enforcement
program, `This is not a situation where a computer program downloaded material
believed to be contraband (based on, say, a keyword search or hash values) and
no human being looked at the material before a warrant was sought.’ U.S. v. Thomas, 2014 U.S. Dist. LEXIS
34460 (U.S. District Court for the Eastern District of Wisconsin 2014).
In this case, the agents did not rely
on the target computer's response to the hash value query alone; they submitted
the hash values to the NCMEC for confirmation, viewed two of the offered files,
and provided the magistrate judge with a detailed description of the contents
of those two files. [Feldman] attempts to distinguish U.S.
v. Thomas, supra, arguing that unlike in his case the officers there
physically examined the images associated with the identified hash values. As
discussed above, the instant warrant application, fairly read, establishes the
same. In any event, [Feldman] concedes that the odds of two different files
having the same hash value are infinitesimal.
U.S. v. Feldman,
supra.
Feldman also argued that “[u]nlike the program used in U.S. v. Thomas, supra,”
RoundUp has the ability to infiltrate
private spaces on the target computer. He offers no evidence of that. While the
affidavit from his expert references remote `tagging,’ he makes no claim that
such tagging occurred in his case. Nor does the affidavit affirmatively contend
that the program invades non-shared space to search for evidence. (See R.
25–1 at 6 ¶ 22 -- `It can't be confirmed if the software has access to, or writes
information in other non-shared areas of the remote client.’) Relying on his
expert, [Feldman] further contends that it may be possible for hash values to
be present on a computer without the computer having any significant portion of
the file present on it (like having the table of contents of a book without
having any of the chapters). But this possibility does not defeat probable
cause, which requires only a substantial chance that a search will turn up
evidence of criminal activity.
As the U.S. v. Miknevich, 638
F.3d (U.S. Court of Appeals for the 3rd Circuit 2011) court
stated:
`We recognize that file names are not
always a definitive indication of actual file content and, therefore, only
after downloading and viewing a particular file can one know with certainty
whether the content of the file is consistent with its designated name.
However, certainty has no part in a probable cause analysis. On the contrary,
probable cause requires only a probability or substantial chance of criminal
activity, not an actual showing of such activity.’
U.S. v. Miknevich, supra (internal citations and quote marks
omitted).
The District Court Judge noted that Feldman did not claim
that the Magistrate Judge
simply rubber stamped the application;
he cites no case finding a materially similar application insufficient; and he
makes no effort to show that the affidavit was so plainly deficient that any
reasonably well-trained officer would have known that it failed to establish
probable cause. Instead, he argues that good faith does not apply because the
affiant was dishonest or reckless.
U.S. v. Feldman,
supra.
The judge goes on to explain that Feldman pointed to
no false statements in or material
omissions from the affidavit. Instead, he argues that RoundUp exploits known
weaknesses in the P2P program and is able to locate information (including hash
histories) deleted or moved so as to prevent file sharing. In support of this
claim, he cites an article which states that, `the exact extent to which can
[sic] investigators can exploit a network protocol to gather information remotely
is unsettled law.’ . . . He contends that the `phrase “exploiting a network
protocol” is just techno-babble for writing a program that invades an otherwise
non-shared portion of a computer.’ . . . He concludes that the government
essentially developed a virus that
allowed it to access all of the data on a P2P user's computer, which it failed
to disclose to the issuing magistrate. . . . ([citing record pages in which
Feldman claimed] that the `developers of RoundUp themselves have stated that it
exploits weaknesses in peer-to-peer networks and that the exploitation of those
weaknesses may violate Kyllo’).
U.S. v. Feldman,
supra.
As Wikipedia explains, in Kyllo v. U.S., 533 U.S. 27 (2001), the U.S. Supreme Court held that when “the Government uses a device that is not in general
public use, to explore details of a private home that would previously have
been unknowable without physical intrusion, the surveillance is a 4th Amendment
`search,’ and is presumptively unreasonable without a warrant.” Kyllo v. U.S., supra.
Finally, the District Court Judge pointed out that Feldman
presents no evidence that RoundUp does
what he claims, much less that it did so in this investigation. . . . [T]here is
no support for these claims in the articles submitted. . . . For
instance, the article [he] cites in his objections discusses digital forensics
in general; it says nothing about RoundUp in particular. Further, the authors
of this article clearly state that pre-warrant evidence must be in plain view,
which in this context would mean the shared portion of the computer, in order for
it to be used. . . . Defendant presents no non-speculative basis for holding a
hearing, either to explore the legality of the government's pre-warrant
investigation or the veracity of the affiant. . . .
U.S. v. Feldman,
supra.
For “these and other reasons”, the District Court Judge
denied Feldman’s motion to suppress. U.S. v. Feldman, supra.