Friday, January 30, 2015

RoundUp, Child Pornography and Kyllo

After Jeffrey Feldman was indicted on federal charges of “receiving and possessing child pornography” he filed motions to “compel discovery regarding the computer program (`RoundUp’) used by law enforcement to initially detect the alleged presence of child pornography on his computer” and to suppress “evidence gathered pursuant to a subsequently obtained search warrant”.  U.S. v. Feldman, 2015 WL 248006 (U.S. District Court for the Eastern District of Wisconsin 2015).  
The U.S. District Court Judge who has the case referred the motions to a U.S. Magistrate Judge, who scheduled oral argument on them, but on the “eve of the”
argument the parties notified the Magistrate Judge that they had resolved the case and that the motions would be withdrawn on the filing of a plea agreement. . . . The parties filed a plea agreement on May 8, 2014, and [the U.S. District Court Judge] scheduled a plea hearing for June 13, 2014. However, on May 29, 2014, defense counsel filed a letter indicating [Feldman] was withdrawing from the plea agreement and asking that the motions be set back on the calendar before the Magistrate Judge.
U.S. v. Feldman, supra. On June 2, 2014, the District Court Judge “referred the case” to the Magistrate Judge “for further action on the motions.” U.S. v. Feldman, supra.
The Magistrate Judge found Feldman waived his right to litigate the motions by entering into a plea agreement.  U.S. v. Feldman, supra.  In case the District Court Judge did not agree, the Magistrate Judge denied the motion to compel and recommended that the District Court Judge deny the motion to suppress. U.S. v. Feldman, supra.  The District Court Judge agreed with the Magistrate Judge with regard to the waiver, but addressed Feldman’s arguments to get a decision on the merits in the record, in case Feldman appealed. U.S. v. Feldman, supra. 
He began with the motion to suppress, noting that the first issue was whether the
affidavit provided the issuing magistrate with a “substantial basis” to find probable cause. U.S. v. Koerth, 312 F.3d 862 (U.S. Court of Appeals for the 7th Circuit 2002) (citing Illinois v. Gates, 462 U.S. 213 (1983)). Probable cause is far short of certainty; it requires only a probability or substantial chance of criminal activity, not an actual showing of such activity or even a probability that exceeds 50 percent. U.S. v. Seiver, 692 F.3d 774 (U.S. Court of Appeals for the 7th Circuit 2012). Determining whether probable cause exists requires a common-sense analysis of the facts available to the judicial officer who issued the warrant.
U.S. v. Feldman, supra. 
The District Court Judge began by explaining that the warrant in this case was based on
the January 22, 2013, affidavit of FBI Special Agent Brett Banner. . . . Banner set forth the following information specific to this case.

Between June 10, 2012, and July 23, 2012, an FBI online covert employee (`OCE’) conducted numerous online investigations to identify individuals possessing and sharing child pornography using the eDonkey and KAD peer-to-peer . . . networks. The OCE used a P2P file sharing program, which scanned both networks simultaneously and has been enhanced to ensure downloads occur only from a single selected source. . . .

During those investigations, the OCE searched for suspected child pornography files and identified a particular IP address on the KAD network which had suspected child pornography files available for distribution. Specifically, this IP address responded to the OCE's queries for 17 suspected child pornography hash values. . . .

Banner averred that during the dates listed, the target IP address was registered to Time Warner/Road Runner and assigned to a physical address in Milwaukee, Wisconsin. . . . On September 6, 2012, the . . . suspected child pornography hashes were submitted to the National Center for Missing and Exploited Children (`NCMEC’) for preliminary identification. NCMEC advised that five of them `matched known child pornography victims. . . .’ The affidavit then specifically described two of those files. . . . Banner averred that the `remaining hashes were identified as “Recognized,” which meant they had been previously submitted to NCMEC as suspected child pornography by law enforcement.’ . . .

[T]he OCE attempted without success to conduct single source downloads of the suspected child pornography from the target IP address. The OCE noted that the IP address had been given a `low ID’ designation on the KAD network, which, for technical reasons, may have prevented the single source download. . . .

On September 7, 2012, Time Warner responded to a subpoena requesting subscriber information for the target IP address, identifying [Feldman] at a physical address in West Allis, Wisconsin. . . . On September 13, agents went to the physical address to conduct surveillance and determine if there was a wireless connection that could be associated with this residence. A check of the available wireless connections revealed there were several secured wireless connection points that could be associated with the residence. There were no unsecured wireless connection points found at this location, indicating that the suspect's wireless connection was secured. . . . On December 6, 2012, Banner viewed a law enforcement commercial data base and learned [Feldman] had lived at the West Allis address since 1997. . . . State records revealed [he] had vehicles registered to him at this address. . . .

Based on these facts, Banner averred there was probable cause to believe evidence of violations of 18 U.S. Code § 2252A was located at [Feldman’s] West Allis residence. . . . Magistrate Judge Callahan issued the warrant on January 22.
U.S. v. Feldman, supra. 
The judge found that “Banner's affidavit supplied a substantial basis for a finding of probable cause”, given the facts outlined above, the fact that the OCE identified the images at issue by their hash values and the fact that “[c]ourts have found hash values sufficiently reliable, even in the absence of a direct download.”  U.S. v. Feldman, supra.  He also relied on the fact that the FBI agents “confirmed that the hash values matched known child pornography by submitting them to NCMEC and viewing two of the files associated with the hash values, providing a detailed description of those two files.” U.S. v. Feldman, supra. 
The judge goes on to explain that in objecting to the Magistrate Judge’s ruling, Feldman
contends that no court has found that a target computer responding to hash value queries, without some further corroboration that the target computer likely contains child pornography, is sufficient to establish probable cause for a search warrant. He points to my decision in U.S. v. Case, where I indicated, in response to the defendant's complaint about the use of an automated law enforcement program, `This is not a situation where a computer program downloaded material believed to be contraband (based on, say, a keyword search or hash values) and no human being looked at the material before a warrant was sought.’ U.S. v. Thomas, 2014 U.S. Dist. LEXIS 34460 (U.S. District Court for the Eastern District of Wisconsin 2014).

In this case, the agents did not rely on the target computer's response to the hash value query alone; they submitted the hash values to the NCMEC for confirmation, viewed two of the offered files, and provided the magistrate judge with a detailed description of the contents of those two files. [Feldman] attempts to distinguish U.S. v. Thomas, supra, arguing that unlike in his case the officers there physically examined the images associated with the identified hash values. As discussed above, the instant warrant application, fairly read, establishes the same. In any event, [Feldman] concedes that the odds of two different files having the same hash value are infinitesimal.
U.S. v. Feldman, supra. 
Feldman also argued that “[u]nlike the program used in U.S. v. Thomas, supra,”
RoundUp has the ability to infiltrate private spaces on the target computer. He offers no evidence of that. While the affidavit from his expert references remote `tagging,’ he makes no claim that such tagging occurred in his case. Nor does the affidavit affirmatively contend that the program invades non-shared space to search for evidence. (See R. 25–1 at 6 ¶ 22 -- `It can't be confirmed if the software has access to, or writes information in other non-shared areas of the remote client.’) Relying on his expert, [Feldman] further contends that it may be possible for hash values to be present on a computer without the computer having any significant portion of the file present on it (like having the table of contents of a book without having any of the chapters). But this possibility does not defeat probable cause, which requires only a substantial chance that a search will turn up evidence of criminal activity.

As the U.S. v. Miknevich, 638 F.3d (U.S. Court of Appeals for the 3rd Circuit 2011) court stated:

`We recognize that file names are not always a definitive indication of actual file content and, therefore, only after downloading and viewing a particular file can one know with certainty whether the content of the file is consistent with its designated name. However, certainty has no part in a probable cause analysis. On the contrary, probable cause requires only a probability or substantial chance of criminal activity, not an actual showing of such activity.’
U.S. v. Miknevich, supra (internal citations and quote marks omitted).
The District Court Judge noted that Feldman did not claim that the Magistrate Judge
simply rubber stamped the application; he cites no case finding a materially similar application insufficient; and he makes no effort to show that the affidavit was so plainly deficient that any reasonably well-trained officer would have known that it failed to establish probable cause. Instead, he argues that good faith does not apply because the affiant was dishonest or reckless.
U.S. v. Feldman, supra. 
The judge goes on to explain that Feldman pointed to
no false statements in or material omissions from the affidavit. Instead, he argues that RoundUp exploits known weaknesses in the P2P program and is able to locate information (including hash histories) deleted or moved so as to prevent file sharing. In support of this claim, he cites an article which states that, `the exact extent to which can [sic] investigators can exploit a network protocol to gather information remotely is unsettled law.’ . . . He contends that the `phrase “exploiting a network protocol” is just techno-babble for writing a program that invades an otherwise non-shared portion of a computer.’ . . . He concludes that the government essentially developed a virus that allowed it to access all of the data on a P2P user's computer, which it failed to disclose to the issuing magistrate. . . . ([citing record pages in which Feldman claimed] that the `developers of RoundUp themselves have stated that it exploits weaknesses in peer-to-peer networks and that the exploitation of those weaknesses may violate Kyllo’).
U.S. v. Feldman, supra. 
As Wikipedia explains, in Kyllo v. U.S., 533 U.S. 27 (2001), the U.S. Supreme Court held that when “the Government uses a device that is not in general public use, to explore details of a private home that would previously have been unknowable without physical intrusion, the surveillance is a 4th Amendment `search,’ and is presumptively unreasonable without a warrant.” Kyllo v. U.S., supra.
Finally, the District Court Judge pointed out that Feldman
presents no evidence that RoundUp does what he claims, much less that it did so in this investigation. . . . [T]here is no support for these claims in the articles submitted. . . . For instance, the article [he] cites in his objections discusses digital forensics in general; it says nothing about RoundUp in particular. Further, the authors of this article clearly state that pre-warrant evidence must be in plain view, which in this context would mean the shared portion of the computer, in order for it to be used. . . . Defendant presents no non-speculative basis for holding a hearing, either to explore the legality of the government's pre-warrant investigation or the veracity of the affiant. . . .
U.S. v. Feldman, supra. 
For “these and other reasons”, the District Court Judge denied Feldman’s motion to suppress.  U.S. v. Feldman, supra.  
