Monday, June 22, 2015

"Enhanced File-Sharing Software", Privacy and the 4th Amendment

After a court in Washington state found Casey Peppin “guilty of three counts of first degree possession of depictions of a minor engaged in sexually explicit conduct”, he appealed, arguing that the trial judge erred in denying “his motion to suppress the images of child pornography found on his computer.”  State v. Peppin, 347 P.3d 906 (Court of Appeals of Washington 2015).
More precisely, Peppin argued that “law enforcement's use of enhanced peer to peer file sharing software to remotely access the shared files on his computer was illegal under the 4th Amendment of the U.S. Constitution and article I, section 7 of the Washington State Constitution.” State v. Peppin, supra.
The Court of Appeals began its analysis of Peppin’s motion to suppress by explaining how the prosecution arose:
On December 29, 2011, Spokane Detective Brian Cestnik conducted an online investigation of the Gnutella network to identify persons possessing and sharing child pornography. Using peer to peer software called Round Up version 1.5.3, Cestnik found child pornography on Mr. Peppin's computer in a shared folder.

Cestnik's report of the investigation explains peer to peer file sharing. According to his report, peer to peer file sharing is a method of Internet communication that allows users to share digital files. User computers link together to form a network; the network allows direct transfer of shared files from one user to another. Peer to peer software applications allow users to set up and share files on the network with others using compatible peer to peer software. For instance, LimeWire and Shareaza are software applications that allow users to share files over the Gnutella network.

To gain access to shared files, a user must first download peer to peer software, which can be found on the Internet. Then, the user opens the peer to peer software on his or her computer and conducts a keyword search for files that are currently being shared on the network. The results are displayed and the user selects a file for download. The downloaded file is transferred through a direct connection between the computer wishing to share the file and the user's computer requesting the file. The Gnutella network gives users the ability to see a list of all files that are available for sharing on a particular computer. . . .

When more than one host computer offers the file that is requested, peer to peer software allows the user to download different parts of the file from different computers. This speeds up the time it takes to download a file. For instance, a person using Shareaza to download an image may actually receive parts of the image from multiple computers. However, often a user downloading an image file receives the entire image from one computer.

Every file shared on the Gnutella network has a unique identifier based on a Secure Hash Algorithm (SHA1) value, sometimes called a hash value. The SHA1 value acts as a fingerprint for that file. It is computationally infeasible for two files with different content to have the same SHA1 hash value. . . .
State v. Peppin, supra. The court went on to explain that Cestnik searched the
Gnutella network for `pthc,’ the commonly used term for preteen hard core Internet pornography. . . . The results indicated images matching the search terms could be found on a host computer with an IP address linked to Spokane. Cestnik's check of the IP address through two different Internet search engines confirmed that the IP address was in Spokane and that Qwest Communications was the provider.

Cestnik used the IP address to access the host computer. The host computer was configured to allow browsing of its shared folder. Cestnik viewed the contents of the folder and noticed four files that appeared to be child pornography. Cestnik successfully downloaded three files from the host computer before it stopped. After reviewing the videos in the files, he determined that each video constituted possession or dealing in depictions of minors engaged in sexually explicit conduct.

Cestnik presented Qwest Communications with a search warrant requesting information on the IP address for the host computer. Qwest Communications advised Cestnik that the IP address was connected to Peppin and provided Peppin's address.

Cestnik then obtained a search warrant for Peppin's computer. A complete forensic investigation uncovered over 100 videos of what appeared to be minors engaged in sexually explicit conduct. The State charged Peppin by amended information with three counts of first degree possession of depictions of minors engaged in sexually explicit conduct and one count of first degree dealing in depictions of minors engaged in sexually explicit conduct.
State v. Peppin, supra.
As noted above, Peppin moved to suppress the files
downloaded by Cestnik during his Internet search. He maintained that law enforcement's access and download of his computer files via the Internet was an intrusion into his private affairs and an unlawful warrantless search. At the suppression hearing, Peppin also argued that the use of enhanced peer to peer software provided information to law enforcement that was not available to the general public.
State v. Peppin, supra.
The Court of Appeals goes on to explain that at the suppression hearing, in addition to
the report provided by Cestnik, the court heard from Peppin's expert, Jennifer McCamm. McCamm worked as a computer system administrator, with some background in computer forensics. Ms. McCamm testified that the purpose of peer to peer file sharing programs is to share files. She explained that sharing is inherent in these programs and a user must change the default setting if they desire not to share files.

McCamm said she had not seen the law enforcement peer to peer software. Still, she testified that law enforcement uses an enhanced version of peer to peer software that is different from what is available to the general public.

As the biggest difference, she noted that law enforcement software has features that make searching the network easier. For instance, law enforcement software can search all user files on the Gnutella network, regardless of what client interface is being used. Also, the software provides law enforcement with a computer's IP address and gives the ability to identify files by hash value. Last, the software is built to do single source downloads. Despite this testimony, McCamm repeated that she had never tested or interacted with this software in any form.
State v. Peppin, supra.
As noted above, the judge denied Peppin’s motion to suppress because he found that
“under both article I, section 7 of the Washington State Constitution and the 4th Amendment to the U.S. Constitution, Peppin had no reasonable expectation of privacy or trespass protection when using file sharing software.” State v. Peppin, supra.
Peppin then went to trial – a bench trial – and the judge found him guilty on “three counts of first degree possession of depictions of minors engaged in sexually explicit conduct” and “not guilty on the one count of dealing in the depictions of minors engaged in sexually explicit conduct.” State v. Peppin, supra.  The judge then imposed “a low-end standard range sentence of 46 months.”  State v. Peppin, supra. 
The Court of Appeals began its analysis of Peppin’s argument that he should not have been convicted because he had “a constitutionally protected privacy right in the image files he shared with the public.”  State v. Peppin, supra.  It began by explaining that the
4th Amendment to the U.S. Constitution prohibits unreasonable search and seizures. The Washington State Constitution offers broader protection of privacy than the U.S. Constitution. State v. Carter, 151 Wash.2d 118, 125, 85 P.3d 887 (Washington Supreme Court 2004). Article I, section 7 of the Washington State Constitution provides, `No person shall be disturbed in his private affairs, or his home invaded, without authority of law.’
State v. Peppin, supra.  The court then went on to explain that, under the
`Washington Constitution, the inquiry focuses on “those privacy interests which citizens of this state have held, and should be entitled to hold, safe from governmental trespass absent a warrant.”’ State v. Myrick, 102 Wash.2d 506, 688 P.2d 151 (Washington Supreme Court 1984)).

The interpretation and application of article I, section 7 requires a two-part analysis. State v. Puapuaga, 164 Wash.2d 515, 192 P.3d 360 (Washington Supreme Court 2008). `The first step requires us to determine whether the action complained of constitutes a disturbance of one's private affairs. If there is no private affair being disturbed, the analysis ends and there is no article I, section 7 violation. If, however, a private affair has been disturbed, the second step is to determine whether authority of law justifies the intrusion. Authority of law may be satisfied by a valid warrant.’ State v. Puapuaga, supra.
State v. Peppin, supra. 
The Court of Appeals then went on to explain that, whether a person’s affairs are
private is not judged by the person's subjective expectation of privacy, but is determined in part by the historical treatment of the interest asserted. . . . If there is no historical evidence of protection under article I, section 7, then the relevant inquiry is whether the expectation is one that a citizen of this state is entitled to hold. . . . `This part of the inquiry includes a look into the nature and extent of the information that may be obtained as a result of the governmental conduct and the extent to which the information has been voluntarily exposed to the public.’ . . .
State v. Peppin, supra. 
The court then noted that U.S. Courts of Appeals have        
consistently held that a person who installs and uses file sharing software does not have a reasonable expectation of privacy in the files to be shared on his or her computer. See U.S. v. Ganoe, 538 F.3d 1117 (U.S. Court of Appeals for the 9th Circuit 2008); U.S. v. Perrin, 528 F.3d 1196 (U.S. Court of Appeals for the 10th Circuit 2008); U.S. v. Stults, 575 F.3d 834 (U.S. Court of Appeals for the 8th Cir.2009).  

Ganoe held that a defendant's expectation of privacy in his or her personal computer does not `survive [his] decision to install and use file-sharing software, thereby opening his computer to anyone else with the same freely available program.’  U.S. v. Ganoe, supra.

The [U.S. Court of Appeals for the] 9th Circuit in U.S. v. Borowy, 595 F.3d 1045 (2010), addressed a situation identical to the one here. A law enforcement agent used LimeWire peer to peer software to monitor trafficking in child pornography. U.S. v. Borowy, supra. After conducting a keyword search, the agent used special software that verified the `hash marks’ of files known to be images of child pornography. U.S. v. Borowy, supra. At least one of these files was shared through what was later determined to be Borowy's IP address. U.S. v. Borowy, supra.

The officer used LimeWire to search the rest of the files being shared on Borowy's computer. U.S. v. Borowy, supra. The agent downloaded seven files, four of which were child pornography. U.S. v. Borowy, supra. Later, a search warrant executed on Borowy's home uncovered a large number of images and videos of child pornography. U.S. v. Borowy, supra.

Borowy moved to suppress this evidence, arguing that the agent's activities in locating and downloading the files from LimeWire constituted a warrantless search and seizure without probable cause that violated his 4th Amendment rights. U.S. v. Borowy, supra. The 9th Circuit upheld the lower court's denial of the motion and held Borowy lacked a reasonable expectation of privacy in the shared files. U.S. v. Borowy, supra.

The court concluded that Borowy's files were entirely exposed to the public view and available for download so his `subjective intention not to share his files did not create an objectively reasonable expectation of privacy in the face of such widespread public access.’ U.S. v. Borowy, supra.

Furthermore, the court also rejected Borowy's argument that the use of a publicly unavailable software program rendered the search unlawful. U.S. v. Borowy, supra. The court concluded that Borowy had exposed the entirety of the files to the public, which negated any reasonable expectation of privacy in those files, and that the government's software simply functioned as a mechanism to sort through the shared files. U.S. v. Borowy, supra.

It is clear from Borowy and other federal cases that Detective Cestnik's access of Peppin's shared files was not a violation the 4th Amendment to the U.S. Constitution.
State v. Peppin, supra. 
The Court of Appeals then took up the “broader protection of the Washington State Constitution” and found that it
also does not offer any relief to Peppin. Cestnik's access of Peppin's computer through peer to peer software and download of the shared files was not a disturbance of Peppin's private affairs. Historically speaking, Washington courts have not afforded article I, section 7 protections to information voluntarily held out to the public. `[W]hat is voluntarily exposed to the general public and observable without the use of enhancement devices from an unprotected area is not considered part of a person's private affairs. State v. Young, 867 P.2d 593, 123 Wash.2d 173 (Washington Supreme Court 1994).

Here, Peppin voluntarily offered public access to the computer files obtained by Cestnik.  Peppin used peer to peer software to make these shared files available without restriction. Anyone wanting to view or download the files could do so. Law enforcement's access of these files was not an intrusion into Mr. Peppin's private affairs.
State v. Peppin, supra. 
It also went on to find that
this is not the type of information a citizen of this state is entitled to hold as private. The inherent nature of peer to peer software is the public sharing of digital computer files. Individuals using file sharing software cannot expect a privacy interest in files they hold open to the public. Again, Peppin's use of peer to peer file sharing voluntarily opened this information to the public for anyone to access, including law enforcement.

There is no disturbance of a person's private affairs when law enforcement accesses shared computer files that the person holds publically available for viewing and download. Thus, there is no violation within the context of article I, section 7 of the Washington Constitution. 

Despite Peppin's argument, Cestnik's use of specially designed software to search the peer to peer network did not transform his actions into an unlawful search. This situation is not like State v. Young, supra, where the Washington Supreme Court held that the use of an infrared device to gather information of the interior of a defendant's home was a warrantless invasion in his private affairs and his home. . . .  

In Young, the thermal infrared investigation was an invasion of privacy because it allowed law enforcement to peer into the walls of the home and reveal more than what was available to the naked eye.  State v. Young, supra. Additionally, the use of the sense-enhancing device penetrated the constitutional line of privacy that encircled the home, thus invading the home for purposes of article I, section 7 of the Washington Constitution.  State v. Young, supra.
State v. Peppin, supra. 
The court therefore held that,
[h]ere, unlike State v. Young, supra, law enforcement did not gain more information than was available to the public. Cestnik did not intrude into a computer file that Peppin intended to keep private. The files obtained by Cestnik were ones that Peppin made available to the public on the Gnutella network.

Additionally, unlike State v. Young, supra, the peer to peer software was not an enhancement device that allowed law enforcement to view what was hidden to the public. Law enforcement simply used a more efficient method for finding this publicly shared information. The government's software allowed them to efficiently view what was already knowingly exposed to the public.

We conclude that a person's private affairs are not disturbed when law enforcement uses peer to peer software to view files that the person voluntarily shares with the public on his or her computer. The trial court properly denied Peppin's motion to suppress.
State v. Peppin, supra. 
The Court of Appeals therefore affirmed Peppin’s convictions and sentence. 

State v. Peppin, supra. 

No comments: