Wednesday, October 12, 2016

The “Network Investigative Technique,” Child Pornography and the “Technical Violation”

This post examines a recent opinion from the U.S. DistrictCourt in the Southern District of Iowa:  U.S. v. Croghan, 2016 WL 4992105 (2016).  The judge is ruling on two motions to suppress, “one filed by Defendant Beau Croghan in Case No. 1:15–cr–48 (`Croghan’), and one filed by Defendant Steven Horton in Case No. 1:15-cr-51 (`Horton’).” U.S. v. Croghan, supra.  The judge explains that “[b]ecause the facts leading to each Defendant's arrest are fundamentally the same,” he will “consider the Motions to Suppress together.” U.S. v. Croghan, supra. 
The opinion goes on to explain that in
approximately September 2014, the Federal Bureau of Investigation (`FBI’) began investigating a child pornography website known as `Playpen.’ NIT Warrant ¶ 11. Playpen existed as a `hidden service’ on the `Tor’ network, which is designed to protect user anonymity by obscuring identifying information such as the user's IP address. Id. ¶ 10. Because `hidden services’ are not publically indexed or searchable, a user must both connect to Tor and know the specific Tor-based web address of a particular site to gain access. Id.

During the course of its investigation, the FBI connected to the Playpen website and discovered that it appeared to be dedicated to advertising and distributing child pornography. Id. ¶¶ 11–12. In December 2014, a foreign law enforcement agency advised the FBI that it had discovered the actual IP address of the Playpen server and that such server was located in Lenoir, North Carolina. Id. ¶ 28. In January 2015, the FBI obtained and executed a search warrant whereby it seized the Playpen website server. Id. Hoping to locate and identify visitors to the site, the FBI placed a complete copy of the Playpen website, including all of the child pornography on the website, on a government-controlled server located in Newington, Virginia. Id.see also Gov't Resistance Br. at 2. On February 19, 2015, the FBI arrested the suspected administrator of the Playpen website and `assumed administrative control’ of it. NIT Warrant ¶ 30.
U.S. v. Croghan, supra. 
The opinion then explains that on February 20, 2015,
the FBI submitted an application for and affidavit in support of a search warrant to Eastern District of Virginia Magistrate Judge Theresa Carroll Buchanan. See generally NIT Warrant. The affidavit provided that the FBI intended to continue operating the Playpen website from its own server for a period of time not to exceed 30 days in an attempt to identify users of the site. Id. ¶ 30. Because the site utilized the Tor network to mask user identify information, the FBI requested that Magistrate Judge Buchanan authorize use of a “Network Investigative Technique” (`NIT’) whereby the FBI would insert computer software into the Playpen website that would assist it in `locat[ing] and apprehend[ing] the TARGET SUBJECTS who are engaging in the continuing sexual abuse and exploitation of children’ by accessing the Playpen website. Id. Once installed on the Playpen website on the government-controlled server, the NIT would be deployed to the computer of any user who visited the Playpen website and entered a user name and password. Id. ¶¶ 31–34; Croghan Br. at 7 (noting that the NIT would be deployed to `”any user” who logged into the site with a username and password, regardless of their physical location, whether or not they were using the site's chat features, or viewing child pornography’).

The NIT would then force the `activating’ computer to transmit information back to the FBI, including: the IP address of the activating computer; the date and time the NIT determined the IP address; a unique identifier generated by the NIT to distinguish data from different activating computers; the type of operating system running on the activating computer, including type, version, and architecture; information on whether the NIT had already been delivered to the activating computer; the “`host name’ of the activating computer; the operating system used by the activating computer; and the Media Access Control (`MAC) address of the activating computer. NIT Warrant ¶ 34. Magistrate Judge Buchanan approved the warrant and authorized the FBI to deploy the NIT for 30 days. See generally Id. She further granted a request by the Government to delay notice of the search `until 30 days after any individual accessing the [Playpen site] has been identified to a sufficient degree as to provide notice.’ 18 U.S. Code § 3103a(b) and Federal Rule of Criminal Procedure 41(f)(3). Id. ¶¶ 38–41.

The Government began deploying the NIT on February 20, 2015, and continued to do so until March 4, 2015, at which time it took the Playpen website offline. Gov't Resistance Br. at 2. On July 17, 2015, law enforcement obtained a search warrant for Beau Croghan's residence in Council Bluffs, Iowa. Croghan Clerk's No. 33-3. Law enforcement obtained a search warrant for Steven Horton's residence in Glenwood, Iowa on August 5, 2015. Horton Clerk's No. 45-2. The affidavits submitted in support of each of the Iowa Warrants relied primarily on information collected from the NIT. In particular, each affidavit described the Playpen website, its existence on the Tor network, and the authorization for the NIT from the Eastern District of Virginia. The affidavits recounted that the NIT had yielded specific user names and IP addresses, and that subsequent investigation using public records and administrative subpoenas to Internet Service Providers (`ISPs’) had associated the identified IP addresses with Croghan, Horton, and their specific residences. While executing the warrants, law enforcement seized evidence from each Defendant's home, eventually culminating in both men being indicted for accessing or attempting to access child pornography in violation of 18 U.S. Code § 2252(a)(5)(b).
U.S. v. Croghan, supra. 
The judge then begins his analysis of the arguments made by both sides, explaining that
Defendants urge that all evidence discovered by virtue of and flowing from the NIT warrant must be suppressed. In particular, they argue: (1) the NIT warrant was issued in violation of Federal Rule of Criminal Procedure 41; (2) as a result of the Rule 41 violation, evidence obtained by use of the NIT must be suppressed; (3) evidence obtained as a result of the Iowa Warrants must also be suppressed because the probable cause supporting their issuance was derived solely from evidence collected by virtue of the NIT; and (4) no good faith exception is applicable to avoid suppression. The Government counters: (1) that the NIT warrant complied with Rule 41; (2) that even if Rule 41 was violated, suppression is not warranted; and (3) that the good faith exception applies in any event.

The Court notes that the NIT Warrant at issue in this case has resulted in a great deal of litigation across the country. The numerous district courts to consider motions similar to the present Motions to Suppress have reached varying conclusions on the legal issues at play. At least two courts have concluded that the NIT Warrant was unlawfully issued and suppressed all fruits of it. Seee.g.United States v. Levin, 2016 WL 2596010 (U.S. District Court for the District of Massachusetts May 5, 2016); United States v. Arterbury, No. 15-cr-182, Clerk's No. 42 (U.S. District Court for the Northern District ofOklahoma NApr. 25, 2016). Several others have found that while the NIT Warrant may have been issued unlawfully, suppression was not warranted, either under the exclusionary rule in general or pursuant to the Leon good faith exception. See United States v. Torres, No. 5:16–cr–285, 2016 WL 4821223 (W.D.Tex. Sept. 9, 2016); United States v. Henderson, No. 15–cr–565, 2016 WL 4549108 (N.D.Cal. Sept. 1, 2016); United States v. Adams, No. 6:16–cr–11, 2016 WL 4212079 (M.D.Fla. Aug. 10, 2016). . . . And, at least four decisions, three from the Eastern District of Virginia and one from the Western District of Arkansas, have concluded that the magistrate judge possessed adequate authority to issue the NIT Warrant under Rule 41 such that there was no legal violation that would require suppression.  See, e.g., United States v. Jean, No. 5:15–cr–50087, 2016 WL 4771096 (W.D.Ark. Sept. 13, 2016); United States v. Eure, No 2:16cr43, 2016 WL 4059663 (E.D.Va. July 28, 2016); United States v. Matish, No. 4:16cr16, ––– F. Supp.3d ––––, 2016 WL 3545776 (E.D.Va. June 23, 2016). . . .
U.S. v. Croghan, supra. 
The judge then took up the issue as to whether the NIT warrant complied with the requirements of Rule 41, explaining, initially, that the
Federal Magistrates Act provides that `[e]ach United States magistrate judge serving under [the Act] shall have within the district in which sessions are held by the court that appointed the magistrate judge, at other places where that court may function, and elsewhere as authorized by law’ certain duties, including among other things `all powers and duties conferred or imposed . . .by the Rules of Criminal Procedure for the United States District Courts.’ 28 U.S. Code § 636(a)(1). 
U.S. v. Croghan, supra. 
The judge went on to explain that Rule 41(b) of the Federal Rules of Criminal Procedure
provides in relevant part:

Venue for a Warrant Application. At the request of a federal law enforcement officer or an attorney for the government:

(1) a magistrate judge with authority in the district ... has authority to issue a warrant to search for and seize a person or property located within the district;
(2) a magistrate judge with authority in the district has authority to issue a warrant for a person or property outside the district if the person or property is located within the district when the warrant is issued but might move or be moved outside the district before the warrant is executed; ...
(4) a magistrate judge with authority in the district has authority to issue a warrant to install within the district a tracking device; the warrant may authorize use of the device to track the movement of a person or property located within the district, outside the district, or both ....

The Court finds, and the Government seemingly concedes, that neither Rule 41(b)(1) nor Rule 41(b)(2) authorized an Eastern District of Virginia magistrate judge to issue the NIT Warrant. Those two provisions authorize a magistrate to issue a warrant only when the property to be searched is `located within the district’ at the time the warrant issues. Here, only the Playpen website—located on a Government server under FBI control—was located in the Eastern District of Virginia. The very information the NIT Warrant was designed to uncover, however—i.e., the IP addresses and other identifying information of Playpen users—was not located in the Eastern District of Virginia. That information necessarily had to be retrieved from the `activating computers,’ which in this case were both located in Iowa. Indeed, only once the NIT was deployed onto Defendants' computers did their computers relay the information sought by investigators back to the Playpen website. See NIT Warrant ¶ 33 (explaining that the NIT would be deployed to an activating computer when a user logged into the Playpen website whereafter `the instructions, which comprise the NIT, are designed to cause the user's `activating’ computer to transmit certain information to a computer controlled by or known to the government’); ¶ 36 (explaining that the NIT would `attempt to cause the user's computer to send [certain information] to a computer controlled by or known to the government that is located in the Eastern District of Virginia’). Thus, the `activating computers,’ located outside of the Eastern District of Virginia, comprised the property to be searched pursuant to the NIT Warrant. Subsections (1) and (2) of Rule 41(b) are clearly inapplicable.
U.S. v. Croghan, supra. 
The opinion then explains that the
Government urges that the NIT Warrant was permissible pursuant to Rule 41(b)(4), because the Defendants `logged onto [Playpen] from computers located in the Southern District of Iowa, which triggered the NIT during the time period that the NIT tracking device was active, which gathered identifying information, including an IP address, for each of the defendant's computers.’ Gov't Resistance at 7. In support of its position, the Government cites Matish and Darby. In Matish, the court found that Magistrate Judge Buchanan had authority to issue the NIT Warrant under Rule 41(b)(4) because Playpen users made `a virtual trip via the Internet to Virginia.’ 2016 WL 3545776, at *18. Thus, it concluded that the NIT `resembles a tracking device’ in that the installation of the NIT occurred on `each individual computer that entered the Eastern District of Virginia when its user logged into Playpen via the Tor network. When that computer left Virginia—when the user logged out of Playpen—the NIT worked to determine its location, just as traditional tracking devices inform law enforcement of a target's location.’ Id. The Darby court likewise found the NIT Warrant permissible pursuant to Rule 41(b)(4):

It is understandable why the government sought the warrant in the Eastern District of Virginia. The government planned to run the website from a server located in the district. No district in the country had a stronger connection to the proposed search than this district. Additionally, nothing in Rule 41 categorically forbids the magistrates from issuing warrants that authorize searches in other districts—most of its provisions do just that. . . .

Rule 41(b)(4) allows a magistrate judge to issue a warrant for a tracking device to be installed in the magistrate's district. Once installed, the tracking device may continue to operate even if the object tracked moves outside the district. This is exactly analogous to what the NIT Warrant authorized. Users of Playpen digitally touched down in the Eastern District of Virginia when they logged into the site. When they logged in, the government placed code on their home computers. Then their home computers, which may have been outside the district, sent information to the government about their location. The magistrate judge did not violate Rule 41(b) in issuing the NIT Warrant.

2016 WL 3189703, at *11–12.
U.S. v. Croghan, supra. 
The judge then explained that he found
Darby and Matish unpersuasive. The Court additionally disagrees with the Jean decision, which was decided after the Government filed its resistance brief. There, the court found that the NIT Warrant `did not violate Rule 41(b)(4)'s jurisdictional boundaries, because law enforcement did not leave the Eastern District of Virginia to attach the tracking device.’ 2016 WL 4771096, at *16. The court reasoned:

`The whole point of seeking authority to use a tracking device is because law enforcement does not know where a crime suspect—or evidence of his crime—may be located. In such instances, Rule 41(b)(4) allows a magistrate judge to authorize law enforcement's use of electronic tracking tools and techniques. When an unknown crime suspect, or unknown evidence of his crime, is located in an unknown district, it would be nonsensical to interpret the Rule ... to require law enforcement to make application for such a warrant to an unknown magistrate judge in the unknown district. The fact that the NIT was purposely designed to allow the FBI to electronically trace the activating computer by causing it to return location identifying information from outside the Eastern District of Virginia—is not only authorized by Rule 41(b)(4), but is the very purpose intended by the exception.’
2016 WL 4771096, at *17.
U.S. v. Croghan, supra. 
The opinion goes on to explain that a “tracking device” is
defined for purposes of Rule 41 as any `electronic or mechanical device which permits the tracking of the movement of a person or object.’ See Rule 41(a)(2)(E) (employing the definition of `tracking device’ as set out in 18 U.S. Code § 3117(b)). Although the term `track’ is not further defined, its ordinary meaning is “`t]o follow up the track or footsteps of; to trace the course or movements of; to pursue by or as by the track left.’

See (last visited Sept. 19, 2016).

The NIT here at issue, however, clearly did not `track’ the `movement of a person or object.’ Indeed, it did not `track’ the `movement’ of anything; rather, it caused computer code to be installed on the activating user's computer, which then caused such computer to relay specific information to the government-controlled computers in Virginia. Thus, the plain language of Rule 41 and the statutory definition of `tracking device’ do not, in this Court's opinion, support so broad a reading as to encompass the mechanism of the NIT used in this case. See Torres, 2016 WL 4821223, at *6 (holding that it `is inappropriate for this Court to engage in a process of finesse justifying an ethereal presence of the defendant's computer in Virginia, where the plain language of [Rule 41(b)] as now written does not provide jurisdiction under these circumstances’). The limitations of Rule 41(b)(4) and its inapplicability to the NIT Warrant issued in this case are further evidenced by the fact that absent Congressional intervention, Rule 41 will be amended on December 1, 2016, to add subsection (b)(6), which provides in relevant part that `a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means.’

See Id. (finding that `the existence of the proposed amendment indicates at a minimum that there is currently ambiguity as to the state of the law’ and thus, `[b]olster[s]’ the argument that Rule 41(b)(4) did not justify issuance of the NIT Warrant).
U.S. v. Croghan, supra. 
The judge then explains that, since he has “rejected the position advanced by the Government,”
the Court instead agrees with the numerous district courts who have concluded that Magistrate Judge Buchanan lacked authority to issue the NIT Warrant under Rule 41(b)(4). In particular, the Court agrees with Michaud, wherein the court found that application of Rule 41(b)(4) to the NIT Warrant “stretches the rule too far”:

If the `installation’ occurred on the government-controlled computer, located in the Eastern District of Virginia, applying the tracking device exception breaks down, because [the out-of-state defendant] never controlled the government-controlled computer, unlike a car with a tracking device leaving a particular district. If the installation occurred on [the out-of-state defendant's] computer, applying the tracking device exception again fails, because [the out-of state defendant's] computer was never physically located within the Eastern District of Virginia.

2016 WL 337263, at *6; see also Henderson, 2016 WL 4549108, at *3 (`The NIT search does not meet the requirements of 41(b)(4) because, even though it was analogous to a tracking device in some ways, it nevertheless falls outside the meaning of a ”tracking device” as contemplated by the rule. Further, the NIT was installed outside of the district, at the location of the activating computers, not within the district as required by Rule 41(b)(4).”); United States v. Werdene, supra (finding Rule 41(b)(4) inapplicable because it is `premised on the person or property being located within the district” and because it is “uncontested that the computer information that the NIT targeted was at all relevant times located beyond the boundaries of the Eastern District of Virginia’); Levin, ––– F.Supp.3d at ––––, 2016 WL 2596010, at *6 (finding unpersuasive the government's attempt to analogize the transmittal of the NIT to activating computers to `the installation of a tracking device in a container holding contraband’); Arterbury, No. 15-cr-182, Clerk's No. 42 at 17 (agreeing with Michaud and concluding that the `NIT warrant was not for the purpose of installing a device that would permit authorities to track the movements of Defendant or his property’). The Court thus concludes that Magistrate Judge Buchanan lacked authority to issue the NIT Warrant pursuant to any provision of Rule 41(b).
U.S. v. Croghan, supra. 
The judge went on to consider the effect of this lack of authority, noting that
[u]pon careful review of the case law, this Court . . . concludes that a warrant issued without proper jurisdiction is void ab initio and that any search conducted pursuant to such warrant is the equivalent of a warrantless search. . . . Here, the Government does not argue that a warrantless search was permissible under the circumstances of this case. The warrantless search was, therefore, presumptively unreasonable and suppression is an appropriate remedy. . . . Moreover, because there would not have been probable cause to issue the Iowa Warrants without the information obtained from the NIT Warrant, all evidence seized as a result of the Iowa Warrants must be suppressed as fruit of the poisonous tree. See Wong Sun v. United States, 371 U.S. 471(1963).
U.S. v. Croghan, supra. 
The District Court Judge therefore ruled that,
[f]or the reasons stated herein, Defendants' Motions to Suppress (Croghan Clerk's No. 33; Horton Clerk's No. 45) are GRANTED. All evidence flowing from and obtained as a result of the improperly issued NIT Warrant is hereby suppressed.
U.S. v. Croghan, supra. 

No comments: