This post examines an opinion issued by a U.S. District
Court Judge who sits in the U.S. District Court for the District of South Carolina: U.S.
v. Knowles, 2016 WL 6952109 (2016). The District Court Judge begins the
opinion by explaining that the defendant
is charged with possession of child
pornography, in violation of 18 U.S. Code § 2252A. The charge arises from
the Government's investigation of a website known as `Playpen,’ a global
forum for distributing child pornography, which used `Tor’ software to avoid
detection by law enforcement. (Dkt. No. 59 at 1.) Tor prevents tracing
internet communications to the actual user. To overcome that obstacle, FBI
agents utilized a Network Investigative Technique (`NIT’) to identify Playpen
users. Using information obtained from the NIT, FBI agents connected
Defendant's home address to a Playpen username used to access child
pornography. Agents then obtained a warrant to search Defendant's home, wherein
they seized computer media containing child pornography. Defendant now moves to
suppress those items, arguing the Government's use of an NIT, which was
authorized by a search warrant issued in the [U.S. District Court for the] Eastern
District of Virginia, to obtain information from Defendant's computer, which
was located in South Carolina, violated the Fourth Amendment, Rule 41(b) of the Federal Rules of Criminal Procedure, and 28 U.S. Code § 636(a).
U.S. v. Knowles,
supra.
The judge then outlines what he refers to as “Internet
Background,” explaining that
Defendant's challenge to the use of an
NIT raises issues requiring some background on communications between a website
and its users. Websites exist on computers called `servers.’ A computer
accessing the website is a `client’ computer. Website servers and their clients
typically are not part of the same home or office computer network. Thus,
communications between server and client require a connection between
networks—a means of `internetworking’ (hence, the `internet’). This is
accomplished by assigning internet protocol (`IP’) addresses, bundling
communications into data `packets’ bearing source and destination IP addresses,
and using specialized devices, `network nodes,’ to forward the data packets
between networks. Each data packet has a `header’ containing the source IP
address, the destination IP address, and other data needed to route the packet.
Network nodes use those IP addresses to route the packet between the user's
location and the website's location, which might be the other side of the
world.
The process may be analogized to
physical mail. Communications are bundled into an envelope or `packet,’ having
a `header’ with source and destination addresses. The packet is forwarded among
various `nodes,’ post offices and mail distribution centers, resulting, ultimately,
in delivery to the intended recipient. By that analogy, to interact with a
website is to engage in a correspondence with it. A closer analogy may be
correspondence via telephone text messaging—an exchange of short messages
across a communications network between persons using devices associated with
unique numbers. The text message analogy illustrates IP addresses are
subscriber numbers assigned by a service provider, like a telephone number, and
not physical locations, like a mailing address. An internet service provider
can provide subscriber information, including location information, regarding
IP addresses, just as a telephone service provider may provide subscriber
information regarding telephone numbers. (See Dkt. No. 47–1 ¶ 22.)
The service provider responsible for a given IP address may be identified using
publicly available information, again, just as a telephone company may be
identified for a given telephone number. (Id.)
Finally, not all network addresses are
used to route communications across the internet. Some addresses are local
addresses valid for communications only within a single network or portion of a
network. . . . These addresses again can be analogized with telephones, as
number extensions on a shared line—persons in the same office can reach one
another by dialing an extension, but outside persons must dial the number for
the main line and all outgoing calls display that number on `caller ID.’
A media access control address (`MAC
address’) is a type of local address at issue in this case. A MAC address is
assigned to a network interface, usually by the manufacturer, to identify
devices on a network. Smith, supra, at 462–63; see
also Azure Networks, LLC v. CSR PLC, 771 F.3d 1336, 1347 (Fed.
Cir. 2014) (discussing MAC addresses). . . . MAC addresses generally are not
transmitted over the internet, and websites generally cannot request (or
“instruct”) a client to transmit its MAC address directly. Flickenger, supra, at
45. To obtain a client's MAC address, a website must somehow bypass the
client's normal security measures.
U.S. v. Knowles,
supra.
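The layering the opinion describes can be seen in the bytes themselves. The following is an added example, not part of the opinion or the original post: it builds an Ethernet frame carrying an IPv4 packet, passes it through a home router performing address translation, and parses what leaves the home network. All MAC and IP addresses are constructed sample values, and the router model is simplified (no checksums, no port translation).

```python
import ipaddress
import struct

# Constructed sample addresses (locally administered MACs, documentation IP ranges).
CLIENT_MAC, ROUTER_LAN_MAC = "02:00:00:aa:bb:01", "02:00:00:aa:bb:fe"
ROUTER_WAN_MAC, ISP_MAC = "02:00:00:cc:dd:01", "02:00:00:cc:dd:fe"
CLIENT_IP, PUBLIC_IP, SERVER_IP = "192.168.1.10", "203.0.113.7", "198.51.100.20"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    """Ethernet II header (link layer) + IPv4 header (network layer) + payload."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


def parse_frame(frame):
    dst_mac, src_mac, _ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = struct.unpack(IP_FMT, frame[14:34])
    return {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
            "src_ip": str(ipaddress.IPv4Address(fields[8])),
            "dst_ip": str(ipaddress.IPv4Address(fields[9])),
            "payload": frame[34:]}


def nat_forward(frame, wan_mac, next_hop_mac, public_ip):
    """Router: discard the incoming link header, rewrite a private source IP
    to the subscriber's public IP, and build a new link header for the next hop."""
    pkt = parse_frame(frame)
    src = ipaddress.ip_address(pkt["src_ip"])
    src_ip = public_ip if any(src in net for net in RFC1918) else pkt["src_ip"]
    return build_frame(wan_mac, next_hop_mac, src_ip, pkt["dst_ip"], pkt["payload"])


def server_side_view():
    """Return the frame on the home LAN, the frame leaving the router, and its parse."""
    lan_frame = build_frame(CLIENT_MAC, ROUTER_LAN_MAC, CLIENT_IP, SERVER_IP, b"GET /")
    wan_frame = nat_forward(lan_frame, ROUTER_WAN_MAC, ISP_MAC, PUBLIC_IP)
    return lan_frame, wan_frame, parse_frame(wan_frame)


if __name__ == "__main__":
    lan, wan, seen = server_side_view()
    print("on the home LAN :", parse_frame(lan))
    print("past the router :", seen)
    # Every later router repeats the re-framing step, so the link-layer
    # addresses change again at each hop; only the IP header travels end to end.
    print("client MAC still present:", mac_bytes(CLIENT_MAC) in wan)
```

Past the first router the packet carries the subscriber's public IP address and no trace of the client's MAC address or private IP address, which is why those values have to be read on the client machine itself.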
The Judge then takes up the issue of the Tor Network,
explaining that
[n]ormally, law enforcement can review
a website's IP address logs after they seize a website to determine which IP addresses
visited the site. (See Dkt. No. 47–1 ¶ 22.) They can then search
public information to determine which internet service provider owned a target
IP address and issue a subpoena to that service provider for the identity of
the user of that IP address. (Id.) Playpen users, however, concealed
their IP addresses with Tor. (Dkt. No. 47–3 ¶ 7.) The Department of Defense
designed Tor to protect government communications, but it is now free software
available to the public. (Id.) The NIT search warrant affidavit
describes Tor as masking users' IP addresses by “bouncing their communications
around a distributed network of relay computers run by volunteers all around
the world.” (Id. ¶ 8.) However, `bouncing . . . communications around
a distributed network . . . all around the world’ describes most internet
communications. More specifically, Tor utilizes `onion routing’ to make
internet communications anonymous. (Tor is an acronym for `The Onion Router.’) In
onion routing, packets are the core of layered cells or “onions.” Around that
core are layers of encryption. Special software on the user's computer chooses
a `circuit’ through the network of Tor servers, known as `onion routers.’ There
are approximately seven thousand publicly listed routers and another two
thousand unlisted routers (used to prevent service providers from blocking
access to the Tor network). See Tor Metrics, The Tor Project,
Inc., https://metrics.torproject.org/networksize.html. Each onion router
decrypts a layer of the onion, receiving instruction on where next to relay it.
No onion router knows how many routers are in the circuit, and only the last
router in the circuit, the `exit node,’ knows its position in the circuit. When
the onion leaves the exit node, it proceeds to its destination as any other
internet traffic, but with the exit node's IP address rather than the actual
sender's IP address.
U.S. v. Knowles,
supra. The opinion also notes that
“Tor also allows websites, such as Playpen, to operate as a `hidden
service.’” U.S. v. Knowles, supra.
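The layered routing described in the opinion can be modelled in a few lines. The following is an added example, not code from the opinion, the original post, or the Tor Project: a three-hop circuit in which each router removes one layer, learns only the next hop, and the destination sees the exit node's address. The cipher is a SHA-256 keystream used as a stand-in (Tor's real cell format and key negotiation are not modelled), and all addresses and keys are constructed.

```python
import hashlib
import json

# Constructed sample values (documentation IP ranges).
CLIENT_IP = "198.51.100.23"
DESTINATION = "203.0.113.80"
ROUTERS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]  # entry, middle, exit
# One key per router, known to the client and that router only (assumed pre-shared).
CIRCUIT = [(addr, hashlib.sha256(b"constructed key " + addr.encode()).digest())
           for addr in ROUTERS]
MESSAGE = b"GET /index.html"


def keystream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter). Stand-in only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key, next_hop, inner):
    """Add one layer: the next-hop instruction plus the still-encrypted inner onion."""
    layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
    return keystream_xor(key, layer)


def peel(key, onion):
    """Remove one layer with this router's key; reveals only the next hop."""
    layer = json.loads(keystream_xor(key, onion))
    return layer["next"], bytes.fromhex(layer["inner"])


def build_onion(circuit, destination, message):
    """Client side: encrypt for the exit first, then work outward to the entry."""
    next_hops = [addr for addr, _ in circuit[1:]] + [destination]
    onion = message
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        onion = wrap(key, nxt, onion)
    return onion


def route(client_ip, circuit, onion):
    """Pass the onion along the circuit, recording what each router can observe."""
    keys = dict(circuit)
    views = []
    sender, here = client_ip, circuit[0][0]
    while here in keys:
        nxt, onion = peel(keys[here], onion)
        views.append({"router": here, "received_from": sender, "forwards_to": nxt})
        sender, here = here, nxt
    return {"destination": here, "source_ip_seen": sender,
            "message": onion, "router_views": views}


def demo():
    return route(CLIENT_IP, CIRCUIT, build_onion(CIRCUIT, DESTINATION, MESSAGE))


if __name__ == "__main__":
    result = demo()
    for view in result["router_views"]:
        print(view)
    print("destination sees source:", result["source_ip_seen"])
```

Only the entry router's view contains the client's address, and only the exit router's view contains the destination, which is the property that left the website's own IP logs unable to identify its users.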
For these and other reasons, the court denied Knowles’ motion to suppress.
The opinion goes on to explain that
Playpen needed the anonymity Tor
provides because it was `dedicated to the advertisement and distribution of
child pornography, [and] the discussion of matters pertinent to child sexual
abuse.’ (Id. ¶ 6.) The website's home page displayed an image of
two partially clothed prepubescent females with their legs spread apart. (Id. ¶
12.) That page prompted users either to register an account or to login using
an existing username and password. (Id.) . . . The message also stated,
`This website is not able to see your IP address and can not [sic]
collect or send any other form of information to your computer except what you
expressly upload.’ (Id.)
After logging in, users saw a page
listing discussion boards for images, videos, or text related to child
pornography, including `Preteen Photos,’ `Pre-teen Videos,’ `Pre-Teen Photos,’
`Family—Incest’ and `Toddlers.’ (Id. ¶ 14.) . . . Over 1,500 unique
users visited Playpen daily and over 11,000 unique users visited the site over
the course of a week. (Id. ¶ 19.) By March 2015, Playpen contained
a total of 117,773 posts, 10,622 total topics, and 214,898 total members. (Dkt.
No. 47–1 ¶ 12.)
In December 2014, a foreign law
enforcement agency informed the FBI it suspected a United States-based IP
address was associated with Playpen. (Dkt. No. 47–3 ¶ 28.) The FBI determined
the subject IP address was owned by a server hosting company headquartered in
North Carolina. (Id.;
Dkt. No. 59 at 2.) The FBI subsequently obtained a search warrant for the
server. (Dkt. No. 47–3 ¶ 28.) FBI agents examined the server and
determined it contained a copy of Playpen. They then stored the copy of the
website on a computer server at a government facility in Newington, Virginia.
Newington is located in the Eastern District of Virginia. (Id.)
Additional investigation revealed a Florida resident controlled Playpen. (Id.)
On February 19, 2015, FBI personnel executed a court-authorized search of the
administrator's residence in Florida. (Id. ¶ 30.) The FBI arrested
the suspect and assumed control of Playpen. (Id.)
U.S. v. Knowles,
supra.
The opinion then takes up the Network Investigative
Technique, explaining that on
February 20, 2015, Special Agent
Douglas Macfarlane applied to a United States Magistrate Judge in the Eastern
District of Virginia for a search warrant to use an NIT with Playpen (the `NIT
search warrant’). . . . In the warrant application, Agent Macfarlane stated the
NIT was necessary to overcome the anonymity Tor provides. . . . The warrant
application sought operating system, computer name, and MAC address information
to enable identification of a specific computer within a household sharing an IP
address, and possibly identification of a specific user of a shared computer.
Hr'g Tr. 27:19–30:11. United States v. Matish, Crim. No. 4:16–16
(E.D. Va. May 19, 2016), Dkt. No. 61.
The warrant provided that the NIT would
activate `each time that any user or administrator log[ged] into Playpen by entering
a username and password.’ (Dkt. No. 47–3 ¶ 36.) However, in practice the FBI
configured the NIT to activate only when a user accessed certain posts within
Playpen. Hr'g Tr. 20:19–25, Matish, Crim. No. 4:16–16, Dkt. No. 61.
. . . The NIT did not activate when a user reached Playpen's home page, created
an account, or logged into that account. . . . To activate the NIT, a user
actually had to access child pornography. See, e.g., Hr'g Tr.
27:19–30:11, Matish, Crim. No. 4:16–16, Dkt. No. 61. . . . Once
activated, the NIT caused the “activating computer—wherever located—to send to
a computer controlled by or known to the government network level messages
containing information that may assist in identifying the computer, its
location, other information about the computer and the user of the computer.”
(Dkt. No. 47–3 ¶ 46.) The FBI could then link a username and its corresponding
activity on the site with an IP address. (Id. ¶ 37.) As explained
above, IP addresses can be used to determine location, and other information
gathered by the NIT, such as a local computer account name and MAC address, can
link a particular computer found at a location to a Playpen user. . . .
U.S. v. Knowles,
supra.
I cannot include all of the information in the opinion
because it is very long. If you would like to request a copy of the entire
opinion, you can contact U.S. District Court Judge Gergel via this website: http://www.scd.uscourts.gov/Judges/distjudge.asp.
Getting back to the opinion, it then explains that the
FBI used the NIT to, among other things, trace Knowles’ use
of the Playpen system, which led to agents’ executing a search warrant at his
residence, which apparently turned up evidence that was used to indict
Knowles. U.S. v. Knowles, supra. After
he was indicted, he filed a motion to suppress “evidence seized pursuant to the
search warrant of February 20, 2015, which authorized use of the NIT.” U.S. v. Knowles, supra. Like most motions to suppress, this one
argued that the FBI agents violated the 4th Amendment in their
investigation of Knowles’ use of the site. U.S.
v. Knowles, supra.
The District Court Judge then began
his analysis of the motion to suppress and the prosecutors’ argument that it
should not be granted by explaining that
[t]he Fourth Amendment protects `[t]he
right of the people to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures.’ U.S. Const. amend. IV. All
warrants must `(1) be issued by a neutral and detached magistrate, (2) contain
a particular description of the place to be searched, and the person or things
to be seized, and (3) be based upon probable cause, supported by Oath or
affirmation.’ United States v. Clyburn, 24 F.3d 613, 617 (U.S.
Court of Appeals for the 4th Circuit 1994). Evidence seized pursuant to a
warrant lacking one of those requirements may be suppressed. However,
`[s]uppression of evidence . . . has always been [the court's] last resort, not
[the court's] first impulse.’ Hudson v. Michigan, 547 U.S. 586 (2006). Because the consequences of suppression are dire, a defendant urging
suppression carries a heavy burden. See Hudson v. Michigan, supra.
Suppression is limited to cases in which its deterrent effect against law
enforcement's misconduct outweighs the costs inherent in barring evidence that
law enforcement expended great resources to obtain. See Penn. Bd.
of Prob. & Parole v. Scott, 524 U.S. 357 (1998). . . .
U.S. v. Knowles,
supra.
The court went on to explain that
Defendant argues the NIT search warrant
does not contain a particular description of the place to be searched, because
the location of Defendant's computer was unknown when the warrant issued, and
so violates the Fourth Amendment. (Dkt. No. 47 at 13–14.) Defendant also argues
the NIT search warrant's issuance in Virginia violates Rule 41(d) in
a manner requiring suppression, (1) because it was void ab initio because
it exceeded the magistrate judge's authority under the Federal Magistrates Act,
(2) because the violation prejudiced Defendant, and/or (3) because law
enforcement acted in bad faith or with deliberate disregard of Rule 41 when
obtaining the warrant. (Id. 5–11.) He moves to suppress evidence
seized from his home, because the probable cause supporting the warrant for
that search was a fruit of the NIT search warrant.
Many federal courts have addressed the
NIT search warrant at issue here. Courts generally find the magistrate judge in
Virginia lacked authority to issue the NIT search warrant without finding
suppression to be appropriate.
U.S. v. Knowles,
supra.
The judge went on to point out that a Fourth Amendment
“search” takes place
when `the person invoking its
protection can claim a “justifiable,” a “reasonable,” or a “legitimate
expectation of privacy” that has been invaded by government action.’ Smith v. Maryland, 442 U.S. 735 (1979). There are two components to a reasonable
expectation of privacy: `first that a person have exhibited an actual
(subjective) expectation of privacy and, second, that the expectation be one
that society is prepared to recognize as “reasonable.”’ Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring). Defendant
claims the NIT violated his Fourth Amendment rights. He must therefore
demonstrate that the NIT violated a subjective expectation of privacy and that
society is prepared to recognize that expectation as reasonable. Smith v. Maryland, supra.
The NIT retrieved several types of
information from Defendant's computer. (See Dkt. No. 47–3 ¶¶ 34.)
The most important information retrieved from Defendant's computer was his IP
address, which informed authorities of Defendant's location and led to the
search that Defendant wishes suppressed. The government contends Defendant had
no reasonable expectation of privacy in his IP address. (Dkt. No. 59 at 14–15.)
Courts uniformly hold there is no reasonable expectation of privacy in an IP
address, a number assigned Defendant by his service provider, which he
voluntarily provided to third parties every time he used the internet. See
United States v. Laurita, Crim. No. 8:13–107, 2016 WL 4179365, at *5 (D.
Neb. Aug. 5, 2016); see also United States v. Bynum, 604 F.3d
161, 164 (4th Cir. 2010) . . . . But the IP address was not the only
information the NIT retrieved from Defendant's computer. It also retrieved his
MAC address, local computer operating system information, and local computer
operating system login username. (Dkt. No. 47–3 ¶ 34.) The Government needed
that information to identify Defendant as the person accessing Playpen under
the user name mim878. See Hr'g Tr. 27:19–30:11, Matish, Crim.
No. 4:16–16, Dkt. No. 61. To obtain that information, the NIT surreptitiously placed
code on Defendant's personal computer that extracted the information. (See Dkt.
No. 47–3 ¶¶ 33–34.) Thus, the relevant inquiry is whether Defendant has a
reasonable expectation of privacy in the contents of his personal computer,
which was located in his home, not whether he has a reasonable expectation of
privacy in his IP address.
U.S. v. Knowles,
supra.
The opinion then explains that individuals
generally have a reasonable expectation
of privacy in the contents of their home computers. See United
States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004). . . . The Court
is aware of no authority holding persons have no reasonable expectation of
privacy in their personal computers located within their homes. . . .
The NIT `downloaded’ surreptitiously to
Defendant's computer to search his computer for personally identifying
information not routinely disclosed over the internet. That is a search within
the meaning of the Fourth Amendment. . . .
There is little doubt that had law
enforcement officers obtained Defendant's IP address from a non-Tor-based
server and issued a subpoena to the ISP to determine Defendant's physical
address, a motion to suppress the information obtained from the ISP would be
without merit. However, Defendant's IP address was discovered only after
property residing within Defendant's home—his computer—was searched by the NIT.
. . .
U.S. v. Knowles,
supra.
The court went on to find that the NIT search warrant
complied with the
Fourth Amendment's requirements of
probable cause and particularity. See
U.S. Const. amend. IV (providing `no Warrants shall issue, but upon
probable cause, supported by Oath or affirmation, and particularly describing
the place to be searched, and the persons or things to be seized’). The
application for the NIT search warrant provided substantial probable cause for
the warrant to issue by describing overwhelming evidence Playpen was used to
host and exchange child pornography. . . . All courts analyzing the NIT search
warrant have found it supported by probable cause. . . .
Defendant's constitutional challenge to
the NIT search warrant is that it `failed to comply with the Fourth Amendment's
particularity requirements.’ (Dkt. No. 47 at 13.) The Court finds no merit in
that argument. As the U.S. District Court for the Northern District of
California noted in U.S. v. Henderson,
2016 WL 4549108 (N.D. Cal. Sept. 1, 2016), the warrant provides
the NIT will
`obtain[ ] information . . . from the
activating computers,' that are “those of any user or administrator who logs
onto [Playpen] by entering a username and password.” NIT Warrant, Attachment A.
This description is sufficiently particular because it is limited only to individuals
that log onto the Playpen website using a username and password. Because of the
structure of the Tor network, only individuals actively attempting to access
the Playpen website, with sufficient knowledge of the website and its contents,
are able to access it. The Warrant is sufficiently particular as it specifies
that the NIT search applies only to computers of users accessing the website, a
group that is necessarily actively attempting to access child pornography.
U.S. v. Knowles,
supra.
The opinion also noted that
[t]his Court agrees: A search warrant
seeking an address from any computer that deliberately logs into a hidden,
illegal website hosted on a particular server is sufficiently particular. . . .
The point of the NIT search warrant was to learn the location of computers
accessing Playpen. If the Government knew Defendant's computer was in South
Carolina, no NIT search warrant regarding this Defendant would have issued
because the Government would not have needed one. Moreover, the Supreme Court
has squarely rejected Defendant's argument. . .
U.S. v. Knowles,
supra.
Finally, the Judge found that suppressing the evidence
gathered by the NIT was
inappropriate for several separate and independent reasons.
The search warrant was not void ab initio, as Defendant
argues. Rather, it was a valid search warrant, at least in the Eastern District
of Virginia, that satisfied all Fourth Amendment requirements. Even if that
were not the case, the Government relied upon its validity in good faith. Even
if the Government had learned Defendant was in South Carolina, exigent
circumstances would have justified the NIT search without first obtaining a
warrant in South Carolina. Finally, the ministerial violation of Rule
41 that occurred in this case does not justify the exclusion of evidence
seized on probable cause and with advance judicial approval, because the
Government did not intentionally disregard the rule and because the violation
did not prejudice Defendant.
U.S. v. Knowles,
supra.
The court’s reference to a violation of Rule 41 of the Federal Rules of Criminal Procedure deals with a related, but distinct, issue. As Wikipedia explains, the
Federal Rules of Criminal Procedure are the procedural rules that govern how federal criminal prosecutions are conducted in United States district courts and the general trial courts of the U.S. government.
Even if the
collection of evidence at issue in this case violated the provisions of Rule
41, which operationalize the requirements of the Fourth Amendment, the court
found that a violation or violations of Rule 41 would not justify suppressing
evidence. As Wikipedia explains, the exclusionary rule is only used to enforce
individuals’ Constitutional rights.