Friday, December 09, 2016

Child Pornography, the Network Investigative Technique and the 4th Amendment

This post examines an opinion issued by a U.S. District Court Judge who sits in the U.S. District Court for the District of South Carolina: U.S. v. Knowles, 2016 WL 6952109 (2016). The District Court Judge begins the opinion by explaining that the defendant
is charged with possession of child pornography, in violation of 18 U.S. Code § 2252A. The charge arises from the Government's investigation of a website known as `Playpen,’ a global forum for distributing child pornography, which used `Tor’ software to avoid detection by law enforcement. (Dkt. No. 59 at 1.) Tor prevents tracing internet communications to the actual user. To overcome that obstacle, FBI agents utilized a Network Investigative Technique (`NIT’) to identify Playpen users. Using information obtained from the NIT, FBI agents connected Defendant's home address to a Playpen username used to access child pornography. Agents then obtained a warrant to search Defendant's home, wherein they seized computer media containing child pornography. Defendant now moves to suppress those items, arguing the Government's use of an NIT, which was authorized by a search warrant issued in the [U.S. District Court for the] Eastern District of Virginia, to obtain information from Defendant's computer, which was located in South Carolina, violated the Fourth Amendment, Rule 41(b) of the Federal Rules of Criminal Procedure, and 28 U.S. Code § 636(a).
U.S. v. Knowles, supra.
The judge then outlines what he refers to as “Internet Background,” explaining that
Defendant's challenge to the use of an NIT raises issues requiring some background on communications between a website and its users. Websites exist on computers called `servers.’ A computer accessing the website is a `client’ computer. Website servers and their clients typically are not part of the same home or office computer network. Thus, communications between server and client require a connection between networks—a means of `internetworking’ (hence, the `internet’). This is accomplished by assigning internet protocol (`IP’) addresses, bundling communications into data `packets’ bearing source and destination IP addresses, and using specialized devices, `network nodes,’ to forward the data packets between networks. Each data packet has a `header’ containing the source IP address, the destination IP address, and other data needed to route the packet. Network nodes use those IP addresses to route the packet between the user's location and the website's location, which might be the other side of the world.

The process may be analogized to physical mail. Communications are bundled into an envelope or `packet,’ having a `header’ with source and destination addresses. The packet is forwarded among various `nodes,’ post offices and mail distribution centers, resulting, ultimately, in delivery to the intended recipient. By that analogy, to interact with a website is to engage in a correspondence with it. A closer analogy may be correspondence via telephone text messaging—an exchange of short messages across a communications network between persons using devices associated with unique numbers. The text message analogy illustrates IP addresses are subscriber numbers assigned by a service provider, like a telephone number, and not physical locations, like a mailing address. An internet service provider can provide subscriber information, including location information, regarding IP addresses, just as a telephone service provider may provide subscriber information regarding telephone numbers. (See Dkt. No. 47–1 ¶ 22.) The service provider responsible for a given IP address may be identified using publicly available information, again, just as a telephone company may be identified for a given telephone number. (Id.)

Finally, not all network addresses are used to route communications across the internet. Some addresses are local addresses valid for communications only within a single network or portion of a network. . . . These addresses again can be analogized with telephones, as number extensions on a shared line—persons in the same office can reach one another by dialing an extension, but outside persons must dial the number for main line and all outgoing calls display that number on `caller ID.’

A media access control address (`MAC address’) is a type of local address at issue in this case. A MAC address is assigned to a network interface, usually by the manufacturer, to identify devices on a network. Smith, supra, at 462–63; see also Azure Networks, LLC v. CSR PLC, 771 F.3d 1336, 1347 (Fed. Cir. 2014) (discussing MAC addresses). . . . MAC addresses generally are not transmitted over the internet, and websites generally cannot request (or “instruct”) a client to transmit its MAC address directly. Flickenger, supra, at 45. To obtain a client's MAC address, a website must somehow bypass the client's normal security measures.
U.S. v. Knowles, supra.
The Judge then takes up the issue of the Tor Network, explaining that
[n]ormally, law enforcement can review a website's IP address logs after they seize a website to determine which IP addresses visited the site. (See Dkt. No. 47–1 ¶ 22.) They can then search public information to determine which internet service provider owned a target IP address and issue a subpoena to that service provider for the identity of the user of that IP address. (Id.) Playpen users, however, concealed their IP addresses with Tor. (Dkt. No. 47–3 ¶ 7.) The Department of Defense designed Tor to protect government communications, but it is now free software available to the public. (Id.) The NIT search warrant affidavit describes Tor as masking users' IP addresses by “bouncing their communications around a distributed network of relay computers run by volunteers all around the world.” (Id. ¶ 8.) However, `bouncing . . . communications around a distributed network . . . all around the world’ describes most internet communications. More specifically, Tor utilizes `onion routing’ to make internet communications anonymous. (Tor is an acronym for `The Onion Router.’) In onion routing, packets are the core of layered cells or “onions.” Around that core are layers of encryption. Special software on the user's computer chooses a `circuit’ through the network of Tor servers, known as `onion routers.’ There are approximately seven thousand publicly listed routers and another two thousand unlisted routers (used to prevent service providers from blocking access to the Tor network). See Tor Metrics, The Tor Project, Inc., Each onion router decrypts a layer of the onion, receiving instruction on where next to relay it. No onion router knows how many routers are in the circuit, and only the last router in the circuit, the `exit node,’ knows its position in the circuit. When the onion leaves the exit node, it proceeds to its destination as any other internet traffic, but with the exit node's IP address rather than the actual sender's IP address.
U.S. v. Knowles, supra.  The opinion also notes that “Tor also allows websites, such as Playpen, to operate as a `hidden service.’”  U.S. v. Knowles, supra. 
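The layered routing the opinion describes can be traced in a short simulation. This is an added illustration, not part of the opinion or of the original post: the relay and client addresses and keys are constructed sample values, and the keystream cipher is a toy stand-in, not the cryptography Tor actually uses.

```python
import hashlib
import hmac
import json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 keystream); applying it twice decrypts.
    Illustration only, not the cryptography Tor uses."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def build_onion(circuit, dest_ip: str, payload: bytes) -> bytes:
    """Client side: wrap the payload in one layer per relay, exit layer first."""
    next_hop, body, is_exit = dest_ip, payload, True
    for relay_ip, key in reversed(circuit):
        layer = {"next": next_hop, "exit": is_exit, "body": body.hex()}
        body = xor_stream(key, json.dumps(layer).encode())
        next_hop, is_exit = relay_ip, False
    return body

def peel(key: bytes, cell: bytes):
    """Relay side: remove one layer and learn only where to forward the rest."""
    layer = json.loads(xor_stream(key, cell))
    return layer["next"], layer["exit"], bytes.fromhex(layer["body"])

def route(client_ip: str, circuit, dest_ip: str, payload: bytes):
    """Send one onion through the circuit and record what each relay can see."""
    cell = build_onion(circuit, dest_ip, payload)
    src, seen = client_ip, []
    for relay_ip, key in circuit:
        nxt, is_exit, cell = peel(key, cell)
        seen.append({"relay": relay_ip, "from": src, "to": nxt, "exit": is_exit})
        src = relay_ip  # the next hop sees this relay as the sender
    # What the website's server log would record for this request.
    return seen, {"source_ip": src, "payload": cell}

# Constructed sample values (documentation address ranges, made-up keys).
CLIENT = "198.51.100.7"
SITE = "203.0.113.80"
CIRCUIT = [("192.0.2.1", b"k-entry"), ("192.0.2.2", b"k-middle"),
           ("192.0.2.3", b"k-exit")]

if __name__ == "__main__":
    hops, delivered = route(CLIENT, CIRCUIT, SITE, b"GET /")
    for hop in hops:
        print(hop)
    print(delivered)
```

Only the first relay ever sees the client's address, and the website's log records the exit relay's address, which is why reviewing a seized site's IP logs did not identify Playpen users.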
For these and other reasons, the court denied Knowles’ motion to suppress. 
The opinion goes on to explain that
Playpen needed the anonymity Tor provides because it was `dedicated to the advertisement and distribution of child pornography, [and] the discussion of matters pertinent to child sexual abuse.’ (Id. ¶ 6.) The website's home page displayed an image of two partially clothed prepubescent females with their legs spread apart. (Id. ¶ 12.) That page prompted users either to register an account or to login using an existing username and password. (Id.) . . . The message also stated, `This website is not able to see your IP address and can not [sic] collect or send any other form of information to your computer except what you expressly upload.’ (Id.)

After logging in, users saw a page listing discussion boards for images, videos, or text related to child pornography, including `Preteen Photos,’ `Pre-teen Videos,’ `Pre-Teen Photos,’ `Family—Incest’ and `Toddlers.’ (Id. ¶ 14.) . . . Over 1,500 unique users visited Playpen daily and over 11,000 unique users visited the site over the course of a week. (Id. ¶ 19.) By March 2015, Playpen contained a total of 117,773 posts, 10,622 total topics, and 214,898 total members. (Dkt. No. 47–1 ¶ 12.)

In December 2014, a foreign law enforcement agency informed the FBI it suspected a United States-based IP address was associated with Playpen. (Dkt. No. 47–3 ¶ 28.) The FBI determined the subject IP address was owned by a server hosting company headquartered in North Carolina.  (Id.; Dkt. No. 59 at 2.) The FBI subsequently obtained a search warrant for the server. (Dkt. No. 47–3 ¶ 28.) FBI agents examined the server and determined it contained a copy of Playpen. They then stored the copy of the website on a computer server at a government facility in Newington, Virginia. Newington is located in the Eastern District of Virginia. (Id.) Additional investigation revealed a Florida resident controlled Playpen. (Id.) On February 19, 2015, FBI personnel executed a court-authorized search of the administrator's residence in Florida. (Id. ¶ 30.) The FBI arrested the suspect and assumed control of Playpen. (Id.)
U.S. v. Knowles, supra. 
The opinion then takes up the Network Investigative Technique, explaining that on
February 20, 2015, Special Agent Douglas Macfarlane applied to a United States Magistrate Judge in the Eastern District of Virginia for a search warrant to use an NIT with Playpen (the `NIT search warrant’). . . . In the warrant application, Agent Macfarlane stated the NIT was necessary to overcome the anonymity Tor provides. . . . The warrant application sought operating system, computer name, and MAC address information to enable identification of a specific computer within a household sharing an IP address, and possibly identification of a specific user of a shared computer. Hr'g Tr. 27:19–30:11. United States v. Matish, Crim. No. 4:16–16 (E.D. Va. May 19, 2016), Dkt. No. 61.

The warrant provided that the NIT would activate `each time that any user or administrator log[ged] into Playpen by entering a username and password.’ (Dkt. No. 47–3 ¶ 36.) However, in practice the FBI configured the NIT to activate only when a user accessed certain posts within Playpen. Hr'g Tr. 20:19–25, Matish, Crim. No. 4:16–16, Dkt. No. 61. . . . The NIT did not activate when a user reached Playpen's home page, created an account, or logged into that account. . . . To activate the NIT, a user actually had to access child pornography. See, e.g., Hr'g Tr. 27:19–30:11, Matish, Crim. No. 4:16–16, Dkt. No. 61. . . . Once activated, the NIT caused the “activating computer—wherever located—to send to a computer controlled by or known to the government network level messages containing information that may assist in identifying the computer, its location, other information about the computer and the user of the computer.” (Dkt. No. 47–3 ¶ 46.) The FBI could then link a username and its corresponding activity on the site with an IP address. (Id. ¶ 37.) As explained above, IP addresses can be used to determine location, and other information gathered by the NIT, such as a local computer account name and MAC address, can link a particular computer found at a location to a Playpen user. . . .
U.S. v. Knowles, supra. 
I cannot include all of the information in the opinion because it is very long. If you would like to request a copy of the entire opinion, you can contact U.S. District Court Judge Gergel via this website:
Getting back to the opinion, it then explains that the
FBI used the NIT to, among other things, trace Knowles’ use of the Playpen system, which led to agents’ executing a search warrant at his residence, which apparently turned up evidence that was used to indict Knowles.  U.S. v. Knowles, supra.  After he was indicted, he filed a motion to suppress “evidence seized pursuant to the search warrant of February 20, 2015, which authorized use of the NIT.” U.S. v. Knowles, supra.  Like most motions to suppress, this one argued that the FBI agents violated the 4th Amendment in their investigation of Knowles’ use of the site. U.S. v. Knowles, supra.
The District Court Judge began his analysis of the motion to suppress, and of the prosecutors’ argument that it should not be granted, by explaining that
[t]he Fourth Amendment protects `[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.’ U.S. Const. amend. IV. All warrants must `(1) be issued by a neutral and detached magistrate, (2) contain a particular description of the place to be searched, and the person or things to be seized, and (3) be based upon probable cause, supported by Oath or affirmation.’ United States v. Clyburn, 24 F.3d 613, 617 (U.S. Court of Appeals for the 4th Circuit 1994). Evidence seized pursuant to a warrant lacking one of those requirements may be suppressed. However, `[s]uppression of evidence . . . has always been [the court's] last resort, not [the court's] first impulse.’ Hudson v. Michigan, 547 U.S. 586 (2006). Because the consequences of suppression are dire, a defendant urging suppression carries a heavy burden. See Hudson v. Michigan, supra. Suppression is limited to cases in which its deterrent effect against law enforcement's misconduct outweighs the costs inherent in barring evidence that law enforcement expended great resources to obtain. See Penn. Bd. of Prob. & Parole v. Scott, 524 U.S. 357 (1998). . . .  
U.S. v. Knowles, supra. 
The court went on to explain that
Defendant argues the NIT search warrant does not contain a particular description of the place to be searched, because the location of Defendant's computer was unknown when the warrant issued, and so violates the Fourth Amendment. (Dkt. No. 47 at 13–14.) Defendant also argues the NIT search warrant's issuance in Virginia violates Rule 41(d) in a manner requiring suppression, (1) because it was void ab initio because it exceeded the magistrate judge's authority under the Federal Magistrates Act, (2) because the violation prejudiced Defendant, and/or (3) because law enforcement acted in bad faith or with deliberate disregard of Rule 41 when obtaining the warrant. (Id. 5–11.) He moves to suppress evidence seized from his home, because the probable cause supporting the warrant for that search was a fruit of the NIT search warrant.

Many federal courts have addressed the NIT search warrant at issue here. Courts generally find the magistrate judge in Virginia lacked authority to issue the NIT search warrant without finding suppression to be appropriate. 
U.S. v. Knowles, supra. 
The judge went on to point out that a Fourth Amendment “search” takes place
when `the person invoking its protection can claim a “justifiable,” a “reasonable,” or a “legitimate expectation of privacy” that has been invaded by government action.’ Smith v. Maryland, 442 U.S. 735 (1979). There are two components to a reasonable expectation of privacy: `first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as “reasonable.”’ Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring). Defendant claims the NIT violated his Fourth Amendment rights. He must therefore demonstrate that the NIT violated a subjective expectation of privacy and that society is prepared to recognize that expectation as reasonable. Smith v. Maryland, supra.

The NIT retrieved several types of information from Defendant's computer. (See Dkt. No. 47–3 ¶¶ 34.) The most important information retrieved from Defendant's computer was his IP address, which informed authorities of Defendant's location and led to the search that Defendant wishes suppressed. The government contends Defendant had no reasonable expectation of privacy in his IP address. (Dkt. No. 59 at 14–15.) Courts uniformly hold there is no reasonable expectation of privacy in an IP address, a number assigned Defendant by his service provider, which he voluntarily provided to third parties every time he used the internet. See United States v. Laurita, Crim. No. 8:13–107, 2016 WL 4179365, at *5 (D. Neb. Aug. 5, 2016); see also United States v. Bynum, 604 F.3d 161, 164 (4th Cir. 2010) . . . . But the IP address was not the only information the NIT retrieved from Defendant's computer. It also retrieved his MAC address, local computer operating system information, and local computer operating system login username. (Dkt. No. 47–3 ¶ 34.) The Government needed that information to identify Defendant as the person accessing Playpen under the user name mim878. See Hr'g Tr. 27:19–30:11, Matish, Crim. No. 4:16–16, Dkt. No. 61. To obtain that information, the NIT surreptitiously placed code on Defendant's personal computer that extracted the information. (See Dkt. No. 47–3 ¶¶ 33–34.) Thus, the relevant inquiry is whether Defendant has a reasonable expectation of privacy in the contents of his personal computer, which was located in his home, not whether he has a reasonable expectation of privacy in his IP address.
U.S. v. Knowles, supra. 
The opinion then explains that individuals
generally have a reasonable expectation of privacy in the contents of their home computers. See United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004). . . . The Court is aware of no authority holding persons have no reasonable expectation of privacy in their personal computers located within their homes. . . .

The NIT `downloaded’ surreptitiously to Defendant's computer to search his computer for personally identifying information not routinely disclosed over the internet. That is a search within the meaning of the Fourth Amendment. . . .

There is little doubt that had law enforcement officers obtained Defendant's IP address from a non-Tor-based server and issued a subpoena to the ISP to determine Defendant's physical address, a motion to suppress the information obtained from the ISP would be without merit. However, Defendant's IP address was discovered only after property residing within Defendant's home—his computer—was searched by the NIT. . . .
U.S. v. Knowles, supra. 
The court went on to find that the NIT search warrant complied with the
Fourth Amendment's requirements of probable cause and particularity. See U.S. Const. amend. IV (providing `no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized’). The application for the NIT search warrant provided substantial probable cause for the warrant to issue by describing overwhelming evidence Playpen was used to host and exchange child pornography. . . . All courts analyzing the NIT search warrant have found it supported by probable cause. . . .

Defendant's constitutional challenge to the NIT search warrant is that it `failed to comply with the Fourth Amendment's particularity requirements.’ (Dkt. No. 47 at 13.) The Court finds no merit in that argument. As the U.S. District Court for the Northern District of California noted in U.S. v. Henderson, 2016 WL 4549108 (N.D. Cal. Sept. 1, 2016), the warrant provides the NIT will
`obtain[ ] information . . . from the activating computers,’ that are “those of any user or administrator who logs onto [Playpen] by entering a username and password.” NIT Warrant, Attachment A. This description is sufficiently particular because it is limited only to individuals that log onto the Playpen website using a username and password. Because of the structure of the Tor network, only individuals actively attempting to access the Playpen website, with sufficient knowledge of the website and its contents, are able to access it. The Warrant is sufficiently particular as it specifies that the NIT search applies only to computers of users accessing the website, a group that is necessarily actively attempting to access child pornography.
U.S. v. Knowles, supra. 
The opinion also noted that
[t]his Court agrees: A search warrant seeking an address from any computer that deliberately logs into a hidden, illegal website hosted on a particular server is sufficiently particular. . . . The point of the NIT search warrant was to learn the location of computers accessing Playpen. If the Government knew Defendant's computer was in South Carolina, no NIT search warrant regarding this Defendant would have issued because the Government would not have needed one. Moreover, the Supreme Court has squarely rejected Defendant's argument. . .
U.S. v. Knowles, supra. 
Finally, the Judge found that suppressing the evidence gathered by the NIT was
inappropriate for several separate and independent reasons. The search warrant was not void ab initio, as Defendant argues. Rather, it was a valid search warrant, at least in the Eastern District of Virginia, that satisfied all Fourth Amendment requirements. Even if that were not the case, the Government relied upon its validity in good faith. Even if the Government had learned Defendant was in South Carolina, exigent circumstances would have justified the NIT search without first obtaining a warrant in South Carolina. Finally, the ministerial violation of Rule 41 that occurred in this case does not justify the exclusion of evidence seized on probable cause and with advance judicial approval, because the Government did not intentionally disregard the rule and because the violation did not prejudice Defendant.
U.S. v. Knowles, supra. 
The court’s reference to a violation of Rule 41 of the Federal Rules of Criminal Procedure deals with a related, but distinct, issue. As Wikipedia explains, the 
Federal Rules of Criminal Procedure are the procedural rules that govern how federal criminal prosecutions are conducted in United States district courts and the general trial courts of the U.S. government. 
Even if the collection of evidence at issue in this case violated the provisions of Rule 41, which operationalize the requirements of the Fourth Amendment, the court found that a violation or violations of Rule 41 would not justify suppressing evidence. As Wikipedia explains, the exclusionary rule is only used to enforce individuals’ Constitutional rights.
