Monday, June 19, 2017

The Network Investigative Technique, the Search Warrant and the Exclusionary Rule

This post examines an opinion from the U.S. District Court for the Northern District of Texas – Dallas Division: U.S. v. Pawlak, 2017 WL 661371 (2017). The District Court Judge who has the case began the opinion by explaining that
[t]he instant motions to suppress and dismiss the indictment challenge the Federal Bureau of Investigation's (`FBI's’) seizure of a computer server that hosted a child pornography website called `Playpen,’ and the FBI's ensuing operation of the website on a government server. 
U.S. v. Pawlak, supra.
The opinion goes on to explain that
[t]he facts of this case that are material to the court's decision are undisputed.2 In early 2015, acting on a tip from a foreign law enforcement agency, the FBI located and seized a computer server that contained a child pornography website called Playpen. Playpen existed as a hidden website on the Tor Network, also known as the dark web. Through sophisticated encryption, the Tor Network anonymizes and actively conceals identifying information about website users, including a user's true Internet Protocol (`IP’) address. To access Playpen, it was necessary for users to know the website's address on the Tor Network. Users could not, for example, stumble upon Playpen while browsing the Internet. Once on the Playpen website, users logged in with dedicated usernames and passwords. Playpen offered users various forums for different child pornography topics, including `Incest’ and `Toddlers.’ Inside each forum were discussion posts, images, and videos related to the particular topic.

Because the Tor Network anonymizes its users, the FBI could not uncover who was operating or accessing the Playpen website through normal investigative techniques. The FBI devised a plan to investigate Playpen's users, who would normally be untraceable. The plan called for the FBI to copy the Playpen server and continue to operate the Playpen website on the FBI server. While operating the website, the FBI would use a network investigative technique (`NIT’) that allowed it to retrieve information from the computers of the persons who logged in to the Playpen website. The NIT—computer code developed by the FBI—would be attached to various files uploaded to Playpen. When the website user downloaded a file, the NIT would force the user's computer to send to the FBI the user's actual IP address and other identifying information. With the actual IP address, the FBI could identify and locate the user.
U.S. v. Pawlak, supra.
The judge goes on to explain that
[a]cting according to the plan, the FBI copied the Playpen server and brought it to a government facility located in the Eastern District of Virginia. On February 20, 2015 the FBI applied for and obtained from a United States Magistrate Judge of the Eastern District of Virginia a search warrant (the `NIT Warrant]) authorizing the FBI to deploy the NIT program for a period of up to 30 days. The FBI also obtained from a United States District Judge a Title III order authorizing the FBI to intercept private messages and private chats in real time on the Playpen website. But the government acknowledges that Pawlak's username did not engage in private messages or chats during the period of time the FBI monitored communications under the Title III order.

On or about March 4, 2015, Pawlak accessed the Internet from his residence using a laptop computer that his employer, Sigma Cubed, had issued. Using the Tor Network, he logged in to the Playpen website and clicked on a post entitled, `My daughter 5yo-photo 2015.’ As the content from this post downloaded onto the laptop, the NIT computer code was sent automatically. The NIT relayed Pawlak's IP address and other information back to the FBI in the Eastern District of Virginia.

Based on this information, the FBI issued a subpoena to AT & T, the Internet service provider connected with Pawlak's IP address, and learned that Pawlak's wife was the account holder associated with the address. The FBI obtained a warrant to search Pawlak's residence, but it did not find computers containing child pornography. While executing the warrant, agents called Pawlak's wife's cell phone, and Pawlak answered. He volunteered the details of how he accessed and viewed child pornography. Thereafter, the FBI contacted Pawlak's current employer, Independence Oil Field Chemicals, and his previous employer, Sigma Cubed, to request access to the work computers issued to him. The companies granted permission, and upon searching these computers, the FBI found hundreds of images of child pornography.
U.S. v. Pawlak, supra.
The opinion then explains how this prosecution arose:
The grand jury later indicted Pawlak for the offenses of receipt of child pornography, in violation of 18 U.S. Code §2252A(a)(2)(A), and possession of child pornography involving a prepubescent minor, in violation of 18 U.S. Code § 2252A(a)(5)(B). Pawlak moves to suppress all information obtained by the NIT that was authorized pursuant to the application for Title III interception on or about February 20, 2015 in the Eastern District of Virginia and the application for the search of computers that access the Playpen website on or about February 20, 2015. He also moves to dismiss the indictment. The government opposes both motions.
U.S. v. Pawlak, supra.  This post only examines the argument Pawlak made in his motion to suppress, which was the issue the Judge addressed first.
The opinion explains that Pawlak moved to suppress the evidence “hat he alleges was collected in violation of the Fourth Amendment.” U.S. v. Pawlak, supra.  The Judge went on to explain that the
general rule under the Fourth Amendment is that searches of private property are reasonable if conducted pursuant to a valid warrant issued upon probable cause.  See, e.g., Katzv. United States, 389 U.S. 347, 357(1967). `A defendant normally bears the burden of proving by a preponderance of the evidence that the challenged search or seizure was unconstitutional.’ United States v. Waldrop, 404 F.3d 365, 368 (U.S. Court of Appeals for the 5th Circuit 2005) (citing United States v. Guerrero–Barajas, 240 F.3d 428, 432 (5th Cir. 2001)). `The exclusionary rule prohibits introduction at trial of evidence obtained as the result of an illegal search or seizure' United States v. Runyan, 275 F.3d 449, 466 (5th Cir. 2001). The exclusionary rule also `encompass[es] evidence that is the indirect product or ‘fruit’ of unlawful police conduct.’ Id. (citing Wong Sun v. United States, 371 U.S. 471, 488 (1963)).
U.S. v. Pawlak, supra. 
The judge then began his analysis of Pawlak’s argument that the search violated the Fourth Amendment:
The court considers first the legality of the search. Pawlak contends that the search was unlawful because it exceeded the scope of the NIT Warrant. Pawlak maintains that the warrant `states that the property to be seized—the data including the identifiers from the Activating Computers—was . . . located in the Eastern District of Virginia,’ and authorized a search only of `one FBI computer server located in the Eastern District of Virginia hosting child pornography.’D. Br. 13–14. This is a mischaracterization of the NIT Warrant.

The NIT Warrant includes a standard court form that incorporates Attachments A and B. Although the form states that the property is located in the Eastern District of Virginia, it also specifically cites, and implicitly incorporates, Attachments A and B. Attachment A, entitled `Place to be Searched,’ provides that the NIT warrant authorizes the use of an NIT to be deployed on the computer server described in Attachment A to obtain information described in Attachment B from the activating computers described in Attachment A. Attachment A identifies the computer server as `the server operating the Tor network child pornography website referred to herein as the TARGET WEBSITE, as identified by its URL [website redacted by the court] which will be located at a government facility in the Eastern District of Virginia.` Gov't Br. Attach. A at 4. Attachment A identifies the `[t]he activating computers’ as “those of any user or administrator who logs into the TARGET WEBSITE by entering a username and password.’ Id. Attachment B, entitled `Information to be Seized,’ provides that specific information is to be seized `[f]rom any ‘activating’ computer described in Attachment A.’ Gov't Br. Attach. B at 5. The NIT Warrant therefore authorizes the search and seizure of the server operating the Tor Network child pornography website, which is located at a government facility in the Eastern District of Virginia, and the activating  , wherever located. It is not limited in scope to one FBI computer server located in the Eastern District of Virginia.
U.S. v. Pawlak, supra. 
The District Judge then takes up yet another Fourth Amendment argument Pawlak made in his appeal, i.e., “Pawlak also challenges the validity of the NIT Warrant on the ground that it was an improper general warrant.” U.S. v. Pawlak, supra.  The District Court Judge began his analysis of this argument by explaining that
`[u]nder the Fourth Amendment, `no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.’ U.S. Const. amend. IV. `Because indiscriminate searches and seizures conducted under the authority of ‘general warrants' were the immediate evils that motivated the framing and adoption of the Fourth Amendment, that Amendment requires that the scope of every authorized search be particularly described.’ Walter v. United States, 447 U.S. 649, 657, 100 S.Ct. 2395, 65 L.Ed.2d 410 (1980) (internal quotation marks and citation omitted). `The requirement that warrants shall particularly describe the things to be seized makes general searches under them impossible and prevents the seizure of one thing under a warrant describing another.’ Marron v. United States, 275 U.S. 192, 196 (1927).

In other words, the Fourth Amendment proscribes `issuance of general warrants allowing officials to burrow through a person's possessions looking for any evidence of a crime.’ United States v. Kimbrough, 69 F.3d 723, 727 (5th Cir. 1995) (citing  Andresenv. Maryland, 427 U.S. 463, 480 (1976)). For example, in United States v. Quinlan, 149 F.3d 1179  (5th Cir. 1998) (per curiam) (unpublished table decision), the panel held that a warrant was general where it authorized seizure of `property that constitutes evidence of the commission of a criminal offense and/or contraband, the fruits of a crime, and/or things criminally possessed.’ Id. at *1.
U.S. v. Pawlak, supra. 
The judge then began winding up his analysis of this particular argument, explaining that
Pawlak contends that the NIT Warrant was a general warrant because it `did not specify or identify any particular Activating Computer or router/modem the Government wished to search.’ D. Br. 15. The NIT Warrant identified the `Place to be Searched’ as the computer server operating the Tor network child pornography website, to be located at a government facility in the Eastern District of Virginia, and `activating computers,’ that is, computers `of any user or administrator who logs into the [Playpen website] by entering a username and password.’ Gov't Br. Attach. A at 4. Under the heading `Information to be Seized,’ the NIT Warrant authorized the seizure of seven specific categories of information, including `the “activating” computer's actual IP address.] Id. at 5.

The court concludes that the NIT Warrant was not a general warrant. The NIT Warrant limited the search to only the host server for the Playpen website, to be located at a government facility in the Eastern District of Virginia, and to defined `activating computers,’ that is, computers `of any user or administrator who logs into [the Playpen website] by entering a username and password.’ Gov't Br. Attach. A at 4. Because the magistrate judge found that the information to be seized from the server and activating computers would be evidence of multiple violations of federal child pornography laws, the warrant was not broader than necessary to uncover evidence of criminal activity. See, e.g. ,United States v. Matish, 193 F.Supp.3d 585, 609 (E.D. Va. 2016) (`[T]here existed a fair probability that anyone accessing Playpen possessed the intent to view and trade child pornography.’).
U.S. v. Pawlak, supra. 
For these and other reasons, the court denied Pawlak’s motion to suppress. U.S. v. Pawlak, supra. 

No comments: