United States District Court, E.D. North Carolina, Western Division
LOUISE W. FLANAGAN, District Judge.
This matter comes before the court on three motions of defendant Nikhil Nilesh Shah to suppress evidence obtained in violation of defendant's Fourth and Fifth Amendment rights (DE 23, 24, 25). The government timely filed a response in opposition to defendant's motions, to which defendant replied. The issues raised are ripe for ruling. For the reasons that follow, the court denies defendant's motions.
STATEMENT OF THE CASE
On December 17, 2013, a grand jury returned a one-count indictment charging defendant with intentional damage to a protected computer, in violation of 18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B)(i), and 1030(c)(4)(A)(i)(I). After a period of discovery, defendant filed the instant motions to suppress on June 30, 2014.
Defendant asserts that the government violated his Fourth Amendment rights when it acquired "cell phone location evidence" for AT&T Wireless telephone numbers associated with defendant, along with "user location information" obtained from Facebook, Inc. ("Facebook"). (Mot. To Suppress Tracking Data, 13) (DE 25). Defendant also asserts Fourth Amendment violations based upon government seizure of email communications and associated data from Google, Inc. ("Google"). (DE 24). Finally, defendant asserts that government agents violated his Fifth Amendment rights by confronting him with evidence after he had requested an attorney. (DE 23).
The government filed a combined response in opposition to defendant's three suppression motions on August 30, 2014. The government argues that defendant has no reasonable expectation of privacy in the information obtained from AT&T Wireless and Facebook because the records are business records created and held by the respective service providers. As to defendant's motion regarding emails and associated information obtained from Google, the government argues that the search warrant for this information ("Google Warrant") complied with the Fourth Amendment because it was supported by probable cause, and particularly described the information to be searched and the procedure for seizure. Alternatively, if the court finds that the challenged evidence was obtained in violation of defendant's Fourth Amendment rights, suppression should not be ordered, it argues, because the government reasonably relied in good faith on the Stored Communications Act ("SCA"), 18 U.S.C. §§ 2701, et seq., and upon orders from a magistrate judge issued pursuant to § 2703(d). Finally, the government responds to defendant's motion seeking suppression of evidence generated during his arrest that it will not attempt to offer into evidence any of the statements or conduct discussed in defendant's motion to suppress on Fifth Amendment grounds, rendering that motion moot. Defendant's reply, filed September 4, 2014, after seeking leave, concentrates on the government's stated opposition to his motion to suppress tracking data obtained without a warrant.
The complexity of issues presented has necessitated a more extended period of time for the court's decision making. Arraignment and trial was continued in this case until no sooner than 45 days after disposition of the instant motions. In accordance with the court's order entered July 30, 2014, the clerk now will set the matter for arraignment and trial at the court's next regular criminal term no sooner than 45 days from date of entry of this order.
Defendant was formerly an Information Technology Manager at Smart Online, Inc. ("SOLN"), a mobile application development company in Durham, North Carolina. On June 28, 2012, after defendant was no longer a SOLN employee, an intruder accessed the SOLN computer network and caused significant damage. On June 29, 2012, SOLN and the Durham Police Department initiated an investigation, which was later joined by the FBI. As part of the investigation, the FBI filed an application for a search warrant targeting the electronic mail address email@example.com. The Google Warrant issued from a magistrate judge on November 5, 2012.
The Google Warrant references Attachment A as the "the property to be searched." (Google Warrant, at 2) (DE 24-1.) Attachment A provides that the warrant applies to "information associated with SHAHNN28@GMAIL.COM that is stored on premises controlled by Google, Inc." (Id. at 4). For the "property to be seized, " the affidavit references Attachment B. Section I of Attachment B details particular items of "Information to be disclosed by Google, " including:
a. The contents of all e-mails stored in the account, including copies of e-mails sent to and from the account, draft e-mails, the source and destination addresses associated with each e-mail, the date and time at which each e-mail was sent, and the size and length of each e-mail;
b. All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the types of service utilized, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative e-mail addresses provided during registration, methods of connecting, log files, and means and source of payment (including any credit or bank account number);
c. All records or other information stored by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, Google search history, and files;
d. All records pertaining to communications between including [sic] contacts with support services and records of actions taken.
(Google Warrant, 5-6). Section II of Attachment B specified that the information "to be seized by the government" would include
[a]ll information described above in Section I that constitutes fruits, evidence, and instrumentalities of Title 18, United States Code, Sections 1030 (Fraud and Related Activity in Connection with Computers), since account inception, including, for each account or identifier listed on Attachment A, information pertaining to the following matters:
a. Preparatory steps taken in furtherance of unauthorized network activity, communications regarding execution of the unauthorized network activity, and information regarding tools used in furtherance of the unauthorized network activity.
b. Records relating to who created, used, or communicated with the account or identifier, including records about their identities and whereabouts.
(Id. at 6).
As alleged by defendant, agents used the Google Warrant to obtain "over 1GB [gigabyte] of data associated with the firstname.lastname@example.org [account], including emails, chats, and other information spanning from roughly March 6, 2007 through November of 2012." (Mot. To Suppress Email and Related Evidence, 3) (DE 24). According to the government, the data "revealed that on June 29, 2012 at 4:46 PM, [defendant] sent himself an e-mail ("June 29 Email") to email@example.com from firstname.lastname@example.org with no subject line that contained three website links related to Cisco ASA VPN and PIX firewall configurations." (Gov. Resp., 8) (DE 35). These firewall configurations were used by SOLN in its network infrastructure. The links in the June 29 Email directed to web pages that discuss security settings for these devices. Furthermore, the Internet Protocol (IP) address associated with the June 29 Email was also identified as connecting to the SOLN network. The IP address had also been used previously to send emails to SOLN employees. The government determined that the IP address was geographically located in Holly Springs, North Carolina, the city of defendant's residence at the time of the intrusion.
The government also alleges that, although defendant contacted SOLN employees on June 28 and June 29, 2012, to report receiving security alerts regarding the SOLN network, a review of the email account shows that he never received any such alerts. Furthermore, chat sessions stored in the email account revealed that defendant had boasted of having access to the SOLN network and of performing the June 28, 2012 intrusion.
Subsequent to obtaining the Google Warrant, the government submitted two applications pursuant to Section 2703(d) of the SCA. On February 25, 2013, the magistrate judge issued an order requiring AT&T Wireless to disclose "[a]ll records and other information (not including the contents of communications) relating to the [referenced] [a]ccount, " including "[r]ecords of user activity for each connection made to or from the account[;]... [i]nformation about each communication sent or received by the [a]ccount, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers)" and "[a]ll data about which cell towers' i.e. antenna towers covering specific geographic areas) and sectors' (i.e., faces of the towers, received a radio signal from each cellular telephone or device assigned to the Account." (AT&T Wireless Order, at 5) (DE 26-1). The AT&T Wireless Order specified that the time period for this information would span from June 1, 2012 through February 12, 2013.
Agents obtained from AT&T Wireless records that were created and maintained when the cell phone associated with the accounts transmitted a signal to a cell tower to connect communications. Defendant alleges that "[t]he information produced by AT&T allowed the government to pinpoint the geographic location of [defendant's] cell phone for over half a year." (Mot. To Suppress Tracking Data, 2). The government's response suggests the information revealed that defendant exchanged text messages with a SOLN employee around the time of the network intrusion. A cell phone tower located close to defendant's Holly Springs residence facilitated these communications.
Nearly a month later, on March 19, 2013, pursuant to another Section 2703(d) request from the government, the magistrate judge issued an order for records from Facebook, Inc. ("Facebook Order") (DE 26-2). The order directed Facebook to provide "[a]ll records and other information (not including the contents of communications relating to the [referenced] Account." (Id. at 4-5). It specifically provided for disclosure of information concerning the account holder's IP addresses, times of connections made to Facebook, times of communications sent or received by the account, and the source and destination of IP addresses. (Id. at 5). As in the AT&T Wireless Order, the information spanned from June 1, 2012 to February 12, 2013. Information provided by Facebook pursuant to the order includes the account holder's IP addresses, the time of the account holder's Facebook activity, a general description of the type of Facebook interaction or activity performed (e.g. "Login" or "Session updated"), and the account holder's city, region, and country at the time of the activity. The government provides sample pages of Facebook's response at Exh. 3. (Gov. Resp., Exh. 3) (DE 35-3).
In both the AT&T Order and the Facebook Order, the magistrate judge found that the government had "offered specific and articulable facts showing that there are reasonable grounds to believe that the records or other information sought are relevant and material to an ongoing investigation." (AT&T Wireless Order at 2; Facebook Order at 2).
Defendant was arrested in New Jersey on January 8, 2014, by agents from the FBI. According to an investigative report dated January 15, 2014, defendant "immediately requested his attorney be present during any subsequent questioning." (Investigative Report Pertaining to the Arrest and Interview of Nikhil N. Shah, at 2) (DE 23-1). Agents transported defendant from his residence to the Newark, New Jersey FBI building, where he was placed in an interview room. Agents proceeded to review the evidence against defendant. In response, defendant provided agents with allegedly incriminating conduct and statements.
A. Motion to Suppress Location Data Obtained Without a Warrant (DE 25)
Defendant argues that the government's warrantless acquisition of records from AT&T and Facebook violated his Fourth Amendment rights. Although defendant seeks suppression of "all information obtained by the government pursuant to 18 U.S.C. § 2703(d) without the issuance of a warrant supported by probable cause, " (Mot. To Suppress Tracking Data, 1) his arguments focus on data that revealed his geographic location at particular times. (See Id., 13) (concluding that, "because the cell phone location evidence from AT&T and the user location information from Facebook was obtained in violation of [defendant's] Fourth Amendment rights, suppression of all location tracking evidence obtained by the government pursuant to 18 U.S.C. § 2703(d) should be ordered.") (emphasis added).
The records at issue were obtained pursuant to the SCA, 18 U.S.C. §§ 2703(c)(1) and (d). Section 2703(c)(1) states that the government "may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service" under specified circumstances. 18 U.S.C. § 2703(c)(1). These circumstances include when the government obtains a warrant, when the subscriber or customer has given his or her consent, or, as is the case for the location data obtained here, when the government "obtains a court order for such disclosure under subsection (d) of this section, " (i.e. section ...