United States District Court, E.D. North Carolina, Western Division
ORDER
LOUISE W. FLANAGAN United States District Judge
This matter is before the court on defendant's motion to
suppress certain evidence allegedly obtained in violation of
the Fourth Amendment to the United States Constitution and
Rule 41 of the Federal Rules of Criminal Procedure. (DE 21).
For the reasons that follow, defendant's motion is
denied.
BACKGROUND
August 23, 2016, a grand jury returned an indictment charging
defendant with 10 counts of manufacturing child pornography,
in violation of 18 U.S.C. § 2251 (a) & (e), 10
counts of receiving child pornography, in violation of 18
U.S.C. § 2252(a)(2), and one count of possession of
child pornography, in violation of 18 U.S.C. §
2252(a)(4)(B).
November 7, 2016, defendant filed the instant motion to suppress.
Defendant moves to suppress all evidence seized
electronically from defendant's home computer February
20, 2015, through a computer forensic tool the Federal Bureau
of Investigation (“FBI”) terms a network
investigative technique (“NIT”), described in
detail below. Additionally, defendant moves to suppress
fruits of that search including computer equipment seized
from defendant's home October 29, 2015, and electronic
data found therein.
In support of his motion, defendant asserts that the government
violated his rights under the Fourth Amendment and Rule 41 of
the Federal Rules of Criminal Procedure when it deployed the
NIT pursuant to an allegedly invalid search warrant issued
February 20, 2015, by a magistrate judge sitting in the
Eastern District of Virginia. Defendant contends the warrant
was unsupported by probable cause, constituted an
anticipatory warrant that never properly was triggered,
violated the Fourth Amendment particularity requirement, and
issued in violation of Rule 41.
STATEMENT OF FACTS
Facts pertinent to the instant motion may be summarized as follows.
Prior to February 20, 2015, a resident of Naples, Florida
(“Playpen's administrator”) began operating a
website known as “Playpen,” which constituted an
online message board that hosted illicit images and videos
and enabled users to share child pornography. Additionally,
Playpen contained information about how to maintain anonymity
while engaged in conduct related to child pornography,
including advice about online privacy and guidance for
handling child victims.
Playpen's administrator took extensive security measures to evade law
enforcement and to protect users' anonymity. In
particular, Playpen was inaccessible to ordinary internet
users. Playpen was accessible only through “the onion
router” (“Tor”), which is a system that
appears to users as a standard internet browser but is
designed to conceal users' internet protocol
(“IP”) addresses and other identifying
information. Tor achieves this result by routing online
communications through numerous connected computers
(“nodes”). This process creates the appearance
that the last node in the chain (“exit node”) is
the only other party to a communication.
In reality, the nodes are unable to access the content of a
communication transmitted through Tor, nor is it possible for
an observer to retrace the steps in the chain to determine
the IP address of the computer that initiates communication
(“activating computer”).
One court has offered the following useful analogy to describe
the process by which Tor conceals users' identities:
Imagine that “John receives a locked box, for which he
has the key. He opens it, finding within another locked box,
labeled “Jane.” He does not have the key for
Jane's box, so he mails the box to Jane. Jane has the key
and within she finds a locked box labeled “Jack.”
She does not have the key for Jack's box, so she mails it
to Jack. Jack likewise opens his box, finds within a locked
box labeled ‘Jill,' and mails that box to Jill.
Jill opens her box to find an envelope bearing a website's
address. She writes her own address as the return address and
mails the letter. This process is reversible, so information
from a website can return through the Tor network to the end
user. Nor does John, Jane, Jack, or Jill know who is
communicating with whom.”
United States v. Knowles, No. 15-cr-875, 2016 WL
6952109, at *1, *5 (D.S.C. Nov. 28, 2016). By this process, a
website's host knows the IP address only of the exit
node, i.e., the return address of the last letter in the
illustration above. Additionally, because each node sends no
information about the complete return path, it is impossible
to identify the activating computer simply by controlling a
website accessed through Tor.
Beginning December 2014, Playpen's administrator inadvertently made
Playpen available on the open (non-Tor) internet for a number
of days. During this time, the FBI was able to locate
Playpen's servers, seize them, and move the servers to a
location within the Eastern District of Virginia. The Tor
network would have made it impossible to identify
Playpen's users absent special methods.
To address this problem, the FBI obtained a warrant (“NIT
warrant”) from a magistrate judge in the Eastern
District of Virginia that permitted the FBI to continue
operating Playpen for 30 days.
The warrant also permitted the FBI during that time to deploy its
NIT directed to the computer of any user who entered a
username and password to log into Playpen. Nothing in the
record discloses the NIT's full capabilities, but, at a
minimum, the NIT is capable of installing itself on a
target's computer, running covertly in the background,
and causing a user's computer to send directly to the FBI
information that is normally concealed by Tor. In this case,
the warrant authorized the FBI to gather information
consisting of
• the IP address for any activating computer that logged
into Playpen;
• a unique identifier generated by the NIT to
distinguish data received from each activating computer;
• the type of operating system running on each
activating computer;
• information indicating whether the NIT already had
been installed on an activating computer;
• the host name for each activating computer, which is a
unique set of characters that serves to identify computers
connected to a network;
• the operating system username active on each
activating computer; and
• the media access control address (“MAC
address”) for each activating computer, which is
another set of characters that is designed to identify
uniquely certain equipment used to facilitate communication
over an electronic network.
(DE 21-3 at 25-26). The NIT warrant set forth no limitation
on the number of computers on which the NIT was to be
installed. The NIT warrant authorized the FBI to deploy the
NIT against any activating computer that logged into Playpen.
(DE 21-2 at 2).
On February 26, 2015, FBI agents noted that a user logged into
Playpen under the username “harris.” (DE 21-5 at
30). Pursuant to the NIT warrant, the FBI deployed its NIT to
obtain the information described above. The NIT revealed that
the subject's computer was assigned IP address
174.97.169.226. Using publicly available websites, the FBI
determined that Time Warner Cable provided internet access to
that IP address. Accordingly, it served upon Time Warner
Cable an administrative subpoena to obtain the name and
address of the corresponding user. In response, Time Warner
Cable submitted records indicating that defendant was the
user in question. The same records provided the address of
defendant's home in Raleigh, North Carolina. Using this
information, the FBI obtained from a magistrate judge in this
district a warrant (“EDNC warrant”) to search and
seize defendant's computer equipment. The FBI ...