United States v. Deichert

          ORDER

          LOUISE W. FLANAGAN United States District Judge

         This matter is before the court on defendant's motion to suppress certain evidence allegedly obtained in violation of the Fourth Amendment to the United States Constitution and Rule 41 of the Federal Rules of Criminal Procedure. (DE 21). For the reasons that follow, defendant's motion is denied.

         BACKGROUND

         August 23, 2016, a grand jury returned an indictment charging defendant with 10 counts of manufacturing child pornography, in violation of 18 U.S.C. § 2251 (a) & (e), 10 counts of receiving child pornography, in violation of 18 U.S.C. § 2252(a)(2), and one count of possession of child pornography, in violation of 18 U.S.C. § 2252(a)(4)(B).

         November 7, 2016, defendant filed the instant motion to suppress. Defendant moves to suppress all evidence seized electronically from defendant's home computer February 20, 2015, through a computer forensic tool the Federal Bureau of Investigation (“FBI”) terms a network investigative technique (“NIT”), described in detail below. Additionally, defendant moves to suppress fruits of that search including computer equipment seized from defendant's home October 29, 2015, and electronic data found therein.

         In support of his motion, defendant asserts that the government violated his rights under the Fourth Amendment and Rule 41 of the Federal Rules of Criminal Procedure when it deployed the NIT pursuant to an allegedly invalid search warrant issued February 20, 2015, by a magistrate judge sitting in the Eastern District of Virginia. Defendant contends the warrant was unsupported by probable cause, constituted an anticipatory warrant that never properly was triggered, violated the Fourth Amendment particularity requirement, and issued in violation of Rule 41.

         STATEMENT OF FACTS

         Facts pertinent to the instant motion may be summarized as follows. Prior to February 20, 2015, a resident of Naples, Florida (“Playpen's administrator”) began operating a website known as “Playpen, ” which constituted an online message board that hosted illicit images and videos and enabled users to share child pornography. Additionally, Playpen contained information about how to maintain anonymity while engaged in conduct related to child pornography, including advice about online privacy and guidance for handling child victims.

         Playpen's administrator took extensive security measures to evade law enforcement and to protect users' anonymity. In particular, Playpen was inaccessible to ordinary internet users. Playpen was accessible only through “the onion router” (“Tor”), which is a system that appears to users as a standard internet browser but is designed to conceal users' internet protocol (“IP”) addresses and other identifying information. Tor achieves this result by routing online communications through numerous connected computers (“nodes”). This process creates the appearance that the last node in the chain (“exit node”) is the only other party to a communication.

         In reality, the nodes are unable to access the content of a communication transmitted through Tor, nor is it possible for an observer to retrace the steps in the chain to determine the IP address of the computer that initiates communication (“activating computer”).

         One court has offered the following useful analogy to describe the process by which Tor conceals users' identities:

Imagine that “John receives a locked box, for which he has the key. He opens it, finding within another locked box, labeled “Jane.” He does not have the key for Jane's box, so he mails the box to Jane. Jane has the key and within she finds a locked box labeled “Jack.” She does not have the key for Jack's box, so she mails it to Jack. Jack likewise opens his box, finds within a locked box labeled ‘Jill, ' and mails that box to Jill. Jill opens her box to find an envelop bearing a website's address. She writes her own address as the return address and mails the letter. This process is reversible, so information from a website can return through the Tor network to the end user. Nor does John, Jane, Jack, or Jill know who is communicating with whom.”

United States v. Knowles, No. 15-cr-875, 2016 WL 6952109, at *1, *5 (D.S.C. Nov. 28, 2016). By this process, a website's host knows the IP address only of the exit node, i.e, the return address of the last letter in the illustration above. Additionally, because each node sends no information about the complete return path, it is impossible to identify the activating computer simply by controlling a website accessed through Tor.

         Beginning December 2014, Playpen's administrator inadvertently made Playpen available on the open (non-Tor) internet for a number of days. During this time, the FBI was able to locate Playpen's servers, seized them, and move the servers to a location within the Eastern District of Virginia. The Tor network would have made it impossible to identify Playpen's users absent special methods.

         To address this problem, the FBI obtained a warrant (“NIT warrant”) from a magistrate judge in the Eastern District of Virginia that permitted the FBI to continue operating Playpen for 30 days.

         The warrant also permitted the FBI during that time to deploy its NIT directed to the computer of any user who entered a username and password to log into Playpen. Nothing in the record discloses the NIT's full capabilities, but, at a minimum, the NIT is capable of installing itself on a target's computer, running covertly in the background, and causing a user's computer to send directly to the FBI information that is normally concealed by Tor. In this case, the warrant authorized the FBI to gather information consisting of

• the IP address for any activating computer that logged into Playpen;

• a unique identifier generated by the NIT to distinguish data received from each activating computer;

• the type of operating system running on each activating computer;

• information indicating whether the NIT already had been installed on an activating computer;

• the host name for each activating computer, which is a unique set of characters that serves to identify computers connected to a network;

• the operating system username active on each activating computer; and

• the media access control address (“MAC address”) for each activating computer, which is another set of characters that is designed to identify uniquely certain equipment used to facilitate communication over an electronic network.

(DE 21-3 at 25-26). The NIT warrant set forth no limitation on the number of computers on which the NIT was to be installed. The NIT warrant authorized the FBI to deploy the NIT against any activating computer that logged into Playpen. (DE 21-2 at 2).

         On February 26, 2015, FBI agents noted that a user logged into Playpen under the username “harris.” (DE21-5 at 30). Pursuant to the NIT warrant, the FBI deployed its NIT to obtain the information described above. The NIT revealed that the subject's computer was assigned IP address 174.97.169.226. Using publicly available websites, the FBI determined that Time Warner Cable provided internet access to that IP address. Accordingly, it served upon Time Warner Cable an administrative subpoena to obtain the name and address of the corresponding user. In response, Time Warner Cable submitted records indicating that defendant was the user in question. The same records provided the address of defendant's home in Raleigh, North Carolina. Using this information, the FBI obtained from a magistrate judge in this district a warrant (“EDNC warrant”) to search and seize defendant's computer equipment. The FBI ...