
United States v. Thomas

United States District Court, Second Circuit

November 8, 2013

UNITED STATES OF AMERICA
v.
DEREK THOMAS, DOUGLAS NEALE, and STEPHAN LEIKERT

OPINION AND ORDER DENYING DEFENDANTS' MOTIONS TO SUPPRESS
Defendant Thomas (Docs. 47, 83 & 84)
Defendant Neale (Docs. 24 & 65)
Defendant Leikert (Docs. 22 & 46)

CHRISTINA REISS, Chief District Judge.

This matter came before the court for an evidentiary hearing on April 17 and July 30-31, 2013 on the motions to suppress filed by Defendants Derek Thomas, Douglas Neale, and Stephan Leikert which were consolidated for the purposes of the court's hearing. The parties' filing of post-hearing memoranda was completed on September 25, 2013.

The government is represented by Assistant U.S. Attorney Nancy J. Creswell in the Thomas case; by Assistant U.S. Attorney Timothy C. Doherty, Jr. in the Neale case; and by Assistant U.S. Attorney Christina Nolan in the Leikert case. Defendant Thomas is represented by Elizabeth D. Mann, Esq. Defendant Neale is represented by Assistant Federal Public Defender David L. McColgin. Defendant Leikert is represented by Chandler W. Matson, Esq. and William W. Cobb, Esq.

Each of the Defendants was charged by indictment with possession of child pornography in violation of 18 U.S.C. § 2252(a)(4)(B) after law enforcement executed search warrants at their respective residences and seized evidence from a computer or computers found therein. Defendants seek suppression of all evidence derived from the search, arguing that law enforcement's use of automated software constituted a warrantless search of the private areas of their respective computers in violation of the Fourth Amendment.

In the alternative, Defendants argue that the search warrants in their cases lacked probable cause, and contained false and misleading statements and omissions that intentionally or recklessly misled the magistrate judge who issued the search warrants. Defendants either collectively or individually assert that the search warrant affidavits were false and misleading because they allegedly: (1) failed to adequately disclose and describe law enforcement's use of automated software and a third-party database; (2) failed to disclose the automated software's alleged ability to access incomplete, deleted, and corrupted files, as well as files that had not been made available for sharing; (3) failed to advise of the alleged inadequacy of the testing of the automated software; (4) falsely represented the reliability of hash values to identify a file's contents; (5) falsely stated that an MD4 hash value could be "converted" to a SHA1 value; (6) falsely suggested there was a manual "undercover" investigation; (7) failed to accurately and adequately describe whether and how law enforcement verified the contents of the suspected files; and (8) noted that Defendants allegedly "shared" certain files of child pornography when the files were only allegedly "offered to be shared."

The government opposes the motions, contending that the automated software did not and cannot access "private" files not made available for sharing. Accordingly, it asserts no warrantless searches occurred. The government further contends that the use of automated software was fully disclosed in the search warrant affidavits, the search warrants are supported by probable cause, and the search warrant affidavits contain no intentional or reckless material misstatements of fact or omissions.

I. Findings of Fact.

In approximately December 2011, federal and state law enforcement in Vermont commenced an investigation, known as "Operation Greenwave," into potential child pornography crimes using peer-to-peer file sharing software. Each of the search warrants at issue in this case was part of Operation Greenwave.

A. Peer-to-Peer File Sharing.

Peer-to-peer file sharing is a popular means of obtaining and sharing files free of charge directly from other computer users who are connected to the Internet and who are also using peer-to-peer file sharing software. Peer-to-peer file sharing software is publicly available for download free of charge from the Internet and operates on a particular network which dictates to some extent how the file sharing will occur. Gnutella and eDonkey are two popular networks on which peer-to-peer file sharing takes place.

Generally, the source code for peer-to-peer file sharing software is "open," meaning that, to a certain extent, it may be modified by users. However, although users may make some modifications to the source code, the software must still adhere to a common protocol or language in order for it to communicate with other computers and allow file sharing to take place. There are numerous types of peer-to-peer file sharing programs and numerous versions of each particular type of program.

Once peer-to-peer file sharing software has been downloaded and installed by the user, the user may interface directly with other computers using the same file sharing software and browse and obtain files that have been made available for sharing. The file sharing software does not permit a user to access files that are not available for sharing. However, a user may download a version of the software which contains default settings that make certain files available for sharing without the user's affirmative designation of the files as shared files. In addition, file sharing programs often include a default setting which allows them to operate anytime a computer is on and connected to the Internet even if the user has not sought to reactivate the file sharing program. File sharing programs may resume an interrupted download if the file sharing program is reactivated, even if the user has not affirmatively requested that the download resume.

File sharing occurs when one computer, identified by an Internet Protocol ("IP") address, initiates a search for a responsive file by indicating the term or terms that it seeks to find in the file's name. This is called a "query" and consists of key words such as "child," "pornography," or "child pornography." Law enforcement has identified a number of search terms commonly associated with child pornography. Other computers that are using the same file sharing software and connected to the Internet at the time will respond to the query with a "query hit message." A query hit message identifies the file or files available for sharing which have a word in the file name that matches the search word in the query. The query hit message will also contain additional information such as the IP addresses of the computers offering to share responsive files. Often multiple computers will respond to a single query.

After a query hit message is received, the computer user requesting the file must affirmatively select it for download, generally by double clicking on the file's name. It is possible and even probable that the download will occur from multiple computers at the same time all of which have responded with a query hit message and are simultaneously sending the file for download to the computer requesting it. This permits a more rapid downloading process. A person seeking to download a file may often preview a portion of the file before downloading it, however, some peer-to-peer file sharing software programs do not allow the user to view the file until the download is complete. Incomplete files are generally not available for download unless the computer user responding to a query, or the default settings on his or her computer, have made an incomplete file available for sharing.

Peer-to-peer file sharing software also often allows a user to request a "browse host," which is a request to view all of the files that another computer has available for sharing. Both the Gnutella and eDonkey networks have a browse host function built into their protocols. eDonkey, however, relies on actual servers while Gnutella does not. Accordingly, a user of the eDonkey network submits his or her shared files to eDonkey's servers, and the servers respond on behalf of users who are then online and operating eDonkey file sharing software. Both networks use a query-response protocol whereby queries are sent out, responses are received and displayed, and the user then selects the files he or she seeks to download or simply browses the files made available for sharing. It is not uncommon for a user to download all of another user's files available for sharing and then determine at a later time whether to retain those files.

Many peer-to-peer file sharing programs permit the user to disable the file sharing component of the software. In addition, the software may be configured to prohibit the use of the browse host function. However, because the software is open source code, it is not always certain that the peer-to-peer file sharing software will function as intended by the user. If a user's computer is either off or not connected to the Internet, no file sharing will take place.

B. Hash Values.

Peer-to-peer file sharing programs all use hash values to identify files in a manner that is significantly more precise than a file's name. A hash value is a list of characters that act as a digital fingerprint for a file's contents. Hash values have varying degrees of reliability. The network chooses the type of hash value it will use for file sharing purposes. Law enforcement agents investigating peer-to-peer file sharing activity will thus receive responses that reflect the network's chosen type of hash value.

The Secure Hash Algorithm ("SHA1") value consists of thirty-two characters and was developed by the National Security Administration in 1992. It is more reliable than DNA (in that the likelihood of two individuals coincidentally sharing the same DNA is greater than the likelihood that more than one file will have the same SHA1 value) and a collision[1] between two files with identical SHA1 values but with non-identical content has never been shown to exist. The Gnutella network uses the SHA1 value.

The eDonkey network uses the MD4 hash value, which divides every file into parts of 9.5 kilobytes, assigns a hash value to each part, and then assigns a hash value to the completed file. The component hash values are not stored separately. eMule, which is the most popular peer-to-peer file sharing program on the eDonkey network, uses the MD4 hash value as its unique identifier for files. There is no evidence that an MD4 hash value is inherently unreliable and cannot be used to identify files. To the contrary, it is a substantially more accurate means of identifying a file than the file's name.

There is no way to "convert" a MD4 hash value into a SHA1 value or vice versa. However, a law enforcement officer may access a database that identifies all of the hash values believed to be associated with a particular file and thereby cross-reference the different types of hash values that have been associated with the file. Software that performs this function is publicly available on the Internet.

C. TLO's Investigative Software Tools.

William Wiltse, a former law enforcement officer, certified computer forensics examiner, and experienced programmer, created or assisted others in the creation of a suite of software programs to automate, expedite, and focus law enforcement's investigation of child exploitation crimes. Through a company called TLO, a data fusion company, Mr. Wiltse and his colleagues offer a suite of software and other products known collectively as the Child Protection System ("CPS") free of charge to licensed law enforcement professionals. TLO has trained law enforcement officers investigating child exploitation crimes in forty-two countries.

Among the products TLO offers are certain products that substitute automation for the computer key strokes and data gathering a law enforcement officer would otherwise perform manually in order to investigate peer-to-peer file sharing software crimes. Rather than sitting at a computer sending out queries and evaluating responses, and then attempting to narrow search results in a relevant manner, a law enforcement officer may use CPS products to automate this process.

CPS is a web interface or portal which permits a user to access CPS's suite of tools. In order to use CPS products, law enforcement must attend and successfully complete an approximately three day training course. In the course, law enforcement officers are instructed regarding how to search for child pornography with peer-to-peer file sharing software using both a manual method and a CPS tool known as Peer Spectre which automates the query-response function. Law enforcement is then instructed regarding how to compare the results. If a law enforcement officer successfully completes the course, TLO issues the law enforcement officer a license to access CPS's suite of tools in his or her jurisdiction.

None of CPS's products have any ability to infiltrate a user's computer with child pornography because TLO does not possess, contain, or warehouse any actual images of child pornography or suspected child pornography. Moreover, because CPS software is based upon query-response software, the only information it gleans is information a user's computer has made available for sharing. As a further limitation, CPS tools gather only file names, hash values, and other data; they have no ability to access the images or files themselves. A law enforcement officer must therefore follow up on the leads generated by CPS tools. He or she may decide to attempt a direct download from a particular IP address or consult his or her own agency's database or another available database of known child pornography to determine whether a file which corresponds to a particular hash value appears to contain suspected child pornography.

Peer Spectre is part of CPS's suite of tools and is a software application that focuses on the Gnutella file sharing network. It operates on a law enforcement officer's own computer and automates the process of sending out queries for files by using terms known to be associated with child pornography. If a user is online and has activated peer-to-peer file sharing software, his or her computer will respond to Peer Spectre's query with a query hit message, indicating that the computer has offered to share a responsive file or files. The query hit message generally includes the full file name, the file size, the hash value which identifies the file, the Globally Unique Identifier ("GUID") which is akin to a software serial number, the IP address of the computer offering to share the file, and the port it is using. Peer Spectre then analyzes the information received and sends a report of that information to the law enforcement officer, who may analyze it immediately or at a later time.

Because peer-to-peer file sharing programs operate globally and contain no internal distinction regarding geography, TLO uses publicly available geo-location technology to narrow search results to geographic areas of interest. This allows TLO to identify a country, state, and city for every query hit message. In turn, TLO is able to ensure that only those query hit messages that constitute responses from IP addresses within the law enforcement officer's licensed jurisdiction will be reported back to the officer. In most cases, there are more identified IP addresses for a particular geographic region than a law enforcement officer can reasonably investigate, so the report generated by the automated software assists the officer in prioritizing his or her investigation by identifying the "worst" IP addresses (in terms of the likelihood that the IP address is offering to share child pornography). In contrast, using a manual method, a law enforcement officer may receive query hit messages from computers in other states or other countries and thus must manually narrow those responses by determining whether the IP address reflects an Internet provider in his or her jurisdiction.

TLO developed Lime Crawler and Lime Scanner to run on TLO's own servers. Lime Crawler and Lime Scanner are one piece of software divided into two parts to automate the process of investigating the use of Limewire peer-to-peer file sharing programs. Lime Scanner sends out the query messages and Lime Crawler attempts to make a direct connection with the IP address by sending a browse host request, asking to see the other files that a particular IP address has made available for sharing. These programs operate on both the eDonkey and the Gnutella networks.

Nordic Mule is a software program, originally developed by law enforcement agents in Norway, that TLO has modified for use in a manner similar to Peer Spectre but which operates on the eDonkey network. Nordic Mule thus uses the MD4 hash value used by the eDonkey network. Like Lime Scanner and Lime Crawler, Nordic Mule is only used internally at TLO and resides on TLO's servers. It has the ability to automate the browse host function and submit responses to TLO's servers, which then generate a report of the results for law enforcement.

TLO's Media Library allows law enforcement to research whether a particular file has previously been determined by law enforcement to contain potential child pornography. The Media Library database contains over 330,000 file entries and resides on TLO's servers. It, however, contains only hash values, file names, and file information. It contains no actual files or images of child pornography. Media Library does not verify the accuracy of the characterization of its files as suspected child pornography beyond the initial process by which a particular file is submitted to its database. It thus does not and cannot make the legal determination as to whether a particular file depicts child pornography as the definition of "child pornography" varies from jurisdiction to jurisdiction.

For each file, Media Library contains all known hash values associated with it including SHA1, Tiger tree, and MD4 hash values. In this respect, if a file is identified, a law enforcement officer can gain access to each type of hash value that has been associated with it. Other publicly available software programs offer this same functionality. A law enforcement officer may access Media Library even if he or she chooses not to use Peer Spectre or any of TLO's other products.

D. Testing of CPS Tools.

In order to test Peer Spectre, programmers used a program called a "packet capture" that allows a programmer to effectively eavesdrop on the network transmissions from that program out to the Internet. They then determined whether they could reliably connect and maintain a connection within a closed network environment to validate whether the queries were generating appropriate query hit messages. TLO tested Lime Scanner and Lime Crawler by comparing their performance with Peer Spectre, to determine whether both types of programs were generating the same leads regarding IP addresses. TLO concluded that no further testing was necessary as those products are based upon an existing source code which is the protocol for the networks on which they operate. Because Nordic Mule was built on the eMule source code by investigators in Norway, TLO did not test it further.

Mr. Wiltse opined that the reliability of CPS query-response software products has been established by marketplace acceptance. He explained that each of these programs uses the same protocol as the networks on which they are based, which offer popular file sharing programs that would not be used if they did not function as intended.

Defendants challenge Mr. Wiltse's opinion that CPS products are reliable. They contend that TLO must test and establish a known error rate for CPS products before they may be used to support a finding of probable cause. Defendants do not, however, suggest a manner in which such an error rate could or should be established. Since CPS's query-response software programs are based upon the same protocol used by the file sharing network they investigate, it is not clear what, if any, adjustments could be made to them to render them more "reliable." There is no evidence that CPS products report false or misleading information. Instead, they are evidence-gathering tools that merely obtain, report, and categorize information regarding files that are available for sharing from a particular IP address. A law enforcement officer must then take further steps to determine whether the information received supports a conclusion that there is probable cause to believe that evidence of child pornography will be found at a particular physical address.

E. Affidavits in Support of Probable Cause.

In each of these cases, law enforcement used a common template for the affidavits in support of probable cause which were used to obtain search warrants for Defendants' respective residences. The template was a collaborative drafting effort by a number of law enforcement officers and borrowed heavily from a search warrant affidavit that had been used to secure a Vermont state court search warrant. The template also reflected information obtained from an ICE Agent in New Hampshire who had drafted affidavits for child pornography search warrants in other cases. In each of Defendants' cases, law enforcement did not attempt a direct download or a browse host from a target IP address. Instead, law enforcement relied upon "historical" information to establish probable cause. Each search warrant affidavit recites the investigative steps that were taken thereafter to determine the residence with which a target IP address was associated.

Detective Corporal Gerry Eno, identified in each of the search warrant affidavits as a source of information, is the coordinator of an undercover operations unit that investigates child exploitation crimes. All proactive investigations conducted by Vermont's Internet Crimes Against Children Task Force ("ICAC") fall within his undercover unit which has been performing peer-to-peer file sharing investigations since approximately 2007. For this reason, Detective Eno refers to peer-to-peer file sharing investigations as "undercover investigations."

ICAC maintains a library of files that contain images and videos of child pornography and their associated hash values. Law enforcement officers may access ICAC's library or an officer's own agency's library to attempt to determine whether a particular file contains ...