On
Appeal from Superior Court, Rutland Unit, Criminal Division
Cortland Corsones, J.
Thomas
J. Donovan, Jr., Attorney General, and Ultan Doyle, Assistant
Attorney General, Montpelier, for Plaintiff-Appellee.
Allison N. Fulcher of Martin & Associates, Barre, for
Defendant-Appellant.
Christopher J. Schmidt, St. Louis, Missouri, Logan
Rutherford, Kansas City, Missouri, and Lawrence G.
Scarborough, New York, New York, of Bryan Cave LLP, for
Amicus Curiae The National Center for Missing and Exploited
Children.
PRESENT: Reiber, C.J., Skoglund, Robinson, Eaton and Carroll,
JJ.
SKOGLUND, J.
¶
1. This case requires us to consider whether defendant's
Fourth Amendment rights were violated when his online service
provider, AOL, searched his transmissions, detected suspected
child pornography, and sent information to the National
Center for Missing and Exploited Children (NCMEC), which
opened the email and attachment and provided it to law
enforcement. We conclude that AOL was not acting as an agent
of law enforcement when it searched defendant's
transmissions, and that NCMEC and law enforcement did not
expand AOL's private search by viewing the file already
identified by AOL as containing child pornography. In
addition, any expansion of the search by opening the related
email did not invalidate the warrant because the other
information in the affidavit independently provided probable
cause to search. We affirm.
¶
2. The following facts are not disputed. Defendant registered
an account with America Online, now known as AOL, an
electronic service provider (ESP) and internet service
provider (ISP), which was in effect in March 2013. He
registered it under the screenname
"lilstuisthebest." This is the account used to send
the emails and attachments at the heart of this case. To use
AOL's services, AOL requires its users to agree to its
Terms of Service and Privacy Policy (TOS). The terms are
designed to protect AOL's rights and to control
members' behavior online and when using its services. At
the time in question, the TOS specifically stated, among
other things, that AOL could access the content of
communications if it believed a crime had been committed, and
that users could not post, transmit, or distribute illegal
content. In addition, the TOS explained that if illegal
material was posted or transmitted, then AOL would cancel the
account and cooperate with law enforcement.
¶
3. AOL monitors the content users send on its network through
tools including Image Detection Filtering Process
(IDFP).[1] IDFP uses the MD5 algorithm to compute the
hash value of attachments and embedded images in messages
sent by, replied to, or forwarded by an AOL user. The MD5
hash values are obtained by applying a mathematical algorithm
to a digital file or data set. The resulting hash value is a
unique numerical representation of that digital file or data
set. Two images that are pixel-for-pixel identical will have
the exact same hash value, and therefore, the hash value is
referred to as a digital fingerprint. See United States
v. Henderson, 595 F.3d 1198, 1199 n.2 (10th Cir. 2010)
(explaining that hash value is unique alphanumeric sequence
developed from pixel-by-pixel analysis of particular image or
video and called "digital fingerprint" because it
is, "so far as science can ascertain presently,
unique").
¶
4. MD5 hash values are a well-established means of
identifying and verifying electronic files. Using the hash
algorithm, the scanning system can scan numerous files and
identify those files with known hash values. The hash values
used to identify images of apparent child pornography within
AOL's system are created by AOL. All the hash values
contained in AOL's data set were derived from images of
apparent child pornography that have at one time been viewed
by an AOL Graphics Review Team representative and determined
to contain apparent child pornography. If the image is
altered in any way, the hash value will not match.
¶
5. When a file is identified by AOL using IDFP as having the
same hash value as a file previously categorized as apparent
child pornography, the file does not reach its intended
destination, the sender's email account is terminated,
the account is preserved, and AOL automatically files a
report with NCMEC's CyberTipline. AOL sends a copy of the
full email, the header information, and a copy of any image
or files attached or embedded in the email. The header
information is metadata about the email including routing
information. AOL does not necessarily view the flagged file
prior to submitting it to NCMEC, relying solely on the
identification of the images by the hash value and its
previous observation of the image with the same hash value.
NCMEC cannot tell whether the file has been opened, but the
report transmitted has a place for the ESP to indicate
whether the file has previously been viewed.
¶
6. NCMEC is a private, nonprofit corporation. Its mission is
to help find missing children, reduce child sexual
exploitation, and prevent child victimization. NCMEC has five
main project areas: (1) missing children; (2) child sexual
exploitation; (3) training; (4) safety and prevention; and
(5) child victim and family services. NCMEC has 350 employees
over several different departments and divisions. None of
NCMEC's employees are government employees or active law
enforcement officers. NCMEC is funded through private
donations, federal grants, foundations, and corporate
donations. Approximately seventy percent of its funding,
around thirty-four million dollars, comes from federal grants
from the Department of Justice and the Department of Homeland
Security.
¶
7. The Child Exploitation Division of NCMEC operates the
CyberTipline and a child victim identification program. The
child victim identification program uses hash values to
identify images that contain child victims. The CyberTipline
receives tips related to child exploitation. Reports can be
submitted online. The CyberTipline was created through a
grant and, at the time, law enforcement did not have any
involvement in the program. The government was not involved
in initiating the program and no statutes governed its
operation. Since then, the federal government has enacted
several laws related to the CyberTipline. Currently, federal
law requires ESPs and ISPs to report apparent child
pornography to NCMEC through the CyberTipline. See 18 U.S.C.
§ 2258A(a). NCMEC is then required to forward the report
to law enforcement. Id. § 2258A(c)(1). Although
ISPs and ESPs are not required to register with NCMEC, about
twenty-five percent of them are registered, including AOL.
Once registered with NCMEC, ESPs provide reports to the
CyberTipline using a secure encrypted electronic connection
that gives them the ability to upload files with their
reports. Of the four million tips to the CyberTipline in
2015, ninety-eight percent were made by ESPs.
¶
8. After NCMEC receives a report, the report is locked and
cannot be altered. A staff member then uses publicly
available tools to try to identify potential geographic
information pertaining to the individual who is the subject
of the report, as well as the geographic information of the
ESP potentially used in the possession, receipt, or
transmission of the apparent child pornography image files.
After the staff member has determined a potential geographic
location and the relevant ESP information, a CyberTipline
report is made available to a law enforcement agency in the
identified potential geographic location using a secured
virtual private network. NCMEC is required by federal
legislation to transmit or forward the report to the
appropriate law enforcement agency for investigation. See 18
U.S.C. § 2258A(c)(1)-(3) (requiring NCMEC to forward
each report "to any appropriate law enforcement agency
designated by the Attorney General" and allowing NCMEC
to forward report to state law enforcement or foreign law
enforcement); 34 U.S.C. § 11293(b)(1)(P) (describing
that annual grant to NCMEC should be used to "operate a
cyber tipline to provide online users and electronic service
providers an effective means of reporting Internet-related
child sexual exploitation"). NCMEC staff do not always
open and view files before forwarding them to law
enforcement. Staff sometimes open images for two reasons: to
make sure the file was transmitted properly and to identify
the location of the image, and therefore the involved minor,
in furtherance of their goal of helping victims.
¶
9. Law enforcement uses the private network to access and
obtain the report. NCMEC neither has control over any
subsequent investigation nor does it follow up with law
enforcement on any tips that NCMEC sent.
¶
10. In this case, AOL identified two emails that contained
files with hash values matching AOL's database of
suspected child pornography. AOL isolated the transmissions
and did not allow the emails to be sent to their intended
recipient. AOL then submitted two reports to NCMEC labelled
as 1812852 and 1812853.[2] AOL reported an individual using an
email address of lilstuisthebest@aol.com and provided the
associated IP address. AOL identified the incident as child
pornography based on its IDFP analysis. The attachment file
name was referenced in the header information. The header
also contained the MD5 hash value of the file that was sent.
Staff at AOL did not view either the content of the two
emails or the attachment at the time the report was made.
Once received by NCMEC, a staff person at the CyberTipline
viewed the video attachment and the opened the email. Using
publicly available internet tools, that staff person
determined that the IP address identified by AOL was
associated with a Comcast account having a potential
geographic location of Rutland, Vermont. Consequently, the
CyberTipline sent a notification of reports 1812852 and
1812853 to the Office of the Vermont Attorney General for
independent review and potential investigation.
¶
11. The Attorney General's Office has a unit called
Internet Crimes Against Children task force (ICAC). A
detective from that unit received an email from NCMEC stating
a tip was available. He logged onto the NCMEC virtual private
network and downloaded the reports designated as 1812852 and
1812853. The reports indicated that AOL had not viewed the
attachment. The detective opened and viewed both the emails
and the video attachment. The detective applied for a warrant
to search defendant's residence and any electronic
devices found therein. The search warrant affidavit included
information about NCMEC and the CyberTipline. The affidavit
also provided the name of the attached video, a description
of the video contents, information about the sender, and
content from the emails. A subsequent search warrant was
obtained to get information about the AOL account from AOL.
¶
12. Based on information obtained from these searches,
defendant was charged with four counts of possessing child
pornography, three counts of promoting child pornography,
three counts of aggravated sexual assault, and one count of
lewd and lascivious conduct.[3] Defendant moved to suppress. He
argued that he had a reasonable expectation of privacy in his
emails and related attachments and that his rights under both
the Fourth Amendment of the U.S. Constitution and Article 11
of the Vermont Constitution were violated because law
enforcement opened the attachment and his email before
obtaining a warrant.
¶
13. The court denied the suppression motion. Based on
defendant's agreement to the TOS with AOL, which notified
defendant that his communications could be accessed or
disclosed if there was a good faith belief a crime had been
committed, the court held that defendant had no reasonable
expectation of privacy in the transmissions involved in this
case. With no expectation of privacy, the court concluded
there was no violation of defendant's rights.
¶
14. The court rejected the argument that AOL and NCMEC were
acting as agents of law enforcement and therefore that their
searches required a warrant. The trial court found the
following: that law enforcement was not involved with
AOL's process of identifying apparent child pornography
and AOL was not working as an agent of same; no law
enforcement or government entity was involved in setting up
the CyberTipline and law enforcement did not direct NCMEC to
establish it; the government neither directs nor provides
guidance to NCMEC in its processing of CyberTipline reports;
law enforcement is not involved with NCMEC's process of
collecting reports; and NCMEC has no control over any
subsequent criminal investigation and does not follow up with
law enforcement on any tips that are sent. Based on these
findings the court concluded that neither AOL nor NCMEC were
functioning as agents of law enforcement and their private
searches were not precluded by the Fourth Amendment. Finally,
the court concluded that, even if NCMEC was a government
agent, neither NCMEC nor law enforcement in the form of the
detective, expanded the scope of the AOL search.
¶
15. Defendant then entered a conditional guilty plea,
pleading guilty to two counts of aggravated sexual assault,
one count of possessing child pornography, and two counts of
promoting child pornography. He reserved the right to appeal
the denial of his motion to suppress. More information about
the plea colloquy is set forth below. After a ...