United States v. Balog

1

UNITED STATES OF AMERICA, Plaintiff, v. BRYAN MICHAEL BALOG, Defendant.

No. CR 23-45-M-DWM

United States District Court, D. Montana, Missoula Division

May 20, 2024

OPINION AND ORDER

DONALD W, MOLLOY DISTRICT JUDGE UNITED STATES DISTRICT COURT

Defendant Bryan Michael Balog is charged with receipt and transportation of child pornography in violation of 18 U.S.C § 2252(a)(1), (2). (Doc. 1.) The charges arise out of Dropbox, Inc. reporting images of suspected child pornography in a CyberTip to the National Center for Missing and Exploited Children (“National Center”). (See Doc. 29-1.) Balog seeks to suppress the images on the basis that the National Center acted as a government entity or agent and its warrantless search of his private papers and effects violated the Fourth Amendment to the United States Constitution. (Doc. 28.) A suppression hearing was held on May 20,2024, and the government called one witness, Missoula Police Detective Josh Harris. Having considered the parties' filings, the record evidence, and the arguments at the hearing, Balog's motion to suppress is denied.

Background

The factual background is taken from Detective Harris' testimony, as well as the exhibits attached to Balog's motion-Dropbox's CyberTip Report, (Doc. 291); a declaration by Dropbox Content Safety Manager Tobi Wulff (Doc. 29-2); and Dropbox's Policies and Terms of Service (Docs. 29-3 through 29-7)-and the government's exhibits-October 11,2022 search warrant application, (Doc 32-1); Dropbox preservation letter, (Doc. 32-2); and October 12, 2022 search warrant application, (Doc. 32-3).

L Dropbox's Content Safety Review Process

By federal statute, “[i]n order to reduce ... and ... prevent the online sexual exploitation of children,” electronic service providers such as Dropbox must make a report to the National Center of “any facts or circumstances from which there is an apparent violation of... child pornography [statutes]” “as soon as reasonably possible after obtaining actual knowledge of any [such] facts and circumstances.” 18 U.S.C. § 2258A(a); see id. §§ 2510(15), 2258E. The contents of that report are at the discretion of the provider, but may include, inter alia, email addresses, IP addresses, geographic information, and descriptions of the identified images. Id. § 2258(b). The National Center then forwards the CyberTip report to the appropriate law enforcement agency for possible investigation. Id. § 2258A(c).

Dropbox, the provider at issue here, '

provides an online file syncing and collaboration service that allows users to access and share their files on computer, phones, tablets, and the Dropbox website. When Dropbox users upload files to their Dropbox accounts, they can choose whether to keep files private within their accounts, to share their files with specified Dropbox users, or to share their files with the public by creating a “shared link.” Files that are shared publicly can be accessed over the Internet by any person who knows the Uniform Resource Locator (“URL”) for the shared link.

(Doc. 29-2 at ¶ 3.) Dropbox's Acceptable Use Policy prohibits its services from being used to “publish, share, or store materials that constitute child sexually exploitive material (including material which may not be illegal child sexual abuse material but which nonetheless sexually exploits or promotes the sexual exploitation of minors), unlawful pornography, or otherwise indecent.” (Doc. 29-5 at 1.) Consistently, the Terms of Service explain that Dropbox may “accessf], store[] and scan[]” user content and “may review [user] conduct and content for compliance with” its Terms of Service and Acceptable Use Policy. (See Doc. 29-3 at 1; see also Doc. 29-5 at 1-2 (reserving “the right to take appropriate action in response to violations of th[e Acceptable Use] policy, which could include removing or disabling access to content, suspending a user's access to the Services, or terminating an account”).) Dropbox's Privacy Policy further states that Dropbox discloses user information to third parties if it determines that a disclosure is “reasonably necessary to ... comply with the law.” (Doc. 29-4 at 3.)

Consistent with the above, when Dropbox's Content Safety Team becomes aware of potential child sexual abuse material, it removes the content and disables the account if it determines that the content violates the Terms of Service and Acceptable Use Policy. (Doc. 29-2 at ¶¶ 7-8.) “When Dropbox discovers child pornography as defined in 18 U.S.C. § 2256, Dropbox provides a report to [the National Center] via the CyberTip in accordance with its statutory obligations under 18 U.S.C. § 2258A.” (Id. ¶ 9.) The Content Safety Team has been “trained on the statutory definition of child pornography and how to recognize it on our services. Dropbox makes reports in accordance with that training.” (Id.) Importantly, “[a] 11 apparent child pornography is manually reviewed by a member of the Dropbox content safety team before it is reported to [the National Center]. This review is necessary for quality control purposes and to confirm the content to be reported qualifies as ‘apparent child pornography.'” (Id. ¶ 10.) “When Dropbox indicates in a CyberTip report that a file was “Reviewed by Company,” or otherwise states or indicates that Dropbox has viewed or reviewed the file, Dropbox is referring to a review of that image by a human reviewer prior to making the report.”^[1] (Id. ¶ 12.)

IL Balog's Images

On September 9, 2022, Dropbox provided a CyberTip Report to the National Center containing 40 files it had reviewed as potential child pornography. (Doc. 29-1 at 4-14; Doc. 29-2 at ¶ 11.) Dropbox categorized each image through a coding system that denoted whether a prepubescent or a pubescent minor was involved and whether the act depicted was a “sex act” or “lascivious exhibition”:

(IMAGE OMITTED)

(Doc. 29-1 at 4-14, 15.) Using this system, Dropbox determined that most of the files were of prepubescent children: three files were classified as prepubescent children engaged in a sex act (Al), twenty-one as being a prepubescent child depicted in lascivious exhibition (A2), one as being a pubescent child engaged in a sex act (Bl), and fifteen as being a pubescent child depicted in lascivious exhibition (B2). (/J.) Dropbox also provided information about the account that had uploaded the images, including the email address, a screen/username, a user ID, and the IP address for the upload device. (Id. at 3.) Upon receipt of Dropbox's report, the National Center manually reviewed only three of images, (see id. at 18), although all the images were automatically categorized through a “hash match” with known images of child pornography, and labeled as “Apparent Child Pornography,” “CP (Unconfirmed),” or “Child Unclothed.” (See id. at 16.) Using a publicly available IP address database, the National Center determined that they came from a Spectrum IP address in Missoula, Montana, (see id. at 15-17). The National Center forwarded the report and images to law enforcement in Montana. (See id. at 21.)

On October 11, 2022, Missoula Police Department Detective Josh Harris submitted a search warrant application to the state district court to review the 40 images based on the information contained in the CyberTip Report. (See Doc. 321.) A warrant was issued the same day. (Id.) Pursuant to that warrant, Detective Harris opened and viewed the 40 images underlying the Report and, on October 12, 2022, he applied for another search warrant from the state district court, this time to seize the data within Balog's Dropbox account. (See Doc. 32-3.) According to the government, Detective Harris reviewed the data from Balog's Dropbox account on October 24, 2022, and found over 1,200 images of child sexual abuse material. (See Doc. 32 at 5.)

Analysis

“The Fourth Amendment guarantees the right to be free from ‘unreasonable searches and seizures.'” United States v. Rosenow, 50 F.4th 715, 728 (9th Cir. 2022) (quoting U.S. Const, amend. IV). This right has two components, one property-based and one privacy-based. See United States v. Wilson, 13 F.4th 961, 967 n.7 (9th Cir. 2021). The former is “‘tied to common-law trespass' and focuse[s] on whether the Government ‘obtains information by physically intruding on a constitutionally protected area.'” Carpenter v. United States, 585 U.S. 296, 304 (2018) (quoting United States v. Jones, 565 U.S. 400, 405, 406 n.3 (2012)). The latter focuses on the “person” and protects an individual from unlawful intrusions into areas that an individual has a subjective expectation of privacy and that society is prepared to recognize as reasonable. See Kyllo v. United States, 553 U.S. 37, 33 (2001) (citing Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring)).

Nevertheless “[t]he Fourth Amendment regulates only governmental action; it does not protect against intrusive conduct by private individuals acting in a private capacity.” Rosenow, 50 F.4th at 728. Accordingly, “a private party may conduct a search that would be unconstitutional if conducted by the government.” Wilson, 13 F.4th at 967; see Burdeau v. McDowell, 256 U.S. 465, 475 (1921) (disregarding the private theft of papers used against a criminal defendant); Coolidge v. New Hampshire, 403 U.S. 443, 489 (1971) (holding that police need not “avert their eyes” when voluntarily offered critical evidence). A government agent may then “reexamine” items previously discovered and revealed by a private party so long as the government agent does not exceed the scope of the private search: “[O]nce frustration of the original expectation of privacy occurs, the Fourth Amendment does not prohibit governmental use of the now-nonprivate information.” United States v....