United States v. Knowles
Dean H. Secor, U.S. Attorneys Office (Chas), Charleston, SC, for Plaintiff.
This matter is before the Court on Defendant's motion to suppress evidence (Dkt. No. 47). After careful review of the parties' briefs and following a hearing held on September 6, 2016, the Court denies Defendant's motion.
Defendant is charged with possession of child pornography, in violation of 18 U.S.C. § 2252A. The charge arises from the Government's investigation of a website known as "Playpen,"1 a global forum for distributing child pornography, which used "Tor" software to avoid detection by law enforcement. (Dkt. No. 59 at 1.) Tor prevents tracing internet communications to the actual user. To overcome that obstacle, FBI agents utilized a Network Investigative Technique ("NIT") to identify Playpen users. Using information obtained from the NIT, FBI agents connected Defendant's home address to a Playpen username used to access child pornography. Agents then obtained a warrant to search Defendant's home, wherein they seized computer media containing child pornography. Defendant now moves to suppress those items, arguing the Government's use of an NIT, which was authorized by a search warrant issued in the Eastern District of Virginia, to obtain information from Defendant's computer, which was located in South Carolina, violated the Fourth Amendment, Rule 41(b) of the Federal Rules of Criminal Procedure, and 28 U.S.C. § 636(a).
Defendant's challenge to the use of an NIT raises issues requiring some background on communications between a website and its users.2 Websites exist on computers called "servers." A computer accessing the website is a "client" computer. Website servers and their clients typically are not part of the same home or office computer network. Thus, communications between server and client require a connection between networks—a means of "internetworking" (hence, the "internet"). This is accomplished by assigning internet protocol ("IP") addresses, bundling communications into data "packets" bearing source and destination IP addresses, and using specialized devices, "network nodes," to forward the data packets between networks. Each data packet has a "header" containing the source IP address, the destination IP address, and other data needed to route the packet. Network nodes use those IP addresses to route the packet between the user's location and the website's location, which might be the other side of the world.
The process may be analogized to physical mail. Communications are bundled into an envelope or "packet," having a "header" with source and destination addresses. The packet is forwarded among various "nodes," post offices and mail distribution centers, resulting, ultimately, in delivery to the intended recipient. By that analogy, to interact with a website is to engage in a correspondence with it. A closer analogy may be correspondence via telephone text messaging—an exchange of short messages across a communications network between persons using devices associated with unique numbers. The text message analogy illustrates IP addresses are subscriber numbers assigned by a service provider, like a telephone number, and not physical locations, like a mailing address. An internet service provider can provide subscriber information, including location information, regarding IP addresses, just as a telephone service provider may provide subscriber information regarding telephone numbers. (See Dkt. No. 47–1 ¶ 22.) The service provider responsible for a given IP address may be identified using publicly available information, again, just as a telephone company may be identified for a given telephone number. (Id.)
Finally, not all network addresses are used to route communications across the internet. Some addresses are local addresses valid for communications only within a single network or portion of a network. See Barrie Sosinsky, Networking Bible 512–13 (2009); Jielin Dong, Network Dictionary 298 (2007); Richard E. Smith, Elementary Information Security 509–10 (2001). Network nodes do not forward packets with such addresses between networks. How to Accelerate Your Internet: A Practical Guide to Bandwidth Management and Optimisation Using Open Source Software 45 (Rob Flickenger, ed., 2006). These addresses again can be analogized with telephones, as number extensions on a shared line—persons in the same office can reach one another by dialing an extension, but outside persons must dial the number for the main line and all outgoing calls display that number on "caller ID."
A media access control address ("MAC address") is a type of local address at issue in this case. A MAC address is assigned to a network interface, usually by the manufacturer, to identify devices on a network. Smith, supra, at 462–63; see also Azure Networks, LLC v. CSR PLC, 771 F.3d 1336, 1347 (Fed. Cir. 2014) (discussing MAC addresses), judgment vacated on other grounds, ––– U.S. ––––, 135 S.Ct. 1846, 181 L.Ed.2d 720 (2015). In practice, this means a computer has a MAC address analogous to an automobile's Vehicle Identification Number.3 See United States v. Cone, 714 F.3d 197, 210 n.9 (4th Cir. 2013). MAC addresses generally are not transmitted over the internet, and websites generally cannot request (or "instruct") a client to transmit its MAC address directly. Flickenger, supra, at 45. To obtain a client's MAC address, a website must somehow bypass the client's normal security measures.
Normally, law enforcement can review a website's IP address logs after they seize a website to determine which IP addresses visited the site. (See Dkt. No. 47–1 ¶ 22.) They can then search public information to determine which internet service provider owned a target IP address and issue a subpoena to that service provider for the identity of the user of that IP address. (Id.) Playpen users, however, concealed their IP addresses with Tor. (Dkt. No. 47–3 ¶ 7.) The Department of Defense designed Tor to protect government communications, but it is now free software available to the public. (Id.) The NIT search warrant affidavit describes Tor as masking users' IP addresses by "bouncing their communications around a distributed network of relay computers run by volunteers all around the world." (Id. ¶ 8.) However, "bouncing ... communications around a distributed network ... all around the world" describes most internet communications. More specifically, Tor utilizes "onion routing" to make internet communications anonymous. (Tor is an acronym for "The Onion Router.")4 In onion routing, packets are the core of layered cells or "onions." Around that core are layers of encryption. Special software on the user's computer chooses a "circuit" through the network of Tor servers, known as "onion routers." There are approximately seven thousand publicly listed routers and another two thousand unlisted routers (used to prevent service providers from blocking access to the Tor network). See Tor Metrics, The Tor Project, Inc., https://metrics.torproject.org/networksize.html. Each onion router decrypts a layer of the onion, receiving instruction on where next to relay it. No onion router knows how many routers are in the circuit, and only the last router in the circuit, the "exit node," knows its position in the circuit. When the onion leaves the exit node, it proceeds to its destination as any other internet traffic, but with the exit node's IP address rather than the actual sender's IP address.
Onion routing may be analogized with the following example. John receives a locked box, for which he has the key. He opens it, finding within another locked box, labeled "Jane." He does not have the key for Jane's box, so he mails the box to Jane. Jane has the key, and within she finds a locked box labeled "Jack." She does not have the key for Jack's box, so she mails it to Jack. Jack likewise opens his box, finds within a locked box labeled "Jill," and mails that box to Jill. Jill opens her box to find an envelope bearing a website's address. She writes her own address as the return address and mails the letter. This process is reversible, so information from a website can return through the Tor network to the end user. But it is impossible for the website to identify the actual IP address of the end user. Nor does John, Jane, Jack, or Jill know who is communicating with whom. As a result, "traditional IP identification techniques are not viable" because the last computer or exit node is not the IP address of the actual user who visits the website. (Dkt. No. 47–3 ¶ 8.) It is impossible to trace the exit node's IP address to the originating computer. (Id.)
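The locked-box analogy above can be followed step by step in the added sketch below, which is an illustration supplied here and is not part of the Court's opinion or of the Tor software. The per-router keys, the names "sender" and "website," the JSON layer format, and the toy cipher are assumptions made for the example; Tor's actual cryptography and cell format differ.

```python
import hashlib
import json

# Constructed sample data: the four routers from the analogy, each with its own key.
CIRCUIT = ["John", "Jane", "Jack", "Jill"]
KEYS = {name: hashlib.sha256(name.encode() + b"-constructed-key").digest()
        for name in CIRCUIT}

def keystream_xor(key, data):
    """Toy cipher (SHA-256 keystream XOR); a stand-in, not Tor's cryptography."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def build_onion(circuit, keys, destination, message):
    """Sender locks the innermost box for the last router, then wraps outward."""
    layer = json.dumps({"next": destination, "data": message.hex()}).encode()
    for i in range(len(circuit) - 1, -1, -1):
        layer = keystream_xor(keys[circuit[i]], layer)   # lock this router's box
        if i > 0:                                        # label it for the prior hop
            layer = json.dumps({"next": circuit[i], "data": layer.hex()}).encode()
    return layer

def peel(router, keys, blob):
    """A router opens only its own layer and learns only where to relay next."""
    plain = json.loads(keystream_xor(keys[router], blob))
    return plain["next"], bytes.fromhex(plain["data"])

def relay(circuit, keys, sender, onion):
    """Walk the circuit, recording (router, previous hop, next hop) for each router."""
    seen, prev, hop, blob = [], sender, circuit[0], onion
    while hop in keys:
        nxt, blob = peel(hop, keys, blob)
        seen.append((hop, prev, nxt))
        prev, hop = hop, nxt
    # hop is now the destination; prev is the only address the destination sees.
    return seen, hop, prev, blob

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, KEYS, "website", b"GET /")
    observations, dest, source_seen, payload = relay(CIRCUIT, KEYS, "sender", onion)
    for router, came_from, goes_to in observations:
        print(f"{router}: received from {came_from}, forwards to {goes_to}")
    print(f"{dest} sees source {source_seen!r} and payload {payload!r}")
```

Only the first router ever handles the sender's address, and only the last handles the destination's, which is why the website's logs record the exit node rather than the user.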
Tor also allows websites, such as Playpen, to operate as a "hidden service." (Id. ¶¶ 9–10.) Tor replaces the website server's IP address with a Tor web address. (Id. ¶ 9.) The Tor web address "is a series of algorithm-generated characters, such as ‘asdlk8fs9dflku7f’ followed by the suffix ‘.onion.’ " (Id.) Users had to obtain Playpen's specific address from other users or through a link posted on one of Tor's "hidden services" pages dedicated to child pornography. (Id. ¶ 10.)
Playpen needed the anonymity Tor provides because it was "dedicated to the advertisement and distribution of child pornography, [and] the discussion of matters pertinent to child sexual abuse." (Id. ¶ 6.) The website's home page displayed an image of two partially clothed prepubescent females with their legs spread apart. (Id. ¶ 12.) That page prompted users either to register an account or to login using an existing username and password. (Id.) A message told registering users "NOT [to] ... enter a real [email] address" and "[f]or your security you should...