
Wednesday, August 28, 2013

Website Banner Defeats Numerous Fourth Amendment Objections in CP Case

A federal district judge recently held in a child pornography (CP) case that the website's banner doubly defeated any Fourth Amendment objection to an investigator's use of the site to collect evidence of possession and distribution of CP. The case, United States v. Bode, No. 1:12-cr-00158-ELH (D. Md. Aug. 21, 2013), rests on evidence developed by a government investigator (Burdick) who was granted administrator-level access to a website where the defendant (Bode) was allegedly posting CP. The website in question (which has since been shut down) offered users a real-time chat service, including the ability to send messages and images to public chat rooms, as well as "privately" to individual users. The site logged timestamps, IP addresses, message contents, images, and public chat room history for review by its administrators, though individual users could not see or review their own usage history after a chat session was over. The website also required acceptance of its terms of service before allowing users to post or receive messages. Its terms read:
CHILD PORNOGRAPHY...
BEHIND EVERY PICTURE THERE IS PAIN!
HELP US REPORT IT! 
Posting photos, graphics or cartoons showing persons under 18 years of age is not allowed. Child pornography or other illegal material will immediately be reported to the posters [sic] local authorities. Requesting images of the above nature is not allowed. All posted pictures and conversations, public and private, are logged and supervised. [The website] may disclose these communications to the authorities at its discretion.
The final sentence (emphasis added) was appended at Burdick's request during his investigation, before the CP images at issue in the case were allegedly posted.

But first, the backstory: Burdick, an agent with the Department of Homeland Security's Immigration and Customs Enforcement (Child Exploitation Investigations Group), heard that users of this website were trading CP. Without getting a warrant or a court order, he began looking into the site and observed users posting CP using the chat service. Burdick checked with the website's domain name registrar to try to identify its operator and found that its administrator was located in Sweden. Since it is more complicated to serve process on a foreign entity (and it is unclear whether Burdick would have had the authority to do so), he emailed the site operator to ask for cooperation in his CP investigation. The site operator enthusiastically complied, giving Burdick an administrator-level account on the website so he could directly review the site's logs. Burdick used his administrative access to identify users who had been reported by others for (potentially) trading CP, and then began checking the logs generated by those particular users more carefully.

Eventually Burdick checked with an Assistant United States Attorney, who recommended that he ask for changes to the website's terms of service, italicized above. (The US Attorney's office also declined to use any evidence developed before the language was appended.) After the terms of service were changed, Burdick used the administrator function to save logs and images users sent to public chat rooms and as private messages to other users. Burdick collected evidence that a user had posted CP from what turned out to be defendant Bode's IP address. This eventually served as probable cause for a warrant to search his home and computers for CP, which revealed additional CP on Bode's computer.

Suppression Analysis

Bode moved to suppress all of the evidence against him as fruit of the poisonous tree, on grounds that Burdick's initial investigation violated the Fourth Amendment, the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., and the Wiretap Act, 18 U.S.C. § 2510 et seq. The court dealt with the Wiretap Act and SCA claims easily: neither statute includes a suppression remedy for information obtained from "electronic communications" like those here, while the Wiretap Act does include a suppression remedy for information intercepted in real time from "wire or oral communication," at 18 U.S.C. § 2515. This made it easy for the court to conclude that when Congress did not include a suppression remedy for electronic communications, it did so with a specific intent not to create such a remedy. The court therefore declined to find an implied statutory right of suppression.

The constitutional claim, violation of the Fourth Amendment, is more interesting, since it could give rise to a suppression remedy (though somewhat ironically, constitutional suppression is a court-created remedy, see Weeks v. United States, 232 U.S. 383 (1914)). As a preliminary matter, the parties had conceded (for the purposes of the Fourth Amendment analysis in the motion at issue here) that the website had become the government's agent, by granting Burdick administrator-level access and changing the language of its banner at his request. Nevertheless, the court held that the banner to which Bode agreed in order to use the chat service constituted two separate grounds for eliminating any Fourth Amendment objections to Burdick's collection of evidence:

First, the banner defeated any reasonable expectation of privacy, which is a prerequisite for any protectable Fourth Amendment interest under Katz v. United States, 389 U.S. 347 (1967). The Bode court compared the banner's language to other cases in which a reasonable expectation of privacy had been at issue, finding that the added text ("[The website] may disclose these communications to the authorities at its discretion.") put the issue beyond doubt, as the AUSA had hoped: users had given up their expectations of privacy. Under this theory, no protectable privacy interest existed, and no constitutional "search" ever occurred, so there was no Fourth Amendment violation and no reason to suppress the resultant evidence.

Second, the court found that even if a search had occurred, the banner indicated consent to that search. Bode tried to argue that his consent had been limited in scope to investigation by the website operator, not the government, but the court was having none of it, instead finding that there was "no meaningful distinction" between the consent Bode had given (for the website operator to turn over information to the authorities) and what actually happened (the operator creating an administrator account for the investigator). This consent was therefore sufficient to allow Burdick's collection of evidence even if it was a Fourth Amendment search.

The government also argued that the website operator had "common authority" to consent to searches of its logs, but the court did not address this argument, having already found two grounds for denying Bode's motion to suppress. Had the court addressed the issue, it probably would have been able to find that the site administrator, which had the right to examine its logs, also had the right to authorize their search under the common authority doctrine of United States v. Matlock, 415 U.S. 164 (1974) (finding common authority over shared room sufficient) and Frazier v. Cupp, 394 U.S. 731 (1969) (finding shared use of a duffel bag sufficient). In fact, since the operator could view the logs while ordinary users could not, I found this to be the government's strongest argument, and I am not sure why the court did not even address it.

Conclusion

In any event, this one banner did quite a bit of work: the court's denial of suppression almost certainly means Bode is out of arguments and will be convicted. And it likely means other users of the site will be (or already have been) prosecuted for similar crimes: one of Burdick's emails thanking the website operator for cooperating with the investigation mentioned that he had found "roughly 25 users" in the United States violating CP laws. So, while the website might be gone, the text of its banner may have even more work to do in the courts.


A Footnote

The Bode court also notes that the website operator who was willing to help with the investigation -- seemingly a decent character -- was later tried, convicted, and imprisoned in the Philippines for sex trafficking.

Monday, January 7, 2013

Computer forensic delays a growing problem?

It is hard not to notice the growing number of cases that revolve around or discuss the delays associated with processing computer forensic evidence. Is there a growing problem? The short answer is yes, but it is hard to determine the scope and depth of the problem merely by analyzing disparate court opinions and news stories. It does appear to be a systemic problem at the federal, state, and local levels. Here is some evidence:

Recent cases

(January 3rd, 2013) United States v. Montgomery, __ F.3d __ (10th Cir. 2013) - after obtaining documents through a FOIA request, the defendant alleged as part of his defense that "forensic analysis had not been done because the FBI's . . . CART . . . office in Oklahoma City was backlogged for over 6 months."

United States v. Lovvorn, 2012 WL 3743975 (M.D. Ala. April 24, 2012) - "Finally, Lovvorn argues that an unreasonable delay between the seizure and the subsequent search of his computer is a violation of the Fourth Amendment. . . . The property was taken to the Coffee County Police Station, and then turned over to the Alabama Bureau of Investigation ("ABI"). The ABI returned the results of their forensic investigation nineteen months after the seizure from Lovvorn's residence occurred. There was no evidence presented that Lovvorn sought to have his property returned or was prejudiced in any way, nor has there been any assertions against the chain of custody or the authenticity of the evidence. The ABI has only one location in the state. The court therefore finds it is reasonable to believe that the delay was caused by nothing more than a backlog of cases."

News Stories



General Dynamics Awarded $42 Million to Support FBI Computer Forensic Networks

Previous posts

Federal court holds that 15-month delay in reviewing electronic evidence was an unlawful seizure


In Paypal DDOS case, government reprimanded for failure to analyze and return data in a timely fashion - In that post, I wrote: "To me, it's hard not to wonder if there is a systemic problem going on with how the government is handling cybercrime cases and the plethora of evidence that they tend to produce - according to this transcript, there were at least 9 terabytes of data that had to be analyzed.  That is certainly a lot of data, but as the court in Metter stated, there has to be a line drawn somewhere when retention of data transforms from investigatory to a violation of the Fourth Amendment."

Comments

The underlying legal implications of such backlogs are numerous, but include: (1) the suppression of evidence (as seen in a few cases above) due to the delay, as a violation of the Fourth Amendment, (2) delay in prosecution of child pornography and similar child predator cases, which has the potential to provide time/opportunity to commit additional offenses, and (3) the likelihood that evidence in lesser cases will be skipped over for more high-profile cases, driving up the bar that must be reached to consider a case worthy of prosecution.

I'd appreciate any comments from practitioners in the field who have seen similar delays and can attest to them, or alternatively, stories indicating a trend in the opposite direction.

Wednesday, November 28, 2012

Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression

This case will be discussed in two posts.

In United States v. Weindl, __ F.Supp __ (D. N.M.I. Nov. 20, 2012), a Northern Mariana Islands federal district court denied suppression of evidence obtained when spyware installed on a school-owned laptop (assigned to an FBI agent's son and later used by the principal) sent child pornography (CP) reports (alerts) to the FBI agent - evidence that led to charges against the school principal (two counts of receiving CP and two counts of possession of CP). There are three relevant issues in the case: (1) whether the act of "accidental" failure to remove the spyware resulted in an "inadvertent search" or an intentional one, (2) whether the FBI agent was acting under the color of law when he opened and later investigated the reports he received from the spyware, and (3) whether Weindl had standing to assert a reasonable expectation of privacy in the spyware reports.

I believe this case was wrongly decided on all three issues. I contacted David Banes, the lawyer for Weindl, and he (not surprisingly) agrees as well. He indicated that his client "fully intend[s]" to appeal this denial of suppression after the case goes to trial (it does not look like the judge will allow a conditional plea).

In this first post, I will give a summary of the case. In the second post, I will argue why the court erred in its holding.

Summary 

The defendant Thomas Weindl ("Weindl") was a school principal at Whispering Palms public school in Saipan, Mariana Islands. The FBI agent whose actions gave rise to this case is Joseph Auther ("Auther"). Auther's eldest son was enrolled at Whispering Palms, and was assigned a laptop during his time there. Auther kept an eye on his son's use of the laptop by purchasing and installing eBlaster on the laptop (without his son's knowledge). eBlaster sent email reports directly to Auther, with keystrokes, internet sites visited, and a plethora of other information. The report in Auther's inbox "would give the subject as 'Report,' followed by the date and time span of covered activity."

Auther was reassigned to a different FBI office in April 2012 and as part of the moving process, returned the laptop to the school, and more specifically, handed it over to Weindl. Auther did not tell Weindl about eBlaster, apparently assuming that it had been removed, but had told Weindl (prior to turning it in) that he would wipe the machine. Auther did in fact attempt to wipe the machine, but failed. The court describes Auther's actions as follows:
The first step Auther took to service the laptop was to bring it into the FBI office and ask fellow agents for advice on how to wipe it clean. They tried to remove all the files but were unsuccessful. Next, . . . Auther asked a local computer store to repair a scratched screen and wipe off all the files on the laptop's hard drive. The store's service order (Ex. 1) lists the work to be done as "Reimage" and the work performed as "Clean out files." Auther did not tell the technician about eBlaster, but he expected that the cleaning would eliminate the program. 
As stated previously, eBlaster was not, in fact, removed. After handing the laptop over, Auther did not receive any emails from eBlaster for over six days. On the seventh day, Auther received four emails from eBlaster indicating someone was using the laptop to access child pornography. The emails had subject lines, as described above, that clearly indicated that they were regarding activity that occurred after Auther turned in the laptop. Auther viewed all four emails, nonetheless. Auther hypothesized that the activity could be from a virus, another student using the laptop, or Weindl himself. He thought of Weindl because the pornography searched for was of young Asian children with older adults and Weindl had recently married a Korean woman and now had an 11-year-old stepdaughter.

At this point, Auther did not report the results of the reports to authorities, but instead called Weindl under false pretenses, acting as if he would like to purchase the laptop. Weindl indicated that he had given it back to the school laptop agency (PSS), and that Auther wouldn't be able to buy it. Auther did not indicate that he had received CP reports, or that eBlaster was apparently still on the computer. Auther's reasoning was:
. . .that he did not want to raise concerns in Weindl's mind about who was using the computer or about a possible investigation involving Whispering Palms teachers and students. . . . [H]e was concerned that the Internet activity might mean that a child molester was operating at Whispering Palms. He was aware that a former coach at Pennsylvania State University had just been convicted on child molestation charges, and he was determined not to allow similar conduct to go undetected at Whispering Palms. (emphasis added)
Three days later, instead of handing the case over to the authorities, Auther then proceeded to start an investigation into what was going on with the laptop. Flashing his FBI badge at the offices of the laptop program agency (PSS), he inquired if the laptop had actually been returned, and found that it hadn't. Auther then inquired with his ISP about the IP address noted in the reports, attempting to find out where the computer was being used. Auther indicated to the court that he may have shown his FBI badge to the ISP. The ISP refused to tell him anything, but he was able to decipher that the computer usage was not from an IP at his house.

On the same day as the trip to PSS and the ISP, Auther received two more emails indicating that the computer was being used to access CP. He decided to drive by the school on his way to report everything to the FBI. He noticed Weindl's car in the parking lot and called Weindl on his cellphone. Auther asked about the laptop and Weindl said he was investigating some "hanky panky" going on at PSS. Auther knew he was lying since PSS did not have the laptop, and grew much more suspicious. He reported what was going on and his suspicion about Weindl to a special agent with the FBI (Ewing). He also asked that child protective services be sent to Weindl's house to check on his 11-year-old stepdaughter.

Over a week later, Ewing and Auther went to Weindl's office to speak with him. During the conversation, Weindl admitted he lied about returning the laptop to PSS and admitted to viewing child pornography. He also confessed that he had taken the laptop out into the jungle and smashed it. He was arrested outside the school a short time later. Prior to trial, Weindl filed a motion to suppress the eBlaster evidence arguing that it was obtained in violation of his Fourth Amendment rights.

The court, in denying suppression of the eBlaster evidence, began by declaring that to have a Fourth Amendment violation, there needed to be state action and standing (a reasonable expectation of privacy). Addressing the state action portion, the court laid out the standard relating to an off-duty officer - whether Auther was acting under color of state law, where his actions "in some way related 'to the performance of his official duties'" or "pursuant to [a] government or police goal." The court held that when Auther installed eBlaster he was acting as a private citizen, and not as an FBI agent. Despite the circumstances changing when Auther returned the laptop (that Auther wasn't acting as a concerned parent anymore), the court held that it was an inadvertent search not under color of state law because Auther did not intentionally leave eBlaster on the computer.

In reaching that result, the court was not persuaded by Weindl's argument that even if the presence of eBlaster was inadvertent, Auther opening and reading the eBlaster reports turned something inadvertent into intentional. The court reasoned that "[t]he search was the gathering of information by eBlaster, not the viewing of the contents." The court also dismissed the argument that "the initial eBlaster reports come under the Fourth Amendment via the two-part test for private-party searches."

So, to clarify, the original four emails from eBlaster sent to Auther, and him viewing them, were not the "product of a search conducted under color of state law."

The court did find a search, however, relating to the two eBlaster reports Auther received after he called Weindl to inquire about the laptop. The court stated:
By that time, Auther knew that someone may have been viewing illicit material on the laptop. He suspected Weindl even before he called him. When he did call, he hid his real concern about the laptop's usage behind a pretense that he was interested in purchasing the computer. After the call, he did not uninstall or disable eBlaster, even though as a private citizen he was under no obligation to continue monitoring an unknown person's offensive Internet activities. He did not immediately call his colleagues at the FBI and hand the investigation over to them — conduct that might have indicated Auther wanted to maintain a separation between his private self and his public persona as a law enforcement officer. . . . [instead] Auther continued his investigation into the child pornography website searches. . . . At the PSS offices, he showed his FBI badge. At the Internet service provider, he relied on the fact that he was known to be an FBI agent to seek information about IP addresses. The totality of the circumstances shows that at this point, Auther's actions were related to his official duties and in pursuit of a police goal. Although a formal FBI investigation had not been opened yet, Auther was now acting under color of law.
The court dismissed the government's argument to the contrary, that "even if Auther's conduct constituted state action, his discovery of the illicit Internet activity through eBlaster e-mails was accidental and therefore does not come under the Fourth Amendment." The court stated that precedent was clear that to have inadvertent discovery through plain-view doctrine, the police had to be somewhere they were justified to be. However, here, "Auther, . . . had no legitimate justification to intrude on anyone's conduct on the school laptop once it was no longer on loan to his son. Moreover, the incriminating evidence did not drop out while he was straightening the icons on the computer's desktop but came into view because of intentional spying on the keyboard and hard drive."

Addressing the argument that a violation of the federal Wiretap Act occurred, the court noted that under the criminal portion of the Act, "suppression motions are authorized only with respect to the contents of wire and oral — not electronic — communications."  The court laid out that the definition of "[a] wire communication is 'any aural transfer' involving wire or like connections between the point of origin and point of reception." 18 U.S.C. § 2510(1). And that, "an 'aural transfer' is 'a transfer containing the human voice' at some point in transmission of the communication." 18 U.S.C. § 2510(18). Thus, the court held that there was "no evidence that the transmission of information from the school laptop to Auther via eBlaster entailed hearing a human voice. Therefore, the evidence that Weindl seeks to suppress is not the product of a wire communication."

Finally, the court noted that to suppress the two eBlaster reports that arrived after Auther called Weindl under false pretenses, Weindl must have Fourth Amendment standing; that he had a subjective expectation of privacy regarding his actions on the laptop, and that his expectation was objectively reasonable. The court held that Weindl did not have standing. The court refused to accept the argument that Weindl had a property interest in the laptop. But, the court stated, the Fourth Amendment isn't solely grounded in property (note: don't tell that to Scalia), but also in privacy expectations.

Weindl argued, in that vein, that he had a legitimate expectation of privacy in the laptop because: he was the sole user, there were no warnings that his use would not be private (or that monitoring occurred), he used the laptop in his own, locked office, when he was not using the laptop, he placed it in a desk drawer, and he never gave anyone else permission to use it. Not buying this argument, the court explained:

Sometimes, people delude themselves into thinking that they have a right to things that don't belong to them. . . . No evidence indicates that Weindl had a right to use, or himself had permission to use, a PSS laptop, even for school-related activities. Auther turned his son's laptop in to Weindl in Weindl's capacity as an agent for the school, not for Weindl's personal use.
Even if Weindl had a subjective (albeit unrealistic) expectation of privacy in the PSS laptop, it was not an expectation that society is prepared to endorse. An expectation of privacy does not become objectively reasonable just because a person hides someone else's property away in his office desk and does not let anyone else use it. A person cannot have a reasonable expectation of privacy in a computer he stole or obtained by fraud. See United States v. Wong, 334 F.3d 831, 839 (9th Cir. 2003) (stolen laptop); United States v. Caymen, 404 F.3d 1196, 1201 (9th Cir. 2005) (fraudulently obtained laptop). . . .
Weindl's case is similar to Wong and Caymen. Weindl misappropriated school property for his own personal use. Whatever expectation of privacy he developed in the contents of the laptop's hard drive and the keystrokes of Internet searches is not a legitimate one that society is prepared to accept. . . . The laptop was not assigned to Weindl and was not his office computer. For these reasons, Weindl lacks standing to claim a Fourth Amendment violation with respect to the eBlaster reports. (emphasis added)
Accordingly, the court held that none of the eBlaster reports should be suppressed, because the first four were not part of a search under color of state law and the last two were searches, but Weindl lacked standing (a reasonable expectation of privacy) to challenge them.

The next post on this case will focus on the court's analysis and explain what I believe the correct holding should have been.

(There is an additional issue in this case regarding the interrogation of Weindl that occurred in his office (after it was determined that he had looked at the CP), specifically: whether the conversation constituted a custodial interrogation requiring Miranda rights. The court held that part of the interrogation could stand, and part had to go. I believe this issue was wrongly decided as well (the entire conversation should have been tossed). However, I'm not going to address it because it is tangential to the main issue (and actually goes away if the computer evidence is suppressed because it would be fruit of the poisonous tree)).