United States District Court, D. Nebraska
MEMORANDUM AND ORDER
Joseph F. Bataillon Senior United States District Judge
This matter is before the court after an evidentiary hearing on August 3, 2015, on the defendant's motion in limine, Filing No. 215. This Memorandum and Order supplements findings made on the record at the hearing. See Filing No. 257, Transcript of August 3, 2015, hearing ("Hr'g Tr.") at 182-84.
The defendant was charged in the Second Superseding Indictment in Case No. 8:13CR108 with receipt and attempted receipt of child pornography (Count I), in violation of 18 U.S.C. § 2252A(a)(2) and (b)(1), and with accessing a computer in interstate commerce with the intent to view child pornography (Count II), in violation of 18 U.S.C. § 2252A(a)(5)(B), between November 18, 2012, and December 2, 2012, and in Case No. 8:15CR239 with receipt and attempted receipt of child pornography (Count I), in violation of 18 U.S.C. § 2252A(a)(2)(A) and (b)(1), and with accessing a computer in interstate commerce with the intent to view child pornography (Counts II-IV), between on or about February 1, 2013, and on or about April 9, 2013. The facts are set out in several other orders and will be repeated here only as necessary. See Filing No. 155, Memorandum and Order at 4-7; Filing No. 148, Findings and Recommendation ("F&R") at 5-7. The defendant has entered into a conditional plea agreement, reserving the right to appeal the court's rulings on his motion to suppress and motion in limine. Filing No. 244, Plea Agreement.
This action involves an investigation of child pornography offenses that utilized the deployment, pursuant to a warrant, of a network investigative technique (“NIT”) in order to obtain the IP addresses of persons who accessed a child pornography website that had been seized and was operated by the Federal Bureau of Investigation (“FBI”) for several weeks in late 2012. The defendant, along with other defendants, challenged the NIT in a motion to suppress. Filing No. 53. The magistrate judge recommended that the motion be denied and this court overruled the defendant's objections to that recommendation and adopted the magistrate judge's findings. Filing No. 148, F&R; Filing No. 155, Memorandum and Order.
The record shows that in the course of these proceedings, the defendant moved for additional discovery, including the original source code that was used to create and deploy the NIT. The government concedes that the original source code was not preserved. The defendant seeks exclusion of the expert testimony of FBI Special Agents Steven A. Smith and Supervisory Special Agent P. Michael Gordon under Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1983). Filing No. 215. The defendant contends that the government's experts’ opinions regarding the NIT employed in this case lack proper foundation and are based on insufficient data. He contends his experts have reviewed the NIT and cannot definitively determine whether the NIT satisfies the Daubert standard because they cannot examine the source code used to create the NIT. Further, he reasserts his motion to suppress in light of the government's failure to preserve the source code.
The court held a hearing on the motion on August 3, 2015. At the hearing, Special Agent Steven Smith testified that he investigated child exploitation websites on the Tor network as part of the FBI's cyber squad. Filing No. 257, Hr'g Tr. at 8, 15. He has a bachelor's degree in computer science from Georgia Tech and FBI specialized training in the area of cyber investigation, including investigations involving Windows or Unix, networks, analysis of log files, as well as specialized child exploitation investigative training and industry-recognized certifications, such as Network, Microsoft Certified Systems Engineer, Cisco Certified Network Associate, among others. Id. at 12-13. He also trains others in the investigation of online crime, including child exploitation. Id. at 13.
He stated that he is familiar with the Tor anonymity network, which achieves anonymity for users, and with the methods and tactics that can be used to subvert that anonymity. Id. at 14-15. He explained that the Tor network is a system that enables users to browse the Internet anonymously without revealing their true IP address. Id. It is made up of volunteers around the world who install Tor software that turns their computers into what are known as Tor nodes, and a collection of Tor nodes comprises the Tor network. Id. at 16. Communications are routed through numerous nodes that can be located in any country in the world. Id. at 15, 22. Smith identified Government Exhibit 2 as an exhibit that explains how the Tor network operates and how a user uses the Tor network and accesses websites for hidden services. Id. at 17-18. He testified that the Tor network is a "proxy system," which means that "instead of proxying through one computer, it proxies or traffics through three Tor nodes before accessing the Internet." Id. at 26.
He further stated that typically, if a website is seized, law enforcement officers are able to use the IP logs on the website to trace back to the users accessing the website. Id. at 20. In the case of a Tor hidden service, however, once a website is seized, law enforcement does not know the true IP address of the users, and is not able to trace back who those users are. Id. at 21. He stated that in order to identify users, additional investigative tactics or techniques, such as a Flash application "used to cause the user's computer to communicate with an FBI-controlled computer outside of the Tor network," are necessary. Id.
Smith testified that he was the lead technical agent in the investigation of websites run by Aaron McGrath out of Omaha, Nebraska. Id. at 22. Details connected to the investigation are set out in his affidavit in support of a NIT search warrant. See Gov't Ex. 1. Pursuant to the search warrant, the NIT was authorized to collect "the activating computer's actual IP address, the date and time that the NIT determined the IP address; the unique session identifier that was sent by the website; as well as the type of operating system running on the computer, including the type, version, and architecture of the operating system." Id. at 24.
Smith is familiar with the NIT technique that was used to identify the defendant in this case. Id. at 25. He stated the source of the technique was a website known as "Decloak.net." Id. The website was a public website available to anyone. Id. at 26. The FBI did not develop the technique. Id. at 26. Decloak.net provided a compilation of different methods and techniques that would reveal the user's true IP address regardless of the user's proxy configuration on their computer. Id. at 25. The technique used in this case involved a Flash application to identify the activating computer URL. Id. at 26. A Flash application is a common web application that is used on many websites; advertising banners on websites are commonly Flash-based applications. Id. Smith testified that in 2012, the Flash application functioned to ignore the proxy settings of the activating computer: "it would not route the connection through Tor, it would go directly out of the user's IP address to wherever it was trying to connect to." Id.
The Decloak.net website was compiled by HD Moore and was known and published on the website since at least 2008. Id. at 27. Smith identified Exhibit 3 as a printout of the decloak.net website as preserved on the "Wayback Machine" of the website "Archive.org" on August 16, 2012. Id. The "Wayback Machine" is a tool on the Archive.org website that archives web pages to allow users to historically view those websites at different points in time. Id. On August 16, 2012, the decloak.net website listed eight network investigative techniques. Id. at 27-28. Technique number five, the Flash application, pertains to this case. Id. The technique is described as follows: "When the Flash plugin is installed, it allows direct TCP connections back to the originating host. These connections may bypass the proxy server, leaking the real external address of the user's workstation." Id. at 28. The Decloak.net flash application contains a link to a sample code for the technique. Id. The sample code had to be configured to deploy the Flash application in conformity with the actions authorized in the search warrant, that is, to collect the IP information, the operating system, the architecture, and the session ID of the computer. Id.
Smith stated that an FBI contractor, Matt Edman, helped Smith configure the investigative technique and prepare it for deployment. Id. at 29. Edman tested the technique and determined that it worked as designed. Id. There was no indication that the technique returned false positives. Id. at 30.
Smith testified that after the NIT was deployed, he observed the logs and database results and determined that the NIT was returning appropriate and expected information. Id. He stated there did not appear to be any additional functionality built into the code to return anything other than what it was authorized to return. Id. He also testified there was ...