Federal Corner: Child Pornography; The Playpen; The Onion Router (“Tor”); Network Investigative Technique (“NIT”) Warrants; Suppression; and, Confusion in the Courts - By F. R. Buck Files Jr.

Printer-friendly versionPrinter-friendly versionPDF versionPDF version
Saturday, November 5th, 2016

Like the Roadrunner and Wile E. Coyote, those who would watch child pornography and those who would prosecute them for doing so continue to try to outwit each other. In the real world, though, it is Mr. Coyote (the Government) who often prevails. Recently, I learned about the child pornographers’ use of The onion router (“Tor”) and the Government’s use of a Network Investigative Technique (“NIT”). United States v. Croghan, ___F.Supp.3d___, 2016 WL 4992105 (S.D. Iowa Sept. 19, 2016), and United States v. Werdene, ___F.Supp.3d___, 2016 WL 3002376 (E.D. Pa. May 18, 2016). These are two—and only two—of the many cases in which United States District Judges have been presented with the same basic facts and have come to different legal conclusions.

All of these cases were set in motion as a result of a search warrant issued by United States Magistrate Judge Theresa Carroll Buchanan of the Eastern District of Virginia. The most recent of these cases is Croghan, in which the defendant’s motion to suppress evidence was granted by United States District Judge Robert W. Pratt of the Southern District of Iowa. His order reads, in part, as follows:

[The Tor Network; the Network Investigative Technique; and the Issuance of a Warrant]

In approximately September 2014, the Federal Bureau of Investigation (“FBI”) began investigating a child pornography website known as “Playpen.” Playpen existed as a “hidden service” on the “Tor” network, which is designed to protect user anonymity by obscuring identifying information such as the user’s IP address. Because “hidden services” are not publically indexed or searchable, a user must both connect to Tor and know the specific Tor-based web address of a particular site to gain access.

        During the course of its investigation, the FBI connected to the Playpen website and discovered that it appeared to be dedicated to advertising and distributing child pornography. In December 2014, a foreign law enforcement agency advised the FBI that it had discovered the actual IP address of the Playpen server, and that such server was located in Lenoir, North Carolina. In January 2015, the FBI obtained and executed a search warrant whereby it seized the Playpen website server. Hoping to locate and identify visitors to the site, the FBI placed a complete copy of the Playpen website, including all of the child pornography on the website, on a government-controlled server located in Newington, Virginia. On February 19, 2015, the FBI arrested the suspected administrator of the Playpen website and “assumed administrative control” of it.

        On February 20, 2015, the FBI submitted an application for and affidavit in support of a search warrant to Eastern District of Virginia Magistrate Judge Theresa Carroll Buchanan. The affidavit provided that the FBI intended to continue operating the Playpen website from its own server for a period of time not to exceed 30 days in an attempt to identify users of the site. Because the site utilized the Tor network to mask user identify information, the FBI requested that Magistrate Judge Buchanan authorize use of a “Network Investigative Technique” (“NIT”) whereby the FBI would insert computer software into the Playpen website that would assist it in “locat[ing] and apprehend[ing] the target subjects who are engaging in the continuing sexual abuse and exploitation of children” by accessing the Playpen website. Once installed on the Playpen website on the government-controlled server, the NIT would be deployed to the computer of any user who visited the Playpen website and entered a user name and password. (noting that the NIT would be deployed to “‘any user’ who logged into the site with a username and password, regardless of their physical location, whether or not they were using the site’s chat features, or viewing child pornography”). The NIT would then force the “activating” computer to transmit information back to the FBI, including: the IP address of the activating computer; the date and time the NIT determined the IP address; a unique identifier generated by the NIT to distinguish data from different activating computers; the type of operating system running on the activating computer, including type, version, and architecture; information on whether the NIT had already been delivered to the activating computer; the “host name” of the activating computer; the operating system used by the activating computer; and the Media Access Control (“MAC”) address of the activating computer. Magistrate Judge Buchanan approved the warrant and authorized the FBI to deploy the NIT for 30 days. She further granted a request by the Government to delay notice of the search “until 30 days after any individual accessing the [Playpen site] has been identified to a sufficient degree as to provide notice” under 18 U.S.C. § 3103(a)(b) and Federal Rule of Criminal Procedure 41(f)(3). The Government began deploying the NIT on February 20, 2015, and continued to do so until March 4, 2015, at which time it took the Playpen website offline.

* * *

[The Search of Croghan’s Residence in Iowa and the Evidence Seized at that Residence]

On July 17, 2015, law enforcement obtained a search warrant for Beau Croghan’s residence in Council Bluffs, Iowa. Law enforcement obtained a search warrant for Steven Horton’s residence in Glenwood, Iowa, on August 5, 2015. The affidavits submitted in support of each of the Iowa Warrants relied primarily on information collected from the NIT. In particular, each affidavit described the Playpen website, its existence on the Tor network, and the authorization for the NIT from the Eastern District of Virginia. The affidavits recounted that the NIT had yielded specific user names and IP addresses, and that subsequent investigation using public records and administrative subpoenas to Internet Service Providers (“ISPs”) had associated the identified IP addresses with Croghan, Horton, and their specific residences. While executing the warrants, law enforcement seized evidence from each Defendant’s home, eventually culminating in both men being indicted for accessing or attempting to access child pornography in violation of 18 U.S.C. § 2252(a)(5)(B).

[A Review of Other Tor Cases]

The Court notes that the NIT Warrant at issue in this case has resulted in a great deal of litigation across the country. The numerous district courts to consider motions similar to the present Motions to Suppress have reached varying conclusions on the legal issues at play. At least two courts have concluded that the NIT Warrant was unlawfully issued and suppressed all fruits of it. See, e.g., United States v. Levin, No. 15–10271, __ F.Supp.3d __, 2016 WL 2596010 (D.Mass. May 5, 2016); United States v. Arterbury, No. 15-cr-182, Clerk’s No. 42 (N.D. Okla. Apr. 25, 2016). Several others have found that while the NIT Warrant may have been issued unlawfully, suppression was not warranted, either under the exclusionary rule in general or pursuant to the Leon good faith exception. See United States v. Torres, No. 5:16–cr–285, 2016 WL 4821223 (W.D.Tex. Sept. 9, 2016); United States v. Henderson, No. 15–cr–565, 2016 WL 4549108 (N.D.Cal. Sept. 1, 2016); United States v. Adams, No. 6:16–cr–11, 2016 WL 4212079 (M.D.Fla. Aug. 10, 2016); United States v. Acevedo–Lemus, No. 15–00137, 2016 WL 4208436 (C.D.Cal. Aug. 8, 2016); United States v. Werdene, No. 15–434, __ F.Supp.3d __, 2016 WL 3002376 (E.D.Pa. May 18, 2016); United States v. Epich, No. 15–cr–163–PP, 2016 WL 953269 (E.D.Wis. Mar. 14, 2016); United States v. Michaud, No 3:15–cr–05351–RJB, 2016 WL 337263 (W.D.Wash. Jan. 28, 2016). And, at least four decisions, three from the Eastern District of Virginia and one from the Western District of Arkansas, have concluded that the magistrate judge possessed adequate authority to issue the NIT Warrant under Rule 41 such that there was no legal violation that would require suppression. See, e.g., United States v. Jean, No. 5:15–cr–50087, 2016 WL 4771096 (W.D.Ark. Sept. 13, 2016); United States v. Eure, No 2:16cr43, 2016 WL 4059663 (E.D.Va. July 28, 2016); United States v. Matish, No. 4:16cr16, __ F.Supp.3d __ 2016 WL 3545776 (E.D.Va. June 23, 2016); United States v. Darby, No. 2:16cr36, –––F.Supp.3d ––––, 2016 WL 3189703 (E.D.Va. June 3, 2016).

[Federal Rule of Criminal Procedure 41(b)]

The Federal Magistrates Act provides that “[e]ach United States magistrate judge serving under [the Act] shall have within the district in which sessions are held by the court that appointed the magistrate judge, at other places where that court may function, and elsewhere as authorized by law” certain duties, including among other things “all powers and duties conferred or imposed . . . by the Rules of Criminal Procedure for the United States District Courts.” 28 U.S.C. § 636(a)(1). Federal Rule of Criminal Procedure 41(b) provides in relevant part:

Venue for a Warrant Application. At the request of a federal law enforcement officer or an attorney for the government:

(1) a magistrate judge with authority in the district . . . has authority to issue a warrant to search for and seize a person or property located within the district;

(2) a magistrate judge with authority in the district has authority to issue a warrant for a person or property outside the district if the person or property is located within the district when the warrant is issued but might move or be moved outside the district before the warrant is executed; . . .

(4) a magistrate judge with authority in the district has authority to issue a warrant to install within the district a tracking device; the warrant may authorize use of the device to track the movement of a person or property located within the district, outside the district, or both. . . .

[Magistrate Judge Buchanan Erred in Issuing the NIT Warrant]

The Court finds, and the Government seemingly concedes, that neither Rule 41(b)(1) nor Rule 41(b)(2) authorized an Eastern District of Virginia magistrate judge to issue the NIT Warrant.

* * *

[Judge Pratt Finds that Suppression Is the Appropriate Remedy]

It is clear in this case that neither the search pursuant to the NIT Warrant nor the searches pursuant to the Iowa Warrants would have occurred without the violation of Rule 41(b). Had Rule 41 been complied with, law enforcement would not have obtained Defendants’ IP addresses, would not have been able to link those IP addresses to De­fendants through subsequent investigation and the use of administrative subpoenas, and would not have had sufficient probable cause to obtain the Iowa Warrants. Thus, Defendants have satisfied their burden to prove that they were prejudiced by the Rule 41(b) violation. Suppression is an appropriate means to deter law enforcement from seeking warrants from judges lacking jurisdiction to issue them, and this deterrence function outweighs the societal costs associated with suppression. Moreover, the Court finds that law enforcement was sufficiently experienced, and that there existed adequate case law casting doubt on magisterial authority to issue precisely this type of NIT Warrant, that the good faith exception is inapplicable. See Levin, __ F.Supp.3d at __ 2016 WL 2596010 (finding that the good faith exception would be inapplicable even if the Rule 41(b) violation was not constitutional because the “conduct at issue here can be described as ‘systemic error or reckless disregard of constitutional requirements’” and because “it was not objectively reasonable for law enforcement—particularly ‘a veteran FBI agent with 19 years of federal law enforcement experience’—to believe the NIT Warrant was properly issued considering the plain mandate of Rule 41(b)” (citing Glover, 736 F.3d at 516 (“[I]t is quite a stretch to label the government’s actions in seeking a warrant so clearly in violation of Rule 41 as motivated by ‘good faith.’”)); Croghan Br. at 20–21 (citing case law supporting a conclusion that law enforcement should have been aware that Rule 41(b) had jurisdictional limits that would prevent issuance of the NIT Warrant).

[Conclusion]

For the reasons stated herein, Defendants’ Motions to Suppress are granted. All evidence flowing from and obtained as a result of the improperly issued NIT Warrant is hereby suppressed [emphasis added].

In Werdene, another case that began with Magistrate Judge Buchanan’s order, United States District Judge Gerald J. Pappert of the Eastern District of Pennsylvania came to a different conclusion. Because of space constraints, I have included only a small portion of his Memorandum which reads, in part, as follows:

[Tor and NIT]

Playpen’s patrons accessed the website through software called “Tor,” an acronym for “The onion router.” Tor conceals the IP addresses of people who visit certain websites, in Werdene’s case a website purveying child pornography. Otherwise stated, Tor enables people to use websites like Playpen to view, upload, and share child pornography without being identified by traditional law enforcement investigative methods. To circumvent Tor, the FBI used a Network Investigative Technique (“NIT”). The NIT caused software to be activated whenever a Playpen user logged into the website with his username and password. The software caused the Playpen user’s computer to reveal its IP address to the FBI. The search warrant issued by the Virginia magistrate authorized the NIT.

[A (Very) Brief Summary of the Opinion]

Werdene moves to suppress the evidence seized from his home, arguing primarily that the magistrate judge in Virginia lacked jurisdiction under Federal Rule of Criminal Procedure 41 to authorize the NIT. Werdene contends that this violation of a procedural rule warrants suppression. While Rule 41 did not authorize the issuance of the warrant in Virginia, suppression is not the appropriate remedy. The magistrate judge’s failure to comply with Rule 41 did not violate Werdene’s Fourth Amendment rights because Werdene had no expectation of privacy in his IP address, and certainly not one that society would recognize as reasonable. Even if Werdene’s constitutional rights were violated, the good faith exception to the exclusionary rule precludes suppression. Finally, any nonconstitutional violation of Rule 41 did not prejudice Werdene, as that term has been defined by the Third Circuit Court of Appeals in the Rule 41 context. The Court denies the motion [emphasis added].

My Thoughts

  • Magistrate Judge Buchanan could not have conceived of the confusion that her order has precipitated. It is impossible to know how many more of these cases are out there—and whether any are in the process of being considered by one of the United States Courts of Appeal. What a mess!
  • One of the difficult tasks that a criminal defense lawyer faces is trying to explain to a client that it is often difficult—if not impossible—to predict what ruling a judge will make when confronted with a suppression issue. These cases certainly illustrate that problem.
  • What should be of interest to us all is what we have learned about Tor and NIT. If the Government was successful in obtaining an NIT warrant from a magistrate in the Eastern District of Virginia, have they done so in other districts?
  • What, we all wonder, will be the next skirmish between the Roadrunner and Mr. Coyote?