United States v. Matish
193 F. Supp. 3d 585
E.D. Va. 2016
Background
- Defendant Edward Matish was charged in a superseding indictment with accessing and receiving child pornography after the FBI took control of the Tor hidden-service website "Playpen" and deployed a Network Investigative Technique (NIT) to identify users.
- The FBI operated Playpen from a government server (Feb 20–Mar 4, 2015), deployed a NIT that collected IP addresses and six other identifiers from "activating computers," and then used IP-based subpoenas to obtain subscriber information and execute a residential search warrant for Matish (July 29, 2015).
- Matish moved to suppress evidence obtained via the NIT, arguing the NIT warrant lacked probable cause, included false/omitted material information, lacked specificity, had no valid triggering event, was void ab initio, and violated Rule 41; he also sought the full NIT/exploit source code.
- The court held evidentiary hearings, reviewed declarations (including those of defense experts) and government materials, and conducted in camera review of some classified material; the government produced the NIT instructions and the two-way data stream but withheld the full exploit source code.
- The court found: probable cause supported the NIT warrant; no Franks hearing was warranted; the warrant was sufficiently specific; the triggering event occurred; Rule 41(b)(4) authorized issuance (tracking-device analogy); alternatively, no warrant was required for the IP capture and, in any event, the good-faith exception applies. The court denied suppression and denied the motion to compel full source code.
Issues
| Issue | Plaintiff's Argument (Gov.) | Defendant's Argument (Matish) | Held |
|---|---|---|---|
| Probable cause for NIT warrant | Affidavit gave a substantial basis (site content, access steps, anonymity, registration, site devoted to child porn) | Affidavit inaccurate (homepage logo changed) and overstated site dedication; thus no probable cause | Probable cause existed; magistrate had substantial basis; taking affidavit as whole supports issuance |
| Franks hearing (false statements/omissions) | No intentional/reckless misstatements; logo change immaterial | Affidavit knowingly/recklessly misdescribed homepage; material to probable cause, so hearing required | No substantial preliminary showing; logo change not intentional/reckless and not material; Franks hearing denied |
| Particularity/overbreadth under Fourth Amendment | Warrant particularly described "activating computers" and seven data items; large universe reflects many suspects, not a general warrant | Warrant authorized searches of tens of thousands of computers based only on site access; equates to general warrant | Warrant sufficiently particular and no broader than probable cause supported; particularity requirement met |
| Triggering condition for anticipatory warrant | Trigger was login/activation of site as identified by URL | Trigger should have been navigation to the homepage as described in affidavit; logo change means trigger never matched | Trigger was logging into the site (by URL); trigger occurred when "Broden" logged in and entered child-porn forum |
| Rule 41(b) jurisdiction to authorize NIT (magistrate authority) | Rule 41(b)(4) and tracking-device analogy permit warrant; magistrate had authority | Magistrate lacked authority to issue a warrant authorizing searches outside district; Rule 41 violated | Court finds Rule 41(b)(4) tracking-device analogy applies to NIT; magistrate had authority; Rule 41 compliant |
| Need for warrant / Fourth Amendment search | N/A | Deployment of NIT and retrieval of identifiers (and exploit) constituted a Fourth Amendment search requiring a valid warrant and suppression if invalid | Court holds no reasonable expectation of privacy in IP or in the limited addressing data collected; capturing IP via NIT was not a search requiring a warrant; alternatively Leon good-faith exception applies; suppression denied |
| Discovery — full NIT/exploit source code | Production of NIT instructions and data stream was sufficient; full code is privileged and would harm law enforcement | Full source code is material to challenge chain of custody, integrity, and security effects on defendant’s machine; defense needs it for trial and suppression challenges | Defense failed to show materiality under Rule 16; qualified law-enforcement privilege favors nondisclosure; motion to compel denied |
Key Cases Cited
- Illinois v. Gates, 462 U.S. 213 (probable cause totality-of-circumstances standard)
- Franks v. Delaware, 438 U.S. 154 (when to require evidentiary hearing for alleged false statements in warrant affidavit)
- United States v. Leon, 468 U.S. 897 (good-faith exception to exclusionary rule)
- Katz v. United States, 389 U.S. 347 (reasonable expectation of privacy test)
- Smith v. Maryland, 442 U.S. 735 (third-party doctrine; no expectation of privacy in dialing information)
- United States v. Grubbs, 547 U.S. 90 (anticipatory warrant and triggering condition principles)
- Kyllo v. United States, 533 U.S. 27 (use of technology to obtain information from a home can be a Fourth Amendment search)
- Rakas v. Illinois, 439 U.S. 128 (standing and personal Fourth Amendment rights)
- Riley v. California, 134 S. Ct. 2473 (cell-phone searches generally require warrants; limits of search-incident-to-arrest doctrine)
- United States v. Graham, 824 F.3d 421 (Fourth Circuit on third-party doctrine and electronic-data privacy)
