United States v. Dodson

MEMORANDUM OPINION DENYING DEFENDANT’S MOTION TO SUPPRESS

ROBERT JUNELL, District Judge.

Procedural Background

Defendant William Warren Dodson was indicted on January 10, 2013, with one count of possessing child pornography, involving a prepubescent minor (a minor who had not attained the age of 12); two counts of receiving child pornography involving a prepubescent minor; and two counts of distributing child pornography involving a prepubescent minor. (Doc. 8).

Defendant filed his motion to suppress on April 12, 2013, contesting the validity of the search warrant. Specifically, Defendant claims the information used to obtain the search warrant was the product of an illegal search and warrantless search, thus, it rendered the search warrant invalid and the good faith exception would also not apply. (Doc. 8). The Court held a hearing on May 9, 2013, where the Court orally denied Defendant’s motion. The Court’s memorandum opinion now issues to expand on the reasons given for the denial at the hearing.

Factual Background

At the outset, the Court finds Special Agents Nicolas Marquez and Jody Sharp to be credible witnesses. Agent Marquez and Agent Sharp work for Immigration Customs Enforcement (ICE) and Homeland Security Investigations (HSI). The Court also finds Sergeant Matthew Pilón to be a credible witness. Sergeant Pilón has been a law enforcement officer with the New Mexico State Police for twelve years, the last five of which he has spent in the Online Predator Unit. Sergeant Pilón testified extensively during the hearing about online investigations of child pornography transfers on peer-to-peer (P2P) networks.

Sergeant Pilón explained one of the growing phenomenons on the Internet is P2P file sharing. P2P file sharing programs are a standard way to transfer files from one computer system to another while connected to a network, usually the Internet. They allow groups of computers utilizing the same file sharing network and the same protocol to connect directly to each other to share these files. One such network involved in file sharing is the eDonkey network. Individuals using the eMule file sharing software utilize this network to share their files. P2P networks, including eDonkey, have frequently been used to trade digital files of child pornography — both images and videos.

To root out purveyors of child pornography on these P2P networks, law enforcement agencies have developed specialized software to troll public networks, identify files containing child pornography, locate the users sharing these files, and catalog all of this public information. One example of this type of software is the Child Protection System (CPS). CPS analyzes the hash values assigned to files available for download on the eDonkey network and compares them to files stored in government databases that contain known child pornography. The eMule software generates a hash value for each image or video, based on its content, using the MD4 algorithm.¹ This hash value is viewable to all eMule users. Because each hash value is essentially one of a kind, it assures law enforcement officials there is a high likelihood that child pornography is contained on a computer using the identified Internet Protocol (IP) address.² CPS essentially automates the searches any normal human user can run on eMule and then stores the relevant information in a special law enforcement database. The program cannot search for private files on a computer if that user has not elected to make his files public.

An investigation into Defendant’s use of child pornography began in October 2012, when Agent Marquez identified an IP address in Presidio County in Texas as one that had downloaded and/or distributed “child notable” files, meaning files flagged as potential child pornography. This information was obtained through law enforcement software known as Child Protection Systems (CPS).³ On November 9, 2012, Agent Marquez sent a summons to AT & T to acquire the subscriber information associated with that IP address. On November 16, 2012, AT & T provided the subscriber information to Agent Marquez, which indicated the IP address belonged to a Julian Dodson. This information was passed on to Agent Sharp on December 11, 2012. Agent Sharp reviewed the CPS system and checked the child notable files associated with Julian Dodson’s IP address, confirming they did indeed contain child pornography. Agent Sharp then conducted surveillance of Julian Dodson’s residence and prepared' a search warrant, which she executed on December 26, 2012. It was later determined the child notable files belonged to Defendant even though the IP address was in Julian Dodson’s name, who is Defendant’s son.

Synopsis

The CPS software employed in this case did not actually search the contents of Defendant’s computer. The CPS software, here, searched for files in the same manner as normal users would on the eDonkey network.⁴ The investigation began with an agent logging in to the eDonkey network, which is accomplished using the eMule software. From there, the agent manually entered descriptive search terms into to locate a file containing child pornography (or child notable files). (Doc. 46 at 41). For example, whether a normal eMule user or agent, one would begin by entering the search term, such as “pthc” (a common description among child pornographers, meaning “preteen hardcore”), and a list of files with file names matching that description would return. Once a particular file is selected, eMule finds other users on the network sharing the same file to speed up the download process. (Id.). This is accomplished by eMule comparing the unique digital fingerprint (or designated root hash value) of the file to all other files being publicly shared on the P2P network. (Id.). At this same point, CPS uses those same tools employed by the eMule program to locate other users on the eDonkey P2P network who have elected to publicly share the same child notable file. (Id.). The CPS software then flags the IP addresses of those other users who are publicly sharing the child notable file and groups them together by the area or jurisdiction in which the IP address belongs. (Id.). From there, law enforcement officers subpoenaed records from internet service providers to locate the user sharing the child notable files.⁵

Thus, the Government’s use of CPS in this instance did not constitute a search because it only obtained publicly shared information and files.

Discussion

The Fourth Amendment guarantees citizens the right to be free from “unreasonable searches and seizures.” U.S. Const, amend. IV. But for a few exceptions, warrantless searches and seizures are “per se unreasonable.” Schneckloth v. Bustamonte, 412 U.S. 218, 219, 93 S.Ct. 2041, 36 L.Ed.2d 854 (1973) (internal quotation marks omitted).

Defendant raises several arguments in support of his motion to suppress.

1. Whether the CPS software’s search for child notable files on eDonkey, a P2P network, constituted a search of Defendant’s computer, which required a warrant.

Defendant first argues the use of the CPS software constituted a warrant-less search of his computer. The Court finds this was not a search. A search is “[a]n examination of a person’s body, property, or other area that the person would reasonably be expected to consider as private.” Black’s Law Dictionary 1468 (9th ed.2009); see Katz v. United States, 389 U.S. 347, 354, 361, 88 S.Ct. 507,19 L.Ed.2d 576 (1967) (acknowledging a search had occurred by electronically listening to an individual on the telephone inside a phone booth because there was an expectation of privacy). A reasonable expectation of privacy only exists where the person has exhibited an actual expectation of privacy that society accepts as reasonable. See Katz, 389 U.S. at 354, 361, 88 S.Ct. 507. Thus, the question of whether a defendant has a reasonable expectation of privacy is a two-fold inquiry; (1) whether the defendant is able to establish an actual, subjective expectation of privacy with respect to the place being search or the items being seized, and (2) whether that expectation of privacy is one which society would recognize as reasonable. United States v. Gomez, 276 F.3d 694, 697 (5th Cir.2001).

Here, although defense counsel argues Defendant intended to keep his files private, the Court finds made his child pornography files available for public download, which betrayed his alleged intentions. Defendant did not have an actual, subjective expectation of privacy because Defendant had already exposed the entirety of his files to the many unknown users on the eDonkey P2P network, which is the exact opposite of exhibiting an expectation of privacy. See United States v. Yang, 478 F.3d 832, 835 (7th Cir.2007) (noting an individual claiming a subjective expectation of privacy must demonstrate that he sought to preserve the objects of the search as private). At the hearing, defense counsel also emphasized, during closing argument, the Government had been unable to prove Defendant actually used eMule’s default installation setting that made all of his downloaded files public and available to share. But these arguments are immaterial because the burden is on Defendant to prove he actually attempted to keep his child pornography files private, which Defendant has not done. See Gomez, 276 F.3d at 697.

Additionally, the Court finds a user of file-sharing software has no reasonable expectation of privacy in his publicly shared files because it is not an expectation of privacy that society is willing to recognize. See United States v. Samples, No. 3-08-CR-12, 2011 WL 4907315, at *5 (N.D.Tex. Sept. 15, 2011) (“Counsel had no basis for challenging the use of forensic software to download files from a peer-to-peer network because a user of file-sharing software has no reasonable expectation of privacy in his public files.”); see also United States v. Borowy, 595 F.3d 1045, 1048 (9th Cir.2010) (“Borowy’s subjective intention not to share his files did not create an objectively reasonable expectation of privacy in the face of such widespread public access”); United States v. Stults, 575 F.3d 834, 842-45 (8th Cir.2009) (holding “Stults had no reasonable expectation of privacy in files that the FBI retrieved from his personal computer where Stults admittedly installed and used LimeWire to make his files accessible to others for file sharing. One who gives his house keys to all of his friends who request them should not be surprised should some of them open the door without knocking.”); United States v. Perrine 518 F.3d 1196, 1205 (10th Cir.2008) (defendant had no expectation of privacy in government’s acquisition of his subscriber information, including his IP address and name from third-party service providers, where the defendant voluntarily transmitted such information to Internet providers and enabled P2P file sharing on his computer, which permitted anyone with Internet access the ability to enter his computer and access certain folders); see also Smith v. Maryland, 442 U.S. 735, 743 — 14, 99 S.Ct. 2577, 61 L.Ed.2d 220 (1979) (“[The Supreme] Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”). Without a reasonable expectation of privacy, no search within the context of the Fourth Amendment could have occurred. Therefore, Defendant’s motion is denied in this regard because whatever Defendant’s intent, at the end of the day, his downloaded files were still public at the time the CPS system found them.

Defendant makes much of the fact that ICE and HSI initially learned about these publicly shared files via the CPS software, which is only available to law enforcement. Although the CPS program is not available to the public, the CPS program does not do anything an ordinary user on eMule could not accomplish. As explained by Sergeant Pilón at the hearing, the program is designed to ask computers on the network whether they have a particular file, or portion thereof, and whether that file is available to share. Both the CPS program and ordinary users only have the ability to:

• Ask other computers on the network whether they have a particular file name associated with certain search words and terms, and whether that file is available to share.

• Once the user has identified a particular file it wants to download, it asks that host computer if it can have it.

• Once the user has identified a particular file it wants to download, the user may view the MD4 root hash value associated with that file.

• At this point, the user also has the ability to ask other computers on the network if any of them have the • same file (by asking if any files contain the same MD4 root hash) or a portion of the file. The user is then presented with a list of-IP addresses that also claim to have access to that particular file.

The CPS program can only proceed as a normal user can. It is limited to the same protocol established for regular users on these file sharing networks as described above.⁶

Additionally, while few circuits have addressed any issues similar to the one Defendant raises now, some circuits have still noted in passing that the use of hash value algorithms in similar programs to detect child pornography are reliable and have acknowledged their growing use. See United States v. Chiaradio, 684 F.3d 265, 279-80 (1st Cir.2012) (EP2P program (similar to the CPS programs) analyzing hash values was explained with enough detailed for magistrate to gauge its reliability in determining whether child pornography would be found on a given computer); United States v. Wellman, 663 F.3d 224, 228 (4th Cir.2011); United States v. Cartier, 543 F.3d 442, 446-47 (8th Cir.2008).

Defendant contends a Title III wire tap order should have been required in this case, as well. However, wire tap orders are only required to intercept electronic communications contemporaneously with their transmission for the purpose of capturing the content of that communication. See 18 U.S.C. § 2510(4). This is factually distinct from the issue, here, which does not involve a contemporaneous capture of electronic communication for the content of that communication. Rather, the CPS program analyzes the code or content of a given file (but not as it is contemporaneously being transmitted) and searches for a match in its own database. Further, the content and actual MD4 root hash values of the files are already public, again, meaning there is no search or need for a court order.

Therefore, the Court denies the motion on this basis.

2. Whether the search warrant application was deficient.

At the outset, the Court finds the affidavit and the search warrant were both sufficient. However, Defendant contends the affidavit was deficient in the follow manners:

2.1 The affidavit erroneously states that the program in question does no more than automate the recording of information that any peer-to-peer user would see.

Defendant’s first argument is flawed in several regards. First, he misstates what the affidavit actually says. The affidavit clearly explains that CPS is complex software that first automates searches for specific files containing child pornography on P2P networks and then uses the root hash values assigned to files to locate IP addresses that have the same content available for download. Thus, the affidavit does acknowledge the program does more than merely automate subsequent searches (the initial search being conducted manually) — it is a special type of search program and database, but it still only looks at publicly shared information and it uses eMule’s own software to reach that end. Sergeant Pilón also explained at the hearing that the CPS system is designed to operate as a normal user and within the normal parameters of the eMule software. As explained previously, this simply means that the CPS software can only ask whether a user possesses a given file, and, if so, whether that file is available for download or partial download. CPS cannot obtain information that is not public. Additionally, the software’s use of root hash values to locate similar files is not something unique to the CPS program itself, rather, as explained previously, this information is readily available to all eMule users. In fact, eMule itself performs this function for users at the time a user is ready to download a particular file — CPS just stores this information in its database and organizes it by region. eMule uses an MD4 algorithm to convert all of its shared files to MD4 root hash values, allowing searches for other files with the same root hash value. This gives users the ability to download pieces of the same file simultaneously from multiple users to speed up the download process.

At the end of the day, the CPS program looks at the same available content as a regular human user, just from a different perspective; whereas users would look at the content of a file from a visual perspective, CPS looks at the files through a coded and numerical perspective. And it is again worth noting the whole CPS process has to begin with a law enforcement officer conducting a manual search by file name and then confirming the located file actually contains child pornography.

Therefore, this claim is without merit and Defendant’s motion is denied in this regard.

2.2 The affidavit does not explain that, in fact, SHA-1 values are not re'adily obtainable or displayable to peer-to-peer users

Again, Defendant’s argument here is a misstatement. First, eMule does not employ the SHA-1⁷ root hash value, but rather the MD4 root hash value. Second, as demonstrated by Sergeant Pilón, the MD4 hash value-of any given file is viewable by any user utilizing the eMule file sharing program. Both the affidavit and Sergeant Pilón explained the CPS program locates public files and then compares the hash values eMule- assigns to them with the hash values of known images and videos stored in a law enforcement database that contain child pornography. All eMule users are given the option to view the MD4 hash value of a given file. Even if this information, however, was not “readily displayable” to other users, as Defendant contends, it is immaterial because the entire, content of each file is publicly available and, thus, Defendant has no reasonable expectation of privacy therein.

Accordingly, this claim is without merit and Defendant’s motion is denied in this regard.

2.3 The affidavit does not say the program actually retrieves non-public information by accessing hidden or hard-to-fmd system files, and gathers information in those files and, thus, is misleading when it implies it only searches, publicly available data.

Defendant next contends the affidavit failed to mention that the CPS program goes beyond retrieving public information and into information that is wholly not public, examples being “hard-to-find system files” or hidden files. However, Defendant does not specifically allege that the CPS program did that here, let alone provide examples from Defendant’s case.

The affidavit indicates the only files accessed here are video and picture files sitting openly in the Defendant’s publicly shared folder. As Sergeant Pilón explained previously, CPS can only look iat files a user has made available to share with the public.

The Court also notes that just because files are “hard to find” does not necessarily mean that they are not still public. Thus, there is no basis for this claim and it is denied.

3. Whether the good faith exception to the exclusionary rule would apply in the alternative.

In the alternative, even if the search warrant was found to be invalid, the Court finds the good faith exception to the exclusionary rule would apply.

Reviewing courts will not defer to a warrant based on an affidavit that does not “provide the magistrate with a substantial basis for determining the existence of probable cause.” United States v. Leon, 468 U.S. 897, 915, 104 S.Ct. 3405, 82 L.Ed.2d 677 (1984) (quoting Illinois v. Gates, 462 U.S. 213, 239, 103 S.Ct. 2317, 76 L.Ed.2d 527 (1983)). “Sufficient information must be presented to the magistrate to allow that official to determine probable cause; his action cannot be a mere ratification of the bare conclusions of others.” Id. (citations omitted). Even if the warrant application was supported by more than a “bare bones” affidavit, a reviewing court may properly conclude that, notwithstanding the deference that magistrates deserve, the warrant was invalid because the magistrate’s probable-cause determination reflected an improper analysis of the totality of the circumstances, or because the form of the warrant was improper in some respect. Leon, 468 U.S. at 915, 104 S.Ct. 3405 (citation omitted).

The Fifth Circuit employs a two-step process for reviewing a district court’s denial of a motion to suppress when a search warrant is involved. United States v. Cherna, 184 F.3d 403, 407 (5th Cir.1999). First, the Fifth Circuit determines whether the good-faith exception to the exclusionary rule announced in United States v. Leon, 468 U.S. 897, 104 S.Ct. 3405, 82 L.Ed.2d 677 (1984) applies. Id. If so, the Court ends its analysis and affirms the district court’s decision to deny the motion to suppress. Id. If not, the Court proceeds to the second step, in which it “ ‘ensure[s] that the magistrate had a substantial basis for ... concluding that probable cause existed.’ ” Id. (quoting United States v. Pena-Rodriguez, 110 F.3d 1120, 1129 (5th Cir.1997)) (citation omitted). If the good-faith exception applies, the Court need not reach the question of probable cause. Id.

Under Leon, the good-faith exception does not apply when: (1) the magistrate or judge in issuing a warrant was misled by information in an affidavit that the affiant knew was false or would have known was false except for his reckless disregard of the truth, (2) where the issuing magistrate “wholly abandoned his judicial role,” (3) where a warrant is based on an affidavit “ ‘so lacking in indicia of probable cause as to render belief in its existence entirely unreasonable,’ ” and (4) where a warrant may be so facially deficient — i.e., in failing to particularize the place to be searched or the things to be seized — that the executing officers cannot reasonably presume it to be valid. See Leon, 468 U.S. at 923, 104 S.Ct. 3405.

None of the four Leon factors are present here.

Factor 1: There was no misleading or false information in the affidavit. As explained in the previous sections, Defendant has not pointed to any viable examples of misleading information and the Court cannot find any instances either.

Factor 2: The magistrate judge did not wholly abandon his judicial role. The search warrant affidavit was detailed and thorough, explaining every con cept and piece of background information necessary to evaluate the technical explanation given as to whether there was probable cause and how to evaluate the situation. Defendant has not pointed to a specific instance or instances that, taken together, would indicate the magistrate abandoned his role as an impartial judge.

Factor 3: The affidavit was not lacking in indicia of probable cause. To the contrary, the affidavit went to great lengths to explain how it matched the digital fingerprints from known child pornography with those being received and distributed on P2P networks. The affidavit explained Defendant’s IP address was associated with the P2P network known as eMule and the MD4 root hash algorithm employed by the CPS program matched several known child pornography images with files on his computer. The files located in Defendant’s shared folder (accessible to anyone with the same eMule software) also contained titles such as “9 Yo Blonde Daughter Fingered ... Underage R@Y gold Preteen Illegal Sister.avi,” which contain common terminology in the child pornography circles (for example. “9 Yo” means nine years old). The affiant also viewed several of these files and verified that they did indeed contain child pornography. Finally, the affidavit also explained how Defendant was located and confirmed as the user.

Factor 4: The affidavit was not facially deficient. To the contrary, the affidavit thoroughly explained the root hash value’s purpose, methods, and uses, as well as all the necessary background information to understand the technical explanation and evaluate the evidence for a probable cause determination. Other circuits have acknowledged when a root hash algorithm is used to determine whether child pornography is being traded, the hash tag itself should be enough to reach probable cause, given the digital fingerprint that is so unique it is extremely unlikely that another one would exist on a different type of file or picture. Finally, when the file name uses terminology consistently associated with terms used regularly by child pornographers, that itself is enough for probable cause even without viewing the files. See United States v. Wellman, 663 F.3d 224, 228 (4th Cir.2011). The affidavit also contained explanations regarding the content of the files, which the affiant viewed and confirmed as containing child pornography.

The Court also finds that there was a substantial basis for concluding probable cause existed. See Leon, 468 U.S. 897, 104 S.Ct. 3405. Among other things, the search warrant application and affidavit included a thorough explanation regarding:

• The type of software employed in this case, as well as the facts from the ensuing investigation.

• The descriptions of files containing child pornography associated with the IP address of Julian Dodson.⁸

• How ICE and HSI employed the CPS software, which located an IP address they eventually traced to Julian Dodson’s residence.

• Agent Sharp’s identification of Julian Dodson leaving the residence and observed a vehicle registered in his name at the residence.

This provided the Magistrate Judge with more than enough information to conclude probable cause existed to search the residence.

Therefore, in the alternative, the Court also finds the good faith exception would apply. Defendant’s Motion to Suppress is denied in this regard, as well.

Conclusion

Accordingly, the Court denies Defendant’s motion to suppress. (Doc. 26).

It is so ordered.

Notes

1 . A "hash" value is a code that identifies an individual digital file as a kind of "digital fingerprint.” See United States v. Wellman, 663 F.3d 224, 226 n. 6 (4th Cir.2011). The coding is created using various algorithmic functions — in this case, the algorithm used by eMule and the eDonkey network was MD4.

2 . In order to get on the Internet, an individual must have an IP address assigned to him, which are owned by internet services providers and leased out to customers.

An [IP] address is a unique 32-bit numeric address, written as numerals separated by periods, identifying each sender or receiver of information traveling across the Internet. An IP address has two parts: the identifier of the particular device (which can be a server or workstation) within that network. In essence, an IP address identifies a single computer....

United States v. Woemer, 709 F.3d 527, 531, n. 2 (5th Cir.2013) (quoting White Buffalo Ventures, LLC v. Univ. of Tex. at Austin, 420 F.3d 366, 369 n. 6 (5th Cir.2005)).

3 . The IP address was identified using software developed by a private group that licenses its use to government agencies.

4 . eDonkey is the peer-to-peer network of computers. eMule is the file sharing software that enables a user to connect to the eDonkey network to then search for and share files.

5 .Federal courts have held no reasonable expectation of privacy exists in an IP address because that information is conveyed to and from third parties, including internet service providers. See United States v. Christie, 624 F.3d 558, 574 (3rd Cir.2010) ("Federal courts have uniformly held that 'subscriber information provided to an internet provider is not protected by the Fourth Amendment’s privacy expectation’ because it is voluntarily conveyed to third parties.”); United States v. Bynum, 604 F.3d 161, 164 (4th Cir.2010); United States v. Perrine, 518 F.3d 1196, 1204 (10th Cir.2008); See also Smith v. Maryland, 442 U.S. 735, 743-44, 99 S.Ct. 2577, 61 L.Ed.2d 220 (1979) (acknowledging the Supreme Court “consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”). "IP addresses are not merely passively conveyed through third party equipment, but rather are voluntarily turned over in order to direct the third party's servers.” Id. (quoting United States v. Forrester, 512 F.3d 500, 510 (9th Cir.2008)).

6 . Aside from the automation capabilities the CPS system possesses, the CPS also has the capabilities of taking the MD4 hash values that eMule assigns to each file shared on that network and compares it to hash values of known child pornography stored on a law enforcement database.

7 . The SHA-1 is a root hash value similar to MD4. (Doc. 46 at 30). Different file sharing programs employ different algorithms to create unique digital fingerprints for each file on the shared network. Defendant erroneously believed the SHA-1 value was used in this case when the actual root hash value employed was the MD4.

8 . As explained previously, the investigation initially surrounded Julian Dodson, Defendant’s son, rather than Defendant, because the IP address was registered to Julian Dodson. As the investigation progressed, it was eventually determined that the images belonged to Defendant rather than Julian Dodson.

Case Details

Case Name: United States v. Dodson

Court Name: District Court, W.D. Texas

Date Published: Aug 13, 2013

Citation: 960 F. Supp. 2d 689

Docket Number: No. P-13-CR-14

Court Abbreviation: W.D. Tex.