883 F.3d 204 (3rd Cir. 2018), 16-3588, United States v. Werdene

Docket Nº: 16-3588
Citation: 883 F.3d 204
Opinion Judge: GREENAWAY, JR., Circuit Judge.
Party Name: UNITED STATES of America v. Gabriel WERDENE, Appellant
Attorney: Leigh M. Skipper, Brett G. Sweitzer [Argued], Office of the Federal Public Defender, Counsel for Appellant; Louis D. Lappen, Robert A. Zauzmer, Michelle L. Morgan [Argued], Office of United States Attorney, Counsel for Appellee
Judge Panel: Before: GREENAWAY, JR., NYGAARD, FISHER, Circuit Judges. NYGAARD, Circuit Judge, concurring.
Case Date: February 21, 2018
Court: United States Courts of Appeals, Court of Appeals for the Third Circuit
SUMMARY

Investigating Playpen, a global dark-web child pornography forum with more than 150,000 users, the FBI relied on a single search warrant, issued in the Eastern District of Virginia, to search the computers of thousands of Playpen users all over the world, using malware called a “Network Investigative Technique” (NIT). Werdene, a Pennsylvania citizen, was a Playpen user whose computer was...


883 F.3d 204 (3rd Cir. 2018)

UNITED STATES of America

v.

Gabriel WERDENE, Appellant

No. 16-3588

United States Court of Appeals, Third Circuit

February 21, 2018

Argued on October 23, 2017


APPEAL FROM THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA, District Judge: Honorable Gerald J. Pappert (D.C. Crim. Action No. 2-15-cr-00434-001)


OPINION

GREENAWAY, JR., Circuit Judge.

This case arises from the Federal Bureau of Investigation’s (FBI) investigation into Playpen, a global online forum that existed on the dark web[1] and that was dedicated to the advertisement and distribution of child pornography. The website had a substantial amount of users. In fact, more than 150,000 users collectively engaged in over 95,000 posts with over 9,000 forum topics related to child pornography. This appeal centers on the FBI’s decision to rely on a single search warrant, issued in the Eastern District of Virginia ("EDVA"), to search the computers of thousands of Playpen users across the United States and the world using a form of government-created malware termed a "Network Investigative Technique" ("NIT").

Appellant Gabriel Werdene, a citizen of Pennsylvania, was a Playpen user whose computer was compromised by the NIT. Subsequently, he was charged in the Eastern District of Pennsylvania ("EDPA") with one count of possessing child pornography, in violation of 18 U.S.C. § 2252(a)(4)(B). He filed a motion to suppress the evidence seized during the search of his computer, including the information revealed by the use of the NIT. The District Court denied the suppression motion, holding that the NIT warrant violated the version of Fed. R. Crim. P. 41(b) then in effect ("Rule 41(b)")[2], but that the NIT itself did not constitute a search under the Fourth Amendment and that Werdene was not prejudiced by the error. On appeal, Werdene contends that the District Court erred in holding that no Fourth Amendment search took place. Further, he argues that the issuance of the warrant violated his Fourth Amendment rights because it lacked particularity and was issued in violation of the jurisdictional requirements set forth in both Rule 41(b) and the Federal Magistrates Act. The Government concedes that a Fourth Amendment search occurred, but contends that the NIT was authorized by Rule 41(b)(4) and that, in any event, the good-faith exception to the exclusionary rule precludes suppression.

We hold that the NIT warrant violated the prior version of Rule 41(b) and that the magistrate judge exceeded her authority under the Federal Magistrates Act. The warrant was therefore void ab initio, and the Rule 41(b) infraction rose to the level of a Fourth Amendment violation. However, we agree with the Government that the good-faith exception to the exclusionary rule may apply to warrants that are void ab initio, which ultimately precludes suppression in this case. We therefore will affirm on alternative grounds the District Court’s decision to deny Werdene’s suppression motion.

I. FACTS AND PROCEDURAL HISTORY

To inform our forthcoming analysis, we shall detail how Playpen escaped traditional law enforcement detection and how the FBI circumvented the dark web to apprehend its users.

A. Tor

The Playpen site operated on the anonymous "The Onion Router" ("Tor") network—a constituent part of the "dark web"—which allows users to conceal their actual internet protocol ("IP") addresses while accessing the internet.[3] An IP address is a unique identifier assigned by an internet service provider to every computer having access to the internet, including computer servers that host websites. Websites that the computer user visits can log the computer’s IP address, creating a digital record of activity on each website. After lawful seizure of an illicit website under normal circumstances, law enforcement is able to retrieve the website’s IP log to locate and apprehend its users.

Tor, however, prevents websites from registering a computer’s actual IP address by sending user communications through a network of relay computers called "nodes" up until those communications reach the website. Numerous intermediary computers therefore stand between the accessing computer and the website, and the website can log the IP address of only the "exit node", which is the final computer in the sequence. Accordingly, Playpen’s IP log—like that of other Tor websites—contained only the IP addresses of the exit nodes, rendering traditional IP identification techniques useless.

B. The Playpen Investigation

In December 2014, a foreign law enforcement agency informed the FBI that Playpen was being hosted by a computer server in North Carolina. Playpen’s administrator was identified as a person residing in Florida, who was promptly arrested.[4] The FBI then lawfully seized the server, moved it to a government facility in EDVA, and obtained a wiretap order to monitor communications on it. It then assumed administrative control of Playpen and allowed the website to operate while law enforcement officials tried to circumvent Tor and identify Playpen’s users.

The FBI’s solution was the NIT, a form of government-created malware that allowed the FBI to retrieve identifying information from Playpen users located all around the world. The NIT’s deployment worked in multiple steps. First, the FBI modified Playpen’s code so that each accessing computer—unknowingly to the user and no matter the computer’s physical location—downloaded the NIT whenever a "user or administrator log[ged] into [Playpen] by entering a username and password." App. 133. Once downloaded, the NIT searched the accessing computer for seven discrete pieces of identifying information: (1) an IP address; (2) a unique identifier to distinguish the data from that of other computers; (3) the type of operating system; (4) information about whether the NIT had already been delivered; (5) a Host Name; (6) an active operating system username; and (7) a Media Access Control address. Finally, the NIT transmitted this information back to a government-controlled computer in EDVA. The FBI postulated that it could then rely on this information to identify users’ premises and distinguish their computers from other computers located within their proximity.

In February 2015, the FBI obtained a search warrant from a magistrate judge in EDVA to deploy the NIT to all "activating computers." App. 106. An "activating computer" was defined in the search warrant as the computer of "any user or administrator who logs into [Playpen] by entering a username and password." Id. Further, the NIT could be deployed to any activating computer "wherever located." App. 136 (emphasis added). In other words, this single warrant authorized the FBI to retrieve identifying information from computers all across the United States, and from all around the world. Most importantly, these computers were overwhelmingly located outside of EDVA.

C. Charges Against Werdene and Suppression Motion

Analysis of the NIT data revealed the IP address of a Playpen user, eventually identified as Werdene, residing in Bensalem, Pennsylvania. In the final month of the website’s operation, Werdene was logged in for approximately ten hours and made six text postings, commenting on child pornography and sharing links under the username "thepervert." The FBI obtained a separate search warrant for Werdene’s home from a magistrate judge in EDPA, where agents seized one USB drive and one DVD containing child pornography.[5]

In September 2015, Werdene was charged in EDPA with one count of possessing child pornography, in violation of 18 U.S.C. § 2252(a)(4)(B). He filed a motion to suppress the evidence seized during the search of his computer, including the information revealed by the NIT, the evidence subsequently seized from his home, and statements that he later made to the FBI. Werdene argued that the warrant was issued in violation of the jurisdictional requirements set forth in Rule 41(b), and that suppression was required because the violation was constitutional in nature and the good-faith exception to the exclusionary rule did not apply. The Government did not contend that the NIT warrant was explicitly authorized by Rule 41(b), but argued that the rule was flexible and expansive, and included warrants based on technological advances—such as the NIT warrant—which came within the spirit of the...
