United States v. Werdene

• Decision Date: 21 February 2018
• Docket Number: No. 16-3588,16-3588
• Citation: 883 F.3d 204
• Parties: UNITED STATES of America v. Gabriel WERDENE, Appellant
• Court: U.S. Court of Appeals — Third Circuit

883 F.3d 204

UNITED STATES of America

v.Gabriel WERDENE, Appellant

No. 16-3588

United States Court of Appeals, Third Circuit.

Argued on October 23, 2017

Opinion Filed: February 21, 2018

Leigh M. Skipper, Brett G. Sweitzer [Argued], Office of the Federal Public Defender, 601 Walnut Street, Suite 540 West, Philadelphia, PA 19106, Counsel for Appellant

Louis D. Lappen, Robert A. Zauzmer, Michelle L. Morgan [Argued], Office of United States Attorney, 615 Chestnut Street, Suite 1250, Philadelphia, PA 19106, Counsel for Appellee

Before: GREENAWAY, JR., NYGAARD, FISHER, Circuit Judges.

OPINION

GREENAWAY, JR., Circuit Judge.

This case arises from the Federal Bureau of Investigation’s (FBI) investigation into Playpen, a global online forum that existed on the dark web¹ and that was dedicated to the advertisement and distribution of child pornography. The website had a substantial amount of users. In fact, more than 150,000 users collectively engaged in over 95,000 posts with over 9,000 forum topics related to child pornography. This appeal centers on the FBI’s decision to rely on a single search warrant, issued in the Eastern District of Virginia ("EDVA"), to search the computers of thousands of Playpen users across the United States and the world using a form of government-created malware termed a "Network Investigative Technique" ("NIT").

Appellant Gabriel Werdene, a citizen of Pennsylvania, was a Playpen user whose computer was compromised by the NIT. Subsequently, he was charged in the Eastern District of Pennsylvania ("EDPA") with one count of possessing child pornography, in violation of 18 U.S.C. § 2252(a)(4)(B). He filed a motion to suppress the evidence seized during the search of his computer, including the information revealed by the use of the NIT. The District Court denied the suppression motion, holding that the NIT warrant violated the version of Fed. R. Crim. P. 41(b) then in effect (" Rule 41(b)")² , but that the NIT itself did not constitute a search under the Fourth Amendment and that Werdene was not prejudiced by the error. On appeal, Werdene contends that the District Court erred in holding that no Fourth Amendment search took place. Further, he argues that the issuance of the warrant violated his Fourth Amendment rights because it lacked particularity and was issued in violation of the jurisdictional requirements set forth in both Rule 41(b) and the Federal Magistrates Act. The Government concedes that a Fourth Amendment search occurred, but contends that the NIT was authorized by Rule 41(b)(4) and that, in any event, the good-faith exception to the exclusionary rule precludes suppression.

We hold that the NIT warrant violated the prior version of Rule 41(b) and that the magistrate judge exceeded her authority under the Federal Magistrates Act. The warrant was therefore void ab initio , and the Rule 41(b) infraction rose to the level of a Fourth Amendment violation. However, we agree with the Government that the good-faith exception to the exclusionary rule may apply to warrants that are void ab initio , which ultimately precludes suppression in this case. We therefore will affirm on alternative grounds the District Court’s decision to deny Werdene’s suppression motion.

I. FACTS AND PROCEDURAL HISTORY

To inform our forthcoming analysis, we shall detail how Playpen escaped traditional law enforcement detection and how the FBI circumvented the dark web to apprehend its users.

A. Tor

The Playpen site operated on the anonymous "The Onion Router" ("Tor") network—a constituent part of the "dark web"—which allows users to conceal their actual internet protocol ("IP") addresses while accessing the internet.³ An IP address is a unique identifier assigned by an internet service provider to every computer having access to the internet, including computer servers that host websites. Websites that the computer user visits can log the computer’s IP address, creating a digital record of activity on each website. After lawful seizure of an illicit website under normal circumstances, law enforcement is able to retrieve the website’s IP log to locate and apprehend its users.

Tor, however, prevents websites from registering a computer’s actual IP address by sending user communications through a network of relay computers called "nodes" up until those communications reach the website. Numerous intermediary computers therefore stand between the accessing computer and the website, and the website can log the IP address of only the "exit node", which is the final computer in the sequence. Accordingly, Playpen’s IP log—like that of other Tor websites—contained only the IP addresses of the exit nodes, rendering traditional IP identification techniques useless.

B. The Playpen Investigation

In December 2014, a foreign law enforcement agency informed the FBI that Playpen was being hosted by a computer server in North Carolina. Playpen’s administrator was identified as a person residing in Florida, who was promptly arrested.⁴ The FBI then lawfully seized the server, moved it to a government facility in EDVA, and obtained a wiretap order to monitor communications on it. It then assumed administrative control of Playpen and allowed the website to operate while law enforcement officials tried to circumvent Tor and identify Playpen’s users.

The FBI’s solution was the NIT, a form of government-created malware that allowed the FBI to retrieve identifying information from Playpen users located all around the world. The NIT’s deployment worked in multiple steps. First, the FBI modified Playpen’s code so that each accessing computer—unknowingly to the user and no matter the computer’s physical location—downloaded the NIT whenever a "user or administrator log[ged] into [Playpen] by entering a username and password." App. 133. Once downloaded, the NIT searched the accessing computer for seven discrete pieces of identifying information: (1) an IP address; (2) a unique identifier to distinguish the data from that of other computers; (3) the type of operating system; (4) information about whether the NIT had already been delivered; (5) a Host Name; (6) an active operating system username; and (7) a Media Access Control address. Finally, the NIT transmitted this information back to a government-controlled computer in EDVA. The FBI postulated that it could then rely on this information to identify users’ premises and distinguish their computers from other computers located within their proximity.

In February 2015, the FBI obtained a search warrant from a magistrate judge in EDVA to deploy the NIT to all "activating computers." App. 106. An "activating computer" was defined in the search warrant as the computer of "any user or administrator who logs into [Playpen] by entering a username and password." Id . Further, the NIT could be deployed to any activating computer "wherever located ." App. 136 (emphasis added). In other words, this single warrant authorized the FBI to retrieve identifying information from computers all across the United States, and from all around the world. Most importantly, these computers were overwhelmingly located outside of EDVA.

C. Charges Against Werdene and Suppression Motion

Analysis of the NIT data revealed the IP address of a Playpen user, eventually identified as Werdene, residing in Bensalem, Pennsylvania. In the final month of the website’s operation, Werdene was logged in for approximately ten hours and made six text postings, commenting on child pornography and sharing links under the username "thepervert." The FBI obtained a separate search warrant for Werdene’s home from a magistrate judge in EDPA, where agents seized one USB drive and one DVD containing child pornography.⁵

In September 2015, Werdene was charged in EDPA with one count of possessing child pornography, in violation of 18 U.S.C. § 2252(a)(4)(B). He filed a motion to suppress the evidence seized during the search of his computer, including the information revealed by the NIT, the evidence subsequently seized from his home, and statements that he later made to the FBI. Werdene argued that the warrant was issued in violation of the jurisdictional requirements set forth in Rule 41(b), and that suppression was required because the violation was constitutional in nature and the good-faith exception to the exclusionary rule did not apply. The Government did not contend that the NIT warrant was explicitly authorized by Rule 41(b), but argued that the rule was flexible and expansive, and included warrants based on technological advances—such as the NIT warrant—which came within the spirit of the rule.

The District Court denied the motion in a memorandum and order issued on May 18, 2016. It first held that the NIT warrant violated Rule 41(b) because the magistrate judge in EDVA was without authority to issue a warrant to search Werdene’s computer in EDPA. But the District Court also held that the NIT was not a "search" within the meaning of the Fourth Amendment because Werdene lacked a reasonable expectation of privacy to his computer’s IP address. It concluded that the Fourth Amendment was not implicated, and that the Rule 41(b) violation was only "technical" in nature. The District Court therefore denied the suppression motion on the bases that the Government did not intentionally disregard the Rule’s requirements and that Werdene was not prejudiced by the violation. This appeal followed.

On June 7, 2016, Werdene pled guilty pursuant to a plea agreement in which he reserved his right to appeal the District Court’s ruling on the suppression motion. On September 7, 2016, the District Court accepted the recommendation of the U.S. Probation Office and applied a downward variance from the United States Federal Sentencing Guideline’s range of 51-63 months. It sentenced Werdene to 24 months’ imprisonment, a term of supervised release of five years, and restitution in the amount of $1,500.

II. JURISDICTION AND STANDARD OF REVIEW

The District Court had original...