United States v. Arterbury

Decision Date: 25 April 2016
Docket Number: Case No. 15-CR-182-JHP
Parties: UNITED STATES OF AMERICA, Plaintiff, v. SCOTT FREDRICK ARTERBURY, Defendant.
Court: U.S. District Court — Northern District of Oklahoma
REPORT AND RECOMMENDATION

Before the Court is the Motion to Suppress Evidence Seized from Residence ("Motion to Suppress") and Request for an Evidentiary Hearing of Defendant Scott Fredrick Arterbury ("Arterbury"). [Dkt. No. 33]. On March 23, 2016, the matter was referred to the undersigned United States Magistrate Judge for Report and Recommendation on the Motion to Suppress. [Dkt. No. 35]. The Motion for hearing has been GRANTED, and a hearing conducted on April 25, 2016. After considering the submissions of the parties and the arguments of counsel, the undersigned makes the following findings and recommendation to the District Court.

I. FACTUAL BACKGROUND - THE "DARK NET" OR TOR

This case involves what is known as "The Dark Net," the "Tor Network" or "Tor" for short.1 "Tor is an open-source tool that aims to provide anonymity and privacy to those using the Internet. It prevents someone who is observing the user from identifying which sites they are visiting and it prevents sites from identifying the user. Some users value Tor's anonymity because it makes it difficult for governments to censor sites or content that may be hosted elsewhere in the world." Owen and Savage, at 1. An individual living under a repressive government such as North Korea, for example, might make use of Tor to access or post certain information while avoiding government surveillance. However, after analyzing Tor Dark net sites over a six-month period, Owen and Savage found that "the majority of sites were criminally oriented, with drug marketplaces featuring prominently. Notably, however, it was found that sites hosting child abuse imagery were the most frequently requested." Id.

The Tor network is designed to route communications through multiple computers, protecting the confidentiality of Internet Protocol ("IP") addresses and other identifying information. See, Keith D. Watson, The Tor Network: A Global Inquiry into the Legal Status of Anonymity Networks, 11 Wash. U. Global Stud. L. Rev. 715 (2012) (hereafter, "Watson"). See, for example, U.S. v. Frater, 2016 WL 795839, *3 (D. Ariz. March 1, 2016).

Tor allows users to send data over the Internet anonymously by shielding the source's location. This is accomplished by a complex encryption network that dissociates Internet communication from its source's IP address. Tor achieves user anonymity through so-called "onion routing," which bounces all communications routed through the Tor network to various different "nodes" before delivering them to their destination. These "nodes" are proxy servers scattered across the globe. Tor users connect to the network by first pulling in a list of nodes from a directory server. The user's computer then accesses the Tor network through a random node. The user's information is then routed through a random series of relay nodes before finally routing to an exit node, which sends the user's information to the actual Internet. What is significant about the Tor network is that each node communicates only with the nodes immediately preceding and following it in the chain. Therefore, the user's computer has direct contact with only the first node in the chain, and the actual Internet communicates only with the exit node. The entry node does not know the ultimate destination of the data, and the exit node is unaware of the data's origin. Because exit nodes are the only nodes that communicate directly with the public Internet, any traffic routed through the Tor network is traceable only to the exit node. Each communication is encrypted in a new layer of code before passing to the next node. The communication is eventually ensconced in several layers of code, which are then "peeled away" by the exit node, hence the onion metaphor.
Thus, Computer A submits data through the Tor network, the communication will pass through the network and exit onto the actual Internet through the exit node, Computer B. Any data sent by Computer A will appear to anyone tracing the communication as if it has come from Computer B. This essentially allows the user of Computer A to surf the Internet with complete anonymity, assuming the user never submits any information that is linked to her identity, such as accessing her standard e-mail account.

Watson, at 721-23.
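
The layered wrapping and hop-by-hop peeling that the quoted passage describes can be made concrete with a short simulation. This is an added illustration, not part of the opinion or of Tor's own code; the node names, keys, destination and the SHA-256-based toy cipher are constructed stand-ins for Tor's real circuit cryptography.

```python
import hashlib
import json

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream XOR); a stand-in, not Tor's crypto."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(path, destination, payload):
    """Sender side: add one layer per node, innermost (exit) layer first."""
    next_hop, body = destination, payload
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "body": body.hex()}).encode()
        next_hop, body = name, xor_layer(key, layer)
    return next_hop, body  # first node to contact, fully wrapped onion

def peel(key, blob):
    """Node side: remove one layer, learning only the next hop."""
    layer = json.loads(xor_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["body"])

def route(path, destination, payload, sender="Computer A"):
    """Carry the onion along the path, recording what each node can observe."""
    keys = dict(path)
    hop, blob = wrap(path, destination, payload)
    prev, seen = sender, []
    while hop in keys:
        nxt, blob = peel(keys[hop], blob)
        seen.append({"node": hop, "from": prev, "to": nxt})
        prev, hop = hop, nxt
    return seen, hop, blob, prev  # prev = apparent source at the destination

# Constructed sample circuit: names and keys are hypothetical.
SAMPLE_PATH = [("entry", b"key-1"), ("middle", b"key-2"), ("exit", b"key-3")]

if __name__ == "__main__":
    seen, dest, data, apparent = route(SAMPLE_PATH, "website.example", b"hello")
    for view in seen:
        print(view)
    print(dest, "receives", data, "apparently from", apparent)
```

Each recorded view contains only the immediately preceding and following hop, and the destination sees the exit node as the apparent source, which is why a trace from the destination stops at the exit node.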

To combat illegal activity using the Tor network, the Government has developed so-called "Trojan horse devices." These may include: "data extraction software, network investigative technique, port reader, harvesting program, remote search, CIPAV for Computer and Internet Protocol Address Verifier, or IPAV for Internet Protocol Address Verifier." Brian L. Owsley, Beware of Government Agents Bearing Trojan Horses, 48 Akron L. Rev. 315, 316 (2015). In the instant case, the parties have referred to the warrant issued by the U.S. magistrate judge in the Eastern District of Virginia as a Network Investigative Technique ("NIT") warrant, and the Court will adopt that terminology.

Once approved, the NIT is installed on the target Website. "Once installed on Website A, each time a user accessed any page of Website A, the NIT sent one or more communications to the user's computer which caused the receiving computer to deliver data to a computer controlled by the FBI, which would help identify the computer which was accessing Website A." U.S. v. Pierce, 2014 WL 5173035, *3 (D.Neb. Oct. 14, 2014). In some cases, the Government has even activated a target computer's built-in camera to take photographs of the persons using that computer and send the photos back to the Government. E.g., In re Warrant to Search a Target Computer at Premises Unknown, 958 F. Supp. 2d 753, 759 (S.D. Tex. 2013).

The critical point is that without the use of such techniques as NIT, agents seeking to track a Tor user to his home computer will not be able to take that pursuit beyond the exit node from which the Tor user accessed the regular Internet.2 NIT allows the Government to surreptitiously send a message back through the Tor network to the home computer directing it to provide information from which the user may be identified.

II. FACTUAL BACKGROUND OF THIS CASE

The Government obtained evidence regarding Arterbury's alleged criminal conduct through a multi-step process that began in the Fall of 2014. At that time, Agents of the Federal Bureau of Investigation ("FBI") began investigating the Playpen website, a global online forum believed to be hosting users for purposes of distributing and accessing child pornography.3 In February 2015, agents apprehended the administrator of Playpen in Naples, Fla., took control of the site, and moved it to Virginia. Rather than shut Playpen down immediately, agents decided to allow the site to continue operation for 12 days (February 20, 2015 to March 4, 2015) in the hopes of identifying and prosecuting Playpen users. In furtherance of the investigation, the Government sought to use a Network Investigative Technique that would covertly transmit computer code to Playpen users. That code would direct users' computers to provide investigators with information which could then be used to locate and identify the users. In order to employ the NIT, however, the Government needed to obtain an "NIT search warrant."

In February 2015, a warrant application was prepared and presented to a magistrate judge in the Eastern District of Virginia. Absent the use of the NIT, the Government had no ability to locate and identify users of the Playpen website. Special Agent Douglas Macfarlane, in his Affidavit in Support of Application for the NIT Search Warrant, stated:

Due to the unique nature of the Tor network and the method by which the network protects the anonymity of its users by routing communications through multiple computers or "nodes" . . . other investigative procedures that are usually employed in criminal investigations of this type have been tried and have failed or reasonably appear to be unlikely to succeed if they are tried.

[Dkt. No. 34-1, Affidavit in Support of Application for Search Warrant, at 28-29, ¶ 31].

On February 20, 2015, U.S. Magistrate Judge Theresa Carroll Buchanan issued the NIT warrant. When users accessed Playpen, the NIT caused data extraction software to be installed on the user's computer - wherever it was located. The computer then sent - without Defendant's knowledge or permission - requested information to a Government-controlled computer.4 In this way, the Government could determine the identity of the person accessing Playpen - even when that person was using a computer that was located outside the Eastern District of Virginia.

Using NIT, agents determined that a Playpen registrant with the user name "johnnyb5" and an IP address of 70.177.122.133 had logged on to the website from February 20 to March 4, 2015. Agents were able to determine that the IP address was operated by Cox Communications, Inc. Using an administrative subpoena directed at Cox, they secured the name and address of the account holder. This information was included in the affidavit of Special Agent Joseph Cecchini in support of a search warrant application presented to U.S. Magistrate Judge T. Lane Wilson in the Northern District of Oklahoma (the "Oklahoma warrant") on November 2, 2015. See 15-mj-196-TLW, [Dkt. 1]. The affidavit supporting the Oklahoma warrant is quite similar to the affidavit supporting the NIT warrant application. However, the Oklahoma warrant details the Defendant's alleged conduct regarding the Playpen website and the information obtained as a result of the NIT.

Judge Wilson issued the search warrant for 1515 S. Nyssa Place, Broken Arrow, Oklahoma. Agents executed the warrant, and located and seized alleged child pornography. Judge Wilson then executed a Criminal Complaint and a warrant for the Defendant's arrest.

Defendant appeared...
