United States v. Thomas

Decision Date: 08 November 2013
Docket Number: Case No. 5:12-cr-37, Case No. 5:12-cr-44, Case No. 5:12-cr-97
Court: U.S. District Court — District of Vermont
Parties: UNITED STATES OF AMERICA v. DEREK THOMAS, DOUGLAS NEALE, and STEPHAN LEIKERT
OPINION AND ORDER DENYING DEFENDANTS' MOTIONS TO SUPPRESS

Defendant Thomas (Docs. 47, 83 & 84)

Defendant Neale (Docs. 24 & 65)

Defendant Leikert (Docs. 22 & 46)

This matter came before the court for an evidentiary hearing on April 17 and July 30-31, 2013 on the motions to suppress filed by Defendants Derek Thomas, Douglas Neale, and Stephan Leikert, which were consolidated for the purposes of the court's hearing. The parties' filing of post-hearing memoranda was completed on September 25, 2013.

The government is represented by Assistant U.S. Attorney Nancy J. Creswell in the Thomas case; by Assistant U.S. Attorney Timothy C. Doherty, Jr. in the Neale case; and by Assistant U.S. Attorney Christina E. Nolan in the Leikert case. Defendant Thomas is represented by Elizabeth D. Mann, Esq. Defendant Neale is represented by Assistant Federal Public Defender David L. McColgin. Defendant Leikert is represented by Chandler W. Matson, Esq. and William W. Cobb, Esq.

Each of the Defendants was charged by indictment with possession of child pornography in violation of 18 U.S.C. § 2252(a)(4)(B) after law enforcement executed search warrants at their respective residences and seized evidence from a computer or computers found therein. Defendants seek suppression of all evidence derived from the search, arguing that law enforcement's use of automated software constituted a warrantless search of the private areas of their respective computers in violation of the Fourth Amendment.

In the alternative, Defendants argue that the search warrants in their cases lacked probable cause, and contained false and misleading statements and omissions that intentionally or recklessly misled the magistrate judge who issued the search warrants. Defendants either collectively or individually assert that the search warrant affidavits were false and misleading because they allegedly: (1) failed to adequately disclose and describe law enforcement's use of automated software and a third-party database; (2) failed to disclose the automated software's alleged ability to access incomplete, deleted, and corrupted files, as well as files that had not been made available for sharing; (3) failed to advise of the alleged inadequacy of the testing of the automated software; (4) falsely represented the reliability of hash values to identify a file's contents; (5) falsely stated that an MD4 hash value could be "converted" to a SHA1 value; (6) falsely suggested there was a manual "undercover" investigation; (7) failed to accurately and adequately describe whether and how law enforcement verified the contents of the suspected files; and (8) noted that Defendants allegedly "shared" certain files of child pornography when the files were only allegedly "offered to be shared."

The government opposes the motions, contending that the automated software did not and cannot access "private" files not made available for sharing. Accordingly, it asserts no warrantless searches occurred. The government further contends that the use of automated software was fully disclosed in the search warrant affidavits, the search warrants are supported by probable cause, and the search warrant affidavits contain no intentional or reckless material misstatements of fact or omissions.

I. Findings of Fact.

In approximately December 2011, federal and state law enforcement in Vermont commenced an investigation, known as "Operation Greenwave," into potential child pornography crimes using peer-to-peer file sharing software. Each of the search warrants at issue in this case was part of Operation Greenwave.

A. Peer-to-Peer File Sharing.

Peer-to-peer file sharing is a popular means of obtaining and sharing files free of charge directly from other computer users who are connected to the Internet and who are also using peer-to-peer file sharing software. Peer-to-peer file sharing software is publicly available for download free of charge from the Internet and operates on a particular network which dictates to some extent how the file sharing will occur. Gnutella and eDonkey are two popular networks on which peer-to-peer file sharing takes place.

Generally, the source code for peer-to-peer file sharing software is "open," meaning that, to a certain extent, it may be modified by users. However, although users may make some modifications to the source code, the software must still adhere to a common protocol or language in order for it to communicate with other computers and allow file sharing to take place. There are numerous types of peer-to-peer file sharing programs and numerous versions of each particular type of program.

Once peer-to-peer file sharing software has been downloaded and installed by the user, the user may interface directly with other computers using the same file sharing software and browse and obtain files that have been made available for sharing. The file sharing software does not permit a user to access files that are not available for sharing. However, a user may download a version of the software which contains default settings that make certain files available for sharing without the user's affirmative designation of the files as shared files. In addition, file sharing programs often include a default setting which allows them to operate anytime a computer is on and connected to the Internet even if the user has not sought to reactivate the file sharing program. File sharing programs may resume an interrupted download if the file sharing program is reactivated, even if the user has not affirmatively requested that the download resume.

File sharing occurs when one computer, identified by an Internet Protocol ("IP") address, initiates a search for a responsive file by indicating the term or terms that it seeks to find in the file's name. This is called a "query" and consists of key words such as "child," "pornography," or "child pornography." Law enforcement has identified a number of search terms commonly associated with child pornography. Other computers that are using the same file sharing software and connected to the Internet at the time will respond to the query with a "query hit message." A query hit message identifies the file or files available for sharing which have a word in the file name that matches the search word in the query. The query hit message will also contain additional information such as the IP addresses of the computers offering to share responsive files. Often multiple computers will respond to a single query.

After a query hit message is received, the computer user requesting the file must affirmatively select it for download, generally by double clicking on the file's name. It is possible and even probable that the download will occur from multiple computers at the same time, all of which have responded with a query hit message and are simultaneously sending the file for download to the computer requesting it. This permits a more rapid downloading process. A person seeking to download a file may often preview a portion of the file before downloading it; however, some peer-to-peer file sharing software programs do not allow the user to view the file until the download is complete. Incomplete files are generally not available for download unless the computer user responding to a query, or the default settings on his or her computer, have made an incomplete file available for sharing.

Peer-to-peer file sharing software also often allows a user to request a "browse host," which is a request to view all of the files that another computer has available for sharing. Both the Gnutella and eDonkey networks have a browse host function built into their protocols. eDonkey, however, relies on actual servers while Gnutella does not. Accordingly, a user of the eDonkey network submits his or her shared files to eDonkey's servers, and the servers respond on behalf of users who are then online and operating eDonkey file sharing software. Both networks use a query-response protocol whereby queries are sent out, responses are received and displayed, and the user then selects the files he or she seeks to download or simply browses the files made available for sharing. It is not uncommon for a user to download all of another user's files available for sharing and then determine at a later time whether to retain those files.

Many peer-to-peer file sharing programs permit the user to disable the file sharing component of the software. In addition, the software may be configured to prohibit the use of the browse host function. However, because the software is open source code, it is not always certain that the peer-to-peer file sharing software will function as intended by the user. If a user's computer is either off or not connected to the Internet, no file sharing will take place.

B. Hash Values.

Peer-to-peer file sharing programs all use hash values to identify files in a manner that is significantly more precise than a file's name. A hash value is a list of characters that act as a digital fingerprint for a file's contents. Hash values have varying degrees of reliability. The network chooses the type of hash value it will use for file sharing purposes. Law enforcement agents investigating peer-to-peer file sharing activity will thus receive responses that reflect the network's chosen type of hash value.
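The following added example (not part of the court's opinion) models the query, query hit, and hash-value concepts described above, showing why a hash value identifies a file's contents more precisely than its name. The host IP addresses, file names, and contents are constructed sample data, and the Base32 rendering of SHA-1 (how Gnutella clients commonly display it) is not described in the opinion.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample data: (IP address, file name, file contents) for files
# that three hypothetical hosts have made available for sharing.
SHARED = [
    ("192.0.2.10", "holiday_video.avi", b"AAAA-video-bytes"),
    ("192.0.2.20", "trip 2011 video.avi", b"AAAA-video-bytes"),  # same content, new name
    ("192.0.2.30", "holiday_video.avi", b"BBBB-other-bytes"),    # same name, other content
    ("192.0.2.30", "notes.txt", b"plain text"),
]

def sha1_base32(data: bytes) -> str:
    """SHA-1 digest (160 bits) in Base32: 32 characters, versus 40 in hex."""
    return base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")

def query(keyword: str):
    """Return 'query hit' records for shared files whose name contains keyword."""
    kw = keyword.lower()
    return [
        {"ip": ip, "name": name, "sha1": sha1_base32(data)}
        for ip, name, data in SHARED
        if kw in name.lower()
    ]

def group_by_hash(hits):
    """Map each hash value to the sorted list of IPs offering that exact content."""
    groups = defaultdict(set)
    for hit in hits:
        groups[hit["sha1"]].add(hit["ip"])
    return {h: sorted(ips) for h, ips in groups.items()}

if __name__ == "__main__":
    hits = query("video")
    for hit in hits:
        print(hit)
    # Two distinct hash values: name matching alone cannot tell which hits
    # carry the same content, while the hash value can.
    print(group_by_hash(hits))
```
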

The Secure Hash Algorithm ("SHA1") value consists of thirty-two characters and was developed by the National Security Administration in 1992. It is more reliable than DNA (in that the likelihood of two individuals coincidentally sharing the same DNA is greater than the likelihood that more than one file will have the same SHA1 value) and a collision between two files with identical SHA1 values but with non-identical content has never been shown to exist. The...
