United States v. Keith, 2013 WL5918524 (D.Mass.)) November 2013

* This is a district court Judge’s ruling on a motion, which has not yet withstood appellate scrutiny.  However the issue presented is important to capture emerging trends in the field.  (Court pleadings and testimony attached).

Defendant is charged with distribution and possession of child pornography in violation of 18 U.S.C. § 2252a.  He filed a motion to suppress statements and evidence obtained as a result of a search of his house by Massachusetts State Police (pursuant to a search warrant).   The issue presented is whether NCMEC and AOL were governmental actors for purposes of the Fourth Amendment.

The Search Warrant:  The application relied upon two separate sources.  The first was from a CyberTipline report made available to the Massachusetts State Police by the National Center for Missing and Exploited Children (NCMEC).  The second came six months after the CyberTipline report, via a Staples store in New Hampshire, when an employee who had conducted repairs on defendant’s laptop noticed filenames describing child pornography.

(AOL): AOL uses two processes to identify instances in which subscribers are replying to, sending or forwarding emails containing apparent child pornography as either attachments or embedded images. One is the Image Detection and Filtering Process (IDFP) the other is photo DNA (pDNA).  AOL does this to support its business model of providing a family-friendly environment for its users.  Members’ exposure to objectionable content may motivate them to move to another Internet Service Provider (ISP).  Therefore AOL attempts to keep its network safer for its users by this process.  pDNA works by imposing a grid on an image, calculating values for the grid and creating a computational value of that image.  If there are enough similarities, a value is derived which shows the image is a likely match or very similar to a previously identified image.  If it is a “hit” an AOL employee will look at the image to determine if  it is apparent child pornography and take appropriate action.  pDNA is not an exact match like MD5 or SHA-2, but it is a very good indicator (read: probable cause strength) that an image is substantially similar to the image in the value set against which images are checked.  If an image is detected via the automatic IDFP (read: MD5), no employee reviews the image and it is automatically referred to NCMEC.  Note that all images in the IDFP hash set have had eyes-on by an AOL employee at some time. The purpose of IDFP is to automate the process so that neither the child nor the employee needs to be re-victimized by opening an already-identified and objectionable image.  pDNA hits are reviewed and referred to NCMEC as appropriate.  AOL and other ISPs have a duty to make this report to NCMEC.  See 18 U.S.C.§ 2258A(a)(1).  Defendant’s information was transmitted to NCMEC because it was an IDFP hit.   

CyberTipline Reports:  Once a CyberTipline report is uploaded to NCMEC, an analyst at NCMEC opens the suspected file to examine its content.  If that image (according to the analyst) meets the federal definition of child pornography, then the Internet Protocol (IP) Address associated with the email which sent the image is geographically located.  At this point NCMEC shares the CyberTipline Report with law enforcement in the jurisdiction where the IP Address is located.  In this case, the IP Address was located in Massachusetts, so NCMEC shared the report with law enforcement in Massachusetts.  From there, law enforcement subpoenas the ISP for subscriber information (name, address, etc…).  In this case, the State Police independently matched the IP address to defendant’s address.

Staples:  In July 2009, a Staples employee alerted the New Hampshire police that a laptop they were repairing contained filenames describing child pornography.  There is no evidence that the employee opened the files to view the content of the images.  The work order for the laptop listed defendant’s name and address.  Defendant was interviewed in mid-August by police and admitted that the laptop was his and he downloaded images of child pornography.

Attack on Fourth Amendment Grounds:  Defendant argued that the inspections by both AOL and NCMEC violated his fourth Amendment rights because he had a reasonable expectation of privacy (REP) in his email.  *The Government in this case never argued that he didn’t have a REP, so the Judge assumed for purposes of this motion that he did.  Based on this assumption, the Judge worked under the premise that any governmental invasion would be a “search” for purposes of Fourth Amendment analysis.

The defendant argued that neither AOL nor NCMEC are private party actors when they screen for child pornography because they have a statutory obligation to do so.  He reasons this statutory obligation makes them governmental agents. *First Circuit precedent analyses this issue with a three factor test: 1) What is “the extent of the government’s role in instigating or participating in the search;” 2) What is “the government’s intent and degree of control it exercises over the search and the private party;” and 3) What is the extent to which the private party aims to help the government or to serve its own interests.” United States v. Silva, 554 F.3d 13 (1st Cir. 2009).

Analysis of AOL’s Actions Under SilvaThe Judge found that AOL is not obligated by statute to detect images of child pornography (contrary to defendant’s assertion), rather its duty is to report those images when found.  The government exercised no control over AOL’s monitoring of its own network. Lastly, AOL was/is motivated by its own interests in seeking to detect and deter the transmission of child pornography.

Analysis of NCMEC’s Actions Under Silva: The Judge found that NCMEC’s sole purpose for examining files uploaded via CyberTipline Reports is to assist in the prosecution of child pornography crimes.  The Judge found that NCMEC is required via statute to report findings of child pornography to local law enforcement, and thus the government exercises control in instigating or participating in the search.  He also found that the CyberTipline serves no private purpose for NCMEC separate from assisting law enforcement.

Expansion of Private Party Search:  If a private party conducts a search, and the government does not expand that search, then no Fourth Amendment problems exist.  If however, the government exceeds/expands the private party search, then Fourth Amendment problems exist.  In this case, the Judge analogized AOL’s private search with Walter v. United States, 447 US 649 (1980).  Basically in Walter, a box was mistakenly delivered to a private company.  The company read the outside label and informed the FBI that it suspected obscene material.  The FBI took possession of the box, opened the box, and viewed the contents inside the box.  The search by the FBI exceeded the private search (which just looked at the outside label of the box).   The Judge in this case likened the outside label of the box (Walter) to the filename/hash noted by AOL here.  And since he previously found NCMEC to be a governmental actor, he reasoned that NCMEC’s opening up of the file (to view the image) exceeded the private search conducted by AOL (which just compared hash values).

The Government argued that NCMEC’s viewing of the file did not expand the AOL search and cited United States v. Jacobsen, 466 U.S. 109 (1984) in support.  In Jacobsen, FedEx employees opened a damaged box and discovered what appeared to be cocaine inside.  They closed the box and contacted the DEA.  The DEA reopened the box and removed the cocaine.  SCOTUS found no separate search.  The Judge in this case was not persuaded, and found Jacobsen to be inapposite, “it is worth noting that matching the hash value of a file to a stored hash value is not the virtual equivalent of viewing the contents of the file.  What the match says is that the two files are identical; it does not itself convey any information about the contents of the file…That is surely why a CyberTipline analyst opens the file to view it, because the actual viewing of the contents provides information additional to the information provided by the hash match.”

Analysis of the Search Warrant in Light of Findings:  The Trooper in this case applied for the search warrant based on both the NCMEC information as well as the Staples information.  An execution of the warrant revealed incriminating physical evidence.  Defendant also waived Miranda and admitted to the possession of child pornography.   Defendant contended at trial that because the search warrant relied on the NCMEC information (now deemed to be a governmental search), the application was tainted by unlawfully obtained information and the warrant was improperly issued.   As a backup, he argued that even if the NCEMC information was excised from the affidavit, there was not enough probable cause to support the issuance of the warrant.

The Judge found that if the evidence from NCMEC was excised from the affidavit, there was a sufficient factual basis based on the Staples information and subsequent admission by defendant (from the Staples investigation) for the issuance of the search warrant.  He also found a good faith exception and that the exclusionary rule should not be applied in this case.

Practitioner Notes: A prudent initial argument to make would be that there is no REP in these types of transmissions.  That argument was not advanced in this case so the Judge immediately assumed REP.  There also seems to be an implication by this Judge that hash values are insufficient to support probable cause.  That would be a flawed interpretation of a number of cases in multiple jurisdictions which support hash values as probable cause.  Additionally the Judge here found that hash values are akin to labels on the outside of boxes, not necessarily the contents of the box.  A stronger presentation that hash values are in fact equivalent to the inside of the box in front of a different Judge might prevail (assuming proper testimony by an expert).

There is no indication that the Government in this case is going to appeal this decision (since they didn’t lose the suppression motion there doesn’t seem to be grounds to do so).  Therefore other prosecutors should be aware of this case, review the pleadings, and be prepared.  In the end, this is one case by one Judge which has not (and most likely will not) be reviewed by an appeals court.

Motion Denied.

Keith Defendant Response 01 02 13

Keith Defense Motion to File Supplemental Brief 07 16 13

Keith Government Brief in Opposition 08 22 13

Keith Government Opposition (initial brief)

Keith mtn to suppress

Keith Order

Keith Reply by Defendant

Keith Supplemental Memo Defendant

Keith Supplemental Memo Mtn to Suppress 08 02 13

Keith transcript testimony

Keith transcript


This entry was posted in Defenses, Expert Testimony, Fourth Amendment, Probable Cause, Search Warrant, Suppression. Bookmark the permalink.

One Response to United States v. Keith, 2013 WL5918524 (D.Mass.)) November 2013

  1. Greg Schiller says:

    In light of Keith, if we get a NCMEC tip from an ESP that does not view the image prior to sending it to NCMEC, then our plan is, that assuming as with AOL that a hash value is recovered and viewed by the automated systems of the ESP, to find that file on our own via the hash value. Either it will be in iur library or we will conduct magnet downloads to acquire the file.

    That should get around the NCMEC issue with Keith. A good start is to run the hash value in a program like cps and use the suite of tools available with cps to download that particular hash value.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s