Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 1 of 12 PAGEID #: 515
IN THE UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF OHIO WESTERN DIVISION UNITED STATES OF AMERICA, Plaintiff, v. JAMES GAVER, Defendant.
: : : : : : : : :
CASE NO. 3:16-CR-88
UNITED STATES’ RESPONSE IN OPPOSITION TO DEFENDANT’S MOTION FOR DISCLOSURE OF DISCOVERY The United States of America, by and through the undersigned Assistant United States Attorney, files this response in opposition to Defendant’s motion for disclosure of discovery (R. 14). Because the information requested is immaterial and subject to qualified law enforcement privilege, his motion should be denied.
Respectfully submitted, BENJAMIN C. GLASSMAN United States Attorney /s/Andrew J. Hunt ANDREW J. HUNT (0073698) Assistant United States Attorney 200 West Second Street, Suite 600 Dayton, Ohio 45402 Office: (937) 225-2910 Fax: (937) 225-2564
[email protected]
1
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 2 of 12 PAGEID #: 516
BACKGROUND Between February 20, 2015 and March 4, 2015, the FBI had taken over the “Playpen” website and attempted to identify individuals who were logging into Playpen to access child pornography. (R. 13, Govt. Response to Motion to Suppress, Ex. A, NIT Warrant; Ex. B, 514 Forrer Blvd. Search Warrant, ¶ 25). Because Playpen was hosted on the Tor network (which effectively hides the identifying information of accessing computers), the FBI applied for and obtained a warrant (from the Eastern District of Virginia) granting authority to employ a Network Investigative Technique (“NIT”) to identify those logging into Playpen. (R. 13, Govt. Response to Motion to Suppress, Ex. A, NIT Warrant, ¶¶ 7-9; Ex. B, 514 Forrer Blvd. Search Warrant, ¶ 25). In summary, when an individual logged into Playpen and accessed child pornography files, the NIT code was included in the data sent back to the individual’s computer from the Playpen website, causing the user’s computer to transmit certain information about the computer, such as its name, IP address, and other identifying data about the computer to the FBI. (R. 13, Govt. Response to Motion to Suppress, Ex. A, NIT Warrant, Attachment A and ¶¶ 31-37; Ex. B, 514 Forrer Blvd. Search Warrant, ¶ 25). The data the FBI received from the NIT revealed that a particular computer accessed Playpen website in February/March 2015. (R. 13, Govt. Response to Motion to Suppress, Ex. B, 514 Forrer Blvd. Search Warrant, ¶¶ 26-35). The computer logged into the Playpen website under the username “ronj13.” (Id. at ¶ 28). The NIT revealed that the computer had the hostname “Jim-HP” with logon name “Jim,” and that it had used a certain IP address. (Id. at ¶¶ 28, 31). Through the use of legal process, this IP information ultimately led investigators to identify the computer’s location, namely Gaver’s apartment in Kettering. (Id. at ¶ 30). On July 23, 2015, the FBI applied for and obtained a search warrant from this Court to search Gaver’s
2
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 3 of 12 PAGEID #: 517
apartment. (Id. at “Search Warrant”). On July 27, 2015, the search warrant was executed at Gaver’s apartment and the FBI seized computers and external storage media. (R. 13, Govt. Response to Motion to Suppress, Ex. B, 514 Forrer Blvd. Search Warrant, Inventory). Ultimately, a forensic examination revealed that they contained child pornography and had accessed child pornography websites. On September 14, 2015, after the search warrant was executed at his apartment, Gaver contacted Special Agent Andrea Kinzig and voluntarily appeared at the FBI office, where he was interviewed. (Exhibit 1, Report by Special Agent Kinzig date of entry 10/7/15, Page 1). 1 During the interview, Gaver said he had viewed child pornography since 2003, and that he had accessed the Playpen website through the Tor network over the past two years. (Id. at 2). He confirmed that he used the “ronj13” user name on Playpen. (Id. at 2). Gaver stated that he had deleted his child pornography collection approximately three months earlier, but that he had had subsequently reengaged in his child pornography activities, which he stored directly on an encrypted thumb drive (i.e., PNY USB thumb drive). (Id. at 3). Gaver said that he saved the child pornography files directly onto the thumb drive without first saving them to his computer hard drive. (Id.) Gaver described having previously used other computers from the apartment to access child pornography, including an HP computer, and stated that he alone had accessed child pornography on the computers and associated devices. (Id. at 4, 7, 11). Gaver described some of the child pornography his devices contained, which included images of toddlers and infants being sexually abused. (Id. at 12). When confronted with the fact that child pornography was found on some of the devices other than the PNY USB thumb drive, Gaver surmised that they were old computer files he had forgotten to or unsuccessfully deleted. (Id. at 11).
1
The report has been redacted to remove identifying information (i.e., social security numbers, phone numbers, etc.) and the names of others.
3
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 4 of 12 PAGEID #: 518
Based on the child pornography matters found in Gaver’s computers, Gaver was indicted on June 16, 2016 for violations of 18 U.S.C. §§ 2252(a)(4)(B) and (b)(2), “Possession of child pornography/knowingly accessing with intent to view child pornography;” and 18 U.S.C. §§ 2252(a)(2) and (b)(1), “Receipt of child pornography.” The following table reflects the count of the indictment, offense alleged, offense date alleged, and the computer device on which the child pornography was allegedly accessed/possessed/received:
COUNT
OFFENSE
Count One
18 U.S.C. § 2252(a)(4)(B) Possession of child pornography
Count Two
18 U.S.C. § 2252(a)(4)(B) Accessing child pornography 18 U.S.C. § 2252(a)(4)(B) Accessing child pornography
Count Three
DATE OF DEVICE(S) OFFENSE 7/27/15 Compaq computer, HP Pavilion computer, Samsung External Hard Drive, Toshiba 8 GB thumb drive, PNY USB thumb drive, Apple I-Mac computer 7/27/14 Compaq computer 9/12/14
Compaq computer
Count Four
18 U.S.C. § 2252(a)(4)(B) Accessing child pornography
7/26/15
HP Pavilion computer
Count Five
18 U.S.C. § 2252(a)(2) Receipt of child pornography 18 U.S.C. § 2252(a)(2) Receipt of child pornography
7/12/15
HP Pavilion computer
6/7/15
PNY USB Thumbdrive
Count Seven
18 U.S.C. § 2252(a)(2) Receipt of child pornography
6/12/15
PNY USB Thumbdrive
Count Eight
18 U.S.C. § 2252(a)(2) Receipt of child pornography
6/20/15
PNY USB Thumbdrive
Count Nine
18 U.S.C. § 2252(a)(2) Receipt of child pornography
7/6/15
PNY USB Thumbdrive
Count Six
4
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 5 of 12 PAGEID #: 519
Count Ten
18 U.S.C. § 2252(a)(2) Receipt of child pornography
3/1/15
Toshiba 8 GB thumb drive
Count Eleven
18 U.S.C. § 2252(a)(2) Receipt of child pornography
4/17/15
Toshiba 8 GB thumb drive
Count Twelve
18 U.S.C. § 2252(a)(2) Receipt of child pornography
6/5/15
Samsung external hard drive
The United States has provided discovery to Gaver in compliance with Rule 16 of the Federal Rules of Criminal Procedure, either by making copies of relevant documents or making them available for inspection (e.g., the child pornography at issue in this case). On September 16, 2016, Gaver filed a “Motion for disclosure of discovery,” that seeks all components of the NIT code, to include the “payload, exploit, identifier, and server components.” (R. 14, Motion for disclosure of discovery, PageID # 395). Notwithstanding the United States’ position that it is immaterial to Gaver’s defense, the United States (subject to a protective order) is amenable to providing certain components of the NIT code and NIT-related information, namely: i. the “payload,” that is, the computer instructions sent to Gaver’s computer and executed that produced the NIT results; ii. the information collected by the NIT – that is, the IP address, MAC address, operating system, etc., along with the rest of Gaver’s activity on the website. The existence of the report that details this information, and that it is available for inspection, was disclosed in discovery on or about July 11, 2016; iii. a two-way network data stream (also called “PCAP” data) between Gaver’s computer and the government’s computer that can be used to verify the accuracy of the NIT results; iv. the computer code used to generate unique identifiers related to the NIT.
5
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 6 of 12 PAGEID #: 520
Further, the United States is willing to make available a forsenic copy of Gaver’s HP computer, which counsel and/or his experts can examine. However, the United States should not have to disclose the “exploit” and “server components,” not only because they are immaterial, but also because they are subject to qualified law enforcement privilege. 2
ARGUMENT Gaver’s “Motion for disclosure of discovery” should be denied because he has not established that the disputed portions of the NIT code (i.e., the exploit and server components) are material to his defense. Additionally, these portions of the NIT code are subject to qualified law enforcement privilege. With one exception, every court that has considered this discovery issue and that the undersigned is aware has rejected defense requests for the entire NIT code. See United States v. Darby, No. 16-cr-036, R. 49 Opinion and Order, page 12 (E.D. Va. Aug. 12, 2016); United States v. Matish, No. 4:16-CR-16, 2016 WL 3545776, *8 (E.D. Va. June 23, 2016); Jean, 2016 WL 6886871, *7; United States v. McLamb, No. 16-cr-092, 2016 WL 6963046, *8 (E.D. Va. Nov. 28, 2016); but see United States v. Michaud, No. 15-5351, R. 212 Opinion and Order (May 25, 2016)(finding NIT information legitimately withheld but still material, and excluding NIT-derived evidence). Notably, a few months later, the same court that issued Michaud found the entire NIT code non-discoverable because it was not relevant or helpful to the defense, effectively reversing its earlier holding on this matter. Tippens, et al., 3:16-cr-05110-RJB, R. 106 Order, pages 27-28.
2
As indicated in United States v. Tippens, et al., 3:16-cr-05110-RJB, R. 106 Order, pages 19-27 (W.D. Wash. November 30, 2016); and United States v. Jean, No. 15-cr-50087, 2016 WL 6886871, *8 (W.D. Ark. Nov. 22, 2016), the disputed portions are also subject to the Classified Information Procedures Act (CIPA).
6
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 7 of 12 PAGEID #: 521
I.
Gaver fails to make a prima facie showing of materiality. Under Federal Rule of Criminal Procedure 16, a criminal defendant has a right to inspect
documents, data, or tangible items within the government’s “possession, custody, or control,” that are “material to preparing the defense.” Fed. R. Crim. P. 16(a)(1)(E). “[I]n the context of Rule 16, ‘the defendant’s defense’ means the defendant’s response to the government’s case in chief.” United States v. Armstrong, 517 U.S. 456, 462 (1996); see also United States v. Pirosko, 787 F.3d 358, 367 (6th Cir. 2015). To obtain disclosure of documents or objects under Rule 16(a)(1)(E)(i), a defendant must make a prima facie showing of the item’s materiality. United States v. Clingman, 521 Fed.Appx. 386, 392 (6th Cir. 2013) (citing United States v. Phillip, 948 F.2d 241, 250 (6th Cir. 1991)). In order to be material, “there must be some indication that pretrial disclosure [of the evidence] would have enabled the defendant to ‘alter the quantum of proof in his favor’...” Clingman, 521 Fed.Appx. at 392 (quoting United States v. Stevens, 985 F.2d 1175, 1180 (2d Cir. 1993)). Conclusory arguments are insufficient to establish materiality. Phillip, 948 F.2d at 250. In Matish, the defense alleged that it needed the entire NIT code in order to challenge the link between Matish’s computer and the Playpen website, and to support a defense that the NIT compromised Matish’s computer’s security setttings and potentially allowed a third party to place child pornography on it. Matish, 2016 WL 3545776 at *6. After considering information from
FBI agent about the workings of the NIT code, as well as declarations by the defense’s experts, the court found the entire NIT code (particularly the “exploit”) was immaterial to Matish’s defense and denied his request. Id. at *6-8. Noting that Matish’s defense team had not even examined his computer or tested the NIT themselves on a different computer even though it was
7
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 8 of 12 PAGEID #: 522
available to them, the court found that the request was based merely upon speculation, and that they had not offered any evidentiary in support of their theories. Id. at *6-7. Subsequently in McLamb, the defense filed a motion to compel the government to turn over the NIT code (including the exploit) because – among other matters – it suspected that the NIT could have carried out functions outside the scope of the NIT warrant, that McLamb’s computer’s security had been compromised and perhaps vulnerable to others putting child pornography onto it, and to confirm government representations of how the NIT worked. McLamb, 2016 WL 6963046 at *8. The court noted that McLamb had not taken advantage of the government’s offer to examine his computer for signs of hacking, presented no evidence that the computer was hacked, not examined the computer instructions that generated the identifying data and the identifying data itself, nor offered any evidence that contradicted the government’s claims. Id. at *7-8. Characterizing McLamb’s request as a “fishing expedition” that effectively asserted that “he cannot know what evidence he is looking for until he finds it,” the court found McLamb had not demonstrated the materiality of the entire NIT code, and rejected his motion to compel its disclosure. Id. at *8. Gaver fails to make a prima facie showing that explains how revealing the entire NIT code would alter the evidence in his favor. The United States will not be introducing the NIT code or how it works in its case in chief, as it was simply an investigative lead that agents used to develop probable cause for a search warrant of Gaver’s apartment. The NIT obtained: 1) the IP address and 2) host/logon name for Gaver’s computer. A review of the 514 Forrer Blvd. Search Warrant 3 reveals that this was the only NIT-related information used in that warrant. Whether the NIT was theoretically capable of obtaining or doing more is irrelevant because the 514 Forrer
3
See R. 13, Govt. Response to Motion to Suppress, Ex. B, 514 Forrer Blvd. Search Warrant, ¶ 28.
8
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 9 of 12 PAGEID #: 523
Blvd. Search Warrant was based on that information (which was within the scope of the NIT Warrant). Gaver’s statements and the nature of the instant charges further undermine his materiality claim. The NIT was deployed only after Gaver logged in and accessed the Playpen site from his HP computer on February 23, 2015. 4 He has not shown how it has bearing on the child pornography found on the other computers and electronic devices. None of the charges arise from when Gaver accessed the Playpen site in conjunction with the deployment of the NIT. The charges with regard to the HP computer relate to the access and receipt of child pornography in July, 2015, months after the NIT was employed. Gaver himself stated that the child pornography images on his computers were either old images he forgot to delete or were images he downloaded approximately three months before the July 27, 2015 search of his home. Regarding Gaver’s challenges to the NIT Warrant, he likewise fails to identify how the NIT code’s operation is material. The NIT code mechanics have no bearing on whether the magistrate judge had jurisdiction to issue the NIT Warrant, whether the agent acted in good faith in relying on the propriety of the warrant, whether the NIT Warrant was supported by probable cause, whether Rule 41 of Federal Rules of Criminal Procedure applied to the NIT Warrant, or the necessity of a Franks hearing. Gaver submits only conclusory claims that the entire NIT code is material and cites Michaud, a holding no other court has followed and which was effectively overridden by the same judge in Tippens, et al. (on the basis that revealing the entire NIT code was not helpful or relevant to the defense 5). Absent a more particularized showing, and in light of what the United
4 5
See R. 13, Govt. Response to Motion to Suppress, Ex. B, 514 Forrer Blvd. Search Warrant, Ex. B, ¶ 28. Tippens, et al., 3:16-cr-05110-RJB, at pages 26-27.
9
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 10 of 12 PAGEID #: 524
States is willing to provide, Gaver has not shown the entire NIT code is material. Therefore, the Court should deny his motion.
II.
The qualified law enforcement privilege should apply to portions of the NIT code. The Sixth Circuit and others have recognized a qualified law enforcement privilege in
response to a defendant’s discovery requests for sensitive investigative techniques. Pirosko, 787 F.3d at 365; United States v. Van Horn, 789 F.2d 1492, 1507-08 (11th Cir. 1986)(extending privilege to the nature and location of electronic surveillance equipment); United States v. Green, 670 F.2d 1148, 1155 (D.C. Cir. 1981)(privilege covers the location of hidden police observation posts). Courts apply a balancing test as to the government’s need to protect the information versus the defendant’s articulated need. Pirosko, 787 F.3d at 365. While no uniform procedure appears applicable to considering those needs, courts have allowed in camera hearings in order for the government to present evidence regarding the law enforcement need. United States v. Sierra-Villegas, 774 F.3d 1093, 1099 (6th Cir. 2014); United States v. Sharp, 778 F.2d 1182, 1187 (6th Cir. 1985); United States v. Tenorio-Angel, 756 F.2d 1505, 1509 n. 7 (11th Cir. 1985)(noting the Supreme Court has indicated that in camera hearings are appropriate). The privilege is overcome only when the withheld information is “relevant and helpful to the defense of an accused, or is essential to a fair determination of a cause.” Sierra-Villegas, 774 F.3d at 1098 (quoting Rovario v. United States, 353 U.S. 53 (1957)). However, the court need not conduct an in camera hearing where the defendant fails to identify how the information sought could be of “genuine assistance in his defense.” Sierra-Villegas, 774 F.3d at 1099 (citing Sharp, 778 F.2d at 1187).
10
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 11 of 12 PAGEID #: 525
In Van Horn, defendants sought information as to where and what kind of hidden microphones were used to intercept conversations in an office, which was rejected by the trial court. Van Horn, 789 F.2d at 1507. On appeal, the Eleventh Circuit noted that the qualified law enforcement privilege extended to this kind of information, and that courts must use a balancing test to determine whether the privilege should give way to the defendant’s need for the information. Id. at 1508. Specifically, the Eleventh Circuit noted that electronic surveillance “is an important tool of law enforcement, and its effectiveness should not be compromised.” Id. The defendants argued that the information was necessary to confirm that their voices had not been distorted, resulting in improper voice identifications, but the appellate court found that necessity had not been shown after the district court conducted an in camera hearing that confirmed the microphones reliably and accurately recorded voices. Id. Here, the United States has a need to protect the “exploit” and “server components” related to the NIT. Disclosure would hamper future investigations and allow individuals to develop countermeasures to the NIT. Despite the United States’ arguments to the contrary, if the Court determines that the entire NIT code is material, the United States would request an in camera and ex parte hearing to present evidence about the government’s need to protect these portions of the NIT code. 6
6
Gaver suggests that turning over the entire NIT code to the defense team subject to a protective order would sufficiently safeguard that material. (R. 14, Motion for disclosure of discovery, PageID #395). However, at least one district court, after receiving information about the NIT’s importance and conducting the balancing test, has specifically concluded such a scenario insufficient to protect this investigatory technique. United States v. Jean, 5:15-CR-50087-001, 2016 WL 6886871 at *7 (W.D. Ark. November 22, 2016). The court concluded there was a risk that the material may be inadvertently leaked, and that the experts exposed to the information would have the ability to later build their own exploit or assist others in doing so, which was too much of a public risk. Id.
11
Case: 3:16-cr-00088-WHR Doc #: 26 Filed: 12/16/16 Page: 12 of 12 PAGEID #: 526
CONCLUSION For the foregoing reasons, the Court should deny Gaver’s motion for disclosure of discovery.
Respectfully submitted, BENJAMIN C. GLASSMAN United States Attorney /s/Andrew J. Hunt ANDREW J. HUNT (0073698) Assistant United States Attorney 200 West Second Street, Suite 600 Dayton, Ohio 45402 Telephone: (937) 225-2910 Fax: (937) 225-2564
[email protected]
CERTIFICATE OF SERVICE I hereby certify that a copy of the foregoing was served this 16th day of December 2016, upon Thomas Anderson, attorney for James Gaver, by electronic filing. /s/Andrew J. Hunt ANDREW J. HUNT (0073698) Assistant United States Attorney
12