Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

United States v. Hoeffener

United States District Court, E.D. Missouri, Eastern Division

May 9, 2018

UNITED STATES OF AMERICA, Plaintiff,
v.
ROLAND HOEFFENER, Defendant.

          ORDER AND REPORT AND RECOMMENDATION

          PATRICIA L. COHEN, UNITED STATES MAGISTRATE JUDGE

         This matter is before the Court[1] on Defendant's Motion to Suppress Evidence and Request for a Hearing Pursuant to Franks v. Delaware [ECF No. 29].[2] The Court held an evidentiary hearing on Defendant's Motion to Suppress and preliminarily denied the request for a Franks hearing.[3] Based upon the arguments of the parties and the evidence adduced at the hearing, the Court recommends denial of Defendant's motion and request for a Franks hearing.

         Background

         The Government charged Defendant with violating 18 U.S.C. § 2252A(a) by: (1) receiving over the internet videos and images of child pornography; and (2) possessing two storage devices containing images and videos of child pornography [ECF Nos. 56 and 57]. Each of the three counts includes a list identifying four visual depictions of a minor allegedly engaging in sexually explicit conduct. Defendant filed a motion to suppress evidence and a request for a Franks hearing. As grounds for a Franks hearing, Defendant contends: (1) in his opening motion that the search warrant affiant's claims that the images referenced in the search warrant constitute child pornography are an overstatement and therefore misleading;[4] and (2) in his post-evidentiary hearing memorandum that the search warrant affiant intentionally withheld from the reviewing judge information that the referenced images were not “files of interest.”[5]

         As grounds for the motion to suppress evidence, Defendant states in his opening motion that: (1) he had a reasonable expectation of privacy in the content of his online communications through the BitTorrent peer-to-peer network; (2) the information obtained from his computer by law enforcement using Torrential Downpour was not in “plain view;” (3) use of Torrential Downpour is a violation of the Electronic Communications Privacy Act (“ECPA”) 18 U.S.C. §§ 2510-2522; (4) the search warrant was not based on probable cause because it was issued as a result of “omissions pertaining to BitTorrent and the investigators (sic) use of Torrential Downpour;” and (5) the state circuit court judge who issued the search warrant (“issuing judge”) lacked the technological expertise to determine probable cause and “abdicated his role as a neutral and detached magistrate.” In the post-evidentiary hearing memorandum, Defendant adds a ground absent from his initial motion: the search warrant lacks probable cause because “the evidence does not conclusively support that a single source download was performed on Defendant's computer.” The Government opposes a Franks hearing on the grounds the two images contained in the search warrant affidavit meet the definition of child pornography under United States v. Dost, 636 F.Supp. 828 (S.D. Cal. 1986), [6] aff'd sub nom., United States v. Wiegand, 815 F.2d 1239 (9th Cir. 1987), and the descriptions of the images do not constitute false statements. The Government also contends that Defendant has not demonstrated that the search warrant contains omissions related to BitTorrent or Torrential Downpour.

         With respect to the Motion to Suppress Evidence, the Government argues that Defendant does not have a legitimate expectation of privacy “when sharing files with unknown peers” on the BitTorrent network. More specifically, the Government asserts that the law enforcement computer was an “intended recipient” of shared data, i.e. Defendant voluntarily sent information about the incriminating files to the law enforcement computer. In addition, the Government does not rely on the “plain view” exception to the warrant requirement to support its use of Torrential Downpour. With respect to ECPA, the Government contends that law enforcement did not violate ECPA “because they did not intercept any contents of Defendant's electronic communications.” Furthermore, the Government rejects the assertion that the search warrant affidavit contains omissions sufficient to prevent a finding of probable cause. The Government also argues that the issuing judge was a “neutral party” and capable of determining probable cause. Finally, the Government asserts that the law enforcement computer's “log files” conclusively demonstrate a single-source download occurred during use of Torrential Downpour.

         Facts

         A. The Investigation

         1. Detective Bobby Baine

         On December 15, 2012, Detective Bobby Baine of the St. Louis Metropolitan Police Department was running a software program called Torrential Downpour on the department computer system. Torrential Downpour is a law enforcement “software program configured to search the BitTorrent network for [Internet Protocol (“IP”) addresses] … offering to share or possessing files known to law enforcement that contain images/videos of child pornography.”[7]Torrential Downpour connected to an IP address in the St. Louis area after discovering the IP address had videos or images of child pornography known to law enforcement. Shortly thereafter, Detective Baine checked his computer's logs to determine if any files were downloaded from the suspect IP address. Detective Baine located 196 images in one file and, following a review, identified two of the downloaded images that he believed were child pornography.

         After concluding that the download contained child pornography, Detective Baine prepared a subpoena intended to determine the physical address for the suspect subscriber's IP address. To that end, the subpoena was directed to AT&T Internet Services on January 22, and the results were received on February 5, 2013.

         Detective Baine testified that Torrential Downpour cannot access non-public areas of a suspect computer. Detective Baine also testified that if his computer was “blocked, ” he would not be able to connect to the suspect IP address. In addition, Detective Baine explained that in contrast to the way users normally participate in the BitTorrent network, the law enforcement software does not allow the law enforcement computer to share files from it.

         2. Detective Dustin Partney/the search warrant

         In 2013, Dustin Partney, a detective with the St. Louis County Police Department, worked in the Special Investigations Unit. The Special Investigations Unit primarily investigated internet crimes against children. Detective Partney was the affiant on the search warrant directed to Defendant's home address. Detective Partney received approximately a month of training prior to drafting the search warrant. Prior to the search warrant used in Defendant's case, Detective Partney had drafted one search warrant affidavit and assisted on approximately eight search warrants.

         Detective Partney learned of the investigation with respect to Defendant through a contact from Sergeant Adam Kavanaugh, Detective Partney's supervisor in the Special Investigations Unit. The investigation was initiated by Detective Bobby Baine of the St. Louis Metropolitan Police Department through an undercover operation on the BitTorrent network. Detective Baine identified an IP address “that was displaying the willingness to share … and that they possessed child pornography.” Detective Baine downloaded 196 image files from the IP address that was the subject of the investigation - - later identified as Defendant's IP address. Two of the images downloaded from Defendant's IP address formed the basis for the search warrant.

         In the search warrant affidavit, Detective Partney describes the images as follows:

1. File name: spread.em.chan12\125943702341 Description: An image file depicting a prepubescent female lying on her right side. The female is pulling her panties to the side, exposing the side of her vagina and anus.
2. File name: spread.em.chan12\1125946249912 Description: An image file depicting a prepubescent female lying on her back with her legs spread, exposing the pubic area and making the focal point of the image her vagina.

         The issuing judge did not view the images described in the affidavit prior to issuing the warrant.[8]

         Detective Partney did not include information in the description that the subjects of the images were clothed. More specifically, Detective Partney did not state in his description that each subject's “actual vagina” was covered.

         3. Post-seizure forensic examinations

         a. Torrential Downpour/Detective Robert Erdely [9]

         Detective Robert Erdely currently works for the Indiana County, Pennsylvania District Attorney's Office as a county detective. Detective Erdely has investigated peer-to-peer file sharing since approximately 1998 when he joined the Pennsylvania State Police's Computer Crime Unit. He has been involved in developing investigative software that is “used by law enforcement across the country and around the world.” Detective Erdely has testified approximately 50 times as an expert in computer forensics and on-line investigations.

         Detective Erdely explained that, through use of Torrential Downpour, a law enforcement investigator is able to observe the IP address of computers seeking to obtain or share the torrent the investigator is investigating. The investigator then chooses a computer's IP address, and port for Torrential Downpour to connect to. Torrential Downpour next ascertains whether the suspect computer has the suspect torrent, and, if so, directly connects to the suspect computer. Torrential Downpour logs the date, time and infohash of the activity occurring during the investigation, the path and file name investigated, and the investigated computer's IP address, port identifier and BitTorrent software.

         Detective Erdely reviewed the log for Detective Baine's December 15, 2012 investigation. The log confirmed that the investigated computer contained all pieces of the torrent investigated, “did not need anything from the investigating computer, ” and provided the data during one connection.

         Detective Erdely testified that Torrential Downpour does not access encrypted material on a computer, but while uTorrent is “downloading to an encrypted volume” the data “is in a decrypted state” and shared. When the user “unmounts [the downloaded data] so it is no longer accessible, ” the sharing stops because data is now encrypted and BitTorrent software “cannot see” the encrypted data. Encrypted data “cannot be accessed unless it is decrypted and connected to [or] in a computer.” Additionally, if a user accesses data through a Virtual Private Network, Torrential Downpour “still sees” the computer's IP address, but at a different location, and law enforcement is able to locate the computer after further investigation of the log information. According to Detective Erdely, Torrential Downpour cannot access unshared portions of an investigated computer or override settings on that computer.

         b. Officer Steven Grimm

         Steven Grimm is a Webster Groves, Missouri police officer who has been detached full-time to the Regional Computer Crimes Education and Enforcement Group (“RCCEEG”) for approximately ten years. He has an undergraduate certificate in management information systems from St. Louis University as well as a bachelor's degree in English and a master's degree in organizational security administration. He also has digital forensics training through the National Computer Forensics Institute. He has forensically examined thousands of devices in child pornography investigations.

         Over the course of approximately two months, Officer Grimm examined Defendant's computers and computer devices, consisting of 48 items, including computers, external hard drives, thumb drives, CDs, DVDs, and other items. Officer Grimm determined that the uTorrent file sharing application was installed on “Item 45.” Officer Grimm advised that the uTorrent application saved .torrent files to the L drive. A storage device was attached to the L drive. Officer Grimm testified that he found items of child pornography on the L drive and that files could be shared from other locations on Defendant's computer. Officer Grimm also advised that he found references to the spread.em files mapped to the Y drive, “whether or not that data was resident on Item 45 or on another device.” Officer Grimm discussed the presence of “encrypted containers” on Defendant's computer system, noting that there were multiple encrypted containers. Officer Grimm was unable to access any of Defendant's encrypted containers.

         c. Michele Bush

         Michele Bush is the daughter of Tami Loehrs, owner of Loehrs & Associates in Tuscon, Arizona, a computer forensics firm. Ms. Bush is an employee of Loehrs & Associates. Ms. Bush graduated from the University of Arizona in 2015 with a degree in psychology. She is 24 years old and stated she began testing peer-to-peer networks at fourteen years old, or, as she put it, “as a kid.” She testified in one previous federal court proceeding. She has no formal training in the forensics of peer-to-peer applications but has participated in several “labs.” Specifically, with respect to BitTorrent network and uTorrent software, Ms. Bush's experience consisted of “[t]esting and researching on [her] own and as well as [what she had been taught] in lectures and labs.” Defendant retained Ms. Bush to consult “regarding the Government's forensic examination.” She reviewed Detective Partney's affidavit and the police report as well as the RCCEEG forensics report, supplemental forensic reports, and a “details log” generated by the Torrential Downpour software.[10] Ms. Bush's experience with Torrential Downpour included demonstrations facilitated by Detective Erdely, observation of Detective Erdely's live testimony and Detective Erdely's affidavits.

         Ms. Bush testified that she performed a forensic examination of Defendant's seized computer equipment, particularly Item 45, the computer found to have the file sharing application uTorrent. Her examination consumed approximately fifteen hours. She determined that Defendant set the uTorrent application to save downloads to a specific directory - the L directory. On cross-examination, Ms. Bush acknowledged that at the time Defendant downloaded the suspect images to the law enforcement computer running Torrential Downpour, Defendant's setting could have mapped to the Y drive. Ms. Bush also conceded that the uTorrent software running on Defendant's computer could share files from either a Y drive or an L drive “[a]s long as it's mapped and attached currently.” Ms. Bush also testified to Defendant's use of an anti-malware software program, Malwarebytes. At the time Torrential Downpour identified Defendant's IP address, Defendant was blocking numerous IP addresses through Malwarebytes. Prior to attending the evidentiary hearing, Ms. Bush did not know the IP address used by Detective Baine's computer when it connected with Defendant's computer through Torrential Downpour. Upon learning the address at the hearing, however, Ms. Bush testified that the log of all addresses blocked by Malwarebytes did not include Detective Baine's IP address.

         Ms. Bush also testified to some general features of the uTorrent software Defendant had installed on his computer. She stated that uTorrent warns the user that it is an “open publicly available file sharing network, ” that the user will be sharing files “with other users on the network, ” and that the user may “have no idea who those other users are.” Finally, with respect to hacking, Ms. Bush did not analyze Defendant's computer for evidence of hacking. In particular, when asked if she found any evidence that Torrential Downpour had hacked into non-public areas of Defendant's computer, Ms. Bush stated: “I didn't do a hacking analysis, so I can't say one way or another.”

         Discussion

         A. Request for ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.