From Casetext: Smarter Legal Research

United States v. Harney

UNITED STATES DISTRICT COURT EASTERN DISTRICT OF KENTUCKY NORTHERN DIVISION COVINGTON
Mar 1, 2018
CRIMINAL ACTION NO. 16-38-DLB-CJS (E.D. Ky. Mar. 1, 2018)

Summary

finding that the defendant's arguments in support of his need for the software were closer to Pirosko than Budziak because he "merely alleged he might find evidence in support of his defense if his expert [was] provided the opportunity to analyze the requested information in its entirety"

Summary of this case from United States v. Gonzales

Opinion

CRIMINAL ACTION NO. 16-38-DLB-CJS

03-01-2018

UNITED STATES OF AMERICA PLAINTIFF v. JEFFREY HARNEY DEFENDANT


MEMORANDUM ORDER

* * * * * * * * * *

This matter is before the Court on Defendant Jeffrey Harney's Motion for Discovery, wherein he moves the Court to order the full production of the Government's NIT source code and a copy of the Playpen homepage as it appeared on February 20, 2015. (Doc. # 40). The Government has filed its Response to the Motion for Discovery (Doc. # 47), and Defendant has filed his Reply. (Doc. # 61).

At Defendant's request, this Motion for Discovery has been held in abeyance pending Defendant's procurement of a forensic computer expert, with whom Defendant wished to consult about possibly offering an affidavit or other evidence in support of Defendant's asserted need for this discovery. See Docs. # 70, 91. At the recent Final Pretrial Conference, defense counsel advised that his computer expert's report is complete and has been provided to the Government. See Doc. # 97. That expert report has also now been filed of record. (Doc. # 96). Defense counsel having further advised the Court that Defendant stands on his Motion for Discovery as filed, it now being ripe for adjudication with the filing of the expert report.

Although this Motion was initially referred to the Magistrate Judge for adjudication pursuant to Standing Referral Order, see Doc. # 7, given the impending trial date, the Motion will be addressed directly by the District Court via this Order. For the reasons set forth below, Defendant's Motion for Discovery (Doc. # 40) will be denied.

I. BACKGROUND

Defendant is charged in this case with four counts of knowingly receiving child pornography in violation of 18 U.S.C. § 2252(a)(2), one count of knowingly possessing child pornography in violation of 18 U.S.C. § 2252(a)(4)(B), and a forfeiture allegation. (Doc. # 3). In his Motion for Discovery, Defendant argues he cannot investigate potential defenses without all of the information sought pertaining to the NIT, the tool implemented by the FBI to assist in identifying Defendant in this case. (Doc. # 40 at 3). Defendant also argues that Playpen's homepage as it appeared on February 20, 2015, is necessary to determine if the Government's description of the website in seeking the NIT warrant was consistent with the actual appearance of the homepage. Id. at 3-4.

A. Factual Background

A more detailed recitation of the case facts is set forth in the Magistrate Judge's Report and Recommendation (R&R) to deny Defendant's Motion to Suppress (Doc. # 78, at 2-7) and in the District Court's Order adopting that R&R. (Doc. # 90, at 1-3).

The charges against Defendant stem from a Government investigation of a website known as "Website A" or the "Playpen" that began in 2014. The Playpen was only accessible through The Onion Router ("TOR") network; a hidden network designed to allow its users a high degree of anonymity. (Doc. # 36, at 14). In January 2015, after a foreign law-enforcement agency provided the FBI with a suspected IP address for the Playpen website, the FBI obtained a search warrant, seized the server, and placed a copy of it into a Government-controlled server in Newington, Virginia. Id. at 25-30.

On February 20, 2015, the Government obtained a search warrant granting permission to continue operating the Playpen in order to locate and identify the administrators and users of the website. Id. at 27. The Government could not use publicly-available searches to accomplish this task, and thus requested and received authorization to deploy a Network Investigative Technique ("NIT") on the server located in Newington, Virginia, in order to obtain information that could be utilized to help identify the users of the Playpen. Id. Once the NIT was deployed, anytime a user logged into the Playpen website using their unique username and password, the NIT would cause the user's computer to send certain information to a computer controlled by the Government in the Eastern District of Virginia. Id. at 28. The information transmitted included: the user's IP address; a unique identifier generated by the NIT; the type, version, and architecture of the user's computer's operating system; information about whether the NIT had already been delivered to that computer; the computer's host name; the operating system username; and the computer's media access control (MAC) address. Id. at 29. This information would then allow the Government to begin identifying the user. Id. at 30.

To gain this information, the NIT utilized several different components to bypass the TOR network's anonymity and access the users' information. These components were: (1) the payload, comprised of computer instructions sent to the defendants' computers that produced NIT results; (2) the PCAP, which was the 2-way network data stream between the defendants' computers and the government's computers used to verify the accuracy of the gained information; (3) the computer code, which was the unique code used to generate unique identifiers related to the NIT; (4) the exploit, meaning the code used to circumvent the TOR network's security features; and (5) the server component, which was the tool used to store the information gathered by the NIT. See United States v. Jones, No. 3:16-cr-026, 2017 U.S. Dist. LEXIS 216572, *14 (S.D. Ohio Aug. 28, 2017) (discussing the components of this same NIT); United States v. Gaver, No. 3:16-cr-88, 2017 WL 1134814, **2-3 (S.D. Ohio Mar. 27, 2017) (same).

As a result of the operation of the NIT, the FBI identified Defendant Harney as a Playpen user. (Doc. # 36, at 30-31). More specifically, from the information gathered by the NIT, law enforcement learned the host name and logon name used to access the site, the computer's MAC address and operating system. (Id. at 28). Upon further investigation, this information was used to identify the physical address associated with the IP address, which law enforcement determined was Defendant's address. Id. at 29-31. A search warrant of the residence was obtained and executed, wherein the FBI seized multiple items of electronic media and computer equipment that the Government contends belong to Defendant. (Doc. # 46-1 at 2). The Government contends Defendant made a recorded statement admitting to downloading child pornography on numerous occasions, and that a forensic examination of some of the items seized confirmed the presence of over 3,640 images depicting child pornography, including over 1,100 videos. (Doc. # 46 at 13).

B. Procedural History

Defendant also filed a Motion to Suppress, seeking suppression of all evidence seized as a result of the NIT search on his computer. (Doc. # 34). The Court has previously denied this Motion. (Doc. # 90). The current Motion for Discovery was filed the same day as the Motion to Suppress but, as previously stated, was held in abeyance pending Defendant's procurement of a forensic expert. See Docs. # 70, 91.

At the recent Final Pretrial Conference, defense counsel informed the Court that the expert's report was complete and had been provided to opposing counsel. See Doc. # 97. Although at the Final Pretrial Conference defense counsel seemed to indicate his willingness to proceed with the Court's adjudication of the Motion for Discovery without the expert report, defense counsel also informed that he would file the expert report of record, which he did later that day. Doc. # 96. Therefore, the Motion for Discovery is no longer held in abeyance, and is now ripe for adjudication.

II. ANALYSIS

In his Motion for Discovery, Defendant requests "the NIT source code in possession of the government" and a copy of the Playpen homepage as it appeared on the day the government sought the NIT warrant, February 20, 2015. (Doc. # 40, at 1, 4). In his Reply, Defendant clarified that his request was for all NIT components. (Doc. # 61, at 1). The Government has stated that it is willing to provide certain components of the NIT software but not all of the components, arguing they are not material to Defendant's case and, alternatively, are subject to the law enforcement privilege. (Doc. # 47, at 2). As for Defendant's request for the Playpen homepage as it existed on February 20, 2015, the Government stated it is willing to provide an offline copy of the website for Defendant's review. Id. at 5.

Defendant states he is seeking "all four components of the NIT," but does not name or describe these four components, although he does later express his need for the source code, the exploit code, and the logging server code. (Doc. # 61 at 1, 3).

A. Discovery of all Requested NIT Information

1. Rule 16 and Materiality

Rule 16(a)(1)(E) requires the government to permit a defendant to inspect and to copy or photograph books, papers, documents, data, photographs, tangible objects, buildings or places, or copies or portions of any of these items, if the item is within the government's possession, custody, or control and: (i) the item is material to preparing the defense; (ii) the government intends to use the item in its case-in-chief at trial; or (iii) the item was obtained from or belongs to the defendant. Fed. R. Crim. P. 16(a)(1)(E). (emphasis added). The Government states the information requested by Defendant is not information the Government intends to use in its case-in-chief and was neither obtained from nor ever belonged to Defendant. (Doc. # 47 at 2). Defendant does not contest this, but instead focuses his Reply on the materiality of the remaining NIT components. (Doc. # 61, at 4). Therefore, the issue here is whether the NIT components Defendant seeks and the Government is unwilling to provide are material to preparing his defense in this matter.

The Sixth Circuit has described materiality under Rule 16 as follows:

A defendant does not satisfy [the] requirement that an object be material to the preparation of the defendant's defense by means of merely conclusory arguments concerning materiality. Rather, defendant must make a prima facie showing of materiality. Materiality under Rule 16 has not been authoritatively defined in this Circuit. However, the Supreme Court has determined that "defense" within the meaning of Rule 16 means the "defendant's response to the Government's case in chief." Therefore, the rule applies only to "'shield' claims that 'refute the Government's arguments that the defendant committed the crime charged.'" It follows that information which does not counter the government's case or bolster a defense is not material "merely because the government may be able to use it to rebut a defense position." Rather, there must be an indication that pre-trial disclosure would have enabled the defendant to "alter the quantum of proof in his favor," not merely that a defendant would have been dissuaded from
proffering easily impeachable evidence. In assessing materiality, we consider the logical relationship between the information withheld and the issues in the case, as well as the importance of the information in light of the evidence as a whole.
United States v. Lykins, 428 F. App'x 621, 624 (6th Cir. 2011) (internal citations omitted). An analysis of two cases, both cited by Defendant, and both concerning the Government's utilization of technology to identify online users possessing and/or sharing files containing child pornography, is helpful to help clarify Defendant's requirement in arguing materiality. See United States v. Budziak, 697 F.3d 1105 (9th Cir. 2012); United States v. Pirosko, 787 F.3d 358 (6th Cir. 2015) (distinguishing Budziak).

First, in Budziak, the Ninth Circuit reviewed the district court's denial of the defendant's three motions to compel the discovery of computer software—referred to as EP2P—used in an investigation of the distribution of child pornography. Budziak, 697 F.3d at 1107-13. Law enforcement officers in Budziak used the program to download several images of child pornography from an IP address registered to the defendant and obtained a warrant to search the defendant's residence based on the downloaded images. Id. Based on the evidence gathered, the defendant was charged with and ultimately convicted of possessing and distributing child pornography. Id. at 1107-08.

On appeal, the Ninth Circuit stated defendant should have been able to examine the software pursuant to Rule 16 because:

All three of [the defendant]'s motions to compel provided more than a general description of the information sought; they specifically requested disclosure of the EP2P program and its technical specifications. [The defendant] also identified specific defenses to the distribution charge that discovery on the EP2P program could potentially help him develop . . . [The defendant] presented evidence suggesting that the FBI may have only downloaded fragments of child pornography files from his "incomplete" folder, making it "more likely" that he did not knowingly distribute any complete child pornography files . . . [the defendant also] submitted
evidence suggesting that the FBI agents could have used the EP2P software to override his sharing settings.
Id. at 1112. The court further noted that much of the evidence presented by the Government at trial was devoted to describing the EP2P and the FBI's use of the program. Id. The court found that the district court's ruling on the motions for discovery denied the defendant the background material on the software that would have enabled him to pursue a more effective examination of the government's witnesses. Id. The Ninth Circuit remanded the case to the district court for a determination on whether the EP2P materials the defendant requested contained or would have led to information that might have altered the verdict. Id. at 1113.

In Pirosko, the Sixth Circuit affirmed the denial of the defendant's motion to compel, distinguishing the holding in Budziak on the basis that the defendant in Pirosko failed to produce any of the evidence produced by Budziak, and instead merely alleged he might have found such evidence had he been given access to the Government's programs. Pirosko, 787 F.3d at 366. Law enforcement officers in Pirosko had used a similar program to observe defendant sharing child pornography files via a file-sharing program, and based on the information gathered from their observations, obtained a warrant to search the defendant's hotel room, where they seized the defendant's computer on which they found numerous files containing child pornography. Id. at 363.

After being provided an opportunity to review his seized equipment, the defendant filed a motion to compel discovery of the tools and records used to assess the information associated with his computer. Id. at 362. Defendant argued that he was entitled to the items under Rule 16 and provided a letter from Interhack, a computer analysis company, which explained that analysis of the tools used by law enforcement could provide useful information concerning whether law enforcement officers manipulated data on the defendant's computer and/or the error rate associated with the program used by the United States. Id. In its opinion affirming denial of the motion to compel, the Sixth Circuit found, among other things, that the defendant did not establish materiality of the evidence he requested under Rule 16. Id. at 369.

In this case, Defendant first argues he is entitled to all components of the NIT code based on the ruling in United States v. Michaud, No. 3:15-cr-5351, Doc. # 212 (W.D. Wash. May 25, 2016), a case arising from deployment of the NIT warrant on alleged Playpen users. (Doc. # 40 at 2-3). According to Defendant, like in Michaud, the Government here should be compelled to produce all components of the NIT software he requests or face suppression. Id. at 9. Defendant argues that once the NIT code is produced, his retained computer expert would need to determine the extent of information gained by the NIT, how the Government compromised security settings, and whether third parties could have compromised the same security settings to access his computer. Id. at 3. Defendant further argues that his expert would need to determine whether the NIT compromised any data or computer functions, and whether the Government accurately represented the functionality of the NIT in the warrant application. Id. Defendant contends that without this information he cannot investigate potential defenses in light of the complex technology at the heart of this case. Id.

Attached to Defendant's Motion for Discovery is the court's order in Michaud excluding evidence gathered as a result of the NIT. (Doc. # 40-1). Also attached to the Motion for Discovery is a motion for discovery filed in a case pending in the District Court in the Southern District of Ohio, United States v. Stamper, 1:15-cr-109, Doc. # 56 (S.D. Ohio). (Doc. # 40-2). Defense counsel admits using this motion as a template for his Motion for Discovery in this matter. Review of the record in Stamper reveals that the defendant's Motion for Discovery (Doc. # 56) and second Motion to Compel Discovery (Doc. # 79) have not been adjudicated by that court, as of the date of this Order.

In response to Defendant's first request, the Government argues that Federal Criminal Rule 16(a)(1)(E) does not require the Government to produce all requested information about the court-authorized NIT. (Doc. # 47 at 2). However, the Government does state it would "provide certain information subject to a protective order." Id. at 3. Specifically, the Government agrees to provide the computer code instructions sent to Defendant's computer that generated the NIT results and the two-way network data stream that would show "the data sent back-and-forth between the Defendant's computer and the government-controlled computer as a result of the execution of the NIT." Id. This information, according to the United States, would allow Defendant to confirm "the data sent from the Defendant's computer is identical to the data the government provided as a part of discovery." Id.

In his Reply, Defendant reiterates his assertion that all components of the NIT are needed. (Doc. # 61 at 1). Defendant first claims the source code is needed to verify "whether the government could accurately link a true IP address, MAC address, Operating System, Host Name, and Log-on ID," (collectively "computer identification information"). Id. at 3. According to Defendant, the exploit code is also needed to "determine if the government was able to introduce the payload to the computer as it claims and whether it was possible for the government to accurately determine the true [computer identification information], and whether the files at issue in this case were actually placed on the computer by [Defendant]." Id. Finally, Defendant claims the logging server code is needed so that Defendant's expert can "verify that the log file that was supposed to be created by this component was done correctly." Id. In sum, according to defense counsel, without being provided the entirety of the discovery requested, it is impossible for the defense to determine if the NIT software was accurately able to identify the computer identification information as the United States claims and whether the files placed on Defendant's computer were placed there by him or by third parties. Id. at 3-4.

Although Defendant's Reply does set forth more than a general description of the information sought, (Doc. # 61 at 3), his request is not as detailed as the request set forth in Budziak. 697 F.3d at 1112. More importantly, Defendant does not set forth specific defenses the requested material may help develop. Although Defendant's Reply does state the requested material may call into question the accuracy of the NIT software, or may support a contention that the files were placed onto Defendant's computer by a third party (Doc. # 61, at 3-4), such contentions are insufficient as stated in Pirosko, and are not supported even by the Expert Report provided by Defendant's own retained expert. See Doc. # 96.

Defendant's recent Expert Report contains the opinions of Dr. Marcus K. Rogers, PhD, of MKR Forensics. Id. In the report, Dr. Rogers states that he was not provided the NIT source code, nor was he able to "conduct a black box analysis of the NIT software tool." (Id. at 2). Dr. Rogers first opined "[t]here is no indication that the NIT software tool altered or modified any information that would be related to evidence listed in the LE investigator's report." Id. at ¶ 1. Dr. Rogers further stated that "[t]here is no indication that the NIT software tool was not functioning as described by the FBI; as it relates to correctly identifying IP addresses of the system that it has been installed on." Id. at ¶ 2. Most importantly, Dr. Rogers, Defendant's own computer forensic expert, stated "[i]t is unlikely that a source code review or black box analysis would provide any evidence that the software incorrectly identified the IP address of the system it had been installed on." Id. at ¶ 3. Dr. Rogers concluded his report by stating "[w]ithout conducting a source code review or black box analysis, no opinion can be made regarding whether the NIT software tool could provide further context related to any purposeful or unintentional behavior on the part of [Defendant.]" Id. at ¶ 4.

Based on the Reply (Doc. # 47) detailing his request, and the Expert Report (Doc. # 96) in support of his Motion for Discovery, Defendant's arguments in support of his need for the entire NIT code are closer to Pirosko, as Defendant has merely alleged he might find evidence in support of his defense if his expert is provided the opportunity to analyze the requested information in its entirety. Thus, Defendant has failed to show the remaining components are material to his defense. Such a conclusion is further supported by the Gaver decision, in which the district court for the Southern District of Ohio denied the defendant's motion for disclosure of the entire NIT code because the defendant had no evidence to support his allegations that a third party could have placed incriminating images on his computer. 2017 WL 1134814, at *4. Defendant's assertions of the remaining components' materiality are merely conclusory, and thus insufficient to be discoverable under Rule 16.

Furthermore, even assuming Defendant's argument does rise beyond the level of mere conclusion, district courts within this circuit have analyzed the materiality of the remaining components of the NIT code and unanimously found that when the Government provides a sufficient portion of the code, the remaining components it is unwilling to provide are not material to the defense. See United States v. Spicer, No. 1:15-CR-73, 2018 WL 635889, at *3 (S.D. Ohio Jan. 31, 2018) (stating defendant "had not demonstrated that the requested materials are material to his defense," and denying the defendant's motion for disclosure of discovery); Jones, 2017 U.S. Dist. LEXIS 216572 at *14 (overruling the defendant's motion to compel discovery largely because the defendant "fail[ed] to articulate why the discovery already provided (or agreed to be provided) [was] insufficient."); Gaver, 2017 WL 1134814 at *3 (denying the defendant's motion to compel, as the defendant did not make the required showing that the remaining requested discovery was material).

Although not binding upon this Court, the significance of the Government's production here is clarified in Owens, a case from the Eastern District of Wisconsin analyzing the NIT software utilized in Defendant's case. United States v. Owens, No. 16-CR-38-JPS, 2016 WL 7351270 (E.D. Wis. Dec. 19, 2016). The court noted that the defendant in Budziak was denied access to any of the software used by the Government to download files from the defendant's computer. Id. at *5. The court in Owens contrasted the situation in Budziak because the Government provided the defendant in Owens with the "relevant portions of the NIT and he offers no more than speculation that he requires the remainder." Id. The Owens court went on to note that, due to the defense expert's ability "to use the parts of the NIT [the expert had] to test [the defendant]'s hypotheses, [the defendant's] situation is a far cry from Budziak, where the defendant had no such opportunity." Id. In addition, as previously indicated, the Government in this case has stated, unlike in Budziak, that it does not intend to use the requested information in its case-in-chief. Accordingly, Defendant cannot rely upon the holding in Budziak in support of his contention that the United States must produce the remaining information sought pertaining to the NIT code.

Similar to the trial court's conclusion in Owens, district courts within the Sixth Circuit have concluded that even when the defendant seeks to offer expert testimony in support of his theory that third parties could have placed the files at issue onto his computer, the remaining portions of the NIT code are nevertheless not material. See, e.g., Jones, 2017 U.S. Dist. LEXIS 216572 at *14 ("there is no need to provide [the entire NIT code] to the defense expert."); United States v. Ammons, No. 3:16-CR-00011-TBR-DW, 2017 U.S. Dist. LEXIS 82030, at *3 (W.D. Ky. May 30, 2017) (simply speculating that an expert may uncover evidence to support the defense is insufficient to demonstrate the remaining components are material); Gaver, 2017 WL 1134814 at *3 (stating the government had provided the defendant with enough of the NIT code to allow a computer expert to determine whether the NIT code rendered the defendant's computer vulnerable to attacks by third parties).

In Gaver, the district court for the Southern District of Ohio denied defendant's motion for disclosure of the entire NIT code. 2017 WL 1134814, at *4. The defendant in Gaver was also before the Court on child pornography charges as a result of deployment of the NIT onto users of the Playpen website. Id. at *1. Prior to the defendant's trial, his counsel filed a motion for disclosure of discovery requesting production of "all the components to the NIT source code, including the payload, exploit identifier, and server components." Id. at *2.

In support of the defendant's motion for disclosure of discovery, Gaver's counsel stated that he wanted to hire a computer expert to determine: "1) the full extent of information seized when the NIT was deployed; 2) how the government was able to compromise the computer's security setting; 3) whether the NIT compromised any data or computer functions; and 4) whether the government's representations about how the NIT works are complete and accurate." Id. Counsel further argued that "to the extent any of the charges against him are based on images that were downloaded to his computer after February 23, 2015, when the NIT was deployed, he needs the NIT source code to determine whether the NIT could have surreptitiously installed malware that caused those images to be transmitted to his computer, altered those images, or otherwise left his computer vulnerable to attacks from third parties." Id.

Unlike Defendant, the defendant in Gaver did not retain a computer expert to review discovery prior to the court's ruling on his motion for discovery. After the court denied his motions to suppress and motion for discovery, the defendant entered into a plea agreement with the United States. Gaver, No. 3:16-CR-88, Doc. # 36. The defendant was sentenced to 132 months of incarceration, to be followed by a lifetime of supervised release. Gaver, No. 3:16-CR-88, Doc. # 47 at 2, 4.

The United States stated it was willing to produce "the 'payload,' which is the instructions sent to [the defendant's] computer to gather the information; a list of all information collected by the NIT; the two-way network data stream; the computer code used to generate unique identifiers related to the NIT; and a forensic copy of [the defendant's] computer, which could be examined by an expert." Id. at *3. The Government additionally agreed to allow the defendant to inspect the report containing a description of his activities on the site during the time the NIT was deployed. Id. Similar to the Government in Defendant's case, the Government would not, however, produce the "exploit" or "server component" of the NIT source code, arguing, among other things, that these items were immaterial to the defense. Id.

The court was persuaded by the Government's claim that it had offered to produce sufficient components of the NIT code which, coupled with the forensic copy of the defendant's computer, would allow the defendant's expert to determine whether the NIT rendered the computer vulnerable to attacks by third parties. Id. at *3. Noting the defendant's lack of evidence to support his allegation that someone other than himself could have placed the incriminating images on his computer, the court held the defendant had failed to show how, in light of all of the information the United States had already offered to produce, the exploit and the server component were material to his defense. Id. at *4.

Two other decisions, both rendered by the district court for the Southern District of Ohio, relied upon the court's reasoning in Gaver to deny the defendants' motions for discovery. See Spicer, 2018 WL 635889 at *3 (S.D. Ohio Jan. 31, 2018) (holding "the payload, exploit, identifier, and server components" were not material to the defense); Jones, 2017 U.S. Dist. LEXIS 216572, at *10 (even if the NIT's reliability were material, the government had already provided defendant's retained computer expert with the means to verify the reliability). Upon this Court's review, no other case within this Circuit analyzing the specific NIT warrant utilized in Defendant's case has held the production of all NIT components was material to a defense.

However, as Defendant points out, two cases decided by the same district court in the Western District of Washington have led to the dismissal of counts or charges against defendants due to the Government's unwillingness to disclose the entire NIT code. See Michaud, No. 3:15-cr-05351, Doc. # 212 at *1; Tippens, No. 3:16-cr-5110, Doc. # 106, at 28. Given Defendant's heavy reliance upon these two cases, close examination of each case is warranted.

In Michaud, the defendant was also indicted on child pornography charges as a result of the deployment of the NIT on users of the Playpen website. Michaud, No. 3:15- CR-05351-RJB, 2016 WL 337263 at *1 (Order Denying Defendant's Motions to Suppress Evidence). The defendant filed numerous motions to compel, the third of which requested "the complete N.I.T. code data, as well as any related records or information that are needed for the defense's analysis of that data." Michaud, No. 3:15-cr-05351, Doc. # 205, at 2. In response to the motion, the United States argued that the full NIT code was not material to the defendant's defense and, even if it were, the Government should not be compelled to produce it to defendant. Id. at 2-3.

The court ultimately granted defendant's third motion to compel, relying heavily upon the report of the defendant's expert to find the defendant satisfied his threshold burden to show that a copy of the entire NIT code was material to his defense pursuant to Federal Criminal Rule 16(a)(1)(E)(i). Id. at 2-3. However, after conducting an ex parte, in camera hearing, the court also found that, due to the sensitive nature of the evidence, the Government had made a sufficient showing that it was not required to disclose the entire NIT code to defendant. Id. at 3.

After making these findings, the district judge noted:

The resolution of Defendant's Third Motion to Compel Discovery places this matter in an unusual position: the defendant has the right to review the full N.I.T. code, but the government does not have to produce it. Thus, we reach the question of sanctions: What should be done about it when, under these facts, the defense has a justifiable need for information in the hands of the government, but the government has a justifiable right not to turn the information over to the defense?
Id. at 5. After hearing oral argument on the issue, the court entered an order finding that the defendant's request for dismissal of the indictment was not the proper result but that "evidence of the N.I.T., the search warrant issued based on the N.I.T., and the fruits of that warrant should be excluded and should not be offered in evidence at trial." Michaud, No. 3:15-cr-05351, Doc. # 212 at *1. The United States subsequently moved to dismiss the indictment against defendant, which was granted. Michaud, No. 3:15-cr-05351, Docs. # 226, 227, 228.

In Tippens, the defendant was charged with three child pornography-related charges: receipt (count 1), possession (count 2), and transportation (count 3). Tippens, No. 3:16-cr-5110, Doc. # 180, at 3. Prior to trial, the defendant filed a motion to compel discovery which requested, among other things, that the court order the United States to give him the opportunity to review the NIT code in its entirety. See Tippens, No. 3:16-cr-5110, R. 106, at 19. Although the Government provided defendant certain information about the NIT, it objected to producing the NIT in its entirety. Id. At the Government's request, the court conducted a CIPA (Classified Information Procedures Act) § 4 ex parte, in camera hearing to allow the Government to provide information supporting its position that it should not be required to produce the NIT code in its entirety.

Based on the showing made at the CIPA § 4 hearing, the court ruled that the United States was not required to disclose the remaining NIT code because it was classified. Id. at 19. In its subsequent order addressing the defendant's motion for discovery, the court concluded that certain portions of the NIT code were material under Rule 16 because of their potential bearing on the defendant's motions, including the constitutional challenges to the NIT warrant. Id. at 21-22. However, the court ultimately determined that the remaining portions of the NIT code requested by defendant, particularly the exploit code, were not relevant and helpful to the defense and, thus, the Government did not need to disclose that information to defendant. Id. at 22-27.

The United States proceeded to prosecute defendant on the three counts and the case went to trial. Tippens, No. 3:16-cr-5110, Doc. # 180, at 3. Following the defendant's oral motion to dismiss the receipt (count 1) and transportation (count 3) charges, the court granted the defendant's motion and dismissed both counts. In making this ruling, the court stated, "[a]t its own peril, the Government elected to prosecute receipt and transportation counts partially reliant on evidence of timestamp metadata, while also electing to withhold the NIT code and [the defendant]'s proposed exhibits." Id. at 5. The court found that the withholding of this material weakened defendant's argument on reasonable doubt at trial and hindered defendant's ability to attack the Government's evidence. Id. The court also held that defendant's offering of these exhibits "eroded" the presuppositions that formed the basis of the court's pretrial "relevant and helpful" finding. Id. at 6. As a result the court held, "for the reason that the United States has withheld classified material that is material to the defense, the interest of justice required that Counts 1 and 3 be dismissed." Id.

The decisions in Michaud and Tippens are not binding upon this Court, and, even if they were, each case turns on an individualized assessment of whether the defendant had made the necessary prima facie showing of Rule 16 materiality. See United States v. Pawlak, No. 3:16-cr-306-D(1), 2017 WL 2362019 at *3 (holding, despite defendant's heavy reliance on Michaud, that defendant had failed to make the required prima facie showing that the exploit was material to his defense). Unlike in Michaud, the expert report in Defendant's case does not support Defendant's assertion that inspection of all NIT components would further his defense. Unlike in Tippens, the Government in Defendant's case has affirmatively stated it will not use the information Defendant seeks in its case- in-chief. Therefore, Michaud and Tippens are factually distinguishable to Defendant's case as well.

Furthermore, the overwhelming majority of courts that have analyzed the same or substantially similar argument raised by Defendant here as it pertains to the same NIT codes have held the portions of the NIT not provided to the defendant were not material. See Spicer, 2018 WL 635889 at *3 (stating defendant had "not demonstrated that the requested materials are material to his defense," and denying the defendant's motion for disclosure of discovery); Jones, 2017 U.S. Dist. LEXIS 216572 at *14 (overruling the defendant's motion to compel discovery largely because the defendant "fail[ed] to articulate why the discovery already provided (or agreed to be provided) [was] insufficient."); Pawlak, 2017 WL 2362019 at *3 (denying the defendant's motion to compel, as the defendant did not make the required showing that the remaining requested discovery was material); Gaver, 2017 WL 1134814 at *3 (same); Owens, 2016 WL 7351270 at *4 (same); United States v. McLamb, 220 F. Supp. 3d 663, 676 (E.D. Va. 2016) (same); United States v. Jean, No. 5:15-cr-50087, 2016 WL 6886871 at *7 (same); United States v. Darby, No. 2:16-cr-036, Doc. # 49, at 788-90 (same); United States v. Matish, 193 F. Supp. 3d 585, 600 (E.D. Va. 2016) (same).

This Court finds that the argument raised by Defendant should meet the same fate as these decisions. Defendant has not shown the components of the NIT code not provided by the Government are material to his defense. He has not satisfied the requirements set forth in Rule 16, as articulated in Pirosko. 787 F.3d at 369. Upon consideration of the relationship between the information withheld (the remaining NIT components), the issues in this case, and the importance of the information in light of the evidence as a whole, Defendant has not made the required prima facie showing. See Lykins, 428 F. App'x at 624. Other than noting that he could offer no opinion on "whether the NIT software tool could provide further context related to any purposeful or unintentional behavior" on Defendant's part (Doc. # 96), Dr. Rogers, Defendant's own expert, opined that it is unlikely the remaining components would provide any evidence in support of Defendant's defense. Defendant claims the source code, exploit code, and logging server code are all necessary for him to "meaningfully challenge the government's data." (Doc. # 61 at 3). However, partly due to his own expert's report, there is no indication that the remaining components of the NIT code would "alter the quantum of proof in his favor." Lykins, 428 F. App'x at 624. In light of the Government's production and Defendant's expert report (Doc. # 96), Defendant's arguments of materiality are simply too speculative to warrant the Court ordering the United States to provide the remaining NIT components.

2. Law Enforcement Privilege

In addition to the Government's assertion that the entire NIT code is not material to Defendant's defense, the Government also claims the requested NIT information is subject to the law enforcement privilege. (Doc. # 47 at 2). It is the burden of the party asserting the law enforcement privilege, in this case the Government, to show that the privilege applies. In re The City of New York, 607 F.3d at 948. To meet this burden, the Government must show:

[T]he documents contain information that the law enforcement privilege is intended to protect, which 'includes information pertaining to law enforcement techniques and procedures, information that would undermine the confidentiality of sources, information that would endanger witness and law enforcement personnel or the privacy of individuals involved in an investigation, and information that would otherwise interfere with an
investigation' . . . If the party asserting the privilege successfully shows that the privilege applies, the district court then must balance the public interest in nondisclosure against 'the need of a particular litigant for access to the privileged information,' as the privilege is qualified, not absolute.
Matish, 193 F. Supp. 3d at 592 (quoting In re The City of New York, 607 F.3d at 944). If the Government meets its burden to show that the law enforcement privilege applies, "the court must balance the defendant's need for the privileged information against the public interest in nondisclosure." Gaver, 2017 WL 1134814 at *3 (citing Pirosko, 787 F.3d at 365; In re The City of New York, 607 F.3d 923, 948 (2d Cir. 2010)). The privilege is only overcome when the information "is relevant and helpful to the defense of an accused, or is essential to a fair determination of a cause." United States v. Sierra-Villegas, 774 F.3d 1093, 1098 (6th Cir. 2014).

In Gaver, the court analyzed the same NIT code utilized in Defendant's case. Gaver, 2017 WL 1134814, at *1. The Government effectively argued that requiring it to disclose the remaining components of the NIT it was unwilling to disclose would "severely compromise future investigations, and could allow others to develop countermeasures." Id. at *4. The court further noted "[c]ourts have widely agreed that these portions of the code are protected by the law enforcement privilege, because the defendant's need for it is greatly outweighed by the government's need to keep it secret." Id. (citing United States v. Darby, No. 2:16-cr-036, Doc. # 49 at 789; Matish, 193 F. Supp. 3d at 601; Jean, 2016 WL 6886871, *7; McLamb, 220 F. Supp. 3d 663, 676 n.6).

In this case, Defendant has not cited to any cases in which the United States asserted the law enforcement privilege and the court found that the NIT information sought was not privileged. Other courts that have analyzed this same NIT utilized in Defendant's case have widely held that production of all components of the NIT source code is protected by the law enforcement privilege. See, e.g., Gaver, 2017 WL 1134814 at *1; Darby, No. 2:16-cr-036, Doc. # 49 at 789; Matish, 193 F. Supp. 3d 585 at 601; Jean, No. 2016 WL 6886871 at *7; McLamb, 220 F. Supp. 3d at 676 n.6.

Based on the arguments presented in this matter, this Court finds no reason to deviate from the aforementioned cases. Defendant's need for the additional NIT components he requests is outweighed by the Government's interest in keeping those items secret. As in Gaver, disclosure of the remaining components could compromise future investigations and allow others to develop countermeasures. 2017 WL 1134814 at *4. The risk of inadvertently leaking the remaining components or other information gained as a result of production being used by third parties outweighs any argument Defendant has made in asserting his need for the remaining NIT components. Thus, because of the law enforcement privilege, the Government need not produce the remaining NIT components requested by Defendant.

In conclusion, based on the aforementioned, the remaining NIT components the Government is not willing to provide to Defendant are not material to his defense, as he has failed to satisfy the requirements of Rule 16, even taking into account his expert's report. Furthermore, even if the remaining components were material to Defendant's defense, the production of such components is protected by the law enforcement privilege. Therefore, Defendant's request for the remaining NIT components is denied.

B. The Alternative Home Page

As for Defendant's second request—his request for production of the Playpen homepage as it appeared on February 20, 2015— Defendant again relies on Michaud. (Doc. # 40, at 3). Specifically, defense counsel argues, without citing to the record, that defense counsel in Michaud averred that the Government's description of the Playpen's homepage in the NIT warrant was not consistent with the way the homepage actually appeared on February 20, 2015, the date on which the Government sought and obtained the warrant. Id. According to defense counsel, if this is true, the allegations establishing probable cause in the NIT warrant would have contained false information. Id. at 3-4. Defense counsel contends that this would be a material consideration for the Court when assessing the validity of the NIT warrant. Id. at 4. Although defense counsel states that the Government showed him the homepage which was purportedly the page that users saw when accessing the site, he claims he has no way of confirming that what was shown to him was actually the homepage as it appeared on February 20, 2015. Id. Thus, counsel contends he is in need of this discovery. Id.

Although defense counsel argues that this would be a material consideration for the Court when assessing the validity of the NIT warrant, Defendant's previously denied Motion to Suppress did not contain any arguments challenging the probable cause behind the NIT warrant. (See Doc. #. 34).

In response to Defendant's request for production of the Playpen webpage, the Government states that "an offline copy of the website, as it appeared to users, is available for review and inspection under the supervision of the FBI and will continue to be available for review and inspection during the pendency of this litigation." (Doc. # 47 at 5). Defendant does not otherwise address in his Reply to the Government's Response whether this access is sufficient or whether he continues to assert he is entitled to production to him of the webpage. Regardless, due to the Government's agreement to provide the webpage as it appeared, Defendant's second request will be rejected as moot. Although Defendant claims there is no way of confirming the homepage that the Government first showed defense counsel was the homepage that actually appeared on February 20, 2015, the offline copy made available to defense counsel alleviates any concern. The Government has already complied with such request. Defendant has not shown, or even argued, that the Government's production of the offline copy of the webpage is inadequate to alleviate his concerns.

Furthermore, other cases analyzing the NIT warrant have pointed out that the picture on the opening page changed around the time the search warrant was obtained. Specifically, the picture changed from two scantily-clad pre-pubescent females to a picture of "a young girl with her legs crossed, reclined on a chair, wearing stockings that stop at her upper thigh and a short dress or top that exposes the portion of her upper thigh not covered by the stockings." See United States v. Darby, No. 2:16-cr-36, Doc. # 31 (E.D. Va. June 3, 2016). The materiality of the possibly alternative webpage was also addressed in Spicer, which stated the court had "reviewed the differences between the two PlayPen homepages and . . . they are not materially different." 2018 WL 635889 at *5.

Thus, despite Defendant's contention, even if the opening page on February 20, 2015 was inconsistent with the description contained in the application for the NIT warrant, the possible alternative homepage would not negate probable cause for the issuance of the warrant. As the possible alternative homepage would not support Defendant's defense here, any evidence of the possible alternative homepage, beyond what the Government has already provided to Defendant, is not material to his defense. Therefore, to the extent Defendant's request for production of the Playpen homepage as it appeared on February 20, 2015 goes beyond what the Government has already provided, such request is denied.

III. CONCLUSION

The Government has offered to provide a portion of the NIT code, and Defendant cannot show the production of the entire NIT code is material to his defense. Even if the remaining components of the NIT code were material to Defendant's defense, the production of such components is protected by the law enforcement privilege. As for the Playpen homepage, the Government is willing to provide an offline copy of the webpage, and thus Defendant's request for the homepage is now moot. To the extent Defendant requests additional evidence of the homepage beyond what the Government has provided, such request is denied. Accordingly,

IT IS ORDERED that Defendant's Motion for Discovery (Doc. # 40) is DENIED.

Dated this 1st day of March, 2018.

Signed By:

David L . Bunning

United States District Judge


Summaries of

United States v. Harney

UNITED STATES DISTRICT COURT EASTERN DISTRICT OF KENTUCKY NORTHERN DIVISION COVINGTON
Mar 1, 2018
CRIMINAL ACTION NO. 16-38-DLB-CJS (E.D. Ky. Mar. 1, 2018)

finding that the defendant's arguments in support of his need for the software were closer to Pirosko than Budziak because he "merely alleged he might find evidence in support of his defense if his expert [was] provided the opportunity to analyze the requested information in its entirety"

Summary of this case from United States v. Gonzales
Case details for

United States v. Harney

Case Details

Full title:UNITED STATES OF AMERICA PLAINTIFF v. JEFFREY HARNEY DEFENDANT

Court:UNITED STATES DISTRICT COURT EASTERN DISTRICT OF KENTUCKY NORTHERN DIVISION COVINGTON

Date published: Mar 1, 2018

Citations

CRIMINAL ACTION NO. 16-38-DLB-CJS (E.D. Ky. Mar. 1, 2018)

Citing Cases

United States v. Stamper

Defendant appears to have an uphill battle in demonstrating materiality: the majority of courts have denied…

United States v. Gonzales

Because Defendant Ordonez has failed to make a threshold showing of materiality under Rule 16(a)(1)(E)(1),…