People v WorrellAnnotate this Case
Decided on March 2, 2018
Supreme Court, Queens County
The People of the State of New York, Plaintiff,
Ekins Worrell, Defendant.
Deborah S. Modica, J.
On remand from the Appellate Division, and after a hearing, the defendant, Ekins Worrell, has filed a Memorandum of Law in Support of his Motions to Suppress Physical Evidence and to Controvert the Search Warrant in which he asks this Court to find that law enforcement violated his reasonable expectation of privacy by accessing the content of his home computers without a warrant and that the search warrant which was obtained later was obtained untruthfully and without probable cause. The People's response urges the Court to deny the defense motions in their entirety. The Court decides the motions as follows.
FACTUAL AND LEGAL HISTORY
The New York City Police Department executed a search warrant at the defendant's home, the basement apartment at 86-15 233 Street, Queens County, on April 25, 2012. Detective Damon Gergar recovered twenty-three compact discs containing child pornography and thirty-two electronic devices including a laptop computer, internet router, and cable modem from the bedroom of the defendant's basement apartment. The defendant was arrested and was initially charged with forty-three counts of Promoting a Sexual Performance by a Child (PL 263.15) and forty-three counts of Possessing a Sexual Performance by a Child (PL 263.16). The defendant was subsequently indicted, under Queens County Indictment number 1486/2012, with forty (40) counts of Promoting a Sexual Performance by a Child (PL 263.15) and forty (40) counts Possessing a Sexual Performance by a Child (PL 263.16).
After a forensic examination of items recovered during the search warrant execution, the defendant was indicted again, under Queens County Indictment number 967/2013, for one-thousand-three-hundred-forty-seven (1,347) additional counts of Promoting a Sexual Performance by a Child (PL 263.15) and one-thousand-three-hundred-forty-seven (1,347) additional counts of Possessing a Sexual Performance by a Child (PL 263.16).
In a motion dated August 12, 2013, the defendant moved, inter alia, to suppress his [*2]statements and to controvert the search warrant, challenging the affiant's basis of knowledge and the reliability of the source of the information in the search warrant affidavit. The defendant argued that a "hash value" does not reveal the contents of a file, and therefore, the court was misled into believing that a user at the target location of the search warrant possessed or distributed child exploitation files. The defendant further contended that since the defendant's IP address was the sole connection linking the affiant's internet observations to the defendant, the affiant failed to establish probable cause. In response, the People argued that the issuance of the search warrant was proper because the search warrant affidavit provided reasonable cause to believe that evidence of illegal activity would be present at the time and place of the search. In a decision and order dated October 16, 2012, the court granted a hearing on the motion to controvert the search warrant, as well as a Huntley hearing to determine the admissibility of the defendant's statements to law enforcement. (Camacho, J.)
On February 5, 2013, this Court conducted a Huntley hearing while the motion to controvert the search warrant was still pending. The People called one witness, Det. Damon Gergar; the defendant called no witnesses. In a decision and order dated March 12, 2013, this Court denied the defendant's motion to suppress statement evidence, finding that the credible testimony of Det. Gergar established that the defendant was neither in custody when he made statements nor was he actually being interrogated by law enforcement.
On March 8, 2013, the defendant filed a Supplemental Motion to Suppress pursuant to CPL 710.40(2) which moved to suppress evidence recovered as a result of Det. Gergar's allegedly illegal search. The defendant contended that he only became aware of the need for such a motion after receiving the grand jury testimony of Det. Gergar prior to the Huntley hearing.
In a written decision dated March 12, 2013, this Court denied the defendant's motion to controvert the search warrant. Additionally, the Court noted receipt of the defendant's Supplemental Motion to Suppress and denied the motion from the bench for several reasons, one of which being that it was untimely. The Court later provided the parties with a written decision denying the defendant's Supplemental Motion to Suppress which embodied the findings which were previously made on the record. The Court again held that the defendant's motion was untimely and that the portions of grand jury testimony which the defendant attached in support of his motion failed to show any new facts which were not already contained in the affidavit in support of the search warrant.
On May 13, 2013, the defendant pleaded guilty to two counts of Promoting Sexual Performance by a Child (PL 263.15) in satisfaction of both indictments, and was promised an indeterminate sentence of one to three years on one count and a consecutive indeterminate sentence of one and three-quarters years to five and one-quarter years on the other count. (Kron, J.) On May 30, 2013, the defendant was sentenced as promised. (Kron, J.)
In a decision dated April 27, 2016, the Appellate Division, Second Department ordered that the defendant's appeal be held in abeyance and remitted the matter back to this Court for a hearing and a "new determination thereafter of that branch of the defendant's omnibus motion which was to controvert a search warrant and his separate motion to suppress physical evidence on the ground that it was the product of an unlawful search by police."
Accordingly, this Court conducted a hearing in order to determine the defendant's motions to controvert the search warrant and to suppress physical evidence. In a post-hearing memorandum of law, the defendant argues, inter alia, that the defendant had a reasonable [*3]expectation of privacy in his home, that Det. Gergar trespassed while obtaining files from his computer, that the search warrant affidavit contained false claims that Det. Gergar had personal knowledge of the files on the defendant's computer, and that the search warrant affidavit falsely claimed that Det. Gergar obtained evidence using publicly available peer-to-peer software. The People submitted a memorandum of law in response in which they argue that the contents of the defendant's computer were not remotely accessed by law enforcement, that the defendant had no reasonable expectation of privacy when using a peer-to-peer network, and that probable cause existed for the issuance of the search warrant.
FINDINGS OF FACT
DETECTIVE DAMON GERGAR, a seventeen-year veteran of the New York City Police Department, testified that he has worked in the Vice Major Case Unit, which investigates sex trafficking cases as well as the exploitation of children on the internet, child pornography, and pedophilia, since 2009. The majority of the cases that he investigates involve the use of internet-based, peer-to-peer networks which share child exploitation videos and images.
Det. Gergar utilizes various law enforcement tools and computer software to locate individuals in his jurisdiction who have downloaded or shared child exploitation files on peer-to-peer networks. A peer-to-peer network (hereinafter "P2P") is when two or more computers connect with each other over the internet, without the need for a central server, where they can then exchange files such as music, movies, applications, and games. There are many different types of P2P networks which are known throughout the internet community, such as the Gnutella network, the Ares network, BitTorrent, and eDonkey.
Det. Gergar began investigating P2P networks in 2010 and has received training on the Child Protection System (hereinafter "CPS") and GigaTribe. In addition, he has received training with respect to undercover chat investigations, forensic preview training, forensic imaging training, and sex trafficking training. Det. Gergar was trained on CPS by a company named TLO, and the training was sponsored by the Internet Crimes Against Children Task Force (hereinafter "ICAC"). ICAC is a nationwide task force which is comprised of numerous law enforcement agencies that work on child exploitation cases, including child pornography and internet chat room cases. He has also been trained by the Federal Bureau of Investigation and the National White-Collar Crime Center in forensic preview, which is a basic, cursory search of a computer during the execution of a search warrant to determine whether there are child exploitation files on the device. If the forensic preview finds child exploitation files, the computer will be taken to the NYPD's Computer Crimes Unit for a full forensic examination.
Detective Gergar received training on the software tools CPS and Shareaza Law Enforcement (hereinafter "Shareaza LE"). CPS is a tool which locates IP addresses in a law enforcement officer's jurisdiction which might have child exploitation files. Deg. Gergar has used CPS to target IP addresses in New York City which have been seen, by CPS, to have available for sharing known child sexual exploitation files. CPS also has a repository of thousands of known child exploitation files that have been identified by law enforcement based upon their Secure Hash Algorithm Value or "SHA1 hash value". As Gergar explained, every image and video possesses a hash value, which is a unique set of numbers and letters. As law enforcement officers view and identify child exploitation files, they isolate the files' hash values and enter them into the repository. Hash values are like a person's DNA; no two images or videos can have the same hash value. For example, if a person were to take a digital photograph with their smart phone, that photograph would have a unique hash value. If that person were to [*4]later edit a single pixel of that same picture, the hash value would change.
The Child Protection System scans P2P networks, identifies known child pornography files by their unique hash values, and tags the IP address of users who possess these files. Det. Gergar then uses CPS to identify the IP addresses in New York City that appear to have child exploitation files in order to investigate. As Gergar testified, an "IP address" is an abbreviation for Internet Protocol Address, which is an identifying number that is assigned to an internet account by an internet service provider such as Time Warner, Optimum, or Verizon. There are both external and internal IP addresses; an external IP address is assigned to a customer — an entire household, for example, which could be assigned to several electronic devices that are all using the internet in the same household. An internal IP address, however, is assigned to the individual devices that are using the internet on the same external IP address so that individual devices and computers in the same household can be identified.
Gergar testified that for each IP address that possesses child exploitation files, a GUID report [FN1] is generated which shows the history of activity for that IP address, as well as the names of the files that that IP address has possessed, the dates and times that the system detected that IP with the files, the type of network that IP address was on, and whether or not those files were known child exploitation files. CPS provides information on the IP addresses which have the most known child exploitation files based on their unique hash values; Det. Gergar can select which borough to search and it is his practice to focus on targets that possess videos and images of baby and toddler child pornography. CPS also provides the detective with a history for that IP address, which includes, among other things, how long an IP address has been detected by CPS; what date and time that IP address was observed by CPS; what the GUID for that IP address is; what other IP addresses are associated with that GUID; hash values and file names possessed by the IP address; and what P2P network that IP address was on.
Det. Gergar then uses Shareaza LE software in an attempt to obtain downloads from that particular IP address. If he is successful in obtaining child exploitation files, the program creates case folders for him on his police computer and CPS saves it for him. When a case is initialized, CPS shows all other law enforcement agents that Det. Gergar is investigating that IP address and provides them with his contact information so that they can communicate with him if they had previously downloaded any files from his target IP address. Shareaza LE continuously attempts to download files from the target IP address when the target is using the P2P network and sharing files. Once Det. Gergar directs Shareaza LE to attempt to download files from the target IP address, it will continue its attempt to download until he turns off his program. He isn't always successful when he tries to download files from a target IP address.
If Shareaza LE is successful in downloading a child exploitation file from a target IP address, Det. Gergar opens the file, confirms, based upon his training and experience, that the image is a child exploitation image, and then contacts the District Attorney's office in whichever borough he believes the IP address is operating; he explains the type of file he has downloaded and asks the District Attorney's office to send a subpoena to the internet service provider for the subscriber information for that IP address at the exact date and time that he downloaded the [*5]image. After receiving that, he conducts a series of NYPD computer checks: a background check on the subscriber's name, a check to determine the names of persons who receive mail at that address, and background checks on everyone who receives mail at that address. He also checks with Con Edison to find out who pays the electric bill for that address, and checks an NYPD database to see if anyone with a criminal history lives at that address or nearby. At the same time, he continuously monitors the target IP address on CPS to see if there has been any recent activity.
In his career, Gergar has executed over one hundred search warrants as a result of his own investigations. He has also assisted Homeland Security and the F.B.I. with the execution of approximately 30 or 40 additional search warrants. Det. Gergar has never had a case, using the CPS system, in which he has executed a search warrant at the wrong location.
Even though he can often tell that an IP address or GUID possesses child exploitation files based upon the file's unique hash value, in an excess of caution, Det. Gergar does not obtain a search warrant until he has actually downloaded a file from the IP address and viewed it himself to confirm that the IP address possesses child exploitation files. Although the software which Det. Gergar uses to conduct his investigations are law enforcement programs, many of these programs were commercially available programs which had law enforcement-specific changes made to them in order to ensure the integrity of their performance.
In August of 2011, Det. Gergar was assigned to the Vice Major Case squad and was using CPS to conduct P2P investigations when he initiated an investigation on a high-profile target IP address which was observed to have many known child exploitation files. The target IP address, 220.127.116.11, was using the publicly available BearShare software to access the publicly available Gnutella network. The Gnutella network can be used to share anything, including, but not limited to, movies, games, documents, and applications. BearShare is a popular application that persons use to access the Gnutella network. Det. Gergar examined both the GUID report for that IP address and the hash values for the files which were identified by CPS, which were publicly available.
Det. Gergar attempted to download known child exploitation files from the target IP address but was unsuccessful. He continued his investigation into September of 2011 and discovered that there was another IP address, 18.104.22.168, which was associated with the GUID of the target IP address. Since CPS tracks devices based upon their GUID, if a user disconnects from the internet and travels, and then connects to the internet somewhere else, CPS will still recognize the GUID for that device even though it has changed IP addresses. The second IP address discovered by Det. Gergar was also connected to the Gnutella network using BearShare software and displayed the hash values of child exploitation files. Det. Gergar then attempted to download files from this second IP address but was unsuccessful.
On September 26, 2011, CPS, through Shareaza LE, was able to make a connection to that same unique GUID, which was now using a different, third IP address — 22.214.171.124; Det. Gergar observed all three IP addresses accessing the Gnutella network with that GUID. There was also a second GUID which was associated with the third IP address that Gergar was investigating. Det. Gergar was able to download two images from that third IP address using the Shereaza LE program. He viewed those images and determined that they were child pornography. He then contacted the District Attorney's office for a subpoena for the Time Warner Cable subscriber information for that IP address as well as the other related IP addresses. The subpoena eventually revealed the subscriber to be "Al Worrell" of 86-15 233 Street — [*6]basement, in Queens Village, Queens County, New York.
In April of 2012, Det. Gergar asked that a subpoena be sent for an updated IP address for the residence that he was investigating. The new IP address was 126.96.36.199 and Gergar used CPS to determine that the new IP address was also accessing the Gnutella network using commercially available LimeWire software. There was a new GUID for the fourth IP address; this new IP address had been seen by CPS on April 11, 2012 at 5:25 PM and was also associated with "Al Worrell" of 86-15 233 Street — basement. A CD-Rom containing folders and documents from Det. Gergar's computer, including GUID reports which he utilized during the investigation of this case, as well as a Shareaza LE summary report for the IP address from which Det. Gergar was able to download child pornography was received into evidence at the hearing. The child exploitation files which Det. Gergar was able to download were accessible to anyone on the Gnutella network because they were publicly shared files in a shared folder. Based on all of the information he had, Det. Gergar obtained a search warrant for 86-15 233 Street, and executed it on April 25, 2012, which led to the discovery of twenty-three compact discs containing child pornography and thirty-two electronic devices including a laptop computer.
WILLIAM WILTSE testified that he was the president of the Child Rescue Coalition, which is a 501C3 nonprofit organization based in Boca Raton, Florida. Prior to that, he was a police officer in the State of Oregon, where his last assignment was as a computer forensics detective, where he did examinations of computers and began to develop the software which is now used to investigate P2P networks. As a law enforcement officer, Wiltse performed hundreds of forensic examinations of computers and electronic devices, including cases dealing with child exploitation files.
In 2002, Mr. Wiltse became a "Certified Forensic Computer Examiner" after he passed an examination offered by the International Association of Computer Investigative Specialists; he has maintained that certification through the date of his testimony. In 2006, he attended training on the investigation of P2P networks at the Internet Crimes Against Children Task Force Office in Wyoming; in 2007, he attended an instructor development course so that he could teach the same topics that he had been taught by ICAC the previous year. He then became part of the development team at the ICAC Wyoming office because of his background in computer programming and technology.
In order to investigate P2P networks in 2007, investigators had to download publicly available P2P software off of the internet and then manually search for child exploitation related keywords. Computers all over the world which were connected to the Gnutella network would receive that search request, evaluate their own publicly shared files for a match, and send back a response indicating things like file names, file sizes, file indexes, and hash values. Investigators would then have to sort through the responses to determine which users were within their jurisdiction based upon their geo-location.
While he was at the instructor development course in 2007, Wiltse had the idea to automate the above process, and he began to experiment with creating a software program that replicated exactly what was already being done on the Gnutella network. In January 2008, he released an early copy of a program called Peer Spectre, a program of which he was the sole developer, which took a library of more than one-hundred key words which were commonly present in child exploitation files and automatically searched for those words on the Gnutella network at a rate of one-per-second. Computers from all over the world then evaluated their [*7]own shared content and responded to those keyword searches. Peer Spectre then determined, based upon the hash value of the response files, that an image was "child notable" and stored that information in a database, which could later be reviewed by law enforcement officers.
In developing Peer Spectre, Wiltse reviewed the "Gnutella protocol", which is a publicly available specification document which described in detail how to form a keyword search message, what a query hit message contained, and how those two pieces of information had to be formatted in order to be understood by other Gnutella-based software. Armed with this knowledge, Wiltse programmed an application which would send out keyword searches in the proper format so that they would be understood by Gnutella software and then evaluate those responses to find the files' hash values. He then programmed the application to compare the hash values to known child exploitation files and, if the hash values matched, to store the file name and other bits of information in a database. Since developing Peer Spectre, Wiltse has developed four other programs, three of which are widely used by law enforcement to investigate the Gnutella network and the GigaTribe network. While employed by a company named TLO, Wiltse and other computer programmers began to develop CPS, which is continuously improved and updated as of the date of his testimony. Mr. Wiltse had previously testified in both state and federal courts in the states of Oregon, California, Utah, New Mexico, Illinois, and Florida as an expert in both computer forensics as well as P2P network investigations. Wiltse was deemed by this Court to be an expert in computer forensics, P2P investigations, and the operation of the Child Protection System.
As Wiltse explained it, a P2P network is a network that "sits on top of the internet" as "sort of the vehicle to allow computers to connect to and communicate with other personal computers anywhere in the world." The Gnutella network is a P2P network with no centralized server that coordinates operations; instead, it is a set of connections between personal computers. It allows computers to advertise and then ultimately distribute shared content from one computer to another. Types of P2P networks include, but are not limited to, Gnutella, Napster, Gnutella 2, eDonkey, Ares, BitTorrent, and Freenet. Each P2P network has its own unique protocols and they cannot communicate with each other.
CPS is a web-based application which allows users with proper licenses to be able to look at the CPS database or retrieve data from the CPS database; it is used in 64 countries all over the world, and by state, federal, and local agencies. Investigators will generally refer to CPS as the suite of tools that works in conjunction with the web-based application. In order to use CPS, a law enforcement officer must receive three to four days of training from a certified instructor.
As Wiltse explained it, there are a series of commercial programs which connect to the Gnutella network; in order to download one of these programs, a user can simply access a search engine, such as Google, and search for a program, such as LimeWire, which gives them access to the Gnutella or other file-sharing network. The user then has to download LimeWire, BearShare, or another P2P application onto their computer, double-click the icon that appears, and they will have access to the Gnutella network. The programs that access Gnutella and other P2P networks can be installed just like any other program that can be downloaded from the internet.
All of the Gnutella-based software that Wiltse has downloaded or tested have some combination of "downloaded" and "incomplete" folders. As a file is in the process of being downloaded from the Gnutella network, it resides in a folder that is called "incomplete" because [*8]it is incomplete until all of the digital pieces of the file have been downloaded from the network. Once complete, it is moved to the "downloaded" or "complete" file where it is then available to any other computer on the network that is searching for some term that is in the file name of that completed file.
Files are shared on a P2P network by being obtained from a computer using the P2P network and being automatically transferred into the download folder, which makes it immediately available for sharing or distribution. If files are not in the "downloaded" folder, or any other folder designated by the user as being available for sharing, then they will not be accessible to other users on the network because the P2P program literally does not know about them. To search on the Gnutella network, almost all programs present a user with a main screen which has a search bar and a search button. A non-law enforcement user simply has to type in a search term indicating that they are interested in obtaining certain files and click the search button.
As Wiltse testified, a GUID, or "Global Unique Identifier", is a serial number which is generated by the installation of P2P software that uniquely identifies that particular download of software. For example, if three people in a household each downloaded LimeWire onto their individual computers, each download would have a different GUID. If a user were to update his software, the software would be assigned a new GUID, or, if the user deletes their software and then re-downloads the program, it would also be assigned a new GUID. Any query that goes out onto a network has the user's GUID embedded inside the message; if two people in the same household with the same external IP address are searching the network for two different types of files, the GUID ensures that the device searching for a file will receive the file requested.
When a computer responds to a search query, Wiltse explained, its response includes a file name, a SHA1 [FN2] hash value, a file size, a file index, the speed of their internet connection and other information. The initial response does not include the file itself; rather, it indicates that the computer has a file with a specific file name and hash value, but the content is still stored on the responding computer's hard drive in the shared folder. The response gets sent back to the requesting computer, which can then attempt to download the file by simply double-clicking on an arrow to establish a direct connection with that particular computer so that it can request of that computer the data available in the file.
Since there may be more than one computer that has a file with the same hash value, the searching computer can request the file from all responding computers and compile the data to create the entire file; this is called a distributed download. Usually, civilians prefer distributed downloads for efficiency — downloading a file from multiple users at once leads to a faster, more efficient download.
However, effective law enforcement requires sole-source downloading; one computer downloads a file, in its entirety, from only one computer in order to build a case against an IP address or GUID and the person using them. The law enforcement tool Shareaza LE was modified from the commercial version so that it completes only sole-source downloads, to ensure that the sharing computer has the entire child exploitation file in their downloaded folder rather than just individual, incomplete pieces of that file. In the early stages of developing CPS, computer programmers downloaded Shareaza's publicly available source code and made specific [*9]modifications to it to serve law enforcement purposes.[FN3] In the law enforcement version of Shareaza, the download requested can only come from the one IP address or GUID.
Wiltse also explained the workings of a firewall [FN4] in a P2P network. Most internet routers have firewalls built in upon purchase. However, when someone connects to a file-sharing network, the computer allows a hole in their firewall for every single connection that they make on that network. The hole stays open for as long as they are connected to the file-sharing network.
Wiltse further testified that a "download header" is a description sent by the sending computer which describes what data was transferred. In the defendant's case, the files transferred were done in one single transmission and the download header indicated that the data being sent was a .jpeg image file, the size of the file in bytes,[FN5] the hash value, the date and time of transfer, the IP address, port, and other information.
In order to share files, a computer needs to be signed onto the P2P network; once a person closes his P2P software, the computer becomes disconnected and invisible to the network, as well as any law enforcement officers seeking to make connections. Once disconnected, computers do not receive keyword searches nor are they able to share any content. Similarly, if a user downloads a file and then moves it out of the "downloaded" file on their computer into another file, it then becomes invisible to the network and P2P software.
As Wiltse explained, since 2004, law enforcement officers who find child exploitation files have been recording the hash value of those files and adding them to a database of hash values contained in the "media library" area of CPS. Each hash value that is added to the database has been visually examined by a law enforcement officer; there are now over ten-million files in the database. The media library does not actually contain movies or images but rather the information about the files and hash values.
Wiltse also explained that a hash value is a mathematical formula, of which SHA1 is one example. All computer files, at their most simple level, are a combination of the numbers 1 and 0 inserted into mathematical formulas. P2P software designers included hash values in their programs so that their software can see that other computers have the exact same hash value, and then a downloading peer can receive pieces of the file from multiple users. If a single 1 or 0 is changed within the file, the entire hash value of the file will change, even if the actual change to the file is extremely minor. However, changing the file name of a file does not affect the hash value; so long as the contents of the file remain the same, the hash value remains the same. There are various reasons why a law enforcement officer might not be able to obtain a download [*10]from an IP address, such as: the user turned off their P2P software, the user moved the file out of the download folder, or too many people were requesting downloads of the same file.
Mr. Wiltse did not participate in the investigation of Ekins Worrell or his associated GUIDs and IP addresses; he did, however, review some documents from that case prior to testifying. The IP address 188.8.131.52 appears on a report, portions of which were received into evidence at the hearing as both People's 2 and 3, which was generated by the program Shareaza LE. That report indicates that the image obtained by Shareaza LE for Det. Gergar was obtained in a single transaction with IP address 184.108.40.206. The IP address 220.127.116.11 was firewalled, so Shareaza LE sent a push message to the IP address, which then made a hole in its firewall to allow for direct connection to Det. Gergar's computer.
The Defense called no witnesses.
The Court credits the testimony of Detective Gergar and Mr. Wiltse.
CONCLUSIONS OF LAW
I. Burdens of Proof
At a hearing on a motion to suppress physical evidence, the People have the burden of going forward by presenting evidence of the legality of police conduct. (People v. Baldwin, 25 NY2d 66 ; People v. Malinsky, 15 NY2d 86 ; People v. Sanders, 79 AD2d 688 [2nd Dept 1980], lv denied 52 NY2d 906 ). The defendant then has the ultimate burden to establish, by a preponderance of credible evidence, that the challenged police conduct was illegal. (Id.; People v. Di Stefano, 38 NY2d 640 ). The defendant must also prove that he had a legitimate expectation of privacy in the area which was searched. (People v. Rodriguez, 69 NY2d 159 ).
At a hearing on a motion to controvert a search warrant, the defendant has the burden of proving that the allegations contained in the search warrant affidavit were perjurious or were made in reckless disregard of the truth, and that the application for the search warrant was not supported by probable cause. (Franks v. Delaware, 438 US 154 ; People v. Kirby, 168 AD2d 981 ; People v. Tambe, 71 NY2d 492 ; People v. Alfinito, 16 NY2d 181 ). "Any fair doubt arising from the testimony at the suppressal hearing as to whether the affidavit's allegations were perjurious should be resolved in favor of the warrant since those allegations have already been examined by a judicial officer in issuing a warrant." (People v. Alfinito at 186).
The Court finds that the People have met their burden of going forward by presenting credible testimony of two expert witnesses as to the legality of the police conduct in this case. The defendant has failed to meet his burdens with respect to both branches of his motion. Specifically, the defendant has been unable to prove that he had a reasonable expectation of privacy in a "shared" folder on his computer which was linked to a peer-to-peer file-sharing program. Furthermore, the defendant has failed to prove that Det. Gergar's downloading of child exploitation images from the defendant's computer was a search; in fact, the Court finds, as delineated below, that the download was not a search of the defendant's computer at all. Finally, with respect to his motion to controvert the search warrant, the defendant has failed to prove that the allegations contained in the search warrant affidavit were perjurious or made with reckless disregard for the truth, nor has he established that the search warrant affidavit lacked probable cause. Accordingly, the defendant's motions to suppress physical evidence and to controvert the search warrant are denied.
II. Defendant's Motion to Suppress Physical Evidence
A. The Operation of Peer-to-Peer Networks and File-Sharing Software
The People established, through the testimony of two expert witnesses, how peer-to-peer networks operate. Mr. Wiltse testified about the structure and nature of P2P networks and how law enforcement software, much of which he developed or helped develop, investigates using these networks to look for the presence of child exploitation images available for sharing.
The testimony at the hearing established that a P2P network is a series of internet connections between computers which allows users, called "peers", to share digital files, such as videos and images, with other peers over the internet (hence, "peer to peer" network). P2P networks are accessible through the use of publicly available file-sharing software which can be downloaded from the internet.[FN6] When a user downloads and installs file-sharing software, the software creates a shared folder, which is commonly called "downloaded" or "my downloads", on the user's computer. The digital files which reside in these shared folders on the computers of users are available to others on the P2P network using software specifically designed for the sole purpose of file-sharing. When a user searches for a keyword, that search is sent across the P2P network and any file which contains the keyword in its title will generate a response. These keyword searches only access files which are in shared folders. As the testimony established, files which reside on users' computers, but are not in folders purposefully designated for sharing, cannot be seen or searched; when the computer of the requesting user makes a connection to the responding peer and a digital download of the file takes place, any file that is in a user's shared folder is available for download by any civilian (or law enforcement officer) that has file-sharing software on their computer connected to the P2P network.
The expert testimony established that these file-sharing networks allow one peer to browse the files of another peer to examine what content that peer has available for download. During this browsing, each file's information is available to the browsing peer, including the file name, the file size, and the hash value. No two files can have the same hash value, since a hash value is a unique identifier of a file. Law enforcement officers using CPS can access a database, or library, of hash values of known child exploitation files, which are added to the database only after a law enforcement officer actually verifies that the file with that hash value is a child exploitation image or video by viewing the contents. Therefore, it is possible for law enforcement to know, with high probability, that a file will be child exploitative based solely on viewing its hash value, which is publicly available information.
B. The Use of CPS and the Fourth Amendment Implications
In the instant case, Det. Gergar utilized CPS to determine that four IP addresses used by the defendant possessed files with hash values that corresponded to known child exploitation files. Det. Gergar then used Shareaza LE to attempt to download files from the defendant's IP addresses; on September 26, 2011, Det. Gergar successfully downloaded two child exploitation images from IP address 18.104.22.168, which was later determined to be assigned to the defendant at the exact date and time that the downloads were made. The detective opened the files and confirmed that they were, in fact, child exploitation images that depicted underage children engaged in sexual acts or exhibited in a sexual manner. Based on this information, he [*11]secured the search warrant in question.
The first issue, whether the use of CPS is a search within the meaning of the Fourth Amendment, can be answered straightforwardly. The defense must show a legitimate expectation of privacy in the area searched or the items seized (Katz v. US, 389 US 347 ), and that his expectation is objectively reasonable. (US v. James, 534 F3d 868, 872-73 [8th Cir 2008]). It has long been held that "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties." (Smith v. Maryland, 442 US 735, 743-44 ; Katz v. US at 351; People v. Dunn, 77 NY2d 19 ). The Fourth Amendment does not protect against all searches, but only unreasonable ones. (People v. Peters, 18 NY2d 238 ).
In Smith v. Maryland, the defendant contested the use of a pen register which recorded the numbers which he dialed on a telephone; the Supreme Court rejected the defendant's arguments, finding that the defendant did not have a reasonable expectation of privacy in information which he willingly turned over to third parties — in that case, the telephone company. (Smith v. Maryland, supra). Other federal courts have also held that a defendant does not have a legitimate expectation of privacy in cell-site location information turned over to a mobile telephone service provider. (In re United States for an Order Authorizing the Release of Historial Cell-Site Info., 809 F Supp 2d 113 [EDNY 2011]). The District Court for the Eastern District of New York held that "the Fourth Amendment does not prohibit the Government from obtaining information disclosed to a third party because any reasonable expectation of privacy is destroyed when the risk of disclosure is assumed." (Id. at 120).
In this case, the argument that the defendant had an expectation of privacy in a shared folder on his computer fails for even more compelling reasons. The very nature of a shared folder is to advertise and distribute the files and their contents to third parties — thereby destroying any expectation of privacy. (US v. Ganoe, 538 F3d 1117 [9th Cir 2008], cert denied 556 US 1202 ). Indeed, Ganoe held that any expectation of privacy the defendant had in his personal computer could not "survive his decision to intall and use file-sharing software." (Id.). Any peer that is operating on the network can browse files in another peer's shared folder and download the files simply by clicking on them; the subsequent download can happen in a matter of seconds. Had the defendant chosen to, he had the ability to remove files from his shared folders and make them unavailable to other peers.[FN7] Other circuits have adopted the same rule. In United States v. Borowy, 595 F3d 1045 (9th Cir 2010), cert denied 562 US 1092 (2010), the Ninth Circuit held that the search of P2P networks for child exploitation images is a search of publicly available information which does not violate a computer user's reasonable expectation of privacy. The court further held that the defendant's "subjective intention not to share his files did not create an objectively reasonable expectation of privacy in the face of such widespread public access." (Id. at 1048). Although no controlling New York State cases have dealt with this issue, this Court agrees with the federal courts that the defendant did not have a reasonable [*12]expectation of privacy in his shared folders; his expectation was to share those files, not to keep them private.
As to the use of CPS in particular, every Fourth Amendment challenge to its use has failed in federal courts, which have repeatedly found CPS to be both a reliable investigative tool and that it does not perform a search of suspects' computers. (US v. Thomas, 788 F.3d 345 [2nd Cir 2015], cert denied — US &mdash, 136 S Ct 848 ; US v. Borowy, supra; US v. Ganoe, supra; US v. Perrine, 518 F3d 1196 [10th Cir 2008]; US v. Gabel, 2010 US Dist LEXIS 107131 [SD Fla 2010]). Indeed, the Second Circuit, in United States v. Thomas, held that "CPS software merely automates the aggregation of public information — a task that could otherwise be manually performed by law enforcement, albeit at a slower and less efficient pace." (Id. at 352 [footnote omitted]). The Ninth Circuit has held that CPS operates "simply as a sorting mechanism to prevent the government from having to sift, one by one, through [the defendant's] already publicly exposed files." (US v. Borowy at 1048). Although not actually considering CPS software itself, the Eighth Circuit has held that a defendant did not have a reasonable expectation of privacy in files that were accessible to others for sharing. (US v. Stults, 575 F3d 834 [8th Cir 2009], cert denied 559 US 915 ). The testimony in the hearing in this instant case established the same facts.
In addition to federal courts, state courts have also upheld the use of CPS as a lawful and reliable investigative tool which did not conduct a search of an area protected under the Fourth Amendment. (Frazier v. State, 180 So 3d 1067 [Ct of Appeal Florida, 5th Dist 2015][holding "CPS software does not infiltrate any computers when searching peer-to-peer networks for child exploitation material. Rather, the software gathers only public information made available by the user sharing files over the network "]; State v. Holland, 272 Ore App 211 [Court of Appeals of Oregon 2014][holding that the use of Shareaza LE was not a search because the information obtained by police "was available to any other user of the network."]). In sum, the defendant has failed to demonstrate that the use of CPS was a search, let alone an unlawful one.
The defendant also argues that his use of a firewall was intended to shield the files in his shared folder from public view. However, the hearing testimony established that by opening up his BearShare file-sharing software and connecting to the Gnutella network, the defendant opened a door in his firewall to allow connections to the network; indeed, that is the entire purpose of file-sharing software such as BearShare, used by the defendant in this case. Furthermore, Det. Gergar testified that he was able to make a direct connection to the defendant's IP address and download the files; defendant's firewall allowed access to Det. Gergar due to the defendant's installation of file-sharing software so that files could be transferred. Because the defendant's own firewall allowed access, the defendant's contention that the firewall created an expectation of privacy fails. Here, even if the defendant expected to only share child exploitation images with other civilians rather than with law enforcement, he nevertheless revealed the contents of his files (through file names and hash values) to third parties (other peers using BearShare on the Gnutella network) and this information was therefore obtained by Det. Gergar without an unlawful search.
Finally, there was no testimony which suggested that Det. Gergar's use of the Shareaza LE software entered, intruded, or examined the contents of the defendant's computer to any extent other than what a public user using file-sharing software would have been able to do. In fact, if they searched for the same keywords, a public user could have downloaded the identical two files that Det. Gergar did from the defendant just seconds before or after Det. Gergar [*13]completed his downloads from the defendant. Although the testimony established that Det. Gergar could have downloaded the same child exploitation files from the defendant using publicly available file-sharing software, the process would have been less efficient and more cumbersome; the use of CPS simply automates this investigative process. (see United States v. Thomas, supra).
As to defendant's argument that there was no evidence that anyone else, other than Det. Gergar, obtained a download from the defendant's IP address, this claim is unprovable but also irrelevant. Once Det. Gergar obtained two child exploitation images from the defendant, he had probable cause for a search warrant and probable cause for an arrest. Whether anyone else had downloaded these files is irrelevant to the issue of probable cause.
Accordingly, the Court holds that there was no search of the defendant's computer prior to the search warrant application. Every connection to and interaction with the defendant's computer by Det. Gergar could have been done by a civilian using file sharing software. The defendant did not have any objectively reasonable expectation of privacy in his shared file folder on a file-sharing network. The defendant's motion to suppress physical evidence is therefore denied.
III. Motion to Controvert the Search Warrant
The defendant has also failed to meet his burden of making a substantial showing that Det. Gergar made a false statement knowingly or intentionally, or that he had a reckless disregard for the truth in his affidavit in support of the search warrant. To establish probable cause, a search warrant application must provide sufficient information to support a reasonable belief that evidence of a crime may be found in a certain place. (see People v. Edwards, 69 NY2d 814 ; People v. Bigelow, 66 NY2d 417, 423 ). There is a "strong judicial preference for search warrants." (People v. Leggio, 84 AD3d 1116 [2nd Dept 2011] and a magistrate's decision to issue a warrant is entitled to great deference. (People v. Johnson, 66 NY2d 398, 405, 488 ; United States v. Ventresca, 380 US 102 ; People v. Hanlon, 36 NY2d 549 ).
In the case at bar, Det. Gergar, in his affidavit in support of the search warrant, explained his training and experience, his experience conducting P2P investigations, the nature of a P2P network and file-sharing software, the use of hash values, and other general information about computers and the internet. His affidavit then explained his investigation of the defendant, his initial observation of hash values on the defendant's IP address that matched known child exploitation files, his failed attempts at downloading files from the defendant, as well as his successful download of two images on September 26, 2011. He further swore to his examination of the images and his determination that those images were child pornography. Based on the matching hash values of child exploitation files and the detective's own observations of the content, the Court finds that there was ample probable cause to support the issuance of the search warrant.
Furthermore, the search warrant was specific to the address which detectives wished to search and which types of items and files for which they wished to search. The detective included in his affidavit that, based on his training and experience, the information in child pornography cases is less likely to become stale because "collectors and traders of child pornography are known to store and retain their collections for extended periods of time. Also, evidence which offenders have attempted to delete can usually be recovered."
As noted in United States v. Thomas, supra, the Second Circuit Court of Appeals upheld [*14]the validity of a search warrant which was based upon the use of CPS software; significantly, the search warrant in Thomas was upheld based on the officer identifying the hash values of known child exploitation files on that defendant's computer. Here, Det. Gergar went one step further and actually downloaded those files containing the unique hash values of child exploitation files and confirmed that they were, in fact, child exploitation files by viewing them himself. With that additional information, there is no question that the search warrant affidavit in this case was based upon probable cause.
Although the defendant argues that Det. Gergar falsely claimed to use publicly available software when he downloaded child exploitation images from the defendant, the Court finds that the hearing testimony overwhelmingly established the truth of the facts alleged in the search warrant affidavit. In addition, the one statement referred to by the defense, that the detective had used "publicly available" software, cannot be taken out of context. The affidavit also stated "I utilize software available exclusively to law enforcement to conduct investigations on peer to peer networks." Importantly, the hearing testimony established that Shareaza LE, used by the detective, was a commercially available product modified to ensure the integrity of a child exploitation investigation; there was no testimony that Shareaza LE was programmed in such a way to intrude into files on a computer which were not available to the public.
In sum, the testimony at the hearing supports the truthfulness of the totality of Det. Gergar's statements in his affidavit in support of the search warrant. The defendant has failed to make a substantial showing that Det. Gergar made a false statement knowingly or intentionally or that he had a reckless disregard for the truth. (Franks v. Delaware, supra; People v. Kirby, supra; People v. Tambe, supra; People v. Alfinito, supra). Moreover, the search warrant was based upon probable cause. People v. Darling, 262 AD2d 61, 65 [4th Dept 1999], affirmed 95 NY2d 530 ; People v. DeProspero, 91 AD3d 39 [4th Dept 2011]. Accordingly, the defendant's motion to controvert the search warrant is denied.
The defendant's motions to suppress physical evidence and controvert the search warrant are denied.
This constitutes the decision and order of the Court.
Dated: March 2, 2018
Queens, New York
Deborah Stevens Modica, J.S.C. Footnotes
Footnote 1:GUID stands for "Global Unique Identifier" and is another unique set of numbers and letters that is created when a user installs software, such as a P2P application, on their computer, laptop, or other device.
Footnote 2:"SHA1", as explained by Mr. Wiltse, refers to one type of hash value, which is essentially a set of 0s and 1s entered into a mathematical formula.
Footnote 3:If a program's source code is made available to the public, any programmer can download another programmer's body of work and modify it without having to expend the initial time and energy themselves. Shareaza is "open source", which means that the source code is available to anyone who wishes to download it.
Footnote 4:A "firewall" is a computer function which is designed to prevent unsolicited communication attempts from other IP addresses on the internet from reaching computers inside of the protected area.
Footnote 5:"Byte" is defined as "[a] group of binary digits or bits (usually eight) operated on as a unit." (Oxford Online Dictionary, byte [https://en.oxforddictionaries.com/definition/byte] [Note: online free version]).
Footnote 6:"File-sharing" is defined as "[t]he practice of making computer files available to other users of a network, in particular the illicit sharing of music and video via the internet." (Oxford Online Dictionary, file-sharing [https://en.oxforddictionaries.com/definition/file-sharing] [Note: online free version]).
Footnote 7:Defense Exhibit A demonstrates that the defendant's personal computing devices contained child exploitation files in areas of his computer which were not shared with other peers. In addition, the defendant possessed compact discs which had child exploitation images saved on them. Accordingly, the Court draws the inference that the defendant was aware that files that remained in his shared folder were publicly available and had chosen to remove other child exploitation files and store them in private folders or on compact discs.