Articles Posted in Computer crimes

Prof. Berman at sentecing law and policy invites our attention to an interesting new decision from the Third.

US v. Husmann, No. 13-2688 (3d Cir. Sept 3, 2014) (available here) .

We all of us have an a client who is charged with distribution of CP because they were using a P2P program such as Limewire, and where the automatic settings placed information in the “shared” folder.  Because the information is in the shared folder it is accessible to others who search Limewire and come across it.  Actually many clients have been caught through the FBI or some other enforcement agency trolling Limewire for such information.

The opinion in Husmann makes much of the “intentional” placing of CP in the shared folder.  But does not address the way in which the program, by default places everything in the shared folder. Normally the use needs to affirmatively change the settings for downloads not to go in the shared folder.  The opinion assumes the subject files were deliberately placed in the shared folder making them accessible to others.

So, you have a client who downloads CP via a P2P program, doesn’t realize about the automatic settings upon execution of the P2P software, and there is NO evidence that someone queried and received CP from that client’s account?  In Husmann the investigators went through the various logs to see if they could find any evidence of another computer connecting and downloading, but weren’t able to find such evidence.

Currently in the Third the person may not be convicted, see Husmannn.  It’s a 2-1 decision with a strong dissent.  It’s only the Third.

Can you use the rationale from Husmann to defeat a conviction for distribution.  Keep in mind that he court was construing the definition of “distribution” under the federal statute.  And if it’s not distribution is it an attempted distribution.

All in all an interesting read for the all to common CP case.

In United States v. Blouin, ARMY 20101135 (A. Ct. Crim. App. 28 May 2014), the court has, in my view, taken a broader view of what qualifies as CP for the purpose of a guilty plea.  However, the court is not taking an unknown or unvisited trail.

Blouin was charged with possessing CP in violation of 18 U.S. Code Sec. 2256(8), to which at trial he plead guilty.

As is common in these type of cases, the prosecution threw up a whole bunch of alleged (173 to be exact) CP images, without really understanding what they were doing.  And they compounded this with offering 12 images as a “sample.”  This caused the military judge to reopen providency, because he found only three of the images were likely CP.

Continue reading →

Here is an interesting opinion from the Sixth about the reasonable expectation of privacy in items transmitted or available through Limewire (or similar P2P programs).  There is none, compared to other ways stuff gets onto a computer – in the Sixth.

Defendant had no reasonable expectation of privacy in his computer from police accessing it via Limewire when he was hooked up to the Internet. He did not create an expectation of privacy from his efforts to hide files on his computer. Warshak has no application to this situation. United States v. Conner, 2013 U.S. App. LEXIS 7437, 2013 FED App. 0365N (6th Cir. April 11, 2013)[.]

The court references United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).

Generally speaking, computer users have a reasonable expectation of privacy in data stored on a home computer. Guest v. Leis, 255 F.3d 325, 333 (6th Cir. 2001). Conner argues that under United States v. Warshak, 631 F.3d 266 (6th Cir. 2010) (en banc), third-partyaccess to information on one’s computer is consistent with a reasonable expectation of privacy in that information. In Warshak, we agreed that the government could not compel a commercial ISP to turn over the contents of a subscriber’s e-mails without a warrant because subscribers “enjoy[] a reasonable expectation of privacy in the contents of emails,” even though an ISP has the ability to view the contents of e-mail prior to delivery. 631 F.3d at 288.

Here is a link to EFF’s amicus in Warshak.

h.t fourthamendment blog.

Over the years I have had some success in challenging expert testimony about the “age” of a child in photographs and video’s.  The testimony is based on so-called Tanner Scale.  As with many expert testimony in court, the prosecutor takes a method used by pediatricians in evaluating the health of a person whose age is known.  Basically the stages are compared to the persons physical development to determine if there is an illness or some form of abuse causing the person not to thrive as expected.   Tanner himself has frequently pointed out and argued that, “the scales were not designed to be used for estimating chronological age, forensically or otherwise.”  Thus a misuse of an otherwise medical diagnostic tool.

Generally there is a challenge that should be made in a Houser motion prior to trial, when the alleged images are of older children.

Basically the objection relates to being able to tell that a person is under 18, a very specific age.  A person can be 18 years and one day old and look like they are 16, or they can look like they are 20.  Essentially you should be cautious of any expert purporting to place the person in an image as being a Tanner Scale three or above and as being under the specific age of 18 (meaning they have not reached their 18th birthday).

Here is an interesting article that is relevant to the issue.

Arlen L. Rosenblum, Inaccuracy of age assessment from images of postpubescent subjects in cases of alleged child pornography, Int’l J. of Legal Med. (April 2012).

Despite frequent medical expert testimony authoritatively stating that images of individuals who are postpubescent indicate age less than 18 and therefore, child pornography, developmental experts have noted that a scientific basis for such estimation is lacking. In fact, recent studies have demonstrated a high degree of inaccuracy in such estimates, and that the stage of breast development often used as indicative of age under 18 years is present in a substantial percentage of adult women. Ten images of adult women from legitimate pornographic sites promoting youthful images were shown to 16 pediatric endocrinologists expert in evaluating maturation, who determined whether or not the individuals represented were under 18 years of age. They also provided information about what features were most important in their evaluations. Sixty-nine percent of the 160 estimates were that the images represented females under 18 years of age. There was wide variability in the designation of importance of the various features of maturation in reaching conclusions, with breast development and facial appearance considered most important. This study confirms that medical testimony, even by experts in adolescent development, can deem images of adult women selected for their youthful appearance to be under age 18 two thirds of the time. Thus, important as prosecuting users of child pornographic material may be, justice requires the avoidance of testimony that is not scientifically based,

Even if the military judge lets the expert testify, this is a fertile area of cross-examination.

Here is an interesting “report” of a case involving people over 18, where the government expert insisted they were 13-15 (and one of the people was a witness in court).

FederalEvidence blog has a good post on United States v. Caldwell, __ F. 3d ___ (5th Cir.  October 26, 2009).

For those of us doing a lot of CP cases – LimeWire, one of several peer-to-peer file sharing programs, is increasingly found to be the method by which CP is received or transmitted.  Typically the prosecution calls a forensic computer examiner as an expert witness (although I notice the Navy is trying to short-circuit this by calling the duty NCIS agent to testify about computers).  Anyway, FEB notes the difficulty courts are having in deciding whether testimony about computers and/or software falls within [Mil. ]R. Evid. 701 (lay) or 702 (expert).

[T]he line between lay and expert testimony is very hard to discern. A closer question would have been raised in the case if an objection had been made at trial and review was under the less deferential abuse of discretion standard. The issue of lay versus expert testimony arises in other contexts, including on computer forensic testimony, as noted in these prior posts: Drawing The Line On Computer Forensic Expert And Lay Testimony (Part I); Drawing The Line On Computer Forensic Expert And Lay Testimony (Part II).

In Caldwell the defense didn’t object to a LimeWire employee’s testimony, so the standard of review was “plain error” which is the easiest of all standards for the prosecution to beat.

Of interest was the testimony of the LimeWire employee in issue.  When asked if someone else using LimeWire can send you a file you didn’t request he answered no.  That is superficially correct.  The idea being that the file was a CP related file and the person searched for it, knew it was CP, and had it downloaded.  However, the question presumes that the downloaded file was correctly named (in the visible part) or that there were not additional files added to the file downloaded.  I’ll give you an example.

A certain actress with the initials CZJ is an attractive woman.  People will search for and find some risque pictures of her on LimeWire (or Kazaa, BitTorrent, etc.).  Most of the time they will get risque pictures and nothing else.  However, every now and again the person is likely to get a series of pictures of CZJ where a CP image is tacked on the end of the series.  You won’t know this until you view all the series on or off line.  And remember, at this point the images are automatically downloaded to a default folder.  (This is no different than CP distribution via VHS.  When VHS was a popular video medium CP’ers would cut-and-paste a CP video five or ten minutes into a regular movie.  That’s done with DVD now.  That’s why law enforcement seize the home movies and DVDs.  They are looking for embedded CP videos.  The same can happen with a series of apparently legitimate images on the web.)  You don’t know you are getting CP images because all you know is the displayed name of the file is CZJ nude.  When there is CP attached there is usually an extended file name that is not visible/displayed unless you examine the properties of the image.  That extended name has the typical CP search terms in the extended, but not visible/displayed, file name.  That hidden extended name is done by CP’rs to help other CP’rs find the images.  But in  process the innocent searcher and retriever of some risque photos of CZJ can unknowingly end up with CP.  But ask anyone to believe that if you will . . .  (Caution:  Please don’t try this at home yourself.)

Courtesy of my favorite forensic computer examiner, Eric Lakes at CyberAgents, Inc., he pointed me to a couple of items about LimeWire and forensic examination problems.  For example, DCFL has itself found an issue with LimeWire.

Lewthwaite, Joseph, & Smith, Victoria, Limewire examinations, Digital Investigation 5 (2008) S96-S104.  The authors are employed at the Defense Cyber Crime Institute and DCFL.

Here is the important part of the article which shows that a non-expert/lay-person (read duty NCIS agent) might misinterpret and therefore wrongly testify that a client has been searching for CP in LimeWire.

image The issue comes up most frequently with clients who have been actively searching for adult P., and who think that’s all they are getting or likely to get.

Back to Caldwell.  If you get a situation where a non-forensic computer examiner is going to testify about LimeWire and CP, consider filing a Houser motion to exclude the testimony.

NMCCA has issued an unpublished opinion in United States v. Davis, III, NMCCA 200900137 (N.M.C. Ct. Crim. App. 8 September 2009).

The case addresses the often perplexing issue of prosecutorial overcharging in CP cases.  In this case the prosecution charged the CP under Article 134(1)(2) and (3), UCMJ.  The court does note that some overcharging is to be expected prior to trial and the prosecution then commits itself to proving up the various charges.  However, this was a guilty plea case.  While the MJ did address some factors under United States v. Quiroz, NMCCA decided she’d not gone far enough.  There was no effect on the sentence.

CA Court of Appeals provides guidelines for “knowing posession”.

In People v. Michael James Tecklenburg, (2009, 169 Cal. App. 4th 1402) the California Court of Appeals considered the relevance and applicability of involuntary "pop-ups" and temporary Internet files (TIF or "cache") to the applicable statute. California’s Penal Code section 311.11(a) makes it illegal to "knowingly posses or control" depictions defined as child pornography according to state law (P.C. 314, subd. d). The court specifically considered the variables required to establish "control".

In Tecklenburg, the court denied appeal based on the State’s discovery having established the cumulative applicability of the following variables:

  1. the user actively searched for child porn;
  2. the user visited child porn web sites;
  3. the user explored beyond the first page of said web sites;
  4. the user clicked on images on, at least, one web site;
  5. the images appeared and were accessed multiple times;
  6. the user enlarged thumbnail images;
  7. the images were “part of a series or collection”;
  8. the size and format did not match that of a pop-up;
  9. similar, and sometimes identical, images were found on both the user’s home and work computers.

While I don’t agree with the entirety of the court’s findings, said computer forensics expert Jeff Fischbach, nor am I comfortable that the court fully appreciates the non-standardized and ever-evolving nature of the Web, or the limitations of computer forensics, I do think that the decision itself serves as a good minimum benchmark, or litmus test, for both prosecution and defense in similar cases.

A search warrant for drugs and possible records of drug sales did not permit officers to enter defendant’s computer where the execution of the warrant produced no evidence of drug sales on the premises. (There was also a Franks violation because the officer represented a neighbor’s report of drug use and drug sales, but the remainder of the affidavit showed PC. Child porn was found on the computer.) United States v. Payton, 07-10567 (9th Cir. July 21, 2009).

/tip to fourthamendment.com blog for reporting this case.

United States v. Brobst, 558 F. 3d 982 (9th Cir. 2009), is primarily a search and seizure case.  But here is a tantalizing piece about double jeopardy in a child pornography case.

In light of this court’s decisions in United States v. Davenport, 519 F.3d 940 (9th Cir. 2008) and United States v. Giberson, 527 F.3d 882 (9th Cir. 2008), Brobst’s convictions for both receipt and possession of child pornography violated the Double Jeopardy Clause of the Fifth Amendment to the Constitution. See Davenport, 519 F.3d at 947. "Where we conclude that a defendant has suffered a double jeopardy violation because he was erroneously convicted for the same offense under two separate counts . . . ‘the only remedy consistent with the congressional intent is for the [d]istrict [c]ourt, where the sentencing responsibility resides, to exercise its discretion to vacate one of the underlying convictions.’" United States v. Schales, 546 F.3d 965, 980 (9th Cir. 2008)(quoting United States v. Ball, 470 U.S. 856, 864, 105 S. Ct. 1668, 84 L. Ed. 2d 740 (1985)). Accordingly, we vacate the judgment and remand with instructions that the district court vacate one of Brobst’s convictions for either receipt or possession of child pornography, allowing for it to be reinstated without prejudice if his other conviction should be overturned on direct or collateral review.

United States v. Brobst, 558 F.3d 982, *39-40 (9th Cir. 2009).