Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

United States v. Jean

United States District Court, W.D. Arkansas, Fayetteville Division

September 13, 2016




         Now pending before the Court is a Motion to Suppress Evidence (Doc. 19) filed under seal by Defendant Anthony Allen Jean. The parties fully briefed the Motion, and on June 28, 2016, the Court held an evidentiary hearing, at which time the Government and Mr. Jean each called a witness to testify. The Court then entertained oral argument before taking the matter under advisement. Now having considered these complex issues thoroughly, the Court finds that Mr. Jean's Motion to Suppress Evidence (Doc. 19) should be DENIED for the reasons explained herein.

         I. BACKGROUND

         Mr. Jean was indicted on December 9, 2015 (Doc. 1), on four counts of knowingly receiving child pornography in violation of 18 U.S.C. §§ 2252(a)(2) and (b)(1); one count of knowingly possessing a laptop computer containing images of child pornography in violation of 18 U.S.C. §§ 2252(a)(4)(B) and (b)(2); and a forfeiture allegation.

         Mr. Jean is accused of downloading child pornography from a website called "Playpen." The Playpen website operated as a “hidden service” on “The Onion Router, " which allows users to roam the internet in complete anonymity. In the course of its investigation, the FBI was able circumvent the anonymity feature-a feat that Mr. Jean now challenges as a constitutionally impermissible violation of his rights under the Fourth Amendment and the Federal Rules of Criminal Procedure.

         The TOR Network, a/k/a the “Dark Web”

         A primer of The Onion Router, or "TOR network, ” for short, is necessary for an understanding of the issues presented. The Onion Router is so named because of its onion-like layers of encryption that operate to obscure users' identities. Anyone may download TOR software for free. The TOR browser masks a user's true Internet Protocol (“IP”) address by bouncing user communications around a distributed network of relay computers, called "nodes, " which are run by volunteers around the world. When a TOR user accesses a website, the IP address of a TOR "exit node" will appear in the website's IP log, rather than the user's actual IP address. Through these mechanisms, the TOR software prevents the tracing of a user's IP address, thereby concealing the identity of the user at every node or “hop” along the information highway.[1]

         The TOR network was originally designed by the United States Naval Research Laboratory to protect intelligence communications online, and legal uses for the network include whistleblowing activities, investigative journalism, activism, and scholarship dealing with such issues as cyber-spying and censorship. Despite these legal uses, TOR has developed a reputation for hosting illicit criminal activity, as well. For this reason, the TOR network of websites-called “hidden services”[2]-is commonly referred to by TOR users and non-users alike as the “dark web.” This name is apt for two reasons. First, the TOR browser enables users to cloak their identities in darkness-like guests to a dimly lit masquerade ball using masks to conceal their faces. Second, the TOR network is an ideal forum for dark, illegal activities to flourish, precisely because TOR users remain masked, and this allows them to escape easy detection by law enforcement.

         In his testimony at the motion hearing, FBI Special Agent Dan Alfin explained the TOR network and its hidden services this way:

The Tor network is accessible initially through use of the regular Internet. It runs on top of the regular Internet, and it is made up of hundreds of thousands of computers all around the world.
Tor affords its users two primary uses. The first is the user using the Tor network can use it to connect to a website or other type of Internet service on the regular Internet in an anonymous capability. So a user could use the Tor software or the Tor browser software to connect to a regular Internet website,,, any normal website. In doing so through the Tor network, that website cannot see where you're actually coming from. So if I were to access from this courtroom using the Tor software, Google would not know that I was here in Arkansas. It may pull an IP address somewhere else in the country or somewhere else in the world. It wouldn't be able to locate me here.
Another use of the Tor network [is] what are referred to as hidden services. So when you run a website or other Internet service within the Tor network, that service is now referred to as a hidden service and so when a website is configured to operate as a hidden service, it can only be accessed through use of the Tor software. It can no longer be accessed on the traditional Internet in the manner that you would normally access You need to use special [TOR] software to access the hidden service.
And so the hidden service affords the same [ ] benefits that I described earlier in that a user who accesses a hidden service, his or her IP address and other identifying information is concealed. The owner and operator of the hidden service cannot see it. The additional benefit that Tor provides to operators of hidden services is that the true IP address and location of the hidden service [are] similarly concealed . . . . [The operators] could be anywhere in the world. And so Tor hidden services are frequently used to host child pornography websites because of these types of security benefits afforded to operators of such websites, and these are the areas where I focus the majority of my investigative work.

(Doc. 38, pp.16-17).

         The Playpen Website

         In August of 2014, Agent Alfin discovered the existence of the Playpen website- which was configured as a “hidden service” on the TOR network-and he came to learn that the website's primary purpose was dedicated to the advertisement and distribution of child pornography. Because the website operated in complete anonymity on the TOR network, law enforcement had no readily available means to identify its owner/operator, much less its users. Then, in December of 2014, the FBI received a serendipitous break. The Playpen operator inadvertently misconfigured the website's TOR settings during an update-temporarily deactivating its cloaking mechanism for a few days-which was enough time for investigators to locate a computer server in North Carolina that was being used to host the Playpen website. This, in turn, led to the arrest of Playpen's owner on February 19, 2015, at his residence in Naples, Florida-which further resulted in the FBI gaining access to the owner's administrative account, and with that came the ability to control the Playpen website.

         The NIT Warrant

         But investigators still had no means to identify and locate the website's users, whom they believed to be downloading and distributing child pornography in violation of federal law.[3] The users' identifying information was purposely unknown to Playpen's owner, and the users' IP addresses remained concealed because the website was only accessible as a hidden service on the TOR network, thus providing total anonymity to the users. So the FBI devised a plan. First, agents made a copy of the Playpen website and placed it on a government computer server located in the Eastern District of Virginia. Then, after obtaining a search warrant, the FBI re-launched the Playpen website from its own computer server in Virginia, secretly assuming administrative control over the website for a window of approximately 13 days, from February 20, 2015, to March 4, 2015.

         The FBI submitted the application for the search warrant to Magistrate Judge Theresa Carroll Buchanan in the Eastern District of Virginia. See Doc. 19-2. The warrant application was supported by a 31-page affidavit signed by Special Agent Douglas Macfarlane. See Doc. 19-2, pp. 2-32. In the affidavit, Agent Macfarlane first explained why there was probable cause to believe that users of the Playpen website were committing criminal acts related to the exploitation of children. Agent Macfarlane's affidavit then requested Judge Buchanan to authorize the FBI to deploy computer code, which it refers to as a “Network Investigative Technique” (“NIT”), from its server in Virginia that would be used to host the Playpen website. When a Playpen user's computer (defined in the affidavit and warrant as an “activating computer”) would log into the website using a username and password, the NIT would surreptitiously deploy and “cause” the user's “activating computer”-wherever it might be located-to report back certain identifying information to the government's computer on the other end of the line. Id. at pp. 30-31.

         Judge Buchanan made a finding of probable cause and signed the warrant authorizing use of the NIT to search “[t]he activating computers[4] . . . of any user or administrator who logs into the [Playpen] WEBSITE by entering a username and password.” Id. at p. 34. The warrant's authorization was expressly limited to a period of not more than 30 days. Id. The items authorized to be “seized” were expressly identified and limited to the following identifying information:

1. the activating computer's actual IP address, and the date and time that the NIT determines what that IP address is;
2. a unique identifier generated by the NIT (e.g., a series of numbers, letters, and/or special characters) to distinguish data from that of other activating computers, that would be sent with and collected by the NIT;
3. the type of operating system running on the computer, including type (e.g., Windows), version (e.g., Windows 7), and architecture (e.g., x 86);
4. information about whether the NIT has already been delivered to the activating computer;
5. the activating computer's Host Name;
6. the activating computer's active operating system username; and
7. the activating computer's media access control ("MAC") address;[5]Attachment B to the warrant, id. at p. 35.

         Finding of Probable Cause

         Judge Buchanan's finding of probable cause was based on Agent Macfarlane's affidavit in support of the search warrant, which provided, in part:

Because the TARGET WEBSITE is a Tor hidden service, it does not reside on the traditional or "open" Internet. A user may only access the TARGET WEBSITE through the Tor network. Even after connecting to the Tor network, however, a user must know the web address of the website in order to access the Site. Moreover, Tor hidden services are not indexed like websites on the traditional Internet. Accordingly, unlike on the traditional Internet, a user may not simply perform a Google search for the name of one of the websites on Tor to obtain and click on a link to the site. A user might obtain the web address directly from communicating with other users of the board, or from Internet postings describing the sort of content available on the website as well as the website's location. For example, there is a Tor "hidden service" page that is dedicated to pedophilia and child pornography. That "hidden service" contains a section with links to Tor hidden services that contain child pornography. The TARGET WEBSITE is listed in that section. Accessing the TARGET WEBSITE therefore requires numerous affirmative steps by the user, making it extremely unlikely that any user could simply stumble upon the TARGET WEBSITE without understanding its purpose and content.

Id. at pp. 13-14. Agent Alfin elaborated on this point when he testified at the hearing that it was “incredibly unlikely” that a user would simply stumble upon the Playpen website without knowing the website's illegal purpose. See Doc. 38, p. 20.

         The FBI's Use of the NIT

         Agent Alfin also testified that he had personal knowledge as to how the FBI went about deploying the NIT from the Playpen server onto a user's computer. The NIT was designed to automatically deploy once an activating computer (1) entered the Playpen website via a username and password, and then (2) clicked on a forum link to begin downloading child pornography.[6] (Doc. 38, p. 86). The FBI was able to cause the user's computer to report the identifying information by exploiting a defective window in the TOR broswer, through which it ran what amounts to malware[7] on the user's computer, with the objective being to override the TOR browser's and the user's computer security settings, and then “cause” the user's computer to return discrete, content-neutral items of identifying information back to the FBI. Id. at pp. 60-61.[8]

         Important to the Court's analysis below is Agent Alfin's testimony that the NIT deployed and returned the identifying information while the user's computer was (1) actually online, (2) connected to and actively communicating with the FBI's computer in Virginia, and (3) while the user was in the process of receiving child pornography. As Agent Alfin explained:

As soon as a user clicks on the post, they begin downloading the material from that post. Additionally they download the NIT instructions to their computer, and while the post is still . . . downloading, the NIT does its business and sends the information back to the FBI. This happens very quickly. In the matter at hand, the entire transmission generated by the NIT took place in approximately 0.27 seconds. Again, it happened very quickly because it was just transferring a very limited amount of information . . . . [T]he NIT would be triggered and deploy and likely complete its task before that page even fully loads.

Id. at pp. 86-87. The entire objective of the NIT transaction was consummated in the blink of an eye, [9] while the user's computer was still in the process of actively downloading child pornography from the computer hosting the Playpen website in Virginia. See Doc. 38, pp. 88-89.

         The FBI monitored and generated reports of all Playpen user activity during the authorized period of surveillance.[10] The reports contained two sets of data. See Id. at pp. 40-41. The first set related to Playpen website usage and included the date each user registered his account with Playpen, the number of hours that each user was logged into the website during the monitoring period, and the specific posts each user accessed while online. None of this data was gathered using the malware, but was instead observed directly by the FBI through website monitoring.

         The second set of data was seized by virtue of the malware causing each user's computer to return the identifying information (without the user's knowledge) to the government's computer in Virginia. This second set of data, as authorized by the warrant, included the user's MAC address, hostname, log-on name, and the activating computer's IP address.

         Interestingly though, the user's IP address-the most critical piece of information in locating the user-does not actually reside on the user's computer. IP addresses are assigned by an Internet Service Provider (“ISP”)-much like one's residential address is assigned by the postal service. The IP address is maintained on the internet modem that connects an internet device to the internet. See Id. at p. 43. Ordinarily, one's true IP address can be determined with relative ease because it is always attached, like a “return address, ” to every “envelope” of information exchanged back and forth by computers that are actively communicating with each other over the internet. But this is not so on the TOR network, where a user's true IP address is intentionally masked by the shuffling of information into different envelopes with different return addresses at each node along the route. Here, the FBI's malware circumvented TOR's veil-simply by causing the user's computer to return the “envelopes” of seized information to the government's computer via the regular internet-which had the clever side effect of causing the user's true “return address” to be written on the envelope.[11] With the user's true IP address in hand, the FBI subpoenaed the internet service provider and-in effect-turned on the lights to unmask the user's real location.

         The Investigation of Anthony Allen Jean

         Agent Alfin testified that the Playpen website was accessed thousands of times during the 13 days it was monitored by the FBI. Id. at p. 65. As to the specific investigation of Defendant Anthony Allen Jean, Agent Alfin testified that on March 1, 2015, an individual logged into the Playpen website with the username “regalbegal” and used the website index to select a forum dedicated to “Preteen Videos-Girls Hardcore.” Id. at pp. 44-45. There, regalbegal allegedly opened a post that purported to contain images of prepubescent female children engaged in penetrative sexual activity. Once regalbegal opened this post, the NIT protocol was triggered, and, unbeknownst to regalbegal, the malware deployed from the Playpen server in Virginia to his computer. According to Agent Alfin, in 0.27 seconds, while regalbegal was still actively connected to (and downloading child pornography from) the Playpen server, the malware caused his computer to transmit the information authorized by the warrant back to the government computer server located in the Eastern District of Virginia. And with that return transmission of data over the regular internet came regalbegal's true IP address.

         The Administrative Subpoena

         From the IP address alone, and using publically available data, the FBI could determine the region of the country where regalbegal resided, as well as the particular ISP, Cox Communications (“Cox”), associated with his IP address. The FBI then sent an administrative subpoena to Cox, and Cox provided the FBI with the name and residential address affiliated with regalbegal's IP address.

         The Residential Search Warrant

         Soon after obtaining this subscriber information, law enforcement applied to Magistrate Judge Erin L. Setser of the Western District of Arkansas for a residential search warrant (Doc. 19-1) to be executed at Mr. Jean's residence.[12] The warrant was Dated: July 8, 2015, and executed on July 9, 2015. When the FBI first arrived at the residence, they advised Mr. Jean that they had a search warrant, but they did not volunteer that they had located his whereabouts by tracing his IP address. Mr. Jean apparently cooperated with investigating agents and allegedly made incriminating statements both at the time of his arrest and later ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.