Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

United States of America v. Richard Stanley

November 14, 2012

UNITED STATES OF AMERICA,
v.
RICHARD STANLEY, DEFENDANT.



The opinion of the court was delivered by: Conti, District Judge

MEMORANDUM OPINION AND ORDER

Pending before the court is a motion to suppress evidence seized during a search of the home and computer of Richard Stanley ("Stanley" or "defendant") on January 19, 2011, and statements made by Stanley subsequent to that search. (ECF No. 24.) On November 9, 2011, a federal grand jury in the Western District of Pennsylvania returned a one-count indictment charging Stanley with possession of child pornography in violation of 18 U.S.C. § 2252(a)(4)(B). (ECF No. 1.) On December 1, 2011, he pleaded not guilty to count one of the indictment. (ECF No. 17.) On April 13, 2012, Stanley filed a motion to suppress evidence and statements made by him. (ECF No. 24.) The government filed a response to defendant's motion to suppress on April 27, 2012. (ECF No. 26.) Defendant filed a reply brief to the government's response to defendant's motion to suppress on May 11, 2012. (ECF No. 27.) Defendant filed a supplemental brief with respect to the motion to suppress on May 23, 2012. (ECF No. 28.)

On May 24, 2012, the court held a hearing with respect to defendant's motion to suppress. (ECF No. 29.) The court heard testimony from Cpl. Robert Erdely (retired) of the Pennsylvania State Police ("Erdely") and exhibits were entered into evidence. The court ordered the parties to file proposed findings of fact and conclusions of law. The proposed findings of fact and conclusions of law were filed on August 6, 2012. (ECF Nos. 36 and 37.) Defendant filed a reply to the government's proposed findings of fact and conclusions of law on August 8, 2012. (ECF No. 38.) The government filed a response to defendant's proposed findings of fact on August 14, 2012. (ECF No. 39.) Defendant filed a reply brief on August 28, 2012. (ECF No. 41.)

After reviewing the parties' submissions and considering the evidence presented at the suppression hearing on May 24, 2012, the court determined additional evidence was required to decide the issues presented by defendant's motion to suppress. On August 24, 2012, the court reopened the record and continued the suppression hearing for the parties to present additional evidence with respect to the issues contained in the court's order, dated August 24, 2012. (ECF No. 40.) At the continued suppression hearing on October 15, 2012, the court heard testimony from Erdely and exhibits were entered into evidence. After considering the parties' submissions and the evidence and testimony presented at the suppression hearings, the court makes the following findings of fact and conclusions of law:

I.Findings of Fact

Erdely's Use of the MoocherhunterTM

1. On November 11, 2010, Erdely, the head of the computer crime unit of the Pennsylvania State Police ("PSP"), was investigating the distribution of child pornography files over peer-to-peer file-sharing networks on the internet. (5/24/2012 Tr. at 6-7.)

2. As the head of the computer crime unit, Erdely ran the statewide computer crime task force and was responsible for a twenty-six member unit. Erdely also handled his own caseload investigating internet crimes involving the sexual exploitation of children. Erdely served as an instructor in online investigations for the Internet Crimes Against Children Task Force, and his training included various computer crime conferences and numerous Microsoft, Cisco, and computer forensics certifications. (Id. at 5-6; Gov't's Ex. 8, ¶ 2.)

3. During Erdely's online investigation on November 11, 2010, he discovered a computer sharing seventy-seven files (the "subject computer") on the Gnutella network, which runs various file-sharing programs and allows users to share files between their computers. (5/24/2012 Tr. at 6.)

4. Erdely suspected at least twenty-two of the seventy-seven files were child pornography based on the files' titles. Erdely was able to confirm with certainty that several of the seventy-seven files contained child pornography. (Id. at 8, 11; Gov't's Ex. 8, ¶ 19.)

5. Law enforcement officials maintain an electronic database of files containing child pornography recovered from criminal investigations. The files maintained in the database have unique identifiers called hash values. Erdely found that the hash values of several of the files on the subject computer were identical to the hash values of the files in the law enforcement child pornography database. Based on this information, Erdely concluded that the subject computer was sharing child pornography on the Gnutella network. (5/24/2012 Tr. at 8, 11; Gov't's Ex. 8, ¶ 20.)

6. Each computer which accesses a file-sharing program on the Gnutella network is assigned a globally unique identification ("GUID") that stays with the computer even after a particular file-sharing session is completed. Erdely identified the GUID of the user sharing the seventy-seven files as "8754E6525772BA0134C4C6CACF12E300" ("300 GUID"). (5/24/2012 Tr. at 9; Gov't's Ex. 8, ¶ 17.)

7. Erdely identified that the subject computer was using an internet protocol address ("IP address"), of "98.236.6.174" (the "174 IP address"). An IP address is a number assigned to a modem when it connects to the internet. Every modem that connects to the internet has a unique IP address. When users share an internet connection through the use of a wireless router, the wireless devices, such as a computer, which are connected to the internet through the wireless router, are assigned private IP addresses, which are not disclosed to the public. All users connected to the internet via the wireless router use the public IP address of the modem the wireless router is connected to in order to communicate on the internet.*fn1 (5/24/2012 Tr. at 8-9; Gov't's Ex. 8, ¶ 17.) The only persons that can view the private IP addresses are those persons that are able to access the wireless router's configuration, i.e. those whose devices are connected to the wireless router. (See ¶ 13 infra.) Unlike GUIDs, IP addresses can be reassigned and do not always stay the same for a particular modem. (5/24/2012 Tr. at 8-9; Gov't's Ex. 8, ¶ 17.)

8. Erdely searched publically available records and determined the 174 IP address assigned to the subject computer through which the Gnutella network was accessed was subscribed to through Comcast Cable ("Comcast"). On November 11, 2010, Erdely obtained a court order directing Comcast to identify the subscriber of the 174 IP address. (5/24/2012 Tr. at 6, 8-9, 11-12; Gov't's Ex. 8 ¶ 21.)

9. Comcast identified that on November 11, 2010, the 174 IP address was assigned to William Kozikowski ("Kozikowski") in Allegheny County. Comcast provided Erdely with Kozikowski's home address in Allegheny County. (5/24/2012 Tr. at 12; Gov't's Ex. 8 ¶ 21.)

10. Based on the information provided by Comcast, Erdely obtained and executed a search warrant for Kozikowski's home. Erdely found two computers in the home, but concluded that neither was the subject computer because neither computer contained internet file-sharing software with the 300 GUID. (5/24/2012 Tr. at 12-13.)

11. Erdely learned that Kozikowski used a wireless router in his home to connect his computers to the internet. (Id. at 13, 30.)

12. Comcast provides internet service through a coaxial cable that is run into the subscriber's home. The coaxial cable is physically connected to a modem inside the subscriber's home. A wireless router is connected to a modem via a cable. The wireless router is located within a small box and allows multiple devices, e.g. computers, to connect to the internet. Through the modem, the multiple devices share one public IP address, and may or may not have a physical connection to the wireless router. Once the wireless router is connected to the modem, computers equipped with wireless technology can detect the wireless router and send signals to and receive signals from that router in order to connect to the internet. A computer can also connect to the wireless router via a cable. (10/15/12 Tr. at 3-5.)

13. In Kozikowski's house, one computer was connected to the wireless router via a cable, while another computer was connected to the wireless router via a signal. (10/15/12 Tr. at 3-5, 10-11.)

14. The wireless router may be secured, meaning a password is required to access the wireless router, or may be unsecured, meaning a password is not required to access the wireless router to connect to the internet. (Id.) Erdely found Kozikowski's internet connection was unsecured; thus, it did not require users to enter a username and password before connecting to the internet via Kozikowski's internet connection. Kozikowski informed Erdely that he had not given anyone outside his home permission to use his internet connection. (5/24/2012 Tr. at 13, 30.)

15. A password is required, however, for a person to view the wireless router's settings or to examine the information stored on the wireless router. This information included, among other things, the router's settings, detailed information about the devices connected to the wireless router, and the private IP addresses it assigned to those devices. This information is stored on the wireless router and even if the wireless router is powered down, the information remains stored on the wireless router. (10/15/12 Tr. at 7, 9.) To view the wireless router's settings or to examine the information stored on the router, a user must open a web page on his or her computer and type the wireless router's IP address into the address bar. The user must then enter a password. Once a user correctly enters the password, the wireless router's settings and other information stored on the wireless router are displayed on the web page. (10/15/12 Tr. at 8.)

16. Computers*fn2 are generally equipped with wireless technology, sometimes referred to as a "wireless card," which enables them to connect to a wireless router. A computer user can view information about his computer's wireless technology by clicking an icon located on his computer screen.*fn3 This wireless technology is assigned a unique serial number called a MAC address. When computers are powered on, and assuming the wireless technology is not turned off, the wireless technology sends out a signal to search for wireless routers within a certain range of the computer. Each wireless router has a name, and when the user clicks on the wireless technology icon on his computer screen, the names of available wireless routers within the computer's range appear in a list on the computer screen. To connect to one of those wireless routers, the user clicks on that wireless router's name and is prompted to connect to that wireless router. (10/15/12 Tr. at 13-14.) If the wireless router is secured, the user will have to enter a password to connect to that wireless router. If the wireless router is not secure, the user can connect to the wireless router without entering a password. (Id. at 21.)

17. A person must take those affirmative steps to connect his or her computer to a wireless router. (10/15/12 Tr. at 14, 27, 62.) Stanley had to follow that process to connect his computer to Kozikowski's wireless router. (10/15/12 Tr. at 62.)

18. Once a computer is connected to the wireless router, it is assigned a private IP address. The private IP address is used to identify the devices connected to the internet via that wireless router. Each device connected to the wireless router has a different private IP address. Private IP addresses are only used by the wireless router and are not revealed to third parties on the internet. All devices connected to the modem share the modem's public IP address. The public IP address is disclosed to third parties to facilitate the user's interactions on the internet. (5/24/2012 Tr. at 8-9; 10/15/12 Tr. at 15-16.)

19. Following Erdely's initial investigation of Kozikowski's home and computers, Kozikowski left his wireless router unsecured and allowed Erdely to place a computer in his home and connect it to his wireless router. Erdely had access through that computer to the wireless router's settings, which provided, among other things, the public IP address the wireless router was using, the private IP addresses the wireless router assigned to any devices connected to that wireless router, and the MAC address of any of those devices connected to the wireless router. This set-up allowed Erdely to continue his investigation of the person using Kozikowski's wireless router to share and view child pornography. (Id. at 13-14.)

20. Law enforcement officials have a computer system that allows investigators to record the results of their investigations of child pornography crimes to share with law enforcement officials in other states. (10/15/12 Tr. at 41, 80.)

21. On January 19, 2011, Erdely was using this computer system while in Harrisburg, Pennsylvania to view the search results of other law enforcement officials' investigations of child pornography crimes. These search results updated every thirty minutes to include the results of the most recent investigations. (Id.) Erdely learned two other computer crime investigators, Jessica Eger ("Eger"), an employee of the Pennsylvania Attorney General's Office and Paula Hoffa ("Hoffa"), an investigator with the Hartland Police Department, each identified a computer sharing child pornography that had the same 300 GUID as the subject computer identified by Erdely. (5/24/2012 Tr. at 17-18; Gov't's Ex. 8 ¶ 21.)

22. Eger's investigation that identified the 300 GUID sharing child pornography took place at 9:50 a.m. on January 19, 2011. (5/24/2012 Tr. at 23, 24, 66; Gov't's Ex. 8 ¶ 21.)

23. Hoffa's investigation that identified the 300 GUID sharing child pornography took place at 3:19 p.m. on January 19, 2011. (Gov't's Ex. 8 ¶ 21.)

24. Hoffa reported the public IP address of the user sharing child pornography was "98.239.133.215" (the "215 IP address"). (Id.)

25. After Erdely learned about Eger's and Hoffa's investigations, he logged into the computer located at Kozikowski's residence from his computer in Harrisburg, Pennsylvania and examined the configuration of Kozikowski's wireless router. (5/24/2012 Tr. at 22; 10/15/12 Tr. at 46-47; Gov't's Ex. 8 ¶ 21.)

26. Erdely learned that the 215 IP address was assigned to Kozikowski's wireless router. Erdely examined the logs on Kozikowski's wireless router, which revealed there was a computer connected to that router with a private IP address of "192.168.2.114" (the "114 IP address") and the computer's MAC address was "mac=00-1C-B3-B4-48-95" (the "95 MAC address"). (5/24/2012 Tr. at 22-24; Gov't's Ex. 8 ¶ 21.)

27. An online search of the prefix "mac" of the 95 MAC address identified that the wireless networking card was an Apple wireless device, which led Erdely to believe the computer using the private 114 IP address was an Apple computer. Neither computer in Kozikowski's home was an Apple computer. (5/24/2012 Tr. at 20, 24; Gov't's Ex. 8 ¶ 21.)

28. Erdely learned from his review of the Kozikowski's wireless router's configuration that the computer assigned the private 114 IP address was using port 6346 to interact with other devices assigned IP addresses. (5/24/2012 Tr. at 23-24; 10/15/12 Tr. at 63-64; Gov't's Ex. 8 ¶ 21.)

29. Ports are channels of communication on the internet. There are 65,536 available ports. The first 1,023 of these ports are well-known ports and are set aside for particular internet traffic, such as viewing a webpage (port 80), sending email (port 25), or receiving email (port 110). (10/15/12 Tr. at 31.) There are other ports, starting with port 1,024, that are registered ports. The Internet Assignment Number Authority (the "IANA") is responsible for, among other things, registering ports. The Gnutella network registered port 6346 with the IANA, and it is one of the most common ports used to access the Gnutella network. (Id.) Even though a port is registered, it can still be used for internet activity not associated with its registering network, meaning that a computer could use port 6346 without accessing the Gnutella network. (Id. at 31-33, 70.)

30. In Erdely's experience investigating child pornography crimes, he saw port 6346 being consistently used by persons via their computers to view and share child pornography by accessing the Gnutella network. (Id.)

31. At some point after Erdely learned about Eger's and Hoffa's investigations, looked at the configuration of Kozikowski's wireless router, and called Eger and Hoffa to confirm their search results, he drove from Harrisburg, Pennsylvania to Kozikowski's residence in Allegheny County, Pennsylvania. (5/24/2012 Tr. at 25-26; 10/15/12 Tr. at 47-48.)

32. Erdely called Craig Haller, an Assistant United States Attorney ("Haller"), to determine whether it was appropriate to use a program called MoocherhunterTM to locate

geographically the computer assigned the 114 IP address. (5/24/2012 Tr. at 25-26.) After Erdely called Haller, he decided to use MoocherhunterTM to locate the subject computer. (Id.)

33. Erdely had previously received a few minutes of training on the use of MoocherhunterTM by Cpl. Jon Nelson of the PSP.*fn4 (Id. at 32, 70.)

34. Erdely used a free version of MoocherhunterTM, which is available on the manufacturer's website. (5/24/2012 Tr. at 32-34, 83; Gov't's Ex. 1.)

35. According to the manufacturer's website:

MoocherhunterTM is a free mobile tracking software tool for the real-time on-thefly geo-location of wireless moochers, hackers and users of wireless networks for objectionable purposes (e.g. paedophile activity, illegal file downloading, illegal music/video sharing, etc.)" . . .

MoocherhunterTM identifies the location of an 802.11-based wireless moocher or hacker by the traffic they send across the network. If they want to mooch from you or use your wireless network for illegal purposes (e.g. warez downloading or illegal filesharing), then they have no choice but to reveal themselves by sending traffic across in order to accomplish their objectives. MoocherhunterTM enables the owner of the wireless network to detect traffic from this unauthorized wireless client (using either MoocherhunterTM's Passive or Active mode) and enables the owner, armed with a laptop and directional antenna to isolate and track down the source. (5/24/2012 Tr. at 33; Gov't's Ex. 1.)*fn5

36. MoocherhunterTM has an active mode and a passive mode. At all times during his investigation, Erdely used MoocherhunterTM in the passive mode. In the passive mode, the user of MoocherhunterTM enters the MAC address of a wireless router that is connected to a wireless device and traces the signal of that wireless device from the wireless router back to its source. In active mode, the user of MoocherhunterTM searches for wireless routers to determine whether the wireless device being searched for is connected to that wireless router. Once the MoocherhunterTM connects to a wireless router, it can trace the signal of any wireless devices, e.g. computers, connected to that wireless router. In either mode, the wireless device, e.g. a computer, must be connected to a wireless router for MoocherhunterTM to be able to trace the signal of the wireless device. (10/15/12 Tr. at 23, 25-26.)

37. The ability of MoocherhunterTM to trace a signal of a wireless device, such as a computer, back to the wireless device is dependent upon a connection between the wireless device and the wireless router. MoocherhunterTM cannot cause a computer to send a signal that it is not otherwise already emitting. If the person accessing Kozikowski's wireless router with the 95 MAC address had terminated his connection with the wireless router, MoocherhunterTM could not have located the origin of that signal. (Id. at 24.)

38. Erdely arrived at the Kozikowski residence during the evening of January 19, 2011. (5/24/2012 Tr. at 30.)

39. To use MoocherhunterTM, Erdely downloaded the MoocherhunterTM software to his laptop, connected a directional antenna to his laptop, and used a USB wireless card to connect to Kozikowski's wireless router. (5/24/2012 Tr. at 81; Gov't's Ex. 1.)

40. Erdely knew the MAC address of Kozikowski's wireless router's MAC address. This information enabled him to identify Kozikowski's wireless router with MoocherhunterTM and trace the 95 MAC address that was connected to Kozikowski's router to its origin -- Stanley's computer. (10/15/12 Tr. at 23.)

41. To track the signal, Erdely pointed the directional antenna at Kozikowski's wireless router in Kozikowski's home and found the signal of the 95 MAC address. Erdely began to follow the signal from Kozikowski's wireless router to the source of the signal, i.e. the computer assigned the 114 IP address. (5/24/2012 Tr. at 62-63, 88-89.)

42. The MoocherhunterTM provides a reading that indicates how close the user of the software is to the source of a signal, with 100 being the highest possible reading. Erdely followed the signal from Kozikowski's wireless router and ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.