One of the leading sources of child pornography prosecutions is law enforcement investigation of activity on peer-to-peer (P2P) networks. In recent months, however, serious questions have been raised about the data collection methods officers use to identify possible suspects. Many of those questions center on a somewhat shadowy Florida corporation that has developed software designed to automate P2P searches for child pornography.
BASIC OPERATION OF PEER-TO-PEER NETWORKS
During the early days of the computer industry, the distribution of information was dominated by the still-popular client-server model. A central server stored information and distributed it to individual clients (either workstations or personal computers) upon request. In this approach, client computers could not speak directly to each other, but had to do so through the server.
With the popularization of the Internet in 1993-94, it became possible to create a new type of distribution architecture, called peer-to-peer. The concept underlying P2P is that each computer on the P2P network can operate both as a client (i.e., a requester of information) and as a server (i.e., a distributor of information). The first widely popular example of this concept was the music-sharing service Napster, although it crashed on the legal shoals of copyright due to a critical design flaw (the music itself lived on users' machines, but the service maintained a central index of the files being shared, which put the company in the middle of every exchange).
After a user installs the client software, he or she can search for files being shared by other users of the P2P network. There are a lot of technical issues that arise with respect to P2P searching, downloading, and sharing, but for the purposes of this lecture, the key issue is the role of hash values. Cryptographic hash values are integral to the operation of P2P networks. Both Gnutella (which uses SHA-1) and eDonkey (which uses MD4, the precursor to MD5, applied to the file in fixed-size parts) use hash values to verify that multiple copies of a file are in fact identical. The hash identifies the file's contents, not its name: two files with the same bytes hash identically whatever they are called, and a copy that differs by a single bit gets an entirely different hash. By relying on this, the P2P networks make it possible for a user to download pieces of a particular file from multiple locations, since the network has a very high degree of confidence that each location is offering exactly the same file.
When a user sees a file name of interest and initiates the download process, the first thing the client software does is record the hash value of the complete file on the user’s computer. As the pieces of the requested file are downloaded, they are stored in a temporary folder, usually called “Incomplete.” Once all of the pieces of the file have been downloaded and reassembled, the client software calculates the cryptographic hash value of the result and compares it to the recorded hash value; assuming a match, the default behavior is for the file to move to the “Shared” directory, where it is available for downloading by others on the same P2P network. (A user can change where successfully downloaded files are stored, and whether those files are in fact re-shared.)
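The following is an added example, not code from the lecture or from any P2P client, showing in working Python what the two preceding paragraphs describe: a Gnutella-style SHA-1 URN and an eDonkey-style MD4 part hash computed over the same bytes, two differently named copies hashing identically, a one-bit change producing a different hash, and the check a client performs when the last piece of a download arrives. MD4 is implemented here in pure Python (per RFC 1320) because many OpenSSL 3 builds no longer expose it through hashlib; the sample files, the piece size and the small eDonkey part size passed to ed2k_hash() are constructed for the demonstration (real eDonkey parts are 9,728,000 bytes).

```python
"""Added example: file identity by hash in Gnutella and eDonkey, and the
verification step a client performs on a reassembled download."""
import base64
import hashlib
import struct

MASK32 = 0xFFFFFFFF
ED2K_CHUNK = 9_728_000  # real eDonkey/eMule part size in bytes


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK32


def _md4_block(state, block):
    """One MD4 compression (RFC 1320) over a 64-byte block."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for i, s in zip(range(16), [3, 7, 11, 19] * 4):
        a = _rotl((a + F(b, c, d) + X[i]) & MASK32, s)
        a, b, c, d = d, a, b, c
    for i, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                    [3, 5, 9, 13] * 4):
        a = _rotl((a + G(b, c, d) + X[i] + 0x5A827999) & MASK32, s)
        a, b, c, d = d, a, b, c
    for i, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                    [3, 9, 11, 15] * 4):
        a = _rotl((a + H(b, c, d) + X[i] + 0x6ED9EBA1) & MASK32, s)
        a, b, c, d = d, a, b, c
    return [(s0 + v) & MASK32 for s0, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest of `data` (pure Python, RFC 1320 padding)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def ed2k_hash(data: bytes, chunk: int = ED2K_CHUNK) -> str:
    """eDonkey file hash: MD4 of each part, then MD4 of the concatenated
    part hashes. A file shorter than one part is hashed directly. `chunk`
    is a parameter only so the example can run on small constructed data."""
    if len(data) < chunk:
        return md4(data).hex()
    parts = [md4(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    if len(data) % chunk == 0:
        # eMule convention: an exact multiple of the part size gets a trailing
        # empty part (older clients omitted it, so two hashes exist for such files).
        parts.append(md4(b""))
    return md4(b"".join(parts)).hex()


def gnutella_urn(data: bytes) -> str:
    """Gnutella identifies a file by its SHA-1, base32-encoded as a URN."""
    return "urn:sha1:" + base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")


def verify_download(expected_urn: str, pieces: list) -> bool:
    """What the client does when the last piece arrives: reassemble the
    pieces and compare against the hash recorded when the download began."""
    return gnutella_urn(b"".join(pieces)) == expected_urn


# Constructed sample "files": the same 10,240 bytes as seen under two names,
# plus a copy with one flipped bit.
ORIGINAL = bytes(range(256)) * 40
CORRUPT = ORIGINAL[:5000] + bytes([ORIGINAL[5000] ^ 0x01]) + ORIGINAL[5001:]


def demo():
    urn_a = gnutella_urn(ORIGINAL)   # "holiday.avi" on peer A (constructed)
    urn_b = gnutella_urn(ORIGINAL)   # "vid_001.avi" on peer B (constructed)
    urn_c = gnutella_urn(CORRUPT)    # same name as A, one bit differs
    pieces = [ORIGINAL[:5120], ORIGINAL[5120:]]  # first half from A, rest from B
    return {
        "same_content_same_urn": urn_a == urn_b,
        "one_bit_changes_urn": urn_a != urn_c,
        "ed2k_same": ed2k_hash(ORIGINAL, chunk=4096) == ed2k_hash(ORIGINAL, chunk=4096),
        "ed2k_differs": ed2k_hash(ORIGINAL, chunk=4096) != ed2k_hash(CORRUPT, chunk=4096),
        "reassembled_ok": verify_download(urn_a, pieces),
        "truncated_verifies": verify_download(urn_a, pieces[:1]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last entry is the point that matters for the rest of this lecture: a download that stops after the first piece never passes the whole-file hash check, so the client never moves it to "Shared" on the strength of that check.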
AUTOMATING THE SEARCH PROCESS
It didn’t take law enforcement long to realize that contraband images were being shared on P2P networks, and that they could conduct their own searches for downloaders and distributors of child pornography (CP). If they identified a CP image, they could then view the IP address of each person offering to share that file, and use the IP address to determine the subscriber and real-world location of the device in question (an IP address identifies a subscriber’s connection at a given time, not necessarily the person who used it).
Given the number of P2P network users (at its height, LimeWire alone had over 40 million users) and the volume of content available, this was obviously a time-consuming process. So, not surprisingly, someone decided to assist law enforcement by automating the search for child pornography distributors on P2P networks.
That someone was a man named William Wiltse. In 2008, Wiltse and Flint Waters, a special agent with the Wyoming Internet Crimes Against Children task force, collaborated on a program called Peer Spectre. That same summer, Wiltse conducted a seminar at the 2008 Crimes Against Children Conference in Dallas, TX, in which he promised to educate attendees on “how high numbers of leads are currently being generated in P2P undercover operations using ‘Peer Spectre’. Investigators will then learn how to use the automated tool ‘GnuWatch’ to download leads in their own jurisdiction and establish probable cause with minimal effort.”
Wiltse is currently listed as the Security Director of Law Enforcement Systems for TLO, LLC, a Florida company based in Boca Raton. The company was incorporated in 2009 but in May 2013 filed for voluntary reorganization in the U.S. Bankruptcy Court for the Southern District of Florida. On September 30, 2013, the South Florida Business Journal reported that the company is currently the subject of a bidding war among various investors.
GROWING DEFENSE OBJECTIONS TO SEARCH AUTOMATION
Over the last five years, TLO has made Peer Spectre and GnuWatch available without charge to law enforcement organizations around the world to assist in P2P investigations. However, as Wiltse has stated in various legal proceedings, the source code of Peer Spectre is proprietary and has not been made available to any governmental agency or criminal defendant for review or testing.
There is a growing number of questions about the operation of Peer Spectre and about investigators’ reliance on its results, particularly in preparing search warrant applications and affidavits.
Even though the precise details of the program’s operation are secret, the basic concept of Peer Spectre is not complicated: using pre-programmed search terms closely identified with child pornography, and a database of hash values of known CP images, the Peer Spectre software seeks out shared folders on the Gnutella P2P network that contain child pornography. When a hash value match is made, Peer Spectre records the date, the time, and the IP address of the device that is offering the CP. The information collected by Peer Spectre is then logged in a secure, online database that is part of a TLO program
One of the leading concerns regarding the operation of Peer Spectre is that investigators use it to infer possession of CP when no such possession actually occurred. This concern arises out of the fact that P2P clients retrieve the hash value of a requested file before the file is fully downloaded. As each chunk of a requested file is downloaded and verified (Gnutella clients check an individual chunk against a Tiger tree hash obtained with the file, since the whole-file SHA-1 can only be checked once every byte is present), that chunk is automatically “advertised” as available for sharing on the P2P network under the same SHA-1 hash value as the full file. But a variety of circumstances can prevent the full download of the file: the computer may be turned off, the network connection may be interrupted, the user could cancel the download, etc.
Thus, it is not only possible but likely that Peer Spectre has registered some unknown number of IP addresses as offering to share CP when the user in question was never actually in possession of CP.
A closely related concern is that law enforcement officers do not necessarily verify possession. In theory, they could do so by conducting real-time investigations and actually downloading the suspicious files or known CP that individuals are offering to share. But, as noted earlier, that approach is time-consuming.
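To make the two preceding concerns concrete, here is an added example in Python; it is not code from the lecture, from Peer Spectre, or from any TLO product, and its peers, IP addresses (RFC 5737 documentation addresses) and piece size are all constructed. It models a Gnutella-style peer that answers a query for a file’s SHA-1 URN as soon as it holds any verified piece of it, and contrasts two ways a monitoring tool can treat that answer: logging every responding IP address as “offering” the file, or actually retrieving every piece from that one peer and checking the reassembled bytes against the hash, which is the verification step described above.

```python
"""Added example: partial-file advertisement versus verified possession.
Everything here is constructed for illustration."""
import base64
import hashlib

PIECE = 4096  # constructed piece size; real clients use larger ranges


def sha1_urn(data: bytes) -> str:
    return "urn:sha1:" + base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")


class Peer:
    """A downloading peer. `have` holds the indexes of pieces received so far."""

    def __init__(self, ip, urn, total_pieces, have):
        self.ip, self.urn, self.total_pieces = ip, urn, total_pieces
        self.have = set(have)
        self.pieces = {}  # index -> bytes, filled in by build_scenario()

    def advertises(self):
        """Partial-file sharing: a peer with any piece answers a query for
        this URN with the ranges it holds, under the full file's hash."""
        if not self.have:
            return None
        return {"ip": self.ip, "urn": self.urn,
                "complete": len(self.have) == self.total_pieces,
                "ranges": sorted(self.have)}

    def serve(self, index):
        return self.pieces.get(index)


def naive_monitor(peers):
    """Record every peer that answers a query for the target hash as
    'offering' the file. An answer shows the peer advertised the hash; it
    does not show the peer holds the whole file."""
    return [p.advertises()["ip"] for p in peers if p.advertises()]


def verifying_monitor(peers, target_urn, total_pieces):
    """Download the file from each peer alone and check the reassembled
    bytes against the target hash. Only a peer that can supply every piece,
    and whose bytes hash to the URN, is recorded."""
    verified = []
    for p in peers:
        pieces = [p.serve(i) for i in range(total_pieces)]
        if any(x is None for x in pieces):
            continue  # peer cannot supply the whole file
        if sha1_urn(b"".join(pieces)) == target_urn:
            verified.append(p.ip)
    return verified


def build_scenario():
    file_bytes = bytes(range(256)) * 160  # 40,960 constructed bytes -> 10 pieces
    n = len(file_bytes) // PIECE
    urn = sha1_urn(file_bytes)
    chunks = [file_bytes[i * PIECE:(i + 1) * PIECE] for i in range(n)]
    peers = [
        Peer("192.0.2.10", urn, n, range(n)),  # holds the complete file
        Peer("192.0.2.20", urn, n, [0, 1]),    # download cancelled at 20%
        Peer("192.0.2.30", urn, n, []),        # queued, nothing received yet
    ]
    for p in peers:
        p.pieces = {i: chunks[i] for i in p.have}
    return peers, urn, n


def compare_monitors():
    peers, urn, n = build_scenario()
    return {"naive": naive_monitor(peers),
            "verified": verifying_monitor(peers, urn, n)}


if __name__ == "__main__":
    print(compare_monitors())
```

The naive monitor lists both 192.0.2.10 and 192.0.2.20, because the peer that stopped at 20% still answers queries for the hash; the verifying monitor lists only 192.0.2.10, the one peer that could actually deliver a file matching the hash. Note what the verifying path does not do: it never substitutes a download from some other peer that advertises the same hash, because that establishes only what the other peer holds.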
Instead, search warrant affidavits increasingly indicate that investigators are relying on the data generated by Peer Spectre and other automated programs. For instance, in one recent case on which I am currently working, the officer averred that “[o]n November 21, 2012 I conducted undercover operations on the eDonkey network. I noted that on multiple dates an individual utilizing the IP Address 75.69.66.217 was possessing and/or offering to distribute in whole or in part digital files containing known child pornography. I was able to view two of the digital files and I verified the files depict what appears to be child pornography.”
The “undercover operations” referred to by the officer means that he reviewed data stored in the Child Protection System created and maintained by TLO (which is not mentioned in the affidavit). As he later notes, he did not actually view the two alleged files of child pornography on the defendant’s computer system; instead, he used the hash values of the files flagged by the automated search software (a program called Nordic Mule is used to monitor the eDonkey network) to locate the same files on a different computer, and viewed them there. A hash match of that kind establishes that the bytes on the other computer are the same bytes the system recorded the defendant’s client as advertising; it says nothing about how much of the file ever reached the defendant’s disk. So while it may be true that the defendant initiated a download of a known CP image on the date recorded in the Child Protection System, that does not mean that he or she actually possessed it.
A third issue worth considering is whether law enforcement affidavits that omit any mention of Peer Spectre, Nordic Mule, the Child Protection System, or TLO are providing full and accurate information to a judge or magistrate. The phrasing of these affidavits tends to suggest real-time investigation, but that is often not the case. Moreover, omission of these key players in the investigative process makes it more difficult for defendants to challenge the adequacy of probable cause.
A handful of cases around the United States are pursuing these issues in detail, and I will be updating my work in this area as developments arise.
ABOUT THE AUTHOR
I am an attorney, author, and expert witness in the field of computer forensics. I have been working with computers – particularly personal computers – for thirty years, and have worked as a computer forensics expert since 1999. During that time, I have assisted attorneys and their clients across the country in the investigation and defense of a wide range of cases, including embezzlement, domestic relations, obscenity, child pornography, and first-degree murder. I have been retained as a consulting expert in nearly 100 child pornography cases, and was recently accepted as an expert by the Defense Office of Hearings and Appeals (a branch of the DOD Defense Legal Services Agency) in the methodology and technology used to create, distribute, and acquire child pornography.
In addition to my consulting work, I have been invited to lecture numerous times over the past twenty years to a variety of attorney groups and public defender organizations (both federal and state) on topics ranging from peer-to-peer networks to the basics of computer forensics. Additional information about my work can be found on my main computer forensics Web site, www.ComputerForensicsDigest.com. I also operate a blog about CP and technology issues, which you can read at www.CPCaseDigest.com.