1 1 UNITED STATES DISTRICT COURT WESTERN DISTRICT OF WASHINGTON AT TACOMA 2 3 4 UNITED STATES OF AMERICA, 5 Plaintiff, 6 vs. 7 DAVID TIPPENS, 8 9 10 11 12 13 Defendant. UNITED STATES OF AMERICA, Plaintiff, vs. GERALD LESAN, Defendant. 14 15 UNITED STATES OF AMERICA, 16 Plaintiff, 17 vs. 18 BRUCE LORENTE, 19 20 21 22 23 24 25 Defendant. ) ) ) ) ) ) ) ) ) ) Docket No. CR16-5110RJB ) ) ) ) ) ) ) ) ) ) Docket No. CR15-387RJB ) ) ) ) ) ) ) ) ) ) Docket No. CR15-274RJB Tacoma, Washington October 31, 2016 TRANSCRIPT OF EVIDENTIARY HEARING BEFORE THE HONORABLE ROBERT J. BRYAN SENIOR UNITED STATES DISTRICT COURT JUDGE Court Reporter: Teri Hendrix Union Station Courthouse, Rm 3130 1717 Pacific Avenue Tacoma, Washington 98402 (253) 882-3831 Proceedings recorded by mechanical stenography, transcript produced by Reporter on computer. Teri Hendrix, RMR, CRR - Official Court Reporter 2 1 2 3 APPEARANCES: For the Plaintiff: 4 5 KEITH BECKER U.S. Department of Justice 1400 New York Avenue NW, 6th Floor Washington, DC 20530 6 7 8 For Defendant Tippens: COLIN FIEMAN Office of the Public Defender 1331 Broadway, Suite 400 Tacoma, Washington 98402 For Defendant Lesan: ROBERT W. GOLDSMITH Law Office of Robert W. Goldsmith 702 2nd Avenue Seattle, Washington 98104 For Defendant Lorente: MOHAMMAD ALI HAMOUDI Office of the Public Defender 1601 5th Avenue, Suite 700 Seattle, Washington 98101 9 10 11 12 13 14 MATTHEW HAMPTON Assistant United States Attorney 700 Stewart Street, Suite 5220 Seattle, Washington 98101-1271 15 16 17 18 19 20 21 22 23 24 25 Teri Hendrix, RMR, CRR - Official Court Reporter 3 1 T A B L E 2 3 4 5 6 7 O F C O N T E N T S October 31, 2016 TESTIMONY PAGE BRIAN LEVINE Direct Examination By Mr. Becker............... 13 Cross-Examination By Mr. Fieman................ 43 Redirect Examination By Mr. Becker............. 88 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Teri Hendrix, RMR, CRR - Official Court Reporter 4 1 Monday, October 31, 2016 - 9:30 a.m. 2 (Defendants present.) 3 THE CLERK: All rise. The United States District 4 Court is now in session, the Honorable Robert J. Bryan 5 presiding. 6 THE COURT: Please be seated. Good morning. Okay. 7 This is the time set for hearing motions in three combined 8 cause numbers: 9 Lesan and Bruce Lorente. 10 United States versus David Tippens, Gerald 15-0387 and 15-0274. 11 I understand the defendants are all present, counsel? 12 MR. FIEMAN: 13 THE COURT: 14 Those are Cause Nos. 16-5110, Yes, Your Honor. Their lawyers, Mr. Fieman, Mr. Goldsmith and Mr. Hamoudi, are present for the defendants. 15 For the government are Mr. Hampton and Mr. Becker. 16 MR. HAMPTON: 17 THE COURT: Good morning, Your Honor. There are a couple of preliminary 18 matters. 19 Michaud case at this point. 20 First, I wanted to find out the status of the MR. HAMPTON: Your Honor, the government has filed a 21 motion to extend the briefing schedule. 22 the Ninth Circuit has acted on that as yet. 23 ECF. 24 25 I don't believe that I haven't seen an Mr. Fieman, is that correct? MR. FIEMAN: That's correct, Your Honor. That second request for an extension was over my objection, and we are Teri Hendrix, RMR, CRR - Official Court Reporter 5 1 waiting to hear from the Ninth Circuit whether they will grant 2 a new scheduling order. 3 THE COURT: Okay. In regard to Michaud, I don't know 4 who I told, whether I told counsel or whether it was in my 5 chambers, but it seems to me that Michaud is basically a dead 6 issue. 7 have jurisdiction to do anything, and the information on the 8 motions that are now before the Court on these cases are 9 somewhat different, with different information, different As long as the notice of appeal is pending, I don't 10 affidavits and different briefing, as well as all the briefing 11 that's been filed by various judges around the country on the 12 same issues. 13 So it appears to me that my role is to start all over in 14 this and take it as it comes. 15 have recall of what happened there, and the record of what 16 happened there is the record. 17 That's not to say that I don't I don't know how you propose to proceed today. There is 18 the proposed motion -- or the motion for a pretrial 19 conference. 20 there might be a response, and there was. 21 documents. 22 the simple reason that I am not sure that it was necessary at 23 this point in this case because, of course, I don't know what 24 the government may want to show at such a hearing. 25 I delayed signing that because I anticipated that I have read those I have not signed the order setting that up for But it also crossed my mind that if it was the same Teri Hendrix, RMR, CRR - Official Court Reporter 6 1 information that was presented in Michaud, there's no reason 2 to present it again, but if there's something new that's 3 critical to the motions here, then we can proceed with that. 4 MR. BECKER: Thank you, Your Honor. Your Honor, it 5 is not the same information as was presented in Michaud. 6 There are some critical new pieces of information, 7 particularly the pieces of information that have triggered the 8 filings coming under the Classified Information Procedures 9 Act, and so we would maintain that the Court would -- we'd 10 still maintain our request that the Court review this new 11 material. 12 THE COURT: There are three motions pending here. 13 Does that hearing have to do with one or more of those 14 motions? 15 MR. BECKER: It pertains to the motion to exclude 16 evidence because it relates to information that has not been 17 produced to the defense that they have requested in discovery. 18 THE COURT: 19 MR. BECKER: And at what point should we do that? Your Honor, we can be prepared to 20 present those materials today during a break. We'd need some 21 lead time because they have to be couriered down here from the 22 FBI, but we can make them available for Court review today. 23 And then if the Court were to grant our motion to appoint a 24 classified information security officer, that individual would 25 then be responsible to contact you to provide the documents Teri Hendrix, RMR, CRR - Official Court Reporter 7 1 whenever you needed to review them again and ensuring their 2 security. 3 That person hasn't been appointed yet, and so today we are 4 prepared to show Your Honor the documents. 5 them back. We'd have to take 6 THE COURT: When is Barry available? 7 THE CLERK: He's not available 1:30 to 2:30, but he's 8 available the rest of the day. 9 THE COURT: 10 MR. BECKER: 11 THE COURT: 12 MR. FIEMAN: Could we set that for like 2:30? Yes, we can do that. Does that make sense? Your Honor, if I may be heard briefly on 13 that. 14 government's pleadings is that there would be three areas that 15 are potentially, or are in fact classified. 16 the security risks that would arise from disclosure of the NIT 17 code. 18 being submitted to the Court would be the same as in Michaud 19 and if it's not, I would appreciate knowing that on the 20 record. 21 To request clarification, my understanding from the One relates to I believe from my pleadings that that aspect of what's The other two aspects -- and again, it's just my 22 understanding -- relate to the VEP review and witness 23 identities, and those areas would be new. 24 not addressed in Michaud, so if we could just clarify whether 25 the NIT code presentation that is going to be presented, Those issues were Teri Hendrix, RMR, CRR - Official Court Reporter 8 1 apparently ex parte, is the same, that would be helpful. 2 THE COURT: 3 MR. BECKER: Okay. Your Honor, I am somewhat limited in 4 what I can state in open court given the sort of issue that we 5 are discussing. 6 status regarding information which led the government to make 7 a CIPA filing, which we did not do in Michaud. 8 that's the easiest way for me to answer that question. 9 10 11 12 13 14 15 Again, as I said, there's been a change in THE COURT: So I think I have signed the order, and we'll plan on that at 2:30. MR. FIEMAN: Thank you, Your Honor. I don't think I need to note my objections in the pleadings; is that correct? THE COURT: I have your pleadings on that, that I have read. MR. BECKER: Judge, there's one issue that I wanted 16 to raise with respect to the defense pleadings regarding the 17 Classified Information Procedures Act. 18 pleading, they suggested that the government was invoking the 19 state secrets privilege and that that would require a 20 certification by a head of agency. In the defense 21 We are not invoking the state secrets privilege. 22 would relate to civil issues rather than criminal issues. 23 are operating pursuant to the Classified Information 24 Procedures Act, and we are prepared to present additional 25 briefing on that discreet issue which we think would be Teri Hendrix, RMR, CRR - Official Court Reporter That We 9 1 2 important, if necessary. So if the Court were going to determine that there would 3 be some requirement of a head of agency to certify 4 classification of data, we would ask to be able to present 5 briefing on that issue. 6 THE COURT: Okay. Here's the order on that, and 7 we'll plan on that at 2:30. 8 to reread the briefing you filed on it and the act itself, 9 which I know has been in some dispute at times. 10 That will give me an opportunity Now, we have three motions pending from all three 11 defendants. 12 was a Motion to Exclude Evidence. 13 32, and that's a Motion to Dismiss Indictment. 14 motion in order of filing was the Motion to Suppress Evidence 15 in docket 35. 16 The first, in order of filing, is docket 31 which The second motion is docket The third I have read all your pleadings at least once and mostly 17 twice, and I don't know how you wish to proceed on these 18 motions, in what order you want to take them or how you want 19 to proceed on them. 20 MR. FIEMAN: As I understand today, the government 21 has one witness, Your Honor. Professor Levine is here, I 22 guess to either explain or supplement his declaration. 23 not planning at this point to call any witnesses, potentially 24 one rebuttal witness. 25 the motion to exclude. We are That, of course, would all relate to Teri Hendrix, RMR, CRR - Official Court Reporter 10 1 The defense believes that all of the facts and evidence 2 that the Court needs to decide the motion to suppress and also 3 the Franks motion folded in there, as well as the motion to 4 exclude, is already all before the Court in terms of the 5 exhibits and declarations that have been submitted. 6 So that would leave just one witness, is my understanding, 7 from the government on the motion to exclude and discovery 8 issues. 9 10 11 THE COURT: Are you all suggesting we take the motion to exclude first? MR. FIEMAN: Your Honor, what I would anticipate as 12 maybe being workable is for them to offer their witness, take 13 the testimony on that and then, subject to your review of the 14 classified records, we would then be prepared to argue all of 15 the issues in one argument together. 16 THE COURT: Mr. Becker, Mr. Hampton? 17 MR. BECKER: 18 THE COURT: 19 MR. GOLDSMITH: Your Honor, we think that's workable. Okay. Could I just add one thing, just for 20 the record? On behalf of all three defendants, any time Mr. 21 Fieman speaks, we are joining into all of his objections and 22 arguments, just so that the record is clear, Your Honor. 23 THE COURT: I understand. 24 MR. HAMOUDI: 25 THE COURT: Thank you, Your Honor. Now, on this motion to exclude, my law Teri Hendrix, RMR, CRR - Official Court Reporter 11 1 clerk pointed out to me that he wasn't sure here in the record 2 that in these cases a specific discovery request has been 3 made, that the government has not responded to, that responds 4 to this motion. 5 MR. FIEMAN: If I may clarify, Your Honor. Certainly 6 what we noted in our initial motion to exclude pleading was 7 that we had made a request to the government for disclosure of 8 all the NIT components, most clearly laid out in Vlad 9 Tsyrklevich's declaration which was submitted as an exhibit to 10 our motion to exclude docket 31 and -- 11 12 THE COURT: You think that preliminary matter is part of the record? 13 MR. FIEMAN: Yes, Your Honor. And my understanding 14 is that the government has declined, as in Michaud, to provide 15 that discovery, with one development noted in our pleading 16 from last Wednesday. 17 all codes related to the identifiers now. 18 MR. HAMPTON: Apparently, we will be getting some or Your Honor, as to the unique 19 identifiers code, we have provided that, so that has been 20 provided. 21 to make available the pay load component. 22 understood, but just to make sure we are clear on that as 23 well. 24 25 We have also provided, as we have, and are willing MR. FIEMAN: clear. I think that's Well, if I can make sure the record is The payload component that was provided is the one Teri Hendrix, RMR, CRR - Official Court Reporter 12 1 that is referenced in Mr. Tsyrklevich's declaration. 2 not received any additional code. 3 We have Our understanding -- again based on that declaration and 4 some other information that we will develop through Professor 5 Levine -- that was a partial payload or partial code, so we 6 are contending there's still a complete payload that's 7 missing, but they did provide some payload code just -- 8 nothing has been provided since the Michaud ruling except the 9 identifier issue. 10 11 12 THE COURT: Now, does either side wish to make any opening comments before we hear testimony? MR. HAMPTON: Your Honor, I apologize. I want to 13 confirm one thing. 14 realize that's a matter for the Court, and we will resolve 15 that, but we believe we have provided or are willing to make 16 available the full payload. 17 We do disagree with that assessment. I I neglected to mention that we also made available the 18 network packet traces for each of the three defendants' 19 interactions with the FBI. 20 declined to examine those, but they are available, and I just 21 want that on the record. 22 23 24 25 THE COURT: So the defense has thus far Do you wish to make any other comments before we start? MR. FIEMAN: No, thank you, Your Honor. I think that clarifies the record where we disagree about it. Teri Hendrix, RMR, CRR - Official Court Reporter 13 1 THE COURT: 2 MR. BECKER: 3 THE COURT: At this time, the government calls Brian If you'll raise your right hand and be sworn. 6 BRIAN LEVINE, called as a witness, duly sworn. 7 8 You may call your witness. Levine. 4 5 All right. THE COURT: Please be seated. Let me ask you to speak right into the mike and keep your voice up, please. 9 MR. BECKER: Your Honor, if I can just have a brief 10 moment to set the computer up. 11 we are not publishing the computer now. 12 THE CLERK: 13 MR. BECKER: 14 THE COURT: 15 BY MR. BECKER: 16 Could I ask the Court staff, You wanted it unpublished? Yes. Thank you. Okay. May I inquire, Your Honor? DIRECT EXAMINATION 17 BY MR. BECKER: 18 Q. 19 for the record? 20 A. My name is Brian Levine, B-r-i-a-n 21 Q. What do you do for a living? 22 A. I am currently a professor in the College of Information 23 and Computer Sciences at the University of Massachusetts, 24 Amherst. 25 professor. Sir, can you start by stating and spelling your full name L-e-v-i-n-e. I joined the faculty in 1999 as an assistant I was granted tenure in 2005. I was promoted to Teri Hendrix, RMR, CRR - Official Court Reporter 14 1 professor -- full professor, as they say, in 2010 and I have 2 continued there. 3 Institute at UMass, Amherst, and I have various functions as a 4 professor there. 5 Q. 6 professor at UMass, Amherst? 7 A. So for how long in total have you been working as a Since 1999. 8 9 I am also the director of the Cyber Security THE COURT: Counsel, I have read his CV and his report. 10 MR. BECKER: Your Honor, we'll just briefly go 11 through his credentials. 12 BY MR. BECKER: 13 Q. What do your current duties include? 14 A. As a professor as UMass, Amherst, my duties include 15 research. 16 often graduate students seeking a Master's or Ph.D. degree. 17 That research, as a brief summary, relates to digital 18 forensics, forensic investigation, crimes against children on 19 the internet, networks, network security and so on, as 20 detailed in the declaration that I submitted. 21 My research typically involves undergrads, but more In terms of teaching, I teach a variety of classes also 22 listed in the declaration, including digital forensics, 23 computer networks, security at the graduate and undergraduate 24 level and so on. 25 lead conferences where we -- and workshops -- where we review As a service component of my job, I often Teri Hendrix, RMR, CRR - Official Court Reporter 15 1 papers submitted for review by peers. I'm one of the peers, 2 so to speak. 3 Q. 4 and similar publications? 5 A. 6 started publishing in peer review conferences and their 7 relative venues, and I published something like 80 peer 8 reviewed papers on the topics that I mentioned. 9 Q. Have you personally been published in peer review journals Yes. Since the time I started as a graduate student, I Other than your work as a professor, what other sort of 10 employment have you had in your field? 11 A. 12 after graduation, I worked at various places, and also during 13 a year-long sabbatical, so I worked at what's called Bell 14 Labs -- it used to be owned by Lucent when I worked there -- 15 Intel research labs, Sprint research labs. 16 a local company in Massachusetts working on Internet 17 advertising, for example. 18 Q. Can you describe your educational background? 19 A. I received my bachelor's of science in applied math and 20 computer science from the University of Albany. 21 went to graduate school and received a master's and Ph.D. in 22 computer engineering. 23 and how groups of people can use the internet to communicate. 24 Q. 25 current? Both as a -- during my time as a graduate student and I spent a year at From there, I My dissertation focused on the internet How are you able to keep your skills and knowledge Teri Hendrix, RMR, CRR - Official Court Reporter 16 1 A. 2 maintain the material to be current with state of the art, but 3 certainly working on research papers, my goal is to advance 4 that state-of-the-art and in writing those papers I have to 5 reference, of course, related work. 6 Well, teaching. Certainly, the classes I teach I always And as I mentioned before, leading peer review panels or 7 even serving on peer review panels keeps me informed on the 8 latest work, even perhaps prior to its publication. 9 Q. Have you specifically been involved in researching work 10 related to child pornography dissemination over the internet? 11 A. 12 and various aspects of it. 13 various agencies in the United States government to work on 14 these topics. 15 solicitation from the National Institute of Justice to work on 16 novel methods and tools that can be deployed across the nation 17 to investigate Internet-based crimes against children. 18 Yes. I have a number of publications that relate to that Since 2008, I have been funded by I was first -- I first responded to a public From there, I received funding from various agencies, 19 including the National Science Foundation. Currently, I am 20 funded by the Federal Bureau of Investigation to research and 21 deploy tools on these types of crimes. 22 Q. 23 investigation of the Playpen website? 24 A. 25 I was not involved in that operation. Now, to be clear, did you have any involvement in the Not at all. I was not involved. Our tools were not used. Teri Hendrix, RMR, CRR - Official Court Reporter 17 1 Q. Did you have any involvement in the development or 2 deployment of any network investigative technique related to 3 the Playpen website? 4 A. Not at all. 5 Q. Are you being paid for your time in connection with 6 preparing your declaration and your testimony today? 7 A. 8 time today. 9 Q. Yes, I am being paid by the U.S. Attorney's Office for my Has any of this work been done pursuant to any contract 10 you have with the FBI? 11 A. Not at all. 12 Q. Professor Levine, I want to ask you if you can describe 13 for the Court, before you prepared your declaration in 14 preparation for your testimony, what documents and information 15 did you review? 16 A. 17 one addition since then, but to briefly summarize what's 18 already in there, I reviewed the expert declarations of the 19 defense team, including Mr. Tsyrklevich, Mr. Young, 20 Professor Miller, Professor Reyzin and Mr. Kasal. 21 So this is also summarized in my declaration, but there is I have also read Special Agent Alfin's affidavit -- or 22 declaration, I should say; various documents related to 23 evidence that was collected that I list more specifically in 24 the declaration I submitted. 25 components that were provided to me. I also looked at the payload I looked at the traces Teri Hendrix, RMR, CRR - Official Court Reporter 18 1 specific to each of the three cases. 2 are three payloads as well, one for each case. 3 I should clarify there I looked at data from the FBI about what was recorded by 4 them as these three cases proceeded. And since my 5 declaration, I was provided with the source code for what the 6 FBI used to generate the identifiers. 7 Q. 8 were provided for review was also made available to the 9 defense team? Is it your understanding that all of the information you 10 A. 11 mentioned. 12 Q. 13 information? 14 A. I did not. 15 Q. Professor Levine, I want to ask you next about some basics 16 of internet communications. 17 in your testimony to use a demonstrative exhibit? 18 A. Yes, it would. 19 Q. Have you -- 20 That's my understanding, including the source code that I Did you review any related exploit or government server MR. BECKER: First of all, would it assist you First of all, Your Honor, if I can 21 approach, I do have a hard copy of that, and we are also going 22 to present it using the computer. 23 For the record, we have marked this as demonstrative 24 Government's Exhibit No. 1. 25 BY MR. BECKER: Teri Hendrix, RMR, CRR - Official Court Reporter 19 1 Q. Professor Levine, do you recognize -- just take a look 2 through the paper. 3 A. I do. 4 Q. Is that the demonstrative exhibit that you prepared? 5 A. Yes, it is. 6 Q. Have you also reviewed a digital copy of that on the 7 laptop in front of you? 8 A. Yes. 9 Q. Are they substantially the same? 10 A. Yes. 11 12 Do you recognize Government Exhibit 1? MR. BECKER: Permission to publish using the electronic version? 13 MR. FIEMAN: I have seen all their exhibits. 14 no objection to any of them. 15 THE COURT: Okay. We have The exhibit may be admitted for 16 illustrative purposes and may be published. 17 BY MR. BECKER: 18 Q. 19 the monitor in front of you? 20 A. I do. 21 Q. Can you just start by explaining -- at a basic level -- a 22 sort of ordinary or standard internet communication between a 23 user and website? 24 A. 25 people experience every day, and that's starting from the Okay. Professor Levine, do you have the first slide on What the slide shows is something that I believe many Teri Hendrix, RMR, CRR - Official Court Reporter 20 1 laptop on the left, their own laptop, they would like to 2 contact some internet website. 3 the right side of the slide, for example, Google or Amazon. 4 Many other websites of course exist. 5 Some examples are presented on So to do that, there's going to be a series of internet 6 protocols that are involved, that ensure that that information 7 gets to its destination, and that process has a useful analogy 8 to the postal system. 9 So if you were to advance one slide. Thank you. So now 10 you can seek this green line that's going from the internet 11 user to the website. 12 this website and receive information back. 13 work? 14 to this postal system analogy. 15 Any particular user will want to contact So how does that There are three protocols involved, and they correspond There will be an envelope that carries a "to" address and 16 a "from" address. 17 the mail carrier or the mail system can't deliver a message 18 unless the destination is specified correctly, and you can't 19 receive a message back from your pen pal to form a 20 communication back and forth unless you included a from 21 address or a source address, as it's called on the internet, 22 on the outside of the envelope. 23 The IP protocol handles that. Similarly, At another level, there will be an analogy to certified 24 mail. There's a protocol in the internet called TCP, or 25 transmission control protocol, and it provides what's called a Teri Hendrix, RMR, CRR - Official Court Reporter 21 1 reliable service to deliver information across the network, 2 and that's again very much like certified mail. 3 Among the things that TCP does is check to make sure that 4 the data maintained its integrity as it traveled across the 5 internet. 6 internet such that the other side can confirm that everything 7 that was numbered was received indeed. 8 by the other side to resend information that is missing due to 9 this numbering, and anything that is received out of order can 10 11 It numbers the information as it goes across the A request can be made be reordered by the other side. Additionally, at the start of TCP, there's a hand shake 12 where one says, are you ready to start communicating, the 13 other side says yes, I am ready to start, and then the other 14 side says yes, let's get going. 15 So then at the end, when all communications are done, each 16 side can say good-bye and say in fact everything that was sent 17 I received, I am all done, I don't need any other 18 transmissions. 19 this happens across the internet per day. 20 or billions, a very common protocol. So this -- I can't tell you how many times It must be millions 21 So then there's the content of the message, which is this 22 HTTP request or web request, and that might be analogous to a 23 request from a merchant to purchase something. 24 are saying is, I would like this website that you provided, 25 and the response will be, here's the website, and that can get Here what we Teri Hendrix, RMR, CRR - Official Court Reporter 22 1 more detailed as the website is larger and so on. 2 So that's standard. The most important thing to note in 3 our context is that when the communication is open, it's sent 4 reliably. 5 destination address but a source address, and the 6 communication goes back and forth, there's the type of 7 communication that that's the person you are talking to. 8 9 The fact that there's an address, not only a Of course, it reveals the IP address, the public addresses that are assigned to both sides, and information is again 10 provided reliably. 11 typical communications on the internet. 12 Q. 13 how communications via the Tor network might differ? 14 A. 15 typical communication using TCP, of course you reveal your IP 16 address to the other side. 17 to the website the IP address of the Tor user -- if you 18 wouldn't mind advancing one more -- and Tor, as represented on 19 the slide, is a collection of volunteers who have put up 20 computers on the internet that accept traffic. 21 So that's standard, what you might call If I can move you to a second slide. Can you illustrate So as I said at the previous slide, at the end of any So Tor was designed to not reveal Here, I put up a sample, nine of them, but the numbers are 22 in the many of thousands, and instead of directly 23 communicating with the website using the standard means I 24 described earlier, the Tor user will relay the information 25 through a series of proxies. So without getting into the Teri Hendrix, RMR, CRR - Official Court Reporter 23 1 extraordinary number of details at the highest level, the Tor 2 user will pick some random three -- and then if you don't mind 3 advancing once more -- and then form a connection to the first 4 one, form a connection to the second one, form a connection to 5 the third one. 6 And again, I am eliminating some details, but essentially 7 this is an encrypted connection, and then you can see there's 8 a red arrow out of the last relay. 9 are that that first relay on the left side of the screen knows 10 the IP address of the Tor user, which is what we are trying to 11 hide from the website. 12 address but, due to the mechanisms in Tor, it does not know 13 the IP address of the Tor user. 14 So some important details The last relay notes the website's IP That last relay on the right side of the screen also does 15 not know the IP address of the first relay because they are 16 not directly connected; there's someone in between. 17 relay does know -- in cases where the connection is 18 non-encrypted -- the contents that the Tor user has sent to 19 the internet website. 20 mechanism in place to secure that content. The last There would have to be some other 21 So if you connect to Amazon securely over Tor, HTTPS, your 22 browser lock turns a different color maybe, then that last Tor 23 relay would not know the contents. 24 just a plain text connection, that last Tor relay would. 25 one limitation here, of course, is that the Tor user knows the But if the connection is Teri Hendrix, RMR, CRR - Official Court Reporter So 24 1 IP address of Amazon, knows the IP address of Google, these 2 web addresses that were provided, and that may not be 3 sufficient in some cases. 4 Q. 5 looking at a Tor user who's accessing a regular website off 6 the internet? 7 A. 8 of anonymity themselves, they are just allowing people to 9 connect to them through Tor. That's because in this scenario, in this slide, we are That's right. It's not a website that's seeking any kind 10 Q. 11 access to a Tor hidden service differs at all in this process? 12 A. 13 of all, in a Tor hidden service -- again, it's the website, 14 for example -- it's the website that would like to maintain 15 its IP address as something that it would not like to reveal 16 to people that visited. 17 more machinery, and there's a few steps involved. 18 If we can move to the next slide, and can you describe how Yes, it differs in a number of important details. First So we are going to need a little bit So the first step is that hidden service, which is really 19 just a web server in this case. 20 random three volunteer relays from the Tor network and, like 21 before, forms a connection out. 22 the real details of Tor here in order to present the high 23 level. 24 25 It finds three or selects at I am going to skip some of But once that's created -- if you don't mind advancing once more -- they will release a document or a file, which I Teri Hendrix, RMR, CRR - Official Court Reporter 25 1 will just call an onion file, to the world, and so that 2 doesn't necessarily go out over the Tor network. 3 email that to their friends. 4 room. 5 file. 6 They might They might announce it in a chat Whatever it is, they announce to the world this onion A Tor user will somehow come in contact with the onion 7 file, and that's important because that onion file contains a 8 secret, and it's a secret about forming an encrypted 9 connection to the hidden service. So with that secret, with 10 that key in place effectively, the Tor user will then create, 11 as before, their own circuit through the seven volunteer Tor 12 relays -- if you don't mind advancing -- again, picking three, 13 and those three bridge together with the original three, and 14 now we have a connection through this Tor network inside the 15 cloud in the diagram. 16 Now, unlike before, we have the advantage that because of 17 the onion file, no one in the middle actually gets to see the 18 plain text, even if that Tor user connects to the hidden 19 service through a standard, unencrypted, plain view protocol. 20 We do have what we had before, the left most relay closest to 21 the Tor user knows its IP address, the right most relay in the 22 diagram knows the IP address of the hidden service, but they 23 don't know each other. 24 the encryption that's used end-to-end would detect that and 25 the packets would be dropped. If they tamper with the traffic, then So I think that summarizes Teri Hendrix, RMR, CRR - Official Court Reporter 26 1 everything. 2 Q. 3 of the network investigative technique would work in this sort 4 of network setup. 5 A. 6 relevant to these cases, and the problem, of course, that it's 7 trying to solve is that from the hidden service's point of 8 view, the IP address of the Tor user is not revealed. 9 network investigative technique, as described and available to Next I want to ask you if you can describe how the process So the network investigative technique obviously is So the 10 me in the documents that I have read, works as follows: 11 FBI will put up a server and then we know -- we all know that 12 the FBI seizes control of the hidden service -- if you don't 13 mind advancing -- and at that point, they will place the NIT 14 as part of the hidden service such that our Tor user who 15 creates a connection using that onion file, all the way 16 through the Tor network as it appears on the slide, will make 17 connection to the Tor hidden service, log in, request a page 18 from the hidden service, and the Tor hidden service will 19 return to them the payload, and the exploit will travel 20 through the Tor network and arrive at the Tor user. 21 I should say -- I should go back. The After the NIT is 22 available on the hidden service but before the Tor -- before 23 the Tor user requests the page, the hidden service -- which is 24 again seized by the FBI -- coordinates with the server to 25 generate and obtain this unique ID. That unique ID is placed Teri Hendrix, RMR, CRR - Official Court Reporter 27 1 in the NIT. 2 the NIT is returned to the Tor user, the exploit is a method 3 of access by which the payload can be executed. 4 It's tailored to this particular visitor and when The payload acquires information from the Tor user -- if 5 you don't mind advancing. 6 -- the ID is really what we are mostly concerned with here -- 7 would be returned outside of Tor. 8 outside of Tor, that ID can be associated with the IP address 9 that appears in the packet sent from that Tor user. 10 That information, which is really So we have a full circle. So because it's returned We have the hidden service, 11 it's waiting for Tor users to come. 12 that's generated, that's embedded in the NIT, the NIT is 13 delivered through the Tor network. 14 access that allows the payload to run. 15 message, which is that unique identifier, most importantly, 16 and that's received by the FBI server. 17 Each user, there's an ID The exploit is a method of The payload sends the The FBI server can confirm that that is indeed a unique ID 18 that is generated. And then we are really back to the 19 standard set of techniques with an IP address. 20 an investigator could subpoena information from an IP -- about 21 the billing address for that particular IP address, and things 22 proceed as is more typical with investigators. 23 Q. 24 actually visible to the server that receives it? 25 A. For example, So why is it that the IP address that's returned is So that arrow information sent outside of Tor on the left Teri Hendrix, RMR, CRR - Official Court Reporter 28 1 of the diagram is a standard IP based, TCP based, HTTP request 2 that I started with in the very first slide. 3 connection -- it's that analogy of sending mail through the 4 post office. 5 address, that the FBI server receives. 6 The standard There's a return address, in our case a source And again, the FBI server doesn't receive just one 7 message. It's a TCP connection with our hand shake, with the 8 number of packets, recovery from loss, recovery from out of 9 work delivery and then a good-bye. So not only that TCP 10 provides, as I mentioned before, check zones that ensure the 11 integrity of information that goes past it, and the 12 information itself is exactly the number that the FBI 13 generated prior to the NIT being delivered to the Tor user, 14 and as I might explain later, the number is so large that it's 15 difficult for someone to guess a value that the FBI might have 16 generated. 17 Q. 18 this system that you've reviewed, so let's move to that. 19 can start with what you have described as the payload. 20 All right. I want to ask you about some components of What did you review with respect to the payload? We What did 21 that consist of? 22 A. 23 corresponded to each case. 24 packet trace or PCAP file, as it's sometimes called in some of 25 the declarations. So the three payload files that I was given, one Each payload had a corresponding Teri Hendrix, RMR, CRR - Official Court Reporter 29 1 Each payload had an embedded identifier just like the one 2 I described earlier. 3 for example, one of them had a code in it that was easily 4 human-readable. 5 is what's called a script. 6 have the training, and I was able to look at that 7 human-readable code and execute each instruction. 8 9 The files had various differences, but Some code is meant for a computer, other code It's very easily readable if you These instructions gathered exactly what was described in the warrant application that I reviewed. For instance, the 10 operating system version, and I could see that the same 11 information was available in the packet traces itself. 12 Q. 13 instructions and the packet traces? 14 A. 15 one for each case. 16 the variations of -- it was a live internet trace, but they 17 all conformed to exactly the general summary that I gave 18 before. Did you notice anything abnormal from the review of those Right. So the packet traces are -- there's three of them, Each was a little bit different because of 19 For each one, I could see that there was a TCP request for 20 a connection, the other side of the hand shake, the third hand 21 shake and then I could see the web request go out. 22 cleanly and very visible, without any expertise, you could see 23 in the outgoing packet that the unique ID was present. 24 There's other information that's in my declaration that I 25 alluded to, but for instance, all three cases shared a common Teri Hendrix, RMR, CRR - Official Court Reporter Very 30 1 random number, a case ID. 2 When available, other information was also recorded in 3 this packet that went out, that looked like a web request, 4 including as I say the operating system or host name or other 5 information. 6 web page is not available, and then the connection is 7 essentially closed after tidying up any missing packets out of 8 order or things like that. The FBI server responds with oh, I am sorry that 9 I was also able to, by looking at these individual packet 10 traces, confirm that these integrity checks that I mentioned, 11 these check zones, were valid. 12 zones on each of the packets going out -- and when I say going 13 out, I mean going out from the defendants' computers -- I 14 could see that they were valid, they were fine. 15 There's in fact two check There was also no indication of various attacks that might 16 have taken place, extra packets, odd occurrences. They looked 17 very straightforward. 18 described in the warrant and conform to, for instance, what I 19 saw in the payload. 20 Q. 21 someone to do further testing of that payload information? 22 A. 23 for example, I know -- I didn't personally examine them, but I 24 know that what are called the images, the record of the 25 defendants' computers as they were seized, is available. They appeared to do exactly what was Now, were the ingredients there, so to speak, in order for Yeah, in fact all told, that's a lot of information. Teri Hendrix, RMR, CRR - Official Court Reporter So So 31 1 those were the computers that these payloads were executed on. 2 The payloads are also available for executing on other 3 computers. The output of -- in other words, the output of the 4 payload, which is the packet capture, is in a standard format 5 that's easily viewable by anyone who knows these techniques. 6 If the goal is to verify that indeed this ID appeared in the 7 packet trace, they were there. 8 the information that is in the packet traces conforms to the 9 warrant, those ingredients are there. If the goal is to verify that If the goal is to 10 figure out what else this payload might have done, they can be 11 run -- they can be run on other computers. 12 Q. 13 is for disclosure of the exploit component. 14 necessary to have the exploit in order to run the sort of 15 testing that you've been talking about? 16 A. 17 equivalent or analogous, rather, to a lock picking device. 18 if the goal is to determine whether that identifier appeared 19 in the payload, the exploit is not necessary for that. 20 need to do is look at -- if I said -- let me restate my 21 response. 22 Now, one of the requests in this case, as you are aware, Would it be No, because the exploit is a method of access. It's So All I If the goal is to validate or verify that the ID is 23 present in the packet traces, one need only look at the packet 24 traces. 25 can look at the payload. If the goal is to examine what this payload did, one The method of access to deliver the Teri Hendrix, RMR, CRR - Official Court Reporter 32 1 payload is not the same as the payload itself. 2 Q. 3 connection was subject to some kind of attack, are the 4 ingredients there for that? 5 A. 6 extremely explicit. It's low level. 7 of the web request. It's the actual TCP packet at the lowest 8 level. 9 examining that packet trace. Now, what if you wanted to determine whether this TCP So the ingredients are there. The packet trace itself is It's not just a printout Reviewing the exploit would not add information to As I said before, the packet 10 trace includes the integrity checks, the call sequence 11 numbers, all the recovery mechanisms, it's all there. 12 Q. 13 unique identifiers? 14 A. 15 line, because it leverages an industry standard technique. 16 uses an industry standard library. 17 version 4 of UUID, which has the computer it runs on generate 18 a very -- well, pick from among a very large space of random 19 numbers. 20 internet by Google for its advertisements. 21 That code is easy to review. 22 Professor, did you also review the code used to generate Yes. In fact, this code is very short. It's exactly one It's called UI. It's used extremely widely. It It uses It's used all over the It's widely used. I looked at the underlying library as well. It's the 23 industry standard. In my declaration, I did not have access 24 to that code when I stated it, but with the exception of a 25 small detail, it conforms exactly to what I stated in my Teri Hendrix, RMR, CRR - Official Court Reporter 33 1 declaration in terms of its ability to generate numbers that 2 are unique without duplication. 3 Q. Did you notice anything abnormal about that code? 4 A. No, it's exactly one line. 5 It's very simple. 6 Q. 7 general probability of there being duplicates? 8 A. 9 astronomically low. It's entirely appropriate. There is not much to examine. Using that particular type of code, what would be the Nil. The exact numbers are in my declaration. It's Even so, it's trivial to detect those 10 duplicates. 11 Q. 12 them? 13 A. 14 during this operation, one need only find duplicates that are 15 there. 16 There is no trick. 17 spreadsheet and ask them to detect them. 18 do. 19 Q. 20 with respect to this investigation? 21 A. 22 you can look at Special Agent Dan Alfin's declaration, and he 23 notes that he fact checked for those duplicates. 24 I find it hard to believe that that was not a trivial task, 25 but I am sure he got that right. What do you mean by that, that it's trivial to detect Well, if one had a list of all ID's that were generated There's no algorithm. There's no exercise to be done. You could load them into an Excel There's nothing to What is your understanding of whether that review was done As I stated in my declaration -- well, more specifically As I stated, There's nothing to do. Teri Hendrix, RMR, CRR - Official Court Reporter 34 1 Q. Would review of the exploit be necessary to make any of 2 those determinations about the unique identifiers? 3 A. 4 is not run on the server. 5 Selecting the entire code is available in this one line. 6 not related to the exploit. 7 Q. 8 to ask you first, Professor Levine, if you could just start by 9 defining a term for us. The exploit is a completely separate piece of code. That It's not related to this unique ID. Let's move more specifically to that concept then. It's I want Could you define the term malware? 10 What is malware? 11 A. 12 executes on someone's machine, generally for some task that is 13 deemed malicious, hence the MAL in malware. 14 Q. What are the components of malware? 15 A. The components are apparent from my definition, actually. 16 There's a method of access, and then there's an activity that 17 happens. I think that at a high level that describes all 18 malware. So for example, what I mean by a method of access is 19 some malware -- some malware is -- the method of access is 20 what some people call phishing or social engineering or good 21 old-fashioned trickery. 22 to be from a friend, and they ask you to run the attached 23 code, and that attached code does something. So malware is code that through some method of access You might get an email that appears 24 Another method of access is, you might be given a USB key 25 from a coworker, you might find a USB on the floor at a cafe, Teri Hendrix, RMR, CRR - Official Court Reporter 35 1 plug that USB key into your computer, that is the method of 2 access. 3 could do anything. 4 The code that runs, that was stored on that USB code, A third might be advanced code that's written by someone 5 to circumvent protections on your computer that were normally 6 provided by the operating system. 7 access. 8 it actually do? 9 Q. That would be a method of The separate component would be the task, what does So how does that method of access differ from the actual, 10 what it does, the malicious activity? 11 A. 12 might tell you that malware on my machine sent spam, 13 unbeknownst to me, to different people. 14 it recorded my key strokes so that my banking credentials 15 could be stolen. 16 computer unbeknownst to me. 17 It differs quite a bit. So the activity that it does, I I might tell you that It might be that materials were stored on my But that's a different thing. Perhaps one analogy that explains that is, if I tell you 18 that my house was broken into, you might say how did they get 19 in? 20 say they got in through the garage or the basement. 21 question has to be, what did they do when they got inside? 22 How they got in doesn't tell you what they did. 23 And I might say, they got in through the door or I might The next Then I might say oh, when they got in, they stole cash 24 from my safe. They left materials in my garage. They did 25 other things. In fact, if I had started with, there was a Teri Hendrix, RMR, CRR - Official Court Reporter 36 1 break-in at my house and they stole cash from my safe, your 2 next question has to be, how did they get in? 3 separated concepts. 4 other. 5 These are two Knowing one is not sufficient to know the So the same is true in malware. If I tell you that I 6 received what's called a trojan horse, which means that I 7 downloaded a program that appeared to be a tick-tack-toe game 8 but in fact what it really did is run some other activity, 9 your next question has to be what did the trojan horse 10 deliver? And then I might say, it was a key stroke logger or 11 I might say it stored files on my computer. 12 that malware got on my machine, the method of access, is not 13 the same as what it did. 14 Q. 15 talking about here regarding the deployment of the NIT? 16 A. 17 method of access, and the payload is the activity that was 18 done. 19 be observable or notable from looking at the exploit. 20 the other hand, the payload tells you what was done once 21 access was gained. 22 Q. 23 someone else could have used, say, the same method of access, 24 the same exploit to, for example, plant child pornography on 25 their computers. But knowing how So how does that line up with the scenario that we are So as I stated before, that exploit has this function of a So in these cases, knowing the method of access would But on So the defendants have suggested that it is possible that Teri Hendrix, RMR, CRR - Official Court Reporter 37 1 First, in a general, theoretical sense, is that possible? 2 A. Yes. 3 Q. Would examining the exploit that was used in connection 4 with these cases support or refute that theory? 5 A. 6 the analogy I gave before, knowing that a computer is -- 7 knowing that a method of access is available on a particular 8 computer does not tell you what else was done. 9 example, if I was to examine that exploit, perhaps one of two 10 11 It would not support or refute that theory because, like So, for things would happen. The first thing might be that in examining the exploit, I 12 might discover that first, in executing and allowing this 13 method of access, it leaves a trace on the computer. 14 other might be that it leaves no trace. 15 The Well, actually in the second case, if the exploit leaves 16 no trace whatsoever, examining the exploit does nothing for me 17 because I have no information to act on to look for other 18 software or malware that might use the same method of access. 19 So let's go back to that first case. 20 In examining the exploit, let's say that I hypothetically 21 discover that it does leave a trace on the computer, some type 22 of artifact that indicates that that was the method of access. 23 Having that actually still does not support or refute other 24 theories that I have about how this computer might have been 25 used by some other malware with the same method of access. Teri Hendrix, RMR, CRR - Official Court Reporter 38 1 Like the house analogy, hearing that someone can get in 2 through my windows doesn't say what they are going to do when 3 they get there. 4 is information that can be gained from it or not, but whether 5 there is information that can be gained from it does not tell 6 me whether later, even if I find that same trace, what that 7 other software did. 8 9 Examining the exploit, discovering that there This is not a property of malware. It's just a property of software; the same functions of software can appear in 10 other software. What it does after that function is run -- in 11 the case of malware, certainly -- is anything that that 12 computer can do. 13 If the computer has storage, it can store files. 14 connected to a network, it can send things over the internet. 15 Q. 16 designed to download and store child pornography, would it 17 necessarily depend on any one particular method of access to 18 be possible? 19 A. 20 stage -- it's just one component of malware that can do 21 anything after it. 22 vulnerable to a trojan horse, again my next question has to be 23 what happened next? 24 of that software, my first question would then be, how did it 25 get in? If the computer has a CPU, it can compute. If it's In a scenario where we are talking about malware that was Absolutely not. A method of access is just the first So telling me that a computer was If you started with the malicious effects They are unrelated. Teri Hendrix, RMR, CRR - Official Court Reporter 39 1 Q. In terms of looking for malware itself on your machine, 2 where would you look in order to make those sorts of 3 determinations about codes that ran and what it could have 4 done? 5 A. 6 are really looking for is what did it do to your computer. 7 you would look for evidence of those activities. 8 instance, if it's malware that sent spam, you would look for a 9 code that has aspects of it that related to an email. So if you are looking for malware, for instance what you So So for If you 10 are looking for malware that is related to storing images on a 11 computer, you would look for evidence of that type of activity 12 in the program. 13 On the other hand, you could look for malware based upon 14 this method of access. 15 that are core to the operating system have been changed. 16 Operating systems, because they are public, the files that run 17 them, the engine of the operating systems are well-known and 18 any changes in them can be easily detected. 19 So you could look at whether files There's a long list of things that could happen. For 20 example, some malware actually prevents a computer from being 21 upgraded. 22 You could test whether files have different time stamps on 23 them. 24 changed. 25 You could tell whether the computer prevents that. You can test whether they have their permissions Windows computers, for example, have a very important Teri Hendrix, RMR, CRR - Official Court Reporter 40 1 component called the registry. 2 permissions and access controls and configurations, and 3 there's a long list of standard entries in this registry that 4 can be looked at to look for evidence of malware. 5 It's a massive catalog of There's many other components. File systems, the malware 6 can hide in the first sectors of the file system, the last 7 sectors, in the middle. 8 forensics, and we spend at least a semester going through all 9 the different places that you can examine a computer for use I teach an entire course on digital 10 by somebody as part of an incident. 11 Q. 12 exploit could have, for example, altered security settings on 13 the defendants' computers. 14 So the defense has suggested that it's possible that an First, as a theoretical premise, is that possible? 15 A. Yes. 16 Q. Would you need to review the method of access to determine 17 what the computer's security settings are? 18 A. 19 their computer and look at the security settings and see 20 whether they allow for some unexpected access. 21 settings can be evaluated after an event happens. 22 the first -- or maybe not the first, but it's definitely a 23 very critical step of recovering from some event is to then go 24 back and examine those settings. 25 variety of related tasks, such as securing a computer, No. In fact, every owner of a computer should look at Those same It's one of So anyone trained in a Teri Hendrix, RMR, CRR - Official Court Reporter 41 1 recovering from an incident, investigating an incident, has a 2 list of activities, places, things they can do to examine a 3 machine. 4 Q. 5 declarations. 6 finding of changed or altered security settings or a 7 particular vulnerability? 8 A. 9 before I wrote my own declaration, and in the response to my You mentioned that you reviewed the defense expert's Did you see any indication of a review or a I didn't see any in the declarations that I reviewed 10 declaration, I didn't see a note of any of those findings. 11 There was a note in that response about Mr. Young examining 12 the computer. 13 statement to that. 14 Q. 15 conclusion here -- I didn't see it in that declaration, a So not to my knowledge. So, Professor Levine, to kind of bring this to a 16 MR. BECKER: Your Honor, if I could have the Court's 17 indulgence for just a quick moment, if I could have a brief 18 moment. 19 THE COURT: 20 Sure. (Off the record discussion.) 21 BY MR. BECKER: 22 Q. 23 would reviewing the exploit, the method of access, help to 24 find malicious software or malware related to child 25 pornography? Professor Levine, to sort of bring us to a conclusion, Teri Hendrix, RMR, CRR - Official Court Reporter 42 1 A. No, because as I have said, knowing the method of access 2 does not give you information about malware that might have 3 run subsequent to that, whether the malware used the same 4 method of access or a different method of access. 5 Q. 6 determine whether the payload was delivered accurately to the 7 defendants' computers? 8 A. 9 Tor network. Would reviewing the exploit, the method of access, help No, because in this case, the payload was delivered by the As I explained earlier, that connection is 10 encrypted for every volunteer router along the way, and the 11 exploit is not involved in it. 12 Q. 13 the payload executed or what it collected? 14 A. 15 what commands the payload executed. 16 Q. 17 determine whether the payload data was delivered back 18 securely? 19 A. 20 available, are the place to look to see whether that 21 information was returned accurately. 22 information is returned on systems that didn't see the 23 exploit, so it's not relevant. 24 Q. 25 unique identifiers were chosen reliably? Would reviewing the exploit help determine what commands No. In fact, the payload is the best place to look to see Would reviewing the exploit or method of access help No. In fact, the packet traces are PCAP files, which are Additionally, that Would reviewing the exploit help determine whether the Teri Hendrix, RMR, CRR - Official Court Reporter 43 1 A. No. In fact, we have the source codes for how those 2 identifiers were chosen, and it doesn't involve the exploit. 3 MR. BECKER: Your Honor, those are all the questions 4 that I have for Professor Levine, unless Your Honor has 5 specific questions. 6 7 MR. FIEMAN: recess so I can change out my computer? 8 9 Your Honor, may we have a five-minute THE COURT: That's fine. Let me know when you are ready. 10 MR. FIEMAN: 11 Thank you, Your Honor. (Morning recess.) 12 THE COURT: 13 Be seated, please. Mr. Fieman. 14 MR. FIEMAN: 15 Thank you, Your Honor. CROSS-EXAMINATION 16 BY MR. FIEMAN: 17 Q. 18 ourselves over the break, but for the record, my name is Colin 19 Fieman. 20 A. Good morning. 21 Q. I have a fair amount of ground to cover, and I am not a 22 technical person, so please, if I ask something that's 23 confusing or I just don't have it right, feel free to clarify. 24 A. Okay. 25 Q. Now, I just want to start -- what I am hoping is we are Good morning, Professor Levine. We just introduced I represent Mr. Tippens in these proceedings. Teri Hendrix, RMR, CRR - Official Court Reporter 44 1 actually going to find areas more where you agree with our 2 experts than disagree, which I think you summarized in your 3 declaration today. 4 where we overlap. 5 6 So I am going to try to focus on the areas In order to do that, I would like to just get some basic terminology or principles clear. 7 THE COURT: 8 BY MR. FIEMAN: 9 Q. This isn't working. So Professor Levine, let me start, just as a basic 10 principle, you agree that collecting reliable and accurate 11 digital evidence in internet cases can be challenging? 12 not like your typical drug case or something where you 13 actually have physical drugs to analyze? 14 A. 15 general, forensics is a difficult problem. 16 Q. 17 challenges, I think, in your work. 18 the weekend to try to read your Efficient Tagging of Remote 19 Peers article. 20 some cowriters? 21 A. 22 are talking about? 23 It's Well, I don't have experience with drug cases, but in It is. Yes. And you have, in fact, written about some of those I had the opportunity over Is that an article that you presented with Do you have the article here so I can verify what we MR. FIEMAN: If I may approach, Your Honor. 24 like to have this marked as Exhibit 1. 25 bench copy as well. We'd There should be a It's an article from Professor Levine, Teri Hendrix, RMR, CRR - Official Court Reporter 45 1 and copies have also been provided to the prosecution. 2 A. 3 BY MR. FIEMAN: 4 Q. 5 there's a typo in there, because I did capture it from the 6 original -- but as a basic principle, "strengthening 7 techniques used in network-based criminal investigations" -- 8 and some of those concerns have been addressed by, for 9 example, the National Academy of Sciences, calling for a Yes, this appears to be the article I have written. Is this an accurate quotation from your article -- I think 10 scientific overhaul? 11 A. 12 in my article, or are you asking me to confirm the statement? 13 What exactly are you asking? 14 Q. 15 National Academy of Sciences is calling for? 16 A. 17 report which came out a number of years ago talking about 18 forensics, broadly ballistics, digital evidence and so on. 19 Q. 20 a typo. 21 "investigations begins"? 22 A. 23 documents. 24 Q. 25 you have a chance to proofread that article? So I am sorry. Are you asking me to confirm that this is Are you confirming that's a correct statement of what the Yes. The reference in -- the article referenced that Correct. I am going to narrow as we go. I think there's I think it says "investigations beings"; it should be I apologize. There was no copy editor for these It's just me. I hope you review your code a little more carefully. Teri Hendrix, RMR, CRR - Official Court Reporter Did 46 1 A. Did I have a chance to proofread this? 2 Q. Yes. 3 A. Yes, I tried, certainly. 4 Q. Now, is it fair to say that one way to ensure that digital 5 evidence, forensic evidence in a particular case, is accurate 6 and reliable for a jury is to have qualified experts review it 7 for possible errors? 8 A. The evidence that was collected? 9 Q. Any evidence. Before evidence -- digital evidence is 10 presented to a jury, is it fair to say that one way to ensure 11 that it's reliable and accurate is for qualified experts to 12 review it? 13 A. 14 was, for instance, seized from the scene? 15 Q. Correct. 16 A. Yes. 17 Q. Now, one area of expertise that I understand you have is 18 with peer-to-peer networks or P2P networks; is that correct? 19 A. That's correct. 20 Q. Are you familiar with a software or program called EP2P? 21 A. I am not very familiar with it. 22 honestly just know its name. 23 construction design. 24 never seen it demonstrated, so I don't know much about it at 25 all. Yes. I assume you are talking about digital evidence that EP2P is a program that I I was not involved in its I have never seen it, never held it, Teri Hendrix, RMR, CRR - Official Court Reporter 47 1 Q. So you haven't had a chance, for example, to review EP2P 2 software? 3 A. No. 4 Q. So you are not in a position to comment on it; is that 5 correct? 6 A. Well, it depends on what your question is, but no. 7 Q. Now, would you agree just as a general matter, not based 8 on any specific knowledge, that if a defendant was charged 9 with file sharing via a P2P network or over a P2P program, his 10 computer expert should be able to analyze that software to 11 make sure it was identified correctly? 12 as a general statement of principle? 13 MR. BECKER: 14 THE COURT: Do you agree with that Objection to relevance. He can answer. 15 A. I am sorry, can you repeat the question? 16 BY MR. FIEMAN: 17 Q. 18 because that's something you are particularly familiar with, 19 would it be a fair statement that if a defendant was charged 20 in a criminal case based upon identifying information 21 collected on a P2P network, that his expert should be able to 22 analyze and check the software that was used to collect that 23 information? 24 A. If you are asking my opinion on a legal matter -- 25 Q. No, just as a general matter of principle. Just as a general matter, focussing on P2P networks, If you are Teri Hendrix, RMR, CRR - Official Court Reporter 48 1 doing work as an expert, is that a fair statement? 2 A. 3 referring to. 4 Q. As general fairness and to ensure accuracy... 5 A. Accuracy of the evidence collected over the P2P network? 6 Q. Yes. 7 A. For instance, they could look at the evidence itself. 8 of the ways in which you might provide that fairness is to 9 look at the tool that was used; it might not be the only way. What principle? Sure, I don't know what principle you are In general fairness or a legal principle or...? One 10 Q. Okay. What about looking at the P2P software itself? 11 A. Which P2P software? 12 used by the investigator? 13 Q. The one used by law enforcement. 14 A. That, in addition to other methods, would be one way. 15 Q. Now, Professor Levine, I understand that the word NIT or 16 Network Investigative Technique really covers could relate to 17 a lot of different stuff, but have you ever worked on a case 18 involving a NIT? 19 A. 20 you are describing it so broadly, I am not sure what you are 21 referring to. 22 the techniques used in this case as I described in my earlier 23 statements, and in that sense, this is the only case that I 24 have worked on that involves a NIT. 25 Q. The one used by the client or the one So why don't you define NIT, because I believe -- because Okay. My understanding of a NIT is that it refers to Are you familiar with a prior FBI operation called Teri Hendrix, RMR, CRR - Official Court Reporter 49 1 Operation Torpedo? 2 A. Only from reading about it in the news. 3 Q. Okay. 4 Miller and Shawn Kasal, actually worked on the Operation 5 Torpedo case? 6 A. Only as described in their declarations. 7 Q. And you are aware also, from Robert Young's declaration 8 which you say that you reviewed, that he's an expert in 9 forensic analysis, digital analysis? Are you aware that defense experts, Professor 10 A. I am aware that he wrote that, yes. 11 Q. Have you ever been qualified in a court or any judicial 12 proceeding as an expert in forensic evidentiary analysis? 13 A. Not in a court proceeding, no. 14 Q. You say that some of your research is currently funded by 15 the FBI; is that correct? 16 A. Yes. 17 Q. How much funding are you receiving and over what number of 18 years or terms? 19 A. 20 believe these are correct. 21 $400,000. 22 example, covers what's called the overhead of the university, 23 a variety of costs and so on. 24 sufficiently? 25 Q. The current contract is for -- this is from memory, but I The current contract is for It's over a 12-month period. It does. That $400,000, for Does that answer your question Thank you, professor. Teri Hendrix, RMR, CRR - Official Court Reporter 50 1 Now, I just want to be clear on what you have looked at in 2 connection with this case in terms of code or components and 3 what you have not had the opportunity to look at. 4 want to clarify that. 5 A. Okay. 6 Q. Now, have you in fact looked at the exploit component or 7 the code for the exploit? 8 A. No. 9 Q. Have you looked at the server component? 10 A. I have not looked at the server component, but as I stated 11 earlier, I did look at the code that generated the identifier. 12 I don't know if you want to call that part of the server or 13 not. 14 Q. 15 not always easy to make different hard and fast boundaries 16 between various components; is that fair? 17 A. 18 packet traces because that includes responses from the server. 19 Q. 20 disclose that you did not review the source code or executable 21 for the exploit that deployed the NIT payloads. 22 that on the screen. 23 A. That appears to be from the declaration. 24 Q. You referenced -- you used the word "payloads" plural? 25 A. Well, there are three cases involved here, and there were So I just I understand that things can sometimes overlap, and it's That's fair. In fact, I might include in that overlap the Now, in your declaration, in paragraph 3, you forthrightly I have Is that, in fact, from your declaration? Teri Hendrix, RMR, CRR - Official Court Reporter 51 1 three payloads that were given to me. 2 Q. 3 payloads that were generated in connection with this case. 4 you recall that? 5 A. 6 declaration? On page 4, line 1, of your declaration you reference I don't. 7 Do Do you want to point me to that line in my MR. FIEMAN: Your Honor, I am referencing docket 8 58-1. All my references are to Tippens dockets for clarity, 9 Your Honor, and this will be on page 3, paragraph 4, the last 10 line, carrying over to page 5. 11 BY MR. FIEMAN: 12 Q. Do you have a copy of your declaration with you? 13 A. I do have a copy in front of me. 14 Q. I just want to read that sentence into the record -- and 15 correct me if I am misreading it -- "The bespoke payload" -- 16 that means sort of the custom payload for this operation, 17 correct? 18 A. Yes. 19 Q. Okay -- "carried a unique identifier that was generated by 20 the FBI" -- we've already talked a little bit about that -- 21 "as well as a case identifier common to all payloads generated 22 for the Playpen operation." 23 two things there. 24 being generated for the individual cases. 25 If I may approach the witness. So again, there's a reference to One, multiple payloads and secondly, them Now, my question is, were there multiple payloads that Teri Hendrix, RMR, CRR - Official Court Reporter 52 1 were used in connection with this NIT? 2 A. 3 given the three payloads. 4 payloads that I was given. 5 one, as I indicated in the declaration, contained or had 6 embedded in it these unique identifiers. 7 the word "generated." 8 identifier. 9 Q. So to clarify what I meant in my statement is that I was Thank you. I am referring to those Playpen They were different because each So that's why I used It's the embedding of the unique Professor Levine, do you know who wrote the 10 code for the payloads? 11 A. I don't. 12 Q. Do you know when it was written? 13 A. I don't. 14 Q. Do you know if it is the same or different from the NIT 15 payloads that were used previously in Operation Torpedo? 16 A. No, I don't. 17 Q. Now, just to back up for a second, on your slide that 18 dealt with NIT investigative techniques, you had indicated 19 while mapping the route of the NIT that the NIT was downloaded 20 by the user at some point in this investigative process; is 21 that correct? 22 A. I see that on the slide. 23 Q. And that would have been done, based on the information 24 you have about this case, without the user's knowledge; 25 correct? It was done in secret? Teri Hendrix, RMR, CRR - Official Court Reporter 53 1 A. 2 correct. 3 Q. 4 not in our terminology, but it is fair to say that commonly, 5 when we talk about malware, it is fair to describe it as code 6 through some method of access to a computer, without the 7 user's knowledge or consent, performs functions on the 8 affected computer that the users did not know or want? 9 A. Are we talking about the NIT or are we talking -- 10 Q. We are talking about malware in general. 11 A. Okay, so we are changing from the NIT? 12 Q. Yes, that's why I was saying in general at the beginning 13 of the question. 14 A. Sure, those are among the components of malware. 15 Q. Thank you. 16 little bit on the exploit component, so that's where I am 17 going next. 18 Based on the information I have in this case, that's I don't really want to debate whether this is malware or Now I want to spend some time focussing a As I indicated, I understand that you want to distinguish 19 between the various components as much as possible to keep 20 things clear; is that correct? 21 A. The components of the NIT, yes. 22 Q. Is it fair to say that it's called "Network Investigative 23 Technique" because these components work in conjunction with 24 each other? 25 A. I didn't invent the terminology. When I referenced Teri Hendrix, RMR, CRR - Official Court Reporter 54 1 Network Investigative Techniques, I am talking about this 2 entire process, so that it's clear to the Court. 3 Q. 4 fair, that these components work in conjunction with each 5 other and all together they make up the NIT? 6 A. Yes. 7 Q. Now, do you agree or disagree that the exploit, the 8 exploit component, can make fundamental changes to a 9 computer's data and disable its security settings? Well, based on your knowledge of this process, is that 10 A. 11 speaking generally, when I say the exploit, I am referring to 12 the method of entry that allowed this payload to execute. 13 I said in my earlier testimony, I can speculate that this 14 exploit may leave some changes behind or it might not. 15 Q. 16 testimony by Agent Alfin that an exploit can make -- and we 17 are speaking generally -- can make fundamental changes to a 18 computer's data and disable its security settings. 19 So, again, I haven't examined the exploit, so just So again, this is actually a statement from earlier Do you agree or disagree with that statement? 20 A. 21 yes, I agree. 22 Q. 23 exploit? 24 A. 25 As If I interpret the statement to mean can or cannot, then It can do those things. And you have not seen the I have not seen the exploit. BY MR. FIEMAN: And just for the record, Your Honor, Teri Hendrix, RMR, CRR - Official Court Reporter 55 1 this is in our exhibits, but I am referring to testimony 2 that's before the Court on the screen from Agent Alfin on 3 October 11, 2016. 4 BY MR. FIEMAN: 5 Q. 6 possible for exploits to do those things, make fundamental 7 changes to data and disable security settings? 8 A. 9 possible or it might not. So you are in agreement with Agent Alfin that it's The exploit is undefined as a piece of software, yes, it's 10 Q. 11 not seen it, correct? 12 A. I have not seen it. 13 Q. Neither have we, so there we are. 14 Professor Miller -- you've reviewed his declaration that was 15 submitted originally in the Michaud case but also in 16 connection with this case? 17 A. 18 read the one I referred to in my declaration. 19 Q. Just for the record, there's only been one declaration. 20 A. That's the one I read. 21 Q. I promise you I will try not to lead you down the garden 22 path on records you have not seen. 23 Correct. We don't know. You don't know because you have In fact, I think I believe we are referring to the same declaration. I So in Professor Miller's declaration -- I have it on the 24 screen now, paragraph 4 -- he makes a couple of statements, 25 and again, I am trying to find areas where we can agree. Teri Hendrix, RMR, CRR - Official Court Reporter 56 1 A. Uh-huh. 2 Q. He says that "a computer system that has been exploited 3 has been fundamentally altered in some way," and he goes on to 4 talk about how, as a result of that, "the computer may crash, 5 lose or alter data, not respond to normal input or it may 6 alter any of the settings on the system. 7 exploit, it can affect the security posture of the computer 8 going forward." 9 Depending on the Now, do you agree or disagree with that summation? 10 A. I don't agree with the entire quote that you've provided. 11 Q. And I understand that your disagreement may arise from the 12 fact that you've described to the Court the exploit as a key, 13 correct? 14 A. Can I tell you how I disagree? 15 Q. Absolutely. 16 A. So this first statement is very absolute. 17 system that has been exploited has been fundamentally altered 18 in some way; it may or may not have. 19 will give you an example of an exploit that does not 20 fundamentally alter a computer in some way. A computer We don't know. So I 21 I may approach you and I may call you and say, oh, I'm 22 here -- I am sorry, I don't want to use you as an example. 23 may approach someone and say: 24 really need to know the password to your email because your 25 child needs to go home. I'm here with your child. I I I get the password and I log in as Teri Hendrix, RMR, CRR - Official Court Reporter 57 1 normal. There's no alteration to the computer. That's a 2 method of access that does even not touch the computer. 3 think that first statement, first of all, is way too broad. 4 Q. 5 don't know what this exploit looks like, correct? 6 A. 7 reasoning. 8 Q. 9 correct? So I It's broad, in fact, because at least the defense experts No, I don't agree that that's a description of my Okay. You are aware that we have not seen the exploit, 10 A. Yes, I am aware of that. 11 Q. You have not seen the exploit? 12 A. I have not seen the exploit. 13 Q. So by some standards, some generalization is inevitable 14 given that we don't know what this actually did, correct? 15 A. Yes. 16 Q. As a generalization, do you agree with Professor Miller's 17 statement that exploits are capable of doing all of these 18 things? 19 A. 20 alter -- any of the settings on the system. 21 you are asking me, I agree with that. 22 Q. 23 well? 24 A. 25 the exploit to the method of entry. I agree with the statement that they may alter -- may If that's what And also delete or lose or change data, that may happen as If that's part of the method of entry. I am restricting If you are referring to Teri Hendrix, RMR, CRR - Official Court Reporter 58 1 what happens after the entry, yes, it's also possible after 2 the method of entry to then crash, lose or alter data. 3 Q. 4 Professor Miller, are speaking specifically and directly to 5 exploits. 6 you aware of the context of their statements, correct? 7 A. 8 think we maybe have a disagreement about definitions. 9 agree that these things are all possible on a computer for Well, both Agent Alfin in his October 11th testimony, and Yes. Now, I understand you may not agree with them, but I don't think we disagree. I think you are right, I But I 10 software that can run. 11 Q. 12 exploit does that, it's much more than a key, correct? 13 actually not just going into the house, but moving the 14 furniture or shredding documents, altering data or leaving the 15 door open for other people; that's more than just a key if the 16 exploit is doing that? 17 A. 18 entry. 19 stated, malware can have multiple goals, or rather have 20 multiple components. 21 the other would be what it does once it gains entry. 22 would be, for example, altering the data perhaps maliciously. 23 So if you would like to put this all together in the 24 components of malware, I certainly agree with that. 25 Q. That possibility is -- certainly in a case where an It's So the way you've described it is beyond the method of If you move around the furniture, then yes. As I One of them is the method of entry, and So that Well, again these statements from both Professor Miller Teri Hendrix, RMR, CRR - Official Court Reporter 59 1 about the exploit component -- I understand that you don't 2 necessarily agree with them in their entirety; is that fair to 3 say? 4 A. 5 them because if I realign what they are saying with my 6 definitions -- for instance, as I stated, in order to gain 7 entry, some things may be done, there may be malicious 8 activity afterwards. 9 system. I agree with them in parts, and I think -- I agree with These components can happen on the I agree. 10 Q. And I you understand why you want to use your definitions, 11 but you can understand why we are concerned about maybe the 12 definitions that Agent Alfin and Professor Miller are using 13 and where these boundaries might be drawn, correct? 14 A. Yes. 15 Q. Now, in terms of the exploit being restricted and just 16 being a key in this case, you are basically relying on 17 information that's provided to you by Agent Alfin, correct? 18 A. 19 that I rely on to do this. 20 Q. 21 example where you say we know from Special Agent Alfin's sworn 22 statement that the exploit was restricted to allowing the 23 payload to be delivered and executed, correct? 24 A. Yes, I wrote that. 25 Q. So is it fair to say that the entirety of your information Yes. There are various statements from the declarations In fact, in paragraph 9 of your declaration, this is one Teri Hendrix, RMR, CRR - Official Court Reporter 60 1 about what this exploit did or did not do, comes from Agent 2 Alfin's declarations? 3 A. 4 want to talk about the quote that's up here -- 5 Q. 6 about what this particular exploit did or did not do. 7 all I am asking about. 8 A. You are correct. 9 Q. All right. Yes. I mean, "entirety" is a strong word there. If you I just want to know about your personal knowledge, if any, That's Now, setting aside what the exploit did or did 10 not do and what we may or may not know about it, let's talk a 11 little bit about what we might be able to find out about what 12 it did without looking at the exploit itself? 13 A. Uh-huh. 14 Q. I think you testified earlier about how you would expect 15 that if there were changes, if there was some kind of change 16 to the security settings or lost data, you should be able to 17 kind of reverse engineer it from the client's hard drive? 18 A. That's not what I said. 19 Q. Okay, then please correct it. 20 A. What I said was that in the case of a method of access -- 21 what I was referring to was malware. 22 method of access from malware, it may have left a trace. 23 may have altered things. 24 So in the first case, if it doesn't alter anything, an example 25 of that is the phone call I gave before, then there's nothing So in the case of the It It may not have left a trace, okay. Teri Hendrix, RMR, CRR - Official Court Reporter 61 1 to do there. 2 In the other case, the malware or method of entry might 3 alter the computer. 4 same artifacts, you might conclude that that same method of 5 access was used. 6 tell you any of the following activities since different 7 software could reuse that same method of access. 8 Q. 9 You had indicated in paragraph 16 of your declaration that, All right. So if on another computer you see those And then I also clarified that that does not So let's just use the word "malware" broadly. 10 assuming for the sake of argument that the exploit did 11 something to the computer beyond just opening it, you would 12 expect -- and I am looking at the last sentence -- that "such 13 malware would need to reside in permanent storage, making it 14 easier to find by experts, and yet it has not been found." 15 Is that an accurate statement of your declaration? 16 A. Well, the full quote is -- 17 Q. Please read it. 18 A. Okay. 19 to furtively store images on the defendants' machines would 20 also have the ability to later retrieve the images." 21 "It is reasonable to expect that malware designed So here, I am talking about a specific kind of task for 22 that malware. The task I am referring to is both the storage 23 and retrieval of the images. 24 task, what I write next is, "In order to allow retrieval after 25 a device reboot, in that case storage retrieval after a device So within the context of that Teri Hendrix, RMR, CRR - Official Court Reporter 62 1 reboot, the malware would need to reside in persistent 2 storage, making it easier to find by experts." 3 So what I am saying is, this particular type of malware, 4 for instance, it might store child pornography, has not been 5 found, to my knowledge. 6 Q. 7 particularly about the reboot. 8 these general principles about computer code or malicious code 9 that may be on a computer before we get to specifics. We are going to talk a little bit more about that, and But I do want to stick with 10 A. Okay. 11 Q. Now, Agent Alfin has also testified -- this is again 12 attached to our pleadings. 13 in general -- 14 A. Uh-huh. 15 Q. -- and was questioned about whether programs can be 16 written so that there is no code left behind on the computer 17 once that information has been sent somewhere else. 18 understand the question he's being asked? 19 A. Yes. 20 Q. He answers -- this is on a separate slide. 21 there is agreeing that malware can be designed so in fact 22 there is no code left behind on the computer that can show 23 that it was there, tell a forensic specialist like Robert 24 Young what it did or all those other things that may be 25 important to know. He was asked earlier about malware Do you Agent Alfin Teri Hendrix, RMR, CRR - Official Court Reporter 63 1 A. Are you asking me a question? 2 Q. If you agree or disagree with that statement. 3 A. I don't agree with what you said. 4 fair reading of the quote in front of me because I believe you 5 skipped an important phrase between the two hyphens, the end 6 dashes. 7 Q. 8 someone's information, correct? 9 A. I don't think that's a He is talking here about the information designed to steal He's talking about malware is generally designed if you 10 are going to steal someone's information -- and I would like 11 to point out that is a different scenario than the quote you 12 took from my declaration, which was about malware that's 13 stored and retrieved after reboot -- that information, 14 stealing someone's information and then leaving doesn't 15 require you to stay there. 16 So that's why such malware could delete itself. But if I 17 am going to write malware that stores images on someone's 18 computer, and I would like to later retrieve it, then I do 19 need to stick around because how can I respond to commands 20 that request retrieval? 21 Q. 22 these cases, the NIT components -- excuse me, because we don't 23 need to agree on the word. 24 against the various defendants in these cases back in February 25 and early March of last year; are you aware of that timeframe? Well, you are aware, are you not, that the malware in The NIT components were deployed Teri Hendrix, RMR, CRR - Official Court Reporter 64 1 A. That's what I understand. 2 Q. Okay. 3 it's to steal somebody's information, alter or delete files, 4 create a remote storage for pornography, do you agree or 5 disagree that any of those types of malware may be written so 6 that there's no code left behind? 7 A. 8 that would store and then retrieve. 9 retrieval to work correctly, I don't see how the malware could No. And just in terms of malware in general, whether Is that possible? Again, you are including in that the type of malware So in order for the 10 -- 11 Q. I am not talking about retrieval -- 12 A. I'm sorry, could you clarify your question? 13 Q. I'm talking any type of malware that either alters or 14 changes data, alters or changes security settings, stores 15 unwanted data or images on a computer remotely, any of that 16 type of malware, whatever its malicious purpose may be, is it 17 possible for code to be written, the code itself, that does 18 not leave a trace on the computer? 19 A. For the examples you just gave, yes, it's possible. 20 Q. For all those examples, correct? 21 A. I believe so, as I understand you to say them. 22 Q. Now, in this case, you actually indicated that at least 23 some of the NIT code -- and again, these definitions are hard, 24 but whether it's the exploit or the payload, some part of the 25 NIT code may not have been left behind on the target Teri Hendrix, RMR, CRR - Official Court Reporter 65 1 computers; is that a fair statement? 2 A. 3 you are requesting this information and you have those 4 computers, I assume that you don't have access to that 5 information. 6 Q. 7 4 -- excuse me, paragraph 4 on page 5 of your declaration -- 8 A. Uh-huh. 9 Q. Turn to page 4, lines 7 and 8. Well, I haven't examined those computers, but given that Well, in fact you wrote -- if you will turn to paragraph It's the last sentence, 10 "The exploit and payload did not persist on the defendants' 11 computers after execution." 12 A. What's your question? 13 14 THE COURT: Just a minute, counsel, where are you looking? 15 MR. FIEMAN: If you look at docket 58-1, Professor 16 Levine's declaration on page 4, Your Honor, it's lines 7 and 17 8. 18 BY MR. FIEMAN: 19 Q. 20 "The exploit and payload did not persist on the defendants' 21 computers after execution"; is that correct? 22 A. 23 and available -- what I mean by "persist" is there and 24 available -- you would not be requesting them from the 25 government. Now, in reference to the NIT in this case, you state that, I state that because I am assuming that if they were there Teri Hendrix, RMR, CRR - Official Court Reporter 66 1 Q. Okay. 2 A. So by persist, I mean they are not available or ready made 3 for you. 4 Q. 5 storage devices in connection with this case? 6 A. I did not. 7 Q. Did you ask to get a mirror image hard copy or do that at 8 any point? 9 A. I did not. 10 Q. I am not impugning your logic. 11 Again, you indicated that you had read Robert Young's 12 declaration in connection with this case? 13 A. Yes, I read that declaration. 14 Q. And in paragraph 7 of his declaration, he talks about some 15 of the things that may have gone on, given the NIT on the 16 defendants' computers, and that may include instructions that 17 mask or conceal the object code -- we'll talk a little bit 18 more about that -- but basically the code, making it possible 19 to reverse engineer the code, and he also talks about 20 encryption and some technical things that are already kind of 21 over my head. 22 even be lost when a program ends or is shut down or rebooted. Did you look at any of the defendants' hard drives or data So you are right, that's a logical conclusion. I just want to follow it. And then he also talks about that some data may 23 Again, these are generalizations, but do you dispute any 24 of his description of some of the challenges that would come 25 with trying to work backwards from the defendants' devices? Teri Hendrix, RMR, CRR - Official Court Reporter 67 1 A. So, putting aside disagreements about what the NIT is, so 2 let's talk more, as you said, as you suggest, let's talk about 3 the exploit and the payload. 4 to you, than yes -- sorry, did I say that correctly? 5 payload is available, and so looking at that material is not 6 as hard. 7 have -- I am not sure of your question. 8 that exploit is still available on the defendants' computers, 9 could it be reverse engineered, would there be challenges in If the exploit is not available The But yes, the exploit, which is not available, would You are asking if 10 discovering it, yes. Possibly, yes, presumably because you 11 haven't found it. 12 Q. 13 imagine the trouble we are having, but I appreciate your 14 efforts to clarify. If you are having trouble keeping track of terminology, 15 Now, you did spend a fair amount of your declaration 16 talking about sort of in general well, we don't need the 17 NIT -- all the NIT components, there's some we have got and 18 some we haven't. 19 you would expect to be able to find evidence of what we are 20 looking for on the storage devices of our clients. 21 fair general statement of what you talked about at some 22 length? 23 A. 24 malware that's responsible for evidence that's found on the 25 computer, that's not related to the method of entry. We don't need all of those because again, Is that a Yes, because if what you are looking for is third-party Teri Hendrix, RMR, CRR - Official Court Reporter 68 1 Q. It's not what we are looking for. That may be part of -- 2 A. Could you clarify that? 3 Q. We are looking for what the NIT did. 4 trying to figure out. 5 A. You are looking for the method of access? 6 Q. We are looking for whether the exploit, as you previously 7 agreed, could have changed or altered data or changed security 8 settings, for example. 9 A. That's what we are So you are looking for the trace that might be left behind 10 from an exploit that ran and had a method of entry? 11 Q. We are looking for the exploit to know what it is. 12 A. You are looking for the task that occurred in the payload? 13 Q. We are looking for what the exploit is. 14 A. So you are looking for the method of entry? 15 Q. No, we are not agreeing about that because -- 16 A. I agree. 17 Q. -- I think we already agreed, based on the prior 18 statements, that some exploits can change data, correct? 19 A. Some methods of entry might change data, yes. 20 Q. Now, just in terms of -- just finishing up with this 21 problem of trying to work backwards from our clients' devices, 22 I want to direct you again to some testimony from Agent Alfin 23 that has been provided to the Court as part of the Jean 24 transcript on October 11, 2016. 25 Again, we are talking in general just about some of the Teri Hendrix, RMR, CRR - Official Court Reporter 69 1 data analysis problems that attend this type of case, whether 2 it's an NIT case or malware case, however you want to define 3 it, okay. 4 Alfin about: 5 computer over time that's become overwritten," correct? 6 And there was a question that was directed to Agent "Are you familiar with what happens to data on a And the answer there is: Yes, among other things, when 7 the computer reboots, it's going to clean up data files, which 8 I understand may change or delete or compress files, correct? 9 A. Depending on the operating system. 10 Q. Depending on the operating system. 11 with Agent Alfin's statement, so if there were changes to the 12 computer -- and I think we are referencing a defendant's 13 computer -- "eventually they can be corrected or deleted or 14 removed." 15 you? 16 A. Yes, it could be. 17 Q. Also, if you update your operating system, there may be 18 changes to the data? 19 A. Which data, the user data or the operating system data? 20 Q. Data that is stored on the system. 21 A. Certainly, the operating system data would be changed if 22 that's what was upgraded. 23 Q. 24 the time; is that a fair general statement from Agent Alfin? 25 A. So again, continuing Does that seem like a fair general statement to So computers are inherently rewritable and changeable all General purpose computers do general things, absolutely. Teri Hendrix, RMR, CRR - Official Court Reporter 70 1 Q. 2 the Cottom case. 3 A. Only in the declarations that I have read. 4 Q. Just for clarification, that was one of the cases that 5 involved Operation Torpedo -- I don't expect you necessarily 6 to know that, but clearly, you can see from this question and 7 answer that Agent Alfin is referring to a prior case involving 8 an NIT, and he was asked: 9 case, the software that you analyzed didn't make any 10 Now, there's a reference, as the testimony continues, to Have you heard that case referenced? "You testified that in the Cottom fundamental changes?" 11 Do you see that question? 12 A. This is a question to Agent Alfin? 13 Q. Yes. 14 A. Okay. 15 Q. And I am going to ask at the end if you agree or disagree 16 with that statement. 17 MR. BECKER: Objection, just briefly, Your Honor. 18 think this may just be an error. 19 Agent Alfin's testimony, and I would just ask if counsel can 20 clarify. 21 I I don't believe this is I think this is Mr. Miller's testimony. MR. FIEMAN: I will double-check the record, but it 22 doesn't matter if it's Agent Alfin or Professor Miller -- and 23 I will clarify it at the break -- 24 25 MR. BECKER: I think it doesn't matter in terms of the clarity of the record, but I do not believe this is Teri Hendrix, RMR, CRR - Official Court Reporter 71 1 Special Agent Alfin's testimony. 2 MR. FIEMAN: 3 THE COURT: I will double-check the excerpts. What's the question to the witness? 4 BY MR. FIEMAN: 5 Q. 6 were fundamental changes to the computer as a result of an NIT 7 without it having been analyzed? 8 A. 9 materials. Do you believe that it's possible to know whether there I don't have access to the Cottom case. I don't have the I am not sure what you are asking me. If you 10 want, I can read this and then try to agree with it, but I am 11 so uninvolved in the other case, I am not sure what you are 12 asking me. 13 Q. 14 clarification. 15 the payload components at this point. 16 exploits and malware in general. 17 payloads. 18 A. Okay. 19 Q. I am going to need some help because I have never taken a 20 computer class, and I don't know code. 21 certain general principles as this: 22 are two types of code, source code or code that is initially 23 written by a programmer, correct? 24 A. You said there were two types? 25 Q. Well, is that one type of code, source code? I am going to move on because I think we also need a But let me focus on an issue just in terms of We talked about Now I want to talk about the But I understand Broadly speaking, there Teri Hendrix, RMR, CRR - Official Court Reporter 72 1 A. The original source code, yes. 2 Q. And is that also sometimes known as human-readable code? 3 A. Yes, that's an example of human-readable code. 4 Q. And then there is a different type of code that's called 5 sometimes object code or binary code, correct? 6 A. Yes, the result of compilation. 7 Q. When you say compilation, if I understand the process, 8 you'll have a programmer write out the code in a programming 9 language. That human-readable written code will then be 10 converted into zeros and ones, binary language which will give 11 the computer instructions to run. 12 generalization? 13 A. Yes, absolutely. 14 Q. So if you know -- if you have the source code, and you 15 know the programming language that was used to write it, you 16 can go through and analyze it and understand what the code 17 instructed the computer to do or not do, correct? 18 A. You can certainly try. 19 Q. But with binary code, that's often referred to as not 20 human-readable, correct? 21 A. 22 yes, it's definitely not as easy as human-readable code, the 23 binary code. 24 source code. 25 Q. Is that a fair Well, there are fewer experts who can take care of it, but You can run it, which is a nice advantage over Now, you said you reviewed human-readable code in Teri Hendrix, RMR, CRR - Official Court Reporter 73 1 connection with the payload; is that correct? 2 A. On the stand here today? 3 Q. Yes. 4 A. So what I was referring to is, embedded within the payload 5 there is scripting language. 6 Q. What is scripted language? 7 A. There was particular human-readable code, I believe it was 8 called the bash script. 9 me to get, but there was a script embedded inside the I don't know how technical you want 10 executable, at least one of them. 11 Q. What about non human-readable? 12 A. There was also non human-readable code in there. 13 Q. So if I understand your testimony correctly, you testified 14 that you looked at and analyzed the payloads, correct? 15 A. I did. 16 Q. And you looked at human-readable code, right? 17 A. There was some human-readable code embedded in it. 18 Q. There was also, however, other code that was not 19 human-readable? 20 A. 21 in the code, and there was compiled code, this object code 22 that you referred to. 23 Q. 24 that were not human-readable? 25 A. There was human-readable code, there were pieces of text All three were in there. What did you do with those portions of the payload code I didn't read them. Teri Hendrix, RMR, CRR - Official Court Reporter 74 1 Q. You didn't read them? 2 A. No. 3 easy to read as you would say. 4 extracted the text that was embedded in that quote-unquote non 5 human-readable code, and that text corresponded, for example, 6 to the unique identifier that I saw -- or other output that 7 appeared in the packet traces. 8 Q. So you were able to read part of it? 9 A. I was able to read part of it; only part, as you are So let me clarify. So I didn't -- they are not as I looked through them. I 10 saying. 11 Q. 12 payload code, but only those parts you could understand; is 13 that correct? 14 A. 15 extracted the human-readable code. 16 not clear. 17 Q. 18 declaration, parts of this payload that, at least according to 19 your testimony just now, are not in a human-readable format? 20 A. 21 executed. 22 let's say, a computer scientist readable code. 23 impossible to read the code. 24 But it's not impossible to do. 25 a dead-end, but it's certainly challenging, I agree with you. Previously, you had testified that you analyzed the Yes, I apologize. To clarify, as part of my analysis, I I apologize if that was So there are, consistent with Mr. Tsyrklevich's They are not in a human-readable form, but they can be For example, there are people who can read this, I didn't do it. It's not I didn't do it. And you can run it. Teri Hendrix, RMR, CRR - Official Court Reporter It's not 75 1 Q. It was a dead-end to you, though -- 2 A. It was not a dead-end. 3 find it necessary because my concern was whether or not the 4 exploit would help me, and I didn't see how reviewing the 5 payload more than I did was necessary at the time. 6 Q. 7 necessary? 8 A. 9 testified earlier, for example, reviewing the exploit would I didn't elect to do it. I didn't That was your opinion of what was necessary or not When referring to the exploit, I found that, as I 10 not tell me whether the packet traces would return correctly, 11 it would not tell me whether the identifier was created 12 without error. 13 on the machine using the same method of entry. 14 tell me whether the payload was delivered without error as it 15 was with Tor. 16 going further than I did at the time of the payload. 17 doesn't mean I couldn't have gone further. 18 Q. 19 determine what may be relevant or not relevant for the -- 20 A. 21 wouldn't presume. 22 Q. 23 see the exploit, correct? 24 A. I didn't ask to see the exploit. 25 Q. Okay. It would not tell me whether malware was run It would not So those questions didn't seem relevant to But that But you understand, it's ultimately for the judge to Just the questions I personally was trying to answer, I They were fairly limited, right, because you didn't ask to And you didn't deal with the non human-readable Teri Hendrix, RMR, CRR - Official Court Reporter 76 1 parts of the payload, correct? 2 A. 3 the non human-readable parts that I could see corresponded to 4 the packet traces. 5 Q. The extract part, but there are lots of parts -- 6 A. There was lots of other parts that I did not. 7 Q. What about the server component? 8 server component? 9 A. I did deal with it. I did not. For example, I extracted text from Did you look at the We discussed the authority. The only part I 10 saw was the source code that generated the identifier. I 11 don't know if we are calling that part of the server or not. 12 I did not look at the parts that weren't related to -- now, 13 however, I did see the output of the server because that's 14 contained in the packet traces -- 15 Q. Okay. 16 A. -- and that's available for anyone to inspect. 17 Q. We'll get to that briefly. 18 declaration at paragraph 5, talked about this problem between 19 human-readable code and non human-readable code, and I take it 20 you don't really have a disagreement with his assessment of 21 the problems in trying to deal with non human-readable code at 22 the back end of the defendants' -- 23 A. Do you mind if I read the statement? 24 Q. No. 25 declaration. Robert Young, in his I am sorry, I thought you already reviewed the Teri Hendrix, RMR, CRR - Official Court Reporter 77 1 A. I have reviewed it, but I would like to see it again. 2 Q. Take your time. 3 A. Yes. 4 function on an object code. 5 Object code is created by taking human-readable source code. 6 This is the standard process by which programs are created. 7 So did you have a question other than -- 8 Q. 9 his assessment -- This is absolutely factually true. Everything he says here is true. No, I just wanted to know if you had any disagreement with 10 A. Of how computer programs are generated -- 11 Q. And then he goes on to talk about -- 12 13 The computers THE COURT: other. 14 Just a minute. You are talking over each Let's go by question and answer. MR. FIEMAN: Go a little slower. Thank you, Your Honor. 15 A. Can we start again? Can you reask the question? 16 BY MR. FIEMAN: 17 Q. 18 word "reverse engineering" or trying to figure out what the 19 source code is from the binary code is a difficult or at times 20 impossible process? 21 A. 22 difficult in some cases, not in others. 23 the compiled code, pretty much looks exactly like the source 24 code. 25 only part, was exactly human-readable. Just to wrap this up, you also understand that I use the Generating the source code from a compiled program can be For instance, Java, The script that I extracted from the binaries, which is But yes, absolutely, Teri Hendrix, RMR, CRR - Official Court Reporter 78 1 it can be the case that compiled code can be obfuscated in 2 such a way that you can't reveal the source; however, that is 3 not what the statement in front of me is referring to. 4 Q. 5 foreign car, a BMW, and part of it is in English and the rest 6 is in German -- 7 A. Uh-huh. 8 Q. -- and you can only read English? 9 A. That's true. 10 Q. Do you think you have a complete idea of how your car 11 operates or how to repair anything that may go wrong with it 12 if you can only read the English parts? 13 A. 14 my experience to see -- my general experience to see how cars 15 operate and go with that. 16 Q. Correct. 17 A. But yes, your question is would the manual tell me 18 everything? 19 That's true, I don't read German. 20 Q. 21 getting close to the end -- about the delivery and routing of 22 the information on the internet in general and then more 23 narrowly within the Tor network -- 24 A. Okay. 25 Q. -- and follow-up a little bit on the slides you presented Let me ask you this. Let's say you've got a manual for a Well, I still have the car, so I can drive the car and use But -- Certainly. I couldn't read the German parts. Now, I just want to talk a little bit -- and we are Teri Hendrix, RMR, CRR - Official Court Reporter 79 1 earlier. 2 This is from paragraph 8 of your declaration. You made a 3 conclusion in paragraph 8 about the delivery and integrity of 4 the code, and you stated that "it stands without doubt that 5 the exploit and payload were delivered with integrity because 6 connections to Playpen were accepted only by a tamperproof 7 connection created and maintained by Tor," and you are 8 correct, nobody disputes that part. 9 summary of your statement? Is that an accurate 10 A. That is my statement. 11 Q. Okay. 12 data involved in this case traveled or resided solely on the 13 Tor network, correct? 14 A. 15 outside of Tor? 16 Q. Yes. 17 A. That's correct. 18 Q. Now, this has also been provided to the Court. 19 want to talk generally about the benefits of using encryption 20 or like the Tor network, an encrypted network, for 21 transmitting information. Now, you are aware, however, that not all of the For example, the results of the payload were returned They were returned on the open internet, correct? I just 22 Would you agree that there are benefits for sending 23 information through the internet on an encrypted connection? 24 A. Yes. 25 Q. Does that prevent tampering? Teri Hendrix, RMR, CRR - Official Court Reporter 80 1 A. It's one of the ways to prevent tampering; it's not the 2 only one. 3 Q. But it is one fundamental way to use encryption, correct? 4 A. Correct. 5 Q. You are aware that the data that was collected from the 6 defendant's computer was not encrypted when it was sent from 7 the target computer to the FBI server, correct? 8 A. 9 right, that the payload return packets through this TCP It's not the only one. My examination of the packet traces show that, you are 10 connection, but it did not use encryption. 11 Q. 12 companies like banks and credit card companies and things like 13 that generally use encryption as a security method? 14 A. 15 Would you mind going back? 16 Q. Maybe we should have it reread because I will probably -- 17 A. Forget? 18 Q. -- forget what I was going to ask previously. 19 A. You asked me if we could use encryption. 20 Q. I am asking if the part of this delivery and return that 21 went from the target computers back to the government server 22 where the data was collected, the IP address, was that portion 23 of the transmission over the open internet? 24 A. 25 correct. Is it fair to say that even such basic services or Yes. Actually, could I restate the previous question? I'm sorry. Yes. I don't want to change anything. My apologies. It was on the open internet. Teri Hendrix, RMR, CRR - Official Court Reporter That's 81 1 Q. Now, then you talk about these packet capture traces -- 2 and I think it has got a little bit something -- and please 3 correct me if I am wrong, but I think it has something to do 4 with the data stream or the transmissions on the open 5 internet? 6 A. Yes, that's exactly what that is. 7 Q. You analogized your assessment of the security of that 8 part of the process based upon kind of "to" and "from" 9 addresses for the data, correct? 10 A. Yes, uh-huh. 11 Q. And I just want to give you a very simple analogy and see 12 if I understand this. 13 order with Amazon for delivery of a pair of sneakers -- 14 A. Yep. 15 Q. -- and they are put in a package by Amazon and the package 16 is delivered to my door, and we know the package got there 17 because it's being sent from Amazon, and we have a delivery 18 receipt to me, correct? 19 A. Yes. 20 Q. Does that basically coincide with what you were describing 21 in your declaration? 22 A. Using your analogy, can I add one more detail? 23 Q. Go ahead. 24 A. So you said I ordered something from Amazon. 25 later, it's delivered to my house. So it's a little bit like if I place an Sometime And then Amazon knows that Teri Hendrix, RMR, CRR - Official Court Reporter 82 1 it's been delivered and so on. 2 would be a tracking number. 3 my materials yet. 4 package? 5 was delivering it. 6 which package would you like to track? 7 But part of that delivery Now, let's say I haven't received Amazon may say, why don't you track your So what do I do? I go to the -- let's say Fed Ex I go to the Fed Ex website and they say Now, I can input everything in there, but I have to get a 8 very long tracking number to get the package that's going to 9 my house. There's no encryption perhaps on that connection 10 but could my neighbor guess my package? Not a chance. 11 Q. But really, my question is a little bit different. 12 A. Okay, but I think that's what -- 13 Q. That's a fair statement. 14 the to and from information. 15 know what's in your Amazon package until you open it? 16 know if they sent you the sneakers or sneakers at all? 17 A. No, I don't. 18 Q. That brings me actually to the server component here, and 19 I just want to make sure -- confirm that you have not looked 20 -- setting aside the identifiers which you agree are at least 21 related but separate -- you have not looked at the server 22 component, correct? 23 A. 24 is in the packet traces. 25 Q. I think that's fair. You got But, Professor Levine, do you Do you I have looked at the output of the server component, which Right. Which is that address information, correct? Teri Hendrix, RMR, CRR - Official Court Reporter 83 1 A. Which is the complete packet trace including the address 2 information and the responses by TCP and so on. 3 Q. Now, this is just my final question. 4 BY MR. FIEMAN: It's from, Your Honor, docket 31-2, 5 Mr. Tsyrklevich's declaration. 6 BY MR. FIEMAN: 7 Q. 8 statement regarding the importance of the server component, 9 and this will be my last area -- I am just going to ask you about Vlad Tsyrklevich's 10 A. Okay. 11 Q. Mr. Tsyrklevich states on page 3 of his declaration that 12 "it is the server component that stores the identifying 13 information returned by the payload, and it must faithfully 14 store and reproduce the data that was sent." 15 Do you agree or disagree? 16 A. 17 statement, would you put it up? 18 I agree, but may I ask you, if you have a slide with that MR. FIEMAN: Can we switch to the screen, Dara? That 19 will make it much easier for everybody. 20 A. 21 BY MR. FIEMAN: 22 Q. 23 The server component is what stores the identifying 24 information returned by the payload and "must faithfully store 25 and reproduce the data it was sent." If you wouldn't mind, could you repeat the question? It's actually the bottom paragraph we are focussing on. Do you agree or Teri Hendrix, RMR, CRR - Official Court Reporter 84 1 disagree, in generalization? 2 A. Yes. 3 Q. Then he goes on to talk about some of the things related 4 to the server component that he was concerned about, including 5 the correct use of data storage -- I frankly don't even know 6 what that is. 7 A. 8 would ensure that the data storage primitives were done 9 correctly. Well, for example, the checksum would be something that 10 Q. That's an example? 11 A. That's an example. 12 Q. And the programming practices used on the component to 13 avoid corruption, tampering and things like that. 14 talked about this in terms of the digital chain of custody; is 15 that sort of a fair analogy? 16 A. 17 case? 18 Q. 19 without the missing data, basically the server component, "I 20 am unable to make a determination about the various chain of 21 custody issues." 22 A. Well, I believe he -- are you asking me a question? 23 Q. I am asking if you've read that and if you disagree or 24 agree with Mr. Tsyrklevich's assessment? 25 A. And then he Is digital chain of custody an important concept in this Absolutely. He concludes -- at least Mr. Tsyrklevich concludes -- that I agree that chain of custody is an important part of Teri Hendrix, RMR, CRR - Official Court Reporter 85 1 these cases. 2 available for review in the information that was provided, in 3 particular the information returned to the server is exactly 4 what is in the packet traces. 5 I believe that this chain of custody is Additionally, as a redundancy, there's also the report 6 from the FBI about what was received. Those values match, and 7 I have no reason to believe anything about the integrity of 8 what's in the packet traces. 9 is available for review, and I have done that and I believe it So in fact, the chain of custody 10 was maintained. 11 Q. 12 component is an important part of this chain of custody? 13 A. 14 packet traces to see what the server received. 15 we don't even need the server. 16 we also have a report from the FBI of what they received. 17 They happen to match. 18 that any chain of custody was broken, nor that the data was 19 tampered with along the way because the checksums would show 20 that kind of alteration by a router -- 21 Q. 22 the information that's been made available to you in terms of 23 the chain of custody -- 24 A. And I believe it meets his needs. 25 Q. Well, Mr. Tsyrklevich at least is addressing here the fact But Mr. Tsyrklevich at least believes that the server And he does say that. Okay. Unfortunately, we have both the Effectively, We know what was received, and There's no reason to doubt, therefore, So I fully understand this, you are satisfied with Teri Hendrix, RMR, CRR - Official Court Reporter 86 1 that the server component is an essential part of the chain of 2 custody process, correct? 3 A. 4 part to not take advantage of the packet traces that were made 5 available. 6 been able to conclude differently and this statement would 7 have been satisfied about his chain of custody. 8 Q. 9 that would be insufficient without access to the server He's stating that, and I believe that's a failure on his Perhaps if he had evaluated them, he would have But they were available to Mr. Tsyrklevich and he deemed 10 component? 11 A. How would he know without looking at them? 12 Q. Because it's like saying you get half a puzzle in a box, 13 you are not going to know the picture unless you get the other 14 half. 15 A. 16 So for example, we don't know -- for a time, until the source 17 code was released for the identifiers, for generating the 18 identifiers, we didn't know exactly how they were identified. 19 Is that a fair way to put it? No. And I can give you a counter example, if you'd like. But I gave the example of, without that code after the 20 fact, you could look for duplicates and validate that no 21 matter what algorithm was used, that process was completed 22 reliably. 23 though we don't have the server code, we do have the exact 24 information that was sent to the server. 25 mysterious algorithm being performed at the server that is So I believe here is another example where, even There is also no Teri Hendrix, RMR, CRR - Official Court Reporter 87 1 under dispute. There's no secret at the server -- 2 Q. How do you know that if you haven't looked at it? 3 A. Because you don't need to know what happened at the server 4 other than the fact that the information was sent to it from 5 the packet traces. 6 what the server generated. 7 see -- can you clarify for me what he would get out of looking 8 at the server code? 9 Q. We know what the server received. We have the code for it. I am not the expert here. We know I don't I am just going by Mr. 10 Tsyrklevich's -- 11 A. I am sorry for interrupting. 12 Q. He deals with the identifiers in the first bullet point, 13 correct? 14 A. 15 I dispute what he says. 16 Q. 17 of the server? 18 A. 19 slide back on. 20 talks about the -- 21 Q. Which paragraph? 22 A. I believe you are talking about the bullet on what looks 23 like 15. 24 Q. The first bullet or the last bullet? 25 A. I believe you asked me about the first bullet, which is He does deal with it in his paragraph. In my declaration, You dispute Mr. Tsyrklevich's assessment of the importance No, that's not what I just said. If you could put the You asked me about the paragraph where he Teri Hendrix, RMR, CRR - Official Court Reporter 88 1 13. So I agree that he talks about unique identifiers in that 2 paragraph. 3 cryptographic operation. 4 It's factually not a cryptographic operation. 5 Q. 6 Let me just ask one final question. 7 states -- and I understand you may not agree with him -- 8 A. I might. 9 Q. -- that he needs to see the server component, and you say What I don't agree with is that this is a That's what I was starting to say. Again, you are sort of getting a little bit over my head. Mr. Tsyrklevich clearly 10 he doesn't. 11 A. 12 on the information that the server received. 13 to look at the server code, but it is a redundancy. 14 a necessity. 15 Q. 16 unable to make a determination without it about the integrity 17 of the data. 18 A. 19 packet traces. 20 he did and didn't do. 21 Q. I believe that the chain of custody can be validated based 24 25 He may also like It's not Well, he didn't say he'd like to do it, he says he's Do you disagree with that statement? I believe he's correct, because he did not look at the So his statement is correct in terms of what All right. 22 23 Is that a fair summary? MR. FIEMAN: No further questions. Thank you, Your Honor. THE COURT: Mr. Becker. REDIRECT EXAMINATION Teri Hendrix, RMR, CRR - Official Court Reporter 89 1 BY MR. BECKER: 2 Q. 3 questioning from cross-examination. 4 declaration, did he point to any fact or evidence that 5 suggested that there was a problem with the digital chain of 6 custody that you've talked about? 7 A. No, not to my knowledge, not to my recollection. 8 Q. In terms of the security, you were asked some questions 9 about the TCP connection, its security and encryption. Professor Levine, starting with the last topic of In the Tsyrklevich In 10 terms of evaluating how secure that connection was, does that 11 evaluation have anything to do whatsoever with review of the 12 exploit and method of access? 13 A. 14 that's related to the payload and the execution of the 15 payload. 16 Q. 17 human-readable or not human-readable. 18 human-readable, testable? 19 A. 20 and you can even -- as an expert, you can even follow the code 21 and read it. 22 science degrees -- the second year of my undergraduate 23 program, I took a course on programming in "human-unreadable" 24 code. 25 computer science major with this type of code. It has nothing to do with it, because it's a process You were asked some questions about computer code being Absolutely, it's testable. Is code that is not It's runable on a computer, I myself, like many people who have computer So I have written an entire program, as probably any In fact, the Teri Hendrix, RMR, CRR - Official Court Reporter 90 1 compilers that generate this other code were written by 2 humans. 3 readable. 4 Q. 5 that in a form that could be tested in the sort of manner as 6 you suggested? 7 A. 8 as many times as they would like or any tester would like. 9 can be compared to the output of the packet -- it can be 10 compared to the packet traces specifically, is what I am 11 referring to and compared to contrast it. 12 Q. 13 information was delivered in order to conduct that sort of 14 testing? 15 A. 16 into your house, that doesn't answer what they did when you 17 know what they did, it doesn't tell you how they gained entry. 18 Q. There are people who do this. It's testable. It's just not as easy as reading a book. And so in the form that you reviewed the payload data, is It could be run again and again on a variety of computers, No, you don't. As I said earlier, when someone breaks Thank you. MR. BECKER: No further questions, Your Honor. 20 MR. FIEMAN: Nothing further, Your Honor. 21 THE COURT: Just a minute. guess this is to counsel. 23 THE WITNESS: 24 THE COURT: 25 It Would you need to have the method by which that payload 19 22 It's Thank you. I have a question, and I Mr. Levine or Dr. Levine -- As you prefer. -- he indicated that the exploit and the payload were two different things. I've lost track of what Teri Hendrix, RMR, CRR - Official Court Reporter 91 1 2 3 you all have because you've got some new information here. Do you have information on the payload, as opposed to the exploit, or are we just talking about the exploit? 4 MR. FIEMAN: No. We are talking about three things 5 at this point, Your Honor. 6 about its functionality. 7 payload. 8 he received some information that actually started this whole 9 thing. 10 11 12 The exploit, which we disagree We have gotten readable parts of the As you refer back to Mr. Tsyrklevich's declaration, THE COURT: You are telling me you don't have full information that you want on the payload? MR. FIEMAN: Well, the problem is -- and we also 13 disagree about what's readable or not readable, and we are 14 actually just learning -- over the past week, I asked 15 Mr. Hampton about this just this past week -- that there are 16 not human -- there are human-unreadable portions of it, and we 17 are trying to clarify what that means and who's seen what. 18 honestly don't know at this point, except based on 19 Mr. Tsyrklevich's record he received some readable portions. 20 THE COURT: 21 MR. FIEMAN: I Okay. So we are missing the exploit. We will 22 go back and revisit -- I can sort out our terminology about 23 the payload, but regardless we are still, no matter what, 24 absolutely missing the exploit and the server components. 25 that has not changed since Michaud, Your Honor. Teri Hendrix, RMR, CRR - Official Court Reporter And 92 1 I hope that answers your question. 2 THE COURT: 3 THE WITNESS: 4 THE COURT: 5 Okay. Thank you. You may be excused. Thank you, Your Honor. Any further evidence to offer on the first motion? 6 MR. BECKER: Not from the government, Your Honor. 7 MR. FIEMAN: No, thank you, Your Honor. 8 THE COURT: 9 MR. FIEMAN: All right. Your Honor, I would beg one caveat. We 10 had represented in our pleadings that Mr. Young did in fact go 11 back and try to do this reverse engineering on Mr. Tippens's 12 hard drive. 13 Mr. Young had received a copy of Mr. Tippens's laptop hard 14 drive and did make the attempt to reverse engineer, as we are 15 calling it, and was unable to do that. 16 confirm that if you need confirmation, but that statement in 17 my pleadings is saying that. 18 THE COURT: We had represented in our pleadings that He is in court and can I am mindful of the hour. I assume the 19 next step is some argument on this motion, and I assume that 20 the sensible thing is to start that at 1:30. 21 MR. FIEMAN: Your Honor, my only question is just in 22 terms of the national security presentation, where that would 23 fit into your schedule. 24 25 Assuming that the general representations are that the exploit is classified and the information you received in Teri Hendrix, RMR, CRR - Official Court Reporter 93 1 Michaud, we'd be prepared to go forward in our view. 2 clear to me they are not turning over any information about 3 the VEP. 4 about any of that. 5 here. 7 this? 8 9 10 I don't know whether you need to make a finding THE COURT: 6 I don't know what the order of things are Do we need to have that other hearing before we argue MR. BECKER: Your Honor, as to -- you are speaking as to the ex parte pleading? The question is whether we need to have the ex parte pleading presentation prior to the argument? 11 THE COURT: 12 MR. BECKER: Yes. I think, Your Honor, that certainly 13 relates to the motion to exclude. 14 on the suppression and the dismissal without that 15 presentation. 16 It's THE COURT: All right. I believe we could proceed We are not going to have a 17 court reporter until 2:30 for that. 18 1:30 and hear argument on the -- first on the motion to 19 dismiss, okay. 20 So let's reconvene at Then we'll come back on this. MR. FIEMAN: Did you want also want to hear argument 21 on the suppression issues which are also separate from the ex 22 parte pleading and the discovery issues? 23 24 25 THE COURT: We are going to do these motions one at a time, if that's what you are asking me. MR. FIEMAN: I just wanted to know if you wanted to Teri Hendrix, RMR, CRR - Official Court Reporter 94 1 proceed directly to the suppression argument after that 2 initial argument. 3 4 5 6 THE COURT: We are going to keep plowing until we are done. MR. FIEMAN: Thank you. (Luncheon recess.) 7 THE CLERK: All rise. 8 THE COURT: Please be seated. 9 is the motion to dismiss. Okay, the next matter I have read all of your submissions 10 on that subject, if I can get them out for reference. 11 the first order of business is argument from the defense. 12 you may proceed. 13 MR. FIEMAN: Thank you, Your Honor. I guess So I will be 14 relatively brief on this issue because I know it has been 15 thoroughly briefed. 16 to make here. 17 overlap with the other issues, because we are looking at 18 really, ultimately, with a lot of this, totality of the 19 circumstances and reasonableness standard. 20 just how high the bar is legally in terms of dismissing the 21 indictment outright for outrageous conduct, but the 22 circumstances here are unprecedented and deeply troubling, and 23 there are some new facts that were not available to the Court 24 at the time of the Michaud hearing. 25 There are just a few points that I want As I will show later, I think there is some I do want to touch about that. And I understand We have never, in our Teri Hendrix, RMR, CRR - Official Court Reporter 95 1 nation's history as far as I can tell, seen a warrant so 2 utterly sweeping. 3 8700 IP addresses captured. 4 investigations. 5 And I will be touching on that later. 6 100,000 potential targets. Something like At least 1152 open And now oddly enough only, about 214 arrests. But what is truly remarkable on top of this is also, of 7 course, the global aspect of it. 8 terms of the jurisdictional Rule 41 issues we are going to be 9 talking about, but global in terms of what the FBI did in 10 11 It is global not only in terms of disseminating the child pornography. And I want to be very clear, Your Honor, and that's why -- 12 I found the Sherman case a little bit late, and I think it is 13 important because it captures what I have been trying to 14 articulate from the beginning. 15 outrageous in any way, shape or form for the government to try 16 and investigate these type of cases on the Tor network. 17 was outrageous was the way they went about it. We are not saying that it's What 18 When the Sherman court talked about and actually put the 19 government on notice about how it was inexplicable that they 20 would actively distribute, in that case a few videotapes and 21 pictures, in order to investigate their cases, well, it is 22 just vastly more inexplicable in this case and much more 23 disturbing given that prior warning from the Seventh Circuit. 24 Now, the government has not disputed at this point, I 25 think we are up to now about 62,000 pictures, videos, and Teri Hendrix, RMR, CRR - Official Court Reporter 96 1 links to pictures and videos that were posted on Playpen. 2 that's just what's available given the amount of traffic to 3 the site just during the time that the FBI was in control of 4 the site. 5 images downloaded and circulated. 6 terms of disputing that from the government, and as I said I 7 think that's a conservative estimate. 8 9 We put out a conservative estimate of 1 million There's absolute silence in So let's just go step back to Sherman, and I have some quotes available on the screen, just to show the starting In Sherman, all the way back in 2001, the Court 10 point. 11 recognized -- 12 13 And THE COURT: Just a second, I am looking for the citation to Sherman here. 14 MR. FIEMAN: I have it on the screen, Your Honor, 268 15 F.3d 539. And we filed this in our reply to the government's 16 response to the motion to exclude. 17 THE COURT: 18 MR. FIEMAN: Okay. That was a case where the FBI, and I 19 think the postal service or customs had overlapping 20 investigations, and the FBI delivered a catalog of print 21 pictures and VCRs, and some of them actually containing child 22 pornography were sent to the target in the investigation. 23 Just to walk through a few points, and the Seventh Circuit 24 framed this as a warning to the government. 25 in the context of a motion to dismiss indictment. It was not raised Teri Hendrix, RMR, CRR - Official Court Reporter 97 1 The Court took it upon itself to make these statements, 2 because they were so troubled by it. So first they start "we 3 are aware of the necessity of such tactics" -- in terms of 4 undercover operations and baiting with contraband -- "we are 5 aware of the necessity of such tactics in so-called victimless 6 crimes such as drug offenses, but the use of these methods 7 when victims are actually harmed" -- and they are talking 8 about the children depicted in these images -- "is 9 inexplicable." 10 And "moreover" -- this is again Sherman, continuing with 11 the quote from 549 -- "the government's dissemination of the 12 pornographic materials could hardly be described as a 13 'controlled' delivery." 14 delivery where they were able to send it to the defendant and 15 it sat in his house, I think for a period of time, several 16 weeks, and they recovered it ultimately, the scale of lack of 17 control and heedless distribution in this case is mind 18 boggling. 19 Well, if it's not a controlled The Court went on in Sherman, "The government's 20 dissemination of child pornography during the investigation 21 resulted in an invasion of privacy of the children depicted. 22 The government here supplied Sherman with a literal catalog of 23 child pornography, and then delivered to him materials that 24 depicted actual children, allowing him enough time to view and 25 even copy the materials before arresting him." Teri Hendrix, RMR, CRR - Official Court Reporter 98 1 And one of the things we've argued is that, and I don't 2 think it's seriously really disputed, is that particularly 3 with the Tor site, there are hosts of things they could have 4 done to maintain the credibility of the site and the traffic 5 to the site without actually distributing child pornography. 6 And Your Honor, we submitted last week, in response to the 7 latest discovery that were produced by the government, all the 8 things that were going on with the Tor site about how there 9 were problems with the file hosting, the very function that 10 allows you to upload or download. 11 couldn't access links. 12 submissions that we put to the Court, this is actually fairly 13 commonplace with Tor sites because the very rerouting and 14 bouncing around from those that makes it anonymous also makes 15 it slow and often not very functional. 16 It was slow. Often people In fact, we know from some of the And all of those postings from the undercover agent, who 17 was posing as the administrator, indicate that they were 18 perfectly capable of saying file hosting is down, we are 19 rebooting, we are having access problems. 20 traffic at all. 21 pornography. 22 It didn't slow the They could have put out virtual child They could have put out child erotica. What's even more disturbing, even if they disagree about 23 the efficacy of some of those methods, we now know from Agent 24 Alfin's recent testimony which we cited, there was absolutely 25 no discussion at the Department of Justice or the FBI about Teri Hendrix, RMR, CRR - Official Court Reporter 99 1 protocols in terms of handling this stuff or whether these 2 methods of limiting, at least limiting the most egregious 3 distribution were viable. 4 Nobody cared. This is in face of the warnings that they had from 5 Sherman. 6 child pornography site. 7 it up as a criminal undercover site. 8 simply took no steps, and there's every indication they did 9 not care, that as many as a million or more images were So again, it's not the fact that they took over a It's not the fact they wanted to keep It's the fact that they 10 flooding the internet, while they were in total control of the 11 site. 12 rebooted Playpen on its own server and the time they shut it 13 down on March 4th or March 5th. 14 I am talking only the time period from the time the FBI The date is a little unclear. So that leads me to Sherman, as they say on page 550, the 15 Court there said "we have no doubt that creative investigative 16 techniques and tight controls on the materials used as bait 17 for the consumers of child pornography can lead to better 18 protection of the victims of child pornography." 19 So there, again, they are focussing not on the overarching 20 goal, they are not discounting the difficulties in terms of 21 investigating the type of crime, what they are saying is if 22 you do this, you need to do it extremely carefully and take 23 every possible step to limit the distribution and 24 revictimization. 25 And we have seen now, we have been asking for information, Teri Hendrix, RMR, CRR - Official Court Reporter 100 1 getting information for really almost a year now, Your Honor, 2 starting with Michaud, and what we know now is there was no 3 discussion of trying to limit the distribution. 4 protocols for these agents for handling or limiting the 5 distribution of child pornography. 6 distribution now went out to at least 120 countries, at least 7 1 million images. 8 not seen something like this. 9 There were no And the scale of the And it is absolutely mind boggling, we have So Your Honor, I started out early on in the Michaud case 10 saying I was appalled by this, because with my limited 11 familiarity about the methods and techniques and technology 12 available, I was aware, and certainly my experts, there are 13 lots of ways to go about this when you are not, as the world's 14 largest distributor of child pornography for at least a 15 two-week period, heedlessly and discriminately pumping out and 16 revictimizing children with this type of material. 17 And Your Honor, I made this analogy before, but what they 18 are doing here is really, I think, fairly simple. Every one 19 of these defendants that I have seen charged in these cases, 20 and I haven't seen all 214, but there's a lot of information 21 that comes my way about other cases, but in every single case 22 that I have seen the person charged is your run of the mill 23 heartland person going to look at some of this stuff, 24 downloading some of it. 25 clients have not been charged with distribution, but the I don't think -- well certainly these Teri Hendrix, RMR, CRR - Official Court Reporter 101 1 amount of images that are at stake in these cases from the 2 individual clients, and they run in the hundreds, maybe a few 3 thousand, but they are essentially the addicts and couriers 4 who are going to the drug house and the kingpin for this 5 stuff. 6 the kingpin role, they should have been darn sure that they 7 weren't distributing pure heroin indiscriminately to the 8 entire world when they were trying to do this. 9 effectively what happened here. Whatever justifications the FBI had for stepping into To me that's 10 So Your Honor, I will return to some of these points I 11 think in terms of the probable cause and other issues, but 12 that is essentially our argument. 13 upon themselves to investigate these crimes, I recognize and I 14 appreciate the difficulties of doing this. 15 It is not that they took it You know, apart from being a defense attorney I am a 16 parent. 17 enforcement, as they are going about with the end in sight of 18 trying to investigate the addicts and the couriers, that they 19 do not themselves step into the role of such a distributor. 20 21 But as a parent I would want to know that law Thank you, Your Honor. THE COURT: Let me ask you a couple questions, and 22 the government may want to comment on some of this. 23 user, a Tor user signed into this website and saw child 24 pornography, could that person then download those pictures 25 into his own computer? Teri Hendrix, RMR, CRR - Official Court Reporter If a 102 1 MR. FIEMAN: 2 THE COURT: 3 Could those pictures then be transferred to others? 4 5 Yes. MR. FIEMAN: happen, Your Honor. 6 Absolutely, that is routinely what would So let me just follow-up on that point. One of the very troubling things here, as you know from 7 the NIT warrant, the authorization allowed the FBI to deploy 8 the NIT and complete their searches in a matter of a fraction 9 of a second, at the time the targets landed on the home page. 10 So they had authorization to collect all the information they 11 wanted before anybody actually got the content, and then had 12 the opportunity through this improved file hosting feature the 13 FBI was running, to not only to download, post new images. 14 know new material, at least 43 series was posted during the 15 time the FBI was running this site, and of course massively 16 redistributed from whatever computers and users had access to 17 it. 18 19 We So that's another aspect of this. THE COURT: I am not sure I understand that. You mean additional pornography was attached to this site? 20 MR. FIEMAN: 21 THE COURT: 22 MR. FIEMAN: Yes. By users? Yes, Your Honor. The government's 23 disclosure, we submitted their letter, that in addition to all 24 the redistribution, as a result of the FBI maintaining this 25 site, at least 43 new series, new victims were posted -- Teri Hendrix, RMR, CRR - Official Court Reporter 103 1 THE COURT: 2 MR. FIEMAN: By Series, you mean -For example, you might have 15 or 20 or 3 100 pictures in a series, or you might have a series of 4 videos, there might be two or three, there might be dozens. 5 And I don't know the exact quantity, because all we know from 6 the disclosure is 43 new series. 7 of time that the FBI was running this site, 43 new series. 8 That means things that haven't been seen from the National 9 Center for Missing & Exploited Children were launched onto, But during just that window 10 uploaded with the assistance of the FBI through their file 11 hosting feature, onto the site, and have now circulated 12 globally and will never be recovered. 13 And those images are, as you know from the old series we 14 see, they are redistributed endlessly. 15 at least 43 new victims was actively aided and abetted by the 16 FBI. 17 So the circulation for I have never seen anything like that before, Your Honor. 18 Just to get back to my original point, they didn't have to do 19 that. 20 We'll talk about what that home page showed, the fact that a 21 lot of people could have gone in, said oh my God, this is a 22 child pornography site, and backed out. 23 separate series of problems there. 24 the authorization actually made it completely unnecessary to 25 act -- to distribute any of this stuff. All the NITs could be deployed from the home page. There's a whole But the way they asked for Teri Hendrix, RMR, CRR - Official Court Reporter 104 1 I can even understand if they saying okay, we are going to 2 narrow this warrant so we are only going to deploy the NIT 3 when people go to specific subdirectories that have a 4 particular kind of content on it, and then once those 5 subdirectories look realistic so will deploy from there, but 6 that's not what they asked. 7 the home page. 8 9 10 They asked for deployment from It was unnecessary and was it heedless, and it was massive. Thank you, Your Honor. 11 THE COURT: Okay, thank you. 12 MR. HAMPTON: Mr. Hampton. Thank you, Your Honor. Again, I want 13 to address two important points that we just concluded on. 14 is true that over the life of Playpen, not during the two 15 weeks it was under FBI control, but over the life, the FBI and 16 the images and videos they were able to catalog being 17 trafficked in the site, those images contained 42 series. 18 over that six-month period that had not been seen by anyone, 19 that's true. 20 weeks. 21 new series. 22 So But that didn't just happen during that two But that certainly in the end that means there are 42 Now, we don't know whether that necessarily means new 23 victims or new images and videos that haven't been seen 24 before. 25 It All we know is that NCMEC hadn't seen them. THE COURT: Just a second, if somebody added Teri Hendrix, RMR, CRR - Official Court Reporter 105 1 something onto this site, doesn't the FBI have it after the 2 site is closed to public access? 3 now? I don't want to see it, but is it somewhere? 4 MR. HAMPTON: 5 line copy of the website, yes. 6 Can you show me this website Your Honor, we do -- there is an off The government in its warrant did ask to deploy the NIT at 7 log-in. 8 discretion choose to deploy it more strategically. 9 deploy it to those who accessed the most egregious content. 10 However, it also made very clear that it may in its That is, So I just want to make clear that the government actually 11 flagged that on the front end that would be a possibility. 12 And in fact that is generally how they approached the 13 operation. 14 But I think what's important about the defense position, 15 and what they have acknowledged is something, I think, the 16 government on some level doesn't dispute, that these are very 17 tough choices. 18 with practical impunity, using the anonymity that Tor provides 19 to traffic in the most appalling images and videos that one 20 can think of. We are dealing with criminals who are acting 21 So the law enforcement interests are very strong. 22 also have to acknowledge that when the FBI identified this 23 website, identified the opportunity to take it over and to 24 identify -- and then to identify its users through the use of 25 technology, the FBI, the Department of Justice, had to make a Teri Hendrix, RMR, CRR - Official Court Reporter But we 106 1 very tough call. 2 those users who are committing horrific crimes with 3 essentially impunity, outweigh the known consequences that 4 that website will continue to be used by those users to trade 5 child pornography? 6 Does the potential benefits of identifying And the government undertook that balancing before the 7 process was initiated, while Playpen was under FBI control. 8 There were regular meetings. 9 pleadings. We have discussed those in our The FBI asked for a total of 30 days. Ultimately 10 the government concluded to terminate the operation in two 11 weeks. 12 So the government knew well how tough this choice was. 13 But the legal standard, which I think is what the Court must 14 focus on in evaluating defendants' motion here, is not did the 15 government make a tough choice? 16 how the government balanced these interests? 17 did the government act in a way that is so outrageous as to 18 offend fundamental notions of due process and fairness? 19 Could someone disagree with The question is Nothing about what the government did was fundamentally 20 unfair to these defendants. These defendants learned about 21 Playpen. 22 Playpen and to access it. 23 collections of child pornography stored on their devices that 24 we found in their homes. 25 Playpen. They gained access to Tor. They chose to log-in to And they chose to have the The government did not create It did not force the defendants to join Playpen or Teri Hendrix, RMR, CRR - Official Court Reporter 107 1 to download pornography from anywhere. 2 defendant's choice. 3 That was the And the Ninth Circuit, in applying this outrageous test, 4 the way it determines whether or not the government acted in a 5 way that was so fundamentally unfair, balances these important 6 factors. 7 The government's involvement was minimal. 8 allowed a website that was already in operation to continue to 9 run. 10 What was the government's involvement in the crime? The government The Ninth Circuit looks to what was the defendant's role 11 in the crime? 12 substantial. 13 not at the urging or behest, not in communicating with the 14 government, but of their own free will. 15 The defendant's role in the crime was They are the ones who committed these crimes, The Ninth Circuit also looks at the necessity of the 16 technique. 17 search warrant application and affidavit why this was an 18 appropriate investigative approach. 19 information to the magistrate judge who authorized the 20 warrant, to the district judge who authorized the Title III. 21 And then the government did its very best to minimize the 22 harm. 23 And the government explained in detail in its It disclosed that It monitored the traffic on the site. If it identified 24 individuals that it believed were actively abusing children, 25 it took the steps necessary to try to rescue them. Teri Hendrix, RMR, CRR - Official Court Reporter And indeed 108 1 some children were rescued and have been rescued since. 2 And for defense counsel to characterize all the defendants 3 as sort of mere addicts who just accessed a few images, that's 4 not true. 5 identified. 6 administered this website, who were setting up a system to 7 efficiently transfer huge quantities of child pornography over 8 the internet anonymously. 9 There have been cases of producers who were There have been the cases of the individuals who These are bad people who hurt children. And the 10 government did what it thought was necessary and appropriate, 11 given the technological limitations it faced, to try to 12 identify those people and bring them to justice. 13 Now, I think it is absolutely fair to say that reasonable 14 people can disagree whether this was the right balancing, 15 whether this is an investigation, an investigative technique 16 that should be used, whether at this point or should it be 17 used in the future. 18 a discussion about that. 19 I think that's appropriate. We can have But the question is not can someone disagree with what the 20 government did? Can someone conceive of some better way for 21 the government to do it? 22 asked so outrageously, that the unfairness of what the 23 government did offends the due process clause and shocks the 24 conscience. 25 the government did here was so grossly unfair to the rights of The question that the government And I don't think it can be fairly said that what Teri Hendrix, RMR, CRR - Official Court Reporter 109 1 the defendants, or to anyone as to shock the conscience and to 2 offend fundamental notions of fairness in due process, and I 3 would urge the Court to deny the motion. 4 THE COURT: What about the statute? 18 U.S.C. 5 3509(m) that says you have to keep such material in the care, 6 custody and control of the government? 7 MR. HAMPTON: That's correct, Your Honor, and that's 8 true. But it is well understood that sometimes law 9 enforcement has to do things that would, if not done by law 10 enforcement, be contrary to the law, and so it was a necessary 11 part of this investigation. 12 The government, however, sometimes in the course of undercover 13 investigations has to allow illegal narcotics to be 14 trafficked. 15 It is illegal to deal narcotics. It's the same unfortunate necessity. THE COURT: There's not the same kind of a statute 16 preventing, arguably preventing what happened here with drugs, 17 is there? 18 statute, you haven't mentioned in your briefing, and I am 19 wondering where it comes in here. That's a different deal. This is a pretty specific 20 Usually when there's a warrant issued, there's a lawyer 21 somewhere in the background, and I wonder about the ethical 22 propriety of putting this material out to the public in spite 23 of that statute. 24 decisions, but it seems to me it's of concern, both ethically 25 and legally. And I don't know who's making these Teri Hendrix, RMR, CRR - Official Court Reporter 110 1 MR. HAMPTON: Well, Your Honor, I certainly agree 2 it's a difficult problem. 3 to take on this particular approach, but I think that the way 4 law enforcement works, and has worked from the beginning, has 5 to allow law enforcement the leeway to investigate crimes. 6 That statute certainly -- the statute says what it says. 7 by necessity, law enforcement has to sometimes do things that 8 if done by someone else might run afoul of the law. 9 THE COURT: It is not an easy choice for anyone But Isn't that basically saying to Congress, 10 I don't care what you think, we are going to do what we think 11 we need to do, to do our jobs. 12 MR. HAMPTON: Well, Your Honor, I think -- I see how 13 one might read it that way. 14 what -- I don't want to seem flip in responding to statutes, 15 but I think the same argument could be made when the 16 government permits illegal narcotics to be trafficked. 17 Because you are right, while there's not a statute like 3509, 18 it's still illegal for anyone, other than law enforcement, to 19 possess illegal drugs, to possess with intent to distribute, 20 to distribute them. 21 government's investigative necessity to prosecute, sometimes 22 to prosecute those crimes, it has to do things that private 23 parties are not allowed to do. 24 25 THE COURT: I don't think that is, though, There is that same problem, the Was this statute even considered by anyone before all this occurred? I don't think we know, Teri Hendrix, RMR, CRR - Official Court Reporter 111 1 2 unless Mr. Becker may know. MR. HAMPTON: Your Honor, Mr. Becker has pointed 3 something out to me, which I apologize should have mentioned 4 at least as to 3509. 5 context, so it's about discovery in criminal proceedings, so 6 it is narrowly drawn. 7 implicating -- it doesn't apply. 8 9 10 11 3509(m) applies to the discovery THE COURT: As to the considerations, without Well, the title of the section is Child Victims' and Child Witnesses' Rights, and it has more to do than discovery. But anyway, that's -- MR. HAMPTON: I am referring specifically to 12 subsection (m), which is the section of the statute that 13 relates to the explicit material, the material involved in 14 this case. 15 THE COURT: 16 MR. HAMPTON: Okay. One thing I think I should clarify, to 17 make sure that the Court understands what the government is 18 saying here, the government did not at any point create or 19 manufacture child pornography or itself post child 20 pornography. 21 pornography on Playpen are the users of Playpen. 22 who were doing it for months while Playpen was under 23 investigation, and prior to its coming under government 24 control, are the exact same, maybe not identical as there may 25 have been changes in the users, but it's the same set of users The people who posted and distributed child The people Teri Hendrix, RMR, CRR - Official Court Reporter 112 1 2 who continued to do that after. The government simply did not stop Playpen from operating 3 immediately. 4 that it could identify those people who were actively sexually 5 exploiting children. 6 It allowed it to operate for a brief period so THE COURT: Well, he's going to say you all were 7 doing exactly what the people you just arrested there in 8 charge of the website were doing. 9 your argument, counsel. 10 11 MR. HAMPTON: THE COURT: I don't know who wears the white hat, Mr. Hampton. 14 15 I understand that is the defense position, but I think it's an important distinction here. 12 13 So, you know, go ahead with MR. FIEMAN: Your Honor, just very briefly. You know, Your Honor, this is the problem with the whole 16 case. 17 Magistrate Judge Buchanan that they were going to be operating 18 a child pornography site and redistributing child pornography 19 in the course of this investigation. 20 that on the warrant, and I assure you she never would have 21 signed off on it. 22 First of all, they never disclosed, they never told They never disclosed They now say that reasonable minds can differ about what 23 Congress has essentially already decided; this is illegal and 24 you have to maintain custody and control. 25 when they don't like the rules, they don't like Rule 41, they Again, you know, Teri Hendrix, RMR, CRR - Official Court Reporter 113 1 don't like the Magistrate's Act, they violate their own 2 policies on hacking into foreign countries. 3 hand, the rules committee that we understand Rule 41 does not 4 allow foreign searches, while the whole time they know this is 5 an international search. 6 They disagree with 3509. Telling, on one They disagree with the statute 7 that you are not supposed to distribute child pornography at 8 all. 9 hard copies of our client's hard drives to prepare for trial There was a time we could not even get the mirror image 10 under the protective orders because they are saying, no, if we 11 hand that to you, we are distributors of child pornography in 12 the context of defending a case pursuant to a protective 13 order. 14 didn't post it. 15 file hosting features, none of this could have been done. 16 if nothing else they kept those up and they improved on it in 17 terms of speed and accessibility. 18 Now they turnaround and tell the Court, well, we Yes, they did post it, because without those And So reasonable minds can differ except where the law says 19 otherwise, where Congress has said otherwise, where the rules 20 said otherwise. 21 Those decisions have been made. And we know also, Your Honor, that this warrant was signed 22 off on by an AUSA in Virginia. We don't know what debate was 23 going on except from October 11th, Agent Alfin's testimony 24 that this was debated by high levels in the FBI and DOJ. 25 yet they elected, either the FBI on its own, and we've Teri Hendrix, RMR, CRR - Official Court Reporter And 114 1 certainly seen the FBI willing to go out on a limb by itself 2 regardless of the advice of DOJ on a number of occasions or 3 whether nobody simply cared. 4 And this is really the crux of it. The ends are okay. 5 The means were deplorable. It's reassuring that they did not 6 produce child pornography. If that's what we're reduced to, 7 that's great. 8 But the problem here, Your Honor, is that while trying to 9 solve one problem and avoid revictimization of some children, 10 they created a massive new one. 11 protocols, no explanation for why they did it this way. 12 And we have seen no Every one of those people who's been arrested was arrested 13 based on IP information that was collected at the point that 14 they landed onto the home page. 15 completely unnecessary. Everything after that was 16 Your Honor, to the extent that reasonable minds can differ 17 about this, and I don't think they can, particularly given the 18 warning, the explicit warning that was in the Sherman case, 19 and the fact that this was never disclosed to Magistrate Judge 20 Buchanan in terms of how this investigation was going to be 21 done, I am asking the Court to make a referral to the 22 Department of Justice and the FBI, Offices of Inspector 23 General. 24 25 To whatever extent that there are reasonable differences that can be elucidated, to whatever extent the attorneys Teri Hendrix, RMR, CRR - Official Court Reporter 115 1 involved in this and the Department of Justice and in Virginia 2 and the FBI did not take proper precautions in the handling or 3 distribution of child pornography may have violated their bar 4 oaths, I think all this needs to be sorted out, not just based 5 on the limited information that we have, but internally as 6 well. 7 If they don't want to disclose their deliberations, and 8 the Court has already ruled on that, we respect that ruling 9 although we object to it, then let them do it in-house. Let's 10 have the IG offices do that in an appropriate manner and make 11 recommendations about this. 12 But at this point we only know what happened in the end, 13 it was not disclosed to the magistrate, at least a million 14 images out there, and absolutely no investigatory need to do 15 this. 16 17 18 Thank you, Your Honor. THE COURT: MR. BECKER: 20 THE COURT: 21 MR. BECKER: 23 Now, are you prepared for this other hearing at this point, Mr. Becker? 19 22 Thank you. For the ex parte matter, Your Honor? Yes. Yes, Your Honor, we have the documents available. THE COURT: Okay, I see our court reporter in the 24 back, too. Why don't you all get set up and we'll do that 25 next and then come back to court -- Teri Hendrix, RMR, CRR - Official Court Reporter 116 1 MR. BECKER: 2 THE COURT: 3 Very well, Your Honor. -- and finish the rest of this. Let Dara know when we are ready. Just give me a minute, I 4 want to read the motion and the reply again before we start. 5 Okay. 6 MR. BECKER: 7 THE COURT: 8 MR. BECKER: 9 THE COURT: 10 You all ready? Yes. Okay, well give me a couple minutes to read this. 11 MR. BECKER: 12 THE COURT: 13 (Recess taken.) 14 THE COURT: 15 Very well, Your Honor. Thank you, Your Honor. Again. Okay, I will give you a short ruling after I take ten minutes or so. We'll reconvene about 3:15. 16 (Recess taken.) 17 THE CLERK: All rise, Court is again in session. 18 THE COURT: Please be seated. Okay, first I should 19 give you a ruling on the ex parte and in-camera hearing that 20 we just completed. 21 discovery that the plaintiffs have made. 22 that the discovery need not be disclosed by the government 23 based on what I learned and heard at the in-camera ex parte 24 hearing. 25 The real subject was three areas of It is my judgment Other issues remain, as do whether that material is Teri Hendrix, RMR, CRR - Official Court Reporter 117 1 relevant and helpful and material to plaintiffs and whether a 2 summary can or should be substituted. 3 issues. 4 I don't reach those Now, the remaining matter today is the third motion, which 5 is the motion to suppress. 6 some of you probably can't wait to go trick or treating. I am 7 good for the day, but I don't know what issues you have. I 8 want to give you plenty of time to argue this last motion 9 which has a lot of parts to it. 10 I know it's Halloween and I know But you tell me when you want to stop. 11 MR. FIEMAN: Well, Your Honor, if I may approach. 12 First of all, just to clarify where we are in terms of 13 discovery issues. 14 that, as it did in Michaud, that the government need not turn 15 over the components. 16 which is essentially the same on Michaud, the sanctions that 17 should imposed for nondisclosure. 18 hear argument on that, I was a little unclear, because we 19 believe we are in the same position that we were in the prior 20 case. 21 If I understand, the Court has determined We would still like to argue, however, I don't know if you want to We do have argument about -- it's the same situation that 22 we talked about from Jencks and everything. 23 clearly has classified information, and they have a right not 24 to hold it -- 25 THE COURT: The government Wait, I want to give you time to argue Teri Hendrix, RMR, CRR - Official Court Reporter 118 1 whatever it is you want to argue. 2 house is how long you want to argue this afternoon? 3 MR. FIEMAN: The question before the Well, I know that Mr. Hamoudi's son is 4 hoping he'll be home around 5:00 to go trick or treating. 5 may have about 45 minutes or an hour of argument. 6 My request, and I think it's joined, is that we reconvene 7 tomorrow morning for the remaining issues. 8 evidence. 9 at most. 10 11 I We've done all the It shouldn't take much -- it will take the morning, THE COURT: You are telling me you don't think we'll be finished tonight anyway? 12 MR. FIEMAN: No, Your Honor, not with both arguments, 13 and I know counsel have points they want to make apart from my 14 general arguments. 15 THE COURT: 16 machine. 17 what. Mr. Becker, you are hiding behind that I don't know if you are making nasty faces at me or 18 MR. BECKER: Definitely not, Your Honor. 19 MR. HAMPTON: Your Honor, we'll defer to the Court. 20 We are happy to come back tomorrow morning and finish things 21 up, that's fine. 22 THE COURT: Well, that's fine with me, I guess. 23 doesn't matter to me a lot one way or the other. 24 lose an hour, but I have got tomorrow entirely clear. 25 It I hate to I intended to start out this morning by telling you that I Teri Hendrix, RMR, CRR - Official Court Reporter 119 1 have made a bad mistake in this case in authorizing 2 over-length briefs. 3 on these three motions. 4 within the time limits very nicely and they would have been 5 better briefs. 6 same about argument here. 7 point and bear in mind I have read your briefs. 8 9 Try and keep it succinct and to the I will use the evening to edit my notes, Your Honor. THE COURT: 11 That would be good. Okay, well, we'll reconvene tomorrow at 9:30, then, and finish the argument in this case. 13 14 And they all could have been done I guess what I am leading up to is I feel the MR. FIEMAN: 10 12 I read all your briefs, most of it twice, And happy Halloween. (The Court recessed to Tuesday, November 1, 2016, at the hour of 9:30 a.m.) 15 * 16 * * * * C E R T I F I C A T E 17 18 19 I certify that the foregoing is a correct transcript from the record of proceedings in the above-entitled matter. 20 21 /S/ Teri Hendrix __________ 22 Teri Hendrix, Court Reporter November 21, 2016 Date 23 24 25 Teri Hendrix, RMR, CRR - Official Court Reporter