Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 1 of 157 PageID# 534

IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF VIRGINIA
Norfolk Division

UNITED STATES OF AMERICA, Plaintiff,
v.
GERALD ANDREW DARBY, Defendant.
CRIMINAL CASE NO. 2:16cr00036

UNITED STATES OF AMERICA, Plaintiff,
v.
HUNTER VAUGHAN EURE, Defendant.
CRIMINAL CASE NO. 2:16cr00043

TRANSCRIPT OF PROCEEDINGS
Norfolk, Virginia
July 5, 2016

BEFORE: THE HONORABLE ROBERT G. DOUMAR, United States District Judge

APPEARANCES:

UNITED STATES ATTORNEY'S OFFICE
By: Elizabeth M. Yusi
    Leslie W. Fisher
    Assistant United States Attorneys
    Counsel for the United States

FEDERAL PUBLIC DEFENDER'S OFFICE
By: Andrew W. Grindrod
    Richard J. Colgan
    Rodolfo Cejas, II
    Assistant Federal Public Defenders
    Counsel for the Defendants

Heidi L. Jeffreys, Official Court Reporter

I N D E X

ON BEHALF OF THE DEFENDANTS:    Direct  Cross  Red.  Rec.
C. Soghoian, Ph.D.                 5      64    --    --
  (Recalled)                     148     153    --    --

ON BEHALF OF THE GOVERNMENT:
D. Alfin                          96     102   136   142

E X H I B I T S

No.                        Page
Government's Exhibit 1      71
Government's Exhibit 2      80
Defendant's Exhibit 1       94

(The proceedings commenced at 2:30 p.m., as follows:)

THE CLERK: Criminal Case No. 2:16cr36, United States of America v. Gerald Andrew Darby. Ms. Fisher, Ms. Yusi, are you ready to proceed on behalf of the United States?

MS. YUSI: We are. Good afternoon, Your Honor.

THE CLERK: Mr. Cejas, are you ready to proceed on behalf of the defendant?

MR. CEJAS: Yes, we are.
THE CLERK: And in Case No. 2:16cr43, the United States v. Hunter Vaughan Eure, Ms. Yusi, Ms. Fisher, are you ready to proceed?

MS. YUSI: We are, Your Honor.

THE CLERK: And Mr. Grindrod and Mr. Colgan, are you ready to proceed on behalf of the defendant?

MR. GRINDROD: We are. Good afternoon, Your Honor.

THE COURT: I would like to take up the motion to suppress by Mr. Eure first, which we haven't ruled upon, and then we will deal with the motions to compel jointly so that we just don't reiterate everything and we won't have two.

So let's take up Mr. Eure's motion to suppress at this time. And I assume, Mr. Grindrod, you're arguing that.

MR. GRINDROD: I am, Your Honor, and we also have evidence, if we could, Your Honor.

THE COURT: All right. I'll be glad to hear from you. It's your motion.

MS. YUSI: May I have a moment, Your Honor?

THE COURT: Sure.

(There was a pause in the proceedings.)

THE COURT: All right. Go ahead.

MR. GRINDROD: Your Honor, the defense calls Dr. Christopher Soghoian to the stand.

(The clerk administered the oath.)

MR. GRINDROD: And, Your Honor, Dr. Soghoian is going to be testifying as to matters that relate both to suppression and the motions to compel. I can separate them and recall him later, or I can ask all the questions at once, Your Honor.

THE COURT: Well, since we're having a joint hearing, my suggestion is he's going to testify in both, and maybe that would save us some time, assuming counsel for Mr. Darby would agree.

MR. CEJAS: Yes, sir, that's fine.

THE COURT: Thank you, Mr. Cejas.

MR. GRINDROD: May I inquire, Your Honor?

THE COURT: Yes, go ahead.

CHRISTOPHER SOGHOIAN, Ph.D., called as a witness, having been first duly sworn, testified as follows:

DIRECT EXAMINATION

BY MR. GRINDROD:

Q. Good afternoon, sir. Could you please introduce yourself to the Court.

A. My name is Christopher Soghoian.

Q. And why are you here today, sir?

A. I volunteered in my personal capacity as an expert so that the defense and so that the Court can have a better understanding of the technology used by the FBI in this case.

Q. Okay. I want to talk to you about a little bit of background, about your experience and qualifications. Could you tell us a little bit about your educational background?

A. Sure. I have a Bachelor's degree in computer science from James Madison University, I have a Master's degree in security informatics from the Johns Hopkins University, and I have a Ph.D. in informatics from Indiana University.

Q. Can you tell us a little bit about your experience working in these fields?

A. Sure. So in my job at the ACLU and before that at the Federal Trade Commission I am a computer scientist who explains technology to lawyers.

My Ph.D. was focused in the analysis of surveillance techniques used by the U.S. Government, and specifically I help lawyers understand how the government engages in high tech surveillance. So at the ACLU, where I'm employed, I work with the lawyers who litigate Fourth Amendment cases, and I make sure that they understand the technology and that they are accurately describing it in the cases in which they're engaged.

Q. And what is your position at the ACLU?

A. I'm employed as the ACLU's principal technologist in our Speech Privacy and Technology Project.

Q. Do you currently hold any other position?

A. I'm also a visiting fellow at the Information Society Project at Yale Law School.

Q. And have you received any awards or honors in your field?

A. I've received a couple of awards. Politico magazine last year named me one of the top 50 people affecting policy in the United States. That's the one I can remember off the top of my head.

Q. That's fine. Have any courts cited your work?

A. My academic research on surveillance has been cited by a few federal courts, including the Ninth Circuit Court of Appeals, and by the State Supreme Courts of Massachusetts and New Jersey.

THE COURT: Where was this academic research? You just said your academic research.

THE WITNESS: Yeah. I have law review articles that have been published in the Harvard Journal of Law and Technology, the Berkeley Journal of Law and Technology, and the Yale Journal of Law and Technology, and so that research has been cited by those courts.

BY MR. GRINDROD:

Q. And has any of your work focused specifically on remote technology or malware?

A. I've been researching NITs, the network investigative techniques, for about five years, and in the course of that research I have learned quite a bit about the technology, I've interviewed people who have worked in the teams at the FBI that deliver this technology, and I've analyzed some of the code that the FBI has used.

Q. And have you done -- we've talked a lot about the training you've received. Have you given any training or spoken on these topics?

A. Sure. So I've been invited to several training events organized by the Federal Judicial Center, so I've given training to judges, both District Court Judges, Magistrate, and even Circuit Court Appellate Judges, about surveillance technology, including the use of NITs.

Q. Have you offered testimony before any legislative bodies or rule-making committees about these topics?

A. Yeah. I've testified before, I think, three different state legislative bodies in the United States, the European Parliament, and I also testified before the rules committee that put out the changes to Rule 41 regarding the use of these technologies.

Q. Okay. And now I want to talk to you specifically about your preparation for your testimony in this case.

First of all, do you have any background knowledge on NITs or network investigative techniques?

A. So, as I said, I've been researching NITs for about five years. I've testified in two cases, two prior cases where NITs have been used, as a volunteer, an unpaid volunteer, for the defense in those cases. I've reviewed numerous case filings. I've reviewed transcripts from Special Agent Alfin and others.

And then, under protective order in various cases, I've looked at some of the code and some of the two-way network recordings as well.

Q. Okay. Have you looked at the code and the PCAP data that was produced in Mr. Eure's case?

A. I have.

Q. You said you're here in your personal capacity. Is that right?

A. Yes.

Q. Are you being paid for your services in this case by the defense?

A. My flight was paid for, and I think my taxi fees will be reimbursed, but I'm not receiving any kind of honorarium or consulting fee, no.

Q. Okay. So why is it that you volunteer in cases like this?

MS. YUSI: I object, Your Honor. What's the relevance of this?

THE COURT: Objection sustained.

BY MR. GRINDROD:

Q. I want to talk to you about --

A. I'm sorry. Can I get a glass of water, too? Is that possible?

MR. GRINDROD: Yes.

(There was a pause in the proceedings.)

BY MR. GRINDROD:

Q. Are you familiar -- I want to talk to you about a couple issues having to do with suppression. So, first, are you familiar with the government's argument that the NIT that was deployed in this case --

THE COURT: Stop. You're getting into the case itself so, consequently, are you finished with the voir dire of this witness's qualifications?

MR. GRINDROD: Yes, Your Honor.

THE COURT: Ms. Yusi, do you have any questions on voir dire?

MS. YUSI: I don't, Your Honor, but I also don't know what he's being offered for as an expert in.

THE COURT: Well, I'm sure he'll tell us.

MS. YUSI: Okay.

THE COURT: Go ahead, Mr. Grindrod.

MR. GRINDROD: Thank you, Judge.

BY MR. GRINDROD:

Q. Are you familiar with the argument that's been raised by the government in this case and related cases that the NIT that was deployed in this case worked like a tracking device?

A. I am familiar with that theory.

Q. And just so we're on the same page, that argument goes, basically, that a Playpen user entered the government server hosting Playpen, which --

MS. YUSI: Objection, Your Honor. He's testifying. If he wants to ask a direct question...

THE COURT: Objection sustained.

BY MR. GRINDROD:

Q. Can you tell me what your understanding of the government's argument is with respect to this tracking device?

THE COURT: It's not the government's argument, it's what his understanding of what is utilized in this case is. Don't let's talk about somebody else's argument.

He's not an expert on the argument, okay? He's an expert on the use of the Internet. He can also describe all of his uses. He can tell me what a NIT is, but he's not going to tell me whether the argument of the government is appropriate or inappropriate in any way. He can discuss all he wants about any factual matter or his opinions, but not his opinions of somebody else's case.

Do we understand one another, sir?

MR. GRINDROD: Yes, Your Honor.

THE COURT: Okay.

BY MR. GRINDROD:

Q. Can you tell me from a technological perspective where the NIT is installed, the location, the physical location?

A. So the computers that were visiting the Playpen Web site ultimately had to contact the government server, which was located somewhere in Northern Virginia. Although the code, the computer instructions for the NIT, was hosted on the government's computer, it didn't activate. It didn't do anything until it was transmitted all the way over the Internet to the receiving parties, to the computers that were visiting the Web site, and then ultimately ran on those individual computers.

THE COURT: You lost me, so let's go back.

THE WITNESS: Let's try again. Okay.

So there were a number of people who visited the Playpen Web site. They connected to the Playpen Web site using this technology called Tor, but ultimately there was a Web browser, like Firefox or Internet Explorer or Chrome, and then they used their Web browser to visit a Web site.
The NIT, the network investigative technique, was delivered to the computers of the people who were visiting this Web site, and the network investigative technique --

THE COURT: Well, what you have to do is to say what visited the network site, not "the NIT visited."

"The NIT visited" is too broad a concept. That's investigative techniques. So what we want to deal with are the specifics, and that's what I've got to hear. Otherwise, you just become another attorney for the defendant. Don't become the attorney, just become the expert, okay?

THE WITNESS: Yes, Your Honor.

And, to be clear, I'm not an attorney. I didn't go to law school.

THE COURT: Well, by the time you finished explaining your background, you probably know more than most attorneys who are dealing with this subject.

THE WITNESS: I appreciate that, sir.

THE COURT: So let's get on with what we're doing here.

First, one thing I want to find out about qualifications -- I might as well do it now that I've interrupted you -- is are you paid a salary by the ACLU?

THE WITNESS: I am paid a salary, sir, but I'm taking a vacation day to come here.

THE COURT: You're taking a vacation?

THE WITNESS: A one-day vacation.

THE COURT: Do they give you vacation days?

THE WITNESS: I receive vacation days at the ACLU. Not as many as I would like.

THE COURT: So what I'm getting at is you're not losing any money, as such.

THE WITNESS: No, I'm not.

THE COURT: And when you say you're an unpaid volunteer, you are a volunteer here, but I assume it's with the understanding of the ACLU.

THE WITNESS: I have to ask my boss for permission to take time off, yes.

THE COURT: I figured that. So I just want to know where we are and what we are dealing with. So, consequently, you can go on from there, but let's stick to the facts and your expertise, okay?

MR. GRINDROD: Thank you, Your Honor.

THE WITNESS: Sir, if I might add one more thing, I just want to clarify.

I asked to come here from my -- I asked for permission from my employer, as opposed to being told by my employer, "Hey, Chris, take a day off and go down to Norfolk."

THE COURT: Oh, I understand that.

BY MR. GRINDROD:

Q. Okay, Dr. Soghoian. So I think you were starting to explain kind of the technology -- how the NIT works from a technological standpoint. So if you could tell us where -- first of all, what is -- Judge Doumar just asked this.

So what is the NIT? When we're talking about the NIT and we talk about code associated with it, can you just tell us what that is?

A. The NIT is a specially made computer program that is designed to surreptitiously collect information from one or more person's computers, collect that information, and transmit it back to the government.

Q. Okay. So even kind of more specifically than that, when we talk about the NIT being computer code, what is that? What is computer code?

A. So if you think of the blueprints for a building versus the building itself, human beings write code, and computer scientists who know how to write computer programs, they create code by writing it in a special language. But it's still human readable, readable by humans who understand computers, and then the computer turns it into a special language that is easier for the computer to understand. So that's called computer code.

Q. Okay.

A. And, essentially, they're a series of instructions that tell the computer, do this, do that, do this other thing.

Q. And computer code, is that something that only exists in the government surveillance context, or does computer code exist --

A. No, every single electronic device that we have in our lives, from a cell phone to an ATM machine to an airplane, has computer code in it now.

Q. So the question I asked you a little while ago was trying to understand where the computer code that we're talking about in this case, the NIT, where that actually was deployed, where it worked. So can you explain, just from a technological perspective, focusing on the facts, where that happened?

A. Sure. The computer code, the NIT code in this case, would have been downloaded from a server run by the FBI in Northern Virginia, downloaded to the computers of the individual people visiting the Playpen site, including the alleged defendants in this case. But it would not have run, the code would not have done anything, until it reached their computers and ran on their computers.

You could think of the code as being inert. It didn't have the power to do anything until it ran on the computers of the individual defendants.

Q. And was the -- until the code was installed on our client's computer, would there have been -- did it serve any functional purpose for anyone who would have been using the code?

A. The code would never have run on anyone's computers but the defendant's computer, you know, unless an FBI agent ran it in the lab to test it out. But when it was sitting on the government's Web server, its Web site, waiting to be downloaded it would be sitting dormant. It wasn't doing anything. It wasn't hurting anyone or helping anyone. It was just sitting there like an unopened piece of mail, and someone had to go and get it, bring it back, and it was only then, once it was executed on the defendant's computer, that it would come to life and that it would have the resources to then run. And with those resources with a computer that had power and had the ability to think, the processing capability, then the NIT could come to life and perform the instructions that it had been programmed to do; in this case, to collect various forms of information from the computer that it was operating on and then to call home to the government server with those bits of information.

Q. In any technological sense, did the user of an activating computer visit the FBI's server?

A. The individual users of the Playpen site certainly communicated with the government's server. They requested Web pages, and the Web pages were then returned to those individuals. Those individuals never left their homes. They didn't get in their car and drive across country or up --

THE COURT: So the code had nothing to do, then, with the requested Web pages of the --

THE WITNESS: The Web pages were viewed by the individual users --

THE COURT: I'm asking once it was sent to the government -- to Playpen, we'll call it, and you're familiar with it. The code had nothing to do with that.

THE WITNESS: The code --

THE COURT: The code is merely an investigatory matter, correct?

THE WITNESS: The NIT code was delivered to the visitors of the site at the same time as they were visiting the Web page.

THE COURT: I understand, but the site itself would know what was requested of it, correct?

THE WITNESS: When you say "the site," I mean --

THE COURT: Playpen.

THE WITNESS: I understand Playpen, but Playpen was a Web site, it wasn't a human, so when you say did the site know do you mean the people operating the Web site, did they know? Because they were FBI agents, they definitely knew what was being delivered.

THE COURT: Once the Web site gets something, does the Web site know it got it?

THE WITNESS: The --

THE COURT: Does it record?

THE WITNESS: I think I know what you're asking.

When the NIT called home it did not call home to the Playpen site. The NIT was delivered to people who were visiting Playpen; that when the NIT called home it called home to a different computer run by the FBI.

THE COURT: All I'm asking you is Playpen. It receives something, correct?

THE WITNESS: The -- when the user visits the Playpen site, they request a Web page. They get that Web page back, and that response would have included -- I'm trying to figure out how to explain this in terms that are easy to --

THE COURT: Playpen responds to whatever the request is, and all I'm saying is there's a record of that response, correct?

THE WITNESS: When you say -- you mean a permanent record?

THE COURT: I don't know if it's permanent or anything. I assume Playpen has some knowledge of what it sends.

THE WITNESS: That would really depend on how the FBI configured the Playpen site.

THE COURT: I'm not worried about the FBI, I'm worried about Playpen, the site itself.

Once the FBI runs it, it's just running a site, correct?

THE WITNESS: Again, that really depends on how the FBI is running the site.
If I can use an analogy, Your 7 Honor, the PACER Web site that this court runs that people 8 can download documents from, there may be records that are 9 kept of every document I download from PACER; there may not 10 be. It really depends on how the administrators of this 11 courthouse configure the Web site to operate. 12 I don't know whether the FBI, when they were 13 operating the Playpen site -- whether they recorded every 14 single thing that the Web site sent or nothing. 15 THE COURT: 16 THE WITNESS: 17 THE COURT: the site. And they don't know what's happening on Is that your testimony? 20 THE WITNESS: 21 THE COURT: 22 The FBI was running the Playpen site, yes, sir. 18 19 So the FBI has the site, correct? No, Your Honor. Oh, so they know what's happening on the site. 23 THE WITNESS: Your Honor, I'm saying I don't know 24 what the FBI knew because I don't know how the FBI configured 25 Playpen. And the Playpen site is no longer operational, so I Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 20 of 157 PageID# 553 20 C. Soghoian - Direct 1 cannot go and check. 2 3 THE COURT: at all when you were investigating this matter, correct? 4 5 So you didn't look into that information THE WITNESS: It would be a crime for me to visit the Playpen site, Your Honor, when it was up and running. 6 THE COURT: Excuse me. You can help me a lot -- if 7 you answer questions, you can answer "yes" or "no" and make 8 any explanation you desire. 9 understanding your answers. Otherwise, I may have trouble 10 Now, let's go back over that. 11 say you don't know what the FBI knew when it was 12 administering the site. 13 THE WITNESS: 14 THE COURT: 15 MR. GRINDROD: Let's go back. You Is that correct? That is correct, sir. So -- okay. Go ahead. Thank you, Your Honor. 16 BY MR. GRINDROD: 17 Q. 
18 the -- is it your understanding that one of the reasons the 19 government ran the NIT was to find out geographically where 20 the user's computer was located? 21 So this NIT, as the government has stated -- one of THE COURT: He hasn't testified to that yet, and so 22 be careful about leading the witness. 23 because we pretty well know that he's been informed of a 24 great many things, but don't lead witnesses, okay? 25 I will allow it, But that question I'm going to allow. I'm just Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 21 of 157 PageID# 554 21 C. Soghoian - Direct 1 warning you, don't do it again. 2 MR. GRINDROD: 3 THE WITNESS: I'm warned. Thank you, Your Honor. So the Tor software that everyone was 4 using to access the Playpen site, that protects -- more than 5 anything else, that is designed to protect the IP address of 6 each person visiting the site. 7 THE COURT: 8 THE WITNESS: 9 THE COURT: 10 So you're familiar with that software. I'm familiar with Tor, yes, sir. I understand you're familiar with Tor. Are you familiar with the software that Tor employs? 11 THE WITNESS: Yes, Your Honor, I'm familiar with the 12 Tor browser, which is the software I think that we're 13 discussing. 14 15 16 17 18 19 20 THE COURT: So you've looked at that software before. THE WITNESS: I've used that software. The tool was created by the government ten years ago, and it's -THE COURT: It's created by the Navy. Were you a part of that creation? THE WITNESS: No, sir. It was created with by the 21 U.S. Naval Research Lab originally and then was subsequently 22 spun out into a nonprofit, but I've never been a developer of 23 Tor or employed by the Tor organization. 24 25 But some of the developers taught classes at my Ph.D. university, and I know some of the developers who work Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 22 of 157 PageID# 555 22 C. 
Soghoian - Direct 1 on it. 2 3 THE COURT: My curiosity abounds. their names? 4 THE WITNESS: 5 THE COURT: 6 And what were Sorry. What was the question, sir? You said you knew the developers because they taught you at the university. 7 THE WITNESS: What were their names? So Paul Siverson, who is employed by 8 the U.S. Naval Research Lab still to this day, he was a 9 visiting professor for a semester at my university. 10 THE COURT: 11 THE WITNESS: 12 And so he taught you a course? Yeah, I think he gave one guest lecture in -- 13 THE COURT: One lecture? 14 THE WITNESS: One lecture. 15 BY MR. GRINDROD: 16 Q. 17 so, again, going back to my original question, before the 18 government deployed the NIT did the government have any 19 understanding of where geographically an activating computer 20 was located? 21 A. 22 impossible, because the Tor browser and the Tor network 23 software are designed, first and foremost, to shield that 24 information from everyone who might wish to discover it. 25 Q. Dr. Soghoian, let me ask you about the government's -- It would have been extremely difficult, if not And was -- Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 23 of 157 PageID# 556 23 C. Soghoian - Direct 1 THE COURT: Doesn't the person who is trying to get 2 the information have to give the computer that it sends to 3 information where to send the material? 4 THE WITNESS: So that's why Tor is such an 5 interesting tool. When you use Tor to browse the Internet -- 6 let's say you're visiting CNN, you look for an article on the 7 CNN Web site. 8 sending it, so the data gets bounced around through a bunch 9 of servers, and so no one -- CNN doesn't actually know where they're 10 THE COURT: How do they get the information, then? 11 THE WITNESS: 12 THE COURT: 13 THE WITNESS: If you -- It's not being sent back. 
Instead of the data being sent 14 directly from CNN to your personal computer, it gets sent 15 through a couple intermediaries along the way, and they -- 16 17 THE COURT: I know about coming to the Playpen. Now something leaves the Playpen, I assume. 18 THE WITNESS: Just as the connection from the user 19 to the Web site goes through the intermediaries, the 20 responses go back through the same intermediaries. 21 intermediaries are servers run by volunteers around the 22 world. 23 BY MR. GRINDROD: 24 Q. 25 any idea where in the world the activating computer is And the So before the NIT is deployed does the government have Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 24 of 157 PageID# 557 24 C. Soghoian - Direct 1 located? 2 A. No. 3 Q. Okay. 4 that authorized the government to deploy this NIT but only 5 against computers that were located in the Eastern District 6 of Virginia. 7 that warrant be executed? 8 A. 9 only computers located in the Eastern District of Virginia, So I want you to imagine for me, then, a warrant From a technological perspective, how would There would be no way to limit the execution of a NIT to 10 because until the government hacks into the computers of the 11 targets they won't know where they are -- I'm sorry. 12 government will not know where the defendants' computers are. 13 Q. 14 talk to you about some issues related to the pending motion 15 to compel. 16 Understood. I want to shift gears now for a moment and So at various points in the briefing the parties have 17 referred to the NIT as having different components. 18 familiar with that terminology? 19 A. Yes, sir. 20 Q. Okay. 21 produced the two components of that, right? 22 A. Yes, the -- 23 Q. Can you tell us what components? 24 A. I've reviewed and analyzed the NIT -- 25 The Are you In Mr. Eure's case, at least, the government has THE COURT: First tell us what two components they Heidi L. 
Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 25 of 157 PageID# 558 25 C. Soghoian - Direct 1 are, then you tell us what you analyzed. 2 THE WITNESS: 3 The two components are the NIT, the network 4 investigative technique, and what's known as a PCAP, P-C-A-P, 5 file. 6 to as a two-way network recording. 7 BY MR. GRINDROD: 8 Q. 9 produced, is one of those the exploit? This is what the government, I believe, has referred And two other components that exist but have not been 10 MS. YUSI: 11 THE COURT: 12 Your Honor, I object. You know, I asked you not to lead the witness. 13 MR. GRINDROD: 14 THE COURT: 15 MR. GRINDROD: 16 THE COURT: 17 don't do it again. 18 time. I'll rephrase, Your Honor. I'm not going to do it anymore. I'll rephrase, Your Honor. Next time you'll know what happens, but And I asked you not to do it the last 19 MR. GRINDROD: 20 THE COURT: 21 Yes, Your Honor. I understand, Your Honor. And I don't expect you to do those things if I tell you don't do it, okay? 22 He's perfectly capable of discussing it. He's a volunteer. He's been 23 testifying. I'm not worried about him not 24 knowing what's going on, but I am worried about leading the 25 witness. Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 26 of 157 PageID# 559 26 C. Soghoian - Direct 1 MR. GRINDROD: I understand, Your Honor. 2 BY MR. GRINDROD: 3 Q. 4 tell us what the other two are? 5 A. 6 haven't reviewed and that haven't been disclosed are the 7 exploit and the code that generates the unique serial numbers 8 for the individual NIT deliveries. 9 Q. You mentioned two parts of the four components. Can you The other significant components that are missing that I Okay. I want to talk about -- 10 THE COURT: Slow down. 11 THE WITNESS: 12 THE COURT: 13 THE WITNESS: One is called the exploit. An exploit, yes, sir. What is the other one? 
The second one is a special code that would have run on the government's server that generated unique serial numbers each time the NIT was deployed.

BY MR. GRINDROD:

Q. I want to have you just --

THE COURT: And that is not the exploit?

THE WITNESS: No, sir. And if you would like, I can go through each component and say what they do.

THE COURT: I'm just trying to make sure where I'm going, because you're going to be discussing these terms. I want to be able to understand them.

Okay. Go ahead.

BY MR. GRINDROD:

Q. I do want to go through each of these components with you just to get an understanding of what they are, and then we'll talk later about why they may be important for various --

THE COURT: How much time do you expect for this witness?

MR. GRINDROD: It's going slower than I expected, Your Honor, but another half hour, at most.

THE COURT: All right. You have another half hour, period.

MR. GRINDROD: Thank you, Your Honor.

THE COURT: Because, otherwise, we won't get finished today.

MR. GRINDROD: I understand, Your Honor.

BY MR. GRINDROD:

Q. You mentioned the NIT computer code. Can you tell us what that is, briefly?

A. Yes. The NIT code has two pieces of functionality. The first is that it collects specific information from the computers on which it runs. That might be the serial number of the Wi-Fi card, information about the operating system that's running on the computer.

Once it has compiled that information, the second piece takes over, and that transmits that collected information back to an FBI-controlled server.

Q. The PCAP data, can you tell us what that is?
A. The PCAP data is a recording created at a government facility that purports to show what the government received from the individual NIT users.

Q. The exploit, what is that?

A. As I said before, the Web browser that people are using, that is designed to visit Web pages, and the Tor browser is a special Web browser that is designed to be more secure than the average Web browser.

The piece of information that it is designed to protect, first and foremost, over everything else, is the IP address of the user. The Tor browser is designed so that if a Web site asks, "What is your IP address?" it will say, "No," and it is designed to resist any creative attempts to try and learn the user's IP address.

For the NIT to be able to successfully run on the computer of the targets, the first thing the government needs to be able to do is to somehow bypass these strong security features built into the Tor browser. And, so, if you think of the Tor browser as a house guarded by trained guard dogs, the exploit is a piece of meat that's been laced with sleeping pills so the guard dogs fall asleep and let the government go inside the house. So the exploit is the code that bypasses or circumvents the security settings and protections in the Tor browser.

Q. And then the final piece is the unique ID generator --

THE COURT: The exploit is the thing that tells them what computer is coming in on that particular information?

THE WITNESS: No, Your Honor, the NIT is the code that identifies the computer and sends that information back to the FBI server.

The exploit is the code that disables the security protections of the Tor browser so that the NIT can then be installed and execute.

BY MR. GRINDROD:

Q.
So if the question is what let you in --

THE COURT: Hold on a minute.

BY MR. GRINDROD:

Q. What's the -- what let you in or what allowed the government --

THE COURT: Stop a minute so I'll understand where we're going.

First you find the name of the computer; that is, the individual computer?

THE WITNESS: No, Your Honor. That's actually one of the later stages.

The first thing the government has to do is get the defendants' computers into a state where they will allow the NIT to run. Normally, the Tor browser software will refuse to run something like the NIT, because first and foremost it's designed to protect that information from outside parties who might wish to learn it.

So the exploit has to disable the built-in security features that are contained within the Tor browser, and it does that through the use of what is called a security vulnerability; that is, a design mistake in the software, in the Tor browser software.

The Tor browser, like all pieces of software, is made by humans --

THE COURT: So the exploit just destroys, in essence, any security; that's it.

THE WITNESS: That's a good way of thinking of it, sir, yes, sir.

THE COURT: All right.

BY MR. GRINDROD:

Q. Okay. And then the last component of the four is the unique ID generator. Can you tell us briefly what that is?

A. Yes. The purpose of the ID generator -- when the defendants or the targets visit the Playpen site and receive the NIT and the exploit, they are given a unique number like a serial number.

When the computers that are running the NIT call home, in addition to transmitting back their serial numbers and other information, they transmit back that number that the government has given them.
In essence, it allows the government to associate a particular user on the Playpen site with a particular successful operation of the NIT and, as a result, the IP address that the government learns through the NIT operation.

Q. Okay.

A. And it's through the unique numbers that they're able to say, defendant X was this user name on this Web site, and they were logged in for this many days, and they viewed these posts. That gives them the ability to identify individual users and their history on the sites.

Q. Understood. So let's focus first on the exploit.

Can you tell the Court why it's important from a technological perspective to review the exploit? What would that tell you?

A. The exploit is important for a few reasons. The NIT collected a bunch of information from the computer, and without knowing -- without experts being able to look at the exploit, it's not possible to say which condition or state the computer was in before it collected the NIT.

Let me use an analogy. If the government is analyzing DNA in a lab, you want to know that the petri dishes that they were using, the equipment in the lab, is clean. You want to know that it's sterile before they test a particular defendant's genetic sample.

If we cannot see the exploit, we do not know the state in which the computer was in before it ran the NIT, which calls into question the reliability, the forensic reliability, of the evidence that the NIT then collected. So that's the first reason.

THE COURT: So looking at any computer, you have to know what it was before anything was done to the computer. Is that correct?

THE WITNESS: It would certainly be helpful. If you want --

THE COURT: I didn't ask you about "helpful." Everything is helpful.

The question in my mind is if I were looking at a computer, any computer -- let's forget this case. We're talking about your expertise. If I were looking at a computer and wanting to know what it's putting out, I'd have to know in advance what it had on it before?

THE WITNESS: That is true. You would want to know --

THE COURT: So nobody should ever be able to testify what was on a computer, correct?

THE WITNESS: The --

THE COURT: They can't testify because they couldn't possibly have known what was on it before, even if they looked at the computer, correct?

THE WITNESS: There are many things that a computer can do, but the --

THE COURT: I understand there are many things a computer can do, and I can walk and run and talk and count to ten, but that doesn't mean that I can't ask questions concerning what's happening.

What I'm trying to find out is -- the statement you're making is that unless I know what was there before I cannot tell you what's there after.

THE WITNESS: If I could try and explain --

THE COURT: So anything I see is not real, because it could have been different.

THE WITNESS: The --

THE COURT: I couldn't say that Mr. Grindrod is there unless I knew he wasn't there yesterday, correct?

THE WITNESS: The exploit forces the computer to do things that it would never normally do, and it puts -- it stresses the computer or the software running on the computer --

THE COURT: I know what the exploit does. This is not the first case, by the way, and we've heard these terms consistently.
And what I want to do is to make sure I understand what you're saying in relation to the determination of how the FBI learned of whose computer was calling their Playpen site. And you're saying that the first way they learned is by having the NIT, having exploit, that would allow them to find the name of the individual calling, correct?

THE WITNESS: It's not the name of the individual --

THE COURT: Well, the name of the computer.

THE WITNESS: The name of the person logged in to the computer, the unique serial number associated with their Wi-Fi card, and some other information from the computer.

THE COURT: So all of this is generated towards finding out that particular computer, correct?

THE WITNESS: You're asking me if that's why the information is collected by the NIT?

THE COURT: Yes.

THE WITNESS: I believe that is why the FBI collects information from those computers, yes, Your Honor.

THE COURT: All right.

BY MR. GRINDROD:

Q. So I think you mentioned --

THE COURT: I'll give you five minutes more by virtue of the fact that I've interrupted you.

MR. GRINDROD: Thank you, Your Honor.

BY MR. GRINDROD:

Q. So you mentioned one of the reasons why it's important to view the exploit, but I think you said there were other reasons.

A. There's another significant reason that you would want it. If you think of the computer as a house, you have a front door, you have a lock on the door. As I said, the exploit takes advantage of a security flaw in the software that was there that most people may not have known about ahead of time. So think of it as a design flaw in the lock on your front door. So the government knows that there's a flaw in your lock so they send a Special Agent who is skilled in the art to stand there and pick the lock, and that gains them access to your house, and then they can execute the search inside the house.

Now, you could pick the lock, if you're skilled at lock-picking, and leave no trace, and when you close the door and you're done with the search the lock is in perfect working order. But it's possible if you make a mistake you could still gain access to the house, but you could break the lock in the process, and then the lock may not work in the future and other people could go inside that house after.

One of the reasons why it would be a really good idea for the defense to be able to look at the exploit is to see if the exploit leaves the computer in as secure a state as the government found it or if it leaves the computer in a more vulnerable state, where other parties might be able to log in to the computer, download their own software to the computer, download other content or contraband to that computer.

And this is not a hypothetical concern. Tools similar to NITs used by other governments have been analyzed by experts, and --

THE COURT: Stop telling me unless you give me -- you know, the world is full of explanations, so we've got to deal with specifics. Who did what to whom at what time?

THE WITNESS: Okay.
So a specific example:

A tool like the NIT, used by the German police, was analyzed a couple years ago by German security experts and discovered to have security flaws in it that left the targets of the authorized law enforcement investigations -- left those computers vulnerable to compromise and search by unauthorized third parties.

It is very difficult to design secure software, and it's quite possible that the exploit may have flaws in it that we don't know about, but if it left the computer in a less secure state it's possible that other parties might have been able to gain access to that computer at a later date.

THE COURT: So why would another party want to gain access?

THE WITNESS: Your Honor, there are --

THE COURT: I didn't ask -- is there any evidence that some other party tried to gain access? Did you hear of any?

THE WITNESS: So criminals break into computers every day.

THE COURT: I know that, but they generally break into computers because they want to find out something, correct?

THE WITNESS: No. There are many reasons why criminals do it.

One frequent reason is not to steal information from a computer but to use that computer as a staging point to download and distribute other stolen information.

THE COURT: To break into that, wouldn't they have to be able to know what it is they're breaking into?

THE WITNESS: No, Your Honor, there are tools that one can use to scan the Internet for vulnerable computers, so --

THE COURT: If you scan the Internet, how many millions of computers are there?

THE WITNESS: There are a large number of computers in the world, but there are tools that can scan the entire Internet in less than an hour.

THE COURT: In less than an hour?

THE WITNESS: Yes, sir.

THE COURT:
So what do you scan the Internet, and what does it give you?

THE WITNESS: So there's a tool that was made by the University of Michigan called ZMAP, Z-M-A-P, that can visit and interact with every single computer on the Internet in less than an hour. And think of it as knocking on the front door of every house on the street.

THE COURT: What does it do?

THE WITNESS: It makes a connection to a computer, and a follow-up activity would be looking for known flaws, looking for likely methods of entry. So, you know, a criminal might try and open the window on every front door -- or the front window of every house on the street.

THE COURT: So what you're saying is if they had unlocked the computer, if they unlocked the door to this house, a person could scan it, every computer in the world, in one hour. And then what would that do?

THE WITNESS: They could gain access and do --

THE COURT: And do what?

THE WITNESS: Sorry?

THE COURT: How does it change what already has occurred?

THE WITNESS: It's not that it changed what has already occurred, it's that they could -- the information that is on the computer could then be changed by subsequent people entering the house.

THE COURT: The information on the computer. So the information concerning the address would be changed?

THE WITNESS: Not the --

THE COURT: Right now we're talking about getting the address or the computer of the individual concerned.

THE WITNESS: It's not --

THE COURT: It wouldn't change that, because the FBI already has it, don't they?
THE WITNESS: The user name on the computer, the identifiers, those wouldn't change, but any contraband the government later discovered in an in-person search --

THE COURT: Well, first we're dealing with the question of finding out whose computer it is that's communicating with Playpen. They find that. Then you're saying, well, they need to know the exploit, because it could tell us what happened subsequent to that, correct?

THE WITNESS: Yes, Your Honor.

THE COURT: Couldn't tell us what happened before that.

THE WITNESS: The -- so, as I said, there were two main reasons for the defense to look at the exploit --

THE COURT: I understand that. They could put something in there and put it into Tor -- into Playpen.

THE WITNESS: No. So the latter reason is the reason -- as I just discussed, would go to what may have been found on the computer weeks or months later.

The former reason, you know, knowing the state that the computer is in, that goes to the validity of the information that the NIT collects.

THE COURT: So what you're saying is that they couldn't -- there's no way to rely on a name that they obtain, and that would be wrong. Is that correct?

THE WITNESS: So there is a unique identifier on the computer called a MAC address, and that was one of the things collected by the NIT. It's a serial number for your Wi-Fi card burned in at the factory. That can be changed by software running on your computer, and so --

THE COURT: It can't be changed until you get to the computer.

THE WITNESS: That is correct.

What I'm saying is if the exploit somehow malfunctioned it's possible that that serial number might have changed in such a way that it would be, you know, forensically unreliable.

THE COURT: All right. Go ahead.

BY MR. GRINDROD:

Q. Let me ask you about the second reason you stated, which was the one that had to do with changes to the computer potentially after the NIT was deployed.

Does the time gap between when the NIT was deployed and when the computer was physically seized in a traditional search, does that affect anything as far as, you know, the mistakes of that second reason?

A. There are a lot of criminals out there on the Internet who try and break into computers, and the longer that a computer is left vulnerable to cyber attackers the greater opportunity those cyber attackers will have to compromise the computer and use it for whatever purpose they have.

If someone -- you know, if the FBI were to show up the day after the NIT operation, that would be a relatively short window. If they waited a year or 11 months to conduct the search, that would be a lot of time for a vulnerable computer to be compromised by other third parties.

Q. Have you reviewed Agent Alfin's declaration in this case that was also filed in the Matish case?

A. I have.

Q. So in paragraph 9 of that declaration Agent Alfin essentially states that he executed the exploit and observed that it didn't make any changes to the computer.

Do you have any views on that statement?

A. I do. I --

THE COURT: I -- well, go ahead. No objection?

MS. YUSI: (Shakes head.)

THE WITNESS: So Special Agent Alfin testified saying, essentially, that the exploit worked just fine; that he ran it on his computer a few times, it worked okay in the lab, and there's no reason to believe that the exploit malfunctioned and, as a result, there's no need for the defense to be able to look at the exploit.
It's really hard to write reliable, secure software. Large companies like Microsoft and Apple and Boeing, spend a huge amount of money on software quality assurance, trying to write code that does what they think it's supposed to do. They also employ teams of people who do nothing but test the software to look for flaws. And they don't just run it once or twice, they run it thousands or millions of times, looking for that one-in-a-million case where it misfires or does something unpredictable.

It is frequently the case that software can have subtle flaws that don't show up under a modest amount of testing, and, you know, with respect to Special Agent Alfin's declaration or testimony, running an exploit a couple times is not enough to say conclusively that it works and that it didn't have any bugs, particularly if he hasn't even looked at the exploit, which is my understanding from that testimony. You know, even when experts can look at codes, sometimes they don't notice flaws. This is why we have, you know --

THE COURT: So experts can differ.

THE WITNESS: Experts who have access to the same information can differ, but in this case only one side has access to the information, and we have to take their word for what the code does.

BY MR. GRINDROD:

Q. So, Dr. Soghoian, let me direct your attention to another component, which we talked about earlier, called the PCAP data.

Now, in this same declaration that we were just talking about, Agent Alfin's declaration, he, in paragraph 16, said that the data stream reflecting the information transmitted to the FBI from the defendant's computer --

MS. YUSI: We object, Your Honor; leading.

THE COURT: Objection sustained. You may recite exactly what he said.

MR. GRINDROD: Okay. Thank you, Your Honor.

THE COURT: Don't start summarizing --

MR. GRINDROD: I'm sorry. I was trying to --

THE COURT: -- because then you are changing, in some ways, it. Let him understand what it is. You can say, "He says as follows," and I'll allow you to do that, but don't --

MR. GRINDROD: Thank you, Your Honor.

THE COURT: "In essence, he says this."

MR. GRINDROD: Thank you, Your Honor.

THE COURT: In essence, I might say one thing, but the question is what it is that's exactly said.

BY MR. GRINDROD:

Q. So paragraph 16 of Special Agent Alfin's declaration reads as follows:

"Review of this data stream reflecting the information transmitted to the FBI from Matish's computer as a result of the deployment of the NIT confirms that the data sent from Matish's computer is identical to the data the government provided as part of discovery."

Have you reviewed the PCAP data in Mr. Eure's case and other Playpen cases?

A. I have. I've reviewed the PCAP in this case and one previous case.

Q. In your view, is Special Agent Alfin's statement in paragraph 16 that I just read to you -- is that statement correct?

A. No, in my view it is not. The PCAP -- the recording of the data that the government received only shows what the government received, it does not show what the NIT sent.

So think of it this way: You have someone putting a letter in the mail, it goes through the U.S. Mail system, and the government has a video camera pointing at the FBI's office showing the letter being delivered.
Their recording doesn't show what happened along the way as the letter was making its way from point A to point B, it doesn't show who may have opened the letter, it just shows what happens once the government has received --

THE COURT: So if you received any e-mails from anyone it would have the same problem. It could be different -- if you received it, it could be different from what was sent, correct?

THE WITNESS: And, for that reason, there is technology that you can use to protect against that.

THE COURT: I understand that, but I look at e-mails all the time; I assume that they're what somebody sent. And you're saying you shouldn't assume what somebody sent because it could be changed along the way.

MR. GRINDROD: Can I follow up on that, Your Honor?

THE COURT: Certainly.

BY MR. GRINDROD:

Q. So clarify for me. Is this a theoretical possibility that this information was changed, or can you testify that, in fact, information in the PCAP data stream was changed?

A. Looking at the PCAP data stream, there are indicators in there showing that at least some of the information was changed as it was transmitted from A to B.

THE COURT: What was changed?

THE WITNESS: The IP address of the government server that is in the PCAP recording is definitely not the IP address that was -- that the NIT addressed the information to when it left the defendants' computer.

THE COURT: Excuse me. The NIT addressed the information to a different computer than that which was sent back to them?

THE WITNESS: Your Honor, I'll try and explain it in English to you, in plain English.
If I call your chambers --

THE COURT: Yes.

THE WITNESS: Let's say I have a telephone number. I call your chambers, and I ask to speak to you.

THE COURT: Yes.

THE WITNESS: I'll speak to one of your colleagues, and then they will transfer me on an extension to your chambers.

THE COURT: Correct.

THE WITNESS: I may not know your direct line. In the same way, the PCAP file does not have the extension of the server that actually received the data -- sorry.

The PCAP file contains the extension number, it doesn't contain the number of the main switchboard, and only the main switchboard number was reachable from the outside world.

THE COURT: So the government server that got the IP or the exploit was not the government server that sent back the information.

THE WITNESS: That's also true. There was a server that the government maintained that delivered the exploit, and then there was a different server that received the information back from the NIT, but then there's also a third government server --

THE COURT: Stop a minute.

First we have Playpen, okay?

THE WITNESS: That's a government server, yes, sir.

THE COURT: That's a government server. I thought the exploit got you into the Playpen.

THE WITNESS: The exploit was delivered when someone visited Playpen and caused the NIT to operate, which calls home to a second government server.

THE COURT: Okay.

THE WITNESS: Then that second government server passes the information to a third government server, and that third government server's address is in the PCAP recording.

THE COURT: So, similarly, there are several computers involved, is what you're saying.
THE WITNESS: The second IP -- the second server's address, which is the one that the NIT would have called home to, that never appears in the recording. So that IP address was changed. As the information was being passed from server number two to server number three the IP address was changed, and the recording that we've been given only lists server number three.

THE COURT: Okay. So the information being transmitted back from the Playpen to the ultimate user of the information -- that is, the person desiring the particular documents or pictures that Playpen has -- it goes through several different computers constantly in order to hide where it came from or where it was going.

THE WITNESS: That is correct, Your Honor.

THE COURT: So this is not unusual, then, for information to go from one computer to another.

THE WITNESS: If I might expand on what you're asking, the --

THE COURT: I'm merely asking how does the person know that what they got is what was sent?

THE WITNESS: I have a good answer for that.

THE COURT: Oh.

THE WITNESS: So there's a technology called "encryption." If you've ever visited your bank's Web site, you'll see a lock icon, and that's designed to do two things. It protects the confidentiality of information so that no one can see your account number, but it also stops anyone from tinkering with the information as it's sent from A to B. The connection from Playpen to the visitors to the site was encrypted, and so nothing could be tinkered with as it was going from A to B.

The connection from the NIT users back to the FBI was not encrypted, and so when the NIT called home the government did not have a chain of custody of the data that the NIT sent, and it could have been tampered with along the
way. Now, they knew how to maintain the chain of custody because they used it for the outgoing data from the Playpen site to the user, but they didn't use it on the way back.

And in your question about e-mails, it used to be a big problem on the Internet that people would receive e-mails that purported to be from other organizations. You could get someone trying to steal your banking credentials by pretending to be Bank of America or Chase. And now all of the big Internet companies actually employ some encryption technology that signs e-mails so that only Bank of America can send e-mails that look like they come from Bank of America, and if someone tries to fake it they go straight in the trash can.

BY MR. GRINDROD:

Q. So I want you to imagine for me now that you were at trial in this case and either Special Agent Alfin or some other government expert testified, in sum and substance, to what is in paragraph 16.

Would you testify to something inconsistent with that?

MS. YUSI: Objection, Your Honor. This calls for speculation as to --

THE COURT: I'm going to allow him to testify what's wrong with it.

THE WITNESS: I disagree with Special Agent Alfin's assessment of what the PCAP file -- what the recording shows. I believe it does not show what the NIT sent, I believe it only shows what the government received.
And, moreover, Special Agent Alfin --
THE COURT: So you can't tell what was sent because -- you're saying the possibility that there was some invasion or hacker that came in -- they could change whatever was sent so that the identification of the computer of the defendant was not the defendant's computer.
THE WITNESS: That possibility is there, and --
THE COURT: Except if they went to the defendant's computer and saw it then it wouldn't make any difference to you at all?
THE WITNESS: That's a legal question, Your Honor.
THE COURT: Oh, it's a legal -- what's legal about it?
THE WITNESS: You're not asking me --
THE COURT: I'm asking you. You're the expert testifying here, and I'm saying, as an expert, if the information you received is what you saw, then you still feel that a hacker changed it?
THE WITNESS: I'm not saying that a hacker has changed this stuff, Your Honor, I'm saying that the government had the means to maintain a chain of custody, and they didn't use it.
THE COURT: Oh, unquestionably. I have the means to maintain a lot of things that I don't maintain, and what you're saying is in this case they didn't utilize encryption in transmitting information. Is that correct?
THE WITNESS: That is true.
THE COURT: Okay. But that's not to say that the information transmitted was incorrect, that's to say there's a possibility that it could be incorrect if a hacker invaded it and what they saw when they got there was different from that which was transmitted.
But if it wasn't different...
THE WITNESS: So, separately, Special Agent Alfin testified that the data that left the client is exactly the data that was received by the government, and, as I just testified before, the IP address information did change along the way.
THE COURT: Okay. Go ahead.
BY MR. GRINDROD:
Q. So would you be able to have reached that conclusion had you not analyzed the PCAP data?
A. No. Within five minutes of looking at the PCAP data it was clear that there was something wrong, but without the PCAP data the only thing I would have had to go on was Special Agent Alfin's testimony saying that nothing changed.
Q. The question may come to someone's mind, why not conduct a forensic analysis of the defendant's computer. So does that move the ball forward one way or the other in answering these questions that you've raised about the exploit?
MS. YUSI: Your Honor, I'm going to object. He's not a forensic expert. He's talking about a NIT, and that's his specialty.
THE COURT: He's a computer expert. I understand that.
MS. YUSI: I'm not sure --
THE COURT: I'll allow him to testify as a computer expert, not as a forensic expert.
BY MR. GRINDROD:
Q. Do you remember the question?
A. No. Can you say it again?
Q. Sure. So the question may come to mind, why not look at our clients' computers.
THE COURT: Not "why not." Ask him a question.
MR. GRINDROD: Okay. So --
THE COURT: Don't ask him why not.
MR. GRINDROD: Okay.
THE COURT: Please, don't.
BY MR. GRINDROD:
Q. Would a forensic analysis of the hard drives of the computers in this case --
THE COURT: Stop. He just said no forensic testimony, and I agreed. He's not claiming to be a forensic expert, he's claiming to be a computer expert, and you just -- what a forensic -- do you see what I'm trying to tell you? Let's don't get into that.
BY MR. GRINDROD:
Q. So you've addressed certain questions that -- and talked about how the exploit may shed light on certain answers. Is there anything about looking at the computers themselves in this case that would answer those same questions?
A. It would be very difficult. The longer the time period between when the NIT and the exploit executed and when the computer was searched and ultimately a forensically sound copy of the computer was made -- the longer that period is, the more time there is for information on that computer to deteriorate.
If the government had conducted the search of the defendant's house an hour after the NIT operated and the computer hadn't been turned off, you know, you'd probably have a pretty good idea of what happened. But if it's been months and the computer has been turned off frequently, a lot of information would have been lost, particularly if much of what the NIT and the exploit did only tampered with the software that was running on the computer and not the software that was installed permanently on the computer.
And, so, it would be really hard to reconstruct what happened a year before just by looking at the physical computer, without being able to look at the individual components of the government's software that ran on the computer.
Q. Let's talk quickly about the last component that has not been produced, the unique ID generator.
You told us what that is, but can you tell us why that's important, from your technological perspective?
A. Sure. As I said before, the purpose of the ID generator is to allow the government to associate a known user on the Web site, someone with user name Jack, with a particular IP address that is revealed through the NIT.
For that to be -- for the ID generator to be helpful, it must generate a unique ID only once. If it malfunctions for some reason and generates the same ID over and over again, you could incorrectly associate one user's activity on the site with a different person's IP address.
Q. Other than looking --
THE COURT: Well, was there any evidence that there was multiple deliverance of the same site?
THE WITNESS: Well, there's certainly hundreds --
THE COURT: I didn't ask you that. Was there any evidence in this case? I don't remember any declaration saying that. Where do we get this? Is there any evidence of this?
MR. GRINDROD: I'm sorry. Any evidence of what, Your Honor?
THE COURT: Just what he testified to.
MR. GRINDROD: Well, Your Honor, we haven't been provided with the evidence. We haven't been provided with a unique identifier, so we don't --
THE COURT: Well, how is he testifying as an expert on that which he doesn't know any evidence of?
MR. GRINDROD: He knows what --
THE COURT: It makes suppositions, but I don't want to start talking about evidentiary matters. When we start dealing in that we're dealing in a different scope. He's an expert. Not a forensic expert, but a computer expert. And I am assuming that he is a computer expert.
MR. GRINDROD: Well, this --
THE COURT: The question in my mind is -- the only question I'm trying to find out is where we're going.
MR. GRINDROD: I --
THE COURT: The question really before us is did the government violate Mr. Eure's constitutional rights.
MR. GRINDROD: Well, Your Honor, we're --
THE COURT: That's one question we're dealing with, and so far I've heard very little about that. I've heard a lot about the computer. So eventually we're going to start talking about something that's evidentiary in this case.
We allowed an expert to testify, and I did it out of order, without any evidence at all other than the evidence in the declarations. And we can do that because this is not a trial of any sense but a question of the appropriateness of various search warrants.
MR. GRINDROD: Well, Your Honor, we're also --
THE COURT: And I assume we are dealing first with Mr. Eure's warrant that you're trying to suppress the evidence. Now, what evidence are you trying to suppress?
MR. GRINDROD: None with this, Your Honor. I'm sorry. As I tried to flag for the Court, I had moved on to the motion to compel. These are trial --
THE COURT: Oh, you're not -- the only thing in the motion to suppress, then, was what was on his computer?
MR. GRINDROD: Was the -- well, Your Honor, to the extent -- Your Honor, basically, the testimony that I offered with respect to where the NIT was installed, the geographic location, and also as to how the NIT would have worked had the warrant only authorized it being deployed on computers that were located in the Eastern District of Virginia. Those were the topics that were specifically directed to the suppression.
THE COURT: So all of this testimony that he has, other than that very short testimony, deals with the motion to compel.
MR. GRINDROD: That's correct, Your Honor.
THE COURT: I got lost on the motion to suppress. And so all of this deals with the motion to compel them to produce what?
MR. GRINDROD: To produce the exploit and the unique ID generator.
THE COURT: The code is what you want, correct, the code that allows them to get into Tor?
MR. GRINDROD: The code that allowed them to get into our client's computer. They were operating the Playpen server on Tor, but --
THE COURT: So what you're seeking to suppress is exactly what? So tell me.
MR. GRINDROD: Well, with respect to suppression, it's everything that was a fruit of the NIT.
THE COURT: Everything is nothing, so tell me what it is you're seeking to suppress.
MR. GRINDROD: Your Honor, we're seeking to suppress all fruits of the NIT search. And that's how they identified our clients in these cases, so it's everything. I mean, I don't mean to be cavalier --
THE COURT: Well, normally if we have a weapon we want to suppress the utilization of the evidence.
MR. GRINDROD: Correct.
THE COURT: If it's the subject of a seizure, that was the subject of an illegal search and seizure. Evidently, they seized or obtained evidence by a search.
MR. GRINDROD: That's correct.
THE COURT: And you're seeking to suppress what? That's all I'm asking.
MR. GRINDROD: To suppress the evidence of the -- obtained by -- I'm sorry, Your Honor.
THE COURT: What evidence? What gun, weapon, anything else? Tell me what it is you're seeking to suppress.
MR. GRINDROD: We're seeking to suppress the hard drives, the -- we're seeking to suppress the information --
THE COURT: The hard drive is not in evidence. It's not -- what difference does that make? It's what information was taken from the hard drive.
MR. GRINDROD: Any and all evidence from it, Your Honor.
THE COURT: What information are you seeking to suppress, is what I'm trying to get at.
MR. GRINDROD: If I could --
THE COURT: When we suppress something we have an object to suppress; a PIN, the wording of such-and-such and so-and-so, this particular evidence.
All I'm asking is what evidence are you seeking to suppress?
MR. GRINDROD: We're seeking to --
THE COURT: When you say, we're seeking to suppress all evidence of his guilt, that's wonderful, but it doesn't help me a bit. It doesn't help anyone.
So what are we seeking to suppress?
MR. GRINDROD: Testimony about our client's alleged activity on the Playpen Web site, testimony regarding -- Your Honor --
THE COURT: That's not a motion to suppress. You've got to suppress some evidence. What evidence are you seeking to suppress?
MR. GRINDROD: The IP address mainly, Your Honor.
THE COURT: I understand you're seeking to suppress anything that might lead to your client being guilty, and I understand that, but that is not a motion to suppress. You've got to suppress something.
MR. GRINDROD: We're seeking to suppress the IP address, the MAC address --
THE COURT: Wait a minute. You're seeking to suppress the IP address of the defendant, correct?
MR. GRINDROD: Correct.
THE COURT: What else?
MR. GRINDROD: The MAC address.
THE COURT: The MAC -- what's the MAC address?
MR. GRINDROD: It's the unique code that appears on any wireless card, so it would have been the code associated with the device our client used to access the Internet. It was obtained through the use of the NIT.
THE COURT: You're trying to suppress what your client's code was?
MR. GRINDROD: Yes, Your Honor.
THE COURT: Client's code.
MR. GRINDROD: The host name, Your Honor, the operating system.
THE COURT: You can't suppress a system. You can suppress something.
MR. GRINDROD: Suppress any testimony regarding what operating system was running on any computer associated with --
THE COURT: You want to suppress any evidence of any operating systems on any computer or a particular computer?
MR. GRINDROD: On the computers mentioned in the forfeiture allegations in this case.
If I may, Your Honor, I don't mean to make an end run at all around the Court's desire to get specific about this, but if I could just very briefly explain why I think it is -- why the --
THE COURT: No, don't explain anything. The witness is on the stand. Let's keep going.
MR. GRINDROD: Understood, Your Honor.
THE COURT: You've got five minutes, and that's it.
MR. GRINDROD: Understood, Your Honor.
THE COURT: The ball game's over.
BY MR. GRINDROD:
Q. We were talking about the unique ID generator. Is there any other means of determining whether multiple IDs were created that matched, other than having the generator itself?
A. The government's server would know which IDs were sent back, so the government has in their possession a list of NIT clients that called home and what their unique IDs were. But some of the NIT clients would never execute properly, so there would be failures. And so there's no way of knowing, without looking at the generator, if the generator would have executed successfully, if it did what it was supposed to do and gave unique codes to everyone.
THE COURT: What is the ID generator?
THE WITNESS: So this is the code that creates serial numbers for each operation of the NIT.
THE COURT: "This is the code." The ID generator is the code?
THE WITNESS: Yes, Your Honor.
THE COURT: So without knowing the code you don't know what the government's position was.
THE WITNESS: Without knowing the code you don't know if the ID numbers were created properly. In a successful, good operation you would want one new code for each delivery of the NIT. If that code malfunctioned and gave two people the same ID, that would be a bad thing.
THE COURT: Except we have no evidence of any malfunction. That's a supposition you're making. If that occurred something would be different, correct?
THE WITNESS: That's why it's useful to have the code.
THE COURT: If it occurred, something would be different, correct?
THE WITNESS: Yes, Your Honor.
THE COURT: All right.
BY MR. GRINDROD:
Q. Let me jump back and talk to you briefly about the exploit one more time.
To your knowledge, has the FBI disclosed the exploit in this case to anyone?
A. Sure. When the operation took place the government would have provided the exploit to hundreds of thousands of people. When the operation took place the exploit was delivered to every person who the government delivered the NIT to.
Q. Was there any way for someone to capture the exploit or record it?
A. Sure. Just as the government can make a recording, a PCAP file, on their end and record the data that they receive, so, too, can individuals record a copy of all the data that they receive from the Web sites that they visit.
And in a previous NIT operation that the government did in 2013 a copy of the exploit that they used then was -- the exploit and the NIT were saved by experts who visited the Web site that was being used for the NIT delivery, and the government's exploit and NIT were analyzed by independent experts.
So the government has in the past, through unfortunate luck, had their NIT and their exploit analyzed by the open research community.
THE COURT: This particular NIT was -- this exploit was analyzed?
THE WITNESS: No, Your Honor, a different one that they used in --
THE COURT: A different exploit.
THE WITNESS: -- in 2013.
THE COURT: In 2013.
THE WITNESS: This operation took place in 2015, but two years before that the FBI seems to have made a mistake, and their NIT was delivered to people who were not themselves viewing contraband, and some of those individuals saved copies of the NIT and published it online.
MS. YUSI: Your Honor, I'm going to object to his speculation as to any mistake that was made.
THE COURT: I'm going to allow him to testify for what it's worth, ma'am, okay?
MR. GRINDROD: I have no further questions at this time, Your Honor.
THE COURT: All right. You have 50 minutes for cross-examination. We're going to have to come back tomorrow morning, it looks like. Let's go.
MS. YUSI: I'm sorry, Your Honor. You said we only have 15 more minutes?
THE COURT: 50 minutes.
MS. YUSI: Okay, Your Honor.
THE COURT: Wait a minute.
Mr. Cejas, in relation to your portion of this testimony, do you want to ask any more questions of this --
MR. CEJAS: No, sir.
THE COURT: All right. Anything that hasn't been asked. All right. Let's go.
MS. YUSI: Your Honor, I have an agent here. I have Special Agent Alfin here from D.C., so I'm hoping we can get him on briefly today.
THE COURT: Okay.
CROSS-EXAMINATION
BY MS. YUSI:
Q. Dr. Soghoian, you said you're pro bono here, but you're not here on behalf of the ACLU, correct?
A. That's correct.
Q. Do they support you being here?
A. What does that mean?
Q. I mean, did they approve? Did you ask to be here on their behalf?
A. Not on their behalf. I was told, in fact, that for the NIT work that I've been doing, the unpaid NIT work, that I should emphasize in each case that I'm doing this in my personal capacity and not on behalf of the ACLU.
Q. Okay. Your supervisors told you to not associate the ACLU with what you're here for today?
A. And when I speak on panels at conferences I'm also told to say that, just like government employees.
Q. All right. Now, you agree that the TOR project doesn't promise perfect security to its users, correct?
A. I believe there's a statement on the Tor Web site that acknowledges risks associated with the Tor software, yes, ma'am.
Q. And Tor is used by a lot of people, but it includes criminals who commit crimes, correct?
A. I believe that's true.
Q. Do you believe that, or do you know that to be true?
A. I don't know any criminals that have used Tor, but --
Q. But you've testified in a lot of criminal -- well, this particular --
A. This is my third case.
Q. Okay. But you're aware that Tor has been used by criminals, based on news reports and things like that.
A. Yes, ma'am.
Q. Okay.
THE COURT: You didn't know that child pornography was criminal?
THE WITNESS: I'm aware that child pornography is a crime, but I don't have firsthand knowledge -- I only have -- I've read the newspapers --
THE COURT: You don't have firsthand knowledge of any of this, sir, you only have knowledge that was based on what your investigation was.
And your investigation did not reveal any criminal activity?
THE WITNESS: The --
THE COURT: You mean you didn't see anything about child pornography in this case?
THE WITNESS: Your Honor, I haven't looked at any child pornography in this case.
THE COURT: Nobody told you what this case was about?
THE WITNESS: I've certainly read the affidavits in this case, but I haven't looked at any of the child pornography, if that's what you're asking.
THE COURT: The affidavits mean nothing. That's the evidence in this case, correct?
THE WITNESS: The --
THE COURT: You didn't analyze anything from the affidavits. Even as a human being you didn't realize that this was all dealing with child pornography?
THE WITNESS: So my understanding -- so the three cases --
THE COURT: Your understanding is child pornography is not a crime?
THE WITNESS: Your Honor, the three --
THE COURT: You testified that this wasn't criminal activity.
THE WITNESS: The three cases in which I've testified, none of them have led to convictions yet, so I don't personally know --
THE COURT: So it's not a crime unless someone is convicted of it, correct?
THE WITNESS: I'm not a lawyer, Your Honor, but that's --
THE COURT: Just so I understand what you're saying -- you know, the problem is -- the only thing that's criminal is if there's a conviction? If somebody shoots another person and they don't convict them, it's not criminal, correct?
THE WITNESS: I don't know, Your Honor. I'm not an expert on that.
THE COURT: You don't have to be an expert to understand what murder is, do you?
THE WITNESS: (No answer.)
THE COURT: You know, I'm not trying to do anything except find out...
Go ahead. I'm sorry, Ms. Yusi.
BY MS. YUSI:
Q. You agree that law enforcement -- their job is to stop crime, correct?
A. That is one of their jobs, yes, ma'am.
Q. All right. And they have an obligation to stop crimes, including sexual exploitation of children on the Internet.
A. Yes, ma'am.
Q. And they need to stop and identify these criminals through legally available means, correct?
A. I'm sorry. Can you ask that question again?
Q. Do you agree that law enforcement should stop the exploitation of children on the Internet through legally available means? Do you agree with that?
A. Yes, if those means are lawful.
Q. Okay. But you also agree that your purpose is to also fight government surveillance, right?
A. Yes, ma'am -- well, I believe that my role is to help our democratic system keep surveillance under control.
Q. Okay. And to fight surveillance?
A. That is what I do through my actions as someone who helps the courts and legislative bodies adequately oversee surveillance tools that are frequently used in the shadows.
Q. And you consider yourself an activist, correct?
A. I'm an activist and a scholar and a researcher.
Q. Okay. I'm going to show you what I've marked as Government's Exhibit 1.
THE COURT: Ms. Yusi, I'm going to keep going until the government testifies, so everybody just be prepared to stay late.
MS. YUSI: Thank you, Your Honor.
BY MS. YUSI:
Q. Do you recognize this?
A. Yes, ma'am.
Q. What is it?
A. These appear to be printouts of tweets of mine from Twitter.
Q. And what is Twitter?
A. Twitter is a social network.
Q. Okay. And you have an account there?
A. Yes, ma'am.
Q. And you frequently tweet about personal and professional observations?
A. It's mainly professional.
Q. Mainly professional.
A. Uh-huh.
Q. This is the front page of your Twitter account, correct?
A. That is my Twitter home page, yes, ma'am.
Q. And how do you describe yourself?
A. In my bio it says I fight surveillance, and then it says, "Views expressed here are my own," which, as I described before, my employer asked me to put.
And then -- do you want me to continue?
Q. No, that's okay.
And I'm going to show you page 2 --
MS. YUSI: I'm sorry, Your Honor. The government moves to admit Exhibit 1.
THE COURT: You're going to have to speak into the microphone.
MS. YUSI: I'm sorry, Your Honor.
The government moves to admit Exhibit 1.
THE COURT: This is merely for what purpose, ma'am?
MS. YUSI: Your Honor, bias, to show the expert's --
THE COURT: Has he admitted to this?
MS. YUSI: He admitted that these are tweets that he wrote on his Twitter account.
THE COURT: All right. It's admitted, but I haven't looked at it yet, other than the front page of this thing.
MS. YUSI: I'll go through it, Your Honor.
THE COURT: Okay.
(The exhibit was admitted into evidence.)
BY MS. YUSI:
Q. Page 2. Is this one of your tweets?
A. Yes, ma'am.
Q. And what did you say?
A. Are you asking me to read it, or --
Q. I am asking you to read it.
A. So this is a tweet @daveaitele, who is an ex-NSA analyst.
"The FBI shat the bed with their Playpen op. An overbroad, illegal warrant, and no chain of custody for the data they collected."
Q. At this point had you looked at things on some of these defendants' computers?
A. I've never looked at any defendant's computer, ma'am.
Q. I'm talking about the information that was sent. Had you looked at the NIT and the source code and the affidavit or the search warrant? At this point had you looked at those?
A. What is the date of this tweet?
Q. I'm not sure. You remember writing it, though, so --
A. That's because I was shown it in court last week.
Q. Okay. And at that point you said you didn't remember, right?
A. I didn't remember if I had tweeted it, but then one of your colleagues from the U.S. Attorney's Office in Arkansas showed me a printout, and I believe I said, "That looks about right."
Q. Okay. And do you remember the date?
A. No.
Q. So you're not sure if you had this opinion before or after you started testifying?
A. Testifying or looking at stuff?
Q. Either.
A. Well, I testified in the Michaud case, which was the first one, but never looked at the NIT or the PCAP file. I never looked at any of the evidence that was under protective order in that case. I only looked at that in the Arkansas case, in which I testified two weeks ago.
Q. But you have an opinion that everything that the FBI did in this case, or the NIT, was illegal, correct?
A. I have a personal opinion that the method that the government employed exceeded Rule 41 of the Rules of Criminal Procedure and that it has some serious Fourth Amendment issues to it, yes, ma'am.
Q. Okay. And you want to see the source of all this in order to further show that you believe it's illegal, correct?
A. No. I believe that the legal issues can -- the Rule 41 issue I believe doesn't involve the source code. I believe that the Fourth Amendment issue as to whether searching 10,000 or 50,000 computers with a single warrant -- whether that -- I don't think the code is important there.
I think in this case, you know, if you -- there are things that the defense counsel, I think, wants to be able to see, such as the chain of custody, such as the state that the computer was in before it was hacked, the state the computer was in after it was hacked, where the code would be useful.
I'm actually, as I -- I assume you've read the Arkansas transcript. As I said there, I'm actually not the right person to look at the exploit itself. I don't want to look at the exploit. I don't have the skills for it. In the same way you wouldn't hire a tax attorney to do a murder defense, I don't have the specialized skills to look at the exploit.
Q. So you want to be -- just to be clear about your position just in general, you want to fight surveillance and limit the government's ability to surveil on the Internet, including Tor?
A. I believe in the Fourth Amendment, and the Fourth Amendment limits the role of government, and the Fourth Amendment creates a role that judges have to play of supervising surveillance tools, and I think that it would be a really awesome thing if the Fourth Amendment more robustly were applied to the use of NITs.
Q. So the Fourth Amendment was violated in this case, and you believe that without even having seen what you call the whole NIT in this case.
A. So, as I said before, in my view there are real questions about whether a single warrant can be used to authorize 50,000 or 100,000 searches.
THE COURT: Were there 50,000 users of this child pornography site? Is that what you're saying?
THE WITNESS: The FBI has testified that there were 100,000 people who visited the site in the two weeks that it was under the government's control, but they have not revealed how many of those were --
THE COURT: 100,000?
THE WITNESS: Yes, Your Honor, but they have not revealed how many of those the NIT successfully operated against.
THE COURT: 100,000?
BY MS. YUSI:
Q. And if there were 100,000 people, you agree that law enforcement still has an obligation to try to investigate who is a part of this Web site, correct?
A. Sure.
Q. And regardless of how many there are, if it's a legal warrant then it's a legal warrant, correct?
A. No. I think that -- I think that the Fourth Amendment -- the Fourth Amendment should not permit searches of such a huge scope. I think that if -- with a single warrant the government can search thousands of computers --
Q. But this personal opinion -- I mean, you have this opinion, and you're applying it to see the -- you want the NIT released, correct, in an effort to further your personal opinion.
A. I don't know that anyone is asking for it to be released, ma'am.
Q. You're asking for access to it, and that's to further your personal opinion, correct?
A. I haven't asked for access to the NIT for my sake, because I don't have the skills to look at the exploit. The NIT has already been turned over to the defense.
Q. Okay.
A. The exploit is something that I don't have the skills to analyze.
Q. But you're opining as to why it would be important.
A. Sure, but whoever will look at that will be under a protective order, just like I'm under a protective order for the NIT.
Q. And you also criticize the FBI publicly on a regular basis. Is that right?
A. As I also criticize companies and other parts of the government, yes, ma'am.
Q. Let me show you page 3 of Exhibit 1.
And you're criticizing the FBI for saying that they can't be bothered to use security, a secure Web site, correct?
A. Yes, ma'am. Would you like me to describe that?
Q. No.
A. Can I?
Q. I haven't asked that question, but --
A. Well, may I describe what I'm saying here?
Q. Sure.
A. Okay. Last year the Office of Management and Budget required every federal agency to encrypt their Web sites. By default, the FBI home page is now encrypted, as are many U.S. Government agencies.
Over the last few months and the last year, I have pushed different parts of the government to follow that order, and I have had personal conversations with the FBI's general counsel about encrypting their e-mails, for example, and they say that they're working on that. They're making slow progress, and I think that, just as the FBI has encrypted its home page, they should be using encryption on their NIT server.
Q. Let me show you what's been marked as --
A. Ma'am, there are no page numbers on this, so --
Q. Right. That's why I'm counting. Page 6, where it starts with, "The FBI's malware transmits data back to the FBI server." And it will be on your screen, too.
A. Okay.
Q. Do you see that?
A. Yes, ma'am.
Q. So, again, you're commenting on the FBI, and what does "face palm" mean at the end?
A. "Face palm" is a way of expressing shock at an action.
Q. That means -- okay.
8 on -- 9 A. 10 So you're, once again, commenting So this is -- embedded under that tweet is a screenshot from -- wait a minute. 11 I haven't seen this in a while. (There was a pause in the proceedings.) 12 BY MS. YUSI: 13 Q. You're commenting on the Matish case here, correct? 14 A. That's correct. 15 Q. And that's the other case in this court in front of Judge 16 Morgan. 17 A. 18 embedding a screenshot from a public document and summarizing 19 for a lay audience what that document said. 20 Q. 21 your pro bono as an expert, correct? 22 A. 23 public proceedings. 24 Q. 25 declarations and things like that in these cases, correct? Is that correct? This would have been a public document, and I was So you're advertising what you're doing on your behalf in No, I'm describing facts that have come to light in Okay. And you're also bragging about providing Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 78 of 157 PageID# 611 78 C. Soghoian - Cross 1 A. What do you mean by -- 2 Q. I'm going to show you -- you can look on the screen, too. 3 "I wrote an 8-page expert declaration in an FBI 4 hacking case." And you -- 5 A. I don't see anything there that's bragging. 6 Q. If you can look on the screen -- 7 A. No, I see the tweet. 8 bragging. 9 that I downloaded from PACER, which is a publicly accessible I'm saying I don't see that as I'm publishing a link to a copy of a declaration 10 system. I paid for the declaration through PACER and 11 published it because there are a number of scholars, academic 12 scholars, and journalists who are really interested in 13 NIT-related issues. 14 Q. 15 want to continue this livelihood after this case is over, 16 correct? 17 A. 18 what to work on. 19 on NITs." Okay. And this is your livelihood, correct? I mean, you So the way it works at the ACLU is I'm actually not told 20 So no one said, "Chris, please spend time I think this is interesting, so I chose to work on 21 this. 
There are a million other issues I could work on. There's no shortage of interesting Fourth Amendment issues, and so if the entire NIT issue went away I would move on to body cams or GPS darts or whatever new surveillance technology the government uses. There are plenty of people who want to learn how they work and have me explain it to them.

Q. Okay. And, as you said, you fight surveillance, and particularly government surveillance is what your main focus is.

A. I mean, I worked in consumer privacy issues for a few years, but I've shifted my work towards government issues, yes, ma'am, the U.S. Government but also other governments.

Q. I want to talk to you about your declaration and some of the things you were testifying about earlier.

A. Sure.

Q. Do you have a copy of your declaration?

A. I don't. Do you have a spare copy that you could give me?

Q. Yes.

(There was a pause in the proceedings.)

BY MS. YUSI:

Q. I'm going to show you what we marked as Government Exhibit 2.

MS. YUSI: Your Honor, this is just a copy of -- I don't know if I need to admit it into evidence, but I will do so now, the declaration of Dr. Soghoian, just for ease sake.

THE COURT: Was it attached to --

MS. YUSI: It was attached to the reply in support of Defendant Eure's motion to compel.

THE COURT: Okay.

(The exhibit was admitted into evidence.)

BY MS. YUSI:

Q. If we could look at paragraph 19 on page 5.

A. Yes, ma'am.

Q. And that's where you're criticizing the FBI about not using encryption for information that was transmitted by the NIT to the FBI server, correct?

A. Yes, ma'am, that's true.

Q. Now, when you talk about how someone could possibly have tampered with that information, that's speculation, correct?

A. Sure.

Q. Okay. There's no proof of any of that in this particular case, correct?

A. It is very difficult to detect tampering with unencrypted data as it goes over the Internet.

Q. So it's just speculation that you might be able to see something when you looked at it, correct?

A. When you say "you" do you mean me, or do you mean someone watching the data as it's going over the network?

Q. I'm talking about you looking at the exploit or the unique identifier that you want to look at.

A. The unique identifier and the exploit have nothing to do with encryption issues.

Q. Okay. All right. So --

A. The encryption issue is about chain of custody --

Q. Okay.

A. The exploit is about the state of the computer and whether the information derived from it was forensically sound.

Q. Okay. How would it work? Do you know how it would work if someone had -- what would have to happen if someone was to have changed the information that was sent from the user back to the FBI?

A. Sure, I can explain that. So when data is sent over the Internet it goes from your computer to a remote server, say the FBI's Web site, and it has to -- we don't have direct connections, direct lines, from, you know, our houses to every Web site we visit. We have to go through a bunch of points along the way, and those points are servers or devices that are called routers that are run by companies like Comcast, Verizon, and AT&T. And at every point along the path anyone controlling that server, either the operator of the network or a hacker or a foreign government that has gained improper access to those devices --

Q. Are you saying that a foreign government is involved with hacking this particular case?

A. I don't know, but I -- would you like me to finish what I'm saying, or --

Q. No, I'm just -- you're saying a lot, so I'm trying to --

A. Governments hack routers. This is a known thing. The U.S. Government hacks foreign communications networks, and I'm sure that China and Russia hack U.S. Government networks. This is why there are a lot of people working in cyber security these days.

Generally, servers that deliver our data are not trusted anymore. This is why large responsible organizations now use encryption to protect data. This is --

Q. And I get that, but what I'm asking for is the NIT was sent to a user's computer, correct? And then that NIT got the information from that computer and sent it to the FBI immediately, correct?

A. I mean, there might have been a one-second delay, I don't know, but quickly.

Q. Someone, if it was unencrypted, would have to hack it or be involved with it during that one second, correct?

A. No.

Q. No?

A. No.

Q. Okay. So --

A. If they had already hacked the server and they had --

Q. Hacked the FBI's server?

A. No, ma'am, hacked one of the servers or routers sitting between an individual NIT user and the government server. Either someone who has hacked it, an employee or a piece of malfunctioning software on one of those computers, could change data that is going through it, just as the government's own server changed the IP address in the PCAP file that you gave to me.

Q. Okay. Well, the PCAP -- let's talk about that.
You're talking about something that was -- you're talking about the review of the PCAP data indicated that the -- seized from the defendant's computer changed in transit, correct?

A. Uh-huh.

Q. When you're talking about that, are you talking about the substantive data or the header that was sent back?

A. The IP address appears in the header, not the -- if you have, like, the envelope and the data that's inside the envelope, it would be the data on the outside of the envelope that was changed.

Q. So it's like the header of an e-mail. Like when you reply to something you don't change the subject, but it says "Re," R-E. When you reply to most e-mails accounts it automatically does that on the header, correct?

A. I don't think that's a great analogy. I think -- I mean, there are other ones that I --

Q. I'm just saying it's the automatic change of a header as it goes through.

A. Certainly, the two changes that definitely occurred here were automatic. We have no way of knowing if there were any other changes, because you didn't use encryption.

Q. So when you're telling the Court that you found indications that something was tampered with, you were talking about automatic changes.

A. I'm saying that the data in the PCAP file is not the same information that left the defendant's computer.

Q. Because of automatic changes in the header.

A. So it was changed probably by the Wi-Fi router in the defendant's home, and that would have been a change of the source address. And then whatever government server was --

Q. I'm asking -- it was automatic, correct?

A. Yes.

Q. And you want the Court -- you were trying to have the -- your information to the Court was automatic changes mean that that's evidence that there could be other changes in the substantive. Did you find any changes in the substantive?

A. No. This is the -- the IP address isn't in the substantive part, the IP address appears in the header.

Q. I'm talking about the substantive portion. You found nothing different in that from what was sent to the user to what was sent back to the FBI.

A. We don't know what --

Q. You looked at the PCAP.

A. Right. That only shows what was received by the FBI.

Q. Okay.

A. It doesn't show what left the user's computer.

Q. You saw the unique identifier in both what was sent to the computer and what was received by the FBI. Is that right?

A. I saw the unique identifier that was received by the PCAP -- that is contained in the PCAP file.

Q. So just to be clear, there are no substantive changes. You saw automatic changes, and that is what you're relying on to say that there's a possibility that there were other changes.

A. I think that's not a great way of saying it. You didn't give me --

Q. Is that a simple way to say it?

A. No. You didn't give me two PCAP files. It's not like I looked at one file and looked at another and saw something change from A to know B. All you gave me was one file, but I can tell from the IP addresses that are in it that it was changed twice.

Q. And wasn't it a two-way communication file?

A. That's what the government called it, yes, ma'am.

Q. And then what was sent to the computer, the computer instructions, you were also given that, correct?

A. We don't have a -- We don't have a PCAP file of the instructions being sent.

Q. But you actually have the source code that was sent there.

A. No, we don't have the source code, we have the computer code, the object code.

Q. I'm sorry, the object code. You have that of exactly what was sent there.

A. Yes, but that's not -- that's the code that gets to the computer. What's missing is the exploit, and then what's missing is a PCAP file saved from the defendant's computer.

Q. And you were also speculating as to looking at a defendant's computer may not be helpful, correct?

A. I answered some questions about that.

Q. Okay. But you said it would not be helpful.

A. I said over time it would be less and less helpful.

Q. Okay. But you don't know that for sure, so you're speculating.

A. I mean, when you reboot a computer, whatever is in memory disappears. And, so, if you --

Q. That's in the ram, not in your hard drive.

A. That's correct.

Q. And ram is very small in most computers, correct?

A. I mean, we generally have much less ram than storage space, yes, ma'am.

Q. And most of the things that are found on computers are going to be in your external hard drive, and that, if it's done correctly by a trained forensic person, is going to be the exact same as when that computer was turned off.

A. So the data that the NIT collected, such as the MAC address, that's not stored on the hard drive. That's stored initially in the Wi-Fi card, but it can be changed by running software, and then that would be in memory.

Q. And in this particular case you looked at at least Mr. Eure's information from his computer, correct?

A. I haven't looked at information from his computer, no, ma'am.

Q. Okay. So let's say hypothetically that the MAC address was -- the exact same MAC address that was sent to the FBI was the MAC address of Mr. Eure's computer that contained child pornography.

Would that change your speculation as to whether or not you need an exploit to prove any infirmities?

A. No. So, as I said before, having the exploit will give you some indication as to whether the computer was left in either a secure state or an insecure state, and without the exploit you don't know if information that's on the computer -- that's stored on the computer was downloaded by the defendant or may have been put there later by someone else.

Q. How about a defendant -- hypothetically, let's say both defendants, Mr. Eure and Mr. Darby, in this case, confessed that they used Playpen, that they had those exact user names that were in their search warrants, and that they were responsible for what was on their computer and what they saw in Playpen.

Would that change your opinion that the exploit and the unique identifier generator is necessary?

A. That they -- so I need to ask a clarifying question of you.

Did they say that every single file that was on the computer was downloaded by them?

Q. This is a hypothetical --

THE COURT: They didn't say every single file was anything. They just said the information contained on the computer was their information on their computer. And the fact that that information was what the FBI had also discovered makes no difference to you, does it?

THE WITNESS: If -- knowing -- being able to see the exploit -- and, to be clear, not me but someone skilled in the art of malware and exploit analysis being able to look at the exploit --

THE COURT: The question is it doesn't make any difference, because isn't it true that you challenge all computers where they don't use encryption; that is, that includes all e-mail providers, social networking sites, and any Web sites that transmit computer data. Is that correct?

THE WITNESS: I'm sorry, sir, I don't understand the question. Can you ask it again?

THE COURT: Let me say this:

You challenge all of the companies that are not using an encryption by default. Isn't that correct?

THE WITNESS: I have spent several years pushing companies and government agencies to encrypt their data, yes, sir.

THE COURT: I didn't ask you about several years, I asked you is it true -- and I'll repeat it -- "I challenge all the companies that are not using https by default."

Is that correct?

THE WITNESS: Challenge to what? What are you reading from?

THE COURT: "...includes all e-mail providers, social networking sites, and any Web site that transmits consumer data. Step up and protect consumers. Don't do it just some of the time, make your Web sites secure by default."

THE WITNESS: Okay, now I know what you're quoting. That's a statement by Pamela Jones Harper, a Commissioner at the Federal Trade Commission. Those are not my words, those are hers.

THE COURT: So you don't agree with it.

THE WITNESS: I agree with it.
THE COURT: You printed it.

THE WITNESS: I think I cited it.

THE COURT: Yes, and you gave it verbatim in your declaration, did you not?

THE WITNESS: Sir, that's a quote in a footnote.

THE COURT: I understand.

THE WITNESS: Okay.

THE COURT: But you gave it. I didn't dream it out of the air, did I?

THE WITNESS: You didn't dream it out of the air, but --

THE COURT: Okay. You know, you're going to have to start answering questions and stop arguing all the time about every question. Nobody is trying to trick you in any way, we're just trying to get at what you're seeking to achieve.

You're seeking to achieve the fact that the FBI did not encrypt the material it was sending back, correct?

THE WITNESS: Yes, Your Honor.

THE COURT: And that's it in a nutshell, isn't it?

THE WITNESS: I believe that the government should have encrypted the data, because it would have provided tampered evidence.

THE COURT: That's all right. Okay. Let's move along, Ms. Yusi.

BY MS. YUSI:

Q. Now, you did agree -- just to touch base with the suppression issue, you agree that every user and every person that's been charged, or has allegedly been involved with Playpen and charged, that that person had to choose to go to the Playpen site, correct?

A. I don't believe I said that.

Q. You said everyone that got the NIT had to go to the Playpen Web site.

A. Right, but I didn't say that they had to choose to go. So it's possible to visit the site without choosing to go there.

Q. Okay. Let's say they open up an account and they've been seen well before the NIT, they continue to use the site; they use it afterwards, too. Okay? Let's say that. They go to -- they're choosing to go to a Web site at that point, correct?

A. Sure.

Q. And they have to go to the Eastern District of Virginia to get information from that Web site. Do you agree?

A. No, they don't go into the Eastern District of Virginia.

Q. They cause their computer to go into the Eastern District of Virginia, or the Internet, or whatever --

A. When I call my family in New Haven I'm not entering the City of New Haven, I'm sitting in Washington, D.C. making a telephone call. And my voice is turned into digital data, and it goes over a phone line, but I never leave D.C.

Q. You also talked about what the FBI knew in terms of activity of each user on the Web site, correct?

A. Yes, ma'am.

Q. You said you don't know what they knew, if they knew anything. Is that right?

A. Well, so, we've seen in several cases the government has described information in affidavits about how many hours individuals spent logged in to the forums, when they created their accounts. So there's certainly some information that was collected and created initially by the server administrators and then further supplemented by the government.

Q. And there's activity logs or user reports?

A. Yes, ma'am.

Q. And, so, the FBI knew what was going on, at least in those cases that you know about?

A. The government knew about activity associated with accounts but not with IP addresses.

Q. Right. Until there's a NIT, right?

A. Until they hacked the computers of the people visiting the site, yes, ma'am.

THE COURT: You have seven minutes left, Ms. Yusi.

MS. YUSI: Yes, sir. If I can have one moment.

(There was a pause in the proceedings.)

BY MS. YUSI:

Q. One last thing:

You said earlier that encryption is a guarantee of safety, correct?

A. Did I say that today?

Q. Yes.

A. When did I say that? Can you read that back?

Q. I don't think we need to, but -- okay. So you agree that encryption is not a guarantee?

A. That's correct. Encryption -- just like a doctor washing his or her hands before surgery is not a guarantee that you'll come out of surgery in good condition. If they don't wash their hands, you're going to have a really bad time, and encrypting is a contributing element to good cyber security hygiene.

MS. YUSI: Thank you. Those are all my questions, Your Honor.

THE COURT: Any other questions?

MR. GRINDROD: No, Your Honor.

THE COURT: Thank you very much, sir. You may step down.

Who is your next witness?

MR. GRINDROD: Your Honor, there are no further defense witnesses. We would just offer the transcript from proceedings before Judge Morgan in the United States against Edward Joseph Matish. The parties have reached an agreement that we will submit this transcript for the Court's consideration with respect to the pending motion to suppress in Mr. Eure's case.

THE COURT: The entire transcript from Judge Morgan's case you want to admit?

MR. GRINDROD: Yes, Your Honor.

MS. YUSI: And, Your Honor, I have no objection, but I do want to say I agreed to this not knowing that we were going to rehash the majority of things for the last two hours. But that's fine, if we still need to do that.

THE COURT: Well, we'll just keep going, because I'm going to finish tonight. So don't plan on going anywhere.

MR. GRINDROD: Yes, sir, Your Honor. If I could submit this for the Court.

THE COURT: All right.

MR. GRINDROD: It's been marked as Defendant's Exhibit 1.

(The exhibit was admitted into evidence.)
THE COURT: I've read Judge Morgan's opinion, which is a very interesting opinion, and it differs somewhat from my prior opinion. So where are we going? This is admitted to show what Judge Morgan's opinion is about, and he ruled against your position.

MR. GRINDROD: That's correct, Your Honor. We're certainly not submitting it for the same outcome in that case, but we called Agents McFarland and Alfin in that case to testify, and in order to not just duplicate that testimony we thought it would be more efficient to submit their testimony.

THE COURT: So all of your testimony is in here.

MR. GRINDROD: Yes, sir, that's the full transcript, including argument. But, I mean, I don't think the argument is necessarily relevant to the --

THE COURT: Well, that's what this case has been about, was the whole argument instead of the testimony of a witness. And I don't like it if it's not testimony. I tell you, try to stick to testimony from everyone. It's not any one person.

Okay. What else have you got, Ms. Yusi?

Have you got anything else?

MR. GRINDROD: No, Your Honor.

THE COURT: All right. All right, Ms. Yusi.

MS. YUSI: Your Honor, I'd like to call Special Agent Alfin. And the transcript, that's regarding the motion to suppress. I'm going to be very brief and just kind of address some of the issues that Dr. Soghoian went into with Special Agent Alfin.

THE COURT: Well, let's take a break right now. Let's take a 12-minute break by that clock.

MS. YUSI: Yes, sir.

(A recess was taken.)

THE COURT: All right, Ms. Yusi.

MS. YUSI: Thank you. Your Honor, we call Special Agent Alfin from the FBI.
6 (The clerk administered the oath.) 7 DANIEL ALFIN, called as a witness, having been first 8 duly sworn, testified as follows: 9 DIRECT EXAMINATION 10 BY MS. YUSI: 11 Q. 12 Court? 13 A. 14 am a Special Agent with the FBI. 15 FBI Headquarters, Criminal Investigative Division, Violent 16 Crimes Against Children Section, Major Case Coordination 17 Unit, located in Lithicum, Maryland. 18 Q. And how long have you been an FBI agent? 19 A. I've been employed as an FBI agent since 2009. 20 Q. And in your current position what sort of cases do you 21 work on? 22 A. 23 investigate individuals who use various types of technology 24 to facilitate the production, trade, and distribution of 25 child pornography. Could you introduce yourself, Special Agent Alfin, to the My name is Daniel Alfin, last name spelled A-L-F-I-N. I'm currently assigned to My role at the Major Case Coordination Unit is to Specifically, my investigations involve Heidi L. Jeffreys, Official Court Reporter I Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 97 of 157 PageID# 630 97 D. Alfin - Direct 1 individuals who use the Tor network. 2 Q. 3 investigation? 4 A. I am. 5 Q. And when did you start being involved with the 6 investigation of Playpen? 7 A. 8 approximately August, 2014. Are you the case agent for the national Playpen I became aware of Playpen shortly after it came online in 9 In December, 2014, the FBI learned the true location 10 of the Playpen Web site, and we initiated an investigation. 11 I have been involved in that investigation from the 12 beginning. 13 Q. 14 and others concerning the NIT that was involved in the 15 investigation? 16 A. I have. 17 Q. All right. 18 about or ask you questions about certain points. 19 here when Dr. Soghoian testified, correct? 20 A. I was. 21 Q. All right. 22 possibility of someone tampering with the information that 23 came from the user to the FBI servers. 24 well, the FBI did not use encryption, correct? 25 A. Okay. 
And you've submitted a declaration in this case And I'm going to talk to you just briefly You were He talked about encryption and the Can you talk about -- That is correct, the information transmitted by the NIT Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 98 of 157 PageID# 631 98 D. Alfin - Direct 1 was not encrypted. 2 Referring to Dr. Soghoian's testimony, in theory he 3 is correct. 4 format can be tampered with. 5 possibility; however, it is not an issue in the matter at 6 hand for a number of reasons. 7 that we sent was unencrypted, a number of things would have 8 had to have taken place in order for someone to tamper with 9 it. 10 Generally, data that is not sent in an encrypted That is a theoretical Despite the fact that the data First of all, an individual would have had to have 11 known about the FBI's operation. 12 known sensitive government information about the FBI takeover 13 of a Playpen Web site. 14 that we were deploying a NIT on the Web site to identify 15 users. 16 functioned and how it sent data back to the FBI. 17 They would have had to have They would have had to have known They would have had to have known how the NIT Additionally, a user would have had to have known 18 information from the defendant's computer. 19 had to have known the unique identifier on the defendant's 20 computer, previously referred to as a MAC address, among 21 other pieces of information. 22 known that the defendant was a member of the Playpen Web 23 site. 24 25 They would have They would have had to have In addition to all of this, an attacker would have had to have the capability to intercept the data from the Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 99 of 157 PageID# 632 99 D. Alfin - Direct 1 defendant's computer to the government. 
2 or organization that could have known or had the capability 3 to do all of these things, and so I can say with certainty 4 that the data that was collected by the government in this 5 operation is true and accurate. 6 Q. 7 available to the defendant. 8 9 There is no person Now, I'd like to talk to you about what has been made Could you describe the two things that have been made available to the defendant? 10 A. A number of things have been made available to the 11 defendant. 12 information that would be needed to prove what has been 13 referred to as a digital chain of custody. 14 All of these things are the necessary pieces of First of all, we have made available to defense for 15 review the NIT that seized the data from the defendant's 16 computer. 17 defendant's computer itself from which that data was seized. 18 Additionally, we have made available to defense the We have also made available to defense the 19 network data that was captured by the government, showing the 20 data that the NIT sent to the government from the defendant's 21 computer. 22 These three things on their own can prove the 23 digital chain of custody, showing that the data originating 24 from the defendant's computer was, in fact, what was 25 collected by the government and what was, in fact, used in Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 100 of 157 PageID# 633 100 D. Alfin - Direct 1 its investigation of the defendants. 2 A fourth piece of information that further 3 emphasizes the fact that the data collected was accurate is 4 the fact that the defendants admitted to the activity on the 5 Playpen Web site of which they were accused. 6 purpose of the NIT was to associate a user account on Playpen 7 with a real-world person. 8 defendants admitted to that activity, so that further throws 9 out any concern of alleged digital chain of custody issues. The primary In both instances at hand both 10 Q. 
Do you know if either of the defendants have requested that a forensic person or someone else, another expert, look at the computers that were seized from their house?

A. It is my understanding that the digital devices seized from the residences of the defendants have been made available to defense for review; however, defense has not made any attempts to review or analyze those devices.

Q. Now, in order to also, I guess, test your theory -- or not your theory but what the FBI said, the information that matches the computer back to what the FBI received, did you do any tests, or are there any tests available to do that?

A. Yes. In order to validate that the information that the government received and provided the defense is accurate, you would need to analyze a number of pieces of information, all of which I described previously, all of which are available for defense to review, including the defendants' computers, the network data stream, the actual NIT, and the statements made by the defendants.

Q. And with that information can they -- what can they do with it in a sterile environment, I guess, to test it?

A. All that information that has been provided to defense can be used to confirm that the evidence used in the charges at hand were -- that that evidence was good and accurate.

Additionally, the NIT source code that has been provided to defense can confirm that the information that the NIT was authorized to collect is the same as the information that the NIT did, in fact, collect and that it did not collect anything outside the scope of the warrants that authorized its use.

Q. Dr. Soghoian also talked about "unique identifier generator." Did you hear that testimony?

A. I did.

Q. And can you expound on what he said?

A. When the NIT is downloaded to a user's computer it includes a unique identifier. Every identifier generated during this operation was, in fact, unique. I know this because as the case agent I have access to every single unique identifier that was generated in this investigation.

I have reviewed every single unique identifier in this investigation in order to determine that there were, in fact, no unique identifiers generated more than once.

Q. If you had found a duplicate unique identifier, what would you have done with that information?

A. If a unique duplicate identifier had been found, I would have attempted to identify the source of that duplication; however, there were no unique identifiers generated, so it's not an issue that I had to deal with.

Q. Okay.

MS. YUSI: Your Honor, I think those are all of my questions at this time.

THE COURT: Mr. Grindrod.

MR. GRINDROD: Thank you, Your Honor.

CROSS-EXAMINATION

BY MR. GRINDROD:

Q. Let's pick up where Ms. Yusi left off. You were talking about the unique identifier or the creation of unique identifiers.

A. Yes.

Q. And you talked about a list of unique identifiers that you reviewed.

A. Yes.

Q. Was that the list of the unique identifiers that were sent out by the FBI or the list of unique identifiers that were successfully returned to the FBI?

A. It was the list of unique identifiers that were generated by the FBI. So "sent out by the FBI," I think that would be an accurate description.

Q. And you reviewed that list and compared, what, each unique identifier to every other identifier?

A. It's a very simple process. You put every unique identifier in a spreadsheet, and you say "find duplicates" and the spreadsheet says there are no duplicates. It's very simple to do.

Q. Have you produced that spreadsheet to the defense?

A. No. I have provided the unique identifier used in the matter at hand.

Q. And even if you're not providing the code that created the unique identifier, to your knowledge, has the government produced any indication as to how that unique identifier was even created?

A. Yes, we generated unique identifiers.

Q. Using an algorithm?

A. Yes.

Q. Did you write that algorithm?

A. I did not.

Q. Do you know that algorithm?

A. I do not.

Q. Would you recognize it if you were presented with it?

A. I would not.

Q. Can you explain the inner workings of how that algorithm works?

A. I can.

Q. That's the inner workings, as far as your understanding goes?

A. Could you be more specific in what you're asking for?

Q. Well, this unique identifier is a piece of computer code, correct?

A. No, it's a string of text.

Q. It's a string of text?

A. A unique identifier is a string of text, yes.

Q. It's a generator. It generates a unique identifier.

A. The generator could be described as computer code, yes.

Q. And it runs on a system. It's computer code.

A. Yes.

Q. What system does it run on?

A. A government-controlled computer.

Q. Okay. And is it operated inside any -- is it just operating in some program that is unique that is created by the government in order to create these unique identifiers? Does it run within Excel? You mentioned that there may be spreadsheets involved.

I'm trying to figure out how, from a technological perspective, this generator worked.

A. When a NIT is packaged or put together it generates a unique identifier, and it injects it into the package that is downloaded to the user's computer.

Q. Okay. And that's what it does, but now my question is how does it do that?

So this creation of a unique identifier, you said that that is created through some sort of computer code. What I'm trying to figure out is how exactly, from a technological perspective, is the unique identifier created?

MS. YUSI: Your Honor, I'm going to object.

THE COURT: We're going into the code itself. Isn't that where we're going?

MR. GRINDROD: Your Honor, in the event the government is not going to produce it, perhaps Agent Alfin can explain how the code works so that we can understand why there is some alleged law enforcement privilege that covers it.

MS. YUSI: Your Honor, if I may interject, I don't think any of these other unique identifiers are important. The only ones that are important are the ones that went to the two defendants.

THE COURT: Well, there isn't any question the -- there is testimony that an IP, I believe, was different from one sent that one existed, and I thought we would probably be going into that some day.

MS. YUSI: That's a separate issue, Your Honor.

THE COURT: Well, I'm not going into the code. I can tell you that. And we're not going into the code, so -- at this time.
We may go into the code later, but it's only after I make a ruling on whether the code is discoverable or not. So we're not going into it at this time. We're knowing that the code was utilized, and that's all that I'm going into or all I'm going to allow at this particular portion. So let's don't go into what the code is or does and how it works, because that's one way that it could be released. The problem about codes that invade Tor is what it may lead to.

We have tremendous security problems at the present time with encrypted materials being utilized by those people whose main object in the makeup of things at the present time is to kill nonbelievers, and unfortunately there are a great many nonbelievers right in this room at this time. And so, therefore, they are everywhere. And since there is an organization who would love to get into Tor to find out what the government is doing, I'm not about to release anything unless it's essential, and then the government would have to decide whether it's going forward or not with the case.

MR. GRINDROD: I understand, Your Honor.

THE COURT: But I'm not going to go into it on examination of this witness.

BY MR. GRINDROD:

Q. Agent Alfin, without providing any further explanation than what you've already provided, can you just tell me whether you have -- you personally could give any more detailed explanation about how the code worked than what you've already provided here in court?

A. Which specific code?

Q. The unique identifier generator. Just a "yes" or "no." I don't want to get into any --

THE COURT: Unique identifier -- which one are you speaking of, the one that found Tor or the one that found the defendant?

MR. GRINDROD: I think Your Honor may be referring to the IP address.
THE COURT: Yes.

MR. GRINDROD: And I'm referring, instead, to the FBI-generated code that was injected into the packet of information that was sent from our clients' computers to the FBI as a means of linking up the Playpen use with the user account. This was a number that the FBI created in order to uniquely identify people, and what I'm trying to figure out is whether Agent Alfin even has an understanding as to how that code worked.

THE COURT: I'll allow that.

BY MR. GRINDROD:

Q. So, Agent Alfin, I'll ask you again. Again, without providing a substantive answer as to how the code may or may not have worked, do you have the ability to provide any more detail as to how the unique identifier generator worked in this case from a technological perspective?

A. I've already explained in detail how it works from a technological perspective, so I would still need you to clarify what exactly you're asking, because your questions don't make sense from a technical standpoint.

Q. So, as far as you're concerned, everything about how it works has been said.

THE COURT: I don't know about everything, but --

THE WITNESS: I have not --

THE COURT: Where has it been said?

THE WITNESS: The actual mathematical algorithm that generates the unique identifiers, that has not been stated. I do not know that mathematical algorithm.

BY MR. GRINDROD:

Q. Or how it was created?

A. How the mathematical algorithm was created?

Q. What went into its design? Presumably, the point of the algorithm is to ensure it produces unique numbers.

THE COURT: I'm not going into how --

MR. GRINDROD: I'll move on, Your Honor.

THE COURT: -- it was created, because that will imply a knowledge of how to get it.

MR. GRINDROD: I'll move on, Your Honor.

THE COURT:
I'm not going to get into that, unless I find that the motion to produce or the motion to compel or the motion to suppress is merited. First I'd have to find that, and then you can go into it, but you're not going into it indirectly, okay?

MR. GRINDROD: Understood, Your Honor.

BY MR. GRINDROD:

Q. Agent Alfin, you've obviously prepared a declaration in this case and now testified, so I want to talk a little bit about your credentials.

Your declaration states that you hold a university degree in information technology. Can you tell me what that's in reference to?

A. I have a Bachelor's degree in information technology.

Q. And where is that from?

A. Florida State University.

Q. And did your training in information technology include computer science courses?

A. Yes.

Q. And do you have a working ability to write computer code?

A. Basic computer code, yes.

Q. But it's fair to say you're not capable of writing, for example, the NIT in this case.

A. The NIT is actually very simple computer code.

Q. Did you help write it?

A. I did not.

Q. Could you write a NIT?

A. The NIT that was used in this case? Yes, I do have the capabilities to write a NIT similar to this one.

Q. Okay. And the NIT was produced in this case, right?

A. It was.

Q. Let's talk about the exploit, then.

Do you have the technical capability to write an exploit?

A. I do not.

Q. Did you work at all in the creation of the exploit in this case?

A. I did not.

Q. You've obviously testified, both here and in your declaration, about what the exploit does and doesn't do, correct?

A. Yes, I have.

Q.
Is that based on your review of the exploit?

A. It is based on my use of the exploit.

Q. Okay. And you make that clarification because you've never actually reviewed the exploit, correct?

A. Are you referring to the source code of the exploit?

Q. Well, have you looked at the source code of the exploit?

A. I have not.

Q. Have you looked at any other aspect of the exploit?

A. Such as...

Q. Such as -- so the --

THE COURT: The exploit is the code.

MR. GRINDROD: Well, that's where it gets tricky, Your Honor. I think there are various things that can be referred to as "the code" in this case, but the exploit is a code, that's correct.

So the source code --

THE COURT: What was the exploit in this case, I understood, was the code utilized in this case. So there's another exploit besides the code that was used in this case?

MR. GRINDROD: Well, Your Honor, "an exploit" can describe --

THE COURT: I know what an exploit is in this case; it's the code utilized in this case.

MR. GRINDROD: Correct.

THE COURT: And that's what's referred to in various declarations and in various testimony. Now we've got a different exploit?

MR. GRINDROD: No, Your Honor, but there are different -- so the NIT computer code is sometimes referred to as a code. That's a separate thing.

THE COURT: I understand the NIT is one thing.

MR. GRINDROD: Right.

THE COURT: The exploit was the code utilized to determine the defendant's computer, correct?

MR. GRINDROD: To determine -- no -- well, I don't think so, Your Honor. I think the exploit was what was used to hack into our client's computer. The NIT is what was used to actually collect the data and send it back to the FBI.

I think Dr. Soghoian referred to the exploit as the picking of the lock or the exploit as the drugged piece of meat that the guard dogs eat. It's what let the government into our clients' computers.

THE COURT: All right. Let's go ahead. We've got to get into it some day.

BY MR. GRINDROD:

Q. So you've not reviewed the exploit in this case. Is that correct?

A. I have not reviewed the exploit source code in this case.

Q. And all of the statements you're making about what the exploit does and doesn't do, those statements are based on your observations of running the exploit. Is that correct?

A. In part, yes.

Q. What else are they based on?

A. Based on my conversations with other people who are knowledgeable in the matter, as stated in my declaration.

Q. Who are those people?

A. Other FBI personnel.

Q. Yeah, but what people?

A. That information is subject to law enforcement privilege.

Q. The names of the people who -- so you're basing your testimony on what you were told by other individuals, at least in part.

THE COURT: In part, okay?

BY MR. GRINDROD:

Q. Is that correct?

A. Everything substantive in my declaration is based on my own observations of my own testing. It has been further supported and backed up by other statements I've received from other individuals; however, I have tested everything with regard to the NIT's functions in my declaration.

Q. Okay. So help me understand the process. So you run the exploit, you make certain observations, and you draft this declaration. Is that what happened?

A. That's fair. That is an accurate order of events.

Q. And then at that point, after you drafted the declaration, you went to other folks in the FBI and said, "Does this look right to you?"

A. No, that's not what I said.

Q. Okay. So tell me how -- what part of this declaration --

A. There are other individuals at the FBI who obviously have reviewed the source code of the exploit. I have had conversations with those individuals --

Q. And the conversations --

A. -- several times throughout the course of this investigation, both before and after I wrote my declaration.

Q. So it's fair to say there are people who are more heavily involved in the tech side of this than you, correct?

A. In certain aspects of it, yes, that's true.

Q. Specifically with regard to the exploit, right?

A. Yes, that's true.

Q. Because you don't have the ability to create the exploit.

THE COURT: He's already testified to that three times now. Don't ask it again, please. Let's move on.

BY MR. GRINDROD:

Q. And, so, is there any way that you can be more specific as to what parts of this declaration that you submitted to the Court is based on your own personal observations versus your conversations with other people?

A. I think I've been clear on that, but if you have questions about a specific portion of my declaration, I'd be happy to answer.

Q. Okay. So let's be specific about paragraph 14. So in paragraph 14 the first sentence says, "It's theoretically possible for an exploit to make fundamental changes or alterations to a computer system or to disable its security firewall."

Is that based on your own personal knowledge?

A. Yes, it is.

Q. So it's possible for an exploit to make fundamental changes or alterations to a computer.

A.
An exploit. Not the one in this case, but yes.

Q. Okay. So let's figure out what the source is for that part of your statement.

The part of your statement in which you say this exploit specifically didn't make fundamental changes, is that based on your personal observations or based on what other FBI agents have told you?

A. I tested a NIT on a computer -- or, rather, the exploit on a computer under my control. I observed that it did not open up any security holes on it, it didn't place any files on it, it didn't make it any more vulnerable to outside attackers. It is based on my observations and my testing.

Q. And how many times did you run the exploit before you reached that conclusion?

A. A few times. I don't know the exact number.

Q. More than five?

A. Possibly.

Q. Was it less than ten?

A. It may have been. Less than a hundred.

Q. Okay. Have you received any training on how to test software or computer code like an exploit?

A. I have.

Q. And where was that training?

A. I have received courses in malware analysis put on by FBI and FBI contractors.

More importantly, I have conducted analysis of such code on several occasions during the course of both criminal investigations and national security investigations. I have analyzed exploits used by criminals trying to steal money. I have analyzed exploits used by foreign countries trying to steal state secrets.

In all of these cases I have successfully found and analyzed this code without -- obviously, these foreign governments were not kind enough to give me the exploit on the front end; however, that did not stop me from being successful in my analyses.

Q.
And as part of that training that you received were you taught the appropriate way to test an exploit to determine whether it creates software vulnerabilities is to run it between 5 and 10 times?

A. You can run an exploit that does one thing as many times as you want. If it's programmed to do one thing, it's going to keep doing that one thing.

Q. Okay. So my question was did you receive as part of -- you said you received training in malware analysis, and I'm asking whether as part of that training you were taught that an appropriate means of testing an exploit to determine whether it makes fundamental changes or alterations to a computer system is to run that exploit between 5 and 10 times.

A. I don't recall whether or not there was a number involved in that training. I was taught how to analyze malware.

Q. So you don't have any recollection --

THE COURT: He wasn't taught in that training. Don't argue with the witness. Let's go along and ask questions.

BY MR. GRINDROD:

Q. Was the NIT ever programmed to collect the IP address of the activating computer?

A. The NIT collects pieces of information identified in the NIT search warrant attachment and transmits it to the government. At that point we can see the IP address that data is originating from.

Q. Let me ask you my question again.

Was the NIT ever programmed to collect the IP address of the activating computer?

THE COURT: Of whose computer?

MR. GRINDROD: The activating computer, the user's computer.

THE COURT: The user's computer. Go ahead.

THE WITNESS: Your question is not technically sufficient for me to answer it "yes" or "no," and so I would have to rely on my statements, unless you can rephrase your question.

BY MR. GRINDROD:

Q. Do various forms of the NIT exist?

A. Yes. Or, rather, multiple -- every NIT used in this case was unique.

Q. And were there ever versions of the NIT that was used in this case that instead of collecting the IP address as sort of a byproduct of the other information -- was the NIT ever written in a way so that it collected the IP address from the activating computer itself?

A. Could you define what you mean by "collect" in that statement?

THE COURT: From which computer are we speaking of, now? You've got two computers that I think we're interested in. One is the computer that was transmitting Playpen, and the other was the computer utilized by the defendants or one or more of the defendants.

So we have actually three computers involved in the motion to compel, as I understand it. We may have four, because there may have been another computer transmitting information, as the other expert has testified to, a different computer transmitting the information back to the FBI than there was collecting information. So there may be four computers.

MR. GRINDROD: I'll try to be more specific as to the computer.

THE COURT: All right.

BY MR. GRINDROD:

Q. So, Agent Alfin, when I use the term "activating computer" or "the user's computer" I'm talking about the defendant's -- the to-be-defendant's computer, the computer that was the target of this search. Do you understand that?

A. Yes.

Q. Okay. So my question was whether the NIT -- whether there was ever any version of the NIT that gathered from the operating system the IP address of that activating computer.

A. I still need you to be more specific.
When you say "gathered" do you mean sent back to the government?

Q. No, I mean gathered.

A. If it wasn't sent to the government, it wasn't gathered.

Q. Okay. Well, what word can I use to --

A. Well, let me rephrase. Who is gathering it, then?

Q. The FBI, through the NIT.

A. So it is sent to the FBI in your question.

Q. I'm not concerned really -- so let me break it down.

So the NIT you can think of as having two stages, right? Part of what the NIT does is once it gets onto our client's computer, onto the activating computer, it gathers certain information, right -- the MAC address, the host name -- gathers that information and then packages that information and sends it -- as part two, it sends that information that it gathered to the FBI server, correct?

A. That's accurate.

Q. Okay. So I'm not concerned for the purposes of this question with what was sent to the FBI. I want you to focus for purposes of this question on what information was gathered to be packaged on the activating computer.

THE COURT: If it wasn't sent to the FBI, how would he know what was packaged?

MR. GRINDROD: Well, Your Honor, I think he's going to testify that --

THE COURT: All right.

THE WITNESS: I'm familiar with Dr. Soghoian's testimony, and I know where you're going with this, so if you will just allow me to testify I think I can put the issue to rest, if that satisfies.

BY MR. GRINDROD:

Q. Well, are you capable of answering the question?

A. Yes, I am capable of answering the question.

Q. Okay. Can you answer the question?

A. The NIT that you're referring to -- I just want to clarify. Is it the one that was used in the matter at hand?

Q. Yes.

A. Okay. So in some instances, for some of the NITs, in order to collect certain pieces of information such as the MAC address the NIT executes a command that displays the MAC address. It also displays, in some cases, the local IP address of the computer, which is also covered by the NIT search warrant. However, that information is not relevant or important to the FBI. It is not parsed out, and it is not sent to the FBI.

So, to answer your question, the NIT itself does not gather an IP address. It does not gather an IP address from the computer. I think you're discussing a semantic argument, but it does not gather it, because that implies that we collected it and received it.

Q. Okay. I don't know what the right word is -- "gather" obviously isn't it -- but I'm trying to get you to focus on not what was sent to the FBI but what your NIT, the FBI NIT, was designed to collect for packaging.

THE COURT: What information is the NIT designed to obtain?

THE WITNESS: Several pieces of information, Your Honor, but the most important one, the one that identifies the defendant, is his IP address, the one that's assigned to him from his Internet service provider. And, so, when the NIT communicates back to the FBI we can see which IP address that communication is coming from.

BY MR. GRINDROD:

Q. So is it correct that, in fact, at least some versions of the NIT collect, not as in transmitting back to the FBI but packaging --

THE COURT: When you use the word "collect" or anything else we're using what information was derived.
Now you want to -- if they -- I assume that we're worried about the words "collect" and "gather," so why don't we use, "What did you learn from this," "What did you expect to learn from it." I don't mind any of this, other than the fact that we're having a dispute as to the terminology of the utilization of words in this case.

And if we can move it along -- that's why I asked what information did they collect -- did they obtain, I should say, not "collect."

MR. GRINDROD: I'll try, Your Honor.

THE COURT: The problem -- I don't know where we're going with it. Are you trying to find out what information was on the computer that they did not use?

MR. GRINDROD: Your Honor, I don't know what Agent Alfin will testify to, but I suspect that -- there's reason to believe that the NIT gathered certain information from our clients' computers without transmitting that information back to the FBI and instead deleted or blocked certain aspects of that code from transmitting data and instead transmitted other data through this --

THE COURT: What you're saying, in essence, is you have some information that the FBI has transmitted false information back and claimed it was your defendants' information. Isn't that correct?

MR. GRINDROD: I'm not sure I can make that representation, no, Your Honor.

THE COURT: Well, somewhere or another you're going to have to have some evidence of some kind to go into this. We're all in suppositions, and suppositions are wonderful. In fact, I suppose I'd like to go to the moon, but I don't know if I'm going to get there or live that long. But some people may get there; I'm not sure who. Right now I don't know, but it is possible. Do you understand?
So we're not interested in possibilities, we're interested in, you know, what has happened in this case -- 13 MR. GRINDROD: That's correct. 14 THE COURT: 15 Now, I understand nothing was encrypted in this -- and what the FBI did or did not do. 16 case, so consequently the question then is how reliable is 17 it? 18 how reliable something may be, but it is not a legal question 19 of how reliable it is. 20 MR. GRINDROD: 21 THE COURT: It appears to me that it may be a jury question as to That's true, Your Honor. So the question really boils down to a 22 question of fact for a jury to determine, unless there is 23 some evidence which would place it in a position where the 24 motion should be granted or not granted here. 25 I've heard is some suppositions about what's possible on the And so far all Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 124 of 157 PageID# 657 124 D. Alfin - Cross 1 computer or what can or may be done with computers that are 2 not encrypted. 3 In fact, I'm not so sure that encryption does much 4 good when I realize how much is stolen from banks over a 5 computer system that's totally encrypted. 6 relying on news broadcasts for that; I don't know. 7 had a case on the stealing from banks by computers. 8 9 And I'm only I haven't So the case which we're interested in is was there an unreasonable search in this case resulting in the 10 obtaining of evidence illegally, not a question of whether 11 they legally obtained evidence, so I want to get to that, if 12 I can. 13 possibilities of various things, and I don't mind going into 14 it, but some of it is farfetched. 15 16 And we've been here a couple of hours dealing in the MR. GRINDROD: Your Honor is exactly right. I think a lot of these things are questions for the jury. 17 The reason I'm offering this testimony and a lot of 18 the testimony from Dr. 
Soghoian was to make clear that there are substantial factual questions, and those questions --

THE COURT: There are always factual questions in that regard. There may be a very simple answer to a lot of simple questions. I'm not in any way suggesting that it's substantial or insubstantial.

MR. GRINDROD: Fair enough, Your Honor.

THE COURT: I make sure that there's no ruling of mine which indicates that possibilities are substantial or insubstantial. Possibilities can grow into more than just possibilities, they can become probabilities, which is a situation that is more than 50 percent of the time.

MR. GRINDROD: I only mean to say, Your Honor, these questions are aimed at our motion to compel, and so that's why some of these may seem like trial issues.

THE COURT: In relation to the motion to compel, there must be some evidence, one, that either the FBI was dishonest or that they wrongly used some search warrant or that the search warrant -- well, in the motion to -- it's not the motion to suppress that deals with the search warrant, we're talking about the motion to compel the disclosure of the code, and I'm not about to disclose the code unless I find that it is material to the defense in this case.

So far I don't know what it is that's been testified to as to the materiality of the code in this case. The question of its materiality has to do with the guilt or innocence of the defendants, and that has to do with did the defendants in this case utilize and receive pornographic material in relation to children, and what the type of the particular material was that it may or may not have received. So far I haven't heard any evidence on materiality in relation to the code.
The code merely gave the FBI the means to find the particular Internet company that was delivering material as well as the particular Internet company that received the material. And the question in this case is in discovery it deals with materiality, and we're dealing in a lot of suppositions, Mr. Grindrod.

I'm not trying to chide you or disturb you. There's no question in my mind that the Internet is possible for hackers to do most everything with the Internet. They can even claim to hack the Secretary of State's Internet. Now we know that there's going to be no prosecution of the Secretary of State, so we can talk about it.

But the question is we know that that can be hacked. What is it that we don't know? What we don't know only is what is that code and how valuable is that code, and what could we sell it for, and what could we achieve with it.

I imagine people would pay millions to get that code, enough so that the government wouldn't prosecute some people if I ordered it produced, and they may not prosecute these two if I ordered it produced. But that's only if I find that the material is such as to affect the outcome of this case in some fashion, and I haven't seen it yet.

MR. GRINDROD: I understand, Your Honor. I'll try to --

THE COURT: I'm not trying to stop you.

MR. GRINDROD: Okay.

THE COURT: You've got the fact that, number one, the testimony of the expert is clear. There's no question that there's no protection for that which is transmitted on the Internet. Whatever you transmit on the Internet, somebody can receive it. If it's encrypted, then a clever hacker who can understand how to encrypt things can find it. In fact, the FBI was particularly adept at hacking itself. It hacked into Tor, whether anybody believes it or not. So they hacked in, and they found it, and the question is what did they find? They found a place that transmits child pornography.

I don't know where we're going with child pornography, but it's a very basic thing that we should try to eliminate, if possible; that is, the utilization of children in these matters. In almost every case that I have seen the children of the individuals who utilized them to make these pictures end up with huge problems later on in life -- huge. Or evidently they do. Almost every psychiatrist indicates the same. So the question is whether we can stop the utilization of these children.

MR. GRINDROD: Well, I --

THE COURT: The question before me today is materiality. You know that, I know that.

MR. GRINDROD: And I only have two more quick lines of questioning on those points, Your Honor.

THE COURT: I'm not trying to stop you, I'm trying to define what I'm interested in hearing; not learning about the computer as much as I am about what is material that may help the defendant's case as a matter of probabilities, not possibilities, okay?

MR. GRINDROD: Yes, sir.

BY MR. GRINDROD:
Q. Agent Alfin, how many computers did the NIT deploy against?
A. In the matter at hand for two defendants? Two computers.
Q. For the Playpen operation as a whole, for all users of the Playpen site.
A. There were a number of other defendants who were not charged in the matter at hand. The total number of users that were identified by the FBI is known to me. I would ask the Court's permission not to answer that question, because it could give other individuals insight into the full scope of the FBI's operation.

Specifically, we identified a number of people in foreign countries, and some foreign countries are very slow to act on the information that they receive because it has to go through official diplomatic channels. More importantly, it's not relevant to the matter at hand. In the matter at hand there are two defendants. We deployed the NIT against two computers. Both of those computers are available to the defense. It has no bearing on these defendants how many other people were identified in the case.

THE COURT: But many people were identified, correct?

THE WITNESS: Yes, Your Honor.

MR. GRINDROD: Your Honor, I do think, especially with respect to the particularity argument on our pending motion to suppress, it is relevant. I'm not sure that the legal argument from Agent Alfin is --

THE COURT: I don't know that -- my view is that what they're saying is that it's unique to the proper...

(There was a pause in the proceedings.)

THE COURT: I'm going to sustain the objection made by the witness.

BY MR. GRINDROD:
Q. Is the NIT classified?
A. The NIT is not classified.
Q. Is the exploit?
A. At the moment I believe that it is undergoing review; however, further information about that is answered in the declaration that I believe is under seal.
Q. You testified in a case called United States v. Michaud. Is that correct?
A. I did.
Q. Was the exploit -- well, first of all, was it classified at that time?
A. The actual exploit at that time? I do not believe it was classified.
Q. Was it undergoing review, as you say it is now?
A. I don't know exactly when that review process began. I'm not involved in it.
Q. When did you learn about it?
A. At some point in the past year.
Q. Can you be any more specific?
A. No. Again, the government's position is that the exploit is not material to the case at hand. I don't recall that particular conversation. However, I did learn in the past year that it is undergoing --

THE COURT: Well, he asked you if it was very material in this case, but the question of determining the exploit, which is the code, I'm not allowing at this time.

MR. GRINDROD: Understood, Your Honor.

BY MR. GRINDROD:
Q. Was the exploit in this case transmitted to everyone against whom the NIT was deployed?

THE COURT: It wasn't transmitted to anyone, as far as I know. Has the exploit itself, the code, been transmitted to anyone, or --

THE WITNESS: Your Honor, if I can clarify some earlier points, there are two important pieces of computer software. The first one is the exploit, and that can be thought of as an open window. So we want to seize information from the defendant's computer, and so there's a vulnerability, an open window, on the defendant's computer. We know about it, and that's how we're able to retrieve information from his computer. So we go in through that open window, the exploit, and then the NIT is the code that we've turned over. That is what seizes the information and sends it back to the government.

So the exploit, the open window, is the part that we have asserted law enforcement privilege. The NIT, the part that actually seizes the data that actually collects information that was used to identify the defendant, that was turned over to the defense in its entirety.

THE COURT: Okay.

BY MR.
GRINDROD:
Q. So in your declaration you referred to the exploit as a -- like a defect in the lock of an activating computer.
A. I did.
Q. And you note that what the exploit does is it essentially would allow someone with the proper tool to pick that lock, correct?
A. I don't know if I said "pick lock" -- I may have -- but bypass the lock, yes, that's accurate.
Q. Okay. And, so, in this case for each of our clients the exploit was sent to our clients' activating computer.
A. It was downloaded to their computer, yes.
Q. It was sent from the FBI to their computer physically, correct?
A. They downloaded it from the government's computer, yes.
Q. And, indeed, the exploit was sent every time that the NIT was deployed, correct?
A. The NIT was only deployed once per user in the matter at hand, so "every time" would be once.
Q. Agent Alfin, you just testified a moment ago that the NIT was deployed a large number of times, although you didn't want to specify the precise number.

THE COURT: There's probably many times when he's talking about the hundreds of people that they participated in.

MR. GRINDROD: That's correct.

BY MR. GRINDROD:
Q. And, so, what I'm asking you about, Agent Alfin, is all of these people, not just our clients in this case, but in the whole Playpen operation.

THE COURT: How is that relevant?

MR. GRINDROD: Well, Your Honor, the government is now claiming that the exploit is so sensitive that it can't be turned over. Even with a strong protective order, it can't be reviewed by an identified expert in a safe environment, even at FBI Headquarters, right?
And now I believe Agent Alfin will testify that this same code that is so sensitive it can't be disclosed under strict controls was sent out, I don't know, a hundred thousand times or so and could have been recorded in transit.

THE COURT: I don't know about a hundred thousand times, but --

MR. GRINDROD: Well, without them limiting the number down, Your Honor, I think the Court has to assume --

THE COURT: A number of times, and what you're saying is that since the people who received it can discover the code --

MR. GRINDROD: Not discover it, Your Honor, it was sent to them.

THE COURT: It was sent there, but can they determine what the code was that they used to pick the lock?

MR. GRINDROD: Yes, Your Honor.

THE COURT: I don't know. Ask him.

BY MR. GRINDROD:
Q. Can they? Someone recording --

THE COURT: If you use the exploit to go on my computer to determine information, can I know what that code is that you utilized by looking at my computer?

THE WITNESS: The specific answer to that question, Your Honor, is contained in the document that the government has asserted is law-enforcement-sensitive. However, speaking generally, there are a number of pieces of software that can be used so that even if you do send an exploit to someone's computer, even if they know it's happening, even if they try to record it, there are certain pieces of software that could prevent people from doing it successfully.

I'm not authorized to answer whether or not such software was used in this case or how it would have been used; however, the statement that if it is sent to your computer you can see it and analyze it, that on its own is not always accurate.
THE COURT: Well, I'm going to recognize now the law enforcement privilege until I find out if there's any materiality to it, and I'll look at that based on the rest of the evidence that I hear in this case.

MR. GRINDROD: I understand, Your Honor. Just for the record, I would note an objection to that.

THE COURT: I note your objection.

BY MR. GRINDROD:
Q. Agent Alfin, to your knowledge, did any of the people to whom the government sent the exploit that now may or may not be classified -- did any of those people have security clearances?

THE COURT: Does that make any difference?

MS. YUSI: Objection, Your Honor; relevance.

THE COURT: Do you think somebody important may have been on the Internet and wasn't prosecuted? Is that what the question is? I hope it's political.

MR. GRINDROD: The government is claiming that this information is now retroactively classified. They sent it to thousands of people before, and I want to know whether they made any effort to determine whether those people were authorized to handle classified information. I guess it wasn't marked "Classified" at the time, but --

THE WITNESS: The source code that you are seeking in discovery was not sent to anyone.

BY MR. GRINDROD:
Q. Was the exploit sent?
A. Obviously, the exploit was.
Q. Okay. And there was no effort made on the FBI's part to determine whether the people receiving the exploit had some sort of security clearance or were going to handle the exploit properly.
A. As the Court is aware, the users of the Playpen Web site were not known to us before they were identified by the NIT, so we did not know whether or not someone that we were attempting to identify had a security clearance.

MR. GRINDROD: No further questions, Your Honor.

THE COURT: Thank you.

MS. YUSI: Just very briefly.

THE COURT: You don't have to be brief, but --

MS. YUSI: Just to follow up.

REDIRECT EXAMINATION

BY MS. YUSI:
Q. The exploit was sent, but that's not the source code, correct?
A. Correct.
Q. The source code is what the defense is requesting, correct?
A. Correct.
Q. Okay. Just to clarify something that Dr. Soghoian had talked about and the Judge brought up about the IP addresses being different on the PCAP report --
A. Dr. Soghoian testified that the data received by the government was changed in transit.

THE COURT: That's what he said.

THE WITNESS: This is inaccurate and misleading. The actual data --

THE COURT: He said the IPs were changed, as I recall. Go ahead.

THE WITNESS: Again, that statement is misleading. So the IP address that was used to identify the defendant did not change. That, in my declaration, as it states, was not changed in transit. So my declaration -- I believe it was paragraph 19 -- is, again, true and accurate.

What Dr. Soghoian is referring to is the IP address of the government server that is visible in the data that we turned over. He suggests that because that IP address is not a public IP address that it had to change through multiple government servers. That statement is based on an assumption of how the government servers are configured. It is not supported by any testimony in the record or any evidence that the FBI or defense has put in.

A computer can have multiple IP addresses on it, both public and private, the distinction being a public IP address is used to communicate over the Internet. It is the one that was used to identify both of the defendants in the matter at hand. The actual network capture on the government's end occurred on a private IP address on a server connected to the Internet which also had a public IP address. The data that was turned over represents the government's private IP address.

Again, the important thing is that the actual data from the defendant's computers did not change in transit, nor did Dr. Soghoian allege that it did change in transit.

THE COURT: Am I to understand that the computer that sent the material to the government was a different computer than the Playpen computer?

THE WITNESS: So the government ran the Playpen Web site.

THE COURT: Correct.

THE WITNESS: The defendant connected to our Web site --

THE COURT: Correct.

THE WITNESS: -- in the Eastern District of Virginia. He downloaded the NIT and the exploit to his computer.

THE COURT: Right.

THE WITNESS: And then the NIT sent that information back to another government computer. It was not the same computer that had the Web site on it.

BY MS. YUSI:
Q. And that's how it was designed, is that the NIT would send the information to this third computer to -- as a repository?

MR. GRINDROD: Objection, Your Honor; leading.

THE COURT: Objection sustained.

THE WITNESS: So that was how the operation was designed.
A user connects to the Playpen Web site, they download the NIT from the Eastern District of Virginia, and then the NIT sends the information back to another government-controlled computer in the Eastern District of Virginia.

THE COURT: So that computer would have been different from the number -- the identification number would have been different from the identification number for the Playpen computer?

THE WITNESS: The actual Playpen Web site was not relevant to the investigation. That was just where we hosted the Web site, and we hosted it within the Tor network. So the IP address of the Playpen server could not be publicly seen, and it's not part of any of the information that's been discussed today.

THE COURT: Well, what were the two IP identifications that were utilized in the correspondence, or the e-mails, or whatever it was that was transmitted?

THE WITNESS: One of them was the defendant's computer --

THE COURT: Yes.

THE WITNESS: -- and the other one was the government's computer.

And so the network data stream that we can see that has been turned over to defense, you can see that entire communication, which includes the information that the government was authorized to collect.

THE COURT: All right. But when Mr. -- I don't quite know how to pronounce his name, Soghoian -- when he testified, he indicated that there was a difference between the number of the IP number and what the government sent. There were two different numbers. Or did he?

THE WITNESS: What Dr. Soghoian suggested was that the data came back to the government computer --

THE COURT: Yes.

THE WITNESS:
-- and then went to another government computer.

THE COURT: Correct.

THE WITNESS: That is based on an assumption. That is based on an assumption based on nothing that the government has put in the record, and it is not supported by any evidence that the defense has put on, either.

THE COURT: Well, how did the two IP numbers get involved that he was speaking of?

THE WITNESS: So the NIT transmitted data back to the government.

THE COURT: Yes.

THE WITNESS: And when it did that we could see the defendant's IP address. The NIT knew where to send the information, the government's IP address, because that information is included in the NIT. And, so, the NIT knows where to send the data to because it's included in that package. And, so, it has with it the government's IP address, so it knows where to initiate that connection to. And, so, that is the data that is collected by the NIT, is what can be seen in the evidence that has been turned over.

BY MS. YUSI:
Q. And, just to clarify, Dr. Soghoian talked about headers, correct?
A. Yes.
Q. And did any of the information change? What was he referring to that changed?
A. When Dr. Soghoian suggested that the PCAP data changed, he was referring -- again, the PCAP data has a private government IP address on it, not the public IP address, and so that can be thought of as sending a package through UPS. When it goes through a mail delivery facility, a sorting facility, they slap another sticker on it, it goes where it needs to go, but the package is never opened. It's not ripped open and tampered with, in general.

And, again, as I described previously, we had a number of precautions in place to prevent such tampering.
However, the important thing is that the data that was sent from the defendant's computer was done so accurately, and we captured it accurately.
Q. And Dr. Soghoian agrees that nothing had changed in the data.
A. Dr. Soghoian agrees that there was no evidence that any of the data was tampered with, is my recollection.

MS. YUSI: That's all of my follow-up, Your Honor.

MR. GRINDROD: Your Honor, may I briefly address those points with the witness?

THE COURT: Is it something new?

MR. GRINDROD: No, Your Honor. Well, it is limited to points that were directly raised about what our expert's testimony was and whether it should be credited, two quick lines of questioning, Your Honor.

THE COURT: You've got two questions.

RECROSS-EXAMINATION

BY MR. GRINDROD:
Q. You just testified that when Dr. Soghoian said that, based on his observations of the PCAP data, it looked like the information that was sent back to the NIT went to a public government IP address and then went to another government computer, right? And you said that was speculation; there was no evidence in the record of that, right?
A. That's not an accurate quote, and the question doesn't make sense from a technical standpoint. Can you restate it, please?
Q. Sure. So you talked about Dr. Soghoian's testimony and how he said that by looking at the PCAP data it was his opinion that the information that was sent from our clients' computer to -- was sent initially to an FBI server and then to some other FBI server, and that he could tell that because the PCAP data indicated that the IP address was associated with this second private server, nonpublic government server,
remember?
A. Yes, that is what he testified to.
Q. And you said that was speculation and there was no evidence in the record to support it, correct?
A. I did.
Q. But that is, in fact, what happened, right?
A. No. As I stated, a server can have more than one IP address on it. So just because the IP address changes doesn't mean it went to another server.
Q. Okay. So in this case the IP address changed. You agree with that?
A. Which IP address?
Q. The IP address that's reflective of the government's receipt of the information in the NIT.

THE COURT: Let's get a specific -- you know, I get lost. I try to understand everything. So far I'm not sure what IP address we're speaking of that changed.

There was an IP address, according to the expert, the good doctor, that the numbers were different, okay? Not the data was different, the numbers were different, the IP numbers.

MR. GRINDROD: Right.

THE COURT: But I'm not sure it was material that was transmitted to the FBI, so I don't know where it was transmitted from or to whom it was transmitted. And we have so many computers in this case I'm beginning to get confused about the computers.

He indicated, the expert did, that there was a computer that received the information; that is, it went into the defendant's computer, got certain information, transferred it to a government computer, which then transferred it to another government computer, which transferred it to the FBI. Is that what you understand his testimony to be, or am I wrong?

MR. GRINDROD: I think there may be one extra computer in there, Your Honor, but that is essentially --

THE COURT: Well, tell me what you understood it to be so I can be on the safe side.

They obtained it from the defendant's computer.

MR. GRINDROD: That's correct.

THE COURT: And then it went to where?

MR. GRINDROD: It was routed through our clients' wireless router, not directly but eventually went to an FBI -- a government computer, and then, after that point, went to either -- went -- there were some further transfers, and between when it went to the FBI initially and when it was subsequently transferred there was a change in the IP address, of the receiving IP address, as displayed in the PCAP data.

THE COURT: It wasn't the defendants' IP address.

MR. GRINDROD: Not that I was talking about there, Your Honor. There's a separate issue as to whether the IP address that --

THE COURT: The IP address that we're speaking of was the government's IP address, correct?

MR. GRINDROD: In that instance, yes, Your Honor.

THE COURT: Okay. I just want to make sure. Everything else there's been no contest over. We're in a contest about what was received was a different IP address for the government.

MR. GRINDROD: Well, and for our clients, Your Honor, but that's for a slightly different reason. Well, a very similar reason but based on --

THE COURT: I thought it was in the receipt of the information that the FBI had --

MR. GRINDROD: It's both, Your Honor.

THE COURT: -- and it received it from a government computer someplace.

MR. GRINDROD: Yes, that's correct, Your Honor.

THE COURT: And when they received it I understand that we had an IP address that was different from some government IP address, correct?

MR.
GRINDROD: Yes, Your Honor.

THE COURT: Okay. It was not the difference of the defendants' IP address.

MR. GRINDROD: It was that, also, Your Honor.

THE COURT: I never heard him testify about the defendants' IP address. He's still here, so I'll ask him about it.

Okay, that's it. Let's go. I'm pretty sure he said it was the government's IP address.

MR. GRINDROD: Well, I think, Your Honor, that he testified --

THE COURT: I don't want to "think" anymore.

MR. GRINDROD: Okay.

THE COURT: I'll find out what he said.

BY MR. GRINDROD:
Q. Let me ask you this question, Dr. Alfin:

So you made this distinction between the information that was inside the package and the information that may be displayed on the outside of the package, right?
A. There is a distinction. And, for the record, I just want to be clear. I am not a doctor.
Q. So, Agent Alfin.
A. I just wanted to make sure I'm not --

THE COURT: We're not going back over all the testimony. No more.

You've got one more question. You said you had two. I've allowed you plenty. You have one more question, and that's it. Make sure it's a good question.

BY MR. GRINDROD:
Q. Even though you make this distinction between the information that's in the package not changing, whereas, perhaps the information on the outside did, in fact, the information that allowed you to find my client was the information on the outside of the package, correct?
A. The information that allowed us to identify your client never changed.
Q. That's not what I asked you.
A. It was on the outside of the package, but it never changed.
Q. Thank you.

MR. GRINDROD: No further questions, Your Honor.

THE COURT: Anything else from this witness?

MS. YUSI: Not from the government, Your Honor.

MR. GRINDROD: Not from the defense.

THE COURT: Thank you very much, sir. You may step down.

THE WITNESS: Thank you, Your Honor.

THE COURT: Do you want to recall your witness, sir?

(There was a pause in the proceedings.)

MR. GRINDROD: I will briefly, Your Honor, just to address that one point that we were talking about.

THE COURT: All right, I'm going to allow you to.

MR. GRINDROD: Your Honor, the defense recalls Dr. Soghoian.

THE COURT: You're reminded you're still under oath.

CHRISTOPHER SOGHOIAN, Ph.D., recalled as a witness, having been first duly sworn, testified as follows:

DIRECT EXAMINATION

BY MR. GRINDROD:
Q. Dr. Soghoian, were you present for the last exchange with Agent Alfin?
A. I was.
Q. And there was some question as to which IP address we were talking about, whether it was the government IP address or our clients' IP addresses. Do you remember that?
A. I do.
Q. Can you explain to the Judge what, if any, IP address changed?
A. Yes, Your Honor. There were two IP addresses that are displayed in the PCAP file; the IP address of the computer that ran the NIT, the defendants' computers, and then there's an IP address for the government.

What I believe is that the IP address -- that both IP addresses, in fact, changed between when the data left the computer of the defendant and when the data was received ultimately by the final government server.

THE COURT: All right. Now, it's very simple. There has to be some documentation that you reviewed that saw
Soghoian - Direct 1 2 it. Where is that documentation? THE WITNESS: So the government has provided us a 3 copy of the -- or provided counsel, who then provided me, a 4 copy of the PCAP file, which is the recording, and when I 5 looked at the PCAP file -- 6 7 8 9 THE COURT: Well, let me have the PCAP file. the PCAP file now. THE WITNESS: The PCAP file is not in a form that is easy for the -- for someone not skilled in the art to 10 understand. 11 office, I can provide a screenshot -- 12 After this hearing, when I get back to their THE COURT: I don't want you to provide anything 13 when you get back to the office. 14 thing now. 15 I want I want to see the PCAP I can employ an expert, don't worry. Let me have the PCAP file right this minute. 16 Somebody's got it, the one that was shown to Mr. -- this 17 expert witness. 18 19 It's on a disk? There wasn't anything -- nothing printed out? 20 MR. GRINDROD: 21 from the government, Your Honor. 22 THE COURT: 23 THE WITNESS: This is exactly as we received it Is this what you reviewed? Counsel e-mailed me a copy of the 24 files that were encrypted. I decrypted those files. 25 believe the encryption was performed by the government. Heidi L. Jeffreys, Official Court Reporter I Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 150 of 157 PageID# 683 150 C. Soghoian - Direct 1 2 THE COURT: Let me see what you e-mailed to the witness. 3 MR. GRINDROD: 4 this disk, Your Honor. 5 THE COURT: 6 MR. GRINDROD: 7 Well, where is the copy of it? THE COURT: to people? MR. GRINDROD: 11 THE COURT: Well, Your Honor, it's -- You don't keep copies of what you send in your mail? 13 MR. GRINDROD: 14 other copy of this. 15 THE COURT: 16 Your Honor, I don't have a copy in You don't keep copies of what you send 10 12 I didn't -- any other form than on this disk. 8 9 It's the files that are contained on It was -- it was -- I don't have any I didn't ask you about the copy of this. What did you send to this witness? 17 MR. 
GRINDROD: It wasn't that. Your Honor, I dragged the files from 18 this disk into an e-mail, I sent that to Dr. Soghoian, I 19 sent, through separate means, an encryption code, and -- 20 THE COURT: 21 MR. GRINDROD: 22 THE COURT: 23 You sent an e-mail to him. That's correct, Your Honor. Okay. And you don't have a copy of the e-mail? 24 MR. GRINDROD: 25 THE COURT: Not with me, no, Your Honor. I know you don't have it with you. Heidi L. Jeffreys, Official Court Reporter The Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 151 of 157 PageID# 684 151 C. Soghoian - Direct 1 computer isn't here. 2 MR. GRINDROD: 3 THE COURT: 4 So you have a copy. Tomorrow morning get that copy to me. 5 MR. GRINDROD: 6 THE COURT: 7 That's correct. Yes, Your Honor. Now, that's a copy furnished to you by the government? 8 MR. GRINDROD: 9 THE COURT: That's correct, Your Honor. And who encrypted it? 10 MR. GRINDROD: The government, Your Honor. 11 THE COURT: 12 Do you have a copy of what you gave him, Ms. Yusi? 13 MS. YUSI: Oh, so the government gave you a copy. Your Honor, I did not bring it. It's 14 actually a program file, I understand, and so it's not 15 something that you just -- it doesn't come up in a Word 16 document that you can print out. 17 at it along with other technology in order for it to appear 18 as anything. 19 20 THE COURT: It's getting too So the only way you can determine it is to look at it with other technology. 23 MS. YUSI: 24 THE COURT: 25 Well, forget it. complex now. 21 22 You actually have to look That's my understanding. Okay. But you sent him an e-mail, correct? Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 152 of 157 PageID# 685 152 1 MR. GRINDROD: 2 THE COURT: 3 Are you sure somebody didn't hack your e-mail on the way? 4 MR. GRINDROD: 5 THE COURT: 6 MR. GRINDROD: 7 THE COURT: 8 Okay. 9 Yes, Your Honor, containing the file. Well, we used encryption, Your Honor. Oh, you used an encrypted e-mail? 
Yes, Your Honor. Oh, that's excellent. We'll see where we're going. I'm still worried about the materiality, but I am concerned about the 10 fact that IP addresses were changed. 11 that is. 12 I'm curious about what And I'm going to request you to see if you can't 13 copy the e-mail and send it to me. 14 to send me a copy of the encryption of this concerning the IP 15 addresses. 16 MR. GRINDROD: I'm asking the government And, Your Honor, if it also would be 17 helpful -- I know the Court wants the data itself, but 18 Dr. Soghoian showed me the data -- 19 20 THE COURT: I don't want to hear from Dr. Soghoian any more. 21 MR. GRINDROD: 22 THE COURT: 23 MR. GRINDROD: 24 THE COURT: 25 Not -- just -- That's it. He's testified. That's it. Just the raw data. I just want to see what's on the encryption. Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 153 of 157 PageID# 686 153 C. Soghoian (recalled) - Cross 1 MR. GRINDROD: 2 THE COURT: Will do, Your Honor. I mean, whatever was encrypted. I want 3 to see the e-mail, the various -- the original document and 4 what the government says it gave to the defendant in relation 5 to some encryption, okay? 6 Anything else? 7 MR. GRINDROD: 8 THE COURT: Anything else, ma'am? 9 MS. YUSI: A follow-up, Your Honor. 10 No, Your Honor. CROSS EXAMINATION 11 BY MS. YUSI: 12 Q. 13 to the FBI server -- 14 A. That was received, you mean? 15 Q. That was received, yes, sent by his computer through the 16 NIT. 17 A. 18 ask me about the IP address, that changed along the way. 19 Q. 20 ISP -- went to the defendant's residence. 21 A. 22 if that's what left the defendants' computer? 23 Q. 24 to the defendants, correct? 25 A. The defendant's IP address that was sent in the package The NIT sent it, correct? The PCAP shows it was received, and if you're going to Okay. But that's the IP address that Cox or the local Is that right? 
Are you asking me if that's what is in the PCAP file or What's in the PCAP file contains an IP address that led I believe so. Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 154 of 157 PageID# 687 154 1 Q. Thank you. 2 MR. GRINDROD: 3 THE COURT: 4 you very much. 5 I have nothing further, Your Honor. I don't have anything further. Thank You may step down, sir. All right. Tomorrow I want those furnished to me, 6 by 12:00 noon tomorrow, that e-mail you sent, the encryption 7 that you gave them, whatever that encryption was, and a copy 8 of this thing that was given to the government. 9 interested in the change in the IP address than anything 10 I'm more else. 11 In relation to the materiality, is there any other 12 evidence concerning the materiality, to the defense, of the 13 code? 14 (There was a pause in the proceedings.) 15 MR. GRINDROD: 16 Nothing further from the defense, Your Honor. 17 THE COURT: 18 MS. YUSI: 19 THE COURT: Anything else, Ms. Yusi? Not from the government. Insofar as the motion to suppress is 20 concerned, that is denied at this time. 21 opinion. 22 get the opinion out. 23 I will forward an It will probably take maybe a couple of weeks to As well, I'm going to look at this question of the 24 materiality of the information of the code. I'm having lots 25 of problems finding any materiality, but I want to look Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 155 of 157 PageID# 688 155 1 through all of these -- I have not read the testimony that 2 was filed given in Judge Morgan's court, except that I did 3 not necessarily agree with everything in his decision. 4 Although, I found it a brilliant decision and a great law 5 review article; however, I must say -- and I mean that 6 sincerely. 7 It thoroughly investigated the law. 
Insofar as the materiality is concerned, I want to 8 look at what's testified to there, and then I can probably 9 give you a decision. I'll try to give you a decision, but I 10 can't get a written out because it's somewhat complex, and I 11 figure it will take a couple of weeks to get the opinion out. 12 It's not the only case I have. 13 Anything else? 14 MS. YUSI: 15 16 17 18 19 20 21 22 23 24 25 Not from the government. Thank you, Your Honor. THE COURT: Now, the question is do you want to take some time to argue this matter tomorrow morning? MS. YUSI: Your Honor, I don't have anything to add that the Court hasn't heard at this point. THE COURT: Do you want to argue the matter tomorrow, Mr. Grindrod or Mr. Cejas or Mr. Colgan? MR. GRINDROD: Your Honor, unless -- I mean, we'd be happy to address any concerns the Court has, but -THE COURT: I'm not trying to -- I'm just giving you the opportunity if you want to. Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 156 of 157 PageID# 689 156 1 MR. GRINDROD: I appreciate it, Your Honor. 2 THE COURT: 3 (The hearing adjourned at 6:02 p.m.) Okay. Thank you very much. 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Heidi L. Jeffreys, Official Court Reporter Case 2:16-cr-00092-RBS-RJK Document 19-3 Filed 08/12/16 Page 157 of 157 PageID# 690 1 CERTIFICATION 2 3 4 I certify that the foregoing is a correct transcript from the record of proceedings in the above-entitled matter. 5 6 /s 7 Heidi L. Jeffreys 8 9 10 July 14, 2016 Date 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Heidi L. Jeffreys, Official Court Reporter