Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

United States v. Anzalone

United States District Court, D. Massachusetts

September 22, 2016



          Patti B. Saris Chief United States District Judge.


         Defendant Vincent Anzalone is charged with one count of possession of child pornography in violation of 18 U.S.C. § 2252A(a)(5)(B) and one count of receipt of child pornography in violation of 18 U.S.C. § 2252A(a)(2)(A). The government also seeks forfeiture of any child pornography images in the defendant's possession.

         This case arises from an FBI investigation into users of Playpen, a child pornography website. Playpen operates on the Tor network, which enables anonymous internet browsing. In February 2015, the government acquired control of Playpen's server. For two weeks, the government operated the website. To obtain the IP addresses of the site's users, the government applied for and received a search warrant from a magistrate judge in the Eastern District of Virginia. The search warrant allowed the FBI to deploy a Network Investigative Technique (NIT) on users' computers. The NIT caused users' computers to transmit identifying information, including IP addresses, to the government. The defendant asserts the government unreasonably searched his computer by using the NIT in violation of the Fourth Amendment. Specifically, the defendant contends that the warrant lacked probable cause, that the magistrate judge in the Eastern District of Virginia did not have the authority to authorize a search in the District of Massachusetts, and that suppression is required. The defendant moves to suppress all evidence gathered by the NIT as well as all fruits of the allegedly unconstitutional search.

         For the reasons set forth below, the defendant's motion to suppress (Docket No. 47) is DENIED.


         The following facts are undisputed unless otherwise noted. The Court has not held an evidentiary hearing. The facts are primarily drawn from FBI Special Agent Douglas Macfarlane's affidavit in support of the February 20, 2015 search warrant application. The defendant initially requested a Franks hearing, but later withdrew that request. See Docket No. 65 at 5 n.4. The Court requested the parties to supplement the record with more information about the NIT, which the Court considered.

         I. The Tor Network

         Special Agent Macfarlane has worked as an FBI Special Agent for two decades. At the time of the investigation at issue, he was assigned to the FBI's Violent Crimes Against Children Section. On February 20, 2015, Macfarlane submitted a search warrant application to Magistrate Judge Theresa Carroll Buchanan of the Eastern District of Virginia. Macfarlane appended his affidavit to that application. The statements contained in the affidavit were based on information provided by other federal and foreign law enforcement agents, information obtained from subpoenas, the results of physical and electronic surveillance, forensic computer analysis, and Macfarlane's own experience and training as a special agent.

         In his affidavit, Agent Macfarlane described the mechanics of the Tor network. The Tor network, also known as The Onion Router, is an anonymity network that masks a user's IP address. Designed by the U.S. Naval Laboratory to protect government communications, Tor is now available to the public. To access the Tor network, a user must download an add-on to the user's existing browser or download the Tor browser bundle. To ensure anonymity for its users, the Tor network bounces communications through various relay computers. When a user accesses a website, the IP address of the last computer in that chain is displayed, rather than the user's IP address. The network therefore “prevents someone attempting to monitor an Internet connection from learning what sites a user visits, prevents the sites the user visits from learning the user's physical location, and it lets the user access sites which could otherwise be blocked.” Macfarlane Aff. ¶ 8, Docket No. 48, Ex. 2.

         Within the Tor network, sites can be designed as “hidden services.” Hidden services are only accessible if the user is using the Tor network. Hidden services allow websites and other servers to hide their location. Like traditional websites, these sites “are hosted on computer servers that communicate through IP addresses.” Id. ¶ 9. Unlike such websites, however, the “IP address for the web server is hidden and instead is replaced with a Tor-based web address, which is a series of algorithm-generated characters” followed by the suffix “.onion.” Id.

         II. The Playpen Website

         Playpen operated as a hidden service on the Tor network. The site was only accessible via the Tor network. According to Agent Macfarlane, even then, a user was required to know the site's address: “Tor hidden services are not indexed like websites on the traditional internet. Accordingly, unlike on the traditional internet, a user may not simply perform a Google search for the name of one of the websites on Tor to obtain and click on a link to the site.” Id. ¶ 10. To learn Playpen's unique .onion address, a user might communicate directly with others on Tor or he might consult another site that lists links to child pornography hidden service sites. Agent Macfarlane concluded that accessing Playpen “therefore requires numerous affirmative steps by the user, making it extremely unlikely that any user could simply stumble upon [Playpen] without understanding its purpose and content.” Id.[1]

         Agent Macfarlane described Playpen's homepage as it appeared on February 18, 2015, two days before he signed the affidavit. At the top left corner of the page, the name Playpen was prominently displayed. On either side of the site name were images depicting partially clothed prepubescent girls with their legs spread apart. Below these images, the site stated: “No cross-board reports, .7z preferred, encrypt filenames, include preview.” Id. ¶ 12. Agent Macfarlane explained that “no-cross-board reports” was an instruction to users not to post material appearing on other sites. Id. The “.7z preferred” statement referred to a method of compressing large files for distribution. Id. At the top right corner, to the right of the site name, users could enter a username and password, and select a session length. A login button appeared to the right of those login fields.

         Below the site name, the image of the two partially clothed girls, and the login fields was a textbox that read: “Warning! Only registered members are allowed to access this section. Please login below or ‘register an account' with Playpen.” Id. The “register an account” text was hyperlinked to the site's registration page. Another set of login fields appeared below this warning, asking users to enter their username, password, minutes to stay logged in, and whether they wanted to permanently remain logged in.

         When a prospective user clicked the “register an account” hyperlink, the user saw a message from the forum operators. The message explained that the forum required new users to enter an email address and that the software “checks that what you enter looks approximately valid.” Id. ¶ 13. However, the forum operators encouraged users to enter fake email addresses: we “do NOT want you to enter a real address, just something that matches the xxx@yyy.zzz pattern. No confirmation will be sent. This board has been intentionally configured so that it WILL NOT SEND EMAIL, EVER.” Id. The message further cautioned new users: “For your security you should not post information here that can be used to identify you.” Id. The forum operators further emphasized the site's focus on anonymity: “The website is not able to see your IP and can not collect or send any other form of information to your computer except what you expressly upload, ” explaining that only a text file with the user's username and password reside in the browser's cache. Id.

         The defendant and the government agree that one aspect of the homepage changed between February 18, 2015, when Agent Macfarlane last visited the Playpen site, and February 20, 2015, when Agent Macfarlane signed his affidavit and submitted the search warrant application. As of February 3, 2015, the homepage featured the two photos of the partially clothed prepubescent girls described above. Sometime after February 3, 2015, Agent Macfarlane learned that the site's URL had changed. On February 18, 2015, he visited the Playpen site at its new URL. He confirmed that its content had not changed. However, on February 19, 2015, the logo on Playpen's site changed. Instead of two prepubescent, partially clothed girls with their legs spread, the site featured one young girl (age unclear) wearing a short dress and black stockings with her legs crossed. Agent Macfarlane did not know of this change when he signed the affidavit on February 20, 2015. Therefore, the affidavit incorrectly described the homepage.

         After logging into Playpen with a username and password, visitors to the site had access to various forums, many of which contained child pornography. The table of contents included nearly fifty topics, including “pre-teen photos, ” “pre-teen videos, ” “jailbait photos, ” “jailbait videos, ” “kinky fetish, ” “webcams, ” and “family -- incest.” Id. ¶ 14. Agent Macfarlane noted in the affidavit that “jailbait” refers to underage, but post-pubescent minors. Id. ¶ 14 n.4. He also explained that the photos and videos were denominated as “HC” or “SC/NN.” Id. ¶ 14 n.5. Agent Macfarlane stated that “HC” stands for hardcore and depicts “penetrative sexually explicit content, ” “SC” stands for softcore and includes “depictions of non-penetrative sexually explicit conduct, ” and “NN” stands for non-nude and depicts “subjects who are fully or partially clothed.” Id. Agent Macfarlane provided various examples of photos and videos depicting child pornography within these forum sections.

         Agent Macfarlane described other features of the site that allowed for the dissemination of child pornography: a private messaging function; an image hosting feature, which allowed users to upload links to images of child pornography; a file hosting feature, which allowed users to upload videos of child pornography; and a chat feature, which allowed those logged into the chat service to view and post images of child pornography. For each of these components of the website, Agent Macfarlane identified specific examples of child pornography being posted or transmitted.

         III. The Network Investigative Technique

         In December 2014, a foreign law enforcement agency alerted the FBI of an IP address connected with Playpen. The FBI identified the server hosting company that owned this IP address. The FBI then obtained a search warrant and seized a copy of the server assigned to the IP address at issue. After reviewing the server copy, FBI agents determined that it contained a copy of Playpen. Further investigation revealed that Playpen's suspected administrator lived in Naples, Florida. On February 19, 2015, the FBI executed a search warrant at the administrator's Florida residence. As of February 19, 2015, the FBI assumed control of Playpen. The government operated the website for the following two weeks.

         While operating Playpen, the government sought permission from a magistrate judge in the Eastern District of Virginia to deploy the NIT. Because Playpen resided on the Tor network, Agent Macfarlane explained in his affidavit that the NIT was necessary to identify the site's users and administrators. Macfarlane stated that other methods typically used in criminal investigations “have been tried and have failed or reasonably appear to be unlikely to succeed if they are tried.” Id. ¶ 31.

         The search warrant requested the authority to deploy the NIT at the point when a user accesses Playpen, enters a username and password, and logs into the site. Agent Macfarlane noted that, despite a request to deploy the NIT at this stage, “in order to ensure technical feasibility and avoid detection of the technique by suspects under investigation, in executing the requested warrant, the FBI may deploy the NIT more discretely against particular users, ” such as those who post most often or those who visit those forum sections dedicated solely to child pornography. Id. ¶ 32 n.8.

         Agent Macfarlane detailed the technical aspects of the NIT deployment. He explained that the NIT would deploy from the Eastern District of Virginia. Macfarlane stated that generally, when a user visits a website, the computer downloads content that is used to display web pages on the user's computers. The NIT “would augment that content with additional computer instructions.” Macfarlane Aff. ¶ 33, Docket No. 48, Ex. 2. “When a user's computer successfully downloads those instructions from [Playpen], located in the Eastern District of Virginia, the instructions, which comprise the NIT, are designed to cause the user's ‘activating' computer to transmit certain information to a computer controlled by or known to the government.” Id.

         The affidavit enumerated the seven categories of information that would be transmitted back to the government and would help identify Playpen users: the activating computer's IP address, a unique identifier generated by the NIT to distinguish data from other activating computers, the type of operating system running on the activating computer, information about whether the NIT had previously been delivered to the activating computer, the activating computer's Host Name, [2] the activating computer's active operating system username, and the activating computer's media access control (MAC) address.[3] These seven pieces of information were to be transmitted to the government every time a user logged into Playpen. In addition, when accessing Playpen, a user sends “request data” to the website. The government recorded that data and paired it ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.