https ecf.cand.uscourts.gov cgi-bin show temp.pl file=8665248-0--15132

7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132

1/15

Motion to Suppress Page 1

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

JAMES McNAIR THOMPSONSBN 67807LAW OFFICES OF JAMES McNAIR THOMPSONPO BOX 636LOS GATOS CA 95031(408) 358-6047

Attorney for Tracy Ann Valenzuela

UNITED STATES OF CALIFORNIA,

Plaintiff,

vs.

TRACY ANN VALENZUELA

Defendant

)))))))))))

Case No.: CR 11 00471 DLJ

DEFENDANT VALENZUELASMOTION TO SUPPRESS EVIDENCE

Date: July 19, 2012Time: 9:00 a.m.Dept: Courtroom 7 - 4th Floor

TO THE CLERK OF THE ABOVE ENTITLED COURT, AND TO THE

PARTIES TO THE ABOVE-CAPTIONED MATTER: PLEASE TAKE NOTICE that

on July 19, 2012, at 9:00 a.m., in Courtroom 7 - 4th Floor of the above captioned

court, or as soon thereafter as the matter may be heard, defendant Tracy Ann

Valenzuela will move this court for an order suppressing all evidence seized from

that certain Dell Laptop seized from defendant Valenzuelas home on or about

January 27, 2011, together with all copies, mirrored images, files, images other

material or data derived there from, and all fruits of any searches of or seizures of

the foregoing, on the basis that all such searches and seizures were in violation of

Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page1 of 15


2/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

the defendants rights under the Fourth Amendment to the United States

Constitution.

On January 26, 2011, Magistrate Judge Lloyd signed a search warrant

authorizing federal authorities to search the defendants home for certain electronic

devices, as more precisely set forth in Attachments B and C to the warrant1; the

federal authorities searched the defendants home on January 27, 2011 and seized,

among other things, a Dell laptop computer.

Although the warrant required the authorities to search the computer,

identify such data and files as were authorized by the warrant to be seized within a

specific time, and return or destroy all remaining data, the government did not

perform that search, and data segregation, and did not seize any data authorized by

the warrant, within the time authorized. Defendant is informed and believes that

such a search, and such a seizure, was executed by the government after the time

expired.

A search of the computer, and seizure of data, after the time expired was

warrantless, and thus unreasonable, and the fruits of that untimely search and

seizure must be suppressed.2

1 The Search Warrant is attached to the Declaration of James McNair Thompson as Exhibit 1, theAffidavit as Exhibit 2, Attachment B as Exhibit 3 and Attachment C as Exhibit 4.2 Defendant Valenzuela here attacks the search as warrantless because it was executed after thewarrant had expired; defendant Valenzuela also believes that the warrant was not properly issued,because of inadequacies appearing on the face of the affidavit, however does not present thatargument, or raise that ground, at this time because of her belief that this motion will summarilyresult in the suppression of the fruits of the search.



3/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

A public controversy arose when Paypal, a subsidiary of EBay, announced

that it was no longer willing to process donations to Wikileaks in view of Wikileaks

publication of certain United States State Department cables. (Aff. 9)3 Paypal and

EBay complained to the FBI that it had been subjected to a Denial of Service Attack

on December 4, 2010 which it attributed to public dissatisfaction with its refusal to

continue to process donations. (Aff. 9)4

EBay later complained to the FBI about high traffic on its system through

December 10, 2010. (Aff. 10 11). EBay contended that this traffic consisted of a

sequence of characters (Aff 6) specifically enabled by a program called a Low Orbit

Ion Cannon. (Aff 6). LOIC was written in the C-Sharp language, or more

commonly referred to simply as C#. C# is a language written and published by

Microsoft, and is commonly available to developers. C# is an internationally known

computer language used to create custom applications for Windows-based systems,

the most popular computer operating system in the world. (Aff. 13)

On December 15, 2010, EBay turned over to the FBI a list of 1,000 IP

addresses which it contended had transmitted unwelcome communications to its

servers. (Aff 14) One IP address was ultimately linked to defendant Valenzuelas

residence (Aff 15), and the affiant, a special agent with the FBI, therefore requested

a search warrant. (Aff 25)

3 The warrant, affidavit, Attachment B to the warrant and Attachment C to the warrant areattached as exhibits to the Declaration of James McNair Thompson, filed with this motion.4 A denial of service attack involves saturating the target machine with external communicationsrequests, such that it cannot respond to legitimate traffic, or responds slowly as to be renderedeffectively unavailable. (Aff. 6) Legitimate traffic presumably includes traffic facilitatingpayments and money transfers to be made through the Internet (Aff 8), and speech protected bythe First Amendment.



4/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

A warrant authorizing the search of the defendants home was issued on

January 26, 2011. It authorized the federal authorities to search the defendants

home for certain property, namely See Attachment B & Attachment C

Attachment B told the government what it could look for when searching the

defendants home. For example, it authorized the government to look for

communications between the seized computer hard drive and other computers

involved in the denial of service attack, (Att B 5) and application, utility

programs, compilers, interpreters and other software used to facilitate direct or

indirect communication with the digital device. (Att. B 13)

Attachment B further authorized the government to look for these things in,

among other places, any digital device and/or computer. (Att B1)

However, Attachment C told the government whenit could look in a

computer for the specified materials.

In the first place, if the search could be completed at the site, then the

government was not authorized to even remove a device from the premises. (Att. C,

1)

If the government determines that a search reasonably cannotbe completed on site within a reasonable time period, the governmentmust determine whether all or part of the authorized search can becompleted by making a mirror image of, or in some other mannerduplicating, the contents of the device and then conducting the forensicreview of the mirror image or duplication off site.

(Att. C, 2; emphasis added)

Attachment C, Paragraph 6 provided

Within a reasonable period of time, but not to exceed 60 calendar daysafter completing the forensic review of the device or image, thegovernment must use reasonable efforts to return, delete, or destroy



5/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

any data outside the scope of the warrant unless the government isotherwise permitted by law to retain such data.

The search having been conducted on January 27, 2011, the government was

required to complete its forensic review not later than July 26, 2011, and to return

or destroy all data not responsive to the search warrant by a date not later than

September 24, 2011.

Defendant is informed and believes that as of July 26, 2011, and even as of

September 24, 2011, the government had not conducted a forensic review of the

defendants laptop.

The government said so at the Status Conference held on May 3, 2012.

Mr. Parrella: So, your honor, since the last time that we werehere, the government has endeavored to comply with the discoveryorder from Magistrate Grewal and we have in part complied with that.We have asked for an extension, and we're continuing to review theorder and will attempt to comply with it.

Hopefully by the middle of next week we will -- well, let me backup.

(sic)The purpose of that is to allow each defendant to review the

evidence obtained from his codefendant.We had attempted to address that issue by providing the

complete drives that were imaged from each defendant. However, thedefendants objected to that because they said that there is other

personal information on those computers that they did not wish toshare.The Court: Only the relevant information on the computer be

disclosed.Mr. Parrella: Right.

Thatwas unacceptable.



6/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

We are in the midst right now of actually completing that andhopefully by

[]The Court: And

Mr. Parrella: .The Court: And then the rest of the personal material doesn't go

anywhere, back to the defendant or back to the --Mr. Parrella: Correct. We actually have returned many hard

drives and computers that had no evidence on them at all, but just tofollow the final step and the process you were talking about is

(sic) andhe will then have a database of all of that and they can access thatwith no interference from the government.

The Court: Okay.Mr. Parrella: Anyway, it's taking a bit of time. Mr. Chew has

spoken with many of the defense counsel here today and I think mostof them, if not all of them, have agreed that on July 19th, as apotential status date that is okay by the government.

The Court: Does that anticipate that you will complete thissegregation process?

Mr. Parrella: Yes. (See Exhibit 5 TX May 3, 2012 StatusConference 6:22 9:6; emphasis added)

The government here has openly and unequivocally admitted that it had not

searched the defendants laptop to identify relevant data, and seized that relevant

data, within the time permitted by the search warrant.

The government also said so on April 19, 2012, when it admitted

In its March 16, 2012 order, the Court stated that: In sum, . . .the government has no claim to data outside the scope of the warrant.By some other reasonable effort that minimizes the governmentsexposure to non-targeted documents, no later than 30 days from thedate of this order, the government must endeavor to give back to the

defendants data outside the scope of the warrants. The Court alsoordered the government mak[e] the targeted data available to thedefendants. However, the government needs additional time tocomply with the Courts March 16, 2012 order. (Doc 247, p.2)

On May 15, 2012, the government admitted in Doc. 265 that it had not

conducted the required forensic review at a time authorized by the warrant:



7/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

The government has also provided a copy of all the electronicinformation of all the defendants, other than Christopher (sic) Covelli,that the government has determined falls within the scope of the

search warrants, to Mr. Aoki to be shared by defendants and defensecounsel. (p2)

That discovery was sent to Mr. Aoki on May 11, 2012, which, being more than

30 days after Magistrate Judge Grewals order, presumably means that government

had not conducted its forensic review of defendant Valenzuelas hard drive before

the 30 days expired on April 15, 2012.5

Furthermore, the government even now appears not to have completed its

forensic review, saying in Doc. 265, filed on May 15, 2012, that it has encountered

difficulty in determining what constitutes data within the scope of the warrants, for

example, dates and times associated with each file item in a file system may be used

to establish the identity of the user who was utilizing the computer when an

computer-related offense was created. (Doc 265, p3)

In other words, even as of May 15, 2012, the government has not completed

its forensic review, has not seized the relevant data, and has not thereafter deleted,

destroyed or returned all non-responsive data. It is still in the process of searching

the defendants digital devices.

5 Of course, had the government completed its search of the defendants laptop on March 17, 2012,and seized data at that time, the search and the seizure would have been untimely, andunauthorized by the warrant.



8/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

On February 4, 2012, defendant Valenzuela moved for an order to compel

the government to identify information responsive to the warrants upon which the

government relied in seizing any digital device or medium, to distribute that

information to all defendants in accord with the current protocol, and to return all

such devices and media to the defendant from whom it was seized forthwith. (Doc.

192, p2) Footnote 1 of that motion said, This is not a motion to suppress the fruits

of a defective warrant or warrant defectively executed; defendant Valenzuela

reserves her right to bring any such motions. (p 2)

In that motion, defendant Valenzuela said

The most probable other reason is that the government does notwant to go to the bother and expense of returning the devices, anddeleting and destroying all data outside the scope of the warrant onits mirror images.

If the government admitted this, it would be admitting that itflagrantly and unlawfully violated the terms of the search warrant, assurely as if it searched a different residence.

Since the government has not admitted this, defendantValenzuela will presume that they have complied with therequirement that the government has deleted from all mirrors andcopies of devices seized from defendant Valenzuela and hercodefendants data outside the scope of the warrant, and therefore canproduce the data described in the search warrant to the defendantswithin 10 days, without disclosing or producing non-pertinent and, inmany cases. personal and confidential data (which it presumably no

longer has.) (Doc. 192 pp 10 11)

In short, Magistrate Judge Grewals March 16, 2012 order was not an order

authorizing a search of the defendants lap top, but an order requiring the

government to disclose the fruits of a search it had presumably conducted almost



9/15


10/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

A warrant which did not specify the items to be seized with particularity is

invalid as a general warrant. As the Court said in United States v. Kow, 58 F.3d

423, 427 (9th Cir. 1995)

The warrant authorized the seizure of virtually every documentand computer file at HK Video. To the extent that it provided anyguidance to the officers executing the warrant, the warrant apparentlysought to describe every document on the premises and direct that

everything be seized. The government emphasizes that the warrantoutlined fourteen separate categories of business records. However, thewarrant contained no limitations on which documents within eachcategory could be seized or suggested how they related to specificcriminal activity. By failing to describe with any particularity theitems to be seized, the warrant is indistinguishable from the generalwarrants repeatedly held by this court to be unconstitutional. E.g.,Center Art Galleries-Hawaii, Inc. v. United States, 875 F.2d 747, 750(9th Cir.1989); United States v. Stubbs, 873 F.2d 210, 211 (9thCir.1989) (warrant invalid "because of the complete lack of anystandard by which an executing officer could determine what to seize").

Only the specification set forth in paragraphs 4 15 of Attachment B saves

the warrant from being overbroad. These paragraphs clarify that what the federal

authorities are authorized to look for in any digital device and/or computer capable

of being used to commit, further commit or store evidence of a violation of 18

U.S.C. 1030 (Attachment B, 1) was specific evidence related to the alleged

violation of that particular statute.



11/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

If the government was authorized to simply seize all digital devices, including

all computers, and keep all files and data on those devices, then the limitation of

paragraphs 4 through 15 of Attachment B would have been transformed into

meaningless surplusage.

Central to the validity of the warrant was the requirement in Paragraph 2 of

Attachment C that the government complete a forensic review of the defendants

laptop within 120 days of the seizure, and [w]ithin a reasonable period of time, but

not to exceed 60 calendar days after completing the forensic review of the device or

image, the government must use reasonable efforts to return, delete, or destroy any

data outside the scope of the warrant unless the government is otherwise permitted

by law to retain such data. (Attachment C, 6)

Only through the imposition of these time limits did the warrant authorize a

search for specific evidence such as data gathered or collected by means of the

operation of the denial of service attack and/or botnet (Attachment B, 9) or

records, documents, and materials that relate to malicious software, code, or other

programs associated with Trojans, botnets, denial of service attacks, to include but

not limited to LOIC and/or HOIC. (Attachment B, 4)

Without the imposition of these time limits, the warrant simply becomes a

general warrant such as the one condemned in Koh, supra.



12/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

As a general rule, a warrant authorizing the seizure of property must be

executed within 14 days. FRCP 41(e)(2)(A)(i)

However, searching a computer in order to seize data or files described in a

warrant can be complicated business. Searching computer systems for the

evidence described in Attachment B may require a range of data analysis

techniques. (Aff. p.20)

For this reason, FRCP 41(e)(2)(B) exempts seizure of electronically stored

information from the 14 day rule.

However, the affiant, in securing the warrant at issue here, declared that

government will complete a forensic review of that mirror image within 120 days of

the execution of the search warrant. (Aff. p.23)

The government further asserted in the affidavit, Within a reasonable period

of time, but not to exceed 60 calendar days after completing the forensic review of

the device or image, the government must use reasonable efforts to return, delete,

or destroy any data outside the scope of the warrant unless the government is

otherwise permitted by law to retain such data. (Aff, p.24)

The magistrate imposed those time limits as a condition of the warrant, and

thereby limited the warrant to a warrant to seize particularized files and data,

rather than an invalid general warrant.

The distinction between the device in this case the laptop computer and

the data stored on the device was carefully set forth in the warrant and must be

borne in mind.



13/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

Assuming for the sake of argument that the government had the right to

retain the laptop as a forfeitable instrumentality of the alleged crime,6 it clearly did

not have the right to retain any data on the laptop.

Nothing about the governments obligation to return, delete, or destroy any

data outside the scope of the warrant interfered with any right it may assert to

retain the device.

This should be a self evident proposition. As was made clear in United

States v. Shetler, 665 F.3d 1150, 1156 1157 (9th Cir. 2011)

The exclusionary rule bars the prosecution from using at trialevidence that has been obtained through a violation of the Fourth

Amendment. Wong Sun v. United States, 371 U.S. 471, 484-85, 83S.Ct. 407, 9 L.Ed.2d 441 (1963). Although exclusion is not itself apersonal constitutional right, it serves to enforce the underlyingpersonal right to be free from unreasonable searches and seizures bydeterring violations of the Fourth Amendment. See Davis v. United

States, __ U.S. __, 131 S.Ct. 2419, 2426, 180 L.Ed.2d 285 (2011). Theexclusionary rule applies both to direct products of an illegal searchi.e., the physical evidence found during the search itself and toindirect products of the illegal search i.e., statements or physicalevidence subsequently obtained in part as a result of the search ifthey " bear a sufficiently close relationship to the underlyingillegality." United States v. Ladum, 141 F.3d 1328, 1336-37 (9thCir.1998); see also Wong Sun, 371 U.S. at 485, 83 S.Ct. 407; UnitedStates v. Rodgers, 656 F.3d 1023, 1031 (9th Cir.2011); United States v.Crawford, 372 F.3d 1048, 1054 (9th Cir.2004) (en banc) (" It is wellestablished that the Fourth Amendment's exclusionary rule applies to

statements and evidence obtained as a product of illegal searches andseizures." ).

6 This assumption is not one which the defendant would concede, however. In the first place, noforfeiture allegations appear in the Indictment. More importantly, defendant Valenzuela assertsthat she committed no crime.



14/15


15/15


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

seizure of such data and files was warrantless, unreasonable and in derogation of

her rights under the Fourth Amendment of the United States Constitution.

As such, the data, files and any fruits thereof must be suppressed.

Dated: June 10, 2012

Respectfully submitted,

James McNair Thompson

Attorney for Tracy Valenzuela


https ecf.cand.uscourts.gov cgi-bin show temp.pl file=8665248-0--15132

Documents