https ecf.cand.uscourts.gov cgi-bin show temp.pl file=8665248-0--15132
TRANSCRIPT
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
1/15
Motion to Suppress Page 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
JAMES McNAIR THOMPSONSBN 67807LAW OFFICES OF JAMES McNAIR THOMPSONPO BOX 636LOS GATOS CA 95031(408) 358-6047
Attorney for Tracy Ann Valenzuela
UNITED STATES OF CALIFORNIA,
Plaintiff,
vs.
TRACY ANN VALENZUELA
Defendant
)))))))))))
Case No.: CR 11 00471 DLJ
DEFENDANT VALENZUELASMOTION TO SUPPRESS EVIDENCE
Date: July 19, 2012Time: 9:00 a.m.Dept: Courtroom 7 - 4th Floor
TO THE CLERK OF THE ABOVE ENTITLED COURT, AND TO THE
PARTIES TO THE ABOVE-CAPTIONED MATTER: PLEASE TAKE NOTICE that
on July 19, 2012, at 9:00 a.m., in Courtroom 7 - 4th Floor of the above captioned
court, or as soon thereafter as the matter may be heard, defendant Tracy Ann
Valenzuela will move this court for an order suppressing all evidence seized from
that certain Dell Laptop seized from defendant Valenzuelas home on or about
January 27, 2011, together with all copies, mirrored images, files, images other
material or data derived there from, and all fruits of any searches of or seizures of
the foregoing, on the basis that all such searches and seizures were in violation of
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page1 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
2/15
Motion to Suppress Page 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
the defendants rights under the Fourth Amendment to the United States
Constitution.
On January 26, 2011, Magistrate Judge Lloyd signed a search warrant
authorizing federal authorities to search the defendants home for certain electronic
devices, as more precisely set forth in Attachments B and C to the warrant1; the
federal authorities searched the defendants home on January 27, 2011 and seized,
among other things, a Dell laptop computer.
Although the warrant required the authorities to search the computer,
identify such data and files as were authorized by the warrant to be seized within a
specific time, and return or destroy all remaining data, the government did not
perform that search, and data segregation, and did not seize any data authorized by
the warrant, within the time authorized. Defendant is informed and believes that
such a search, and such a seizure, was executed by the government after the time
expired.
A search of the computer, and seizure of data, after the time expired was
warrantless, and thus unreasonable, and the fruits of that untimely search and
seizure must be suppressed.2
1 The Search Warrant is attached to the Declaration of James McNair Thompson as Exhibit 1, theAffidavit as Exhibit 2, Attachment B as Exhibit 3 and Attachment C as Exhibit 4.2 Defendant Valenzuela here attacks the search as warrantless because it was executed after thewarrant had expired; defendant Valenzuela also believes that the warrant was not properly issued,because of inadequacies appearing on the face of the affidavit, however does not present thatargument, or raise that ground, at this time because of her belief that this motion will summarilyresult in the suppression of the fruits of the search.
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page2 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
3/15
Motion to Suppress Page 3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
A public controversy arose when Paypal, a subsidiary of EBay, announced
that it was no longer willing to process donations to Wikileaks in view of Wikileaks
publication of certain United States State Department cables. (Aff. 9)3 Paypal and
EBay complained to the FBI that it had been subjected to a Denial of Service Attack
on December 4, 2010 which it attributed to public dissatisfaction with its refusal to
continue to process donations. (Aff. 9)4
EBay later complained to the FBI about high traffic on its system through
December 10, 2010. (Aff. 10 11). EBay contended that this traffic consisted of a
sequence of characters (Aff 6) specifically enabled by a program called a Low Orbit
Ion Cannon. (Aff 6). LOIC was written in the C-Sharp language, or more
commonly referred to simply as C#. C# is a language written and published by
Microsoft, and is commonly available to developers. C# is an internationally known
computer language used to create custom applications for Windows-based systems,
the most popular computer operating system in the world. (Aff. 13)
On December 15, 2010, EBay turned over to the FBI a list of 1,000 IP
addresses which it contended had transmitted unwelcome communications to its
servers. (Aff 14) One IP address was ultimately linked to defendant Valenzuelas
residence (Aff 15), and the affiant, a special agent with the FBI, therefore requested
a search warrant. (Aff 25)
3 The warrant, affidavit, Attachment B to the warrant and Attachment C to the warrant areattached as exhibits to the Declaration of James McNair Thompson, filed with this motion.4 A denial of service attack involves saturating the target machine with external communicationsrequests, such that it cannot respond to legitimate traffic, or responds slowly as to be renderedeffectively unavailable. (Aff. 6) Legitimate traffic presumably includes traffic facilitatingpayments and money transfers to be made through the Internet (Aff 8), and speech protected bythe First Amendment.
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page3 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
4/15
Motion to Suppress Page 4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
A warrant authorizing the search of the defendants home was issued on
January 26, 2011. It authorized the federal authorities to search the defendants
home for certain property, namely See Attachment B & Attachment C
Attachment B told the government what it could look for when searching the
defendants home. For example, it authorized the government to look for
communications between the seized computer hard drive and other computers
involved in the denial of service attack, (Att B 5) and application, utility
programs, compilers, interpreters and other software used to facilitate direct or
indirect communication with the digital device. (Att. B 13)
Attachment B further authorized the government to look for these things in,
among other places, any digital device and/or computer. (Att B1)
However, Attachment C told the government whenit could look in a
computer for the specified materials.
In the first place, if the search could be completed at the site, then the
government was not authorized to even remove a device from the premises. (Att. C,
1)
If the government determines that a search reasonably cannotbe completed on site within a reasonable time period, the governmentmust determine whether all or part of the authorized search can becompleted by making a mirror image of, or in some other mannerduplicating, the contents of the device and then conducting the forensicreview of the mirror image or duplication off site.
(Att. C, 2; emphasis added)
Attachment C, Paragraph 6 provided
Within a reasonable period of time, but not to exceed 60 calendar daysafter completing the forensic review of the device or image, thegovernment must use reasonable efforts to return, delete, or destroy
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page4 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
5/15
Motion to Suppress Page 5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
any data outside the scope of the warrant unless the government isotherwise permitted by law to retain such data.
The search having been conducted on January 27, 2011, the government was
required to complete its forensic review not later than July 26, 2011, and to return
or destroy all data not responsive to the search warrant by a date not later than
September 24, 2011.
Defendant is informed and believes that as of July 26, 2011, and even as of
September 24, 2011, the government had not conducted a forensic review of the
defendants laptop.
The government said so at the Status Conference held on May 3, 2012.
Mr. Parrella: So, your honor, since the last time that we werehere, the government has endeavored to comply with the discoveryorder from Magistrate Grewal and we have in part complied with that.We have asked for an extension, and we're continuing to review theorder and will attempt to comply with it.
Hopefully by the middle of next week we will -- well, let me backup.
(sic)The purpose of that is to allow each defendant to review the
evidence obtained from his codefendant.We had attempted to address that issue by providing the
complete drives that were imaged from each defendant. However, thedefendants objected to that because they said that there is other
personal information on those computers that they did not wish toshare.The Court: Only the relevant information on the computer be
disclosed.Mr. Parrella: Right.
Thatwas unacceptable.
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page5 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
6/15
Motion to Suppress Page 6
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
We are in the midst right now of actually completing that andhopefully by
[]The Court: And
Mr. Parrella: .The Court: And then the rest of the personal material doesn't go
anywhere, back to the defendant or back to the --Mr. Parrella: Correct. We actually have returned many hard
drives and computers that had no evidence on them at all, but just tofollow the final step and the process you were talking about is
(sic) andhe will then have a database of all of that and they can access thatwith no interference from the government.
The Court: Okay.Mr. Parrella: Anyway, it's taking a bit of time. Mr. Chew has
spoken with many of the defense counsel here today and I think mostof them, if not all of them, have agreed that on July 19th, as apotential status date that is okay by the government.
The Court: Does that anticipate that you will complete thissegregation process?
Mr. Parrella: Yes. (See Exhibit 5 TX May 3, 2012 StatusConference 6:22 9:6; emphasis added)
The government here has openly and unequivocally admitted that it had not
searched the defendants laptop to identify relevant data, and seized that relevant
data, within the time permitted by the search warrant.
The government also said so on April 19, 2012, when it admitted
In its March 16, 2012 order, the Court stated that: In sum, . . .the government has no claim to data outside the scope of the warrant.By some other reasonable effort that minimizes the governmentsexposure to non-targeted documents, no later than 30 days from thedate of this order, the government must endeavor to give back to the
defendants data outside the scope of the warrants. The Court alsoordered the government mak[e] the targeted data available to thedefendants. However, the government needs additional time tocomply with the Courts March 16, 2012 order. (Doc 247, p.2)
On May 15, 2012, the government admitted in Doc. 265 that it had not
conducted the required forensic review at a time authorized by the warrant:
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page6 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
7/15
Motion to Suppress Page 7
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
The government has also provided a copy of all the electronicinformation of all the defendants, other than Christopher (sic) Covelli,that the government has determined falls within the scope of the
search warrants, to Mr. Aoki to be shared by defendants and defensecounsel. (p2)
That discovery was sent to Mr. Aoki on May 11, 2012, which, being more than
30 days after Magistrate Judge Grewals order, presumably means that government
had not conducted its forensic review of defendant Valenzuelas hard drive before
the 30 days expired on April 15, 2012.5
Furthermore, the government even now appears not to have completed its
forensic review, saying in Doc. 265, filed on May 15, 2012, that it has encountered
difficulty in determining what constitutes data within the scope of the warrants, for
example, dates and times associated with each file item in a file system may be used
to establish the identity of the user who was utilizing the computer when an
computer-related offense was created. (Doc 265, p3)
In other words, even as of May 15, 2012, the government has not completed
its forensic review, has not seized the relevant data, and has not thereafter deleted,
destroyed or returned all non-responsive data. It is still in the process of searching
the defendants digital devices.
5 Of course, had the government completed its search of the defendants laptop on March 17, 2012,and seized data at that time, the search and the seizure would have been untimely, andunauthorized by the warrant.
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page7 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
8/15
Motion to Suppress Page 8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
On February 4, 2012, defendant Valenzuela moved for an order to compel
the government to identify information responsive to the warrants upon which the
government relied in seizing any digital device or medium, to distribute that
information to all defendants in accord with the current protocol, and to return all
such devices and media to the defendant from whom it was seized forthwith. (Doc.
192, p2) Footnote 1 of that motion said, This is not a motion to suppress the fruits
of a defective warrant or warrant defectively executed; defendant Valenzuela
reserves her right to bring any such motions. (p 2)
In that motion, defendant Valenzuela said
The most probable other reason is that the government does notwant to go to the bother and expense of returning the devices, anddeleting and destroying all data outside the scope of the warrant onits mirror images.
If the government admitted this, it would be admitting that itflagrantly and unlawfully violated the terms of the search warrant, assurely as if it searched a different residence.
Since the government has not admitted this, defendantValenzuela will presume that they have complied with therequirement that the government has deleted from all mirrors andcopies of devices seized from defendant Valenzuela and hercodefendants data outside the scope of the warrant, and therefore canproduce the data described in the search warrant to the defendantswithin 10 days, without disclosing or producing non-pertinent and, inmany cases. personal and confidential data (which it presumably no
longer has.) (Doc. 192 pp 10 11)
In short, Magistrate Judge Grewals March 16, 2012 order was not an order
authorizing a search of the defendants lap top, but an order requiring the
government to disclose the fruits of a search it had presumably conducted almost
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page8 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
9/15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
10/15
Motion to Suppress Page 10
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
A warrant which did not specify the items to be seized with particularity is
invalid as a general warrant. As the Court said in United States v. Kow, 58 F.3d
423, 427 (9th Cir. 1995)
The warrant authorized the seizure of virtually every documentand computer file at HK Video. To the extent that it provided anyguidance to the officers executing the warrant, the warrant apparentlysought to describe every document on the premises and direct that
everything be seized. The government emphasizes that the warrantoutlined fourteen separate categories of business records. However, thewarrant contained no limitations on which documents within eachcategory could be seized or suggested how they related to specificcriminal activity. By failing to describe with any particularity theitems to be seized, the warrant is indistinguishable from the generalwarrants repeatedly held by this court to be unconstitutional. E.g.,Center Art Galleries-Hawaii, Inc. v. United States, 875 F.2d 747, 750(9th Cir.1989); United States v. Stubbs, 873 F.2d 210, 211 (9thCir.1989) (warrant invalid "because of the complete lack of anystandard by which an executing officer could determine what to seize").
Only the specification set forth in paragraphs 4 15 of Attachment B saves
the warrant from being overbroad. These paragraphs clarify that what the federal
authorities are authorized to look for in any digital device and/or computer capable
of being used to commit, further commit or store evidence of a violation of 18
U.S.C. 1030 (Attachment B, 1) was specific evidence related to the alleged
violation of that particular statute.
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page10 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
11/15
Motion to Suppress Page 11
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
If the government was authorized to simply seize all digital devices, including
all computers, and keep all files and data on those devices, then the limitation of
paragraphs 4 through 15 of Attachment B would have been transformed into
meaningless surplusage.
Central to the validity of the warrant was the requirement in Paragraph 2 of
Attachment C that the government complete a forensic review of the defendants
laptop within 120 days of the seizure, and [w]ithin a reasonable period of time, but
not to exceed 60 calendar days after completing the forensic review of the device or
image, the government must use reasonable efforts to return, delete, or destroy any
data outside the scope of the warrant unless the government is otherwise permitted
by law to retain such data. (Attachment C, 6)
Only through the imposition of these time limits did the warrant authorize a
search for specific evidence such as data gathered or collected by means of the
operation of the denial of service attack and/or botnet (Attachment B, 9) or
records, documents, and materials that relate to malicious software, code, or other
programs associated with Trojans, botnets, denial of service attacks, to include but
not limited to LOIC and/or HOIC. (Attachment B, 4)
Without the imposition of these time limits, the warrant simply becomes a
general warrant such as the one condemned in Koh, supra.
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page11 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
12/15
Motion to Suppress Page 12
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
As a general rule, a warrant authorizing the seizure of property must be
executed within 14 days. FRCP 41(e)(2)(A)(i)
However, searching a computer in order to seize data or files described in a
warrant can be complicated business. Searching computer systems for the
evidence described in Attachment B may require a range of data analysis
techniques. (Aff. p.20)
For this reason, FRCP 41(e)(2)(B) exempts seizure of electronically stored
information from the 14 day rule.
However, the affiant, in securing the warrant at issue here, declared that
government will complete a forensic review of that mirror image within 120 days of
the execution of the search warrant. (Aff. p.23)
The government further asserted in the affidavit, Within a reasonable period
of time, but not to exceed 60 calendar days after completing the forensic review of
the device or image, the government must use reasonable efforts to return, delete,
or destroy any data outside the scope of the warrant unless the government is
otherwise permitted by law to retain such data. (Aff, p.24)
The magistrate imposed those time limits as a condition of the warrant, and
thereby limited the warrant to a warrant to seize particularized files and data,
rather than an invalid general warrant.
The distinction between the device in this case the laptop computer and
the data stored on the device was carefully set forth in the warrant and must be
borne in mind.
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page12 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
13/15
Motion to Suppress Page 13
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Assuming for the sake of argument that the government had the right to
retain the laptop as a forfeitable instrumentality of the alleged crime,6 it clearly did
not have the right to retain any data on the laptop.
Nothing about the governments obligation to return, delete, or destroy any
data outside the scope of the warrant interfered with any right it may assert to
retain the device.
This should be a self evident proposition. As was made clear in United
States v. Shetler, 665 F.3d 1150, 1156 1157 (9th Cir. 2011)
The exclusionary rule bars the prosecution from using at trialevidence that has been obtained through a violation of the Fourth
Amendment. Wong Sun v. United States, 371 U.S. 471, 484-85, 83S.Ct. 407, 9 L.Ed.2d 441 (1963). Although exclusion is not itself apersonal constitutional right, it serves to enforce the underlyingpersonal right to be free from unreasonable searches and seizures bydeterring violations of the Fourth Amendment. See Davis v. United
States, __ U.S. __, 131 S.Ct. 2419, 2426, 180 L.Ed.2d 285 (2011). Theexclusionary rule applies both to direct products of an illegal searchi.e., the physical evidence found during the search itself and toindirect products of the illegal search i.e., statements or physicalevidence subsequently obtained in part as a result of the search ifthey " bear a sufficiently close relationship to the underlyingillegality." United States v. Ladum, 141 F.3d 1328, 1336-37 (9thCir.1998); see also Wong Sun, 371 U.S. at 485, 83 S.Ct. 407; UnitedStates v. Rodgers, 656 F.3d 1023, 1031 (9th Cir.2011); United States v.Crawford, 372 F.3d 1048, 1054 (9th Cir.2004) (en banc) (" It is wellestablished that the Fourth Amendment's exclusionary rule applies to
statements and evidence obtained as a product of illegal searches andseizures." ).
6 This assumption is not one which the defendant would concede, however. In the first place, noforfeiture allegations appear in the Indictment. More importantly, defendant Valenzuela assertsthat she committed no crime.
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page13 of 15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
14/15
-
7/31/2019 Https Ecf.cand.Uscourts.gov Cgi-bin Show Temp.pl File=8665248-0--15132
15/15
Motion to Suppress Page 15
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
seizure of such data and files was warrantless, unreasonable and in derogation of
her rights under the Fourth Amendment of the United States Constitution.
As such, the data, files and any fruits thereof must be suppressed.
Dated: June 10, 2012
Respectfully submitted,
James McNair Thompson
Attorney for Tracy Valenzuela
Case5:11-cr-00471-DLJ Document280 Filed06/10/12 Page15 of 15