On February 1, 2019, Human Rights Watch sent a letter to the US Department of Justice raising concerns about the use of software owned by a private non-profit company, Child Rescue Coalition (CRC), to investigate suspected crimes related to the sharing of child sexual exploitation images. Human Rights Watch strongly opposes sexual exploitation and abuse of children, and supports efforts to eradicate these practices. However, the use of surveillance software to scan networks without warrants for violators raised concerns over whether this technology was sufficiently controlled and tested to protect rights.
On April 3, 2019, ProPublica published "Prosecutors Dropping Child Porn Charges After Software Tools Are Questioned," about this software, and linked to our letter. Human Rights Watch is now publishing our letter to the Department of Justice (see below), to which we did not receive a response. We also wrote a letter to CRC and TransUnion, a private data broker, raising similar concerns. We received a response from CRC but not from TransUnion.
Human Rights Watch is also publishing an excerpt from a user's manual for the software, copyrighted in 2010, that discusses law enforcement access to personal data about internet users. The material, which we found as a document filed in relation to a court case, formed the basis of our concerns regarding potential law enforcement access to personal information when using the software. The document had overlays on some parts through which we could nonetheless read material. We have reproduced it here without the overlays.
The Child Protection System (2010), filed as docs. 25-4 and 25-5 in United States v. Dunning, no. 7:15-cr-00004 (E.D. Ky.), August 26, 2015.
Letter to US Department of Justice About Child Protection System Software
Matt Dummermuth
Principal Deputy Assistant Attorney General
US Department of Justice
810 Seventh St. NW
Washington, DC 20531

Cc:
Caren Harp
Administrator, Office of Juvenile Justice and Delinquency Prevention
US Department of Justice

Michael Horowitz
Inspector General
US Department of Justice

Peter Winn
Acting Chief Privacy and Civil Liberties Officer
US Department of Justice
Re: Child Protection System software suite
February 1, 2019
Dear Mr. Dummermuth:
We write to ask questions and express concerns about Child Protection System (CPS), a software suite that federal and state law enforcement—including members of the Internet Crimes Against Children Task Force Program established by the Justice Department—use to investigate crimes related to the sharing of child sexual exploitation images.
Human Rights Watch has long promoted accountability for sexual abuse of children around the world, and recognizes that lawful and rights-protecting efforts to prosecute and punish those who commit such crimes are of utmost importance. Our examination of CPS, however, raises several concerns that tie into broader problems in the US criminal justice system.
Specifically, we are concerned that:
As has proven to be the case regarding other technical investigative methods US authorities have previously employed, the CPS software may not have been subject to thorough independent testing of its accuracy and functioning. Since the system is designed to flag people as suspected of having committed crimes, both its error rates and its potential to exceed constitutional bounds have implications for rights. It is unclear what information the Justice Department has about CPS’ potential for error (and on what basis), although prosecutors stated in one court filing that CPS mistakes are “practically nonexistent.”
CPS is provided by a non-profit organization that has repeatedly stated it offers the system exclusively to law enforcement, while prosecutors have argued that they cannot provide the software to criminal defense experts for testing because it is proprietary and not in the government’s possession. We fear that the government may be shielding its methods from scrutiny by relying on its arrangements with the non-profit—one whose close relationship with police may, in fact, make it a government agent.
The CPS software may be facilitating undisclosed police access, without legal process, to personal data about internet subscribers held by a datamining program that private credit reporting agency TransUnion owns. There appears to be a close relationship between the non-profit organization that offers CPS and this private credit reporting agency. If this is indeed occurring, such a practice would give rise to constitutional, federal, and human rights law and policy concerns.
Among the potential issues arising from any such secret law enforcement access to personal data is that defendants and trial courts may not learn about, or be able to challenge, the breadth of information police obtain—and the potential for that information to facilitate decision-making based on implicit bias or other improper factors.
Law enforcement may be concealing any such secret use of personal data by deliberately creating a new and different paper trail—a practice known as “parallel construction,” which our prior reporting suggests is a common and rights-harming problem in US prosecutions.
Potential errors by officers in identifying files as illicit—and registering them as such in a shared database—may harm legitimate free expression in a lasting manner. It is unclear whether any systematic review occurs to prevent this from happening.
The available sources do not indicate what efforts the Justice Department or other law enforcement agencies make to ensure that any data incorrectly linking innocent people to the highly stigmatized offense of possessing child sexual abuse images is corrected or deleted.
This letter provides background and details regarding these concerns and seeks information from the Justice Department on or before February 18, 2019 about current policies and practices related to law enforcement uses of CPS.
The discussion below is based on research we conducted between May 2016 and October 2018, including an examination of records from 20 federal prosecutions in which the government explicitly disclosed the use of CPS, as well as information appearing in a set of federal civil-rights lawsuits brought against local authorities in Mississippi in 2011 following the use of CPS there. (See Appendix for a list of these cases.) Although we do not address state cases here, media coverage and other sources suggest that prosecutions in state courts involving CPS use may be common.
The CPS Software Suite
CPS is a set of software tools and databases designed to help law enforcement identify individuals who allegedly share child exploitation images on peer-to-peer networks, which enable internet users to connect to one another and trade files such as pictures, music, and videos. A US-based non-profit organization, Child Rescue Coalition (CRC), reports that it provides the software suite to law enforcement—including the Internet Crimes Against Children Task Force run by the Justice Department.
It is our understanding that a CPS component called Peer Spectre monitors file-sharing traffic on peer-to-peer networks. Anyone on a peer-to-peer network can search for files by keyword, and we understand that Peer Spectre carries out continuous, automated keyword searching for suspicious file titles and identifies Internet Protocol (IP) addresses that are allegedly sharing those files. The results of these searches are logged in servers law enforcement can access.
We understand that a second component of CPS, Shareaza LE, then enables law enforcement to single out a particular IP address and attempts to download all the files it is sharing, a technique known as a “sole source download.” This gives police a means of investigating the tips CPS generates when it monitors the peer-to-peer network. Our information suggests that without Shareaza LE (which is not available to the public), peer-to-peer network users typically cannot carry out sole source downloads.
We understand that at these initial stages, suspected child exploitation images are identified using “hash values,” or unique digital identifiers roughly analogous to fingerprints, that can be calculated for many files using certain algorithms.
What is now CPS was apparently developed as part of a collaborative effort by law enforcement authorities and then was acquired by a data broker known as TLO, LLC, in 2009. TLO was purchased by credit reporting agency TransUnion in 2013 after filing for bankruptcy and is now known as TLOxp. CRC, the non-profit organization that now offers CPS, was established in the wake of TLO’s bankruptcy and continues to share a physical address with TLOxp.
Reliability Testing Concerns: Accuracy and Reach
Concern has grown in recent years about how US courts regard technical investigative methods and whether those methods have been adequately tested to ensure their accuracy and consistency. Without rigorous testing, it is impossible to know objectively how often an investigative method produces false positives or false negatives, and what factors may affect those rates.
However, to date we have not found any public information on CPS having been tested by qualified independent experts or results of such testing.
Knowing the accuracy of investigative methods is important for human rights and constitutional reasons. Except in an emergency or other exceptional circumstance, US police may force people to submit to intrusive searches of their homes or electronic devices only if the authorities first obtain a warrant from a court based on a demonstration that they have probable cause to believe they will find evidence of a crime. To show that such probable cause exists, they may rely wholly or partly on results from an investigative tool such as CPS. If the tool has accuracy problems, its results may not provide a sufficiently sound basis for a court to include in the justification for issuing a warrant—and a warrant issued without probable cause is unconstitutional under the Fourth Amendment. In turn, under the “fruit of the poisonous tree” rule, trial courts will normally prohibit prosecutors from introducing any evidence that derives from an initial illegal search, such as one based on a warrant that lacked probable cause.
This means establishing a technique’s error rates is critical both to protecting people from unconstitutional searches and to ensuring that in a criminal trial, the prosecution cannot unfairly benefit from illegal police activities.
Where software is concerned, the Justice Department’s policy guidance states that such tools “used to support evidence discovery, extraction and examination, case examination and evaluation and method development shall be technically reviewed by qualified experts and validated prior to use.” Materials the US Commerce Department’s National Institute of Standards and Technology (NIST) has published help demonstrate that it is possible to develop a methodology for objectively testing how, and how reliably, software operates. For example, as part of a project concerning computer forensic tools, NIST has set out a testing process that includes, inter alia:
The development of test cases, which are then posted online, along with other information, for “peer review by members of the computer forensics community and for public comment by other interested parties”;
The incorporation of feedback from the peer-review and public-comment processes;
NIST’s acquisition of the tool for testing;
An examination of the available documentation;
The selection of appropriate test cases;
The development of a test strategy;
The execution of the test; and
The production and online posting of a test report.
As noted above, despite the existence of such scientific methodologies and the Justice Department’s policy, we have been unable to locate any evidence that CPS has been subjected to complete, independent, peer-reviewed testing. If such tests have been carried out, we request that you make the studies publicly available.
When defendants have made motions seeking to arrange for expert testing of the software, federal prosecutors have sometimes sought to avoid producing CPS’ source code for testing on the grounds that it is protected from disclosure by law enforcement privilege, that the code is proprietary and not in the government’s possession—or both. We have identified only one case—United States v. Ocasio—in which prosecutors ultimately produced the CPS source code to a defendant, and a statement submitted in a later case suggests that Ocasio was resolved through a plea agreement before any expert testing took place.
By contrast, in a 2015 decision in United States v. Naylor, a West Virginia federal court simply accepted an officer’s assertion that in his personal experience, the tool had never erred and was (in the court’s words) “100% reliable.” The court therefore concluded that “[t]he CPS software appears to be a reliable investigative tool for law enforcement in these types of cases” and rejected the defendant’s motion to suppress evidence found through the software. In at least one case, the government itself has asserted in a motion that “[e]rror is practically nonexistent in the Shareaza LE and CPS systems” without citing any sources for this claim.
We fear this situation—in which prosecutors resist defense testing of CPS but are willing to make, or apparently allow witnesses to make, assertions about the software’s accuracy—may interfere with the judiciary’s ability to assess the tool’s potential for malfunction, and thus jeopardize fair-trial rights.
Regarding assertions that CPS’ source code is proprietary or otherwise not in the government’s possession, we note that CRC has consistently described itself as heavily enmeshed with and dedicated to furthering the operations of law enforcement. In its tax filings, the organization has stated that it “offers space at its operational location to law enforcement agencies in order to easily access the tracking system.” Affidavits by the group’s president, William Wiltse, have described access to CPS as “made available to specifically trained and licensed law enforcement officers and … restricted to only those law enforcement officers in the performance of law enforcement activity” (emphasis added).
Testimony by Wiltse in 2013 concerning CPS-enabled investigations (prior to the establishment of CRC) described a “restricted area” on TLO’s property: “The only people allowed into this area are sworn law enforcement officers. Even our boss, our CEO, cannot get into this area without being escorted,” Wiltse told the court. Wiltse himself is a reserve deputy sheriff for Florida’s Palm Beach County, according to his affidavits and CRC’s website.
We therefore regard government arguments that prosecutors cannot produce the CPS source code for testing as both inappropriate and jeopardizing fair-trial rights, insofar as access to the source code is necessary for scientifically sound testing.
Accuracy is not the only aspect of CPS that is susceptible to testing and should be subject to scientifically sound validation prior to law enforcement use. The software suite’s reach also has potential constitutional consequences.
Federal courts have found that police do not need a search warrant to monitor peer-to-peer network activities that take place in public, and CRC’s president has maintained that the CPS software only locates information that peer-to-peer network users have publicly shared. If this description of CPS is correct, then under current US constitutional law, police may use or rely on the software without obtaining a warrant first.
However, defendants in several federal cases have offered evidence that files (or traces of files) officers have identified using CPS may have been stored in areas of their devices that were not publicly shared, raising Fourth Amendment concerns. We acknowledge that the strength of this evidence is open to debate and that federal prosecutors have challenged the credibility of the forensic expert who produced the relevant reports. However, nowhere in the records we reviewed does the government actually set out evidence refuting the claims that CPS can reach beyond publicly shared folders, let alone persuasively show that the software cannot do so or is not being so used.
This, too, is a matter that rigorous independent testing can and should resolve.
Free Speech and Related Concerns
To function accurately, CPS depends not only on the correct identification of IP addresses and the hash values of shared files, but on police officers correctly designating files as containing illegal child exploitation images. The potential for mistakes in this respect prompts concerns about the resulting impact on legitimate free expression, particularly if the Justice Department does not ensure that these designations are regularly reviewed.
An affidavit by Wiltse in an Ohio federal prosecution, United States v. Clements, and his 2013 testimony in Thomas indicate that officers using CPS may designate newly discovered files as “Child Notable” based on their own opinions and proceed to register hash values for those files in one or more of the system’s networked databases. Wiltse’s testimony in Thomas further indicates that CPS’ reliance on these officer-made designations is extensive. However, the records we have examined do not disclose any systematic safeguards for ensuring that these designations are accurate. This raises concerns that people’s right to access and receive information—part of the right to free expression—could be at risk if officers mischaracterize files, or generate records when someone possesses lawful files (such as legal adult pornography).
Additionally, we understand that the element of the software suite called Shareaza LE gives officers the technical ability to view the hash values of, and download, any file an IP address is sharing on a peer-to-peer network—regardless of whether those files are believed to be illicit. The Justice Department should explain whether it takes steps to ensure officers are not monitoring legitimate free expression in a manner that would be inconsistent with rights laws or policies.
Personal Data and Discrimination Concerns
Through our research, we have become aware of potential law enforcement access to personal information when using CPS. This potential for access could undermine privacy and consumer protections found in federal law, reduce defendants’ ability to learn about and challenge any abusive practices, and facilitate improper decision-making.
An undated user agreement for the CPS software submitted as evidence in a 2015 California criminal prosecution, United States v. Hartman, suggests that CPS users have—or have had—free access to “Unconfirmed Subscriber Data provided by TLO.” “Subscriber” is apparently a reference to people who subscribe to internet services and therefore are associated with an IP address, while “TLO” is a reference to the datamining operation now known as TLOxp.
This “Unconfirmed Subscriber Data” might include marketing data about individuals—such as names, telephone numbers, addresses, and dates of birth—that corporate sources have linked to their IP addresses and email accounts. It is our understanding that officers using CPS have been told that no logs will be kept of any search they may perform of this corporate data.
Can you confirm what “Unconfirmed Subscriber Data” includes, from whence it is derived, and the means by which TLOxp could identify IP addresses with specific individuals? We would also like to understand why no records would be kept of law enforcement queries of this data, and whether that is, in fact, the practice.
TLOxp’s website indicates that the information the datamining system possesses about an individual may include addresses and phone numbers; records from automated license plate readers, which can reveal where a car has traveled; information from drivers’ licenses; Social Security numbers; employment records; social media profiles, including photographs; criminal records; and connections to other people. Please provide your understanding of what types of data CPS users, via TLOxp, may be able to view.
Under the Electronic Communications Privacy Act (ECPA), electronic communications service providers normally may only disclose information identifying the subscriber linked to an IP address in response to a subpoena or other legal process—thus leaving a paper trail defendants can obtain and scrutinize. ECPA also limits the types of subscriber information the provider is obligated to disclose when responding to such a subpoena: primarily name, address, dates and durations of online sessions, and payment information. While ECPA is outdated in many respects and subpoena powers are themselves susceptible to misuse, these provisions nevertheless impose a significant privacy protection and create transparency about both the law enforcement demand and the data disclosed in response to it.
Our understanding is that TLOxp and CRC are not communications service providers and that ECPA therefore does not technically apply to their disclosure of data concerning people linked to IP addresses. However, we are concerned that the use of data from a data broker to identify subscribers without a subpoena or other legal process would subvert the protections Congress intended to establish in the law. Can you provide the details of what types of personal data law enforcement may be able to obtain when using CPS—and whether that data may go beyond what a communications service provider would normally disclose under ECPA?
As noted above, TLOxp’s technical means of linking individuals to IP addresses also remain unclear. These methods could raise further constitutional or other legal questions when the data is used by law enforcement, rendering the disclosure of information about them desirable to ensure respect for rights. We would appreciate any information you may have as to these technical means, and whether and to what sort of technical or legal review they may have been subjected.
Our understanding of the typical progression of a CPS-enabled investigation is that the software’s broad monitoring of peer-to-peer networks results in a database of IP addresses that are suspected of offering illicit files, and that officers can then use a different component of CPS in an attempt to create a complete log of all the files a specific IP address is sharing. At this stage, under ECPA, officers would have the power to issue a subpoena directly to the internet service provider and thereby obtain the name and address of the relevant internet subscriber. Our review of relevant cases suggests that such subpoenas are typically disclosed to defendants, who are then able to review these records. Can you explain why officers may choose to not use the ECPA, which provides a record to courts and defendants, to obtain a defendant’s name and address, opting instead to use TLOxp for this purpose?