Letter to US Department of Justice About Child Protection System Software
Read full article here
On February 1, 2019, Human Rights Watch sent a letter to the US Department of Justice raising concerns about the use of software owned by a private non-profit company, Child Rescue Coalition (CRC), to investigate suspected crimes related to the sharing of child sexual exploitation images. Human Rights Watch strongly opposes sexual exploitation and abuse of children, and supports efforts to eradicate these practices. However, the use of surveillance software to scan networks without warrants for violators raised concerns over whether this technology was sufficiently controlled and tested to protect rights.
On April 3, 2019, ProPublica published, "Prosecutors Dropping Child Porn Charges After Software Tools Are Questioned," about this software and linked to our letter. Human Rights Watch is now publishing our letter to the Department of Justice (see below) to which we did not receive a response. We also wrote a letter to CRC and TransUnion, a private databroker, raising similar concerns. We received a response from CRC but not from TransUnion.
Human Rights Watch is also publishing an excerpt from a users manual for the software, copyrighted in 2010, that discusses law enforcement access to personal data about internet users. The material, which we found as a document filed in relation to a court case, formed the basis of our concerns regarding potential law enforcement access to personal information when using the software. The document had overlays on some parts through which we could nonetheless read material. We have reproduced it here without the overlays.
 The Child Protection System (2010), filed as docs. 25-4 and 25-5 in United States v. Dunning, no. 7:15-cr-00004 (E.D. Ky.), August 26, 2015.
Letter to US Department of Justice About Child Protection System Software
Matt Dummermuth Principal Deputy Assistant Attorney General US Department of Justice 810 Seventh St. NW Washington, DC 20531
Cc: Caren Harp Administrator, Office of Juvenile Justice and Delinquency Prevention US Department of Justice
Michael Horowitz Inspector General US Department of Justice
Peter Winn Acting Chief Privacy and Civil Liberties Officer US Department of Justice
Re: Child Protection System software suite
February 1, 2019
Dear Mr. Dummermuth:
We write to ask questions and express concerns about Child Protection System (CPS), a software suite that federal and state law enforcement—including members of the Internet Crimes Against Children Task Force Program established by the Justice Department—use to investigate crimes related to the sharing of child sexual exploitation images.
Human Rights Watch has long promoted accountability for sexual abuse of children around the world, and recognizes that lawful and rights-protecting efforts to prosecute and punish those who commit such crimes are of utmost importance. Our examination of CPS, however, raises several concerns that tie into broader problems in the US criminal justice system.
Specifically, we are concerned that:
As has proven to be the case regarding other technical investigative methods US authorities have previously employed, the CPS software may not have been subject to thorough independent testing of its accuracy and functioning. Since the system is designed to flag people as suspected of having committed crimes, both its error rates and its potential to exceed constitutional bounds have implications for rights. It is unclear what information the Justice Department has about CPS’ potential for error (and on what basis), although prosecutors stated in one court filing that CPS mistakes are “practically nonexistent.”
CPS is provided by a non-profit organization that has repeatedly stated it offers the system exclusively to law enforcement, while prosecutors have argued that they cannot provide the software to criminal defense experts for testing because it is proprietary and not in the government’s possession. We fear that the government may be shielding its methods from scrutiny by relying on its arrangements with the non-profit—one whose close relationship with police may, in fact, make it a government agent.
The CPS software may be facilitating undisclosed police access, without legal process, to personal data about internet subscribers held by a datamining program that private credit reporting agency TransUnion owns. There appears to be a close relationship between the non-profit organization that offers CPS and this private credit reporting agency. If this is indeed occurring, such a practice would give rise to constitutional, federal, and human rights law and policy concerns.
Among the potential issues arising from any such secret law enforcement access to personal data is that defendants and trial courts may not learn about, or be able to challenge, the breadth of information police obtain—and the potential for that information to facilitate decision-making based on implicit bias or other improper factors.
Law enforcement may be concealing any such secret use of personal data by deliberately creating a new and different paper trail—a practice known as “parallel construction,” which our prior reporting suggests is a common and rights-harming problem in US prosecutions.
Potential errors by officers in identifying files as illicit—and registering them as such in a shared database—may harm legitimate free expression in a lasting manner. It is unclear whether any systematic review occurs to prevent this from happening.
The available sources do not indicate what efforts the Justice Department or other law enforcement agencies make to ensure that any data incorrectly linking innocent people to the highly stigmatized offense of possessing child sexual abuse images is corrected or deleted.
This letter provides background and details regarding these concerns and seeks information from the Justice Department on or before February 18, 2019 about current policies and practices related to law enforcement uses of CPS.
The discussion below is based on research we conducted between May 2016 and October 2018, including an examination of records from 20 federal prosecutions in which the government explicitly disclosed the use of CPS, as well as information appearing in a set of federal civil-rights lawsuits brought against local authorities in Mississippi in 2011 following the use of CPS there. (See Appendix for a list of these cases.) Although we do not address state cases here, media coverage and other sources suggest that prosecutions in state courts involving CPS use may be common.
The CPS Software Suite
CPS is a set of software tools and databases designed to help law enforcement identify individuals who allegedly share child exploitation images on peer-to-peer networks, which enable internet users to connect to one another and trade files such as pictures, music, and videos. A US-based non-profit organization, Child Rescue Coalition (CRC), reports that it provides the software suite to law enforcement—including the Internet Crimes Against Children Task Force run by the Justice Department.
It is our understanding that a CPS component called Peer Spectre monitors file-sharing traffic on peer-to-peer networks. Anyone on a peer-to-peer network can search for files by keyword, and we understand that Peer Spectre carries out continuous, automated keyword searching for suspicious file titles and identifies Internet Protocol (IP) addresses that are allegedly sharing those files. The results of these searches are logged in servers law enforcement can access.
We understand that a second component of CPS, Shareaza LE, then enables law enforcement to single out a particular IP address and attempts to download all the files it is sharing, a technique known as a “sole source download.” This gives police a means of investigating the tips CPS generates when it monitors the peer-to-peer network. Our information suggests that without Shareaza LE (which is not available to the public), peer-to-peer network users typically cannot carry out sole source downloads.
We understand that at these initial stages, suspected child exploitation images are identified using “hash values,” or unique digital identifiers roughly analogous to fingerprints, that can be calculated for many files using certain algorithms.
What is now CPS was apparently developed as part of a collaborative effort by law enforcement authorities and then was acquired by a data broker known as TLO, LLC, in 2009. TLO was purchased by credit reporting agency TransUnion in 2013 after filing for bankruptcy and is now known as TLOxp. CRC, the non-profit organization that now offers CPS, was established in the wake of TLO’s bankruptcy and continues to share a physical address with TLOxp.
Reliability Testing Concerns: Accuracy and Reach
Concern has grown in recent years about how US courts regard technical investigative methods and whether those methods have been adequately tested to ensure their accuracy and consistency. Without rigorous testing, it is impossible to know objectively how often an investigative method produces false positives or false negatives, and what factors may affect those rates.
However, to date we have not found any public information on CPS having been tested by qualified independent experts or results of such testing.
Knowing the accuracy of investigative methods is important for human rights and constitutional reasons. Except in an emergency or other exceptional circumstance, US police may force people to submit to intrusive searches of their homes or electronic devices only if the authorities first obtain a warrant from a court based on a demonstration that they have probable cause to believe they will find evidence of a crime. To show that such probable cause exists, they may rely wholly or partly on results from an investigative tool such as CPS. If the tool has accuracy problems, its results may not provide a sufficiently sound basis for a court to include in the justification for issuing a warrant—and a warrant issued without probable cause is unconstitutional under the Fourth Amendment. In turn, under the “fruit of the poisonous tree” rule, trial courts will normally prohibit prosecutors from introducing any evidence that derives from an initial illegal search, such as one based on a warrant that lacked probable cause.
This means establishing a technique’s error rates is critical both to protecting people from unconstitutional searches and to ensuring that in a criminal trial, the prosecution cannot unfairly benefit from illegal police activities.
Where software is concerned, the Justice Department’s policy guidance states that such tools “used to support evidence discovery, extraction and examination, case examination and evaluation and method development shall be technically reviewed by qualified experts and validated prior to use.” Materials the US Commerce Department’s National Institute of Standards and Technology (NIST) has published help demonstrate that it is possible to develop a methodology for objectively testing how, and how reliably, software operates. For example, as part of a project concerning computer forensic tools, NIST has set out a testing process that includes, inter alia:
The development of test cases, which are then posted online, along with other information, for “peer review by members of the computer forensics community and for public comment by other interested parties”;
The incorporation of feedback from the peer-review and public-comment processes;
NIST’s acquisition of the tool for testing;
An examination of the available documentation;
The selection of appropriate test cases;
The development of a test strategy;
The execution of the test; and
The production and online posting of a test report.
As noted above, despite the existence of such scientific methodologies and the Justice Department’s policy, we have been unable to locate any evidence that CPS has been subjected to complete, independent, peer-reviewed testing. If such tests have been carried out, we request that you make the studies publicly available.
When defendants have made motions seeking to arrange for expert testing of the software, federal prosecutors have sometimes sought to avoid producing CPS’ source code for testing on the grounds that it is protected from disclosure by law enforcement privilege, that the code is proprietary and not in the government’s possession—or both. We have identified only one case—United States v. Ocasio—in which prosecutors ultimately produced the CPS source code to a defendant, and a statement submitted in a later case suggests that Ocasio was resolved through a plea agreement before any expert testing took place.
By contrast, in a 2015 decision in United States v. Naylor, a West Virginia federal court simply accepted an officer’s assertion that in his personal experience, the tool had never erred and was (in the court’s words) “100% reliable.” The court therefore concluded that “[t]he CPS software appears to be a reliable investigative tool for law enforcement in these types of cases” and rejected the defendant’s motion to suppress evidence found through the software. In at least one case, the government itself has asserted in a motion that “[e]rror is practically nonexistent in the Shareaza LE and CPS systems” without citing any sources for this claim.
We fear this situation—in which prosecutors resist defense testing of CPS but are willing to make, or apparently allow witnesses to make, assertions about the software’s accuracy—may interfere with the judiciary’s ability to assess the tool’s potential for malfunction, and thus jeopardize fair-trial rights.
Regarding assertions that CPS’ source code is proprietary or otherwise not in the government’s possession, we note that CRC has consistently described itself as heavily enmeshed with and dedicated to furthering the operations of law enforcement. In its tax filings, the organization has stated that it “offers space at its operational location to law enforcement agencies in order to easily access the tracking system.” Affidavits by the group’s president, William Wiltse, have described access to CPS as “made available to specifically trained and licensed law enforcement officers and … restricted to only those law enforcement officers in the performance of law enforcement activity” (emphasis added).
Testimony by Wiltse in 2013 concerning CPS-enabled investigations (prior to the establishment of CRC) described a “restricted area” on TLO’s property: “The only people allowed into this area are sworn law enforcement officers. Even our boss, our CEO, cannot get into this area without being escorted,” Wiltse told the court. Wiltse himself is a reserve deputy sheriff for Florida’s Palm Beach County, according to his affidavits and CRC’s website.
We therefore regard government arguments that prosecutors cannot produce the CPS source code for testing as both inappropriate and jeopardizing fair-trial rights, insofar as access to the source code is necessary for scientifically sound testing.
Accuracy is not the only aspect of CPS that is susceptible to testing and should be subject to scientifically sound validation prior to law enforcement use. The software suite’s reach also has potential constitutional consequences.