Filing # 118708256 E-Filed 12/23/2020 04:54:33 PM

IN THE CIRCUIT COURT OF THE SECOND JUDICIAL CIRCUIT,

IN AND FOR LEON COUNTY, FLORIDA

REBEKAH JONES,

Plaintiff,

v. Case No.: 2020 CA 002349

RICK SWEARINGEN, individually, and in

his official capacity as Commissioner of
The FLORIDA DEPARTMENT OF
LAW ENFORCEMENT; NOEL PRATTS,
individually; and FDLE AGENT JOHN DOE,
individually.

Defendants.

________________________________________/

MOTION TO COMPEL RETURN OF PROPERTY

Plaintiff Rebekah Jones, pursuant to, § 933.14, Florida Statutes, respectfully

moves for an Order compelling Defendant Rick Swearingen, in his official capacity,

to return all property seized by his agents pursuant to a search warrant on December

7, 2020 and to erase or otherwise destroy any copies already made. The specific

items at issue are those listed in the inventory attached to the search warrant. In the

event this case is removed to federal court, this motion is brought pursuant to

Fed.R.Crim.P. 41(g).

As more thoroughly detailed in the Verified Complaint filed in this case on

December 20, 2020, FDLE agents raided Plaintiff’s home pursuant to a search
warrant, on the strength of a claim that she had sent an anonymous message to a

Department of Health (DOH) message board to which she was not allowed access.

FDLE alleged this to be an unlawful intrusion into the DOH computer system

pursuant to § 815.06(2)(a), Florida Statutes. Plaintiff is not the one who wrote or

sent the message. She never saw it until FDLE came banging on her door. But that

is not the basis for this motion. The basis for this motion is twofold: first, the act

alleged against Plaintiff is not even theoretically a crime and thus could not support

a search warrant against anybody; and second, no probable cause was shown

sufficient to link Plaintiff to the alleged message transmission.

MEMORANDUM OF LAW

The appropriate vehicle for seeking return of property wrongfully taken in

connection with a search warrant is § 933.14, Florida Statutes, which provides, in

pertinent part, “If it appears to the judge before whom the warrant is returned that

the property or papers taken are not the same as that described in the warrant, or

that there is no probable cause for believing the existence of the grounds upon

which the warrant was issued, or if it appears to the judge before whom any

property is returned that the property was secured by an ‘unreasonable’ search, the

judge may order a return of the property taken . . .[excepting certain articles of

contraband not relevant here].” Emphasis added. The instant warrant lacks both the

2
commission of a crime and any cognizable link between Plaintiff and the subject

transmission.

The property at issue is Plaintiff’s personal property, including audio-visual

media protected by the First Amendment and Plaintiff’s attorney/client privileged

communications. The property is not the fruit of any possible criminal activity. It is

not being held as evidence of any crime. Bolden v. State, 875 So.2d 780, 783 (Fla.

2d DCA 2004). This is so because the crime alleged is not a crime at all and there

is no probable cause linking Plaintiff to the alleged activity. Where the State is

“unable to connect the items to specific criminal activity, and no one else can be

identified who can demonstrate a superior possessory interest in the property, it

should be returned.” Id., quoting, Stone v. State, 630 So.2d 660, 661 (Fla. 2d DCA

1994).

I. NO PROBABLE CAUSE FOR LACK OF A CRIME

Plaintiff’s alleged offense is violating § 815.06(2)(a), Florida Statutes, which

provides,

A person commits an offense against users of computers, computer

systems, computer networks, or electronic devices if he or she
willfully, knowingly, and without authorization or exceeding
authorization: (a) Accesses or causes to be accessed any
computer, computer system, computer network, or electronic
device with knowledge that such access is unauthorized or the
manner of use exceeds authorization.

3
Emphasis added. FDLE Special Agent Noel Pratts, who drafted the affidavit

(Exhibit 1, hereto) supporting the search warrant and who drafted the search warrant

(Exhibit 2, hereto) that Judge Joshua Hawkes signed, provided no evidence that

access was unauthorized for Plaintiff or any other person in the world. The closest

Special Agent Pratts ever came to supporting his claim that whoever sent the subject

message intruded on a restricted site was the statement, “The group

StateESF8.Planning is utilized by multiple users, some of which are not employees

of FDOH but are employees of other government agencies. Once they are no longer

associated with ESF8, they are no longer authorized to access the multi-user group.”

Ex. 1, at p. 3. No source is cited for this ipse dixit. Nor does S.A. Pratts offer any

explanation of why his word alone on what online sectors of the DOH website are

restricted is sufficient evidence to support a search warrant. DOH has many a policy,

but nothing presented in the probable-cause affidavit designates any rule, policy, or

classification that made this emergency alert system restricted in any way. There is

nothing anywhere that defines or designates the forum as confidential, limited to

certain users, or restricted in any way. S.A. Pratts cites nothing but his own

unsupported belief that the message to this site was unauthorized and thus a crime.

The public website, taken down in the wake of publicity about this search, contains

no warning of any kind to the universe of users to whom it provides the user ID and

password for the message board.

4
 There is no evidence that the site was restricted or “members only.” There is

much evidence to the contrary. In the wake of the publicity resulting from the

service of the search warrant at issue, computer enthusiasts around the nation took

an interest in the site at issue. A report from a technology news site, Ars Technica,

said that readers of Reddit discovered that the Department of Health’s private

messaging system that Jones allegedly accessed had published the email address and

password and posted it in at least seven .pdf files that were widely available on the

internet to anyone who had the address.1 Following FDLE’s raid on Plaintiff’s home

on December 7, 2020, and the Ars Technica report on December 9, 2020, the Miami

Herald found the user name and password still available on the DOH website on the

evening of December 9, 2020, but gone by December 11, 2020.2 Florida Today, in

an article of December 10, 2020, reported that, as of that very morning, the username

and password for the system were on a document that was publicly available on a

Department of Health site.3 The fact that DOH made the site available to anyone in

the world who had an electronic device with internet access, and that DOH did

nothing to restrict access to the site or declare it to be of limited access, is the same

1
COVID data manager investigated, raided for using publicly available password |
Ars Technica
2
DeSantis defends handling of whistle blower search warrant | Miami Herald
(archive.is)
3
Evidence to justify raid on home of Rebekah Jones weak, experts say
(floridatoday.com)

5
as an open invitation for anyone in the world to access and contribute to the site.

Under these circumstances, no reasonable officer would regard accessing the site to

be a crime under § 815.06(2)(a), Florida Statutes, which makes such access a crime

by a user only if, “he or she willfully, knowingly, and without authorization: (a)

Accesses or causes to be accessed any computer, computer system, computer

network, or electronic device with knowledge that such access is unauthorized...”

There is no possibility that access could be unauthorized when the DOH website, in

seven places, describes how anyone can access the site with no indication that access

is restricted in any way. An unredacted copy of one of the seven instances where

the access credentials were published online by DOH was downloaded before it shut

down the sites and is attached hereto as Exhibit 3.

It is not even theoretically possible that whoever sent the message committed

a crime, so there is no possibility that a legitimate search warrant could issue to find

out whether Plaintiff sent the message. Accordingly, the search warrant was

obtained in bad faith and with no legitimate object or purpose. The search warrant

was never valid and would never have been signed if a fair presentation of the facts

had been given to Judge Joshua Hawkes, who signed the warrant.

DOH or FDLE may come up with some policy or designation of the site as

confidential, but that will not alter the fact that nothing of the sort was presented to

Judge Hawkes at the time of the signing of the warrant. Nor will it alter the fact that

6
any such hidden policy was not available to anyone relying on the contrary message

to be derived from placing the user name and password in seven places on a public

website of a government agency whose records are presumed to be public under

Chapter 119, Florida Statutes, unless some public records exception is expressly

stated.

A material omission voids a search warrant in the same way that a material

falsehood does. See State v. Van Pieterson, 550 So.2d 1162, 1164 (Fla. 1st DCA

1989) (stating an omission is material “if a substantial possibility exists that the

omission would have altered a reasonable magistrate's probable cause

determination”); see also, Sotolongo v. State, 530 So.2d 514, 516 (Fla. 2d DCA

1988) (same, noting that it does not matter if the omission was intentional or in “good

faith”). In such instance, a law enforcement officer cannot in good faith rely upon a

warrant because probable cause is lacking. See Thorp v. State, 777 So.2d 385, 393

n. 11 (Fla. 2000) (there is no “good faith exception to an invalid search warrant” that

was “based on a misleading or false affidavit”); see also, Sotolongo, 530 So.2d at

516 (same, citing Franks v. Delaware, 438 U.S. 154 (1978)). FDLE omitted all facts

concerning DOH placing the user ID and password for the message board in seven

public places on its website. FDLE also omitted the lack of any warning or other

indication that the site in question was restricted in any way or to any class of

potential users. Had these disclosures been made, the search warrant would never

7
have been issued by any reasonable judge nor sought by any reasonable law

enforcement officer.

In U.S. v. Stanert, 762 F.2d 775, 778 (9th Cir.1985), the court applied the

rationale of the landmark case, Franks v. Delaware, 438 U.S. 154 (1978), to hold

that a defendant could challenge an otherwise facially valid affidavit by making a

substantial preliminary showing that “the affiant intentionally or recklessly omitted

facts required to prevent technically true statements in the affidavit from being

misleading.” Stanert, 762 F.2d at 781 (noting that “[b]y reporting less than the total

story, an affiant can manipulate the inferences a magistrate will draw. To allow a

magistrate to be misled in such a manner could denude the probable cause

requirement of all real meaning.”) In addition, the accused must show that the

“affidavit, once corrected and supplemented,” would not “provide ... a substantial

basis for concluding that probable cause existed” to search defendant's residence.

Id., at 782. That is an easy showing in this case. Had the signing judge known of

DOH’s open invitation to its message board and the absence of any admonitory

language restricting access, the warrant would never have been signed. See

Strickland v. City of Dothan, 399 F. Supp. 2d 1275, 40 (M.D. Ala. 2005) (“No officer

‘reasonably could have believed that probable cause existed, in light of the

information the officer possessed.’”); see also, James v. City of Birmingham, 926 F.

Supp. 2d 1260, 1270 (N.D. Ala. 2013) (“The court finds that a reasonable officer

8
would not believe there was probable cause in such a situation” regardless of the

possession of a signed warrant).

Moreover, the warrant and its supporting affidavit allege that Plaintiff used her

own computer in her own home to access the DOH emergency message board.

Under the controlling law in this district, Crapps v. State of Florida, 180 So. 3d 1125

(Fla. 1st DCA 2015), there is no crime unless the accused accesses “tangible devices,

not the data and other information located on the device. Thus, to prove a violation

of section § 815.06(1)(a), the State must establish that the defendant accessed one of

the listed tangible devices without authorization, not that the defendant accessed a

program or information stored on the device without authorization.” Id., at 1127,

citing, Rodriguez v. State, 956 So.2d 1226, 1230 (Fla. 4th DCA 2007). FDLE alleges

the Plaintiff used her own computer from her own home, not that she gained

unauthorized access to any Department of Health hardware. Accordingly, the search

warrant lacks probable cause and is void ab initio.

II. NO PROBABLE CAUSE FOR LACK OF CONNECTION TO

PLAINTIFF

S.A. Pratts swears in his affidavit that through “the use of investigative

resources your Affiant determined that the IPv6 address 21601:4c1: 4000:3a80:286e

:3dd1:fcd:5c4a resolved to Comcast subscriber Rebekah Jones with a service address

of 2540 Centerville Ct., Tallahassee, FL 32308, Comcast account:

85351011682713212 and email address rebekah.coastal@comcast.net.”

9
 Governor Ron DeSantis said later at a press conference that FDLE issued a

subpoena to Comcast, but there is no evidence of that. It is certainly outside the four

corners of Pratts’ affidavit. The “investigative resources” could have been anything.

The judge who signed the warrant could not have known what the “investigative

resources” were or how reliable they might be. It is unlikely it was a confirmation

from Comcast. If the connection between the offending message and Rebekah Jones

were a subpoena to Comcast, that is too strong a proof to leave out. The mere fact of

Pratts being evasive and cagey about the “investigative resources” is evidence that

it was something weak. Whatever was not presented to the judge cannot be used

later to establish probable cause.

Moreover, even if S.A. Pratts had a more respectable-sounding preliminary

nexus between Rebekah Jones and the IP address in question, that would still be

insufficient basis to establish probable cause, as shown in what has become the

leading case, In re BitTorrent Adult Film Copyright Infringement Cases, 296 F.R.D.

80 (E.D.N.Y. 2012), which has, to date, been cited 2315 times, according to a

Westlaw search on December 21, 2020. BitTorrent reviewed the science of IP

addresses and concluded:

In sum, although the complaints state that IP addresses are assigned to

“devices” and thus by discovering the individual associated with that
IP address will reveal “defendants' true identity,” this is unlikely to be
the case. Most, if not all, of the IP addresses will actually reflect a
wireless router or other networking device, meaning that while the ISPs
will provide the name of its subscriber, the alleged infringer could be

10
 the subscriber, a member of his or her family, an employee, invitee,
neighbor or interloper.

Id. at 85. Because the affidavit does not say the IP link came from the ISP, Comcast,

one must assume, for probable cause purposes, that it did not. But even if this

established a nexus between a router in Plaintiff’s home and the message at issue,

the message could have been sent by a neighbor, or even a stranger parked on the

street in the neighborhood. The BitTorrent opinion’s reasoning is instructive. In

granting several motions to quash subpoenas for subscriber information linked to IP

addresses identified in several copyright infringement lawsuits, the court held that

“the assumption that the person who pays for Internet access at a given location is

the same individual who allegedly downloaded a single sexually explicit film is

tenuous, and one that has grown more so over time.” Id. at 84. The BitTorrent court

continued, “[t]hus, it is no more likely that the subscriber to an IP address carried

out a particular computer function—here the purported illegal downloading of a

single pornographic film—than to say an individual who pays the telephone bill

made a specific telephone call.” Id.

All the BitTorrent themes are developed at length in the attached expert

Declaration of Bennett Cyphers, who is Staff Technologist at the Electronic Frontier

Foundation (EFF), a leading organization with special expertise is the use of IP

addresses by law enforcement to secure search warrants against certain accused

persons. See Ex. 4, Cyphers’ Declaration. Cyphers’ Declaration was written

11
specifically for this case and details the relevant science and the history of that

science and applies it to the particular situation of the search and seizure at issue in

this case. In addition to the points developed in BitTorrent and its prodigy, Cyphers’

declaration explores at length the failure of FDLE to seize the router from Plaintiff’s

home – the single piece of equipment that would have helped most in accomplishing

the stated mission of establishing whether Plaintiff sent the disputed message to the

DOH message board. By leaving behind both router and modem, FDLE sends the

message that it is less interested in finding a message to the DOH message board

than in finding the confidential sources feeding information to Rebekah Jones about

the misconduct of the DeSantis regime in its handling of the worst public health

crisis in the nation’s history.

III. IF ANY SEARCH IS ALLOWED, IT SHOULD BE RESTRICTED

TO A SEARCH FOR THE SINGLE NOVEMBER 10, 2020,
MESSAGE AT ISSUE

Professor Charles Ehrhardt, the legendary evidence expert at the Florida State

University College of Law, has told his students for 50 years that police can’t search

a breadbox for an elephant. “The Fourth Amendment requirement ‘that things to be

seized be particularly described is to prevent a general, exploratory rummaging in a

person's belongings. This is accomplished by removing from the officer executing

the warrant all discretion as to what is to be seized. The particularity requirement is

even more stringent where the things to be seized have the presumptive protection

12
of the First Amendment.’” State v. Johnson, 605 So.2d 545, 548 (Fla. 2d DCA 1992)

(cleaned up), quoting, United States v. Torch, 609 F.2d 1088, 1089 (4th Cir.1979),

cert. denied, 446 U.S. 957 (1980). The warrant issued in the instant case was not

limited to evidence of transmission of the disputed message (the router) but was

essentially a general warrant allowing wholesale seizure of all of Plaintiff’s First

Amendment protected media and communications, and is presumptively

unreasonable. This is precisely the situation against which the Fourth Amendment

was intended to protect. See Lo-Ji Sales, Inc. v. New York, 442 U.S. 319, 328 (1979)

(stating the courts “will scrutinize” the untargeted seizure of First Amendment

protected materials); see also, United States v. Medlin, 842 F.2d 1194, 1199 (10th

Cir.1988) (“When law enforcement officers grossly exceed the scope of a search

warrant in seizing property, the particularity requirement is undermined and a valid

warrant is transformed into a general warrant thereby requiring suppression of all

evidence seized under that warrant.”). Execution of the warrant resulted in a prior

restraint on speech which is presumed unconstitutional. Near v. Minnesota, 283 U.S.

697 (1931).

IV. ALTERNATIVELY, PETITION FOR INJUNCTION

Plaintiff submits this motion on the premise that § 933.14, Florida Statutes, is

an adequate remedy at law and is, in itself, a proper vehicle for all the relief sought

in this motion. If, however, that premise is incorrect, Plaintiff respectfully petitions

13
this Court for an injunction granting all the relief specified above and states:

1. There is no adequate remedy at law if § 933.14, Florida Statutes, does

not afford the full relief sought herein.

2. There is a strong likelihood of success on the merits, as shown in the

demonstration, supra, that there was no crime committed, that the nexus between

Plaintiff and the alleged criminal act is not shown; and that, in any event, the warrant

allows the proverbial search for an elephant in a bread box.

3. The Plaintiff will suffer irreparable harm if FDLE accesses her

confidential sources and attorney/client privileged material and deprives her of her

property and access to First Amendment protected communications. See Elrod v.

Burns, 427 U.S. 347, 373 (1976) (the loss of First Amendment rights, even for

minimal periods of time, unquestionably constitutes irreparable injury). FDLE

suffers no harm by giving back property unlawfully seized.

4. The relief sought is consistent with the public interest. The public has

an interest in free speech and in preserving the right of the people to be secure in

their person, papers, and property. See League of Women Voters of Florida v.

Browning, 863 F.Supp. 1155, 1167 (N.D. Fla. 2012) (vindication of constitutional

rights serves the public interest “almost by definition”).

14
WHEREFORE, Plaintiff requests the following relief:

A. Issuance of an order compelling Defendants to return Plaintiff’s

property seized during the search;

B. Issuance of an Order compelling Defendants to destroy of all copies,

images or other duplication of the information contained on the property

seized, which includes proprietary information as well as privileged

information under the attorney-client and attorney work product privileges.

C. Alternatively, a temporary injunction ordering Defendants to confine

any search to evidence of transmission of the message at issue along with

return and deletion of any copies of all other materials seized.

[Remainder of this page intentionally left blank.]

15
Respectfully submitted this 23d day of December 2020,

/s/ Richard E. Johnson

Richard E. Johnson
Florida Bar No. 858323
Law Office of Richard E. Johnson
314 West Jefferson St.
Tallahassee, FL 32301
850-425-1997
850-561-0836 (fax)
rick@rej-law.com

Lawrence G. Walters
Florida Bar No. 776599
195 W. Pine Ave.
Longwood, FL 32750
407-975-9150
larry@firstamendment.com

Lisa C. Lambert
Florida Bar No. 495298
245 N. Highland Avenue NE
Suite 230-139
Atlanta, GA 30307-1936
404-556-8759
lisa@civil-rights.attorney

Attorneys for Plaintiff

16
 CERTIFICATE OF SERVICE

I HEREBY CERTIFY that I have served a true and correct copy of the foregoing to

Lauren L. Gonzalez, Esq., Florida Department of Law Enforcement, Regional Legal

Advisor, by email at LaurenGonzalez@fdle.state.fl.us, this 23d day of December,

2020.

/s/Richard E. Johnson
Richard E. Johnson

17
Exhibit 1
ID#: 2174

IN THIE_ _ _COURT OF THE SECOND JUDICIAL

CIRCUIT IN AND FOR LEON COUNTY, FLORIDA

AFFIIDAVIT FOR SEARCH WARRANT

COMES NOW, the Affiant, Noel Pratts, a Special! Agent of the Florida
Department of Law Enforcement, who personally appeared before a sworn
officer, ma.k.es this affidavit, which has been submiitted to the Court. The Affi.ant
swears under oath that he has probable cause to lbeliev,e, that cert:aii11 l aws are
being violated in or about a certain p:rem ises and the curtilage thereof and that
eViidence of the violat!on of certain laws 1in the form of computer equipment and
data, or p.rinted or written documents and other rellated items described herein,
are being kept in or about certa·11 premi1ses and the cuirtilage· thereof, in LEON
County, Florida, being known and described as follows :

2540 CENTERVILLE CT., TALLAJHASSEE, F,L 32308

......... ~, _,, ___ .

, I
~

I .. 1 '" ""I 1 •11 I~ I .-u " •I 11 j I' 1, , 1 11

I ~. '. ,. I II""'"' I I II 1 ' I " II I II

ID#: 2174

Di1rections and Descriptl,on:

2451 Centerville Road , travel l,eff/north onto Centerville Rd., for approximately
0 .1 miles, then tum right onto Centerville Ct. approximately 0.3 Miles. The
premises will be o:n the left/no.rth side of Centerville Ct approximately 354ft fmm
1

Cente.rvllle Road.

The formal address of the pr-emises to be searched is 2540 CE TERVILLE CT.

TALLAHASSEE, F 32308 and the premises and its curtillage is referred to as
"The Pr,e mises." The pr,e mises is described as a s·ngle family Condom inium
1

home. The residence ha.s off-whi e· siding with red brick accent around tile green
door. The number 2540 is clearly displayed on ttle condomlnilum near the front
door of the residence.

The, Premises and the curtllage ~hereof are being used for the purpose of storing
compu er 0 1r electronic devices 1 re'lating to the unauthoriiLz,ed access of a
compute:r, computer system. compw:er network, or electronic devioe. Accesses
or ,c auses to be accessed any ,computer. computer system, computer network., or
electronic device with !k nowledge that such access is unauthoirized. in violation of
section 815.06(2}(a), Flo.rida Statutes, and contains ,evidence of, or evidence
rielevant to pmving, the refer,enced felony has been, o:r is being committed.

INVESTIGATOR BACKGROUND

Your Affiant, Noell Pratts is a Special! Agent (SA) with the floriioa ·D epartment of
Law Enforcement (FDLIE), ass.igned to, the Tallahassee Regional Operations
Center, (TROC) Cyber Hligh/T,ech Cnimes Squad and has been a .l aw
enfor-cement officer for the past 1S. years.. Your Affiant na_s .approximately 13
years of experience iin criminal investigations.. Your affiant is a Certiliied Cyber
Orlme:s Investigator by The National White-Collar Crime Center Board o,f
Diirectors and has successfully completed numerous hours of training specific to
cyberictimes to include the FBl's Cyber Intrusions, FBl's Exploiting Network
CommunicaUons, NW3C Basic Network Intrusion Investigations, SANS
Introduction to .lnformafiion Security, Comp TIA. Network+,. and several others.

Your affiant m s a memlber of the Federalll Burem.J Investigation (FBI) Cyber Task
Force. This Task Force ·s comprised of federal and state law ,e nforcement
agencies engaged in ~he investigation of computer related crimes invollving cyber
intrusion. As a Special Agent ~tlh fl)LE. your affiant is au~horized to invesfg.ate
rida, specifically any and all crimes involving
all criminal! mauers in the state of Flo1
computers.

Based on .all the above described tira.iningi and ·experience, and the investigative
facts .and activity se-t forth herein, your affi.ant has developed probable cause to

2
ID#: 2174

belllieve and doe.s believe that ~he crimes described hereiin are rnr were being
committed at or within the Premises. or ,evidence of the satd crimes is conmined
with·n the herein descdbed account at the Premises. The following facts suppo:rt
your Affiant's probable cause::

CURRENT INVESTIGATION:

On Nov,embe:r 10, 2020, Speciall Ag,ent (SA) Noe,I Pratt.s spok•e to Derrick Smith
from, the Bureau of Preparedness and Response w·t:i, the Flor,id.a Department of
Health (FDOH) via telephone and he adv,ised that FDOH utiHzes a customamade
communicaUons application for IEmerg:ency Management designed by ReadlyOP.

ReadyOP is a web-based platform developed for Incident and -emerg.ency

planning, immediate access to information, and fas.tt flexible. and -efficient
,communications. ReadyOp 1 integraites multipre da1talbases. and communicaUons
platform for fast, •efficient access to infoJimation, as well as the ability to plan,
coo111rnate, direct and communicate with multiple pe:rsons, giroups and ag:encies.

On !November 10, 2020~ at appro,xlmately 1420 hours and 1442 hours. an

unrdentifiied subject g1ained aooess. to a multi-user account group '"StateESF-
8.Planniing"' and sent: a ,group text stating the foHowiing.: "it's .time, to speak up
before another 17,000 people are dead. You know ,this is wrong. You don't have
to be part of this. Be a hero. Speak out .before it's too late. - From
Sta-t&E.SF8.Planning''. FDOH estimates that approxiimately 1,750 messages were
dellivered before the software vendor was able to stop the message from being
transmitted.

iFDOH has several groups within ReadyOp's application platform, one of which iis
StateESFS.Planniing. ESF8 iis Florida1s Emergency Suppo.rt Function for P'ubHc
1-tiealth and Medical with which the,y coordinate the state's health and medical
resources. -capa'bi1
lities, and capacities. They also pmvide ~he me.ans for a pub :ic
health response, triage, trea·;ment,. and transportation. The group,
StateESF8.Planniing is utilized by multiple users, some of whi:ch are not
employees of FOOH but are employees ,of other government agencie·s. Once
they are no longer associated with ESFS, they are no ,l!onger authorized to access
the multi-user group,.

All users assigned to StateESF8.Planning group share the· same usemame and
passwoird. SA Pratts reQuested .and received a copy of the ·teohnicall logs
oontain1iing the Internet Protocol ( P) address for users accessing the ReadyOp
web~based platfoirm for the multi~use1 r State.ESF8 .Plliann ·ng.

SA Pratts reviewed the logs .and identif1i:ed an IPv6 address

2601 :4c1 :4000:3a80:286e:3dd1 :f,oo:5c4a sent the group text on November 10,
2020 at 1420 hours. ·

3
ID#: 2174

.An open--source search through WHOIS IP lookup revealed the IPv6 address is
under the control and domain of Comcast Cable Communications.

Thr-ough the use of investigative resouroes your Affiant. determined that the IPv6
address 2601 :4c1 :4000:3a80:28'6e:3dd 1:.Jcd:5,c4a resolved to Comcast
1

subscriber Rebekah Jones with a service address of 2540 Centerville Ct.,

Talllahass,ee, Fil 32,308 , Comcast aooou11t: 853510116827113.212 and email
address rebekah.ooastal@comcast.net. Jones is a former employ,ee of FDOHI
who was terminated by FDOH in May of 20.20 and is no longer authorized to
access the FDOH ReadyOp system.

COMIPUTER EVID ENCE 1

Your Affiant knows from training and experience th at d r:gita I evide nee is not
limltedl to computers. Your Affiant has been involved in numerous cases where
persons can access the lnteme·t , st:01 r-e data and ,communicate wUh other
indivi:duals with the same, 1interests using digital communications devices to
indude oellullar telephones, emaiil devioes and personal digita assistants among
several others. These devices are frequently found to contain chat
oornmunica ions in the form of short message service (SMS) messages., texts. or
email as well as e11abl1
iing Internet access and digital eel ular network access.

Your Affiiant 'knows from training and experience that persons using computers
for criminal purposes will frequently transfer data to o~her dig1ital media storage
devices. Digital storage•med a may include lbut is not Hmited to fl.oppy disks, hard
drives, tapes,, 1 DVD disks, GD-ROM diisks or other magne ic1 opti:cal or
mechanica storage which can be acoessed by computers or other electronic
devices to store or retrieve data, which can store the equivalent of thousands of
pages of information. Users may store i11formation in random order with
deceptive fi!le· names, which requ ires searching aut1horiUes to examine a.II the
stored daffl to detenni11e whether it is included in the warrant This sorting
process renders it limpractJical to attempt this kind of data search on sit,e.

Your Affiant knows ·from training and experience that searching digital evidence
systems for criminal evidence requires experience in the oomputer and ce lular
telephone field and a properly contra lledl environ me11t in order to protect the
integrity of the evidence and reoover even ''hidden", erased, compressed,
password-protected,, or encrypted files. Since digiital evidence is extremelly
vulnerable to tampering or destruction ,(both hum external sources or fir-om
destructive· oode imbedded in ·~he system, known as a "'booby trap"), a controlled
environment is essential to its complete and accurate anallysis.

Your Affia.nt lknows from training and experiences that computers and other
dig1ital oommunications devices oontain volatil!e memory that contains information
only whil,e the deviice iis in a powered on and/or rur11ning1state. Your Affiiant knows
1

4
ID#: 2174

that poweriing off ~he device may r,esulrt in the loss of the volatile information. Your
Affiant also knows that adding an extemal ,evi'denoo storage device w11IIII cause
minor changes to the s.tate of the· computer but willll allow for the best ,effort in fully
capturing the state of the running evidence.. Your Affiant rknows that this capture
of information requi res technical expertise to ,ensuire the resulting data can be
examined by all subsequelillt investigators.. Your Affiia nt knows that th is captured
information may include current and recent use of the computer, use of
encryption, use of othe:r communications devices. routes of Inter-net traffic and
other digital communications traffic and passwords, encryption keys or other
dynamic detam ls relevant to use of the system.

Your Affiirant knows from trai,rfng and experience that n order to ful~y retrieve data
from a com purer or other digital ,communications system, the analyst needs all
magnetic storage media as wellil as the storage devices. In addition.,. the analyst
needs all the system software {operating systems or interfaces, and 'hardware
access software or drivers) and any applications software which may have been
used to create the data ,(whether stored on hard drives or on external media) as
well as documentation, Items conaining1or displayling passwords, access c-odes,
usemames or ,other identifiers neoessary to examine or operate items, software
or information seized or to activate specific equipment or software.

Your Afflant knows from b':aining and experience that digital software or hardware
exists that allows persons to share digital access ov:er wired orwiir-ele·ss. networks
aHm6Jfing mulitiple persons to appear on the Internet from the same IP address.
Examination of these items can r,eveal information about the authorized or
unauthorized use of Internet connection at the residence.

Your Amant knows from training and experience that computers or other dig1 ital
devices used to aocess the !Internet usually •contain fil,es., logs or file remnants
which would tend to show ownership and use of the de,v:ioe as weH as. ownership
and use of Internet service accounts used fo:r the l nt,ernet 01r cellular data network
acce·ss.

Your Affiant knows from training and experience that digita · ,crime scenes usualllly
include items o,r di.gital information that would tend to es,tabli:sh ownership or use
1

of digital devices and !Internet access equipment and ownership or use of any
!Internet service or digirtall oellular service accounts to participate in the exchange,
receipt. possession, collection or distribution of data..

Your Affiant knows from training1 and experience that search warrants of
residences involved in computer Olli digitally related ciriminal actiM ty usually
produce· · ·ems that tend to estab:lish ownership or use of d gltal devices and
ownership• or use o,f any ~ntemet service accounts accessed to further their
criminal behavior to indiude credit card bills, telep,hone bills, oo,rrespondence and
other identification documents.

5
ID#: 2174

Your Affiant knows from trai111ii:ng and experii:ence that search wartants of
residence:S usually revea~ items that ten:d to show dominion and control of the
property searched, to include utility ibiilllls, tel:ephone bills, correspondence, r,ental
agreements. and other identification documents.
llhe above information has led yourr Affiant to beli.eve that pmbab1!e cause exists
to sear,oh for the items lis,ted bellow. llhere· is evidence of a violation of Flonda
State Statute 815.06(2){a) Offenses Against Users, of Comput,ers,. computer
system, computer networks, and electronic devices, .and a person commits an
offense against users of computers, c-omputer systems , computer networks, or
ef!ectronic de:v-ices if he or she· wi!l!lfully, knowingly, and without .authorization: {a)
Accesses or causes, to be accessed any computer, computer system, computer
network, or •electronic device with knowledge that such access 1 is unauthorized:
and this evidence 11s concealed In the 1 resid•e:nce at 2540 Centerville Ct.,
Tallahassee, Florida

Your Aff1
iant hereby requests the Court's permission to seize the following: items,
and to ,conduct an off-site search and analysis. or to del,e gate the sea1 rch and
analysis to an off~site computer forensii c .analryst, of ·t he following items 1 through
15 (hereinafter the 11Property"). which are evidence of, or evidenoe· relevant to
proving,. the felony( s), noted herein;

11. Computer hardware to 1includa any and au computer

e,quipmer,t used to collect, analyze, create, display, convert,
store1 conceal1 or transmit electronic, magnetic., optical, or
simi1
,ar computer impulses or data. Hardware 1includes (but
is not lli mited to) any data-processing devices (such as
1

central processing uniits, cellular devices., personal

compute,rs to include· "laptop" or "notebooik" ,..tabletu or
1

,,1P
__ ocketJ'
-_ _ com -)~ inte1
_ _---p ute_rs, rnal a-nd__ p~ eriipheral
____ __ storage
devices. ,( such as fixed disks, external hard disks, floppy
dis!k drives and dls.k ettes, tape drives and tapes, optical
sto1rage devices, and other electrome media devl ces). 1

2. Computer input and o'Ulput devices to include but not

limilted to keyboards, mme·, scanners, printerst mo,n itors,
network communii:cation devicesl modems and extemal or
connected deviices used fo.r accessing compute,r storage
media.

3. Computer storag:e media and the di:gital content to include

but not limited to fJ,opip y disks,, ha.rd drives, USB flash
drives, SD cards, VHS tapes, tapes. DVD disks, CD-ROM
disks or other magnetic, optical or m,e chanical st.o rag,e
whlich can be accessed by computers t-o store or re:tri'eve
data.

6
ID#: 2174

4 Computer software and applicatiion software insta.l lati1on

and ·O·p eration media, and any other computer software
r-elatedl to the unautihoriz:ed access of a1 n y com1puter,
computer Sy.st.e ms, c 0:mputer network1 or electroni1c device.
1

5 Computer software, hardware or di•g ital contents related to

the sharing of Internet ac cess over wired or wir-eless
1

networks allowiin g imaltiple pe,r sons to appear ,o n the

Internet from the same IIP address.

6 Manuals and other documents (whe•ther digital or wri.tten)

whiich describe operation of items or software sei~ed.

7 Items containing, or displaying passwords., access codes.,

username.s or other identifiers necessary to examine or
operate items, softwar:e· or information seized.

8 Correspondence or other documents (whether digital or

written) pertaii nlng to the possession, receipt, origin or
distribution of data involving the facilitation of ,c,ompute,r
crimes offenses.

9 Items that would tend to establish ow.nership or use of

compute·rs and owne1rshii p or use of any Internet service
accounts accessed to further computer crimes offenses to
include credit card bins, telephone bins, corr-es1
p ondence
and othe•r identiii ication documents.•
10 Items that would tend to show dominion and control of the
property searched,, to i1n clude utilli ty bil,l s, telephone bills,
correspondence, rental agreements and other i dentifica~ion
do-cuments.

11 FHes and data on the •c omputer that show the s.u spect's
ownershiip , possession and control at time ·o f the offense.

12 Any and al'I so,f tware that may be utilized to create, receiv,e,
distributet store,. or· modify the ,ev;idence soug,h t and an
software that may· be used to communicate or store onliine
communie;ations.

13 Encrypted, deleted and unaHocated flies on electronic

media dlat contain any o,f the information listed in prev,i,ous
para.gra1
p hs.

7
ID#: 2174

14 Nota.t ions,, fi les or docum.e,ntat ion conta ining passw·ords or

codes necessary 'to unfoc k co mputer f'Hes or to acc,ess the
computer or storag:e media.

15 Any computer or computer..related device, software

program, Information pertaining to the use of lntruslion
s•oftware, manuals, log flies or other docume,nts related to
the unauthorized access of any computer 1, computer
system, co'fflputer network, or electronic dev,lce

Your Affiant is aware that the recovery of data by a computer for,ensfc analyst
takes significant time, and much in the way recovery of nair:oo,tics must later be
·forensically e,valuated in a lab, digital ,evidence will also unde.rgo a similar
process. For th·s reason 1 the "return" inventory will contain a list of only the
tangible items recovered from "the Premises~. Un less otherwise oirdered by the·
1

Court, the return wiJI not include, evidence later examined by a forensic analyst
WHEREFORE, affiant makes this .affidavit and prays for the· issuance of a SeafCih
Warrant in due form of law commandjng the Executive 1 0irector of the Florida
Department o,f Law Enforcement 1 or any of hiis duly constituted Special Agentst
and ~he S~eriff of LEON County, or any of hi,s duly constituted depuies, including
Jorensic computer analyst experts, to search the above de,scribed "Premises" and
the curtiila,g,e thereof, and! .any vehicles thereon , or persons lfocated wUlhin the
"Premises" and the curtil age reasonab ly believed lo be connected with said
1

illegal! actlivity, for the said "P:roperty" heretofore dlescnibed, and to search said
".Property'' described above and to saize and safely keep same, either in the
dayt"me or in the nighttime, o:r on Sunday, as the ex:i:g,encies of the occasion may
demand , in order that the evidence may be procured to be used in the
prosecution of such person or persons who have unlawfully used, possessed, or
are us1ing or possessing1the s m · , . violation o.f the ·1aws of the State of Florida.

Speci Ag:ent Noelll Pratts

Florida Departnient of Law Enforcement

:y~reme~5~
~ c e:r
day of . Ulro,...., br,c . 2020.

x1 Personally Known
~ - Produced identificatiion
-Type:

8
Exhibit 2
Exhibit 3
 56789
89ÿ 89986ÿ8
ÿ5ÿ89
ÿ
ÿ
ÿ"#ÿ$%%&&ÿ'()*ÿ#%+ÿ%,%ÿ+ÿ$ÿ#,+-ÿ,%#",%+-ÿÿ
%&$+-ÿ%.ÿ,$+/ÿÿÿ
ÿ
19
2
8693ÿÿ456ÿ756789:;<ÿ=692>ÿ?@6;6A<;ÿ<56ÿB:A:BCBÿ@6DC:@6B6A<;ÿ32@ÿ<56ÿ?2;:<:2AEÿF2<6ÿ<5G<ÿ;2B6ÿ:<6B;ÿG@6ÿ2A6H<:B6ÿG7<:2A;Iÿ>5:96ÿ
2<56@;ÿG@6ÿ2AJ2:AJÿ2@ÿ@6?6<:<:K6ÿ<5@2CJ52C<ÿ<56ÿ:A7:L6A<EÿF2<ÿG99ÿ<G;8;ÿBGMÿG??9Mÿ<2ÿ6K6@Mÿ:A7:L6A<ÿGALÿGLL:<:2AG9ÿ<G;8;ÿBGMÿ=6ÿG;;:JA6LÿLC@:AJÿ
GAÿ:A7:L6A<Eÿ
ÿ
NOPQRQPQSTÿPVÿWSÿOVXYZSPS[ÿ \VXYZSPSÿ ]Nÿ
^_à_bÿ̀acÿd_efÿ̀ghcei`_jbikÿlce_jmÿ ÿ ÿ
0Eÿn676:K6ÿ:A:<:G9ÿ=@:63:AJÿGALÿ:BB6L:G<6ÿ?@:2@:<:6;ÿ3@2Bÿo2J:;<:7;ÿp67<:2Aÿq5:63Eÿ ÿ ÿ
4Eÿp:JAH:Ar2C<ÿG<ÿ<56ÿ=6J:AA:AJÿGALÿ6AL:AJÿ23ÿ;5:3<Eÿ ÿ ÿ
sEÿt;<G=9:;5ÿ>2@8ÿ927G<:2AÿG<ÿptuqEÿ ÿ ÿ
vEÿw@:63ÿxA:<ÿ?6@;2AA69ÿ@6JG@L:AJÿ;:<CG<:2Aÿ;<G<C;ÿGALÿ6y?67<G<:2A;Eÿ ÿ ÿ
zEÿq2ALC7<ÿtp{|ÿ}C;<H:AH<:B6ÿ<@G:A:AJÿG;ÿA66L6LEÿ ÿ ÿ
~EÿtA;C@6ÿ<5G<ÿ:;;:2AÿxA:<ÿ:;ÿB2A:<2@:AJrBGAGJ:AJÿB:;;:2A;ÿ:Aÿtÿq2A;<699G<:2Aÿ ÿ ÿ
€‚ƒtp{ÿ|ÿo2J:;<:7;„Eÿ
…Eÿq2A3:@Bÿ<5G<ÿ†tÿ4675A292JMÿ:A79CL:AJÿG776;;ÿ<2ÿtÿq2A;<699G<:2Aÿ:;ÿ3CA7<:2A:AJÿ ÿ ÿ
?@2?6@9MEÿ‡;ÿA66L6LIÿA2<:3Mÿ†tÿˆ4ÿ23ÿ72B?C<6@ÿA66L;r:;;C6;Eÿn6?2@<ÿ:;;C6;ÿ<2ÿ<56ÿ
o2J:;<:7;ÿp67<:2Aÿq5:63Eÿ
|Eÿq2A3:@Bÿ<5G<ÿ<56ÿBG:9=2y6;ÿG@6ÿ>2@8:AJÿ?@2?6@9MÿGALÿG@6ÿ=6:AJÿB2A:<2@6LEÿ€‰ÿ ÿ ÿ
Šÿ1‹6Œ
86ÿÿŽ3‰‘ÿ’ÿ56789
89„Eÿn6?2@<ÿ:;;C6;ÿ<2ÿ<56ÿo2J:;<:7;ÿp67<:2Aÿ
q5:63Eÿ
“Eÿq2A3:@Bÿ<5G<ÿGÿB:;;:2Aÿ:;ÿ6A<6@6Lÿ:A<2ÿtÿq2A;<699G<:2AÿA2<:AJÿ<56ÿG7<:KG<:2Aÿ23ÿp<G<6ÿ ÿ ÿ
tp{|Eÿÿ
0”Eÿ†6K692?ÿGALÿ?@2K:L6ÿ<2ÿ<56ÿo2J:;<:7;ÿp67<:2Aÿq5:63ÿGÿ:;;:2AÿxA:<ÿp<G33:AJÿn2;<6@ÿ32@ÿGÿ ÿ ÿ
32C@<66Aÿ€0v„ÿLGMÿG7<:KG<:2Aÿ?6@:2LEÿ
00Eÿu=<G:Aÿ<56ÿq@:<:7G9ÿn6;2C@76ÿo:;<ÿGALÿL:;<@:=C<6ÿ:<ÿ<2ÿ<56ÿ:;;:2Aÿp?67:G9:;<Eÿ ÿ ÿ
04Eÿq2A3:@Bÿ<5G<ÿ<56ÿ:;;:2AÿxA:<ÿ5G;ÿ72A<G7<ÿ:A32@BG<:2Aÿ32@ÿp<G33:AJIÿtDC:?B6A<ÿ•ÿ ÿ ÿ
pC??9MIÿGALÿG<6@:G9;ÿxA:<;ÿ32@ÿ6G75ÿ2?6@G<:2AG9ÿ?6@:2LEÿq2A3:@Bÿ<5G<ÿ72A<G7<ÿACB=6@;ÿ
GALÿ6HBG:9;ÿG@6ÿ3CA7<:2A:AJÿ?@2?6@9MEÿ–‰ÿŠÿ1‹6Œ
86ÿ96ÿŽ3‰‘ÿ’ÿ
56789
89—ÿ
0sEÿq2A3:@Bÿ<5G<ÿ<56ÿo2J:;<:7;ÿp67<:2Aÿq5:63ÿ5G;ÿ<56ÿB2;<ÿ7C@@6A<ÿ‡7<:2Aÿn6DC6;<ÿ{2@Bÿ ÿ ÿ
€‡n{„ÿ<6B?9G<6Eÿˆ<ÿ7GAÿ=6ÿ2=<G:A6Lÿ3@2Bÿ<56ÿ{6L6@G9ÿtp{ÿ|ÿ?2:A<ÿ23ÿ72A<G7<ÿ:Aÿ<56ÿ
ptuqEÿ
0vEÿq2A3:@Bÿ<5G<ÿ<56ÿ:;;:2AÿxA:<ÿ:;;:2Aÿp?67:G9:;<ÿ<G;8;ÿG@6ÿ?6@32@B6LÿG772@L:AJÿ<2ÿ ÿ ÿ
<56:@ÿ756789:;<ÿ€‚ƒtp{ÿ|ÿo2J:;<:7;„Eÿ
0zEÿ˜9GAÿ32@ÿL6B2=:9:™G<:2Aÿ23ÿ;<G33ÿGALÿ@672K6@Mÿ23ÿL6?92M6LÿG;;6<;ÿGALÿ6DC:?B6A<Eÿ ÿ ÿ
0~Eÿ˜@2K:L6ÿC?LG<6r;5:3<ÿ@6?2@<ÿ<2ÿ2Aÿ72B:AJÿ:;;:2AÿxA:<ÿo6GL6@Eÿ ÿ ÿ
^_à_bÿš›jÿghcei`_jbikÿlce_jmfÿ ÿ ÿ
0Eÿn6HG;;6;;ÿ2@:J:AG9ÿ;<G33:AJÿ?9GAEÿ ÿ ÿ
4Eÿn6HG;;6;;ÿA66L;ÿ32@ÿGLL:<:2AG9ÿ>2@8ÿ;?G76Eÿÿ ÿ ÿ
œiaÿghcei`_jbikÿlce_jmÿ ÿ ÿ
0Eÿp:JAH:Ar2C<ÿG<ÿ<56ÿ=6J:AA:AJÿGALÿ6AL:AJÿ23ÿ;5:3<Eÿ ÿ ÿ
4Eÿn676:K6ÿ=@:63:AJÿ3@2Bÿo2J:;<:7;ÿp67<:2Aÿq5:63Eÿ ÿ ÿ
sEÿ˜G@<:7:?G<6ÿ:Aÿtp{|ÿGALÿ†tÿo2J:;<:7;ÿˆ‡˜ÿ?@276;;ÿG;ÿA66L6LEÿÿ ÿ ÿ
vEÿw@:63ÿCA:<ÿ23ÿ7C@@6A<ÿ;:<CG<:2AÿGALÿ6y?67<G<:2A;Eÿ ÿ ÿ
zEÿ‡;;:JAÿˆ‡˜ÿ2?6@G<:2AG9ÿ?6@:2Lÿ<G;8;ÿ<2ÿCA:<ÿ?6@;2AA69Eÿ ÿ ÿ
~Eÿq2A3:@Bÿ<5G<ÿ<56ÿ:;;:2AÿxA:<ÿ<G;8;ÿG@6ÿ?6@32@B6Lÿ€@636@ÿ<2ÿ<56:@ÿ;?67:3:7ÿ756789:;<;ÿHÿ ÿ ÿ
‚ƒtp{ÿ|ÿo2J:;<:7;„Eÿ
…Eÿž2@8ÿ>:<5ÿo2J:;<:7;ÿp67<:2Aÿq5:63ÿGALÿ˜9GAA:AJÿp67<:2Aÿ<2ÿC?LG<6ÿ<56ÿq@:<:7G9ÿ ÿ ÿ
n6;2C@76;ÿo:;<Eÿ
|Eÿ†:;<@:=C<6ÿq@:<:7G9ÿn6;2C@76;ÿo:;<ÿ<2ÿ:;;:2AŸ;ÿxA:<Eÿÿ ÿ ÿ
ÿ
0ÿ23ÿ4ÿ
ÿ
 456787679
ÿ6ÿ 9ÿ5969ÿ 969ÿ 4ÿ
ÿ23ÿÿ2ÿÿ! "ÿ" #$% &'#$&2()#ÿÿ ÿ((2(ÿ ÿ ÿ
 3 ÿ
*+ÿ,&(ÿ)ÿ#ÿ33"ÿ #ÿ23ÿ ÿ %ÿ2( 2)ÿ( 2#-.ÿ ÿ ÿ
**ÿ,&(ÿ/20ÿ33"ÿ#ÿ/20ÿ(& ÿ #ÿ10 ÿ&2 #2ÿ2ÿ ÿ ÿ ÿ
22"&ÿ3 &2ÿ3ÿÿ
*0ÿ4 5' ÿ##2)ÿ33"ÿ$ÿ# 2!)6ÿ' & 7ÿ32ÿ&ÿ2( 2)ÿ( 2#ÿ ÿ ÿ
89:;ÿ=>?:@ABACDEA:;ÿ ÿ ÿ
*ÿ2()ÿ#ÿ'!ÿF3ÿ32ÿGÿ,HFIFHJÿ2KLÿ-F3ÿ0*M.ÿN 2!)62ÿ &0G ÿ ÿ
K'ÿ-F3ÿ00*.OÿH ÿP 32& ÿQR)'2ÿF3ÿS2ÿ00MOÿF3ÿ00TÿF#R#')ÿ
P 32& ÿQR)'2ÿ-UVWQ3SÿXÿ22"&.ÿ
0ÿ23ÿ/ÿ4 2'& ÿYÿ ÿ&2R7ÿ23ÿ# ()27#ÿ( 2 )Oÿ Oÿ5'( Oÿ ÿ ÿ
#ÿ'(()ÿ
Zÿ2 #ÿQ3SXÿ22"&ÿ3 &2ÿ[2/ÿ ÿ ÿ
MÿP&(ÿÿ,3ÿ,&2ÿP2& ÿ ÿ ÿ
Tÿ4 'ÿ7ÿ5'( ÿ' #ÿ#'"ÿ&R2ÿ ÿ ÿ
\ÿQ'ÿÿY]ÿ/20(& ÿÿ&) #ÿ! 32ÿ# ('ÿ ÿ ÿ
^ÿN G&RÿYÿ( 2 )ÿ/ÿ ÿ((2R)ÿ23ÿ ÿ22"&ÿ3 &2ÿ3ÿ ÿ ÿ
Xÿ2()ÿ ÿ Oÿ237ÿR 7#7ÿ'( R2ÿ23ÿ'G2G#'7ÿ'ÿ-#$ .ÿ ÿ ÿ
ÿL ÿGÿ )3G&ÿ ÿ ÿ ÿ
*+ÿ4 'ÿ2ÿ2)ÿ2( 2ÿ ÿ ÿ
ÿ ÿ ÿ
ÿ
_`a`bcdÿfaghbicjkhaÿ
ÿ
ÿ
{cjk̀ajÿ}h€`i`ajÿhajczjÿfaghbicjkhaÿ
lmnoÿphqrfaÿ ÿ
sÿ Y ÿt ÿVÿ3Q4Hÿ ‚iƒ„dcaz`ÿ…`†dh‡i`ajÿ{dcaÿ
sÿ P/2#ÿVÿu2*^vÿ sÿ 3ÿHÿ272ÿ
mlwÿxÿphqkyjkzyÿ{|ha`yÿ ˆÿ M+^G^^G*ZZTÿ-2 .ÿ
sÿ XT+G\*^G+M+ÿ ˆÿ M+^GXZ0GZZ^Tÿ-2!).ÿ
sÿ XT+G\*^G+M*ÿ ˆÿ )72~&3)&2ÿ
mr}ckdÿ ÿ
sÿ (V$$)#23)'$%&" ÿ ‚kbÿ}`‰kzcdÿ‚yy`jyÿ
sÿ 3Q3SXSG,#~3) )"2Rÿ sÿ Š2ÿ3&2ÿ-P7.ÿ
sÿ 3Q3SX22"333"~3) )"2Rÿ ˆÿ X*ZGXMMG^^TXÿ-/20.ÿ
sÿ 3Q3SXP)"~3) )"2Rÿ ˆÿ X*ZG0+G*+^ÿ-2 .ÿ
phqkyjkzyÿ ˆÿ X*ZGZ\ZG*TTZÿ-& )).ÿ
sÿ (V$$/ !)73)2#&2ÿ ˆÿ X*ZGZZ0G^^TXÿ-(" .ÿ
sÿ Y ÿt Vÿ R& W3+Xÿ sÿ ‹7ÿ‹2&ÿ-3 &2#7.ÿ
sÿ P/2#Vÿ1)2%u*0Zÿ ˆÿ X*ZGZ\ZG*TZÿ
sÿ ,##Vÿ3+X~ 73)2#&2ÿ ÿ
wdhcj`bÿ{|ha`yÿ Œ„y`yÿca‰ÿ{cbcÿobcaykjÿ
sÿ 333"ÿYÿ2 # ÿVÿXT+G\MGZ*X+ÿ sÿ 2!!7ÿ 220ÿ-P7.ÿ
sÿ S& ÿ#ÿ,#2ÿVÿXT+GMMTGX*Zÿ ˆÿ XZG\Z\Xÿ-2 .ÿ
ÿ ˆÿ M*MGMTZZÿ-/20.ÿ
ÿ ˆÿ 0XMG\\Mÿ-& )).ÿ
ÿ ˆÿ 42! / !220~3) )"2Rÿ
ÿ
ÿ sÿ 26ÿ3'ÿ-3 &2#7.ÿ
ÿ ˆÿ M*MGMTZ+ÿ-/20.ÿ
ÿ ˆÿZ0*GZMT+ÿ-&)).ÿ
ÿ

0ÿ23ÿ0ÿ
ÿ
Exhibit 4
 IN THE CIRCUIT COURT OF THE SECOND JUDICIAL CIRCUIT,
IN AND FOR LEON COUNTY, FLORIDA

REBEKAH JONES,

Plaintiff,
Case No. _________________
v.

RICK SWEARINGEN, individually and

in his Official Capacity as Commissioner
of the FLORIDA DEPARATMENT OF
LAW ENFORCEMENT; NOEL PRATTS,
Individually; and FDLE AGENT JOHN
DOE, individually.

Defendants.
/

DECLARATION BENNETT CYPHERS

I, BENNETT CYPHERS, hereby declare as follows:

1. I am a Staff Technologist at the Electronic Frontier Foundation (EFF). This

declaration is based on my own personal knowledge, training, and familiarity with Internet

protocols. It is also based on my review of the affidavit and related materials filed in support of

the warrant issued to search Rebekah Jones’ home that gave rise to the complaint in this case and

the instant injunction motion. Further, this declaration is based on my review of a white paper

written by EFF on the topic of Internet Protocol (IP) addresses and their probative value in law

enforcement investigations.1

2. I earned Bachelor of Science and Master of Engineering degrees in Computer

Science and Engineering from the Massachusetts Institute of Technology. At EFF, I research

1
Aaron Mackey, Seth Schoen, and Cindy Cohn, Unreliable Informants: IP Addresses, Digital Tips, and Police
Raids (September 2016), https://www.eff.org/wp/unreliable-informants-ip-addresses-digital-tips-and-police-raids
(“Unreliable Informants”).
how technology companies, data brokers, and advertisers track consumers over the Internet and

collect highly sensitive information about people.

3. I believe the technical descriptions related to IP addresses presented in this

declaration are generally known to computer scientists and to others familiar with the operations

of the Internet.

4. Below I will outline the technical issues of how IP addresses work, what role they

serve and what they can and cannot definitely reveal by themselves. Based on this information

and the affidavit presented to the Court in support of the search warrant at issue in this case, I

conclude that the Court was not provided with sufficient evidence linking the IP address alleged

to have accessed the ReadyOps system with Ms. Jones’ home. As a result, the affidavit lacked

necessary information to support the issuance of a search warrant for Ms. Jones’ home. Further,

the raid itself appears not to have searched a device -- the router -- that would be most likely to

contain evidence linking the IP address named in the affidavit with a particular device. This

omission is strange, and seems potentially consistent with plaintiff’s assertion that the raid was

retaliatory.

Definition, Purpose and Use of IP Addresses

5. The Internet allows any user connected to it to send, receive, and request all types

of information, including sending communications, watching videos, and surfing websites. To

ensure this information is routed to where it's requested, the Internet relies on a series of

standards, called protocols.

6. One foundational protocol is called the Internet Protocol (IP). As the name

suggests, the protocol standardizes how traffic can reliably traverse distinct networks. This is

accomplished through the use and distribution of IP addresses.

2
 7. An IP address is a string of numbers used to identify a specific public facing

endpoint connection to the Internet and to route traffic to it, from anywhere in the world. The

simplicity of IP addresses is in part what makes it possible for devices on the Internet to quickly

route traffic around the world.

8. IP addresses were designed to allow machines to identify one another on the

Internet for the sake of exchanging information. They were not designed to identify any

individual using the Internet or to identify the exact physical location of any person using the

Internet.

9. Public-facing IP addresses are allocated to geographical regions throughout the

world in large, consecutive blocks. The IP addresses are eventually allocated to Internet Service

Providers (ISPs), which then further delegate the addresses under their control to consumers,

businesses, and other ISPs.

10. There are different versions of IP addresses used on the Internet. Older versions,

known as IPv4, are more scarce and as a result, require multiple devices on a local network to

share a single public IP address. A newer version, known as IPv6, allows for exponentially more

IP addresses. As a result, ISPs often allocate large blocks of IPv6 addresses to a given Internet

account, which allows each device on a local network to connect to the Internet using a separate

public address.

11. The affidavit in support of a search warrant for Jones’s house specified that the IP

address connected to her account uses IPv6. As a result, the rest of the information I cover will

pertains specifically to IPv6.

12. When a consumer connects to the Internet through their ISP, the ISP issues a

portion of its allocated public-facing IP addresses to the customer’s account. This portion of IP

3
addresses is often called a “block,” and typically has a common prefix, so that all of a customer’s

IP addresses start with the same few numbers. That customer then uses a router to manage the

connections of devices using their Internet account. The router and the devices connected to it

comprise a local area network (LAN). Importantly, every device that connects to the Internet

through the subscriber’s LAN will use an IP address from the block allocated to the subscriber.

13. An ISP will usually know which IP addresses it has allocated to a particular

subscriber at a given time. But generally the ISP does not know which individuals or devices are

connected to the subscriber’s local network. As a result, on its own, an IP address cannot be used

to identify a particular device or person.

14. Additionally, ISPs can sometimes change which IP address blocks are assigned to

a given customer’s Internet account, meaning that IP addresses used by one customer this week

may be used by a different customer next week. Both ISPs and consumer routers can be

configured to re-allocate IP addresses on a regular basis, so even a device that stays connected to

the same network for a long time may change IP addresses often. For this reason, any records of

IP address assignment by an ISP must be considered with respect to time of and duration of

assignment.

15. Further, any device able to connect to the Internet may do so through different

networks at different times, and thus use different IP addresses. This often occurs over the course

of a single day: a person using a mobile phone may connect to the Internet via their home

network in the morning, use a mobile network as they commute into work, and then use their

employer’s network throughout the day. Each time the device connects to a different network, it

receives a different IP address.

4
Limitations of Law Enforcement Using IP Addresses to Identify Internet Users

16. In summary: it is wrong to assume that the subscriber paying an ISP for access to

the Internet is responsible for any or all activity occurring over the IP address linked to their

account. Making the leap to accuse an account holder of illegal activity, without additional

information or investigation, is analogous to assuming that the person who pays the phone bill is

responsible for every call made from a home telephone.

17. Here’s why: there is no central map or phone book that connects IP addresses to

particular locations or to particular Internet users. Some data brokers claim to be able to associate

public-facing IP addresses with specific devices or identities, but their services are imprecise and

prone to errors. My organization has written a white paper, titled Unreliable Informants, on this

and similar problems.2

18. Public-facing IP addresses are allocated by ISPs to their subscribers, and ISPs

may keep records that link a set of IP addresses to an individual customer. However, each

customer may share their connection with dozens of different devices on their local network. As

a result, residential ISPs rarely know for sure who is using a particular IP address at a given time.

19. Operators of local networks often do not monitor, much less control, the Internet

activities of devices that use their connection. It is common for a local network to be shared by

not only family or friends, but also complete strangers. For example, companies and individuals

often operate open wireless networks out of their homes, cafés, public libraries, and businesses.

An open network may be used by anyone in range for any purpose, often without the network

operator’s knowledge. During the pandemic, many users opened up their WiFi networks in order

to provide aid to their neighbors.

2
See n.1, supra.

5
 20. It is sometimes possible to connect specific devices on a local network to

particular activity observed on the Internet. But making that further connection typically requires

knowing much more about the local network using a particular IP address and the router

managing that connection. One cannot use subscriber information alone to connect activity

associated with an IP address to a real person.

21. This is because some routers are configured to record a unique identifier, known

as a Media Access Control (MAC) address, for each device that connects to them. A router may

store a timestamped log of the association of IPv6 addresses with the MAC addresses of specific

devices. While not an infallible source of truth, such records could provide insight into the

likelihood of certain traffic originating from a specific device. This kind of historical record is

usually not available to the ISP, and can only be seen by those with access to the router.

Furthermore, in order to identify which devices correspond to which MAC addresses, it is often

necessary to have access to the devices themselves.

Use of IP Address Evidence In Support of Search Warrant of Rebekah Jones’ Home

22. To summarize: there are many reasons why relying solely on an IP address to link

an individual to a crime, without any additional investigation, is irresponsible and threatens the

civil liberties of innocent people. Here, the search warrant affidavit does not describe how the IP

address which accessed the ReadyOp system was linked with Rebekah Jones’s account, leaving

the Court without enough information to determine that the link was sufficiently strong to justify

issuance of a search warrant.

23. As I described above, IP addresses associated with customers’ accounts can

change over time, such that an IP address used by one customer may later be used by another.

That’s why law enforcement investigating crimes online often try to obtain records from ISPs

6
that connect a public IP address to a particular account at a particular time. The Affidavit makes

no mention of any assistance by the ISP.

24. To connect an IP address with a subscriber, police usually send subpoenas or

other legal process to ISPs for records that can authenticate these links, including seeking records

showing that a particular IP address was assigned to a specific customer at the exact time the

activity being investigated occurred.

25. Based on my review of the affidavit filed in support of the warrant to search

Rebekah Jones’ home, there is no assertion that law enforcement sought or obtained these types

of records connecting the IP address to Ms. Jones’ Comcast Internet service account, via a

subpoena or other legal process.

26. The affidavit states only that the affiant used “investigative resources” to

determine that the IP address that connected to the ReadyOp system “resolved” to Ms. Jones’

Comcast account. The affidavit provides no further details as to how the affiant made this

connection.

27. Based on my own experience and knowledge of IP addresses, I do not know how

law enforcement could link an IP address to a particular ISP customer without either (a)

obtaining records from the ISP via legal process as described above or (b) having direct access to

the records created by the ISP that record which of its customers are using a particular IP address

at any given time.

28. Even assuming law enforcement was able to link the IP address used to access the

ReadyOp system to Rebekah Jones’ Comcast account, the affidavit provides no further

information about whether law enforcement did anything more to attempt to identify the device

or individual that accessed the ReadyOp system.

7
 29. As I stated above, multiple people and devices can connect to the Internet via a

single residential Internet account. Further, many residential Internet users provide WiFi access

to guests, neighbors, and others. Some residents even provide open WiFi access, meaning no

password is required to access the Internet via their residential network. From the ISP’s

perspective, all the activity from any devices connected to an open WiFi network will appear to

be associated with a single customer’s account.

30. Additionally, I know that the operator of a local network may run a service which

causes Internet traffic from other sources to appear to originate from their own IP addresses. For

example, Tor is an anonymizing service designed to protect individual privacy that masks the IP

addresses of its users and then routes traffic through “exit nodes” operated by volunteers.

31. Tor and its volunteer exit node operators provide an important public service for

political dissidents, activists, or anyone who wants to browse the web anonymously. An exit

node is the last computer that anonymized Tor traffic goes through before reaching its final

destination. A key feature of Tor is that the individuals operating its exit nodes have no control

of the Internet activity coming through the relays, and no knowledge of its source. Internet

activity coming through a Tor exit relay appears to have originated from the IP address

associated with the exit relay, even though by design that is not the case. A list of the IP

addresses of Tor exit nodes is publicly available online, and investigators should always check to

make sure that traffic which appears to be coming from a particular Internet subscriber is not

actually being redirected through a Tor exit node.

32. In light of what I described above, the search warrant affidavit fails to

demonstrate that the IP address was properly connected to Ms. Jones sufficient to justify a search

warrant. As I note, it is possible that someone other than those in the Jones household could

8
have connected to the Internet through the Joneses’ Comcast account and accessed the ReadyOp

system. This could include a friend, neighbor, a former work colleague, or anyone else who was

able to obtain the password and who was close enough to the home to connect to its WiFi

network. And if Ms. Jones provided open WiFi access to her Internet service, anyone nearby

could have used her connection to access the Internet and ReadyOp.

33. The affidavit does not indicate whether police took any steps to determine

whether Ms. Jones’s local network had any of these characteristics prior to seeking authorization

to search her home and seize her property. Without taking those additional steps or conducting

further investigation, it is difficult for anyone to know to a degree of certainty sufficient to justify

a search warrant, who may have used the network to connect to the ReadyOp system.

Law Enforcement Overlook Key Digital Evidence During Search Warrant Execution

34. In summary: Even assuming there was a sufficient factual basis to support the

search warrant, law enforcement did not appear to search or seize Ms. Jones’ router during the

raid, which could contain evidence key to establishing a connection between the IP address

logged by the ReadyOp system and a specific device.

35. As I stated above, even if someone did use Ms. Jones’ network to access the

ReadyOp system, that does not mean that a member of the Jones household, or even anyone they

knew, was necessarily responsible for the activity. The affidavit supporting a search warrant

reflects this possibility, and requested the Court’s permission to seize “Computer software,

hardware or digital contents related to the sharing of Internet access over wired or wireless

networks allowing multiple persons to appear on the Internet from the same IP address.”

36. Based on my review of the inventory returned to Ms. Jones after execution of the

search warrant, however, it appears that law enforcement did not seize the router or modem that

9
facilitated the home’s Internet access. Public reporting also confirms that police did not seize the

router or modem.

37. In my opinion, without searching the router, it is difficult to see how officials will

produce evidence establishing that a particular device used Jones’ home Internet connection to

access the ReadyOp system, much less that the device was used by a particular individual in

Jones’s home.

38. In order to link the IP address associated with Ms. Jones’ Comcast account to a

particular device, law enforcement would need to determine which specific device was

connected to Ms. Jones’ network and was using the account’s IP address to access the ReadyOp

system. The affidavit does not contain any information about what kind of device was used for

that access. As I explained previously, routers are sometimes configured to keep logs of the

particular devices that use the router to access the Internet by recording each device’s unique

MAC address and other details, including the specific times the device accessed the network to

get to the Internet. Therefore, I believe the router is the device most likely to contain evidence

linking a particular IP address to a particular device at a specific time. Importantly, it is also the

most likely piece of hardware to contain evidence that a particular device was not assigned a

particular IP address at a specific time.

39. Law enforcement neglected to seize the one device that would most likely identify

a culprit, whether a member of Ms. Jones' household or otherwise, in favor of only Jones'

personal computing devices. In my opinion, this calls into question whether or not officials

considered the possibility that someone outside the Jones household accessed the ReadyOp

system.

10
 40. As I explained, it’s likely that many different devices had access to Jones’ Internet

connection. It’s also possible that the Joneses shared their connection via an “open” network

with anyone who might have been nearby. Although these possibilities were considered in the

affidavit, I do not believe the execution of the warrant bore that consideration out.

41. Under penalties of perjury, I declare that I have read the foregoing document and

that the facts stated in it are true to the best of my knowledge and belief.

Executed on this 22nd day of December 2020 at Plattsburgh, New York.

__________________________
Bennett Cyphers

11