Professional Documents
Culture Documents
Rebekah Jones Motion Return Property
Rebekah Jones Motion Return Property
Rebekah Jones Motion Return Property
REBEKAH JONES,
Plaintiff,
Defendants.
________________________________________/
moves for an Order compelling Defendant Rick Swearingen, in his official capacity,
to return all property seized by his agents pursuant to a search warrant on December
7, 2020 and to erase or otherwise destroy any copies already made. The specific
items at issue are those listed in the inventory attached to the search warrant. In the
event this case is removed to federal court, this motion is brought pursuant to
Fed.R.Crim.P. 41(g).
December 20, 2020, FDLE agents raided Plaintiff’s home pursuant to a search
warrant, on the strength of a claim that she had sent an anonymous message to a
Department of Health (DOH) message board to which she was not allowed access.
FDLE alleged this to be an unlawful intrusion into the DOH computer system
pursuant to § 815.06(2)(a), Florida Statutes. Plaintiff is not the one who wrote or
sent the message. She never saw it until FDLE came banging on her door. But that
is not the basis for this motion. The basis for this motion is twofold: first, the act
alleged against Plaintiff is not even theoretically a crime and thus could not support
a search warrant against anybody; and second, no probable cause was shown
MEMORANDUM OF LAW
pertinent part, “If it appears to the judge before whom the warrant is returned that
the property or papers taken are not the same as that described in the warrant, or
that there is no probable cause for believing the existence of the grounds upon
which the warrant was issued, or if it appears to the judge before whom any
property is returned that the property was secured by an ‘unreasonable’ search, the
judge may order a return of the property taken . . .[excepting certain articles of
contraband not relevant here].” Emphasis added. The instant warrant lacks both the
2
commission of a crime and any cognizable link between Plaintiff and the subject
transmission.
communications. The property is not the fruit of any possible criminal activity. It is
not being held as evidence of any crime. Bolden v. State, 875 So.2d 780, 783 (Fla.
2d DCA 2004). This is so because the crime alleged is not a crime at all and there
is no probable cause linking Plaintiff to the alleged activity. Where the State is
“unable to connect the items to specific criminal activity, and no one else can be
should be returned.” Id., quoting, Stone v. State, 630 So.2d 660, 661 (Fla. 2d DCA
1994).
provides,
3
Emphasis added. FDLE Special Agent Noel Pratts, who drafted the affidavit
(Exhibit 1, hereto) supporting the search warrant and who drafted the search warrant
(Exhibit 2, hereto) that Judge Joshua Hawkes signed, provided no evidence that
access was unauthorized for Plaintiff or any other person in the world. The closest
Special Agent Pratts ever came to supporting his claim that whoever sent the subject
of FDOH but are employees of other government agencies. Once they are no longer
associated with ESF8, they are no longer authorized to access the multi-user group.”
Ex. 1, at p. 3. No source is cited for this ipse dixit. Nor does S.A. Pratts offer any
explanation of why his word alone on what online sectors of the DOH website are
restricted is sufficient evidence to support a search warrant. DOH has many a policy,
but nothing presented in the probable-cause affidavit designates any rule, policy, or
classification that made this emergency alert system restricted in any way. There is
certain users, or restricted in any way. S.A. Pratts cites nothing but his own
unsupported belief that the message to this site was unauthorized and thus a crime.
The public website, taken down in the wake of publicity about this search, contains
no warning of any kind to the universe of users to whom it provides the user ID and
4
There is no evidence that the site was restricted or “members only.” There is
much evidence to the contrary. In the wake of the publicity resulting from the
service of the search warrant at issue, computer enthusiasts around the nation took
an interest in the site at issue. A report from a technology news site, Ars Technica,
said that readers of Reddit discovered that the Department of Health’s private
messaging system that Jones allegedly accessed had published the email address and
password and posted it in at least seven .pdf files that were widely available on the
internet to anyone who had the address.1 Following FDLE’s raid on Plaintiff’s home
on December 7, 2020, and the Ars Technica report on December 9, 2020, the Miami
Herald found the user name and password still available on the DOH website on the
evening of December 9, 2020, but gone by December 11, 2020.2 Florida Today, in
an article of December 10, 2020, reported that, as of that very morning, the username
and password for the system were on a document that was publicly available on a
Department of Health site.3 The fact that DOH made the site available to anyone in
the world who had an electronic device with internet access, and that DOH did
nothing to restrict access to the site or declare it to be of limited access, is the same
1
COVID data manager investigated, raided for using publicly available password |
Ars Technica
2
DeSantis defends handling of whistle blower search warrant | Miami Herald
(archive.is)
3
Evidence to justify raid on home of Rebekah Jones weak, experts say
(floridatoday.com)
5
as an open invitation for anyone in the world to access and contribute to the site.
Under these circumstances, no reasonable officer would regard accessing the site to
be a crime under § 815.06(2)(a), Florida Statutes, which makes such access a crime
by a user only if, “he or she willfully, knowingly, and without authorization: (a)
There is no possibility that access could be unauthorized when the DOH website, in
seven places, describes how anyone can access the site with no indication that access
is restricted in any way. An unredacted copy of one of the seven instances where
the access credentials were published online by DOH was downloaded before it shut
It is not even theoretically possible that whoever sent the message committed
a crime, so there is no possibility that a legitimate search warrant could issue to find
out whether Plaintiff sent the message. Accordingly, the search warrant was
obtained in bad faith and with no legitimate object or purpose. The search warrant
was never valid and would never have been signed if a fair presentation of the facts
had been given to Judge Joshua Hawkes, who signed the warrant.
DOH or FDLE may come up with some policy or designation of the site as
confidential, but that will not alter the fact that nothing of the sort was presented to
Judge Hawkes at the time of the signing of the warrant. Nor will it alter the fact that
6
any such hidden policy was not available to anyone relying on the contrary message
to be derived from placing the user name and password in seven places on a public
Chapter 119, Florida Statutes, unless some public records exception is expressly
stated.
A material omission voids a search warrant in the same way that a material
falsehood does. See State v. Van Pieterson, 550 So.2d 1162, 1164 (Fla. 1st DCA
1989) (stating an omission is material “if a substantial possibility exists that the
determination”); see also, Sotolongo v. State, 530 So.2d 514, 516 (Fla. 2d DCA
1988) (same, noting that it does not matter if the omission was intentional or in “good
faith”). In such instance, a law enforcement officer cannot in good faith rely upon a
warrant because probable cause is lacking. See Thorp v. State, 777 So.2d 385, 393
n. 11 (Fla. 2000) (there is no “good faith exception to an invalid search warrant” that
was “based on a misleading or false affidavit”); see also, Sotolongo, 530 So.2d at
516 (same, citing Franks v. Delaware, 438 U.S. 154 (1978)). FDLE omitted all facts
concerning DOH placing the user ID and password for the message board in seven
public places on its website. FDLE also omitted the lack of any warning or other
indication that the site in question was restricted in any way or to any class of
potential users. Had these disclosures been made, the search warrant would never
7
have been issued by any reasonable judge nor sought by any reasonable law
enforcement officer.
In U.S. v. Stanert, 762 F.2d 775, 778 (9th Cir.1985), the court applied the
rationale of the landmark case, Franks v. Delaware, 438 U.S. 154 (1978), to hold
facts required to prevent technically true statements in the affidavit from being
misleading.” Stanert, 762 F.2d at 781 (noting that “[b]y reporting less than the total
story, an affiant can manipulate the inferences a magistrate will draw. To allow a
requirement of all real meaning.”) In addition, the accused must show that the
“affidavit, once corrected and supplemented,” would not “provide ... a substantial
basis for concluding that probable cause existed” to search defendant's residence.
Id., at 782. That is an easy showing in this case. Had the signing judge known of
DOH’s open invitation to its message board and the absence of any admonitory
language restricting access, the warrant would never have been signed. See
Strickland v. City of Dothan, 399 F. Supp. 2d 1275, 40 (M.D. Ala. 2005) (“No officer
‘reasonably could have believed that probable cause existed, in light of the
information the officer possessed.’”); see also, James v. City of Birmingham, 926 F.
Supp. 2d 1260, 1270 (N.D. Ala. 2013) (“The court finds that a reasonable officer
8
would not believe there was probable cause in such a situation” regardless of the
Moreover, the warrant and its supporting affidavit allege that Plaintiff used her
own computer in her own home to access the DOH emergency message board.
Under the controlling law in this district, Crapps v. State of Florida, 180 So. 3d 1125
(Fla. 1st DCA 2015), there is no crime unless the accused accesses “tangible devices,
not the data and other information located on the device. Thus, to prove a violation
of section § 815.06(1)(a), the State must establish that the defendant accessed one of
the listed tangible devices without authorization, not that the defendant accessed a
citing, Rodriguez v. State, 956 So.2d 1226, 1230 (Fla. 4th DCA 2007). FDLE alleges
the Plaintiff used her own computer from her own home, not that she gained
S.A. Pratts swears in his affidavit that through “the use of investigative
resources your Affiant determined that the IPv6 address 21601:4c1: 4000:3a80:286e
9
Governor Ron DeSantis said later at a press conference that FDLE issued a
subpoena to Comcast, but there is no evidence of that. It is certainly outside the four
corners of Pratts’ affidavit. The “investigative resources” could have been anything.
The judge who signed the warrant could not have known what the “investigative
resources” were or how reliable they might be. It is unlikely it was a confirmation
from Comcast. If the connection between the offending message and Rebekah Jones
were a subpoena to Comcast, that is too strong a proof to leave out. The mere fact of
Pratts being evasive and cagey about the “investigative resources” is evidence that
it was something weak. Whatever was not presented to the judge cannot be used
nexus between Rebekah Jones and the IP address in question, that would still be
insufficient basis to establish probable cause, as shown in what has become the
leading case, In re BitTorrent Adult Film Copyright Infringement Cases, 296 F.R.D.
80 (E.D.N.Y. 2012), which has, to date, been cited 2315 times, according to a
10
the subscriber, a member of his or her family, an employee, invitee,
neighbor or interloper.
Id. at 85. Because the affidavit does not say the IP link came from the ISP, Comcast,
one must assume, for probable cause purposes, that it did not. But even if this
established a nexus between a router in Plaintiff’s home and the message at issue,
the message could have been sent by a neighbor, or even a stranger parked on the
addresses identified in several copyright infringement lawsuits, the court held that
“the assumption that the person who pays for Internet access at a given location is
the same individual who allegedly downloaded a single sexually explicit film is
tenuous, and one that has grown more so over time.” Id. at 84. The BitTorrent court
single pornographic film—than to say an individual who pays the telephone bill
All the BitTorrent themes are developed at length in the attached expert
11
specifically for this case and details the relevant science and the history of that
science and applies it to the particular situation of the search and seizure at issue in
this case. In addition to the points developed in BitTorrent and its prodigy, Cyphers’
declaration explores at length the failure of FDLE to seize the router from Plaintiff’s
home – the single piece of equipment that would have helped most in accomplishing
the stated mission of establishing whether Plaintiff sent the disputed message to the
DOH message board. By leaving behind both router and modem, FDLE sends the
message that it is less interested in finding a message to the DOH message board
than in finding the confidential sources feeding information to Rebekah Jones about
the misconduct of the DeSantis regime in its handling of the worst public health
Professor Charles Ehrhardt, the legendary evidence expert at the Florida State
University College of Law, has told his students for 50 years that police can’t search
even more stringent where the things to be seized have the presumptive protection
12
of the First Amendment.’” State v. Johnson, 605 So.2d 545, 548 (Fla. 2d DCA 1992)
(cleaned up), quoting, United States v. Torch, 609 F.2d 1088, 1089 (4th Cir.1979),
cert. denied, 446 U.S. 957 (1980). The warrant issued in the instant case was not
limited to evidence of transmission of the disputed message (the router) but was
unreasonable. This is precisely the situation against which the Fourth Amendment
was intended to protect. See Lo-Ji Sales, Inc. v. New York, 442 U.S. 319, 328 (1979)
(stating the courts “will scrutinize” the untargeted seizure of First Amendment
protected materials); see also, United States v. Medlin, 842 F.2d 1194, 1199 (10th
Cir.1988) (“When law enforcement officers grossly exceed the scope of a search
evidence seized under that warrant.”). Execution of the warrant resulted in a prior
697 (1931).
Plaintiff submits this motion on the premise that § 933.14, Florida Statutes, is
an adequate remedy at law and is, in itself, a proper vehicle for all the relief sought
in this motion. If, however, that premise is incorrect, Plaintiff respectfully petitions
13
this Court for an injunction granting all the relief specified above and states:
demonstration, supra, that there was no crime committed, that the nexus between
Plaintiff and the alleged criminal act is not shown; and that, in any event, the warrant
confidential sources and attorney/client privileged material and deprives her of her
Burns, 427 U.S. 347, 373 (1976) (the loss of First Amendment rights, even for
4. The relief sought is consistent with the public interest. The public has
an interest in free speech and in preserving the right of the people to be secure in
their person, papers, and property. See League of Women Voters of Florida v.
Browning, 863 F.Supp. 1155, 1167 (N.D. Fla. 2012) (vindication of constitutional
14
WHEREFORE, Plaintiff requests the following relief:
15
Respectfully submitted this 23d day of December 2020,
Lawrence G. Walters
Florida Bar No. 776599
195 W. Pine Ave.
Longwood, FL 32750
407-975-9150
larry@firstamendment.com
Lisa C. Lambert
Florida Bar No. 495298
245 N. Highland Avenue NE
Suite 230-139
Atlanta, GA 30307-1936
404-556-8759
lisa@civil-rights.attorney
16
CERTIFICATE OF SERVICE
I HEREBY CERTIFY that I have served a true and correct copy of the foregoing to
2020.
/s/Richard E. Johnson
Richard E. Johnson
17
Exhibit 1
ID#: 2174
COMES NOW, the Affiant, Noel Pratts, a Special! Agent of the Florida
Department of Law Enforcement, who personally appeared before a sworn
officer, ma.k.es this affidavit, which has been submiitted to the Court. The Affi.ant
swears under oath that he has probable cause to lbeliev,e, that cert:aii11 l aws are
being violated in or about a certain p:rem ises and the curtilage thereof and that
eViidence of the violat!on of certain laws 1in the form of computer equipment and
data, or p.rinted or written documents and other rellated items described herein,
are being kept in or about certa·11 premi1ses and the cuirtilage· thereof, in LEON
County, Florida, being known and described as follows :
2451 Centerville Road , travel l,eff/north onto Centerville Rd., for approximately
0 .1 miles, then tum right onto Centerville Ct. approximately 0.3 Miles. The
premises will be o:n the left/no.rth side of Centerville Ct approximately 354ft fmm
1
Cente.rvllle Road.
home. The residence ha.s off-whi e· siding with red brick accent around tile green
door. The number 2540 is clearly displayed on ttle condomlnilum near the front
door of the residence.
The, Premises and the curtllage ~hereof are being used for the purpose of storing
compu er 0 1r electronic devices 1 re'lating to the unauthoriiLz,ed access of a
compute:r, computer system. compw:er network, or electronic devioe. Accesses
or ,c auses to be accessed any ,computer. computer system, computer network., or
electronic device with !k nowledge that such access is unauthoirized. in violation of
section 815.06(2}(a), Flo.rida Statutes, and contains ,evidence of, or evidence
rielevant to pmving, the refer,enced felony has been, o:r is being committed.
INVESTIGATOR BACKGROUND
Your Affiant, Noell Pratts is a Special! Agent (SA) with the floriioa ·D epartment of
Law Enforcement (FDLIE), ass.igned to, the Tallahassee Regional Operations
Center, (TROC) Cyber Hligh/T,ech Cnimes Squad and has been a .l aw
enfor-cement officer for the past 1S. years.. Your Affiant na_s .approximately 13
years of experience iin criminal investigations.. Your affiant is a Certiliied Cyber
Orlme:s Investigator by The National White-Collar Crime Center Board o,f
Diirectors and has successfully completed numerous hours of training specific to
cyberictimes to include the FBl's Cyber Intrusions, FBl's Exploiting Network
CommunicaUons, NW3C Basic Network Intrusion Investigations, SANS
Introduction to .lnformafiion Security, Comp TIA. Network+,. and several others.
Your affiant m s a memlber of the Federalll Burem.J Investigation (FBI) Cyber Task
Force. This Task Force ·s comprised of federal and state law ,e nforcement
agencies engaged in ~he investigation of computer related crimes invollving cyber
intrusion. As a Special Agent ~tlh fl)LE. your affiant is au~horized to invesfg.ate
rida, specifically any and all crimes involving
all criminal! mauers in the state of Flo1
computers.
Based on .all the above described tira.iningi and ·experience, and the investigative
facts .and activity se-t forth herein, your affi.ant has developed probable cause to
2
ID#: 2174
belllieve and doe.s believe that ~he crimes described hereiin are rnr were being
committed at or within the Premises. or ,evidence of the satd crimes is conmined
with·n the herein descdbed account at the Premises. The following facts suppo:rt
your Affiant's probable cause::
CURRENT INVESTIGATION:
On Nov,embe:r 10, 2020, Speciall Ag,ent (SA) Noe,I Pratt.s spok•e to Derrick Smith
from, the Bureau of Preparedness and Response w·t:i, the Flor,id.a Department of
Health (FDOH) via telephone and he adv,ised that FDOH utiHzes a customamade
communicaUons application for IEmerg:ency Management designed by ReadlyOP.
iFDOH has several groups within ReadyOp's application platform, one of which iis
StateESFS.Planniing. ESF8 iis Florida1s Emergency Suppo.rt Function for P'ubHc
1-tiealth and Medical with which the,y coordinate the state's health and medical
resources. -capa'bi1
lities, and capacities. They also pmvide ~he me.ans for a pub :ic
health response, triage, trea·;ment,. and transportation. The group,
StateESF8.Planniing is utilized by multiple users, some of whi:ch are not
employees of FOOH but are employees ,of other government agencie·s. Once
they are no longer associated with ESFS, they are no ,l!onger authorized to access
the multi-user group,.
All users assigned to StateESF8.Planning group share the· same usemame and
passwoird. SA Pratts reQuested .and received a copy of the ·teohnicall logs
oontain1iing the Internet Protocol ( P) address for users accessing the ReadyOp
web~based platfoirm for the multi~use1 r State.ESF8 .Plliann ·ng.
3
ID#: 2174
.An open--source search through WHOIS IP lookup revealed the IPv6 address is
under the control and domain of Comcast Cable Communications.
Thr-ough the use of investigative resouroes your Affiant. determined that the IPv6
address 2601 :4c1 :4000:3a80:28'6e:3dd 1:.Jcd:5,c4a resolved to Comcast
1
Your Affiant knows from training and experience th at d r:gita I evide nee is not
limltedl to computers. Your Affiant has been involved in numerous cases where
persons can access the lnteme·t , st:01 r-e data and ,communicate wUh other
indivi:duals with the same, 1interests using digital communications devices to
indude oellullar telephones, emaiil devioes and personal digita assistants among
several others. These devices are frequently found to contain chat
oornmunica ions in the form of short message service (SMS) messages., texts. or
email as well as e11abl1
iing Internet access and digital eel ular network access.
Your Affiiant 'knows from training and experience that persons using computers
for criminal purposes will frequently transfer data to o~her dig1ital media storage
devices. Digital storage•med a may include lbut is not Hmited to fl.oppy disks, hard
drives, tapes,, 1 DVD disks, GD-ROM diisks or other magne ic1 opti:cal or
mechanica storage which can be acoessed by computers or other electronic
devices to store or retrieve data, which can store the equivalent of thousands of
pages of information. Users may store i11formation in random order with
deceptive fi!le· names, which requ ires searching aut1horiUes to examine a.II the
stored daffl to detenni11e whether it is included in the warrant This sorting
process renders it limpractJical to attempt this kind of data search on sit,e.
Your Affiant knows ·from training and experience that searching digital evidence
systems for criminal evidence requires experience in the oomputer and ce lular
telephone field and a properly contra lledl environ me11t in order to protect the
integrity of the evidence and reoover even ''hidden", erased, compressed,
password-protected,, or encrypted files. Since digiital evidence is extremelly
vulnerable to tampering or destruction ,(both hum external sources or fir-om
destructive· oode imbedded in ·~he system, known as a "'booby trap"), a controlled
environment is essential to its complete and accurate anallysis.
Your Affia.nt lknows from training and experiences that computers and other
dig1ital oommunications devices oontain volatil!e memory that contains information
only whil,e the deviice iis in a powered on and/or rur11ning1state. Your Affiiant knows
1
4
ID#: 2174
that poweriing off ~he device may r,esulrt in the loss of the volatile information. Your
Affiant also knows that adding an extemal ,evi'denoo storage device w11IIII cause
minor changes to the s.tate of the· computer but willll allow for the best ,effort in fully
capturing the state of the running evidence.. Your Affiant rknows that this capture
of information requi res technical expertise to ,ensuire the resulting data can be
examined by all subsequelillt investigators.. Your Affiia nt knows that th is captured
information may include current and recent use of the computer, use of
encryption, use of othe:r communications devices. routes of Inter-net traffic and
other digital communications traffic and passwords, encryption keys or other
dynamic detam ls relevant to use of the system.
Your Affiirant knows from trai,rfng and experience that n order to ful~y retrieve data
from a com purer or other digital ,communications system, the analyst needs all
magnetic storage media as wellil as the storage devices. In addition.,. the analyst
needs all the system software {operating systems or interfaces, and 'hardware
access software or drivers) and any applications software which may have been
used to create the data ,(whether stored on hard drives or on external media) as
well as documentation, Items conaining1or displayling passwords, access c-odes,
usemames or ,other identifiers neoessary to examine or operate items, software
or information seized or to activate specific equipment or software.
Your Afflant knows from b':aining and experience that digital software or hardware
exists that allows persons to share digital access ov:er wired orwiir-ele·ss. networks
aHm6Jfing mulitiple persons to appear on the Internet from the same IP address.
Examination of these items can r,eveal information about the authorized or
unauthorized use of Internet connection at the residence.
Your Amant knows from training and experience that computers or other dig1 ital
devices used to aocess the !Internet usually •contain fil,es., logs or file remnants
which would tend to show ownership and use of the de,v:ioe as weH as. ownership
and use of Internet service accounts used fo:r the l nt,ernet 01r cellular data network
acce·ss.
Your Affiant knows from training and experience that digita · ,crime scenes usualllly
include items o,r di.gital information that would tend to es,tabli:sh ownership or use
1
of digital devices and !Internet access equipment and ownership or use of any
!Internet service or digirtall oellular service accounts to participate in the exchange,
receipt. possession, collection or distribution of data..
Your Affiant knows from training1 and experience that search warrants of
residences involved in computer Olli digitally related ciriminal actiM ty usually
produce· · ·ems that tend to estab:lish ownership or use of d gltal devices and
ownership• or use o,f any ~ntemet service accounts accessed to further their
criminal behavior to indiude credit card bills, telep,hone bills, oo,rrespondence and
other identification documents.
5
ID#: 2174
Your Affiant knows from trai111ii:ng and experii:ence that search wartants of
residence:S usually revea~ items that ten:d to show dominion and control of the
property searched, to include utility ibiilllls, tel:ephone bills, correspondence, r,ental
agreements. and other identification documents.
llhe above information has led yourr Affiant to beli.eve that pmbab1!e cause exists
to sear,oh for the items lis,ted bellow. llhere· is evidence of a violation of Flonda
State Statute 815.06(2){a) Offenses Against Users, of Comput,ers,. computer
system, computer networks, and electronic devices, .and a person commits an
offense against users of computers, c-omputer systems , computer networks, or
ef!ectronic de:v-ices if he or she· wi!l!lfully, knowingly, and without .authorization: {a)
Accesses or causes, to be accessed any computer, computer system, computer
network, or •electronic device with knowledge that such access 1 is unauthorized:
and this evidence 11s concealed In the 1 resid•e:nce at 2540 Centerville Ct.,
Tallahassee, Florida
Your Aff1
iant hereby requests the Court's permission to seize the following: items,
and to ,conduct an off-site search and analysis. or to del,e gate the sea1 rch and
analysis to an off~site computer forensii c .analryst, of ·t he following items 1 through
15 (hereinafter the 11Property"). which are evidence of, or evidenoe· relevant to
proving,. the felony( s), noted herein;
,,1P
__ ocketJ'
-_ _ com -)~ inte1
_ _---p ute_rs, rnal a-nd__ p~ eriipheral
____ __ storage
devices. ,( such as fixed disks, external hard disks, floppy
dis!k drives and dls.k ettes, tape drives and tapes, optical
sto1rage devices, and other electrome media devl ces). 1
6
ID#: 2174
11 FHes and data on the •c omputer that show the s.u spect's
ownershiip , possession and control at time ·o f the offense.
12 Any and al'I so,f tware that may be utilized to create, receiv,e,
distributet store,. or· modify the ,ev;idence soug,h t and an
software that may· be used to communicate or store onliine
communie;ations.
7
ID#: 2174
Your Affiant is aware that the recovery of data by a computer for,ensfc analyst
takes significant time, and much in the way recovery of nair:oo,tics must later be
·forensically e,valuated in a lab, digital ,evidence will also unde.rgo a similar
process. For th·s reason 1 the "return" inventory will contain a list of only the
tangible items recovered from "the Premises~. Un less otherwise oirdered by the·
1
Court, the return wiJI not include, evidence later examined by a forensic analyst
WHEREFORE, affiant makes this .affidavit and prays for the· issuance of a SeafCih
Warrant in due form of law commandjng the Executive 1 0irector of the Florida
Department o,f Law Enforcement 1 or any of hiis duly constituted Special Agentst
and ~he S~eriff of LEON County, or any of hi,s duly constituted depuies, including
Jorensic computer analyst experts, to search the above de,scribed "Premises" and
the curtiila,g,e thereof, and! .any vehicles thereon , or persons lfocated wUlhin the
"Premises" and the curtil age reasonab ly believed lo be connected with said
1
illegal! actlivity, for the said "P:roperty" heretofore dlescnibed, and to search said
".Property'' described above and to saize and safely keep same, either in the
dayt"me or in the nighttime, o:r on Sunday, as the ex:i:g,encies of the occasion may
demand , in order that the evidence may be procured to be used in the
prosecution of such person or persons who have unlawfully used, possessed, or
are us1ing or possessing1the s m · , . violation o.f the ·1aws of the State of Florida.
:y~reme~5~
~ c e:r
day of . Ulro,...., br,c . 2020.
x1 Personally Known
~ - Produced identificatiion
-Type:
8
Exhibit 2
Exhibit 3
56789
89ÿ
89986ÿ8
ÿ5ÿ89
ÿ
ÿ
ÿ"#ÿ$%%&&ÿ'()*ÿ#%+ÿ%,%ÿ+ÿ$ÿ#,+-ÿ,%#",%+-ÿÿ
%&$+-ÿ%.ÿ,$+/ÿÿÿ
ÿ
19
2
8693ÿÿ456ÿ756789:;<ÿ=692>ÿ?@6;6A<;ÿ<56ÿB:A:BCBÿ@6DC:@6B6A<;ÿ32@ÿ<56ÿ?2;:<:2AEÿF2<6ÿ<5G<ÿ;2B6ÿ:<6B;ÿG@6ÿ2A6H<:B6ÿG7<:2A;Iÿ>5:96ÿ
2<56@;ÿG@6ÿ2AJ2:AJÿ2@ÿ@6?6<:<:K6ÿ<5@2CJ52C<ÿ<56ÿ:A7:L6A<EÿF2<ÿG99ÿ<G;8;ÿBGMÿG??9Mÿ<2ÿ6K6@Mÿ:A7:L6A<ÿGALÿGLL:<:2AG9ÿ<G;8;ÿBGMÿ=6ÿG;;:JA6LÿLC@:AJÿ
GAÿ:A7:L6A<Eÿ
ÿ
NOPQRQPQSTÿPVÿWSÿOVXYZSPS[ÿ \VXYZSPSÿ ]Nÿ
^_à_bÿ̀acÿd_efÿ̀ghcei`_jbikÿlce_jmÿ ÿ ÿ
0Eÿn676:K6ÿ:A:<:G9ÿ=@:63:AJÿGALÿ:BB6L:G<6ÿ?@:2@:<:6;ÿ3@2Bÿo2J:;<:7;ÿp67<:2Aÿq5:63Eÿ ÿ ÿ
4Eÿp:JAH:Ar2C<ÿG<ÿ<56ÿ=6J:AA:AJÿGALÿ6AL:AJÿ23ÿ;5:3<Eÿ ÿ ÿ
sEÿt;<G=9:;5ÿ>2@8ÿ927G<:2AÿG<ÿptuqEÿ ÿ ÿ
vEÿw@:63ÿxA:<ÿ?6@;2AA69ÿ@6JG@L:AJÿ;:<CG<:2Aÿ;<G<C;ÿGALÿ6y?67<G<:2A;Eÿ ÿ ÿ
zEÿq2ALC7<ÿtp{|ÿ}C;<H:AH<:B6ÿ<@G:A:AJÿG;ÿA66L6LEÿ ÿ ÿ
~EÿtA;C@6ÿ<5G<ÿ:;;:2AÿxA:<ÿ:;ÿB2A:<2@:AJrBGAGJ:AJÿB:;;:2A;ÿ:Aÿtÿq2A;<699G<:2Aÿ ÿ ÿ
tp{ÿ|ÿo2J:;<:7;Eÿ
Eÿq2A3:@Bÿ<5G<ÿtÿ4675A292JMÿ:A79CL:AJÿG776;;ÿ<2ÿtÿq2A;<699G<:2Aÿ:;ÿ3CA7<:2A:AJÿ ÿ ÿ
?@2?6@9MEÿ;ÿA66L6LIÿA2<:3Mÿtÿ4ÿ23ÿ72B?C<6@ÿA66L;r:;;C6;Eÿn6?2@<ÿ:;;C6;ÿ<2ÿ<56ÿ
o2J:;<:7;ÿp67<:2Aÿq5:63Eÿ
|Eÿq2A3:@Bÿ<5G<ÿ<56ÿBG:9=2y6;ÿG@6ÿ>2@8:AJÿ?@2?6@9MÿGALÿG@6ÿ=6:AJÿB2A:<2@6LEÿÿ ÿ ÿ
ÿ16
86ÿÿ3ÿÿ56789
89Eÿn6?2@<ÿ:;;C6;ÿ<2ÿ<56ÿo2J:;<:7;ÿp67<:2Aÿ
q5:63Eÿ
Eÿq2A3:@Bÿ<5G<ÿGÿB:;;:2Aÿ:;ÿ6A<6@6Lÿ:A<2ÿtÿq2A;<699G<:2AÿA2<:AJÿ<56ÿG7<:KG<:2Aÿ23ÿp<G<6ÿ ÿ ÿ
tp{|Eÿÿ
0Eÿ6K692?ÿGALÿ?@2K:L6ÿ<2ÿ<56ÿo2J:;<:7;ÿp67<:2Aÿq5:63ÿGÿ:;;:2AÿxA:<ÿp<G33:AJÿn2;<6@ÿ32@ÿGÿ ÿ ÿ
32C@<66Aÿ0vÿLGMÿG7<:KG<:2Aÿ?6@:2LEÿ
00Eÿu=<G:Aÿ<56ÿq@:<:7G9ÿn6;2C@76ÿo:;<ÿGALÿL:;<@:=C<6ÿ:<ÿ<2ÿ<56ÿ:;;:2Aÿp?67:G9:;<Eÿ ÿ ÿ
04Eÿq2A3:@Bÿ<5G<ÿ<56ÿ:;;:2AÿxA:<ÿ5G;ÿ72A<G7<ÿ:A32@BG<:2Aÿ32@ÿp<G33:AJIÿtDC:?B6A<ÿÿ ÿ ÿ
pC??9MIÿGALÿG<6@:G9;ÿxA:<;ÿ32@ÿ6G75ÿ2?6@G<:2AG9ÿ?6@:2LEÿq2A3:@Bÿ<5G<ÿ72A<G7<ÿACB=6@;ÿ
GALÿ6HBG:9;ÿG@6ÿ3CA7<:2A:AJÿ?@2?6@9MEÿÿÿ16
86ÿ96ÿ3ÿÿ
56789
89ÿ
0sEÿq2A3:@Bÿ<5G<ÿ<56ÿo2J:;<:7;ÿp67<:2Aÿq5:63ÿ5G;ÿ<56ÿB2;<ÿ7C@@6A<ÿ7<:2Aÿn6DC6;<ÿ{2@Bÿ ÿ ÿ
n{ÿ<6B?9G<6Eÿ<ÿ7GAÿ=6ÿ2=<G:A6Lÿ3@2Bÿ<56ÿ{6L6@G9ÿtp{ÿ|ÿ?2:A<ÿ23ÿ72A<G7<ÿ:Aÿ<56ÿ
ptuqEÿ
0vEÿq2A3:@Bÿ<5G<ÿ<56ÿ:;;:2AÿxA:<ÿ:;;:2Aÿp?67:G9:;<ÿ<G;8;ÿG@6ÿ?6@32@B6LÿG772@L:AJÿ<2ÿ ÿ ÿ
<56:@ÿ756789:;<ÿtp{ÿ|ÿo2J:;<:7;Eÿ
0zEÿ9GAÿ32@ÿL6B2=:9:G<:2Aÿ23ÿ;<G33ÿGALÿ@672K6@Mÿ23ÿL6?92M6LÿG;;6<;ÿGALÿ6DC:?B6A<Eÿ ÿ ÿ
0~Eÿ@2K:L6ÿC?LG<6r;5:3<ÿ@6?2@<ÿ<2ÿ2Aÿ72B:AJÿ:;;:2AÿxA:<ÿo6GL6@Eÿ ÿ ÿ
^_à_bÿjÿghcei`_jbikÿlce_jmfÿ ÿ ÿ
0Eÿn6HG;;6;;ÿ2@:J:AG9ÿ;<G33:AJÿ?9GAEÿ ÿ ÿ
4Eÿn6HG;;6;;ÿA66L;ÿ32@ÿGLL:<:2AG9ÿ>2@8ÿ;?G76Eÿÿ ÿ ÿ
iaÿghcei`_jbikÿlce_jmÿ ÿ ÿ
0Eÿp:JAH:Ar2C<ÿG<ÿ<56ÿ=6J:AA:AJÿGALÿ6AL:AJÿ23ÿ;5:3<Eÿ ÿ ÿ
4Eÿn676:K6ÿ=@:63:AJÿ3@2Bÿo2J:;<:7;ÿp67<:2Aÿq5:63Eÿ ÿ ÿ
sEÿG@<:7:?G<6ÿ:Aÿtp{|ÿGALÿtÿo2J:;<:7;ÿÿ?@276;;ÿG;ÿA66L6LEÿÿ ÿ ÿ
vEÿw@:63ÿCA:<ÿ23ÿ7C@@6A<ÿ;:<CG<:2AÿGALÿ6y?67<G<:2A;Eÿ ÿ ÿ
zEÿ;;:JAÿÿ2?6@G<:2AG9ÿ?6@:2Lÿ<G;8;ÿ<2ÿCA:<ÿ?6@;2AA69Eÿ ÿ ÿ
~Eÿq2A3:@Bÿ<5G<ÿ<56ÿ:;;:2AÿxA:<ÿ<G;8;ÿG@6ÿ?6@32@B6Lÿ@636@ÿ<2ÿ<56:@ÿ;?67:3:7ÿ756789:;<;ÿHÿ ÿ ÿ
tp{ÿ|ÿo2J:;<:7;Eÿ
Eÿ2@8ÿ>:<5ÿo2J:;<:7;ÿp67<:2Aÿq5:63ÿGALÿ9GAA:AJÿp67<:2Aÿ<2ÿC?LG<6ÿ<56ÿq@:<:7G9ÿ ÿ ÿ
n6;2C@76;ÿo:;<Eÿ
|Eÿ:;<@:=C<6ÿq@:<:7G9ÿn6;2C@76;ÿo:;<ÿ<2ÿ:;;:2A;ÿxA:<Eÿÿ ÿ ÿ
ÿ
0ÿ23ÿ4ÿ
ÿ
456787679
ÿ6ÿ
9ÿ5969ÿ 969ÿ 4ÿ
ÿ23ÿÿ2ÿÿ! "ÿ" #$% &'#$&2()#ÿÿ ÿ((2(ÿ ÿ ÿ
3 ÿ
*+ÿ,&(ÿ)ÿ#ÿ33"ÿ #ÿ23ÿ ÿ %ÿ2( 2)ÿ( 2#-.ÿ ÿ ÿ
**ÿ,&(ÿ/20ÿ33"ÿ#ÿ/20ÿ(& ÿ #ÿ10 ÿ&2 #2ÿ2ÿ ÿ ÿ ÿ
22"&ÿ3 &2ÿ3ÿÿ
*0ÿ4 5' ÿ##2)ÿ33"ÿ$ÿ# 2!)6ÿ' & 7ÿ32ÿ&ÿ2( 2)ÿ( 2#ÿ ÿ ÿ
89:;ÿ=>?:@ABACDEA:;ÿ ÿ ÿ
*ÿ2()ÿ#ÿ'!ÿF3ÿ32ÿGÿ,HFIFHJÿ2KLÿ-F3ÿ0*M.ÿN 2!)62ÿ &0G ÿ ÿ
K'ÿ-F3ÿ00*.OÿH ÿP 32& ÿQR)'2ÿF3ÿS2ÿ00MOÿF3ÿ00TÿF#R#')ÿ
P 32& ÿQR)'2ÿ-UVWQ3SÿXÿ22"&.ÿ
0ÿ23ÿ/ÿ4 2'& ÿYÿ ÿ&2R7ÿ23ÿ# ()27#ÿ( 2 )Oÿ Oÿ5'( Oÿ ÿ ÿ
#ÿ'(()ÿ
Zÿ2 #ÿQ3SXÿ22"&ÿ3 &2ÿ[2/ÿ ÿ ÿ
MÿP&(ÿÿ,3ÿ,&2ÿP2& ÿ ÿ ÿ
Tÿ4 'ÿ7ÿ5'( ÿ' #ÿ#'"ÿ&R2ÿ ÿ ÿ
\ÿQ'ÿÿY]ÿ/20(& ÿÿ&) #ÿ! 32ÿ# ('ÿ ÿ ÿ
^ÿN G&RÿYÿ( 2 )ÿ/ÿ ÿ((2R)ÿ23ÿ ÿ22"&ÿ3 &2ÿ3ÿ ÿ ÿ
Xÿ2()ÿ ÿ Oÿ237ÿR 7#7ÿ'( R2ÿ23ÿ'G2G#'7ÿ'ÿ-#$ .ÿ ÿ ÿ
ÿL ÿGÿ )3G&ÿ ÿ ÿ ÿ
*+ÿ4 'ÿ2ÿ2)ÿ2( 2ÿ ÿ ÿ
ÿ ÿ ÿ
ÿ
_`a`bcdÿfaghbicjkhaÿ
ÿ
ÿ
{cjk̀ajÿ}h`i`ajÿhajczjÿfaghbicjkhaÿ
lmnoÿphqrfaÿ ÿ
sÿ Y ÿt ÿVÿ3Q4Hÿ idcaz`ÿ
`dhi`ajÿ{dcaÿ
sÿ P/2#ÿVÿu2*^vÿ sÿ 3ÿHÿ272ÿ
mlwÿxÿphqkyjkzyÿ{|ha`yÿ ÿ M+^G^^G*ZZTÿ-2 .ÿ
sÿ XT+G\*^G+M+ÿ ÿ M+^GXZ0GZZ^Tÿ-2!).ÿ
sÿ XT+G\*^G+M*ÿ ÿ )72~&3)&2ÿ
mr}ckdÿ ÿ
sÿ (V$$)#23)'$%&" ÿ kbÿ}`kzcdÿyy`jyÿ
sÿ 3Q3SXSG,#~3) )"2Rÿ sÿ 2ÿ3&2ÿ-P7.ÿ
sÿ 3Q3SX22"333"~3) )"2Rÿ ÿ X*ZGXMMG^^TXÿ-/20.ÿ
sÿ 3Q3SXP)"~3) )"2Rÿ ÿ X*ZG0+G*+^ÿ-2 .ÿ
phqkyjkzyÿ ÿ X*ZGZ\ZG*TTZÿ-& )).ÿ
sÿ (V$$/ !)73)2#&2ÿ ÿ X*ZGZZ0G^^TXÿ-(" .ÿ
sÿ Y ÿt Vÿ R& W3+Xÿ sÿ 7ÿ2&ÿ-3 &2#7.ÿ
sÿ P/2#Vÿ1)2%u*0Zÿ ÿ X*ZGZ\ZG*TZÿ
sÿ ,##Vÿ3+X~ 73)2#&2ÿ ÿ
wdhcj`bÿ{|ha`yÿ y`yÿcaÿ{cbcÿobcaykjÿ
sÿ 333"ÿYÿ2 # ÿVÿXT+G\MGZ*X+ÿ sÿ 2!!7ÿ 220ÿ-P7.ÿ
sÿ S& ÿ#ÿ,#2ÿVÿXT+GMMTGX*Zÿ ÿ XZG\Z\Xÿ-2 .ÿ
ÿ ÿ M*MGMTZZÿ-/20.ÿ
ÿ ÿ 0XMG\\Mÿ-& )).ÿ
ÿ ÿ 42! / !220~3) )"2Rÿ
ÿ
ÿ sÿ 26ÿ3'ÿ-3 &2#7.ÿ
ÿ ÿ M*MGMTZ+ÿ-/20.ÿ
ÿ ÿZ0*GZMT+ÿ-&)).ÿ
ÿ
0ÿ23ÿ0ÿ
ÿ
Exhibit 4
IN THE CIRCUIT COURT OF THE SECOND JUDICIAL CIRCUIT,
IN AND FOR LEON COUNTY, FLORIDA
REBEKAH JONES,
Plaintiff,
Case No. _________________
v.
Defendants.
/
declaration is based on my own personal knowledge, training, and familiarity with Internet
protocols. It is also based on my review of the affidavit and related materials filed in support of
the warrant issued to search Rebekah Jones’ home that gave rise to the complaint in this case and
the instant injunction motion. Further, this declaration is based on my review of a white paper
written by EFF on the topic of Internet Protocol (IP) addresses and their probative value in law
enforcement investigations.1
Science and Engineering from the Massachusetts Institute of Technology. At EFF, I research
1
Aaron Mackey, Seth Schoen, and Cindy Cohn, Unreliable Informants: IP Addresses, Digital Tips, and Police
Raids (September 2016), https://www.eff.org/wp/unreliable-informants-ip-addresses-digital-tips-and-police-raids
(“Unreliable Informants”).
how technology companies, data brokers, and advertisers track consumers over the Internet and
declaration are generally known to computer scientists and to others familiar with the operations
of the Internet.
4. Below I will outline the technical issues of how IP addresses work, what role they
serve and what they can and cannot definitely reveal by themselves. Based on this information
and the affidavit presented to the Court in support of the search warrant at issue in this case, I
conclude that the Court was not provided with sufficient evidence linking the IP address alleged
to have accessed the ReadyOps system with Ms. Jones’ home. As a result, the affidavit lacked
necessary information to support the issuance of a search warrant for Ms. Jones’ home. Further,
the raid itself appears not to have searched a device -- the router -- that would be most likely to
contain evidence linking the IP address named in the affidavit with a particular device. This
omission is strange, and seems potentially consistent with plaintiff’s assertion that the raid was
retaliatory.
5. The Internet allows any user connected to it to send, receive, and request all types
ensure this information is routed to where it's requested, the Internet relies on a series of
6. One foundational protocol is called the Internet Protocol (IP). As the name
suggests, the protocol standardizes how traffic can reliably traverse distinct networks. This is
2
7. An IP address is a string of numbers used to identify a specific public facing
endpoint connection to the Internet and to route traffic to it, from anywhere in the world. The
simplicity of IP addresses is in part what makes it possible for devices on the Internet to quickly
Internet for the sake of exchanging information. They were not designed to identify any
individual using the Internet or to identify the exact physical location of any person using the
Internet.
world in large, consecutive blocks. The IP addresses are eventually allocated to Internet Service
Providers (ISPs), which then further delegate the addresses under their control to consumers,
10. There are different versions of IP addresses used on the Internet. Older versions,
known as IPv4, are more scarce and as a result, require multiple devices on a local network to
share a single public IP address. A newer version, known as IPv6, allows for exponentially more
IP addresses. As a result, ISPs often allocate large blocks of IPv6 addresses to a given Internet
account, which allows each device on a local network to connect to the Internet using a separate
public address.
11. The affidavit in support of a search warrant for Jones’s house specified that the IP
address connected to her account uses IPv6. As a result, the rest of the information I cover will
12. When a consumer connects to the Internet through their ISP, the ISP issues a
portion of its allocated public-facing IP addresses to the customer’s account. This portion of IP
3
addresses is often called a “block,” and typically has a common prefix, so that all of a customer’s
IP addresses start with the same few numbers. That customer then uses a router to manage the
connections of devices using their Internet account. The router and the devices connected to it
comprise a local area network (LAN). Importantly, every device that connects to the Internet
through the subscriber’s LAN will use an IP address from the block allocated to the subscriber.
13. An ISP will usually know which IP addresses it has allocated to a particular
subscriber at a given time. But generally the ISP does not know which individuals or devices are
connected to the subscriber’s local network. As a result, on its own, an IP address cannot be used
14. Additionally, ISPs can sometimes change which IP address blocks are assigned to
a given customer’s Internet account, meaning that IP addresses used by one customer this week
may be used by a different customer next week. Both ISPs and consumer routers can be
configured to re-allocate IP addresses on a regular basis, so even a device that stays connected to
the same network for a long time may change IP addresses often. For this reason, any records of
IP address assignment by an ISP must be considered with respect to time of and duration of
assignment.
15. Further, any device able to connect to the Internet may do so through different
networks at different times, and thus use different IP addresses. This often occurs over the course
of a single day: a person using a mobile phone may connect to the Internet via their home
network in the morning, use a mobile network as they commute into work, and then use their
employer’s network throughout the day. Each time the device connects to a different network, it
4
Limitations of Law Enforcement Using IP Addresses to Identify Internet Users
16. In summary: it is wrong to assume that the subscriber paying an ISP for access to
the Internet is responsible for any or all activity occurring over the IP address linked to their
account. Making the leap to accuse an account holder of illegal activity, without additional
information or investigation, is analogous to assuming that the person who pays the phone bill is
17. Here’s why: there is no central map or phone book that connects IP addresses to
particular locations or to particular Internet users. Some data brokers claim to be able to associate
public-facing IP addresses with specific devices or identities, but their services are imprecise and
prone to errors. My organization has written a white paper, titled Unreliable Informants, on this
18. Public-facing IP addresses are allocated by ISPs to their subscribers, and ISPs
may keep records that link a set of IP addresses to an individual customer. However, each
customer may share their connection with dozens of different devices on their local network. As
a result, residential ISPs rarely know for sure who is using a particular IP address at a given time.
19. Operators of local networks often do not monitor, much less control, the Internet
activities of devices that use their connection. It is common for a local network to be shared by
not only family or friends, but also complete strangers. For example, companies and individuals
often operate open wireless networks out of their homes, cafés, public libraries, and businesses.
An open network may be used by anyone in range for any purpose, often without the network
operator’s knowledge. During the pandemic, many users opened up their WiFi networks in order
2
See n.1, supra.
5
20. It is sometimes possible to connect specific devices on a local network to
particular activity observed on the Internet. But making that further connection typically requires
knowing much more about the local network using a particular IP address and the router
managing that connection. One cannot use subscriber information alone to connect activity
21. This is because some routers are configured to record a unique identifier, known
as a Media Access Control (MAC) address, for each device that connects to them. A router may
store a timestamped log of the association of IPv6 addresses with the MAC addresses of specific
devices. While not an infallible source of truth, such records could provide insight into the
likelihood of certain traffic originating from a specific device. This kind of historical record is
usually not available to the ISP, and can only be seen by those with access to the router.
Furthermore, in order to identify which devices correspond to which MAC addresses, it is often
22. To summarize: there are many reasons why relying solely on an IP address to link
an individual to a crime, without any additional investigation, is irresponsible and threatens the
civil liberties of innocent people. Here, the search warrant affidavit does not describe how the IP
address which accessed the ReadyOp system was linked with Rebekah Jones’s account, leaving
the Court without enough information to determine that the link was sufficiently strong to justify
change over time, such that an IP address used by one customer may later be used by another.
That’s why law enforcement investigating crimes online often try to obtain records from ISPs
6
that connect a public IP address to a particular account at a particular time. The Affidavit makes
other legal process to ISPs for records that can authenticate these links, including seeking records
showing that a particular IP address was assigned to a specific customer at the exact time the
25. Based on my review of the affidavit filed in support of the warrant to search
Rebekah Jones’ home, there is no assertion that law enforcement sought or obtained these types
of records connecting the IP address to Ms. Jones’ Comcast Internet service account, via a
26. The affidavit states only that the affiant used “investigative resources” to
determine that the IP address that connected to the ReadyOp system “resolved” to Ms. Jones’
Comcast account. The affidavit provides no further details as to how the affiant made this
connection.
27. Based on my own experience and knowledge of IP addresses, I do not know how
law enforcement could link an IP address to a particular ISP customer without either (a)
obtaining records from the ISP via legal process as described above or (b) having direct access to
the records created by the ISP that record which of its customers are using a particular IP address
28. Even assuming law enforcement was able to link the IP address used to access the
ReadyOp system to Rebekah Jones’ Comcast account, the affidavit provides no further
information about whether law enforcement did anything more to attempt to identify the device
7
29. As I stated above, multiple people and devices can connect to the Internet via a
single residential Internet account. Further, many residential Internet users provide WiFi access
to guests, neighbors, and others. Some residents even provide open WiFi access, meaning no
password is required to access the Internet via their residential network. From the ISP’s
perspective, all the activity from any devices connected to an open WiFi network will appear to
30. Additionally, I know that the operator of a local network may run a service which
causes Internet traffic from other sources to appear to originate from their own IP addresses. For
example, Tor is an anonymizing service designed to protect individual privacy that masks the IP
addresses of its users and then routes traffic through “exit nodes” operated by volunteers.
31. Tor and its volunteer exit node operators provide an important public service for
political dissidents, activists, or anyone who wants to browse the web anonymously. An exit
node is the last computer that anonymized Tor traffic goes through before reaching its final
destination. A key feature of Tor is that the individuals operating its exit nodes have no control
of the Internet activity coming through the relays, and no knowledge of its source. Internet
activity coming through a Tor exit relay appears to have originated from the IP address
associated with the exit relay, even though by design that is not the case. A list of the IP
addresses of Tor exit nodes is publicly available online, and investigators should always check to
make sure that traffic which appears to be coming from a particular Internet subscriber is not
32. In light of what I described above, the search warrant affidavit fails to
demonstrate that the IP address was properly connected to Ms. Jones sufficient to justify a search
warrant. As I note, it is possible that someone other than those in the Jones household could
8
have connected to the Internet through the Joneses’ Comcast account and accessed the ReadyOp
system. This could include a friend, neighbor, a former work colleague, or anyone else who was
able to obtain the password and who was close enough to the home to connect to its WiFi
network. And if Ms. Jones provided open WiFi access to her Internet service, anyone nearby
could have used her connection to access the Internet and ReadyOp.
33. The affidavit does not indicate whether police took any steps to determine
whether Ms. Jones’s local network had any of these characteristics prior to seeking authorization
to search her home and seize her property. Without taking those additional steps or conducting
further investigation, it is difficult for anyone to know to a degree of certainty sufficient to justify
a search warrant, who may have used the network to connect to the ReadyOp system.
Law Enforcement Overlook Key Digital Evidence During Search Warrant Execution
34. In summary: Even assuming there was a sufficient factual basis to support the
search warrant, law enforcement did not appear to search or seize Ms. Jones’ router during the
raid, which could contain evidence key to establishing a connection between the IP address
35. As I stated above, even if someone did use Ms. Jones’ network to access the
ReadyOp system, that does not mean that a member of the Jones household, or even anyone they
knew, was necessarily responsible for the activity. The affidavit supporting a search warrant
reflects this possibility, and requested the Court’s permission to seize “Computer software,
hardware or digital contents related to the sharing of Internet access over wired or wireless
networks allowing multiple persons to appear on the Internet from the same IP address.”
36. Based on my review of the inventory returned to Ms. Jones after execution of the
search warrant, however, it appears that law enforcement did not seize the router or modem that
9
facilitated the home’s Internet access. Public reporting also confirms that police did not seize the
router or modem.
37. In my opinion, without searching the router, it is difficult to see how officials will
produce evidence establishing that a particular device used Jones’ home Internet connection to
access the ReadyOp system, much less that the device was used by a particular individual in
Jones’s home.
38. In order to link the IP address associated with Ms. Jones’ Comcast account to a
particular device, law enforcement would need to determine which specific device was
connected to Ms. Jones’ network and was using the account’s IP address to access the ReadyOp
system. The affidavit does not contain any information about what kind of device was used for
that access. As I explained previously, routers are sometimes configured to keep logs of the
particular devices that use the router to access the Internet by recording each device’s unique
MAC address and other details, including the specific times the device accessed the network to
get to the Internet. Therefore, I believe the router is the device most likely to contain evidence
linking a particular IP address to a particular device at a specific time. Importantly, it is also the
most likely piece of hardware to contain evidence that a particular device was not assigned a
39. Law enforcement neglected to seize the one device that would most likely identify
a culprit, whether a member of Ms. Jones' household or otherwise, in favor of only Jones'
personal computing devices. In my opinion, this calls into question whether or not officials
considered the possibility that someone outside the Jones household accessed the ReadyOp
system.
10
40. As I explained, it’s likely that many different devices had access to Jones’ Internet
connection. It’s also possible that the Joneses shared their connection via an “open” network
with anyone who might have been nearby. Although these possibilities were considered in the
affidavit, I do not believe the execution of the warrant bore that consideration out.
41. Under penalties of perjury, I declare that I have read the foregoing document and
that the facts stated in it are true to the best of my knowledge and belief.
__________________________
Bennett Cyphers
11