Minerva26

U.S. v. Cragg

2025 WL 459649 (E.D. Cal. 2025)

February 11, 2025

Thurston, Jennifer L., United States District Judge

Download PDF

To Cite List

Summary

The court upheld the validity of a search warrant for the defendant's electronic devices, rejecting arguments that the warrant was based on false information and that the search exceeded its scope. The court found that the use of SHA1 hash values and off-site analysis were valid investigative techniques, and that the warrant's language was broad enough to cover all items seized. The defendant's arguments were deemed hypertechnical and impractical.

Additional Decisions

UNITED STATES OF AMERICA, Plaintiff,
v.
EDWARD CRAGG, Defendant

1:17-cr-00012 JLT SKO

United States District Court, E.D. California

Signed February 10, 2025

Filed February 11, 2025

Thurston, Jennifer L., United States District Judge

ORDER DENYING MOTION TO SUPPRESS AND FOR FRANKS HEARING

I. INTRODUCTION

*1 On January 19, 207, a grand jury charged Mr. Cragg with one count of receipt and distribution of material involving the sexual exploitation of minors, in violation of 18 U.S.C. § 2252(a)(2). (Doc. 1.) A two-day jury trial commenced May 22, 2018, before U.S. District Judge Lawrence J. O'Neill, at which Mr. Cragg represented himself. (Docs. 92, 93.) The jury returned a guilty verdict. (Doc. 96.) On March 31, 2020, the Ninth Circuit reversed the conviction because the record did not indicate that Mr. Cragg had been advised of the potential penalty associated with the charge before the Court permitted him to proceed to trial without counsel. (Doc. 190.)

Through counsel, Mr. Cragg has filed a motion to suppress evidence seized pursuant to a warrant that authorized the search of his apartment in Turlock, California. (Doc. 299.) The Government opposes the motion. (Doc. 303.) Defendant replied. (Doc. 304.) The Government filed a sur-reply purporting to address ways Mr. Cragg “misstated the government's position” (Doc. 306), to which Defendant has also replied. (Doc. 308.) At the scheduled hearing on the matter, the Parties agreed to submit the matter on the papers. (Doc. 309.) Having considered the briefing in light of the entire record, the Court DENIES the motion to suppress and DENIES the request for a Franks hearing.

II. FACTUAL BACKGROUND

A. The February 25, 2016 Warrant

On February 25, 2016, Turlock Police Department Detective Timothy Redd requested the court issue a warrant to search Mr. Cragg's apartment in Turlock, California. (See Doc. 299-1.) Stanislaus County Superior Court Judge Joseph Distaso issued the warrant that same day. (Id.) The entire warrant packet presented to Judge Distaso is attached to Mr. Cragg's motion. (See Doc. 299-1, 299-2.)

a. The “Search Warrant and Affidavit”

The first part of the packet (bearing internal page references 1–3) consists of a form entitled “State of California-County of Stanislaus Search Warrant and Affidavit” referenced hereinafter as the “Search Warrant and Affidavit.” (Doc. 299-1 at 2.) The top section of that form, which takes up approximately one quarter of the first page, is entitled “(Affidavit)” and contains the following statement:

I, Detective Timothy Redd, swears [sic] under oath that the facts expressed by him/her in the attached and incorporated Statement of Probable Cause are true and that based thereon he/she has probable cause to believe and does believe that the property described below is lawfully seizable pursuant to Penal Code 1524, as indicated below, and is now located at the locations set forth below. Wherefore, affiant requests that this Search Warrant be issued.

(Id.) Detective Redd affixed his signature directly below the above language. (Id.)

Following Detective Redd's signature is a second section entitled “(Search Warrant),” which over the course of approximately two and a half pages delineates the legal grounds for any seizure; the premises, vehicles, and person(s) to be searched; the property to be seized; and certain other procedures to be followed during the execution of the warrant. (Id. at 2–4.) At the bottom of that section, Judge Distaso signed off on the warrant by, among other things, adopting the following statement: “This Search Warrant and Affidavit and attached and incorporated Statement of Probable Cause were sworn as true and subscribed before me on this 25th day of February, 2016, at 1720 [hours]. Wherefore, I find probable cause for the issuance of this Search Warrant and do issue it” (Id. at 4.)

b. Affidavit in Support of Search Warrant

*2 The next part of the warrant packet (bearing internal page numbers 4–23) is entitled “Affidavit in Support of Search Warrant,” and contains numerous sub-sections, roughly including: approximately fifteen pages of background information (Doc. 299-2 at 2–14); a five-page section entitled “Statement of Probable Cause” (id. at 15–19); a one-page “Opinions & Conclusions” section (id. at 19); a repeat of the description of the locations, vehicles, and persons to be searched (id. at 19–20); and a list of the property subject to seizure. (Id. at 20–21.) No part of the Affidavit in Support of Search Warrant contains a separate oath, affirmation, or signature. The following additional details included in the Affidavit in Support of Search Warrant provide context or are relevant here:

i. Detective Redd's Training and Experience

At the time the warrant was authored, Detective Redd's had been in law enforcement for over twenty years and was then assigned to the Investigations Unit investigating crimes against children and hi-technology crimes. (Doc. 299-2 at 2.) In addition to general police training and training related to investigating crimes against persons and property, Detective Redd attended the following trainings related to sex crimes, sex crimes against children, and the use of technology related to such crimes:

In 1996, a 40-hour POST certified training on sexual assault investigations, which included some training about sexual assaults against children. (Id.)
In 2013, a 40-hour POST certified course on child abuse investigations.
In 2013, an 8-hour POST certified course on the trafficking of minors, which covered issues related to the sexual exploitation of minors. (Id.)
In 2016, a 36-hour POST-certified course concerning computer crimes and high-tech investigations, which dealt with the investigation of crimes using technology, including but not limited to the sexual exploitation of minors. (Id.)

Detective Redd indicated that during his tenure as a law enforcement officer, he completed more than a thousand investigations regarding crimes against persons and property, but does not detail how many of those involved child pornography or the distribution of such material on the internet. (See generally id.)

ii. Peer-to-Peer Child Pornography Investigation Methods

On February 8, 2016, Detective Redd spoke with Sacramento County Sheriff's Department Detective James Williams, who was assigned to the Sacramento Internet Crimes Against Children Task Force. (Doc. 299-2 at 8.) Detective Williams had been investigating Peer-to-Peer (P2P) Child Pornography distribution networks since 2005 and gained knowledge about these investigations from training and experience that he then shared with Detective Redd. (Id.) Among other things, Detective Williams learned that P2P networks are frequently used to trade child pornography. (Id.) Computer users can choose to install publicly available P2P software that facilitates the trading of digital media. (Id.) The software allows users to search for media by entering text as search terms, which then uses an index server to examine submitted file lists from other users. (Id.) That index server then sends a file list back to the requesting user who can choose to download files from other P2P users. (Id.) Users can receive selected files from numerous sources at once, and the P2P software can “balance the network load” and recover from network failures by accepting pieces of the file from different users and then reassembling the file on the local computer. (Id.) This reassembly process only works if all the parts come from the same original file. (Id.)

The P2P networks at issue in this case used a particular method to ensure that files are the same. (Doc. 299-2 at 8–9.) That method involves a “compressed digital representation” of the file, known as Secure Hash Algorithm Version 1 (SHA1). (Id. at 9.)[1] At the time the warrant was authored (2016), the SHA1 value was a well-accepted method of generating a digital signature. (Id.) As of that date, there had never been a documented occurrence of two different files being found on the Internet having different content while sharing the same SHA1 value. (Id.) As such, Detective Williams indicated that one can use a SHA1 value to conclude whether two files are or are not identical with 99.999 percent certainty. (Id.)

*3 According to Detective Redd, Detective Williams employs several methods and tools to search for users attempting to trade child pornography on P2P networks. One of those methods involves manually entering search terms into P2P software, followed by additional steps:

Entering search terms in the P2P software results in a list of SHA1 digital signatures that Detective Williams can choose for download. By using this type of search Detective Williams compares the offered SHA1 signatures with SHA1 signatures known to belong to movies or images of child pornography. Detective Williams confirms these SHA1 values as belonging to child pornography by examining the files from previous investigations with the matching SHA1 value. By watching these movies or viewing these images Detective Williams is able to determine the exact file referenced by the given SHA1 value. Once matchings set of digital signatures is identified, Detective Williams submits a download request for the file.

This method has proven to be extremely reliable, working just like software used by end users around the world in locating and downloading precise files. Once the download is initiated, Detective Williams receives a list of download candidates who are participating in the possession, receipt, and/or distribution of child pornography.

(Doc. 299-2 at 9.) Initiating searches on P2P networks in the method described above also returns a list of Internet Protocol (IP) addresses[2] identifying locations where a computer has P2P software installed and individual files are available for download with a specific SHA1 signature. (Id.) IP addresses can typically be used to identify the account holder by name and physical address. (Id.) In addition, P2P software may display the Globally Unique Identifier (GUID) identification number of computers offering to share files on the network. (Id. at 10.) A GUID is a pseudorandom number used in software applications and may be produced when some P2P applications are installed on a computer. (Id.) While a GUID is not guaranteed to be unique, the probability that the same number would be generated twice is very small. (Id.)

Detective Williams has employed one or more automated means to search for users attempting to share child pornography on P2P networks. One of those automated systems is a suite of tools known as the Child Protection System (CPS), which is “law enforcement maintained.” (Doc. 299-2 at 11.)

CPS maintains a log of IP addresses that have been previously involved in the possession and distribution of child pornography. Detective Williams has used this database and its predecessor for more than six years investigating hundreds of cases and making over 100 arrests ... Files are automatically compared to a known set of hash values as contained in the database that evidence child pornography from previous investigations by other law enforcement officers. [The CPS system] reads in a consistent and reliable manner the publicly available advertisements from computers that are identifying child sexual abuse images available for distribution. The software reads these reported offers to participate in the sharing of child pornography and reports the time, date, SHA values and filename for each individual computer in the same way every time. Detective Williams has validated this software by running identical search terms through the manual method described above and the automated system, and has confirmed that the automated software performs in the same way with matching results as the previous manual investigative techniques used in this operation to date.

*4 (Id.) CPS offers an option that allows the investigator to monitor a particular IP address. When the IP address was online, the investigator's computer would automatically begin to download the files available for trade by the suspect computer. (Id. at 12.) According to the information relayed to Detective Redd by Detective Williams, “[t]his is done through a law enforcement-only designed system, which is referred to as an Undercover Investigative Software (hereinafter referred to as UIS), currently used in state and local Peer-to-Peer peer to peer file sharing investigations and utilized through the CPS suite of tools.” (Id.) UIS is designed to download files only from a single source – the target IP address. (Id.) This ensures that files are obtained directly from the target IP address. (Id.) Detective Williams has validated the UIS system by performing parallel manual searches that returned the same results. (Id.) In addition, the UIS system can capture information about the GUID of the computer being used to offer files through the P2P network. (Id.)[3]

c. “Statement of Probable Cause”

Immediately following the description of the various investigative methods outlined above is a four-page sub-section entitled “Statement of Probable Cause.” (Doc. 299-2 at 15–19.) In that section, Detective Redd relays the following information provided by Detective Williams on February 8, 2016. First, Detective Williams “noted” that the IP address 24.176.167.2, which had the GUID D8FF4F2B96C763439FB889AA0DD2E75D was “identified as a download candidate for at least 766 files containing child pornography between August 1, 2015.” (Id.) Detective Williams determined that this IP Address was controlled by Charter Communications and had an approximate location within Turlock, California. (Id.) He then noted the filenames reported as advertised by the computer located at IP address 24.176.167.2, all of which contained terms that in Detective Williams’ experience were consistent with child pornography. (Id.) The warrant offered nine examples of the filenames, all of which support Detective Williams’ assertion that the filenames are consistent with child pornography. (See Doc. 299-1 at 15.)

Because Detective Williams “knows that filenames do not always accurately depict the content of the file,” he compared at least some of the SHA1 values reported as available from IP address 24.176.167.2 with files bearing that same SHA1 value recovered in previous investigations. (Doc. 299-2 at 15.) Upon making that comparison, he “noted them to depict the listed content.” (Id.) The warrant then listed the SHA1 value for each of the nine example filenames and provided a description of the content of each file. (Id. at 15–18.)

Detective Redd obtained a search warrant on February 10, 2016, for the subscriber information related to IP address 24.176.167.2, which returned information identifying the subscriber/account holder as Mr. Cragg, with a specific service address at an apartment in Turlock, CA. (Doc. 299-2 at 18.) Other records confirmed that address as Mr. Cragg's address of record on his California Driver License and that Mr. Cragg's vehicle was registered to him at that address. (Id.) Law enforcement surveillance confirmed that registered vehicle was parked in front of the target address. (Id. at 18–19.)

d. Remainder of the Warrant Packet

Finishing off the Affidavit in Support of Search Warrant is a brief “Opinions & Conclusions” section (Doc. 299-2 at 19); followed by a description of the locations, vehicles, and persons to be searched (id. at 19–20); and a list of the property subject to seizure. (Id. at 20–21.) Of note in relation to this motion is the description of computer paraphernalia to be seized.

*5 6) Any computer hard drive, computer system, tablet, video gaming console containing a hard disk drive, external hard drives, Compact Discs, USB flash drives, memory cards, any other electronic media capable storing data, Cellular phones capable of storing electronic images and/or videos (hereafter referred to as “COMPUTER”) found to contain information otherwise called for by this warrant including but not limited to:

a. Evidence of who used, owned or controlled the COMPUTER at the time the items described in this warrant were created, edited, viewed or deleted, such as logs, registry entries, saved user names and passwords, documents and browsing history, to include bookmarked sites; Evidence of malicious software (“Malware”);
b. Evidence identifying the location from which images of child pornography were downloaded, including date and time of such downloads;
c. Evidence identifying whether image and, or, video files containing child pornography were ever viewed, in include date and time of such viewing;
d. Evidence identifying whether image and, or, video files were deleted, to include date and time of deletion;
e. Contents of volatile memory related to computers and other digital communication devices that would tend to show the current and recent use of the computer, use of encryption, use of communication devices, routes of Internet and other digital communications traffic and passwords, encryption keys or other dynamic details necessary to preserve the true state of running evidence;
f. If computers or other digital devices are found in a running state evidence may be acquired from the devices prior to shutting the devices off;
g. Examination of each of the above listed digital items for digital files, data, images, videos, audio files, software, operating systems and supporting files, deleted files, related to the possession of child pornography.

(Id. at 20–21.)

B. Execution of the Search Warrant

On March 1, 2016, at 10:00 am, Detective Timothy Redd and other law enforcement officers went to Mr. Cragg's apartment to execute the warrant. (See Doc. 299-6.) The detectives took photographs prior to searching. (Id. at 5.) Twenty-eight line items, plus several magazines of ammunition, were seized, including the following in dispute here:

Item 17: TT Model Thermaltake Computer in a large black tower (operating)

Item 22: OCZ Technology 2 1/2-inch solid state drive, 60 gigabytes, Serial No. 017681101002713
Item 23: Republic of Gamers Model AX850 computer tower, Serial No. XHSA011070070395

(Id. at 3; see also Doc. 299-4 (Return on Search Warrant).)

C. Off-Site Examination of Items

On March 30, 2016, Detective Redd brought Items 17, 22, and 23 to Ceres Police Detective Arthur Hively for examination and Detective Hively examined those items. (Doc. 299-5.)

1. Item 22

For Item 22, Detective Hively prepared a forensic image/copy of the drive. (Id.) Upon review, Detective Hively discovered 173 video files with names consistent with child pornography. (Id.) He reviewed fifteen of the files to determine if they in fact were child pornography and found the fifteen files “all had prepubescent children involved in sexual acts alone or with other children or adults.” (Id.)

2. Item 17

Detective Hively explained that Item 17 was a highly sophisticated computer with three hard disk drives. (Id. at 4–5.) Detective Hively created forensic images from two of the hard drives that were set up together as a “Stripe Redundant Array of Independent Disks (RAID)” and then “rebuilt” the Stripe RAID inside his forensic software for analysis. (Id. at 4–5, 9.) Therein he recovered from certain parts of the device some incomplete files that appeared to be child pornography. (See id. at 5.) These were provided to Detective Redd for further analysis. (Id.) The third drive on this device contained no child pornography. (Id. at 5–6.)

3. Item 23

*6 Detective Hively performed a similar forensic examination of Item 23, which he also described as a “very sophisticated computer system.” (Doc. 299-5 at 6.) Detective Hively discovered that the device contained eight Hard Drive Disks (HDDs) and two Solid State Disks (SSDs) on that device. (Id.) He created forensic copies of the SSDs but could not create forensic evidence files for the eight HDDs because of their “sheer volume.” (Id. at 6–7.) Instead, Detectives Hively and Redd connected the machine to a monitor, keyboard and mouse and examined the machine in a live condition. (Id.) In one of the drives, they discovered some adult pornographic movies, including two files that had names consistent with child pornography, but which, upon examination, were adult pornography. (Id. at 7.)

III. LEGAL STANDARDS

The Fourth Amendment states, “(t)he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” U.S. Const. amend. IV. A “search” occurs for purposes of the Fourth Amendment if the police seek information by intruding on a person's reasonable expectation of privacy or by means of trespassing upon one's person, house, papers, or effects. Florida v. Jardines, 569 U.S. 1, 5 (2013). A judge may issue a search warrant if, under the totality of the circumstances, there is a fair probability that contraband or evidence of a crime will be found in a particular location.” Illinois v. Gates, 462 U.S. 213, 238 (1983); United States v. Alaimalo, 313 F.3d 1188, 1193 (9th Cir. 2002) (probable cause requires only a fair probability or substantial chance of criminal activity). “Whether there is a fair probability depends upon the totality of the circumstances, including reasonable inferences, and is a commonsense, practical question.” United States v. Kelley, 482 F.3d 1047, 1050 (9th Cir. 2007) (quotation marks omitted). The affiant's expertise may be considered in the totality of the circumstances analysis; however, the reviewing court is necessarily limited to those facts recited in the affidavit. United States v. Underwood, 725 F.3d 1076, 1081 (9th Cir. 2013).

A reviewing court does not conduct a de novo review of the sufficiency of the affidavit and must accord great deference to another jurist's finding of probable cause. Gates, 462 U.S. at 236. A search warrant should not be found invalid “if the magistrate judge had a ‘substantial basis’ for concluding that the supporting affidavit established probable cause.” United States v. Crews, 502 F.3d 1130, 1135 (9th Cir. 2007). “[C]ourts should not invalidate [a] warrant by interpreting [an] affidavit in a hypertechnical, rather than a commonsense, manner.” Gates, 462 U.S. at 236 (cleaned up).

IV. ANALYSIS

D. Bare Bones Affidavit Arguments

Mr. Cragg first argues that the warrant is a constitutionally infirm, “bare bones” warrant because critical supporting information attached to the Search Warrant and Affidavit was not properly sworn. (Doc. 299 at 21–23.) Alternatively, even assuming that information was sworn under the penalty of perjury, Mr. Cragg argues that warrant lacks indicia of probable cause because it relies on “foundationless and conclusory statements.” (Id. at 23–24.)

1. Incorporation by Reference

Mr. Cragg does not dispute that the first part of the warrant packet—the “State of California – County of Stanislaus Search Warrant and Affidavit” is sworn to under oath. (Doc. 308 at 8.) Defendant likewise does not dispute that the approximately four-page Statement of Probable Cause sub-section of the Affidavit in Support of Search Warrant (Doc. 299-2 at 15–19) is incorporated in the Search Warrant and Affidavit and, therefore, also sworn to under oath. (Id.) As mentioned, Detective Redd swore under oath to the facts “expressed by him[ ] in the attached and incorporated Statement of Probable Cause,” (Doc. 299-1 at 2 (emphasis added)), and Judge Distaso's stated “[t]his Search Warrant and Affidavit and attached and incorporated Statement of Probable Cause were sworn as true and subscribed before me.” (Id. at 4 (emphasis added).)

*7 Because neither attestation explicitly mentions the approximately 15 pages of background material contained in the sections of the Affidavit in Support of Search Warrant that precede the Statement of Probable Cause, Mr. Cragg contends that the background material remains unsworn and therefore cannot be considered support for a finding of probable cause. (See Doc. 299 at 21.) Absent that material, Mr. Cragg argues that “the four corners of the Statement of Probable Cause” do not contain sufficient information to allow the magistrate judge to draw the inferences required to make the requisite probable cause finding. (Id.) The Government contends that the background material in dispute was incorporated by reference into the sworn Search Warrant and Affidavit and therefore can be considered a factual material to support the Judge Distaso's probable cause finding. (See Doc. 303 at 7–8.)

None of the cases cited by the parties directly addresses the incorporation issue presented here. Mr. Cragg relies heavily on United States v. Wilson, 13 F.4th 961, 967 (9th Cir. 2021), for other points (see Doc. 299 at 21–22) some of which are discussed herein, but Wilson does not address incorporation by reference. The Government cites United States v. King, 737 F. Supp. 3d 1020, 1027 (D. Nev. 2024), which discussed the “cure by affidavit” rule. That rule grew from the general principle that “[t]he Fourth Amendment requires that a warrant particularly describe both the place to be searched and the person or things to be seized,” and operates to cure an insufficiently particular warrant by allowing the individual executing the warrant to rely on an affidavit that is “expressly incorporated” into and accompanies the warrant when agents execute the search. Id. An affidavit that is both incorporated by and accompanies the warrant can operate to limit “the discretion of the officers executing the warrant and [ensure] that the person being searched has notice of the specific items the officer is entitled to seize.” Id. As King explained, documents incorporated into a warrant “simply are ‘the search warrant’ for purposes of constitutional analysis.” Id. (emphasis in original). But there was “no legitimate debate” that the affidavit in support of the King warrant was incorporated into that warrant by reference. Id. at 1028; see also id. at 1028 n. 61 (explaining that the King warrant stated: “Proof having been made to me by Detective Troy Starr, said Affidavit attached hereto as exhibit 3, and incorporated by reference herein by this reference”). Thus, King does not address how a court should evaluate the situation presented here, where the warrant at least arguably appears to expressly incorporate only part of the attached Affidavit in Support of Search Warrant.

Somewhat more helpful is United States v. Vesikuru, 314 F.3d 1116, 1121 (9th Cir. 2002), another case that addressed the “cure by affidavit” doctrine, though without labeling it as such. Vesikuru concerned an anticipatory[4] search warrant for a residential address matching the recipient's address on a package containing narcotics. Id. at 1118. It was undisputed that the preprinted warrant form did not itself state the required preconditions for the anticipatory warrant, namely that before executing the warrant law enforcement agents must first observe residents at the location accept the package and take it inside. Id. at 1118. Rather, those preconditions were articulated within an affidavit attached to the warrant as a supplemental form. Id. As in King, Vesikuru explained that a warrant that might otherwise be insufficiently particular because it fails to set forth within its four corners a condition precedent may be cured by an affidavit that is (1) “sufficiently incorporate[d]” into the warrant and (2) accompanies the warrant at the time of the search. Id. at 1120. Relevant here is the Ninth Circuit's analysis of the “sufficient incorporation” prong. The Vesikuru warrant stated: “Upon the sworn complaint made before me there is probable cause.” Id. at 1121 (emphasis in original). Even though the affidavit in question was entitled “Affidavit for Search Warrant” not “Complaint,” the Ninth Circuit deemed the incorporation language sufficient, reasoning that “there are no required magic words of incorporation.” Id. a 1121. Rather, “suitable words of incorporation” are sufficient. Id.[5]

*8 As the Government points out (see Doc. 306 at 3), Vesikuru appears to have found the word “complaint” to be synonymous with “affidavit” for purposes of the incorporation analysis. (Doc. 306 at 3.) This suggests that by extension the term “Statement of Probable Cause” referenced in the Search Warrant and Affidavit at issue here may be considered synonymous with the term “Affidavit in Support of Search Warrant.” This Court does not conduct a de novo review of the sufficiency of the approving jurist's finding of probable cause. Illinois, 462 U.S. at 236. Indeed, it seems “hypertechnical, rather than a commonsense,” (id.), to view the warrant packet in the manner suggested by the Defense. Nothing in the record suggests Judge Distaso considered only the five page “Statement of Probable Cause” subsection of the entire Affidavit in Support of Search Warrant when he found probable cause for the issuance of the warrant. It simply makes no sense to interpret the language of the warrant in that way.[6] In sum, the Court is not persuaded by Mr. Cragg's argument that only the material in the Statement of Probable Cause sub-section of the Affidavit in Support of Search Warrant was sworn. Therefore, it was appropriate for Judge Distaso (and by extension this Court) to consider that material as factual support for the probable cause finding.

Given this conclusion, the Court declines to address Mr. Cragg's related contention that, when considered on its own, the Statement of Probable Cause is impermissibly “bare bones” because it relies on “foundationless and conclusory statements.” (Doc. 299 at 23.) For example, he argues that the Statement of Probable Cause” does not on its own identify how his IP address was identified as a download candidate, nor explain the significance, if any, of hash values. (Id.) The separate question of whether the entire warrant packet, considered as a whole, is barebones is addressed below.

The Court likewise declines to engage with Mr. Cragg's speculations as to why Detective Redd might not have wanted to swear to the content of the background information. For example, Mr. Cragg suggests Redd may not have known whether the information he gathered from Detective Williams was true. (See Doc. 304 at 3.) An affiant may rely on information learned from fellow officers. See United States v. Binford, No. 1:20-CR-00150-ADA-BAM-1, 2023 WL 5628764, at *8 (E.D. Cal. Aug. 31, 2023) (allowing affiant to rely on information gained by an in-depth investigation undertaken by a co-investigator). Given the incorporation finding above, there is nothing inherently improper about Detective Redd relying on information from Detective Williams.

2. The Warrant's Probable Cause Showing

Mr. Cragg argues that even if the entire Affidavit in Support of Search Warrant is incorporated into the Search Warrant and Affidavit, the entire packet is nonetheless impermissibly “bare bones” because it “relies on (i) conclusions without supporting facts; and (ii) foundationless ‘expert’ testimony.” (Doc. 299 at 23.)

a. Bare Bones Standard

As a threshold matter, the Court notes that Mr. Cragg focuses his probable cause arguments on the “bare-bones” standard, which was articulated as an exception to the good faith exception to the exclusionary rule. “The good-faith exception precludes suppression of evidence seized by officers who acted ‘in objectively reasonable reliance’ on a search warrant that is later declared invalid.” United States v. Artis, 919 F.3d 1123, 1133 (9th Cir. 2019) (quoting United States v. Leon, 468 U.S. 897, 922 (1984)). Leon “identified four situations that per se fail to satisfy the good faith exception.” Underwood, 725 F.3d at 1085. One such circumstance is “where the affidavit is ‘so lacking in indicia of probable cause as to render official belief in its existence entirely unreasonable.’ ” Id. (quoting Leon, 468 U.S. at 922–23). As the Ninth Circuit explained in Underwood: “An affidavit is so lacking in indicia of probable cause, or bare bones, when it fails to provide a colorable argument for probable cause.” Id. (citing United States v. Hove, 848 F.2d 137, 139–40 (9th Cir. 1988)). A “colorable argument” exists “when thoughtful and competent judges could disagree” about the existence of probable cause. Id. (internal quotations omitted).

*9 The government bears the burden of showing that the good-faith exception applies. Artis, 919 F.3d at 1134 (citing Underwood, 725 F.3d at 1085). “When it invokes the exception, the government bears the burden of proving that officers relied on the search warrant in an objectively reasonable manner.” United States v. SDI Future Health, Inc., 568 F.3d 684, 706 (9th Cir. 2009) (internal quotation omitted). Moreover, “objective reasonableness is to be determined not only with respect to the officers who executed the warrant, but also to the officer who provided the affidavit upon which the warrant was based.” United States v. Clark, 31 F.3d 831, 835 (9th Cir. 1994) (citing Leon, 468 U.S. at 923 n. 24). However, the Government appears not to have invoked the exception in this case, and the Court declines to raise it for the government. See United States v. Walker, No. 2:19-CR-00234-KJM, 2020 WL 3841312, at *4 (E.D. Cal. July 8, 2020).

As mentioned, normally a reviewing court would review a search warrant to determine “if the magistrate judge had a ‘substantial basis’ for concluding that the supporting affidavit established probable cause.” Crews, 502 F.3d 1130, 1135 (9th Cir. 2007). Obviously, however, a warrant that is “so lacking in indicia of probable cause” (i.e. is “bare-bones”) such that it precludes application of the good-faith exception would also be facially invalid. The Court therefore interprets Mr. Cragg's arguments to generally request an evaluation of whether the warrant lacks probable cause.

b. Discussion

Mr. Cragg argues that even if the entire warrant packet may be considered as support for the finding of probable cause, the warrant is nonetheless “bare bones” because it lacks foundation and relies on conclusory statements without supporting facts to establish that a computer associated with IP address 24.176.167.2 had files that contain child pornography. (Doc. 299 at 7, 23.) In support of this argument, Mr. Cragg relies almost entirely on Wilson, 13 F.4th 961, which addressed whether the private search doctrine justified a warrantless review of digital media containing apparent child pornography. Because Wilson is central to much of the analysis in this section, a thorough review of the facts is warranted. In the interest of efficiency, the Court reproduces the Ninth Circuit's factual summary here:

The events giving rise to Luke Wilson's conviction and this appeal were triggered when Google, as required by federal law, reported to the National Center for Missing and Exploited Children (NCMEC) that Wilson had uploaded four images of apparent child pornography to his email account as email attachments. No one at Google had opened or viewed Wilson's email attachments; its report was based on an automated assessment that the images Wilson uploaded were the same as images other Google employees had earlier viewed and classified as child pornography. Someone at NCMEC then, also without opening or viewing them, sent Wilson's email attachments to the San Diego Internet Crimes Against Children Task Force (ICAC), where an officer ultimately viewed the email attachments without a warrant. The officer then applied for warrants to search both Wilson's email account and Wilson's home, describing the attachments in detail in the application.

***

A. Google's Identification of Apparent Child Pornography

Electronic communication service providers are not required “affirmatively [to] search, screen, or scan” for apparent violations on their platforms of federal child pornography laws. 18 U.S.C. §§ 2258A(f), 2258E. But “[i]n order to reduce ... and ... prevent the online sexual exploitation of children,” such providers, including Google, are directed, “as soon as reasonably possible after obtaining actual knowledge” of “any facts or circumstances from which there is an apparent violation of ... child pornography [statutes],” to “mak[e] a report of such facts or circumstances” to NCMEC. 18 U.S.C. § 2258A(a). NCMEC then forwards what is known as a CyberTip to the appropriate law enforcement agency for possible investigation. Id. at §§ 2258A(a)(1)(B)(ii), (c).

*10 According to a two-page declaration from a senior manager at Google, the company “independently and voluntarily take[s] steps to monitor and safeguard [its] platform,” including using a “proprietary hashing technology” to identify apparent child pornography.2

As described in the record—vaguely, and with the gaps noted—the process works as follows:
First, a team of Google employees are “trained by counsel on the federal statutory definition of child pornography and how to recognize it.” Neither the training materials themselves nor a description of their contents appear in or are attached to the Google manager's declaration.

Second, these employees “visually confirm[ ]” an image “to be apparent child pornography.” According to an industry classification standard created by various electronic service providers, there are four industry categorizations: “A1” for a sex act involving a prepubescent minor; “A2” for a lascivious exhibition involving a prepubescent minor; “B1” for a sex act involving a pubescent minor; and “B2” for a lascivious exhibition involving a pubescent minor.

Third, “[e]ach offending image” judged to be “apparent child pornography as defined in 18 USC § 2256” is given a hash value, which is “added to [the] repository of hashes.” As far as the record shows, Google “stores only the hash values” of images identified as apparent child pornography, not the actual images. The government does not represent otherwise.

Finally, Google “[c]ompare[s] these hashes to hashes of content uploaded to [their] services.” The exact manner in which hash values are assigned to either the original photographs or the ones deemed to replicate them is not described in the Google manager's declaration or anywhere else in the record.

B. Government Search
On June 4, 2015, Google, using its propriety technology, “became aware” that Wilson had attached to emails in his email account—which may or may not have been sent—four files that included apparent child pornography. United States v. Wilson, No. 3:15-cr-02838-GPC, 2017 WL 2733879, at *3 (S.D. Cal. June 26, 2017). In compliance with its reporting obligations, Google automatically generated and sent an electronic CyberTipline report to NCMEC. The CyberTipline report included Wilson's four email attachments. According to the Google manager's declaration, “a Google employee did not view the images ... concurrently to submitting the report to NCMEC.” The CyberTipline report did specify that Google had classified each of Wilson's four email attachments as “A1” under an industry classification standard for “content [which] contain[s] a depiction of a prepubescent minor engaged in a sexual act.”

Google's report included Wilson's email address, secondary email address, and IP addresses. NCMEC supplemented Google's report with geolocation information associated with Wilson's IP addresses, but did “not open[ ] or view[ ] any uploaded files submitted with this report.”
NCMEC then forwarded the CyberTip to the San Diego Internet Crimes Against Children Task Force (“ICAC”). Agent Thompson, a member of the San Diego ICAC, received the report. He followed San Diego ICAC procedure, which at the time called for inspecting the images without a warrant whether or not a Google employee had reviewed them.3

*11 After Agent Thompson looked at Wilson's four email attachments, he applied for a search warrant of Wilson's email account. His affidavit asserted that probable cause for the warrant was based on two facts: first, that “Google became aware of four (4) image files depicting suspected child pornography;” and second, that he had “reviewed the four (4) images reported by Google to NCMEC and determined they depict child pornography.” In support of his own child pornography assessment, he included in the warrant application detailed “descriptions of each of these images.” The affidavit did not include the fact that Google had originally classified the images as “A1” or provide any detail about how Google had either classified or later automatically identified Wilson's images as apparent child pornography.

Id. at 964–66.

The private search doctrine “concerns circumstances in which a private party's intrusions would have constituted a search had the government conducted it and the material discovered by the private party then comes into the government's possession.” Id. at 967. (internal citation and quotation omitted). Generally, “when private parties provide evidence to the government on their own accord, it is not incumbent on the police to avert their eyes.” Id. (quoting Coolidge v. New Hampshire, 403 U.S. 443, 489 (1971)) (cleaned up). As Wilson explained “an antecedent private search excuses the government from obtaining a warrant to repeat the search but only when the government search does not exceed the scope of the private one.” Id. at 968.

Applying these principles, Wilson concluded that Agent Thompson's actions exceeded the scope of the private search because it allowed him to learn new, critical information that was used first to obtain a warrant and then to prosecute Wilson. Id. at 971–72. As the Ninth Circuit explained:

Google keeps a repository of unique hash values corresponding to illicit images, and tags each image with one of four generic labels. All Google communicated to NCMEC in its CyberTip was that the four images Wilson uploaded to his email account matched images previously identified by some Google employee at some time in the past as child pornography and classified as depicting a sex act involving a prepubescent minor (the “A1” classification).

Id. Based only on that CyberTip, which the Ninth Circuit labeled as “barebones,” Agent Thompson opened and reviewed each of Wilson's images to determine “whether or not it is a case that ... can be investigated” for violations of federal law. Id. This was improper because, among other things, opening those email attachments “substantively expanded the information available to law enforcement far beyond what the [A1] label alone conveyed,” as the A1 label specified only the general age of the child and the general nature of the acts shown. Id. (“A detailed description of the images was included [by Agent Thompson] in the applications for search warrants. The gulf between what Agent Thompson knew about Wilson's images from the CyberTip and what he subsequently learned is apparent from those descriptions.”). The Ninth Circuit as a “critical fact” that “no Google employee viewed Wilson's files before Agent Thompson did.” Id. at 974. Because the government viewed something other than the specific materials Google saw during its private search, the government search exceeded the scope of the private search. Id.

For obvious reasons, Mr. Cragg focuses on the fact that the Ninth Circuit labeled the CyberTip “barebones.” (See Doc. 299 at 23 (arguing that “a tip that files alleged to possess child pornography match files previously identified by an unidentified individual at some time in the past as child pornography is barebones”).) It is somewhat unclear whether Wilson meant to use the term “barebones” in this context to mean “wholly lacking in probable cause,” given that the central issue in Wilson was whether Agent Thompson's warrantless search was justified. The Ninth Circuit even acknowledged that its analysis relied “only contingently on the adequacy of the record with regard to the hash match technology” because that was not a critical factor in the private search analysis. Id. at 979 (“The reliability of Google's proprietary technology, in our estimation, is pertinent to whether probable cause could be shown to obtain a warrant, not to whether the private search doctrine precludes the need for the warrant.”). Nonetheless, Wilson noted elsewhere that “the warrant application here contained inadequate information about Google's proprietary technology to establish probable cause without reliance on the descriptions of the actual images.” Id. The Ninth Circuit explained:

*12 The record does not identify the Google analyst who could have stated that the images Agent Thompson viewed were identical to images the analyst previously viewed, nor does it explain Google's algorithm in any detail. Given these gaps, there is no way to be “at all sure” that the images Agent Thompson viewed were the same images a Google analyst had earlier viewed, so the government search exceeded the scope of Google's search.

Id. at 977. Thus, the Court concludes that Wilson at least provides guidance as to what a barebones warrant might look like in related circumstances.

That said, the Court is not persuaded by the Defense's argument, grounded in Wilson, that “it is unreasonable to infer that files on a computer associated with IP address 24.176.167.2 contain child pornography based on files with the same reported hash values ‘recovered in previous investigations’ without more supporting facts, such as who, if anyone, actually viewed and verified that any of the files from the ‘previous investigations’ contain child pornography.” (Doc. 299 at 23.)[7] To be sure, the record does not clearly indicate that Detective Williams himself reviewed the content of the files from previous investigations used in the SHA1 hash value matching process he employed. Though the Search Warrant Affidavit certainly could be read to assert that he did (see, e.g., Doc. 299-2 at 15–18 (listing descriptions of each video)), the government appears to concede that Detective Williams may not have done so. (Doc. 306 at 4; but see Doc. 299-2 at 9 (indicating that “Detective Williams confirms these SHA 1 values as belonging to child pornography by examining the files from previous investigations with the matching SHA 1 value. By watching these movies or viewing these images Detective Williams is able to determine the exact file referenced by the given SHA1 value.”). The Government insists, however, that the files were viewed (and presumably the summaries drafted) either by “Detective Williams or other law enforcement officers.” (Doc. 306 at 4.) This is a logical inference that can be drawn from the fact that there are reasonably detailed descriptions of the child pornography in the warrant application. As the Government suggests “to write descriptions of the child pornography files, a law enforcement officer must have viewed the files at one point.” (Id.) On this crucial point, the situation is distinct from Wilson, where it was unclear whether anyone at all Google had viewed the alleged child pornography. To the extent Mr. Cragg means to argue that the warrant here must identify the name of the law enforcement officer who viewed the child pornography from previous investigations to create the description, he cites no authority for that assertion. Wilson suggests no such rule. Mr. Cragg likewise does not suggest why it would be impermissible for Detectives Redd and Williams to have relied on those descriptions provided by other law enforcement officers to define the content of the files flagged as child pornography in previous investigations.

*13 To the extent Mr. Cragg is arguing that the information contained in the complete warrant packet fails to sufficiently connect his IP address to child pornography,[8] the Court disagrees. The warrant packet explains that Detective Williams used CPS in his investigation; that CPS uses SHA1 hash value matching to identify IP addresses that are likely offering child pornography over the internet; that CPS does so by comparing the SHA1 hash values of files being offered to the SHA1 hash values of files previously identified (and logged) by law enforcement as containing child pornography. (Doc. 299-2 at 11.) The warrant further explains that IP address 24.176.167.2 was identified through this process as offering numerous files containing child pornography and that Detective Williams manually cross-checked the SHA1 hash values of a number of the filenames being offered by that IP address against files with the same hash value recovered in previous investigations. (Id. at 14–18.)

Even assuming the files being offered from IP address 24.176.167.2 were identified as containing child pornography by SHA1 hash value matching only (i.e., no one involved in this investigation viewed any copy—either downloaded from IP address 24.176.167.2 or from CPS—of any file identified as containing child pornography), this still would not be fatal to the probable cause showing in the warrant. This issue was discussed in a very closely related situation in United States v. McKinion, No. 2:14-CR-00124-CAS-1, 2017 WL 3137574, at *6 (C.D. Cal. July 21, 2017), where the defendant sought a Franks v. Delaware, 438 U.S. 154 (1978), hearing, arguing that the affiant, Special Agent Rodriguez, failed to state that he downloaded any files from defendant's computer. The court concluded that whether Rodriguez viewed the files was immaterial in light of his use of SHA1 hash value matching:

Based upon the Affidavit, the magistrate judge might reasonably have inferred that Rodriguez did not download any files from defendant's computer because the Affidavit explained that Rodriguez only reviewed the contents of files after he “searched for files with SHA1 values that matched” those suspected of being shared over the Suspect IPs. Affidavit ¶¶ 31(b), 32(b). There would have been no reason for Rodriguez to go through the additional step of finding files with the same SHA1 values if he had downloaded suspect files directly from the Suspect IPs via a P2P network. More to the point, Rodriguez's failure to state expressly whether he directly downloaded any files from the Suspect IPs was immaterial to the magistrate judge's conclusion because Rodriguez was not required to download any files from the Suspect IPs in order to establish probable cause. Courts routinely find probable cause based upon an investigator's review of files with the same SHA1 values or a comparison of SHA1 values alone. See United States v. Thomas, 788 F.3d 345, 348 n. 5 (2d Cir. 2015), cert. denied, 136 S. Ct. 848 (2016); United States v. Miknevich, 638 F.3d 178 (3d Cir. 2011).

Id.; see also United States v. Thomas, No. 5:12-CR-37, 2013 WL 6000484, at *23 (D. Vt. Nov. 8, 2013), aff'd, 788 F.3d 345 (2d Cir. 2015) (“Defendants cite to no authority for their claim that hash values are inherently unreliable or that a direct download of the file is necessary to establish probable cause.”) (collecting cases).[9] For the same reason, given the warrant's explanation of how SHA1 hash value matching was applied in Detective William's investigation, the warrant did not lack probable cause.[10] The warrant only needed to establish there was “fair probability” that devices at Mr. Cragg's location contained child pornography. It did so.

c. “Foundationless Expert Testimony”

*14 As an alternative challenge to the probable cause finding, Mr. Cragg argues that the warrant relies on “foundationless ‘expert’ testimony.” (Doc. 299 at 23–24.) First, Mr. Cragg argues that the warrant provides no facts from which one could infer that Detective Redd he has experience investigating crimes involving computers. (Id. at 24.) Though the warrant discloses that Redd completed a 36-hour training on computer crimes that dealt with investigation of the sexual exploitation of minors using technology, that course took place in 2016, and Mr. Cragg questions whether the course was completed before or after Detective Redd spoke to Detective Williams on February 8, 2016. This is a red herring. There is no dispute that Redd completed the training before drafting the warrant application and nothing in the record suggests Redd would have been unable to accurately digest and record information provided to him by Detective Williams without that training.

Second, Mr. Cragg correctly indicates that the warrant appears to attempt to establish Detective Williams as an expert based on experience. (Doc. 299 at 24.) He argues that the warrant fails to do so because it presents “rambling boilerplate” recitations of experience in an alternate investigative method not utilized in this case. (Id. at 24.) Indeed, the warrant does include several pages of information about an investigative technique that does not appear to be relevant. (See Doc. 299-2 at 13–15.) Mr. Cragg cites United States v. Weber, 923 F.2d 1338, 1345 (9th Cir. 1990), in which the Ninth Circuit examined a warrant that contained “expert” testimony indicating that a detective “knew the habits of ‘child molesters,’ ‘pedophiles,’ and ‘child pornography collectors’ and that from his knowledge of these classes of persons he could expect certain things to be at their houses, from diaries to sexual aids to photo developing equipment.” But, crucially “there was not a whit of evidence in the affidavit indicating that Weber was a ‘child molester,’ ” so the “rambling boilerplate recitations” about these classes of individuals that were “designed to meet all law enforcement needs” was unhelpful because it “was not drafted with the facts of this case or this particular defendant in mind.” Id. The situation here is entirely different. Though extraneous background information may have been included, the relevant investigatory techniques (i.e., those that were applied to Mr. Cragg's conduct) were described in sufficient detail. As such, the inclusion of the extraneous background information is not fatal to the warrant.

Finally, Mr. Cragg argues that the warrant fails to set forth facts to establish that either Redd or Williams “have prior investigative experience determining that a file contains child pornography without viewing the file.” (Doc. 299.) To the extent Mr. Cragg is again suggesting that either Detective Redd or Williams must have reviewed the files identified from prior investigations as child pornography, that argument has been addressed above. To the extent he is suggesting that the warrant fails to explain how Detective Williams could have connected IP 24.176.167.2 address to child pornography without himself viewing the files available there, this argument has also been rejected above.

E. Franks: Intentional or Reckless False Statement

Mr. Cragg next argues that the Affidavit in Support of Search Warrant “contains two false statements that are intentional or reckless and material to the probable cause determination.” (Doc. 299 at 25.) He requests a Franks hearing to determine any disputed facts. (See Doc, 298 at 1.)

1. Franks Standard

The standards applicable to such a challenge brought under Franks v. Delaware, 438 U.S. 154 (1978), are well-established. “A defendant is entitled to an evidentiary hearing if he ‘makes a substantial preliminary showing that a false statement knowingly and intentionally, or with reckless disregard for the truth, was included by the affiant in the warrant affidavit, and if the allegedly false statement is necessary to the finding of probable cause.’ ” United States v. Craighead, 539 F.3d 1073, 1080–81 (9th Cir. 2008) (quoting Franks, 438 U.S. at 155–56); United States v. Chavez Miranda, 306 F.3d 973, 979 (9th Cir. 2002) (A defendant “bears the burden of proof and must make a substantial showing to support both elements.”).

*15 To be entitled to a Franks hearing, a defendant must come forward with specific allegations, allege a deliberate falsehood or reckless disregard for the truth, and support that claim with a sufficient offer of proof. Craighead, 539 F.3d at 1080; see also Franks, 438 U.S. at 171 (“To mandate an evidentiary hearing, the challenge's attack must be more than conclusory and must be supported by more than a mere desire to cross examine.”). Where such a substantial preliminary showing is made, “the court must hold a hearing to determine if any false statements [or omissions] deliberately or recklessly included in the affidavit were material to the magistrate's finding of probable cause.” United States v. Johns, 851 F.2d 1131, 1133 (9th Cir. 1988) (quoting United States v. Burnes, 816 F.2d 1354, 1357 (9th Cir. 1987)). In contrast, where the defendant fails to make a “substantial preliminary showing” with respect to either intentional or reckless inclusion or omission, or materiality, the district court should not conduct a Franks hearing. See United States v. Shryock, 342 F.3d 948, 977 (9th Cir. 2003); United States v. Bash, No. 1:20-CR-00238-NONE-SKO, 2022 WL 992932, at *6 (E.D. Cal. Apr. 1, 2022) (refusing to hold Franks hearing where defendant failed to make a preliminary showing that omission of information was material).

1. Certainty that two files cannot share same SHA1 value

Mr. Cragg first maintains that the warrant falsely asserts that by comparing SHA1 hash values “Detective Williams can conclude that two files are or are not identical with a precision that greatly exceeds 99.9999 percent certainty.” (Id. (citing Doc. 299-2 at 9).) According to the Defense, this statement “is false” (see Doc. 299 at 25) because a Defense expert discovered that two sets of files that are “different video file formats and file sizes” have the same SHA1 hash values. (See Doc. 300, Declaration of Joshua Michael).) Mr. Michael's declaration indeed indicates that after a forensic examination of Item 17, he was “able to observe two sets for files with matching SHA1 hash values in a list of search results presented in the Shareaza peer-to-peer file sharing application” (Id. at ¶ 2) as follows:

Tabular or graphical material not displayable at this time.

(Doc. 300 at 2 (omitting information about file location).)

Notably, Mr. Michael does not indicate that these overlapping SHA1 values demonstrate that the challenged assertion in the warrant is false (see generally Doc. 300); that argument comes from Defense counsel only. (See Doc. 299 at 25.)[11] The Court finds counsel's argument unpersuasive. Crucially, there is no suggestion in the record that Detectives Redd or Williams had any reason to know of the SHA1 overlap discovered by Mr. Michael during his forensic examination of Item 17. The fact that a Defense expert discovered this hash value overlap amounts to potentially exculpatory information discovered after the warrant was approved and executed, which is inapposite to the Franks analysis. Nor does the record otherwise suggest that either Detective Redd or Williams had any reason to doubt Detective Williams’ assertion that using SHA1 hash values allows for the matching of files with a high degree of precision. Among other things, the warrant explains—and Mr. Cragg does not even attempt to refute—that the P2P software platforms themselves use SHA1 hash value matching to improve the efficiency and reliability of delivery of files to users, as SHA1 hash value matching allows those platforms to accept parts of files from various locations. (Doc. 299-1 at 8–9.)

One more related issue deserves some attention. In its sur-reply, the Government presents the Declaration of James Fottrell, the Director of the High Technology Investigative Unit at the Child Exploitation and Obscenity Section (CEOS) of the Department of Justice, who reiterates that SHA1 hash values are commonly used to verify that original media matches copies of that media. (Doc. 306-1, ¶ 5.)[12] At the same time, his declaration also states that SHA1 “hashing” only “retain[s] its reliability” in the field of computer forensics because users put files through a “process of verification” whereby law enforcement officers apply the same SHA1 algorithm to both the original and a forensically copied version of a file and then verify that the hash values match. (Id.)

*16 Mr. Cragg reads this statement to mean that hash value matching is not reliable without this verification process, and that, resultingly, the hash value matching used by investigators to support the warrant in this case cannot possibly be reliable because no such validation is alleged to have occurred. (Doc. 308 at 18.) Even assuming it is appropriate to interpret Mr. Fottrell's declaration to suggest hash value matching is not reliable without file-to-file verification, Mr. Cragg is comparing apples to oranges by conflating his Franks burden with possible reasons to question the way SHA1 hash value matching was employed in this case. Again, nothing in the record suggests that at the time the warrant was drafted either Detective Redd or Williams had reason to doubt the reliability of the SHA1 hash value matching techniques Detective Williams employed.

2. Detective Williams’ Viewing of the Files in CPS

Mr. Cragg next argues that if the affidavit is interpreted to mean that Detective Williams viewed the nine files from the “previous investigations” and “noted them to depict” child pornography, this statement is false because the warrant only suggests Detective Williams utilized the CPS suite of tools, which does not maintain the child pornographic media themselves, only hash values associated with those media files. (See Doc. 299 at 26.) As the discussion above indicates, the probable cause determination does not turn on any such assumption. So, even if the (1) the warrant is read to make such an assertion and (2) that assertion is false, it is immaterial, so this Franks argument fails.

F. Scope of Warrant

Mr. Cragg argues that law enforcement's actions in executing the warrant exceeded the warrants terms. (See Doc. 299 at 26–28.) “[T]o determine whether the government exceeded the scope of a warrant, [a court] compare[s] the terms of the warrant to the search actually conducted.” Snitko v. United States, 90 F.4th 1250, 1263 (9th Cir. 2024); see also United States v. Payton, 573 F.3d 859, 864 (9th Cir. 2009) (concluding that search of defendant's computer “exceeded the scope of that warrant” because it was done “without explicit authorization in the warrant”); United States v. Comprehensive Drug Testing, Inc., 621 F.3d 1162, 1166 (9th Cir. 2010) (holding that government disregarded terms of warrant where it “failed to comply with the procedures specified in the warrant”) (en banc) (per curiam), overruled in part on other grounds as recognized by Demaree v. Pederson, 887 F.3d 870, 876 (9th Cir. 2018) (per curiam). “When officers violate the terms of a warrant in execution, partial suppression is the norm unless the officers engaged in a general search.” United States v. Sears, 411 F.3d 1124, 1131 (9th Cir. 2005). “Wholesale suppression is an ‘extraordinary remedy’ that is appropriate ‘only when the officers transform the search into an impermissible general search by ignoring the terms of the warrant and engaging in indiscriminate fishing.’ ” Id. (quoting United States v. Chen, 979 F.2d 714, 717 (9th Cir. 1992)).

1. Items 17, 22, and 23

Mr. Cragg first argues that (the seizure of Items 17, 22, and 23, as well as the subsequent off-site examination of those Items, exceeded the scope of the warrant and therefore evidence derived from those items should be suppressed. (Doc. 299 at 26–27.) Mr. Cragg contends that because Items 17, 22, and 23 were seized but not examined until March 30, 2016, those items were seized without having been “found to contain information otherwise called for by th[e] warrant.” (Doc. 299 at 26.) The warrant commanded law enforcement to search for, among other things, “[a]ny computer hard drive, computer system, tablet, video gaming console containing a hard disk drive, external hard drives, Compact Discs, USB flash drives, memory cards, any other electronic media capable [of] storing data, Cellular phones capable of storing electronic images and/or videos found to contain information otherwise called for by th[e] warrant.” (Doc. 299-1 at 3–4.) The warrant further authorized law enforcement to “ANALYZE those items seized during the service of this warrant off-site, without further order from the Court, using technology not readily available at the time of service.” (Id. at 4.)

*17 In response, the Government argues that because all three items were analyzed off site and “found to have child pornography, artifacts of child pornography, or information called for by the warrant (who, what, when information) on the devices,” their seizure did not exceed the scope of the warrant. (Doc. 306 at 6.) Mr. Cragg parses the language differently, insisting that the seizure and off-site analysis of these three items exceeded the scope because (1) the items were seized without first having been “found to contain” information called for by the warrant and (2) the off-site analysis of items 17, 22, and 23 did not use “technology not readily available at the time of service.” (Doc. 308 at 23.)

Though Mr. Cragg's interpretation of the warrant's terms is not utterly illogical, the Court is obliged to avoid a “hypertechnical and narrow reading of the warrant language” Vesikuru, 314 F.3d at 1123, and instead should interpret the terms in a “common sense and realistic fashion.” United States v. Federbush, 625 F.2d 246, 251 (9th Cir. 1980) (rejecting the defendants’ “hypertechnical” argument that “warrants limit[ing] the items to be seized to those held ‘in violation of’ [a particular statute] precluded the seizure of ‘mere evidence’ of the commission of the crime”). Mr. Cragg's position here is hypertechnical and impractical. How, for example, is law enforcement to “find” that a sophisticated computer system contains child pornography—without risking corrupting that evidence—if not by applying off-site forensic analysis tools.[13] In federal practice, the off-site application of such forensic tools is so routine that the practice has been codified as part of Federal Rule of Criminal Procedure 41. See Fed. R. Crim P. 41(e)(2)(B)(“Unless otherwise specified, the warrant authorizes a later review of the media or information consistent with the warrant. The time for executing the warrant in Rule 41(e)(2)(A) and (f)(1)(A) refers to the seizure or on-site copying of the media or information, and not to any later off-site copying or review.”); see also id., advisory committee's (2009 amendments) (“Computers and other electronic storage media commonly contain such large amounts of information that it is often impractical for law enforcement to review all of the information during execution of the warrant at the search location. This rule acknowledges the need for a two-step process: officers may seize or copy the entire storage medium and review it later to determine what electronically stored information falls within the scope of the warrant.”). Though Mr. Cragg is correct (see Doc. 340 at 11) that searches conducted by state officers with state warrants issued by state judges, with minimal or no federal involvement, are not governed by the provisions of Rule 41. See United States v. Towne, 997 F.2d 537, 542 n. 3 (9th Cir. 1993), Rule 41 certainly provides a practical touchstone for interpreting this warrant's language.

It is undisputed that Items 17 and 22 were examined by Detective Hively off site by creating forensic images of those drives. (See Doc. 299-5.) Adopting a practical interpretation of the warrant's language, using such forensic techniques qualifies as applying “technology not readily available at the time of service.”

Part of Item 23, which consisted of multiple drives, was examined in a similar way, with Detective Hively creating a forensic image of one drive. (Id. at 6.) Ultimately, however, Detective Hively determined that a forensic copy could not be made of the other drives within Item 23 because they were too large. (Id. at 7.) Instead, he and Detective Redd examined those drives manually by connecting a monitor, keyboard, and mouse. (Id.) Mr. Cragg contends that this reversion to more commonplace methods demonstrates that “examination of [all three of these] items could have easily been performed during execution of the search warrant using the same technology.” (Doc. 299 at 27.) Common sense suggests otherwise. The warrant, for example, permits searching officers to “employ the use of outside experts, acting under the direct control of the investigating officers, to access and preserve any computer data.” (Doc. 299-1 at 4.) Detective Hively did just this, by applying or attempting to apply forensic software (see Doc. 299-5) to each device. Only when that proved impossible as to Item 23 did he and Detective Redd revert to the use of more other, seemingly more straightforward, methods to search that Item. To interpret the warrant's terms to preclude this ordering of business would again be “hypertechical” and therefore inappropriate. See also Paige Bartholomew, Seize First, Search Later: The Hunt for Digital Evidence Court of Appeals of New York People v. Deprospero (Decided March 26, 2013), 30 Touro L. Rev. 1027, 1039 (2014) (“Amidst all the ambiguity regarding off-site searches of electronic data, one thing is perfectly clear--a valid warrant entitles investigators to seize computers and search them off-site at a later date.”).

2. Indiscriminate Seizure Argument

*18 Finally, Mr. Cragg argues that law enforcement officers who searched his apartment “flagrantly disregarded” the terms of the warrant by seizing hundreds of things not described by the warrant, thereby requiring suppression of all evidence seized. (Doc. 299 at 20.) Mr. Cragg suggests that the warrant did not authorize law enforcement to “indiscriminately” seize devices not capable of storing evidence related to child pornography or things which officers knew did not contain evidence related to child pornography. (Doc. 299 at 27.) But, as mentioned, the warrant did explicitly and particularly authorize seizure of devices “found to contain” evidence on a number of subjects not directly related to child pornography, including ownership or control of digital devices and routes of internet and other digital communications traffic. (Doc. 299-1 at 3.) Mr. Cragg points to no specific item in his motion that was seized that has absolutely no connection to a search subject particularized in the warrant. Mr. Cragg does assert Items 1 (CDs containing copies of various pieces of software), 2 (blank CDs), 3 (blank DVR-s), 6 (a micro SD card), 11 (23 DVD-Rs containing various movies), and 12 (additional DVD-Rs, CD-Rs, and CDs, some of which contained media or software, others of which were blank) and either contained no data or no information called for by the warrant but fails to explain why this is so, or more importantly, why the law enforcement officers executing the warrant should have known this to be the case at the time the warrant was executed. Relatedly, he asserts in argument that Items 9 (a motherboard), 13 (a graphics card), 14 (another graphics card),18 (a monitor that was operating at the time of the search), 24 (a 54-inch TV monitor), 25 (a modem) and 26 (a router) were not capable of storing evidence related to child pornography, but he fails to explain why this is the case or why these items might not otherwise fall within one of the warrant's other search subjects. To the extent there are any exceptions to this rule, such as blank CDs, those are de minimis and do not demonstrate flagrant disregard for the warrant's terms.

V. CONCLUSION

For the reasons set forth above, the motion to suppress and for a Franks hearing (Doc. 299) is DENIED.

IT IS SO ORDERED.

Dated: February 10, 2025

Footnotes

[1]

The definitions section of the Affidavit in Support of Search Warrant explains that a “Hash Value” is a “mathematical algorithm generated against data to produce a numeric value that is representative of that data. A hash value may be run on media to find the precise data from which the value was generated.” (Doc. 299-2 at 4.)

[2]

The Affidavit in Support of Search Warrant explains that “Every computer or device on the Internet is referenced by a unique Internet Protocol address the same way every telephone has a unique telephone number.... [S]ome ISP's, including most cable providers, employ static IP addressing, that is a customer or subscriber's computer is assigned one IP address that is used to identify each and every Internet session initiated through that computer. In other words, a static IP address is an IP address that does not change over a period of time and is typically assigned to a specific computer.” (Doc. 299-2 at 5.)

[3]

In addition to describing the above manual and automated methods for searching P2P networks, the Affidavit in Support of Search Warrant also described the “E-Donkey Network,” which uses a different kind of hash value (MD4 root hash). (See Doc. 299-2 at 13–15.) It does not appear that this method is relevant to the investigatory results described elsewhere in the warrant packet (see id. at 15–19), which only mentions SHA1 hash values.

[4]

“The execution of an anticipatory search warrant is conditioned upon the occurrence of a triggering event. If the triggering event does not occur, probable cause to search is lacking.” Vesikuru, 314 F.3d at 1119.

[5]

The decision in Vesikuru appeared to offer further support for this conclusion by noting that the authorizing state court judge and all agents involved recognized that the attached affidavit was part of the warrant; and that it was sate practice to attach the affidavit to the warrant and to read the affidavit and warrant as one document. 314 F.3d at 1121. However, in United States v. SDI Future Health, Inc., 568 F.3d 684, 700 (9th Cir. 2009), the Ninth Circuit indicated that this aspect of Vesikuru’s reasoning is “logically applicable to the second prong of the [cure by affidavit] test, that ‘the affidavit either [be] attached physically to the warrant or at least accompan[y] the warrant while agents execute the search.’ ” Because the second prong is not relevant here, the Court finds it unnecessary to evaluate this additional line of reasoning.

[6]

It is also notable that the “Statement of Probable Cause” section that Defendant concedes was properly incorporated is not a stand-alone sub-section. Rather, it begins part way down on internal page 17 (Doc. 299-2 at 15) of the warrant packet, below two lines of text from a previous section, and includes the top two lines on internal page 21 (Doc. 299-2 at 19), which are followed by material in the “Opinions & Conclusions” section. It would be nonsensical to conclude that the reviewing judge would have considered material on some parts of pages in this packet while ignoring (or effectively having to ignore material because it must be considered unsworn) other material on the same page.

[7]

As mentioned, Detective Williams indicated to Detective Redd that he uses both manual searches and the Child Protection System (CPS) suite of tools to discover IP addresses that are offering child pornography for download. It is not entirely clear which method he used to identify IP address 24.176.17.2 as “a download candidate for at least seven hundred and sixty-six files containing child pornography between August 1, 2015 to January 24, 2016,” once can reasonably infer from (a) the Statement of Probable Cause's language (i.e., using passive voice to indicate the IP address “was identified as a download candidate”) and (2) the duration of the timeframe (more than a year) during which files were apparently offered for download, that the identification was at least initially made by the automated CPS suite of tools.

[8]

Defendant appears to only make this argument directly in the context of arguing that the entire Affidavit in Support of Search Warrant was not sworn under oath. (See Doc. 299 at 7, 21 (arguing that sufficient facts are not found within the “four corners of the Statement of Probable Cause that provide the ability of the magistrate judge to draw the inferences and form the conclusions necessary to determine (i) that files containing child pornography were “available from” IP address 24.176.167.2; ... or (iii) the significance, if any, of SHA1 hash values “reported as available from” IP address 24.176.167.2 being the same as those from files “recovered in previous investigations”).)

[9]

Contrary to Defendant's suggestion (Doc. 308 at 19), Thomas is not an example of a case in which investigators downloaded images from the target's computer using CPS. Rather, as the Second Circuit made clear on appeal, the detective who applied for the search warrant “did not attempt to directly download the files from the IP address but, instead, relied upon ‘historical’ information to establish that they constituted child pornography. Specifically, [the] Detective [ ] compared the hash values—or the ‘digital fingerprints’—of the defendant's files with the hash values of images known to be child pornography that had previously been downloaded from the Internet by law enforcement. Using this base of comparison, he was able to establish that the defendant's files were child pornography for the purpose of the affidavit. Thomas, 788 F.3d at 348.

[10]

Defendant makes his own, related Franks argument, which is addressed below.

[11]

Mr. Michael's declaration offered in reply likewise does not assert that the 99.999% certainty figure is false. (See Doc. 304-1.)

[12]

Mr. Fottrell states in the manner of a conclusion that: “There has never been a documented case, absent an academic laboratory setting, where two identical files had the same SHA-1 hash value after verification.” (Doc. 306-1, ¶ 5.) The Court assumes that this is a typo and that he meant to state: “There has never been a documented case, absent an academic laboratory setting, where two different files had the same SHA-1 hash value after verification.”

[13]

In his opening brief, Defendant suggests that off-site analysis was only permitted under the warrant if law enforcement “encountered technological—rather than practical—problems with any particular thing that prevented them from conducting an on-site search.” (Doc. 299 at 26–27.) The warrant certainly does not say this explicitly and interpreting it this way would again be hypertechnical and impractical.