P2P Applications and Child Pornography | Criminal Defense Blog

Decentralized P2P Applications and Child Pornography

Peer to Peer Transactions

Historically, possession and distribution of child pornography cases stemmed from user activity on classic peer-to-peer applications.  These applications are well understood by anyone who grew up with Napster and Limewire.  Classic peer-to-peer networks are software applications which provide a central hub for various computers to connect.  Once connected, individual users may search for, and download, various files from other computers within the application.

These programs were used for decades to distribute music, video games, and movies to users online.  Many millennials were the guinea pigs for this technology; likely, having a huge library of music by the time they turned sixteen.  Before Apple and Amazon music, there was only one way to avoid buying a cassette or CD, peer-to-peer systems.

While distributing copyright material was common, these applications were not relegated to that use. Since their advent, these applications have provided the main distribution points for child pornography.  Users would share specific video and images series onto the networks, and other users would seek out these videos for their own collections.  These transfers were executed identically to the music downloads we all know.  The only difference was the search terms and the content being transferred.

Law enforcement has been tracking the dissemination of child pornography through peer-to-peer networks for decades.  Through their work, they have identified numerous illegal videos and images.  Each of the identified images and videos have unique markers allowing law enforcement to note every time one of the known files is transferred on various applications.  Once the IP addresses involved in the transaction are identified, search warrants are executed, and a child pornography prosecution begins.  This simple process is the route taken for the majority of the child pornography cases prosecuted in the United States.

Today, the government understands the architecture behind programs like BitTorrent, Limewire, and e-Donkey.  They have set up investigative procedures to identify and prosecute persons downloading or transferring child pornography through these platforms. These classic peer-to-peer networks are dependent on users sharing their libraries for a robust downloading environment.  The only files available on the application are those shared by other users within the protocol.  This allows law enforcement to link downloads and storage of certain contraband to a particular user with relative ease.

Our firm has handled numerous federal child pornography cases; this includes charges for production, possession, distribution, and receipt of the files.  Almost all the cases involving distribution or receipt could be linked back to a classic peer-to-peer system.  Long gone are the days where contraband was printed in a magazine and mailed to a person’s home.  These applications are the central component of child pornography dissemination, and thus, the focus of criminal prosecutions.

Recently, we came across a case that involved a different application stack for distributing contraband, Freenet.  Freenet was built to combat the openness of the classic peer-to-peer model and obfuscate the ownership or requesting status of all transfers within the system.  The application justifies the architecture by championing censorship resistance.  In other words, the technology was built to allow users to transfer files without fear of government oversight.  Freenet’s software function presents unique problems for enforcement.

Freenet Architecture

Freenet is a peer-to-peer network that allows users within the protocol to share various files.  However, the way they achieve their mission is far different than Napster or Limewire.  On Freenet, no one user possesses any complete files within the system.  The Freenet code takes known files and breaks them down into thousands of encrypted blocks.  These encrypted blocks are then scattered like ashes across the active computers on the network.

When a person wants to download a file, child pornography or otherwise, they must enter a special check key hash value.  This check key will start a relay of requests.  This relay will jump from computer to computer requesting blocks that are relevant to the request.  Once all relevant information is obtained from the first computer it jumps to the second.  And third.  And so on.  The system will repeat this process until it either a) finds all the encrypted blocks or b) determines the blocks are not currently available on Freenet.  If the system finds the encrypted blocks, the file is assembled and available for download.  If it cannot, the request fails.

The architecture of the site is somewhat confusing.  An example will likely assist in understanding the software.  Let’s say user 1 entered the following check key request “45938264654CBDGHTJYaJoael.”  The user entered that request because he knows it will ask Freenet to assemble a video relating to child pornography.  Once entered, the Freenet system will jump to user 2 to request a relevant block.  User 2 then relays that request to user 3.  User 3 requests the blocks from User 4, and so on.  At each step, Freenet is assembling relevant shards of the file requested in the check key above.  If Freenet can obtain every encrypted block, it will assemble the file and make it available for User 1.

Freenet Makes Enforcement Difficult

The Freenet architecture makes investigation and enforcement difficult for multiple reasons.  First, the user is not searching for files using terms that are suggestive of child pornography.  The check key request is an alphanumeric string (though some have file names at the end).  The only way one would know it relates to child pornography is if they had seen that string before or successfully assembled the file.

Second, the system masks the requestor of the item.  On a standard peer-to-peer network there is little doubt which user is searching for and downloading the content.  On Freenet, each user is a part of the relay request chain.  And 99% of those did not initiate the request.  Simply being connected to the network will place the user in the chain.  This makes it difficult to differentiate between the IP address that is searching for the files and ones that are merely pawns in the Freenet process.

Third, no users hold entire files on their computers.  Normally, a distribution count accompanies a simple possession count when the defendant uses a peer-to-peer network.  Generally, if the government can download child pornography from the defendant’s computer, the elements of distribution are met.  In a classic peer-to-peer process, a user will share all files stored in the application’s shared folder.  The investigator merely needs to search for and download a particular file to meet the distribution elements.

With Freenet, that investigative tactic is useless.  The target user does not hold a file that can be searched for or downloaded.  He may hold relevant blocks to a child pornography file, but even then, he did not choose which blocks Freenet placed on his system.  It is impossible for an investigator to make a distribution count by entering the check key request.

These three factors make Freenet, and other decentralized peer to peer applications, a challenge for the current investigative model.  The reliable practices of the last decade are undercut by the architecture within these applications.

Peer to Peer Transactions with Child Pornography

How the Government Can Still Make Their Case

The government’s goal in analyzing peer-to-peer activity is to develop enough information to establish probable cause for a search warrant.  The investigators need to establish there is a “reasonable likelihood contraband will be found in the place to be searched.”  In the child pornography context, this normally means obtaining a warrant to search the home linked to an IP address involved in child pornography transactions.

While Freenet does a good job of hiding the requestor and sharding individual files, it has one vulnerability.  Through investigative tactics, law enforcement can determine where a particular IP address falls on the relay request chain.  They do this by determining a “hops to live” value.  Hops to live gives each user in the request chain a numerical value starting with 17 or 18.  Each successive user in the relay chain will receive a lower value than the one prior.  Put differently, a user with a hops to live value of 18 is far more likely to be the original requestor than one with a value of 11.

While hops to live will not tell law enforcement the requesting IP address with precision, it gives them a statistically significant fact.  Each time an IP address comes back as a 17/18, they get closer to establishing probable cause.  If a user is coming up as a 17/18 in ten check key requests related to child pornography, the government has likely established probable cause to believe the home with that IP address has a reasonable likelihood of containing child pornography.

Once the warrant is obtained, and the home is searched, the government’s case no longer depends on the intricacies of the Freenet program.  If the warrant is valid (probable cause is established), the government can charge the user with possession of child pornography based on any videos or images found within the user’s home.

Freenet Still Provides Protection for Distribution Counts

The Freenet system may not protect the user from a valid search warrant, and a resulting possession count, but it certainly places substantial obstacles to proving distribution.  Under the current law, it is impossible to prove a user distributed child pornography by showing a transfer of 1/100th of a file through Freenet (or shard/block).  Additionally, Freenet is designed so each user has no knowledge of the particular blocks stored on their computer.  It is all encrypted and only relevant to the system itself.  Under those conditions, the government will struggle to show that any particular user distributed any particular file.

Freenet “Dark Mode” Strips Law Enforcement of the Hops to Live Calculation

On Freenet, there are two search modes – open and closed.  The closed dark mode ensures the only members of the relay request chain are “trusted” computers.  These trusted computers are highly unlikely to be members of law enforcement.  The way law enforcement calculates “hops-to-live” is by being on the system as a relay requestor.  If they are shut out from the request chain, they have no way of knowing a request exists; let alone, the identity of the initial requestor.

This last functionality makes Freenet a daunting application for law enforcement.  At this stage, there is no way to prevent users from downloading and distributing child pornography through Freenet if the proper precautions are taken.  If investigators cannot isolate an IP address for possible child pornography activity, they are handcuffed in a probable cause analysis.  Without the warrant capabilities, Freenet is an effective bar to enforcement.

The Technology Race Continues

Freenet is not the only application which addresses the exposures of classic peer-to-peer networks.  Tor and ZeroNet are two others with a similar goal and process.  As law enforcement continues to get exposure to these systems, they will develop ways to counteract their safety measures.  For now, investigators will have their hands full as they continue to adapt to decentralized peer-to-peer options.

Other articles drafted by our child pornography defense attorneys, can be found here.