State v. Combest

Court of Appeals of Oregon

May 13, 2015

STATE OF OREGON, Plaintiff-Respondent,
v.
NATHAN COMBEST, Defendant-Appellant

Argued and submitted August 19, 2014.

201203470. Lane County Circuit Court. Mustafa T. Kasubhai, Judge.

Mary M. Reese, Senior Deputy Public Defender, argued the cause for appellant. With her on the brief was Peter Gartlan, Chief Defender, Office of Public Defense Services.

Michael J. Slauson, Senior Assistant Attorney General, argued the cause for respondent. With him on the brief were Ellen F. Rosenblum, Attorney General, and Anna M. Joyce, Solicitor General.

Before Sercombe, Presiding Judge, and Hadlock, Judge, and Tookey, Judge.


[271 Or.App. 40] SERCOMBE, P. J.

Defendant appeals a judgment of conviction for multiple counts of encouraging child sexual abuse, assigning error to the trial court's denial of his motion to suppress evidence. Defendant shared files, including files containing child pornography, on a peer-to-peer computer network. Using software called Shareaza LE, officers accessed that peer-to-peer network; searched for shared files that, in light of file name and other attributes, were likely child pornography; identified an IP address for a user sharing those files; and then downloaded two files from that user. They later identified defendant as that user and uncovered other evidence from defendant's computer that he possessed child pornography. On appeal, defendant argues, as he did in the trial court, that all evidence of his distribution and possession of child pornography should be suppressed because the officers conducted a warrantless "search" under Article I, section 9, of the Oregon Constitution[1]--i.e., they invaded defendant's protected privacy interest--when they used Shareaza LE to locate and access his files on the peer-to-peer network. As detailed below, we conclude that, because the officers used Shareaza LE to access selective information that defendant made available to any other user of the peer-to-peer network by targeting shared network files containing child pornography, their use of that software did not amount to a search under Article I, section 9. Accordingly, we affirm.

We review the trial court's denial of defendant's motion to suppress for legal error, and we describe the facts consistently with the trial court's explicit and implicit findings, which the evidence supports. State v. Ehly, 317 Or. 66, 75, 854 P.2d 421 (1993). We start by detailing the operation of Shareaza LE, as explained by a detective and a forensics analyst from the Lane County Sheriff's Office, before describing how they used that software in this case.

Peer-to-peer file sharing permits a computer user to share files with other users on a particular peer-to-peer [271 Or.App. 41] network. To access the peer-to-peer network that defendant used in this case, eDonkey, a user must download client application software. Defendant used software called eMule. That software allows a user to search all the files that other online network users are sharing by entering search terms. A user is online if he has logged into eMule and has it running on his computer; the number of users running eMule at any given time ranges from several hundred thousand to many million.

After a user enters search terms, eMule creates a list of results, and a user can then click on a file to download. When downloading a file, eMule puts the file immediately into a "Temp" folder; when a file is completely downloaded, eMule moves the file to an "Incoming" folder. The eMule software automatically creates those folders, and the files in those folders are automatically shared with other users on the network. A user can prevent other users from gaining access to a downloaded file by moving that file out of the Temp or Incoming folders on the user's computer. But downloaded files that remain in those folders are available for download by other users.

The peer-to-peer network, eDonkey, "hashes" the files on the network; that is, it uses a complex mathematical algorithm to generate an alphanumeric identifier--a hash value--unique to each file. One of the officers in this case described a hash value as "more accurate than DNA."[2] He testified that, if a user downloaded a digital picture and "remove[d] one pixel out of that, the whole hash value changes." But if a user changes the file name without changing the file itself, the hash value stays the same. Two files that are exactly the same (even if they have different file names) will have the same hash value.

Hash values are therefore useful to police officers who monitor peer-to-peer networks for the exchange of child [271 Or.App. 42] pornography.[3] The National Center for Missing and Exploited Children (NCMEC) keeps a list of the hash values of shared files--pictures and videos--that are known to contain child pornography. One way for law enforcement to quickly identify files that contain child pornography, then, is to look for hash values that match those on the NCMEC list, because hash values stay constant as the same file is copied and exchanged, even if the file name is changed.

In this case, the Lane County Sheriff's Office used software called Shareaza LE to find files on the eDonkey network that it suspected contain child pornography. Shareaza LE performs an automated search for child pornography by automatically ticking through and entering a rotating list of search terms commonly used to obtain child pornography. For the files that match those search terms, Shareaza LE goes through a "vetting" process and targets those files that have a hash value identified by the NCMEC as "child notable."

Shareaza LE narrows its search to a particular jurisdiction. It does this by identifying the Internet Protocol (IP) address associated with users on the network and narrowing its search to a particular set of IP addresses. An IP address is a unique number assigned by an Internet Service Provider (ISP) like Comcast or Charter Cable to a customer's modem, and police can generally track particular IP addresses to a particular geographic region.[4] Assuming that a customer has only one ISP, the customer has one IP address, no matter how many devices are connected to the Internet using that service. Because Shareaza LE can narrow its search to IP addresses in a particular region, officers [271 Or.App. 43] do not have to "search thousands and thousands" of files to find one with an IP address in their jurisdiction.

Besides the IP address, Shareaza LE identifies the Globally Unique Identifier (GUID) given to a specific computer on the peer-to-peer network. In contrast to an IP address, the GUID is specific to a particular user's eMule software installed on a particular computer. Because the probability of two eMule software applications having the same GUID is extremely small, officers can confidently match the GUID from a downloaded file containing child pornography with the GUID of particular eMule software on a computer.

Once an officer finds a specific file with a particular IP address to download, the officer uses Shareaza LE to download that file from the user at that IP address. In that respect, Shareaza LE is different than other software, like eMule, that takes pieces of ...
