ONTARIO

SUPERIOR COURT OF JUSTICE

COURT FILE NO.: 10-50000653-0000

DATE: 20120627

BETWEEN:

HER MAJESTY THE QUEEN

– and –

OLDRICH PELICH

Accused

Amanda Camara, for the Crown

Christopher Biscoe, for the Accused

HEARD: May 14 – 29, 2012

DUNNET J.:

REASONS FOR JUDGMENT

OVERVIEW

[1] Oldrich Pelich has been charged with the following child pornography offences under the Criminal Code, R.S.C. 1985, c. C-46:

• Possession, s. 163.1(4)(a)

• Accessing, s. 163.1(4.1)(a)

• Making available, s. 163.1(3)(a)

• Making, s. 163.1(2)(a)

THE EVIDENCE

Christopher Purchas

[2] On June 5, 2008, Christopher Purchas, a member of the Toronto Police Service Child Exploitation Section of the Sex Crimes Unit, was conducting an undercover investigation of a publicly available internet file sharing network called “Gnutella”. Gnutella allows users of a peer to peer file sharing program called “LimeWire” to search for and share music, photo, video and text files with other internet users of the same or a similar program.

[3] At 5:04 pm, Officer Purchas made a direct connection with a computer using Internet Protocol address 99.232.248.238 (“the IP address”) through the Gnutella network. An IP address is a numeric identifier assigned to an internet subscriber by the subscriber’s internet service provider.

[4] Officer Purchas observed that the computer at the IP address was actively downloading files. Downloading is the transmission of a file from one computer system to another – it refers to receiving a file from another computer. The reverse process is uploading, also the transmission of a file, but from a user’s point of view, uploading refers to the sending of a file.

[5] To download a file using LimeWire, a user selects a file that he or she wishes to download. The program then obtains the selected file from one or more other users who have a copy of it on their computer.

[6] The evidence of Officer Purchas was that typically, users can adjust their settings to control whether or not other users can obtain a list of the files being shared by their computers on the network. The ability of one user to see the contents of another user’s “shared folder” is called “browsing”.

[7] Officer Purchas browsed the shared folder of the computer to which he had connected. He observed that the content of this shared folder was increasing and numerous files had names consistent with child pornography. The number of files increased from twenty-seven at 5:25 pm to fifty at 5:35 pm. He selected five files and downloaded them.

[8] He then conducted an on-line search query and received information that the IP address was registered to internet service provider Rogers Communications Inc. (“Rogers”). He captured the globally unique identifier (“GUID”) assigned to the Gnutella client at the IP address. The GUID was FC17321F4E5185DBF4A26A835BAA1500.

[9] On June 6, 2008, Officer Purchas made a request to Rogers under the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”). Rogers advised Officer Purchas that on June 5, 2008 at 5:04 pm, Oldrich Pelich at a particular address in Toronto, Ontario was the customer name and account holder associated with the IP address.

[10] On June 19, 2008, the officer began monitoring the IP address using an automated investigative tool that periodically attempts to connect to and browse computers at specific IP addresses connected to the Gnutella network. The automated tool was able to establish a connection with the computer at the IP address and capture a listing of files, compare the hash values of the files in the shared folder with the Peer to Peer Hash Database and log the results.

[11] A hash value is a mathematical fingerprint of a digital photograph or movie. The Peer to Peer Hash Database (“the Database”) is a database of hash values calculated from known child pornography images and videos that American law enforcement personnel consider to be child pornography.

[12] Officer Purchas testified that although the hash values in the Database conform to the Canadian definition of child pornography, he refers to the files as “suspected child pornography” until he physically views the files and ascertains whether they meet the definition of “child pornography” in s. 163.1(1) of the Criminal Code.

[13] On June 20, 2008 at 5:40 pm, a direct connection was established with the IP address and a file list with seven files was captured. All of the files had names consistent with child pornography. Five files matched the Database.

[14] On June 21, 2008 at 8:28 pm, a direct connection was established with the IP address and a file list containing fifty-seven files was captured. Twenty-four files matched the Database. On June 22, 2008 at 12:11 am, a direct connection was established with the IP address and a file list containing sixty-five files was captured. Twenty-four files matched the Database.

[15] On July 13, 2008 at 12:49 am, a direct connection was established with the IP address and a file list containing two files was captured. One file matched the Database. On July 15, 2008 at 2:34 am, a direct connection was established with the IP address and a file list containing ten files was captured. Four files matched the Database.

[16] In response to a request under PIPEDA, Rogers confirmed that on June 21, 2008 at 8:28 pm, on June 22, 2008 at 12:11 am and on July 13, 2008 at 12:49 am, Oldrich Pelich was the customer name and account holder associated with the IP address.

[17] On July 15, 2008 at 5:49 am, Officer Purchas made a direct connection with the computer at the IP address. He browsed the contents of the shared folder and observed that numerous files contained names consistent with child pornography. The number of files with these names increased from thirty-eight at 5:49 am to ninety-six at 6:13 am. The files that Officer Purchas had observed on June 5, 2008 had been moved out of the shared folder. He downloaded and viewed fourteen files. Rogers confirmed that on July 15, 2008 at 5:50 am, Oldrich Pelich was the customer name and account holder associated with the IP address.

[18] Officer Purchas applied for a warrant to search the residence of Mr. Pelich. On July 16, 2008 at 6:05 am, the warrant was executed. On entering the apartment, the officer observed Mr. Pelich standing near a computer in the living room. The officer showed him the search warrant and told him that it was authorized and issued in relation to someone using LimeWire to download child pornography. Mr. Pelich uttered, “There’s nothing on the computer. I get rid of it.”

[19] During the search, computer related equipment and media were removed, including a Toshiba laptop computer (“the laptop”), a computer tower (“the tower”) and a quantity of CDs and DVDs (“the disks”).

[20] During the trial, Officer Purchas was qualified as an expert in child pornography internet investigations and peer to peer file sharing programs. He visually reproduced the LimeWire installation and setup processes. The LimeWire “Welcome” screen read that LimeWire is “the most advanced file sharing program on the planet”. The word “share”, or the icon that showed that the user was sharing files, appeared seven times on the installation screens.

[21] The “Setup Dialog” included a prompt for the user to choose a “Save Folder” to which all downloaded files would be directed. The screen informed the user, “This folder will also be shared with other Gnutella users by default”.

[22] Once the program was in use, a “tag line” was displayed at the top of each screen, which read: “LimeWire: Enabling Open Information Sharing”. At the bottom of each screen, there were a number of icons that continuously displayed the status and number of any downloading and/or uploading files occurring within the program. A button at the bottom of the screen showed the user the number of shared files. A “down” arrow continuously detailed the number of downloads and an “up” arrow continuously told the user the number of files that were being uploaded or shared.

[23] The “Monitor” tab displayed additional detail regarding files being downloaded and/or uploaded. The “Library” tab allowed the user to see and sort all of the files or folders that were being shared from the shared folder.

[24] Officer Purchas explained that Gnutella files are stored on computers that are interconnected on the internet. Whenever a user who was connected to the network had a significant bandwidth or speed that could be leveraged to assist in the functioning of the network at large, LimeWire would designate that specific computer as an “Ultra Peer” to assist in channelling search requests.

[25] The officer testified that under the program’s default settings, LimeWire could elevate a user’s status to an Ultra Peer without the user being aware of it. This designation would affect the speed and efficiency of the resources on the Ultra Peer computer.

[26] The default settings also allowed others to access files stored in the shared folder. The user could make adjustments to these default settings.

[27] Officer Purchas testified that a number of adjustments to the default settings of the LimeWire program had been made on the laptop seized from Mr. Pelich’s apartment:

• “System Startup” was changed from allowing the program to start automatically when the user logged onto the computer to requiring that the program be started manually.

• The Directory for saving and sharing files was changed to “Documents and Settings\oldrich\Desktop\My Music”, allowing the user to search for files stored in the My Music folder on the desktop.

• “Maximum Download” slots were changed from eight (the default setting) to twelve, allowing the user to download twelve files simultaneously.

• “Clear Screen” was changed to remove the downloaded file from being automatically displayed on the desktop.

• “Content Filtering” was initially changed to filter out adult pornography content and was changed again so that adult pornography was not removed.

• “Supernode” was changed to disable any functionality as an Ultra Peer and to override the ability of LimeWire to designate the computer as an Ultra Peer.

[28] Officer Purchas testified that the “Maximum Upload” slots were not changed from twenty (the default setting), which allowed twenty files to be uploaded or shared simultaneously. He explained that the only way to prevent anyone from uploading files would be to change the setting to zero and if the setting had been changed, the user would not have been able to download any files from the IP address.

Peter Hansen

[29] Peter Hansen, a member of the Toronto Police Service Technological Crimes Section of the Intelligence Division, testified as an expert in the area of computer forensics involving the identification, extraction, preservation, and interpretation of storage and recovery of data from electronic media. In order to preserve the original data that was seized, he used a forensic data extraction software program called “EnCase” to generate a mirror image of the hash values found in the files in the seized material.

[30] With respect to the data on the laptop hard drive, Officer Hansen determined that there was no password to get into the Windows program. The “last logon” was on July 15, 2008 at 4:46 am. “CHECHMATE” was the user generated name in the network information.

[31] In the LimeWire properties file, the IP address and GUID matched the numbers identified by Officer Purchas on June 5 and July 15, 2008. LimeWire was installed on December 14, 2006 under the user name “oldrich” and it was last accessed on July 16, 2008 at 4:05 am. During that time period, there were 325 connections to LimeWire and 306 sessions. At the time that the laptop was seized, downloaded files went into the My Music folder on the desktop.

[32] Officer Hansen used a “C4P” script to analyze the files on the laptop hard drive. He described the specific findings generated by the C4P script with respect to suspected child pornography images and movies that were accessible to the user. For example, the image file “Tara 5yr being fucked” was found within a folder called Employment in the My Music folder. The file was “created” on June 15, 2008 at 1:21:29 am, “last written” (modified or saved) at 1:21:34 am and “last accessed” (previewed or touched by the file system viewing it) at 1:47:16 am.

[33] The movie file “(PTHC) 9Yo Niece – Backfuck.mpg” was found in the My Music folder. “PTHC” is an acronym for preteen hard core. The file was created on June 16, 2008 at 3:59:42 am, last written at 4:03:03 am and last accessed at 4:03:04 am. Officer Hansen acknowledged that the time when the file was last accessed did not necessarily mean that the user had opened the file.

[34] He agreed that it is possible for a virus to download an image and access it. He testified that his lab work station is protected by software that scans for viruses and in this case, there was no such notice of a virus emanating from his computer or any evidence that a virus was attacking child pornography files.

[35] To explain his evidence, Officer Hansen made specific reference to two files found in the Employment folder within the My Music folder on the desktop. The file “Natasha13 – lolitas young 12yr old virgins little child preteens underaged pussy is-models bd-company” was created on June 15, 2008 at 1:07:52 am, last written at 1:08:02 am and last accessed at 1:39:27 am. The file “! 01 Qsh 02 morlok FKK selfpik Tori 017” was created on the same day at 1:44:44 am, last written at 1:44:48 am and last accessed at 1:51:20 am. Officer Hansen’s opinion was that the two files were last accessed eleven minutes apart, which was more consistent with file creation, active downloading and previewing rather than the presence of a virus.

[36] He found image data in unallocated space on the laptop hard drive that had either been deleted or erased with a window washing program (a software program that deletes a user’s web history and downloaded files). He explained that when files are deleted, they are sent to the unallocated space until the operating system needs the area for storage. Once in the unallocated space, the data in the deleted files remains on the hard drive, though the files are inaccessible to the user.

[37] Fifty-six suspected child pornography movies were located under the file name “$MFT”. They were created and last accessed on December 14, 2006 at 2:32:02 am. Officer Hansen’s opinion was that it was likely that the operating system on the laptop was not operating optimally and was repaired before the master file was recreated on December 14, 2006. Although these movie files were not in the unallocated space, they became inaccessible to the user after the master file was recreated.

[38] With respect to the information on the tower hard drive, EnCase identified the registered owner as “whoisit”. Microsoft Windows XP was installed in January 2005 and shut down in February 2008. The last time that the tower was actively connected to the internet was in December 2006. The C4P script identified images with hash values on the hard drive and compared them to a police database with hash values of child pornography.

[39] Officer Hansen prepared reports outlining his findings and sent them to Nathan Dayler, who was the officer in charge of the investigation.

Nathan Dayler

[40] Officer Dayler viewed the images on the C4P scripts that he received from Officer Hansen and categorized each image as child pornography or “other”. He testified that there were 136 child pornography images on the laptop and 4730 child pornography images on the tower. The vast majority were of six to ten year old girls in oral, anal and vaginal sexual acts with adult males or in compromising positions with aroused males. The focus of the images was on the girls’ genital and anal areas.

[41] On the laptop, there were 125 unique images (one hash value and not duplicated). There were 46 accessible images (readily available to the common user by logging on and double clicking) and 90 inaccessible images (deleted or stored in a temporary internet file folder or cache). On the tower, there were 1617 unique images. Six images were accessible and 4724 images were inaccessible.

[42] On the compact disks, Officer Dayler viewed each image and movie file and identified them by name, size, type and “last modified” date or range of dates. His findings were as follows:

Name of Disk

Number of Images

Date Last Modified

Blank Gold Maxell

213 images

July 4, 2008

Blank Gold Maxell 2

300 images

July 5 – 8, 2008

Blank Gold Maxell CD 2001

239 images

June 19 – August 7, 2001

“Kiss”

53 videos

June 5 – 10, 2008

“Kiss 2”

95 images

June 5 – 10, 2008

“Kiss 3”

65 images, 17 videos

June 20 – 21, 2008

“Kiss 4”

189 images, 5 videos

June 26, 2008

Silver Blank Imation CD

2417 images, 17 videos

August – September 2005

Oldrich Pelich

[43] Mr. Pelich is forty-five years old. He came to Canada from Czechoslovakia with his parents when he was a child. He has a diploma in film and television production. At the time of his arrest, he was working for a television network as a “master control operator” responsible for program acquisition and technical control. He testified that his job required him to sit in front of fifty or sixty computer screens and deal with databases for programs that were broadcast on the television network.

[44] On July 15, 2008, Mr. Pelich left work at midnight and went to a pub. He left the pub at 2:30 am and went home and watched television before falling asleep on the sofa. He was awakened when he heard a bang at the front door.

[45] When the police entered his apartment, he remembered that he had received an email from abuse@rogers.com alleging that he had downloaded music or television that infringed a copyright law and demanding that he remove the offending material from his hard drive. He had asked his father if the email was legitimate and his father told him that the message was about American law, which was not applicable in Canada. He thought that these officers were “copyright police” who were there to take his computer. He testified that he told Officer Purchas that he “[got] rid of it” to explain that he had removed the alleged copyright material from his computer.

[46] Mr. Pelich testified that when his computer tower began to malfunction in late 2006, he bought the laptop and installed LimeWire in order to download music and television documentaries. He understood that LimeWire was a peer to peer program for sharing files with people in different parts of the world but he never intended to share files. He testified that downloading from the internet is a risky proposition, because there are a lot of individuals who make it their work to spread viruses or hack into computers and control them from remote locations.

[47] Mr. Pelich denied that he used his laptop to access, view or download child pornography or to share it through LimeWire. He testified that if he had been involved in “this nefarious activity”, he would have used a password. He suggested that there must have been a virus that attacked his laptop.

[48] He had no explanation for the child pornography found on the tower, which was not functioning. He said that it was purchased by his former wife from a small company and they had assured her that the hard drive had been wiped clean. He denied that he copied child pornography onto the compact disks found in his apartment.

[49] In cross-examination, Mr. Pelich denied that he reinstalled the Windows program on the laptop on December 14, 2006 at 10:24 am, which was the date and time recorded by EnCase, according to the evidence of Officer Hansen. Mr. Pelich acknowledged that this was the same day that he installed LimeWire.

[50] He testified that he was fully aware that LimeWire was a file sharing program. He maintained that he prevented file sharing by removing the check marks for all file extension types on the “Sharing Extensions” screen. He also changed the default settings to prevent LimeWire from starting automatically when the computer was turned on and to prevent his computer from being elevated to Ultra Peer status. He denied that he changed the Download slots to twelve or adjusted the Filtering option.

[51] He recalled seeing the LimeWire hyperlink that read: “View My Shared Files” and the arrows on the same screen that would operate if files were being uploaded or downloaded. He testified that that there was always a zero in the button below the hyperlink that showed the number of shared files. He acknowledged that he could have prevented sharing by changing the Upload slots to zero but he maintained that it was not necessary to do so because of the steps he had taken to remove the check marks on the Sharing Extensions screen.

[52] Mr. Pelich could not explain why Officer Purchas was able to download shared files from his IP address on June 5 and July 15, 2008. He suggested that the IP address could have been assigned to a different customer at the time. He also suggested that a virus or someone at a remote location could have manipulated his IP address and GUID to download child pornography and store it in his computer, or that someone could have “piggybacked” off a Wi-Fi connection, because his laptop was connected to a wireless router.

[53] When it was pointed out to him that EnCase listed October 1, 2007 as the last date the wireless network connection had been used, Mr. Pelich replied that he had configured the connection so that he was able to access the internet without being tethered to a cable. He suggested that the EnCase data had been manipulated by persons unknown.

[54] He testified that on occasion, he had viewed adult pornography and this might explain how viruses could have been introduced to the hard drive.

[55] He agreed that music or television episodes that he downloaded would, more than likely, go into the My Music folder on his desktop and that he would access the folder from time to time.

[56] He was referred to the EnCase data of suspected child pornography movies located in the My Music folder and specifically to the file (PTHC) 9YoNiece – Backfuck.mpg that was created on July 16, 2008 at 3:59 am and last accessed at 4:03 am just before the search warrant was executed. He agreed that he was alone in the apartment at the time. He maintained that he could not have downloaded the file, because he was sleeping.

[57] Mr. Pelich could not explain the origin or ownership of the compact disks that the police found in his apartment near his laptop. He agreed that no one had ever taken his passports or his television or computers and that he had never reported anything stolen to the police.

[58] He testified that he used the window washing software program that the police found in his apartment to “clean up clutter” on his laptop. He denied that he used the program to “clear” child pornography, because it took up too much space on his hard drive.

[59] He testified that he was planning to move at the end of July 2008 and his apartment was being shown by the superintendent to potential lessees. He had no explanation as to why someone would want to “target” him, although he recalled that in 2007, he had been a whistleblower in his workplace. He also remembered that the day before the search warrant was executed, he had been offered a promotion by his employer to work in Edmonton or Calgary, and he was told that he would have to quit his position first before being considered for the promotion. He suggested that his employer may have been involved in “the entire ordeal”.

ANALYSIS

[60] There is no issue between the parties that the images and movies found on the laptop, tower and disks located in Mr. Pelich’s apartment are child pornography, as defined in s. 163.1(1) of the Criminal Code.

[61] It is necessary to approach the evidence and the issues of credibility that it raises, in accordance with the principles established in R. v. W. (D.), [1991] S.C.R. 742. In particular, even if I am not left in doubt by the evidence of Mr. Pelich, I must ask myself whether, on the basis of the evidence which I do accept, I am convinced beyond a reasonable doubt by that evidence of his guilt. I am mindful that the burden never shifts from the Crown to prove every element of the offence beyond a reasonable doubt.

Was the laptop that was seized the same laptop from which Officer Purchas downloaded child pornography files on June 5 and July 15, 2008?

[62] It is Mr. Pelich’s position that the IP address was assigned to a different user on June 5 and July 15, 2008. Alternatively, someone remotely accessed the laptop or piggybacked onto the wireless connection to change the IP address or manipulate the GUID.

[63] The evidence of Rogers network security analyst, Lorne Ellison, was that Mr. Pelich was the account holder for the IP address on June 5 and July 15, 2008. The serial number of the modem leased to Mr. Pelich on those dates matched the serial number of the modem found in his apartment on July 16, 2008. The IP address matched the address listed in the screen captures made by Officer Purchas as he was downloading the child pornography files on those dates. While he was directly connected to the computer at the IP address, Officer Purchas captured the GUID assigned to the Gnutella client when LimeWire was installed on the laptop. The IP address matched the GUID recovered in the LimeWire properties file on the seized laptop.

[64] I do not believe that Mr. Pelich’s assertions have any air of reality. His speculations about viruses and hackers were unconvincing, self-serving and appeared to have been designed to explain away the evidence found on his laptop. I accept the evidence of Officer Purchas as forthright, truthful and the product of experience and expertise. I find that the laptop that was found in Mr. Pelich’s apartment was the same laptop that Officer Purchas browsed on June 5, 2008 and on July 15, 2008 and from which he downloaded child pornography files on those days.

Was the laptop that was seized Mr. Pelich’s computer and was he using it on June 5 and July 15, 2008?

[65] Mr. Pelich admitted that the laptop in his apartment belonged to him and that he was the person who installed LimeWire on the laptop.

[66] His position is that others had access to his apartment and may have been using his laptop to download child pornography. I do not find it reasonable to conclude that the superintendent or Mr. Pelich’s parents or brother, whom he “trusted”, or a elderly woman who lived next door, or a former girlfriend were in a position to download child pornography on June 5, 2008 or on July 15, 2008 at 5:49 am. I note parenthetically that Mr. Pelich said that he was alone in his apartment in the early hours of July 16, 2008 and the evidence of Officer Hansen was that the movie (PTHC) 9YoNiece – Backfuck.mpg was downloaded at 4:03 am on that day.

[67] It was evident from Mr. Pelich’s testimony that he was concerned about the integrity and security of his personal space. I do not find it to be reasonable that he would allow others to have access to his laptop and if he did, such access would have been limited.

[68] Mr. Pelich suggested that a virus must have been present on his laptop or that someone was remotely accessing it. Officer Hansen did not discover a virus or anything out of the ordinary. I was impressed by Officer Hansen’s knowledge and experience and I have no reason to disbelieve his evidence. Moreover, the wireless network connection had not been used since 2007. Even if Mr. Pelich did configure the connection so that he would have had access to the internet without being “tethered” to a cable, it defies logic that someone would piggyback onto the wireless connection, change the GUID and change the computer settings with the result that Officer Purchas was able to download child pornography from the shared folder.

[69] Accordingly, I reject the evidence of Mr. Pelich as untruthful. On the evidence that I accept, I find that the laptop belonged to Mr. Pelich and that he was the person who was using it on June 5, 2008 and on July 15, 2008 to download files into the shared folder.

Did Mr. Pelich know that what he was downloading was child pornography?

[70] Mr. Pelich maintained that he downloaded music and television documentaries and that he did not download child pornography. He testified that he was unaware that the laptop, tower and disks contained child pornography.

[71] The language used in the vast majority of the file names in the shared folder on June 5 and July 15, 2008 was graphic and accurately depicted images of child pornography. The search terms - pedo, PTHC, 08 yo and 9yo, were common to the files names. The images in the shared folder captured by Officer Purchas were not mixed with any music or television files.

[72] The sheer number of child pornography files in the shared folder could not logically be the result of accidental downloading or an accidental visit to a website. As Officer Purchas captured them on June 5, 2008, the number of files increased from twenty-seven at 5:25 pm to fifty at 5:35 pm. On July 15, 2008, the number increased from thirty-eight at 5:49 am to ninety-six at 6:13 am. The logical inference is that someone was actively searching and downloading files into the shared folder.

[73] I find that Mr. Pelich downloaded child pornography images and movies from LimeWire. These images stayed in the shared folder for a period of time, during which he moved them to a disk. He then deleted them from the shared folder because he did not want to impede his ability to search for more files. Once the images were deleted, they went into the unallocated space on the laptop.

[74] The fact that disks containing child pornography were found in a number of locations in the apartment demonstrates a repeated handling of the files and leads to the inference that Mr. Pelich knew that they contained child pornography. He stored the files on disks labeled innocuously with the name of an American rock band in order to hide the content from others.

[75] All but two of the files downloaded by Officer Purchas were also found on the disks that were seized. In some cases, the same files were found on several media. For example, the image “O-Kiddy-Pthc Bw 026-Fucking My 5Yo Daughter (2).jpg” was downloaded from the shared folder on June 5, 2008. The same image was found on the Blank Gold Maxell 2 disk, in two places on the disk labeled Kiss 2 and in two places on the disk labeled Kiss 4. The image was also found in the unallocated space on the laptop.

[76] Thus, I conclude that the reason Mr. Pelich told the police that he “[got] rid of it” was because he knew that he was downloading child pornography and he knew that there was child pornography on his laptop.

Did Mr. Pelich know that he was sharing files from LimeWire?

[77] When Mr. Pelich installed LimeWire in December 2006, he knew that it was a file sharing program. He was familiar with the hyperlink that read: View My Shared Files. He was aware that the button below the hyperlink and the arrows beside the button would show the number of files being shared.

[78] Mr. Pelich’s position is that he prevented file sharing by deleting the file extension check marks. He admitted that he did not change the default setting in the Upload slots. He said that there was no need to do so, because the steps he had taken prevented LimeWire from knowing what to share.

[79] The position of the Crown is that Mr. Pelich did not change the file extensions, because Officer Purchas was able to download the shared files on June 5 and July 15, 2008. The Crown submits that in any event, Officer Purchas was not asked in cross-examination whether any changes to the file extensions had been made. The defence submitted that the issue was not raised during cross-examination, because there was no evidence about file extensions in the LimeWire properties file and the issue arose for the first time during the cross-examination of Mr. Pelich. It may well be that there was a breach of the requirements of Brown v. Dunn (1893), 1893 CanLII 65 (FOREP), 6 R. 67 (H.L.) but in this case, I find that nothing turns on it, because I do not believe the evidence of Mr. Pelich in any event.

[80] I reject his evidence that he made changes to LimeWire to prevent sharing. Moreover, I do not accept the submission that his intent was not to share files but his attempt to prevent sharing was ineffective. There is no air of reality to the submission that Mr. Pelich lacked the knowledge or sophistication to understand how to effectively prevent others from accessing his files. On the basis of his own testimony, Mr. Pelich was not at all naïve about computers or about the LimeWire program. He had a technical background and he knew that LimeWire was a peer to peer file sharing program. His sophistication with and knowledge of LimeWire is aptly demonstrated by the changes that he made to the default settings.

[81] Therefore, I find that Mr. Pelich knew or should have known that he was sharing files from LimeWire.

Possession of Child Pornography

[82] Mr. Pelich is charged with possession of child pornography on June 5, 2008, July 15, 2008 and July 16, 2008.

[83] In order to commit the offence of possession, one must knowingly acquire the underlying data files and store them in a place under one’s control. See R. v. Morelli, 2010 SCC 8 at paras. 15-24, 66.

[84] The defence asserted that many of the images on the laptop and tower were inaccessible and thus, they were not in a place under Mr. Pelich’s control. Moreover, the images in the unallocated space were inaccessible to the user without forensic software. The defence submitted that there were 4600 inaccessible images on the hard drive of the tower and no evidence of a working computer. The defence argued, therefore, that possession of a working hard drive without the ability to view what is on the hard drive does not constitute possession.

[85] In R. v. Daniels, 2004 NLCA 73 at paras. 12-14, the Newfoundland and Labrador Court of Appeal held that possession began as soon as the accused began downloading the illegal image files to his hard drive. It was not necessary for the accused to have viewed the images.

[86] The approach in Daniels has been cited with approval as a “sensible interpretation” by the Supreme Court in Morelli at para. 25. Fish J. pointed out that this interpretation fit with Parliament’s intention in creating two different offences, accessing and possessing child pornography. The Court explained at para. 27:

What made a charge of possession “problematic”, of course, is that possessing a digital file and viewing it are discrete operations – one could be criminalized without also criminalizing the other. In the case of child pornography, Parliament has now criminalized both. But viewing and possessing should nevertheless be kept conceptually separate, lest the criminal law be left without the analytical tools necessary to distinguish between storing the underlying data file and merely viewing the representation that is produced when that data, residing elsewhere, is decoded.

[87] Mr. Pelich asserted that he did not knowingly acquire the child pornography files and that the downloading must have been accidental or the work of a hacker or trojan.

[88] In R. v. Missions, 2005 NSCA 82, the Nova Scotia Court of Appeal upheld the trial judge’s finding that the accused had knowledge and possession of child pornography. At paras. 21 and 22, Roscoe J.A. held:

The question thus becomes, was it unreasonable, based on the evidence presented, for the trial judge to have concluded that someone could not have unintentionally acquired sixty-four images of child pornography and stored them in four separate places? The trial judge, in my view, did not misconstrue the evidence of the expert. He accepted the possibility of accidental downloading. It was not necessary to have further evidence of the probability of more than one accidental acquisition. That is a matter of common sense. The normal inference that one intends the natural consequences of one's actions is applicable to computer usage just as it is to any other human activity, especially in light of the lack of any evidence to rebut the inference.

There was other evidence within the report of Mr. Kearley that supported the finding that the downloading was not accidental or unintended. To begin with, the fact that the images were stored on four separate disks demonstrates at least four separate incidents of downloading or copying from another computer or disk. As well the file structure on the disks suggests some effort at organization and some knowledge of the content of the images. … In almost every instance, the file name included an indication that it depicted a child involved in sexual activity. This supports the trial judge's conclusion that the acquisition of the images was not unintended.

[89] In R. v. Smith, [2008] O.J. No. 4558 (S.C.), the accused downloaded child pornography from the internet through a peer to peer file sharing network. At para. 28, Clark J. stated:

Given the amount of child pornography the accused had in his possession, and the manner in which he later dealt with it, that is to say storing it to disks, I am sceptical of this account given of the accused encountering child pornography for the first time by accident, as it were.

[90] Mr. Pelich denied that he had any knowledge or control over the child pornography being downloaded into his designated LimeWire account. I do not believe his evidence that the presence of the offending material was the result of a virus or hacker or others. As I said earlier in these reasons, his suggestions were designed to explain away the damning evidence found on his laptop, tower and disks.

[91] On June 5, 2008, Officer Purchas connected with the computer using the IP address assigned to Mr. Pelich. He downloaded five of its shared files and found that they were child pornography. On July 15, 2008, Officer Purchas connected with the computer using the IP address and downloaded fourteen of its shared files that were child pornography. On July 16, 2008, pursuant to a warrant, Mr. Pelich’s laptop, tower and disks were seized. Officer Dayler found that they contained hundreds of child pornography images and video. No evidence of a virus was discovered. Mr. Pelich acquired the underlying child pornography data files and stored them on disks.

[92] Applying W.(D) and in the context of all of the other evidence, including the evidence that some of the images were inaccessible, I am satisfied beyond a reasonable doubt that Mr. Pelich had child pornography in his possession on June 5, 2008, July 15, 2008 and July 16, 2008.

Accessing Child Pornography

[93] Mr. Pelich is charged with accessing child pornography between June 5, 2008 and July 16, 2008.

[94] As set out above, in Morelli, Fish J. discussed the rationale behind Parliament’s intention to make accessing child pornography a crime as distinct from the crime of possessing child pornography. He cited three appellate decisions [R. v. Panko (2007), 2007 CanLII 41894 (ON SC), 52 C.R. (6th) 378, R. v. Weir, 2001 ABCA 181 and R. v. Daniels, 2004 NLCA 73] which proceeded on the understanding that the object illegally possessed by the accused was the image file, not a visual display or rendering of the image. He held, at paras. 25 and 26:

This is a sensible interpretation for a number of reasons. First, and most important, because Parliament, in s. 163.1 (4.1) of the Criminal Code, has made accessing illegal child pornography a separate crime, different from possession. By virtue of s. 163.1 (4.2), a person accesses child pornography by knowingly causing the child pornography to be viewed by, or transmitted to, himself or herself.

Parliament's purpose in creating the offence of accessing child pornography, as explained by the then Minister of Justice, was to “capture those who intentionally viewed child pornography on the [inter]net but where the legal notion of possession may be problematic” (Hon. Anne McLellan, House of Commons Debates, vol. 137, 1st Sess., 37th Parl., May 3, 2001, at p. 3581).

[95] Officer Purchas testified that on June 5 and July 15, 2008, the computer at the IP address assigned to Mr. Pelich was actively downloading files, because the content of the shared folder was increasing.

[96] A direct connection was also established with the IP address on June 20, June 21, June 22, July 13 and July 15, 2008. Pursuant to a PIPEDA request, Rogers confirmed that Mr. Pelich was the account holder associated with the IP address. A hash comparison revealed that a number of the files matched the Database of suspected child pornography files.

[97] Mr. Pelich denied that he viewed or transmitted child pornography to himself. For the reasons stated above, I do not believe his evidence, nor am I left with a reasonable doubt. I accept the evidence of Officer Purchas as truthful and thorough. In the context of all of the evidence, I find that the Crown has proven beyond a reasonable doubt that between June 5, 2008 and July 16, 2008, Mr. Pelich accessed child pornography.

Making Child Pornography Available

[98] Mr. Pelich is charged with making child pornography available on June 5, 2008 and on July 15, 2008.

[99] Section 163.1(3) of the Criminal Code provides:

Every person who transmits, makes available, distributes, sells, advertises, imports, exports or possesses for the purpose of transmission, making available, distribution, sale, advertising or exportation any child pornography is guilty of

(a) an indictable offence and liable to imprisonment for a term not exceeding 10 years and to a minimum punishment of imprisonment for a term of one year.

[100] Mr. Pelich’s position is that he did not use his laptop to make child pornography available to others on LimeWire. He submitted that he took steps to prevent file sharing and if the steps he took were ineffective, it was always his intention not to share files with others. He asserted that if others were able to upload child pornography files from his laptop, then it was the result of someone else manipulating his IP address and GUID.

[101] In the alternative, he submitted that as soon as the files were downloaded, they were moved out of the shared folder or deleted, and thus, there was no intention on his part to make the files available. He pointed out that on June 20, 2008, none of the five files that Officer Purchas downloaded two weeks earlier remained in the shared folder.

[102] Mr. Pelich relies upon R. v. Pressacco, 2010 SKQB 114. In that case, the police identified child pornography on the accused’s computer. There was no dispute that the accused understood the nature of the file sharing program. The accused used the program to download files from the Gnutella network and store them in his shared folder, where they were made available to other Gnutella users. The court found, however, that the element of intention was not proven beyond a reasonable doubt:

Mr. Pressacco intended to view child pornography to see what it was like, and upon viewing it he decided to delete it. He put that decision into effect. I cannot be sure that at any time he intended to make the material available to others, because it is within the realm of possibility that he immediately decided to delete the material, and that he was reasonably prompt in doing so. In these circumstances I am not prepared to infer, from his intentional accessing and possessing and from his knowledge of file sharing, that he intended to make the material available to others. (para. 33)

[103] In Pressacco, the accused had not stored the child pornography on compact disks.

[104] Mr. Pelich also relies on R. v. Lamb, 2010 BCSC 1911. In that case, the police were monitoring the activity at a suspected IP address and downloaded eleven files on one day. Only one file was established to be child pornography. When the search warrant was executed, there were no files in the shared folder. The court found that any of the adults living in the residence had access to the computer and there was no direct evidence that the accused had used the computer or was home on the days in question. Further, the act of quickly moving the files out of the shared folder was evidence of an intention to prevent sharing. With respect to the mens rea required for the offence of making child pornography available, the court stated at paras. 74, 75:

In accordance with the decision of R. v. Pressacco I conclude that the mens rea required for the offence of making child pornography available under s. 163.1(3) of the Criminal Code is an actual intention to make the material available.

Even if the Crown had proved in this case that the accused had committed the actus reus of the offence, I would have had a reasonable doubt that he possessed the necessary intention.

[105] In R. v. Spencer, 2011 SKCA 144, the Saskatchewan Court of Appeal reviewed the jurisprudence on the mens rea requirement in s. 163.1(3), including Pressacco and Lamb. At para. 64, Caldwell J.A. held:

In R. v. Buzzanga (1979), 1979 CanLII 1927 (ON CA), 49 C.C.C. (2d) 369, the Ontario Court of Appeal commented on the basic mens rea requirement for criminal offences (at p. 381):

… The general mens rea which is required and which suffices for most crimes where no mental element is mentioned in the definition of the crime, is either the intentional or reckless bringing about of the result which the law, in creating the offence, seeks to prevent …

As such, per Buzzanga, it must be presumed the mens rea of s. 163.1(3) is subjective (ie., an aware state of mind or guilty mind) and, therefore, the mens rea element of the offence may be met by sufficient evidence of intention or actual knowledge, recklessness coupled with knowledge of the consequences, or wilful blindness, but not mere negligence.

[106] Caldwell J.A. concluded that Parliament intentionally used the term “make available” in s. 163.1(3) to expressly prohibit electronic dissemination of child pornography:

… [T]he offence of making child pornography available covers those who download child pornography which is thereafter publicly accessible through file sharing. In this sense, if an overt act or positive step is required, that requirement is satisfied by an accused downloading child pornography using a file sharing program which makes it publicly available as a shared file. …

If making available requires a “positive step”, other than as discussed above, then it would cease to have the effect intended by Parliament as it would no longer impugn the conduct it was plainly meant to criminalize. Therefore, in my opinion, the mens rea of the offence of making available child pornography under s. 163.1(3) is satisfied where an accused has downloaded child pornography or otherwise made child pornography available to others via a file sharing program over the Internet. No other steps or actions to distribute it are required … .

In the context of a file sharing program, the mens rea element of making available child pornography under section 163.1(3) requires proof of the intent to make computer files containing child pornography available to others using that program or actual knowledge that the file sharing program makes files available to others. However, the Crown could also satisfy the knowledge requirement of the mens rea element of the section 163.1(3) “makes available” offence on the basis of wilful blindness by proving the accused’s file sharing program had actually made child pornography files available to others and the accused had actual suspicion that it had done so, but had made a conscious decision not to determine whether his suspicion was in fact an actuality. … (para. 87)

[107] In R. v. Rivet, 2011 ONCA 122, the Ontario Court of Appeal dismissed an appeal from a decision where the court found that the mens rea component of the offence of making child pornography available included recklessness. Mr. Rivet had obtained child pornography through LimeWire. The trial judge found that he was a sophisticated computer user and understood the nature of the LimeWire sharing system. He had claimed that he changed the settings to prevent others from accessing materials on his computer. However, the Crown established that he did not in fact change the settings until after the police were able to download child pornography from his computer.

[108] Mr. Pelich was both a knowledgeable and sophisticated computer user. Indeed, this knowledge and sophistication was a requirement of his occupation. He was well aware that LimeWire was a file sharing program. He claimed that he changed the settings to prevent sharing. I do not believe his testimony.

[109] I find that when the police entered his apartment and told Mr. Pelich that someone was using LimeWire to download child pornography, he said that he got rid of it, because he was moving files out of the shared folder. The logical inference is that he knew that the files were in the shared folder for the period of time that he left them there.

[110] The offending material that Officer Purchas downloaded from Mr. Pelich’s shared folder was put in Mr. Pelich’s shared folder by his deliberate action. Mr. Pelich knew or he ought to have known that the child pornography in his shared folder would be available for uploading by other users of the file sharing program. In the alternative, he was willfully blind to the fact that illegal material on his laptop was being made available to others via the LimeWire file sharing program that he had installed on his laptop.

[111] Officer Purchas was able to download files from the shared folder on June 5, 2008 and July 15, 2008. I find that after Mr. Pelich downloaded child pornography images and movies from LimeWire, they remained in the shared folder for a period of time, during which he moved them onto discs and then deleted them.

[112] Accordingly, applying W.(D.) and in the context of all the other evidence, I am convinced beyond a reasonable doubt that Mr. Pelich was making child pornography available on June 5, 2008 and on July 15, 2008.

Making Child Pornography

[113] Mr. Pelich is charged with making child pornography between January 1, 2001 and July 16, 2008 by downloading child pornography from the internet and transmitting it to disks.

[114] Section 163.1(2) of the Criminal Code provides:

Every person who makes, prints, publishes or possesses for the purpose of publication any child pornography is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years and to a minimum punishment of imprisonment for a term of one year.

[115] In Ontario, courts have found that downloading child pornography from the internet and transmitting it to disks constitutes the offence of “making” within the meaning of s. 163.1(2) of the Criminal Code. See R. v. Mohanto, [2002] O.J. No. 5840 (C.J.), R. v. B.W., [2002] O.J. No. 5727 (C.J.), R. v. Horvat, [2006] O.J. No. 1673 (S.C.), aff’d on other grounds, 2008 ONCA 75 and R. v. Dittrich, [2008] O.J. No. 1617 (S.C.).

[116] In Horvat, Lack J. held at paras 14, 15:

… Today data can be stored in a number of ways. It usually is first stored on the hard drive of a computer. When data from that hard drive is put on a CD or a DVD or memory cards, often the storage medium itself must be formatted or prepared to receive the data. The data must generally be selected from the available data on the hard drive. It must be processed and saved to complete the transfer. Some knowledge and skill is required. What is done, in my view, is an act of creation. The entire process is commonly referred to as “making” a disk or a DVD or a memory card.

Before the process, the data did not exist in that medium. After, the data on the disk or DVD or memory card can be used in different ways than it could have been if left on the hard drive. It can be transported without effort. It can be used on another computer, or in the case of a memory card, on an iPAQ. It can be added to, modified or deleted without changing anything on the original hard drive. It survives modification or destruction of the data on the original hard drive. All of this is common knowledge among computer users. All of this leads me to conclude that the copying of child pornography onto a DVD, the copying of child pornography onto a CD and the copying of child pornography onto memory cards on an iPAQ constitutes “making” child pornography within the meaning of s. 163.1(2).

[117] The defence submitted that the Ontario cases were decided before the Supreme Court of Canada decision in Morelli. The defence urged me to adopt the reasoning in R. v. Keough, 2011 ABQB 48, where the court concluded that a person offends s. 163.1(2) if the person creates novel child pornography or creates a copy of child pornography for the purpose of publishing or distribution.

[118] Mr. Keough’s home was searched by the RCMP who uncovered a number of video materials that depicted sexual activities. Some of these materials allegedly represented child pornography or were recorded surreptitiously and thus fell into the Criminal Code voyeurism offences.

[119] The facts in Keough that are relevant to the defence’s particular argument are that when S.C. was fifteen and M.A. was eighteen, S.C. agreed to allow M.A. to make a video recording of their sexual activities on a mini-cassette. S.C. agreed that the accused could transfer the recording to a VHS videotape. At S.C.’s request, M.A. agreed to destroy the VHS recording. The court concluded that M.A. gave the VHS recording to the accused in exchange for some kind of consideration. S.C. testified that she never gave permission for the accused to have a copy of the VHS recording.

[120] It was alleged that the accused made child pornography in two ways: he took the original mini-cassette recording and from that he made a VHS copy and at some point, he made multiple copies of the S.C./M.A. recording.

[121] It was argued by the defence in Keough that simply copying pre-existing child pornography without any intention to distribute does not offend s. 163.1(2). The Crown relied upon the Ontario cases and argued that the purpose of the copying was irrelevant.

[122] The Alberta court found that the Ontario line of cases seemed to conclude that child pornography is made whenever either the copy number of a particular instance of child pornography increased, or where child pornography was relocated onto a different media, or media format, causing an overlap between the making and possession offences. Thus, the court held that the Ontario cases incorrectly broadened making child pornography beyond its intended scope.

[123] The court stated at para. 231:

I also note that the end reasoning of the [Ontario] line of cases is that any person who possesses any electronic version of child pornography must have ‘made’ that child pornography. Adapting the often repeated aphorism of Marshall McLuhan, the medium has become the offence. Surely this cannot be the intention of Parliament when it composed the current s. 163.1 child pornography regime.

[124] The court in Keough concluded that “making” in s. 163.1(2) involves the creation of novel child pornography that did not previously exist. Further, copying child pornography without the intent to publish or distribute is not an offence under s. 163.1(2) and the same would be true for a simple transformation in form or medium of child pornography materials. The court reasoned that the type of activities involving the creation of novel child pornography deserve stronger social sanction than possession of child pornography and this is why Parliament has mandated a longer period of imprisonment for s. 163.1(2).

[125] The court in Keough seemed to find support for its reasoning in the words of Fish J. in Morelli at para. 27, cited above, where he stated that “viewing and possession should be kept conceptually separate, lest the criminal law be left without the analytical tools necessary to distinguish between storing the underlying data and merely viewing the representation that is produced when that data, residing elsewhere, is decoded”.

[126] Fish J. explained, at para. 29 in Morelli, that it is the underlying data that is the stable object that has some sort of permanence and can be transferred, stored and possessed. The court in Keough found an analogous distinction between possession and making an electronic file that is child pornography.

[127] In Keough, the court concluded that the accused was in possession of child pornography by having the S.C./M.A. recordings without S.C.’s consent. However, the copying of the recording did not constitute “making” child pornography under s. 163.1(2) of the Criminal Code. Moreover, the initial format change copying the mini-cassette to VHS did not qualify as “making”, because it was the same child pornography but in a different form.

[128] In its reasons, the court stated that collecting or assembling or organizing child pornography is not, in itself, an act of creation. It is not ‘new’ child pornography. All the child pornography previously existed, but in a different form:

… to use an electronic example, it would seem very strange that if a person with child pornography were to organize electronic files into categories, for example as stored in ‘folders’ on their computer, that such act would have ‘made’ child pornography. That is not to say that any transformation of pre-existing child pornography would never ‘make’ child pornography, but there needs to be some kind of substantive change, which causes the initial child pornography to take on a new form and in essence to become a completely separate and new work. (para. 233)

[129] Alberta is not the only jurisdiction to take this approach. In R. v. Ballendine, 2009 BCSC 1938, Cullen J. held that transferring child pornography from one medium to another for personal use did not constitute the offence of “making” under s. 163.1(2).

[130] Applying Drieger’s modern principle of statutory interpretation, Cullen J. looked at the textual context of the ‘make’ offence. He found that the offences were grouped by sentence into consumption or production offences and that ‘make’ was grouped as a production offence. He held at para. 76:

As I read s. 163.1(2) in the context of s. 163.1(3), (4), and (4.1), it appears that the section creates a distinction between producers and distributors of child pornography, on the one hand, and the consumers on the other. Those who produce in the sense of causing pornography to exist and those who undertake to disseminate it to others commit aggravated offences reflected in the sentencing provisions of s. 163.1(2) and (3). Those who are the end users or consumers have lesser overall moral complicity and are treated differently under s. 163.1(4) and (4.1).

[131] I agree with the reasoning set out in Keough and in Ballendine and find that Mr. Pelich collected his pre-existing child pornography files on disks and to some extent, organized them according to the names on the disks (Kiss, Kiss 2, Kiss 3, Kiss 4) and the dates when they were last modified. Some of the images were the same images found on other disks or in the unallocated space on the hard drive. There was no evidence that by moving or copying the images to disks, the initial child pornography became a completely separate and new work. Rather, this was a simple transfer from one medium to another in an effort to maintain a collection of child pornography images.

[132] Accordingly, I do not agree that by copying child pornography onto disks, Mr. Pelich “made” child pornography within the meaning of s. 163.1(2) of the Criminal Code.

DISPOSITION

[133] For the reasons set out above, there will be a finding of guilt with respect to the following offences:

• Possession of child pornography on June 5, 2008

• Making child pornography available on June 5, 2008

• Possession of child pornography on July 15, 2008

• Making child pornography available on July 15, 2008

• Possession of child pornography on July 16, 2008

• Accessing child pornography between June 5, 2008 and July 16, 2008

There will be a finding of not guilty to the charge of making child pornography between January 1, 2001 and July 16, 2008. The court will hear submissions concerning the application of R. v. Kineapple, 1974 CanLII 14 (SCC), [1975] 1 S.C.R. 729 at the time of the sentence hearing.

DUNNET J.

Released: June 27, 2012

COURT FILE NO.: 10-50000653-0000

DATE: 20120627

ONTARIO

SUPERIOR COURT OF JUSTICE

HER MAJESTY THE QUEEN

– and –

OLDRICH PELICH

Accused

REASONS FOR JUDGMENT

DUNNET J.

Released: June 27, 2012

Her Majesty the Queen v. Oldrich Pelich, 2012 ONSC 3611

Case Summary

ONTARIO

SUPERIOR COURT OF JUSTICE

REASONS FOR JUDGMENT

OVERVIEW

THE EVIDENCE

Christopher Purchas

Peter Hansen

Nathan Dayler

Oldrich Pelich

ANALYSIS

Possession of Child Pornography

Accessing Child Pornography

Making Child Pornography Available

Making Child Pornography

DISPOSITION

Judge

Counsel

Parties

Areas of Law

Fact Patterns

Expert Witnesses

Issues

Statutory Provisions 6

Legal Tests 1

Legislation 2