SUPERIOR COURT OF JUSTICE – ONTARIO

COURT FILE NO.: 13-00000216-0OMO
DATE: 2013 11 05

IN THE MATTER OF a search warrant executed on October 22, 2012 at the business premise of YesUp Ecommerce Solutions Inc., 565 Gordon Baker Road, Toronto, Ontario

• and -

IN THE MATTER OF a subsequent search warrant executed on November 7, 2012 at Ontario Provincial Police Headquarters, 777 Memorial Avenue, Orillia, Ontario

• and -

IN THE MATTER OF an application pursuant to section 490(3) of the Criminal Code for an order for the further detention of things seized during execution of this warrant

BEFORE: Justice Croll

COUNSEL:
L. Henderson, for the Crown/Applicant
T. Richards, for the Respondent YesUp Ecommerce Solutions Inc.

HEARD: October 28, 2013

E N D O R S E M E N T

[1] Pursuant to section 490(3) of the Criminal Code, R.S.C. 1985, c. C-46, the Crown seeks an Order for Further Detention of Things Seized from the business premises of YesUp Ecommerce Solutions Inc. (“YesUp”) in Toronto and from the Ontario Provincial Police Headquarters in Orillia. YesUp opposes the continued detention sought; however, the factual background of this application is not in dispute.

Factual Background

[2] Commencing in May 2012, the Toronto Police Service (“TPS”) began to receive a series of complaints through a cyber-tip website about two file-sharing websites providing links to child pornography. The complaints involved more than 800 alleged links to child pornography materials. A police investigation followed many of the links and discovered that while some of the files had been removed from the websites, many of the links were intact. Those links that were intact led to material consistent with the definition of child pornography set out in section 153.1 of the Code.

[3] The websites in question were www.lumfile.com (“Lumfile”), which investigation revealed was based out of Vietnam and www.filerose.com, which investigation revealed was based out of Panama. Open source investigations indicated that, while the links to the alleged child pornography files passed through www.lumfile.com and www.filerose.com, the files themselves resolved to YesUp, based at 56 Gordon Baker Road in Toronto. YesUp has a 40,000 square foot facility that houses 50,000 servers.

[4] As a result of this information, the TPS obtained a search warrant for the business premises of YesUp. The expectation was that the police would recover and copy the necessary files from the computer systems at YesUp. The warrant was granted for the period between 8 a.m. to 6 p.m., October 22-23, 2012; however the authorizing judge indicated that, “If the search leads to relevant evidence of the commission of an offence, and upon the viva voce evidence of the informant, I will extend this warrant to an additional 3 days”.

[5] The original warrant requested information related to the 800 links that had been identified, including the Internet Protocols and user information of the persons responsible for uploading and downloading the files associated to the links, along with the files themselves. It also asked for all of the files uploaded by the same users who uploaded any of the 800 links and any information identifying who downloaded those files.

[6] Members of the TPS attended at YesUp on October 22, 2012. YesUp advised that Lumfile leased and had exclusive use of 32 of its servers. It was discovered that these servers were “raided”, which means that they were set up to operate as one very large server. The storage capacity from this arrangement amounts to almost 1 petabyte. A petabyte is approximately 1,000 terabytes or 1 quadrillion bytes. In lay person’s terms, a petabyte has been described as having a volume equal to about 100 times the volume of the collection at the United States Library of Congress. Suffice it to say, these servers have the capacity to store enormous volumes of material.

[7] This particular network also allowed for parts of any file to be stored on any number of servers, requiring the servers to be interconnected in order for the police to have access to and obtain a complete version of any given file. In light of the magnitude of the data and intricacy of the connection among the 32 servers, the TPS requested the assistance of the Ontario Provincial Police Technological Crimes Unit (“TCU”). It was the evidence of Special Constable Sean Ford of the TCU that this was the first time that the TPS had sought the assistance of the TCU for this type of matter.

[8] Although the staff at YesUp and Lumfile (through email) were cooperative, the days granted by the original search warrant were not sufficient to conduct the investigation. Supplementary information was provided to the issuing justice and the warrant was extended for 3 additional days, on a 24 hour basis.

[9] Based on the criteria in the warrant, investigators identified approximately 12,000 unique files to be downloaded. Scripts were written by police (TPS and OPP) to extract the needed data, which amounted to less than 4 terabytes. However, when the files had finished copying, the police investigators noticed a discrepancy and determined that they were missing 418 files that were covered by the warrant. This prompted the investigators to start looking for the files manually, by generating a text file listing all of the files present on two of the servers. When reviewing these text files, it was apparent that, based on the file names alone, there was a greater volume of child pornography on the Lumfile servers beyond those named or alluded to in the warrant. As a result, the decision was made to remove the servers from YesUp and take them to the OPP Headquarters in Orillia to be held in a secure location until a further search warrant was obtained.

[10] On October 31, 2012, the TPS filed a Report to a Justice indicating that a forensic copy of the administrative server had been seized, together with copies of 12,214 files as provided for in the search warrant executed on October 22, 2012. The Report to a Justice also indicated that the 32 servers had been seized from YesUp as the police believed they had been used in the commission of a criminal offence. An Order of Detention was obtained authorizing the TPS to detain these items until January 25, 2013.

[11] Also on October 31, 2012, the TPS obtained a search warrant authorizing the seizure of the 32 servers from the OPP Headquarters in Orillia for the purpose of examining them for evidence related to the commission of various pornography offences. This warrant was executed on November 7, 2012, and a Report to a Justice was filed with respect to the seizure of the 32 servers on November 20, 2012. An Order of Detention was obtained authorizing detention of these items until February 7, 2013.

[12] Interestingly, despite these police actions in Ontario, as of October 31, 2012, Lumfile was operational again. Investigation revealed that it had leased new server space in both the Netherlands and the Ukraine.

[13] On February 4, 2013 the TPS sought and obtained an Order of Continued Detention of Things Seized with respect to the 32 servers. Counsel for YesUp did not contest this order.

[14] On May 2, 2013, and then subsequently on August 1, 2013, the TPS again brought applications for Continued Detention of Things Seized. YesUp did not contest the application for continued detention on either date.

Data, Data Users and Data Storage Mechanics of the 32 Servers

[15] Special Constable Sean Ford provided affidavit and viva voce evidence, which included a series of slides, to explain the challenges of this investigation. He has been qualified in other cases as an expert in forensic analysis of computers, data recovery, child pornography and child pornography subculture, although there was no qualification at this application.

[16] Special Constable Ford described how the 32 seized servers are configured as individual “RAIDs” (meaning that all 16, or in some cases 24, hard drives contained in each server act in synchronicity as one large “drive”). Subsequently, each of these RAID servers act together in a similar fashion, acting as component parts of the larger singular data storage pool, such that all 32 servers work together as one extremely large drive. As a result, it was not feasible for investigators to remove each hard drive, forensically image it, and then reassemble each of the drives back into a cohesive overall whole. According to Special Constable Ford, the size and complexity of the architecture would consistently crash the existing forensic tools and offer no prospect of success.

[17] In addition, the 32 servers are configured to optimize performance through the use of “load balancing”. This means that file storage is controlled to ensure that all servers comprising the total available storage contain an even amount of data to bolster performance and responsiveness. The result is that individual files associated to individual users can be stored across all servers somewhat randomly, based on how “full” each individual server is at any time. Consequently, portions of any given file containing child pornography may be stored on any number of the servers. This was analogized in simple terms to a jigsaw puzzle, with component parts scattered over many servers, and as such, content cannot be assembled and related to various users without examining all servers.

[18] Special Constable Ford further explained that because of the extremely large size of the data to be copied and the fact that all 32 servers act as one, it was necessary for the TCU to procure equipment capable of assessing, copying and storing a copy of the data. He again applied an analogy that made the complications of this technology more understandable. Just as a physical crime scene must be protected to ensure that the evidence does not become tainted or does not disappear, necessary steps must be taken to ensure that the evidence on the various servers does not become tainted or disappear. Given this need to protect the integrity of the material on the servers, the OPP has spent in excess of $4 million to purchase and install the equipment required to perform the copying in a forensically sound fashion. This equipment was developed by Hewlett Packard for the American military, and was originally constructed in Houston, Texas. It is a self-contained POD, which is the acronym for a Performance Optimized Data center. This POD has special systems to deal with power outages, temperature fluctuations and storage, and preservation of evidence, among other features. Its construction necessitated physical adjustments to the building in Ontario in which it is housed, including removal of a wall, and a crane was used to put the POD in place. This POD is currently in the testing phase, and it is anticipated that it will be operational by December 2013.

[19] The volume of the registered users of Lumfile is a further challenge in this investigation. So far the police have determined that there were over 60,000 registered users of Lumfile, and information indicates that these users are located all around the world. According to Special Constable Ford, the users are located in at least 75% of the world’s countries. Police are currently in the process of ascertaining how many of the users appear to be involved in uploading, downloading, or otherwise contributing to the distribution and proliferation of child pornography.

[20] Special Constable Ford further explained how the data itself is predominantly stored in 1.4 million RAR files. A RAR file is like a folder containing any number of compressed files which expand when the RAR file is opened, akin to a ZIP file. As approximately half of the RAR files are encrypted, it is anticipated that the assistance of the RCMP or American police agencies with specialized technical knowledge and programs will be needed to decrypt these files. Based on the files the police were able to copy and the names of many of the other files, there is reason to believe that many of these files also contain material depicting sexual abuse of real children, many of whom are prepubescent. Once the material can be fully reviewed, there are some 18 various police agencies in Ontario involved in the enterprise of categorization of the material and protection of the abused children.

[21] When the files are copied and accessed, it will also be necessary to deploy police officers with specialization in victim identification to identify, locate and, where possible, rescue these children. This operation will involve multinational partnerships with international agencies.

[22] Additionally, the 32 servers were set up to avoid storing duplicate copies of files. This means that if a user uploaded a copy of a file that someone else had already stored on one of the servers, the user’s information would become associated with the previously stored file. This process is known as de-duplication. The net result is that, in addition to the fact that pieces of any given file may be stored on any number of the servers, any given file may be traced back to any number of users. This configuration on the seized servers takes this investigation out of the realm of one user, one hard drive, one computer.

[23] There is also robust evidence that this was crime for profit. The investigators have thus far located a “master database” contained within the Lumfile “Admin Server”. This database contains a great deal of information about user accounts, email addresses, PayPal accounts, Web money accounts, and file listings associated to individual users.

[24] In particular, Lumfile had several revenue streams, including monthly subscriptions for pay per sale, pay per download, or a combination of both schemes; affiliate advertising; and web referral schemes. Preliminary analysis indicates that revenue of some $18,000,000 is generated every 3 months. There also appear to be affiliate programs with other websites wherein Lumfile receives 50% of the sales of files in return for hosting the files. According to the investigation to date, these “affiliate programs” predominately involve child pornography or copyright infringement.

[25] Methods of payment for these accounts appear to be made primarily by PayPal, Web Money and Liberty Reserve. While PayPal accounts can be identified, Web Money and Liberty Reserve transfers present further difficulties. These alternative currencies are designed to offer anonymity and are processed through Costa Rica and Belize. Special Constable Ford referenced a large operation in the United States, in which Homeland Security prosecuted a billion dollar money laundering and contraband scheme, involving a site known as Megaupload.com. Liberty Reserve was the alternative currency used in that operation. As a result, Homeland Security has financial information about users of Liberty Reserve and a joint investigation between the OPP, TPS and Homeland Security is underway. The evidence indicates that the database will require a large amount of reverse engineering in order to fully map out and identify individual users tied to child pornography content.

[26] Given the connectedness of the 32 servers and how they operate, the sheer number of registered users, that the service appears to be using “symbolic links” to original files between users, and that users appear to be exercising the ability to download content between each other (in addition to external parties), it is an arduous exercise to fully establish the nature of the connections between the parties and any associated child exploitation content. In summary, Special Constable Ford described this as the largest digital seizure ever undertaken by the OPP.

The Law

[27] Section 490 of the Code provides for retention of seized items. In particular, subsection 490(3) provides as follows:

More than one order for further detention may be made under paragraph (2)(a) but the cumulative period of detention shall not exceed one year from the day of the seizure, or any longer period that ends when an application made under paragraph (a) is decided, unless

(a) a judge of a superior court of criminal jurisdiction or a judge as defined in section 552, on the making of a summary application to him after three clear days notice thereof to the person from whom the thing detained was seized, is satisfied, having regard to the complex nature of the investigation, that the further detention of the thing seized is warranted for a specified period and subject to such other conditions as the judge considers just, and the judge so orders;

[28] YesUp acknowledges the challenges faced by the TPS and the OPP and, as stated, has conceded the three previous extensions. However, it submits that the OPP has not moved swiftly enough and that the current request to detain the things seized until October 31, 2014 is excessive. In particular, YesUp points to the fact that the specialized POD was received in April 2013, but the necessary optic fibers will not be laid until December 2013. As well, YesUp submits that the investigation is unnecessarily slow because Special Constable Ford is the only investigator on this case. It is the position of YesUp that it is not the complexity of the investigation that necessitates further detention; rather, it is because the investigation has not been conducted in the timeliest fashion.

[29] The critical phrase in section 490(3) is having regard to the complex nature of the investigation. This phrase was examined in Canada Revenue Agency v. Okoroafor, 2010 ONSC 2477. In that case, Durno J. stated, at para. 15, “While the initial detention periods are governed by whether or not the items are required ‘for the purpose of the investigation,’ the longer detention can only be permitted having regard to the complexity of the investigation, not the complexity of the potential charge(s) or number of hours required to review the material seized.” (emphasis in original).

[30] The key issue is how the complexity of the investigation impacts the need for continued detention. In Okoroafor, at paras. 19-20, Durno J. explained that:

In assessing the complexity of the investigation, the Court may consider what work is yet to be done, the estimated time for completion and whether the work should reasonably have been done earlier. Tran, para. 36; Bromley, para. 22. Put bluntly, is it a complex investigation requiring further detention or a non-complex investigation that investigators have had insufficient time to complete? The former leads to further detention. The latter does not.

A complex investigation is one that has many varied interrelated parts, patterns, or elements and consequently is hard to understand fully. It is an investigation that involves many parts, aspects, details, and notions necessitating earnest study or examination to understand or cope with: Alberta (Attorney General) at para. 23. It is “something intricate and composite, something requiring analysis and reflection before moving forward to results and always considering the implications”: R. v. Westmorland Fisheries Ltd. [Citations omitted].

Analysis

[31] I have considered the case law provided by the Crown, including Okoroafor and the cases cited therein; Alberta (Attorney General) v. Black, 2001 ABQB 216; Tran (Re), 2004 BCSC 339; R. v. Westmorland Fisheries Ltd. (1995), 1995 4128 (NB KB), 168 N.B.R. (2d) 395 (Q.B.), aff’d (1996), 1996 4874 (NB CA), 173 N.B.R. (2d) 138, leave to appeal to SCC refused, [1996] S.C.C.A. No. 211; Moyer (Re) (1994), 1994 7551 (ON SC), 95 C.C.C. (3d) 174 (Ont. Gen. Div.); Canada (Revenue) v. Welford (1996), 97 D.T.C. 5048 (Ont. Gen. Div.); Canada (Minister of National Revenue – M.N.R.) v. Hunter, [2000] O.J. No. 5424 (S.C.); Edmonton Police Service v. A.H., 2011 ABPC 124; and R. v. Bromley, 2002 BCSC 149.

[32] I am satisfied that the Crown has met its burden to establish that this is a complex investigation requiring further detention. I come to this conclusion for the following reasons:

i. The investigation involves 2 police services, potentially 18 police agencies, and the Department of Homeland Security in the United States (see Black).

ii. The investigation requires the assistance of highly trained computer technicians to properly extract and store the information. I am not persuaded by YesUp’s submission that the investigation is not moving as quickly as it should because Special Constable Ford is the only officer working on it. While Special Constable Ford currently is the only investigator trying to extract data, his evidence is that even if more people were tasked with this function, the current data transfer is at capacity. He made this comprehensible when he stated “only a certain amount of data can come through the pipe”. As well, the Affidavit of Staff Sgt. Carole Matthews of the TCU attests to the involvement of other police officers, beyond Special Constable Ford. Staff Sgt. Matthews consulted with and travelled to Houston with senior officers regarding the capability of, and specifications for, the POD. She states that there were several meetings with Hewlett Packard executives and OPP personnel. As well, other officers are dealing with Homeland Security to track down the money trail.

iii. Once the information on the servers has been more fully accessed, it is anticipated that this investigation will involve the cooperation of other foreign governments, beyond Homeland Security, both with respect to the money trail and with respect to the identification and protection of the children who are being abused (see Edmond (Re), 2002 BCSC 524).

iv. In R. v. Wilson, [1999] N.S.J. No. 88 (Prov. Ct.), at para. 11, the court considered that “a paper chase where targeted individuals may have taken steps to cover their tracks” added to complexity. While in due course this investigation may encounter a confusing paper trail, at this stage it is dealing with a complex digital storage arrangement, involving, among other things, a de-duplication system which makes it very challenging to determine which users are responsible for any particular criminal uploading or downloading. In my view, the police are facing a modern day, technologically sophisticated version of the paper chase where the parties have taken steps to cover their tracks.

v. As stated, Lumfile originates out of Vietnam and the over 60,000 users are located all around the world. As such, the offences were committed in different jurisdictions and it will be necessary to interview witnesses outside of Canada (see Edmond).

vi. In Okoroafor, the need to translate documents was considered when assessing complexity. While in this case there is no need for translation from one spoken language to another, there is the need to decrypt some 50% of the files. In other words, the investigators must take steps to convert the language of the encryption codes to a language that can be understood.

vii. Also as stated in Okoroafor, at para. 22:

In assessing whether the complexity of the investigation requires further detention, the absence of evidence of ‘foot dragging,’ other delay, procrastination, prejudice and bad faith are relevant considerations as is the training and experience of those involved in the investigation, the time dedicated to date by thos