U.S. Department of Justice Carmen M. Ortiz United States Attorney District of Massachusetts ‘Main Reception: (617) 73100 Tohn Joseph Moakley United States Courthouse 1.Courthouse Way Suite 9200 ‘Boston, Massachusetts 02210 August 14, 2017 By FedEx and E-mail Jane Peachy, Esq. Federal Public Defender Office SI Sleeper Street Boston, MA 02210 Re: United States v. Martin Gottesfeld, Criminal No. 16-cr-10305-NMG Dear Jane: lam writing to document the governments production of records relating to a pen register and trap-and-trace device associated with Martin Gottesfeld’s RCN account. By email, you will receive the government’s application for the pen register and trap-and- trace device and the corresponding Order (Bates No. Gottesfeld01338-01346). As previously discussed, we do not believe that these documents are discoverable but are producing them in order to avoid a discovery dispute. By FedEx, you will receive a CD containing the returns of the pen register and trap-and- irace device (Bates No. Gottesfeld01347). Please call Dave or me if you have any questions. Sincerely, /s/ Adam J. Bookbinder Enclosures (PDF files, Bates No. Gottesfeld01338-01346; CD, Bates No. Gottesfeld01347) ce Dave D’AddioAPPLICATION AND MOTION TO SEAL The United States, by Assistant U.S. Attomey Adam J. Bookbinder, (the applicant’), applies othe Court for an Order authorizing the installation and use of a pen register and trap and trace device on the RCN Telecom Services LLC ("RCN") account providing internet service to 28 Albion St, Apt. 1, Somerville, Massachusetts, in the name of Martin S. Gottesfeld (“the designated account’). This application seeks an Order authorizing, for a period of 60 days, the use of a pen register and trap and trace device to trace the source and destination of all electronic communications directed to or originating from the designated account, and to record the date, time, and duration of these communications, The United States further applies to this Court for an Order directing Internet Service Providers (“ISPs”) to provide subscriber information for IP addresses sending communications to, and receiving communications from, the designated account, ‘The United States does not seek “content,” in any form, of any electronic communication. Statutory Framework The applicant is an “attorney for the government,” as defined in Fed. R. Crim, P. 1(b)(1)(D), and therefore, pursuant to 18 U.S.C. § 3122, may apply for an order authorizing the installation and use of pen registers and trap and trace devices and for records conceming electronic communication service (including internet service) pursuant to 18 U.S.C. § 2703. In the Matter of Application of the United States of America for an Order AuthorizingCase 1:14-mj-07135-JCB *SEALED* Document 2 Filed 07/17/14 Page 2 of 6 Installation and Use of a Pen Register and a Trap Trace Device on E-Mail Account, 416 F. Supp. 24 13 (D.D.C. 2006) (Chief Judge Hogan analyzing the application of the pen register and trap and trace statutes to e-mail and other intemet signaling information). The Court has jurisdiction under 18 U.S.C, § 3123(a)(1) to enter an ex parte order authorizing the installation and use of pen registers and trap and trace device anywhere within the United States. Similarly, the Court has jurisdiction to enter an order under 18 U.S.C. § 2703(4) directing any clectronic communication service provider within the United States to produce ‘subscriber information. Technical Background Data packets transmitted over the intemet — the mechanisms for all internet ‘communications — contain addressing and routing information analogous to the destination phone numbers captured by traditional pen registers and the origination phone numbers captured by traditional trap and trace devices. One example of this addressing and routing information is an IP address, which is a unique numeric address used by computers on the intemet. Another example of this addressing and routing information is a “port,” which is a numeric identifier of a particular type of service being offered by a computer or server. For example, port 80 is typically reserved for World Wide Web traffic, so that a computer that wishes to retrieve information from a web server would typically connect to port 80.' As with traditional telephone pen registers and trap and trace devices, ISPs can use hardware, software, or a combination of the two, to determine the routing, addressing, and ‘signaling information for electroni ¢ commun jons. Depending on the technology that RCD using, the government may not physically install its own pen register or trap and trace device to * Itis thus similar to 011 identifying international long distance telephone service.Case 1:14-mj-07135-JCB *SEALED* Document 2 Filed 07/17/14 Page 3 of6 capture the routing, addressing, and signaling information described above. Rather, the government may provide the proposed Order to RCN, and RCN, through its existing hardware and software, will capture the incoming and outgoing routing, addressing, and signaling information and then forward the results to the government. Factual Predicate for the Application The FBI is conducting a criminal investigation of possible violations of 18 U.S.C. §1030 (computer fraud and abuse) relating to computer attacks on Boston Children’s Hospital and other entities. I have discussed this case with the FBI agents who are handling the investigation. Based on those discussions, I believe and hereby certify, as required by 18 U.S.C. §3123(a), that the information likely to be obtained by use of the pen register and trap and trace device on the designated account is relevant to the ongoing criminal investigation. Additionally, this application sets forth specific and articulable facts showing that there are reasonable grounds to believe that the subscriber and billing records for (a) individuals or entities communicating with the designated account, and (b) any other electronic communication service being accessed from the designated account, are relevant and material to an ongoing criminal investigation, as required by 18 U.S.C. §2703(d). Based on my discussions with the FBI agents conducting this investigation, the following facts are truc to the best of my knowledge, information and belief: 1 Boston Children’s Hospital reported a Distributed Denial of Service (DDOS) attack against its public internet website www.childrenshospitaL.org on April 20, 2014, This attack may have begun a week earlier and caused disruptions to the BCH website and the network on which BCH and other Harvard University affiliated hospitals communicate. In response, BCH was forced to shut down, for a period of time, online service portals for patients, providers and, SEALED* Document2 Filed 07/17/14 Page 4 of 6 ‘The loss of these services and the impact to the hospital communication network a direct threat to the ability of BCH and other hospitals to care for their patients. The attack against BCH is suspected to be related to the recent activist effort concerning the custody battle over Justina Pelletier, who was a BCH patient, 2. A YouTube video posted on March 23, 2014 by the user, “Shutdown Logan River Academy,” claiming to be from the hacking group Anonymous, and accompanied by an online posting, proposed a call for action against BCH. The posting stated that Anonymous “will punish all those held accountable and will not relent until Justina is free.” This posting also listed the website and IP address for BCH. 3. Subscriber information for the Shutdown Logan River Academy YouTube account shows that this account is owned and managed by Martin Gottesfeld. 4. Additionally, the IP address 209.6.193.140 was used to post the YouTube video on March 23, 2014 and to log in to the account on April 1, 2014. RCN lists Martin Gottesfeld as the customer assigned to that IP address on both dates with a service address of 28 Albion St Apt. 1, Somerville MA. The Proposed Order Accordingly, for the above reasons, the applicant requests that the Court enter an authorizing, for the period of 60 days, the use of a pen register and trap and trace device the source and destination IP address and port of all electronic communications: originating from the designated account, and to re rd the date, time, size, and duration communications. The United States does not seek the URL for websites visited by designated account, as this URL could contain content.” sale j For example, while the website, “Amazon.com” does not contain the ec 4“ of the pen register and trap and trace device, including ' and operation of them unobtrusively and with a minimum of disruption of normal ‘service. These entities shall be compensated by the FBI for reasonable expenses incurred in providing such facilities and assistance. ‘The applicant requests that the Order direct that the government have access to the information collected by the pen register and trap and trace device continuously, 24 hours per day, so that the information will be furnished to the government during, or immediately after, the transmission of the electronic communications directed to or originating from the designated account. The applicant requests that the Order direct that the tracing shall encompass tracing the communications to their true source, if possible, without geographic limit. The applicant further requests that the Court issue an Order, pursuant to 18 U.S.C. §§ 2703(c) and (4), directing that RCN and any other ISP that operates any of the IP addresses that are contacting or being contacted by the designated account, provide to FBI agents and law enforcement offic working with them: (a) subscriber information for IP addresses contacting and being contacted by the designated account, and (b) subscriber information for any: + electronic communication service being accessed from the designated account, This sul information should include the name, address, instrument number or other subscriber ‘dentity (including any temporary assigned network address), and means or source of pa such service. communication, a URL that lists what book the user is searching for on A mazon.c considered to contain the content of a communication, 5ICB*SEALED* Document 2 Filed 07/17/14 Page 6 of 6 Further, the applicant requests that the Court order, pursuant to 18 U.S.C. § 3123(d)(2) and § 2705(b), that RCN, and any other person or entity whose assistance is used to facilitate the execution of this Order, and their agents and employees, not disclose of the existence of this Application and Order, except as necessary to effectuate it, unless authorized to do so by this Court. The applicant also asks that this Application and Order be sealed pursuant to Local Rule 7.2 and 18 U.S.C. § 3123(d)(1), until further order of this Court. The applicant makes these requests because providing notice to the subjects of the investigation could seriously jeopardize the ongoing investigation by giving them an opportunity to destroy evidence, change patterns of behavior to evade detection, notify confederates, or flee from prosecution. I declare that the foregoing is true and correct, based on information provided to me by FBI agents. Dated: July 17, 2014. 4s/ Adam Bookbinder Adam J. Bookbinder Assistant U.S. AttorneyCase 1:14-mj-07135-JCB *SEALED* Document 3 Filed 07/17/14 Page 1 of 3 UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS IN RE AN APPLICATION FOR A ) M.J. No, 14-mj-7135-JCB PEN REGISTER AND TRAP AND ) TRACE DEVICE ON RCN ACCOUNT) ORDER This matter has come before the Court pursuant to an application under 18 U.S.C. § 3122 by Assistant United States Attomey Adam J. Bookbinder, an attomey for the government, requesting an order under 18 U.S.C. §3123, authorizing the installation and use of a pen register and trap and trace device on the RCN Telecom Services LLC account providing internet service to 28 Albion St., Apt. 1, Somerville, Massachusetts, in the name of Martin S. Gottesfeld ed to in this application as “the designated account”). The application further asks the Court, under 18 U.S.C. §2703(d), for an Order directing Internet Service Providers (“ Ps") to provide subscriber information for IP addresses sending communications to, and receiving ‘communications from, the designated account. The court finds that the applicant has certified that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation by the FBI into possible violations of 18 U.S.C. §1030, ‘The court further finds that the application sets forth specific and articulable facts showing that there are reasonable grounds to believe that the ted subscriber and billing records for (a) individuals or entities communicating with the de account, and (b) any other electronic communication service being accessed from the designated account, are relevant and material to this ongoing criminal investigation. It is therefore ordered that: 1. FBI agents, assisted by RCN employees, may (pursuant to 18 U.S.C. $3123), 1 —Case 1:14-mj-07135-JCB *SEALED* Document 3 Filed 07/17/14 Page 2 of 3 install a pen register and trap and trace device to trace, for a period of 60 days, the source and destination IP address and port of all electronic communications directed to or originating from the designated account, and to record the date, time, size, and duration of these communications The tracing shall encompass tracing the communications to their true source, if possible, without geographic limit. RCN shall not provide to the FBI, the URL for websites visited by the designated account D. RCN, and any other electronic communications provider whose assistance may facilitate the execution of the Order, shall (pursuant to 18 U.S.C. §3123(b)(2)), furnish information, facilities, and technical assistance necessary to accomplish the installation of the pen register and trap and trace device unobtrusively and with a minimum of disruption of normal service. 3. The FBI shall compensate RCN, and any other person or entity whose assistance is used to facilitate the execution of this Order, for expenses reasonably incurred in complying with this Order. 4. The government shall have access to the information collected by the pen register and trap and trace device continuously, 24 hours per day, so that the information will be furnished to the FBI during, or immediately after, the transmission of the electronic communications directed to or originating from the designated account, RCN, and any other ISP that operates any of the IP addresses that are contacting or being contacted by the designated account, shall (pursuant to 18 U.S.C. §§2703(c) and (d)) provide FBI agents and other law enforcement officers working with them: (@) subseniber information for IP addresses contacting and being contacted by the designated account, and (b) subscriber information for other electronic communication services being accessed from theCase 1:14-mj-07135-JCB *SEALED* Document 3 Filed 07/17/14 Page 3 of 3 designated account. ‘This subscriber information shall include the name, address, instrument number or other subscriber number or identity (including any temporary assigned network address), and means or source of payment for such service The court finds that providing prior notice to the subjects of the investigation could seriously jeopardize the ongoing investigation, by giving them an opportunity to destroy evidence, change pattems of behavior to evade detection, notify confederates, or flee from prosecution The court therefore orders that: 6. RCN, and any other person or entity whose assistance is used to facilitate the execution of this Order, and their agents and employees, make no disclosure of the existence of this Application and Order, except as necessary to effectuate it, unless authorized to do so by this Court 7. The Clerk of Court shall seal the Government's Application and this Order (pursuant to Local Rule 7.2 and 18 U.S.C. §3123(d)(1)) until further order of the Court, except that the United States and the FBI may serve a copy of the Order upon RCN and any other ISP, person, or entity whose assistance is necessary to facilitate the execution of the Order. Entered: July_17 , 2014.