Filed 4/6/23 Doe v. Regents of the University of California CA2/4 NOT TO BE PUBLISHED IN THE OFFICIAL REPORTS California Rules of Court, rule 8.1115(a), prohibits courts and parties from citing or relying on opinions not certified for publication or ordered published, except as specified by rule 8.1115(b). This opinion has not been certified for publication or ordered published for purposes of rule 8.1115.

IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA SECOND APPELLATE DISTRICT DIVISION FOUR

JOHN DOE, B318015 Plaintiff and Appellant, (Los Angeles County Super. Ct. No. 20STCP01526) v. THE REGENTS OF THE UNIVERSITY OF CALIFORNIA, Defendant and Respondent.

APPEAL from a judgment of the Superior Court of Los Angeles County, Mitchell Beckloff, Judge. Affirmed.

Revolve Law Group and Kimberly A. Wright for Plaintiff and Appellant.

Paul, Plevin, Sullivan & Connaughton, Sandra L. McDonough and Joanne Alnajjar Buser for Defendant and Respondent.

INTRODUCTION John Doe was dismissed from the graduate dental program at the University of California, Los Angeles (University) for accessing child pornography on the University’s network. Doe sought review by writ of administrative mandate. The superior court denied the writ petition and Doe appealed from the judgment. Doe contends the University’s findings were not supported by substantial evidence. We disagree and affirm the judgment.

FACTUAL AND PROCEDURAL HISTORY 1 In 2017 and 2018, Doe was attending dental school at the University.

He planned to become a Doctor of Dental Surgery candidate in 2019.

On January 1, 2018, the National Center for Missing and Exploited Children (the Center) received a CyberTiplineReport (cyber report) from Dropbox2 that child pornography had been uploaded to a Dropbox account.

The cyber report stated the following information. The email address [email protected] created the suspect Dropbox account with the username “Leo Sim.” The suspect Dropbox account was accessed on August 20, 2017, at 2:04:49, 2:10:50, and 2:16:13 UTC (Coordinated Universal Time) with the IP address 104.32.99.146, and again on November 23, 2017, at 7:00:17 UTC, with the IP address 164.67.234.100.

On May 8, 2018, the Los Angeles County Sheriff’s Department (LASD) obtained an arrest warrant for Doe based on an affidavit prepared by

Detective Gilbert Dominguez. Detective Dominguez attested he believed Doe violated Penal Code section 311.11, subdivision (a), which proscribes possession of child pornography.

According to the statement of probable cause in the (now redacted) arrest warrant, the Center received a cyber report from Dropbox that child pornography was found on a Dropbox account. Detective Dominguez viewed copies of some of the pornographic videos provided by Dropbox. The videos depicted several children ranging in age from approximately 3 to 15 years old in multiple sex acts, including intercourse, oral copulation, and sodomy, with adults and other children. Dropbox provided information that the account was created and accessed by a user named “Leo Sim” with the email address [email protected]. A search warrant served on Google for data associated with the [email protected] account revealed that the email address was registered to “Leo Simmons.” The account contained emails and messages to and from someone with the username “Leo Sim.” The recovery email for [email protected] was [email protected]. A search warrant served on Google for the [email protected] account revealed that the email address [email protected] was created using the [email protected] account on December 29, 2016, at 8:32 a.m.

Further, on April 2, 2017, an email titled “motherless” was sent from the [email protected] account to the email address [email protected]. The email stated, “hey, saw your profile on motherless . . . would love to see your hot body :).” The sender identified himself as “Leo.” Detective Dominguez attested that “motherless” is a common term employed by persons seeking to obtain child pornography.

There were multiple emails sent from the email address

[email protected] in which the sender referred to himself as “Leo,” and provided a picture of himself, which depicted Doe.

One of the IP addresses used to access the suspect Dropbox account was associated with the University; a search warrant served on Charter Communications, Inc. revealed the other IP address used to access the Dropbox account was registered to Doe’s parents’ residence in Diamond Bar, California. Detective Dominguez subsequently spoke with Doe, who confirmed he was a student at the University but denied any knowledge of the email addresses [email protected] or [email protected] On May 9, 2018, LASD arrested Doe at the dental school on the University’s campus. On May 14, 2018, the University placed Doe on an interim suspension and excluded him from campus pending a University investigation into whether Doe’s conduct violated the University’s Student Code of Conduct for computer misuse, and/or conduct that threatens the health or safety of others. On July 26, 2018, Doe requested a hold on any student misconduct proceedings because he believed information from his

active criminal case could be used to support his defense in the pending student conduct case. The University granted Doe’s request and resumed review of Doe’s student conduct in January 2019.

The University’s IT department generated a document showing the IP address on the UCLA network (164.67.234.100) with various time stamps from November 22, 2017, at 17:39 UTC, through November 23, 2017, at 14:24 UTC. The document reflected that a unique “MAC address”4 associated with Doe’s computer accessed this IP address at 6:49 UTC. The records also demonstrated that Doe’s MAC address appeared consistently from November 22, 2017, at 17:39 UTC, through November 23, 2017, at 14:24 UTC.

On July 24, 2018, the Los Angeles County District Attorney’s Office filed a criminal complaint against Doe alleging possession and distribution of child pornography (Pen. Code, §§ 311.1, subd. (a), 311.11, subd. (a).) On March 1, 2019, the prosecution announced it was “unable to proceed” against Doe. Therefore, the trial court dismissed the criminal charges pursuant to Penal Code section 1382, for failure to timely prosecute. Because the charges against Doe were dismissed, Doe’s bail bond was exonerated.

On March 19, 2019, Doe requested to return to the University, given the dismissal of the criminal charges. The University’s Associate Dean of Students (Dean) asked for Doe’s responses to the claims in the LASD’s arrest warrant. Doe denied any connection to the suspect Dropbox account.

Although the arrest warrant stated that Doe had denied any knowledge of

the [email protected] email address, Doe admitted to the Dean that this was indeed his personal email address.

On April 1, 2019, the Dean informed Doe that the matter would be referred to the Student Conduct Committee Panel (Panel) for a hearing.

Matters are referred to the Panel for a hearing pursuant to the Student Conduct Code “when the Student does not acknowledge engaging in behavior prohibited by the Student Conduct Code, but the Dean concludes from the available information that the Student Conduct Committee may find that it is more likely than not that a violation of the [University’s] Student Conduct Code has occurred.”

On May 21, 2019, the University notified Doe that a hearing had been set for November 12, 2019 to adjudicate the following alleged violations of the Student Conduct Code: (1) section 102.05, computer misuse; (2) section 102.07, violations of University policy; and (3) section 102.08, conduct that threatens health or safety. Doe received an advance copy of the evidence packet to be provided to the Panel, including the Dean’s notes from interviews with witnesses, IP address information, Doe’s redacted arrest warrant, and information provided by Doe’s attorney as well as his forensic expert, Jeffrey Fischbach. Prior to the hearing, Doe’s attorney also submitted for the Panel a packet of information and exhibits in support of Doe.

At the November 12, 2019 evidentiary hearing, Doe was present with his former counsel, brother, and a campus advocate. At the outset, the Dean presented an overview of the information she had gathered.

David Shaw, the University’s chief information security officer, then explained the University’s computer network and the process of identifying an individual network user based on system time stamps, records of usage of specific IP addresses, and MAC addresses associated with individual devices.

Whenever a device connects to a network, the device asks for an IP address, and the IP address routes the traffic across the network. A device will maintain a lease of its specific IP address as long as it is connected to the network. That device can be identified by the unique MAC address with which it is associated, which in turn is associated with the network IP address.

Dropbox had provided an IP address from the University network that was in communication with the suspect Dropbox account on November 23, 2017, at 7:00 UTC. The University’s IT department was able to trace the use of that IP address on the University’s network on November 23, 2017, to a particular MAC address. The network records reflected that the IP address was issued to the MAC address associated with Doe’s device within the timeframe of the login to the suspect Dropbox account from the same IP address. When asked how the University could be certain it was Doe using the IP address on campus and not another user, Shaw explained that the leasing system ensures that two computers on the University’s network cannot simultaneously use the same IP address.

Detective Dominguez also addressed the Panel, explaining that the case originated from a cyber report to the Center regarding child pornography on a Dropbox account. He subsequently learned that a Dropbox user had accessed that suspect account from two different locations (Diamond Bar and the University campus). A search warrant served on internet service providers yielded information that the Diamond Bar residence belonged to Doe’s parents. Doe’s family informed Detective Dominguez that Doe was a student at the University during the time period the suspect Dropbox account was accessed on the University’s network.

Detective Dominguez also stated that the MAC address associated with the computer seized from Doe matched the MAC address that the University had indicated was associated with the IP address in communication with the suspect Dropbox account. Detective Dominguez confirmed that the University’s records demonstrated Doe had logged onto the campus network at 6:49 UTC 5 on November 23, 2017, and the suspect Dropbox account was accessed at 7:00 UTC on the same date and using the same IP address.

Dominguez also confirmed that Doe’s login to the University’s system was “consistent with the time frame” in which the suspect Dropbox account was accessed.

Detective Dominguez further stated the email address [email protected] was used as a recovery email for the [email protected] account. In addition, an email sent from the [email protected] account included a photograph of Doe, and the sender referred to himself as “Leo.” When asked about the website “motherless.com” referenced in the arrest warrant, Detective Dominguez stated it was advertised as an adult website, but “based on my training and experience, it is most commonly used for the purposes of obtaining child pornography.” He acknowledged there was no child pornography found on any of Doe’s devices.

Doe’s forensic expert, Jeffrey Fischbach, stated his opinion that the evidence did not establish Doe had accessed the suspect Dropbox account. He explained that Dropbox had not provided a MAC address that would directly link Doe’s computer to the suspect Dropbox account access. He

acknowledged, however, that the University had provided a spreadsheet of MAC addresses that were connected to the University IP address during the time frame in question and that the spreadsheet included the MAC address associated with Doe’s device. He also stated that given the size of the data, including pornographic videos, one would expect to find some evidence on a device that had accessed it, but none of Doe’s devices searched by law enforcement contained child pornography. Fischbach opined that whatever device accessed the suspect Dropbox account was never located. Fischbach acknowledged that Doe’s personal email address was set as the recovery email address for [email protected]. He also conceded that it was very possible that Doe had access to both email addresses at issue, [email protected] and [email protected]. Fischbach opined that Doe had been framed, however.

Doe then made a statement of his own. He stated his criminal case had been dismissed “because there was no evidence found.” He explained his disagreements with Detective Dominguez’s assessment of the evidence. He reiterated that law enforcement could not locate anything illegal on his devices, and that there was no evidence connecting his MAC address to the suspect Dropbox account. Doe confirmed that [email protected] was his personal email address, and that it was used as the recovery email for both the suspect Dropbox account and the [email protected] account.

However, Doe alleged someone else must have used his personal email address without his knowledge to set up both of these accounts. He suggested that another UCLA student lived next door to his parents’ house and that person could have logged into their IP address. However, when asked if he done anything to probe the possibility that his neighbor was the true culprit, Doe said he had not.

Doe admitted that he authored an email sent from [email protected], attaching his photograph and referring to himself as “Leo” for the purpose of pursuing legal online sexual activities. He stated that he used a fictitious name to obscure his true identity so as to avoid harm to his reputation. Doe denied the term “motherless,” used in one of his personal emails, was associated with child pornography.6 The Panel issued a detailed report finding that Doe violated sections 102.05, 102.07, and 102.08 of the Student Conduct Code. The Panel explained that, given that a “preponderance of the evidence” standard of proof applied in hearings concerning violations of the Student Conduct Code, while a higher “beyond a reasonable doubt” standard applied in criminal proceedings, it could not merely rely on the dismissal of the criminal charges to conclude Doe had not violated the Student Conduct Code. Parsing through the evidence, the Panel noted the name “Leo” connected Doe to the [email protected] account used to set up the suspect Dropbox account. Doe had admitted identifying himself as “Leo” in emails sent from his personal email address, [email protected]. The [email protected] address contained the name “Leo,” and it used Doe’s personal email address as its recovery email. Further, Doe’s personal email address was used as the recovery email for the suspect Dropbox account.

Given this evidence, the Panel did not find credible Doe’s denial of any association with the [email protected] account or the suspect Dropbox account.

With respect to the two IP addresses used to access the same suspect Dropbox account, the Panel did not find credible Doe’s claim that someone else likely used his family’s internet in Diamond Bar to access it. The Panel focused on the fact that the Dropbox account had been accessed on two different dates from two different locations, both associated with Doe. The Panel concluded Doe had not provided a reasonable alternative scenario to explain this supposed coincidence.

The Panel further stressed that during the time period the suspect Dropbox account containing child pornography was accessed on November 23, 2017, Doe’s MAC address was connected on the University’s network to the IP address used to access the Dropbox account. The Panel thus found it “more likely than not” that Doe’s device accessed child pornography while connected to the University network. The Panel found by a preponderance of the evidence that Doe had violated Student Conduct Code sections 102.05, 102.07, and 102.08, and recommended dismissal from the University as the appropriate sanction.

On December 5, 2019, Doe appealed the Panel’s findings and his dismissal to the University’s Vice Chancellor of Student Affairs. On January 10, 2020, the appeal was denied and the Panel’s recommendation upheld.

On April 29, 2020, Doe sought a writ of administrative mandate (Code Civ. Proc., § 1094.5) in the superior court.7 Following briefing and oral argument, the court denied the writ petition on July 13, 2021, and entered

Doe filed a petition for either a writ of administrative mandate (§ 1094.5) or a traditional writ of mandate (§ 1085). However, Doe exclusively sought relief under section 1094.5 in his briefing before the superior court.

judgment on November 9, 2021. On January 5, 2022, Doe filed a notice of appeal from the judgment.

DISCUSSION A. Administrative Mandate and Standard of Review The remedy of administrative mandamus applies “‘to the case of a student who is subject to university disciplinary proceedings,’ when the university ‘provides for an evidentiary hearing.’” (Teacher v. California Western School of Law (2022) 77 Cal.App.5th 111, 127; Doe v. Claremont McKenna College (2018) 25 Cal.App.5th 1055, 1065.) “The inquiry of the reviewing court extends to questions about the [university’s] jurisdiction to proceed, whether there was a fair trial, and ‘whether there was any prejudicial abuse of discretion.’ (§ 1094.5, subd. (b).) An abuse of discretion is established if the [university] has failed to proceed ‘in the manner required by law, [or] the [university’s] order or decision is not supported by the findings, or the findings are not supported by the evidence.’ (Ibid.) We review the factual basis behind the [university’s] order or decision for ‘substantial evidence in . . . light of the whole record.’ (Id., subd. (c).)” (Akella v. Regents of University of California (2021) 61 Cal.App.5th 801, 813–814, (Akella)) “‘In applying the standard, we focus on the decision of the [university] rather than that of the trial court and “‘answer the same key question as the trial court . . . whether the [university’s] findings were based on substantial evidence.’”’ (Colony Cove Properties, LLC v. City of Carson (2013) 220 Cal.App.4th 840, 866.) This requires the reviewing court to consider all relevant evidence in the administrative record and view that evidence in the light most favorable to the [university’s] findings, drawing all inferences in

support of those findings. (Do v. Regents of University of California (2013) 216 Cal.App.4th 1474, 1490 (Do).) The reviewing court does not substitute its own findings and inferences for that of the [university]. (McAllister v. California Coastal Com. (2008) 169 Cal.App.4th 912, 921 (McAllister).) ‘Only if no reasonable person could reach the conclusion reached by the [university], based on the entire record before it, will a court conclude that the [university’s] findings are not supported by substantial evidence.’ (Do, supra, at p. 1490; accord, McAllister, supra, at p. 921.)” (Akella, supra, 61 Cal.App.5th at p. 814.)

B. Analysis Doe challenges the Panel’s decision to dismiss him from the University.

He contends substantial evidence does not support the findings that he was connected to the email address [email protected] used to create the suspect Dropbox account and that he had accessed the account. Based on our review of the entire administrative record, we conclude there was substantial evidence that it was “more likely than not” that Doe accessed the suspect Dropbox account containing child pornography.

Here, it was undisputed that the suspect Dropbox account contained child pornography. The [email protected] account was used to create and access the suspect Dropbox account. The recovery email for both the [email protected] account and the suspect Dropbox account was Doe’s personal email address, [email protected] The

However, in his reply brief, Doe concedes “[t]he recovery email for the Dropbox is Doe’s personal email address.” Indeed, Doe confirmed at the [email protected] account was created using this personal email address.

Doe admittedly referred to himself as “Leo” and attached a picture of himself while using his personal email address to correspond with other adults regarding sexual activities.

Moreover, Dropbox provided two IP addresses that had accessed the suspect Dropbox account; IP address 104.32.99.146 on August 20, 2017, and 164.67.234.100 on November 23, 2017, specifically at 7:00:17 UTC. The former IP address was associated with Doe’s parents’ residence in Diamond Bar, and the latter IP address was associated with the University, where Doe was a student (at the time).

University records indicated that Doe’s unique MAC address was connected to the IP address (164.67.234.100) associated with the University at 6:49 UTC on November 23, 2017, which was consistent with the timeframe of the login to the suspect Dropbox account (7:00 UTC on Nov. 23, 2017).

Although Doe points out that University IT records showed Doe’s device session was interrupted and expired at 6:49 UTC on November 23, 2017 and a new device session was not detected until 103 minutes later, at 8:32 UTC, Shaw testified Doe’s lease on the IP address did not expire, nor was it released, because he continued to use it beyond 7:00 UTC on November 23, 2017, through November 23, 2017 at 14:24 UTC. Further, Shaw testified that an IP address is leased to only one device at a time—here Doe’s. Thus, substantial evidence supports the determination that Doe was the individual who accessed Dropbox at 7:00 UTC on November 23, 2017. Doe’s conclusory assertion that the IP address associated with the University could have been

student conduct hearing that the suspect Dropbox account had been created using his personal email address as the recovery email.

used by another student to access the suspect Dropbox account with a different device is directly refuted by the same evidence that only one person—here Doe—could have been using the IP address during the November 22-23 timeframe.9 Doe’s reliance on the dismissal of criminal charges against him is unavailing. First, Doe incorrectly assumes that the standards of proof in the criminal and student conduct proceedings are the same, and that there was a ruling on the merits in the criminal matter. As the Panel correctly noted, it could not rely on the dismissal of criminal charges to find that Doe did not violate the Student Conduct Code, given that a criminal proceeding applies the higher beyond a reasonable doubt standard, while a student conduct proceeding rests on the preponderance of the evidence standard.

Furthermore, the dismissal of the criminal charges was based on the failure to timely prosecute the case, not a determination by the court that the charges lacked merit. Contrary to Doe’s contention, he was not “exonerated” by the court; rather, his bail bond was exonerated after the charges were dismissed.

We conclude substantial evidence supports the Panel’s finding that it was “more likely than not” that Doe accessed the suspect Dropbox account containing child pornography. Doe’s disagreement with the reasonable inferences the Panel drew from the evidence is not sufficient to overturn his dismissal from the University. (Doe v. Regents of California (2016) 5 Cal.App.5th 1055, 1074 [“We are required to accept all evidence which

supports the successful party, disregard the contrary evidence, and draw all reasonable inferences to uphold the verdict”].)

DISPOSITION The judgment is affirmed. The University is awarded its costs on appeal.10 NOT TO BE PUBLISHED IN THE OFFICIAL REPORTS

STONE, J.* We concur:

CURREY, Acting P. J.

COLLINS, J.