Search Execution Issues
National Center for Justice and the Rule of Law
The University of Mississippi School of Law
Don Mason
Objectives
Describe search warrant scope and other legal issues relating to execution of searches for digital evidence
Outline reasons computer searches are executed in certain ways
Describe considerations regarding materials held by businesses or for publication
Summarize how statutory or rule based time limits may apply to computer searches
Identify the legal issues that arise if the government seeks to compel disclosure of a computer password or passphrase
Search Execution Issues
Expert and third party assistance
On-site vs. off-site search
Scope of the warrant
Businesses and networks
Commingling of materials
Getting second warrants
Applying time limits
First Amendment considerations
Fifth Amendment considerations
Technical Expert
Technical person, involved early, can help with
– type of equipment used
– hardware or software to be seized
– on-site or in-lab hardware examination
  preview
  copy storage devices and leave in place
  remove to facility to examine data & devices
Skills
Who will do the exam?
Do “outside” experts need to be named in the warrant?
Investigators should get the forensic examiner involved as early as possible.
Advice and help with making forensic duplicate (“image”).
Complications
Multiple locations . . . Server - where is the server?
How many warrants do you need?
Are there backup tapes and are they admissible?
The “Innocent Owner”
Justification for removal
Image on site?
Is the computer partitioned for each user?
– Logical search only
Image or original left behind?
Generally, gov’t CAN remove computer, hard drive, & discs to police station for detailed forensic examination because of
intermingling of legit. & illegit. items
technical difficulty of examination
volume of info seized
fundamental premise: “current technology does not permit proper on-site examination of computer files.”
Search Devices On Site or Off Site?
Held: It would be unreasonable to require police to carry out search of (all) storage media at location specified in the warrant.
• Would place undue burden on smaller LE agencies to purchase and maintain computers capable of such searches
• Would make search much more intrusive, compromising 4th Amendment value of making searches as brief and non-intrusive as possible.
United States v. Hill
Even if police had properly equipped computer and expert with them …
– On-site search poses “serious risk that police might damage storage medium or compromise the integrity of the evidence”.
– The process of searching files at the scene can take a long time.
United States v. Hill
Wholesale Seizure Concerns
Potential disruption of business, professional practice, personal lives
RESPONSES
1. Some urge gov't to copy data & return equipment ASAP
2. "special approach:" -- some require police to set out minimization procedures in warrant
Responses to Intermingled Documents
1. "Special approach": may require 2nd warrant before search
RATIONALE:
“we cannot easily condone the wholesale removal of file cabinets and documents not covered by the warrant”
2. Other courts reject – apply container analogy
Follow-up Warrants
No additional warrant required to break passwords & encryption
– but be careful
Discovery of evidence of other crimes
– initial evidence of other crimes
  probably admissible under plain view exception
– subsequent evidence of other crimes
  second or supplementary warrant required to change focus of the search
View
2. "special approach": imposing limitations on search
E.G., by file name or file type
[ex] opening files w/ child porn (after first file opened), executing SW for documents relating to drug dealing, not plain view:
files were “closed” and “unambiguously” named
Carey
[ex] where large volume of data seized from D's law office:
special master to decide what data responsive to SW or w/in exception such as plain view
Abbell
Time Limits
Primary Question: Does the Government have to complete the forensic examination within the 10-day limit set forth in F.R.C.P. Rule 41?
Answer: NO (generally)
“Neither Rule 41 nor the Fourth Amendment impose any time limitation on the government’s forensic examination of the evidence seized.”
– U.S. v. Triumph Capital Group, Inc., 211 F.R.D. 31, 66 (D. Conn. 2002).
Why?
Primarily because the Rule is:
– Meant to prevent staleness, which is not usually an issue;
– Ministerial in nature; and
– Procedural, not Constitutional, thus the remedy is not always suppression of the evidence.
When is search “executed”?
Fact-specific
When carrying out directions in warrant
– Seizing evidence
Subsequent examination is forensic analysis
Purpose of rules
To ensure that
– Items sought are in the place to be searched
– The PC supporting the warrant has not grown stale
– The integrity of the evidence is not compromised
“Staleness ceases to be a concern after the evidence has been lawfully seized.”
Key questions
Has the Probable Cause dissipated during the interim?
Is the defendant prejudiced by any delay?
– Is there reason to believe gov’t may find something they would not have found if the search was completed immediately?
Remember…
If not having the computer presents a legitimate hardship for the defendant or a third party (commonly an employer):
– Party can file Motion to Return Property under Rule 41(g); and / or
– Common courtesy – many times the prosecutor / agency will simply work with the party to reduce inconvenience and / or legitimate hardship.
Court-created time limits
While neither Rule 41 nor the Fourth Amendment imposes any time limitation on the Government’s forensic examination, certain courts have:
– Imposed time limitations created by the court.
– In certain cases invoked the suppression doctrine for violations.
E.g., United States v. Brunette, 76 F. Supp. 2d 30 (D. Maine 1999), aff’d, 256 F.3d 14 (1st Cir. 2001).
2 “Schools” of thought
Majority View: (of the few courts that have addressed)
– Rule 41 regulates the initial time period for searching for and seizing the (digital) evidence, and the forensic examination of the digital evidence, like the forensic examination of other seized evidence, is not a new search.
“Schools of thought” (cont’d)
Minority View:
– Rather than the usual one-step process, with normal search warrant execution (enter the place to be searched, seize the property named in the warrant, leave), it’s a two (or more)-step process (enter, seize the computer hardware, take it off-site, then search the computer for data).
Court embracing minority view (digital evidence is unique)
In the Matter of: The Search of the Premises Known As… [*] [unreported] [W.D. Mich.] [procedural history and Government censorship of ideas; papers, books, etc.]
In addressing F.R.C.P. 41(e)(2) the court was concerned that the warrant did not “state any time period during which the search of the seized material would be conducted.”
Search protocol was at issue.
“This would allow the Government to seize all computers and digital media found at the residence, retain that material, and search it at its convenience.”
“Furthermore, the Court was concerned that without a time limit, the proposed warrant was an unreasonable seizure and search which could authorize the Government to seize the private documents of individuals living at the residence for an unreasonable amount of time.”
Additional Cautions
Searching business computer or network that may contain trade secrets or other confidential information not sought
– Investigators should work with business; ask if such info might be encountered; document.
Information might be protected by special privacy laws – e.g., HIPAA
Special Consideration: Privacy Protection Act of 1980
Response to Zurcher v. Stanford Daily (1978)
To protect media / publishers by restricting search or seizure of materials innocently held for publication
PPA Protects
"work product materials"
"documentary materials"
possessed by persons intending to disseminate them to the public in a “newspaper, book, broadcast, or . . . similar form of public communication.”
42 U.S.C. § 2000aa
Potential PPA Applicability
The PPA prohibits searching for or seizing protected materials
– Thus, encourages use of subpoenas
Anyone can be a “publisher” via Internet
Does the computer contain materials that appear to be held for publication?
Principal PPA Exception
Evidence of crime exception
– Probable cause to believe possessor committed a crime
– The materials to be seized relate to the crime
– More than mere possession offense (unless national security or child exploitation involved)
PPA Liability
Federal, municipal & county agencies may be liable for violations
State law enforcement personnel may be individually liable for violations
Compelling Passphrases/words
Can an individual invoke the Fifth Amendment and refuse to comply with a grand jury subpoena to enter a password to allow access to the files on his computer?
In re Boucher, 2007 WL 4246473 (Nov. 29, 2007).
Essential Facts of Boucher
Dec. 17, 2006, defendant was arrested at Canadian border after ICE agent found child pornography on his laptop. The government seized the laptop and subsequently found that the laptop files were encrypted, password-protected and inaccessible. Grand jury issued a subpoena ordering Boucher to enter his password to allow access to files on the computer. Boucher moved to quash the subpoena on the ground that it violated his Fifth Amendment privilege against self-incrimination.
Fifth Amendment requirements
The Government must be:
– (1) compelling you to…
– (2) give testimony that…
– (3) incriminates you.
In this case the primary question was:
Is it testimonial?
Court’s Ruling:
The D. Vt. (Magistrate Judge) held that:
– Entering / disclosing the password is testimonial as it “implicitly communicates facts” (e.g., he knows the password / has control of files, etc.)
– Other types of production (e.g., fingerprints, blood samples, voice recordings) are unprivileged as they are not testimonial. It is undeniable that a person possesses his own fingerprints, voice, etc., and producing them does not indicate anything as to a defendant’s thoughts. (Same as asking a question?)
– Court applied the key / combination analysis for a strongbox or safe.
Government Appealed to D.C.
How would you rule?
Late-breaking news
Don Mason
Associate Director
National Center for Justice and the Rule of Law
662-915-6898
Questions?