COMPUTER SEARCHES AND SEIZURES:
SOME UNRESOLVED ISSUES
Susan W. Brenner*
Barbara A. Frederiksen**
Cite as: Susan W. Brenner and Barbara A. Frederiksen, Computer Searches and Seizures: Some Unresolved Issues, 8 available at http://www.mttlr.org/voleight/Brenner.pdf
Introduction
I. A Hypothetical
II. Off-Site Versus On-Site Computer Searches
A. Off-Site Document Searches
B. Off-Site Computer Searches
1. Department of Justice Guidelines
2. 1994 Guidelines
3. 2001 Revised Guidelines
C. When are Off-Site Computer Searches Reasonable?
D. Off-Site Document Search
E. Off-Site Computer Search
F. Off-Site Document Search Rationale Inapplicable to Off-Site Computer Searches
G. Automated Search Techniques
H. Technical Considerations
I. Back-Up Copies Made on-Site for Off-Site Search
J. Spoliation—Inadvertent
K. Spoliation—Advertent
L. General Affidavit Language not Sufficient
M. On-Site Search May be Reasonable
N. On-Site Copy with Off-Site Review
O. Off-Site Searches: A Proposal
III. The Plain View Doctrine and Computer Searches
IV. Is Copying Data a Search? A Seizure?
Conclusion
[I]n the application of a constitution, . . . our contemplation cannot be only of what has been but of what may be. . . .
. . . .
. . . Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. . . . Can it be that the Constitution affords no protection against such invasions of individual security?[1]
Society has come a long way toward realizing the scenario Justice Brandeis hypothesized in the dissent in Olmstead, especially with regard to computer-generated “papers.” As society moves into the cyberworld,[2] the novel, distinctive characteristics of electronic information are generating a host of questions as to how traditional Fourth Amendment jurisprudence is, and should be, transposed to this new environment.
The rise of the cyberworld has given us cybercrime, a new variety of unlawful behavior in which computers are used in committing crimes.[3] Evidence-gathering by law enforcement officers investigating cybercrime cases can implicate any of several legal standards, including the Fourth Amendment prohibition on unreasonable searches and seizures,[4] the Fifth Amendment privilege against self-incrimination[5] and statutory guarantees such as those created by the Electronic Communications Privacy Act.[6] Statutory guarantees like the Electronic Communications Privacy Act were deliberately crafted to deal with technological issues, but constitutional guarantees evolved in a world in which technology was essentially unknown.[7] It can, therefore, be difficult to translate constitutional guarantees into a technical environment.
The Fourth Amendment is the most troubling provision because applying its guarantees to computer searches and seizures requires extrapolating concepts that were devised to deal with the “real” physical world to the cyberworld.[8] The Fourth Amendment guarantees citizens the right to be free from “unreasonable searches and seizures.”[9] A “search” or a “seizure” is reasonable if it meets certain requirements. Officers may conduct a search and/or seizure pursuant to a search warrant that is based on probable cause.[10] The warrant must be issued by a neutral and detached Magistrate Judge and must satisfy certain other requirements.[11] The officers’ conduct will be “reasonable,” not in violation of the Fourth Amendment, as long as they stay within the scope of that warrant, or, in other words, as long as their actions are calculated to locate evidence for which the warrant authorizes them to search and seize.[12] There are also a number of exceptions to the warrant requirement; if officers carry out a search and/or seizure pursuant to one of these exceptions, their conduct will be deemed to be reasonable even though they acted without a warrant.[13] If officers carry out a search or seizure that is not authorized by a warrant or by an exception to the warrant requirement, their conduct will be deemed unreasonable, and in violation of the Fourth Amendment.[14]
The parameters used to implement Fourth Amendment guarantees in the context of real world searches and seizures are well-established. The cyberworld lacks the real world’s unambiguous physical boundaries; it is therefore often difficult to translate these guarantees into the context of computer searches, where simply determining when a “search” or “seizure” occurs can be a complicated endeavor, as can differentiating a “search” from a “seizure.”[15]
The areas of Fourth Amendment difficulty are myriad and seem to increase almost every day, so a comprehensive treatment of these issues is outside the scope of this article. The goal of this article is to illustrate the issues that arise in the context of computer searches and seizures by examining several areas in which the application of Fourth Amendment concepts to computer searches and/or seizures can be problematic. In order to illustrate this point, the article will build on a hypothetical. The hypothetical situation assumes law enforcement officers have lawfully obtained a warrant to search for and seize evidence concerning the commission of one or more crimes. It will also be assumed that computer technology played some role in the commission of these crimes, so computer equipment and computer data are legitimate objects of the search. This hypothetical is used to explore three issues, each of which concerns the execution of a computer search and seizure warrant:
Under what circumstances is it reasonable to conduct a search of computers and/or computer files off-site, as opposed to on-site?
What, if any, role should the plain view doctrine play in computer searches and seizures?
Is copying data contained on a hard drive or in some other electronic storage media[16] a search? A seizure?
Federal agents spent several years investigating the possible commission of insurance fraud involving the submission of false and/or inflated claims for reimbursement of medical expenses. The agents came to believe that attorneys and employees working for the law firm of Doe & Doe were centrally involved in the commission of the fraud, and concluded that a search of the law firm’s files was needed for evidence of that involvement.
To that end, agents obtained a warrant authorizing them to search the office of Doe & Doe and to seize specified “computer hardware, software, and peripherals” at that office. The warrant was based on probable cause, was issued by a “neutral and detached” Magistrate Judge, and in every other way satisfied the requirements of the Fourth Amendment. In addition to authorizing the seizure of computer hardware, software and peripherals, the warrant authorized the investigators to search the seized computer system for data concerning individuals who were targets of the investigation, medical appointment logs, accounting records and other evidence itemized in a schedule attached to the warrant application. The warrant required the agents executing the search to make a back-up copy of the information contained in the seized computer hardware, “as soon as reasonably practicable.” The judge issuing the warrant ordered that the back-up be sufficient to give Doe & Doe a copy of all the information stored on its seized computer equipment. The warrant also ordered the investigators to make a mirror image[18] of the computer system using the system’s own peripherals. The mirror image was to capture all the data on the system to the extent possible, including data purged or deleted from the system. It was also to be used to identify all users who had access to particular data on the system.
The agents charged with executing the warrant entered the Doe & Doe office early one morning, and began by disabling the office’s network server. They seized the server and related equipment. The agents then went to each stand-alone computer with independent storage capacity and ran a “key-word” search of its hard drive, using a program called DiskSearch II.[19] If the search produced any key-word “hits,” they seized the computer. The agents ultimately seized twenty-two computers, all but four of Doe & Doe’s computers. The agents executing the warrant also seized thirteen computer back-up tapes and a printer. The printer was seized to facilitate their off-site searching of the seized computers.
The agents moved the seized computers and computer equipment to an off-site location, where the server and computer were reassembled. Two back-up copies of the data contained on the system were not made until four days after the initial search. One of these copies was then returned to Doe & Doe. The search of the system was not completed for almost two years.
Officers executing an authorized Fourth Amendment intrusion have traditionally searched for and then seized evidence (if, indeed, any was to be found), rather than the reverse. Indeed, this essential, but generally unarticulated, Fourth Amendment practice is implicitly recognized when referring to search and seizure warrants.[20]
Toward the end of the last century, the practicability of this assumption came into question with regard to certain kinds of Fourth Amendment intrusions. A doctrine was established under which the traditional sequence was reversed: evidence was seized and then searched. This doctrine emerged in the context of “document” searches, cases in which officers executed search warrants requiring them to search through large volumes of paper records and seize specified documents.[21] Instead of searching through the documents on-site and only seizing those documents which fell within the scope of the warrant, officers began seizing all of the documents and removing them to an off-site location where they searched the entire body of documents, seized those that were within the scope of the warrant and then returned the others.[22]
Often, those whose documents were seized challenged the officers’ actions, claiming they were not “reasonable” under the Fourth Amendment.[23] Since the officers acted pursuant to a lawfully-issued warrant, the challengers did not claim that the officers’ conduct was unreasonable from the outset; instead, they argued that the officers acted unreasonably in the way they executed the warrant.[24] Specifically, the challengers alleged that it was not reasonable for the officers to seize a large volume of documents and take them away for an off-site search. They pointed out, among other things, that in doing so the officers exceeded the scope of the warrant by seizing both relevant and irrelevant documents, e.g., documents which fell within the scope of the search and seizure warrant and those that did not.[25] Courts consistently upheld this practice as “reasonable” under the Fourth Amendment, relying, in part, on the premise that having officers search through the entire volume of documents on-site is more intrusive than having them do so off-site.[26] One factor often cited in upholding this practice is that clearly incriminating documents are so often intermingled with other non-incriminating documents that it simply is not reasonable to require officers to sort the documents on-site.[27]
The application of the off-site document search doctrine is not limited to searches conducted on business property; it also applies to the home. Several decisions apply the doctrine to searches conducted at a person’s home, on the premise that it would be even more intrusive to have officers conduct a lengthy sorting and searching process at a home than at a business.[28]
Warrants that require officers to search for and seize computer-generated evidence can also create a large volume of evidence, the various elements of which are often intermingled with each other. For example, a keyword search may identify many files and file fragments which contain the responsive phrase, but depending on the nature of the investigation, not all of these will be relevant or discoverable. The same search term may yield results that identify text contained in relevant documents and text in documents which are not relevant to the crime under investigation or contain correspondence between the suspect and their attorney. The search results may also include text that is found in deleted files or e-mails. The terms of the search warrant will dictate whether text located in deleted files can be used as evidence. It is therefore not surprising that officers began to deal with these computer “documents” in the same way they had become accustomed to dealing with paper documents. The officers seize the containers in which the computer records are stored and take the records off-site[29] to be searched and sorted.[30]
In 1994, the Department of Justice issued the Federal Guidelines for Searching and Seizing Computers [hereinafter “Guidelines”], the purpose of which was to try to “illustrate some of the ways in which searching a computer is different from searching a desk, a file cabinet, or an automobile.”[31] The authors of the Guidelines explained that they had attempted to translate traditional search and seizure principles into the context of computer searches, noting that they “often had to extrapolate from existing law or policies to try to strike old balances in new areas.”[32] As to their authoritativeness, the Preface to the Guidelines explains that, while the Guidelines are drafted by an interagency working group:[33]
[t]hese Guidelines have not been officially adopted by any of the agencies, and are intended only as assistance, not as authority. They have no regulatory effect, and confer no right or remedy on anyone. Moreover, the facts of any particular case may require you to deviate from the methods we generally recommend, or may even demand that you try a completely new approach.[34]
This caveat notwithstanding, the Guidelines became an influential, often-cited source of information on how computer searches and seizures should be conducted.[35]
Because of changes in technology, the Guidelines were updated by Supplements issued in 1997 and 1999 and a revision was issued early in 2001.[36] The 2001 revision supersedes the 1994 Guidelines, as well as the 1997 and 1999 Supplements to the 1994 Guidelines.[37] Like the 1994 Guidelines, the 2001 revision is not represented as binding authority.[38] But like the 1994 Guidelines, the 2001 revision will certainly influence how computer searches and seizures are conducted. It is therefore necessary, when examining any issue involving a search or seizure of computers executed by federal agents, to consider the extent to which the positions articulated in the Guidelines correctly extrapolate Fourt