US: Important Case ...
 
Notifications
Clear all

US: Important Case on Search Warrants

15 Posts
5 Users
0 Likes
575 Views
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

This case seems to be causing quite a stir in the US regarding digital evidence

U.S. v. Comprehensive Drug Testing, Inc., 2009 WL 2605378 (U.S. Court of Appeals for the Ninth Circuit 2009)

The Court announced that it was updating its precedents to include the following guidelines for warrants seeking to examine or seize a computer or other electronic storage media.

1) The government's search protocols must be designed to uncover only that information for which it has probable cause, and only that information may be examined by the case agents.

2) Segregation and redaction of data must be done by specialized personnel or an independent third party. If the segregation is to be done by government personnel, the government must agree in the warrant application that the reviewing personnel will not dislcose to the investigators any information other than that which is the target of the warrant.

3) The government must destroy or return the non-responsive data, keeping the magistrate judge informed as to when it has done so and what is has kept.

4) The government must waive reliance on the plain view doctrine.

5) Warrants and subpoenas must disclose the actual risks of destruction of information, as well as prior efforts to seize that information in other judicial fora.

 
Posted : 12/09/2009 10:36 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

I blogged on this, so I'll link that.

http//www.memphis-computer-forensics.com/blog/2009/08/us-v-comprehensive-drug-testing/

 
Posted : 13/09/2009 4:16 am
(@seanmcl)
Posts: 700
Honorable Member
 

Actually, these guidelines pretty much parallel the protocol that I frequently see on the civil side. A lot of judges are unwilling to allow the opposing party free reign when it comes to the examination of a subject's hard drive, especially when it is a personal (home) computer.

In some cases, we've been restricted to files which are visible to the user (i.e., no recovery of files from unallocated space, temp space, etc.).

While I don't find this particularly troubling on its own, I worry that the courts are addressing the issues of computer forensics on a piecemeal basis rather than via a comprehensive analysis. For example, we now have the judicial response to the drug testing incident, the Crist case in which the court ruled that generating a list of MD5 hashes constituted a Fourth Amendment violation (although imaging the disk and reviewing the images in gallery mode apparently did not), and Boucher, where he invoked his Fifth Amendment rights in refusing to divulge the password to encrypted data on his hard drive.

If these issues continue to be adjudicated at the level of district courts, we could end up with a totally unworkable system of electronic evidence gathering.

 
Posted : 13/09/2009 4:51 pm
Beetle
(@beetle)
Posts: 318
Reputable Member
 

This is interesting. The court has set out pretty much the same thing we have been putting in our Information(s) to Obtain a Search Warrant up here or the last couple of years as a result of a case from New Brunswick (Daley).

Here's the link

http//www.canlii.org/en/nb/nbpc/doc/2008/2008nbpc29/2008nbpc29.pdf

 
Posted : 13/09/2009 6:36 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

I know you guys will know better than me how this case impacts in the States, but if 1) were implemented in the UK it could mean an arrested co-conspirator's seized mobile phone that during an examination an incoming text message that could be received during examination that may be potentially important in a child abduction cases would not be allowed

1) The government's search protocols must be designed to uncover only that information for which it has probable cause, and only that information may be examined by the case agents

 
Posted : 13/09/2009 6:51 pm
Beetle
(@beetle)
Posts: 318
Reputable Member
 

I know you guys will know better than me how this case impacts in the States, but if 1) were implemented in the UK it could mean an arrested co-conspirator's seized mobile phone that during an examination an incoming text message that could be received during examination that may be potentially important in a child abduction cases would not be allowed

1) The government's search protocols must be designed to uncover only that information for which it has probable cause, and only that information may be examined by the case agents

I think that one could argue exigent circumstances with a threat to safety would permit the use of the information from the text message.

 
Posted : 13/09/2009 7:24 pm
(@seanmcl)
Posts: 700
Honorable Member
 

I know you guys will know better than me how this case impacts in the States, but if 1) were implemented in the UK it could mean an arrested co-conspirator's seized mobile phone that during an examination an incoming text message that could be received during examination that may be potentially important in a child abduction cases would not be allowed

I'm not so sure.

First, as I noted, in this case the Appeals Court was particularly angered by the fact that the government had twice, previously, applied to the Northern District Court for, first, an overly broad subpoena and, second, a more restricted subpoena, both of which were under appeal. During the appeal process, the parties agreed that all of the data would be preserved pending the outcome of the appeal.

Without waiting for the outcome of the appeal, the government went to the Central District Court requesting a third, limited, subpoena, but it failed to inform the court of the previous subpoenas, the fact that they were under appeal, and the fact that the subjects of the subpoena had already agreed to preserve all the data pending the outcome of the appeals. They also requested that they be allowed to seize all of the records (even though they only wanted to examine ten of them), on the grounds that there was the potential for the data to be deleted, again, without telling the court that they had a prior agreement with the parties to preserve evidence.

The government, then, seized even more data than they had specified in the subpoena. Counsel for the subjects asked for an appointed special master to assist in redaction and the government refused.

Moreover, other lower courts in the same circuit had already held that search warrants on the data contained in electronic devices need to be specific as to what was recovered and limited to what was specified in the subpoena.

So this wasn't really an earthshaking decision.

As for your specific example, I'm not so sure. If the Court allowed you to seize the phone in order to search for evidence of a specific crime and you found evidence of another, unrelated crime, you would probably be excluded from using this as evidence.

But, if you are in legal possession of the phone for the purposes of looking for evidence of a crime and a call or text message comes in while you are in legal possession, indicating that another crime was or was going to be committed, that might be sufficient for probable cause.

Incoming messages would not, I believe, fall under the guidelines of what is an unreasonable search since you weren't looking for them and since, in surrendering the phone, the owner gives up a reasonable expectation of privacy for messages delivered while the phone is in the possession of another.

 
Posted : 13/09/2009 7:50 pm
Beetle
(@beetle)
Posts: 318
Reputable Member
 

But, if you are in legal possession of the phone for the purposes of looking for evidence of a crime and a call or text message comes in while you are in legal possession, indicating that another crime was or was going to be committed, that might be sufficient for probable cause.

Incoming messages would not, I believe, fall under the guidelines of what is an unreasonable search since you weren't looking for them and since, in surrendering the phone, the owner gives up a reasonable expectation of privacy for messages delivered while the phone is in the possession of another.

When we have situations like this, except in exigent circumstances with a threat to safety, we apply for a new warrant in respect of the newly discovered evidence of another offence.

 
Posted : 13/09/2009 8:24 pm
(@seanmcl)
Posts: 700
Honorable Member
 

When we have situations like this, except in exigent circumstances with a threat to safety, we apply for a new warrant in respect of the newly discovered evidence of another offence.

I would agree. I was suggesting, though, that if a message arrived while you were conducting a legal examination of the phone, that this would fall into the plain view category and could be used as probable cause for a warrant even if it was not part of the initial warrant.

On the other hand, the opposition might try to argue that you should have examined the phone in a RF shielded setting where you would not have been able to receive the message and, therefore, that the message was the fruit of the poisoned tree.

Isn't technology fun?

 
Posted : 13/09/2009 9:23 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

I would agree. I was suggesting, though, that if a message arrived while you were conducting a legal examination of the phone, that this would fall into the plain view category and could be used as probable cause for a warrant even if it was not part of the initial warrant.

On the other hand, the opposition might try to argue that you should have examined the phone in a RF shielded setting where you would not have been able to receive the message and, therefore, that the message was the fruit of the poisoned tree.

Isn't technology fun?

Depending on your jurisdiction, any message that arrives after the execution of the warrant may be considered still part of the telecommunications system, and require a specific wiretap warrant. It's the same concept as how unopened mail is different to opened mail in the real world.

This is why my old unit built a Faraday room for mobile phone examination… so that no new messages could be received whilst the phone was switched on and under examination.

 
Posted : 14/09/2009 12:51 am
Page 1 / 2
Share: