US: Important Case on Search Warrants  

trewmte
(@trewmte)
Community Legend

This case seems to be causing quite a stir in the US regarding digital evidence

U.S. v. Comprehensive Drug Testing, Inc., 2009 WL 2605378 (U.S. Court of Appeals for the Ninth Circuit 2009)

The Court announced that it was updating its precedents to include the following guidelines for warrants seeking to examine or seize a computer or other electronic storage media.

1) The government's search protocols must be designed to uncover only that information for which it has probable cause, and only that information may be examined by the case agents.

2) Segregation and redaction of data must be done by specialized personnel or an independent third party. If the segregation is to be done by government personnel, the government must agree in the warrant application that the reviewing personnel will not disclose to the investigators any information other than that which is the target of the warrant.

3) The government must destroy or return the non-responsive data, keeping the magistrate judge informed as to when it has done so and what it has kept.

4) The government must waive reliance on the plain view doctrine.

5) Warrants and subpoenas must disclose the actual risks of destruction of information, as well as prior efforts to seize that information in other judicial fora.

Posted : 12/09/2009 11:36 pm
Patrick4n6
(@patrick4n6)
Senior Member

I blogged on this, so I'll link that.

http://www.memphis-computer-forensics.com/blog/2009/08/us-v-comprehensive-drug-testing/

Posted : 13/09/2009 5:16 am
seanmcl
(@seanmcl)
Senior Member

Actually, these guidelines pretty much parallel the protocol that I frequently see on the civil side. A lot of judges are unwilling to allow the opposing party free rein when it comes to the examination of a subject's hard drive, especially when it is a personal (home) computer.

In some cases, we've been restricted to files which are visible to the user (i.e., no recovery of files from unallocated space, temp space, etc.).

While I don't find this particularly troubling on its own, I worry that the courts are addressing the issues of computer forensics on a piecemeal basis rather than via a comprehensive analysis. For example, we now have the judicial response to the drug testing incident, the Crist case in which the court ruled that generating a list of MD5 hashes constituted a Fourth Amendment violation (although imaging the disk and reviewing the images in gallery mode apparently did not), and Boucher, where he invoked his Fifth Amendment rights in refusing to divulge the password to encrypted data on his hard drive.

If these issues continue to be adjudicated at the level of district courts, we could end up with a totally unworkable system of electronic evidence gathering.

Posted : 13/09/2009 5:51 pm
Beetle
(@beetle)
Active Member

This is interesting. The court has set out pretty much the same thing we have been putting in our Information(s) to Obtain a Search Warrant up here for the last couple of years as a result of a case from New Brunswick (Daley).

Here's the link:

http://www.canlii.org/en/nb/nbpc/doc/2008/2008nbpc29/2008nbpc29.pdf

Posted : 13/09/2009 7:36 pm
trewmte
(@trewmte)
Community Legend

I know you guys will know better than me how this case impacts in the States, but if 1) were implemented in the UK it could mean an arrested co-conspirator's seized mobile phone that during an examination an incoming text message that could be received during examination that may be potentially important in a child abduction case would not be allowed

1) The government's search protocols must be designed to uncover only that information for which it has probable cause, and only that information may be examined by the case agents

Posted : 13/09/2009 7:51 pm
Beetle
(@beetle)
Active Member

I know you guys will know better than me how this case impacts in the States, but if 1) were implemented in the UK it could mean an arrested co-conspirator's seized mobile phone that during an examination an incoming text message that could be received during examination that may be potentially important in a child abduction case would not be allowed

1) The government's search protocols must be designed to uncover only that information for which it has probable cause, and only that information may be examined by the case agents

I think that one could argue exigent circumstances with a threat to safety would permit the use of the information from the text message.

Posted : 13/09/2009 8:24 pm
seanmcl
(@seanmcl)
Senior Member

I know you guys will know better than me how this case impacts in the States, but if 1) were implemented in the UK it could mean an arrested co-conspirator's seized mobile phone that during an examination an incoming text message that could be received during examination that may be potentially important in a child abduction case would not be allowed

I'm not so sure.

First, as I noted, in this case the Appeals Court was particularly angered by the fact that the government had twice, previously, applied to the Northern District Court for, first, an overly broad subpoena and, second, a more restricted subpoena, both of which were under appeal. During the appeal process, the parties agreed that all of the data would be preserved pending the outcome of the appeal.

Without waiting for the outcome of the appeal, the government went to the Central District Court requesting a third, limited, subpoena, but it failed to inform the court of the previous subpoenas, the fact that they were under appeal, and the fact that the subjects of the subpoena had already agreed to preserve all the data pending the outcome of the appeals. They also requested that they be allowed to seize all of the records (even though they only wanted to examine ten of them), on the grounds that there was the potential for the data to be deleted, again, without telling the court that they had a prior agreement with the parties to preserve evidence.

The government, then, seized even more data than they had specified in the subpoena. Counsel for the subjects asked for an appointed special master to assist in redaction and the government refused.

Moreover, other lower courts in the same circuit had already held that search warrants on the data contained in electronic devices need to be specific as to what was recovered and limited to what was specified in the subpoena.

So this wasn't really an earthshaking decision.

As for your specific example, I'm not so sure. If the Court allowed you to seize the phone in order to search for evidence of a specific crime and you found evidence of another, unrelated crime, you would probably be excluded from using this as evidence.

But, if you are in legal possession of the phone for the purposes of looking for evidence of a crime and a call or text message comes in while you are in legal possession, indicating that another crime was or was going to be committed, that might be sufficient for probable cause.

Incoming messages would not, I believe, fall under the guidelines of what is an unreasonable search since you weren't looking for them and since, in surrendering the phone, the owner gives up a reasonable expectation of privacy for messages delivered while the phone is in the possession of another.

Posted : 13/09/2009 8:50 pm
Beetle
(@beetle)
Active Member

But, if you are in legal possession of the phone for the purposes of looking for evidence of a crime and a call or text message comes in while you are in legal possession, indicating that another crime was or was going to be committed, that might be sufficient for probable cause.

Incoming messages would not, I believe, fall under the guidelines of what is an unreasonable search since you weren't looking for them and since, in surrendering the phone, the owner gives up a reasonable expectation of privacy for messages delivered while the phone is in the possession of another.

When we have situations like this, except in exigent circumstances with a threat to safety, we apply for a new warrant in respect of the newly discovered evidence of another offence.

Posted : 13/09/2009 9:24 pm
seanmcl
(@seanmcl)
Senior Member

When we have situations like this, except in exigent circumstances with a threat to safety, we apply for a new warrant in respect of the newly discovered evidence of another offence.

I would agree. I was suggesting, though, that if a message arrived while you were conducting a legal examination of the phone, that this would fall into the plain view category and could be used as probable cause for a warrant even if it was not part of the initial warrant.

On the other hand, the opposition might try to argue that you should have examined the phone in a RF shielded setting where you would not have been able to receive the message and, therefore, that the message was the fruit of the poisoned tree.

Isn't technology fun?

Posted : 13/09/2009 10:23 pm
Patrick4n6
(@patrick4n6)
Senior Member

I would agree. I was suggesting, though, that if a message arrived while you were conducting a legal examination of the phone, that this would fall into the plain view category and could be used as probable cause for a warrant even if it was not part of the initial warrant.

On the other hand, the opposition might try to argue that you should have examined the phone in a RF shielded setting where you would not have been able to receive the message and, therefore, that the message was the fruit of the poisoned tree.

Isn't technology fun?

Depending on your jurisdiction, any message that arrives after the execution of the warrant may be considered still part of the telecommunications system, and require a specific wiretap warrant. It's the same concept as how unopened mail is different to opened mail in the real world.

This is why my old unit built a Faraday room for mobile phone examination… so that no new messages could be received whilst the phone was switched on and under examination.

Posted : 14/09/2009 1:51 am
seanmcl
(@seanmcl)
Senior Member

Depending on your jurisdiction, any message that arrives after the execution of the warrant may be considered still part of the telecommunications system, and require a specific wiretap warrant. It's the same concept as how unopened mail is different to opened mail in the real world.

Well, the operative words are "Depending on your jurisdiction". For example, in some jurisdictions, the wiretap law applies to interception of transmissions, but does not apply to the transmissions, themselves. For example, in Massachusetts, the Supreme Court decided that the wiretap laws did not apply to Instant Messages, e-mail, and text messages because the law was restricted to interception of transmissions, not of the stored message, and text messages are, presumably, stored.

In Pennsylvania, the wiretap laws have been interpreted to apply to the transmission of e-mail but not the examination of e-mail once it has been delivered.

Examining a cell text message would be more akin to examining an e-mail in that when you read it on the phone, the transmission has already occurred. Implicit in a lot of wiretap laws is that voice, radio and cell phone voice transmissions are ephemeral, i.e., they last only for the time it takes to transmit them and, therefore, there is a reasonable expectation that the conversations are private.

This does not always apply to stored messages, such as text messages, since these, by their nature, are persistent.

A similar situation exists with answering machines. Courts have ruled that persons who leave messages on answering machines have no reasonable expectation of privacy because they can't know who will hear them. Remember the case of Dean Tistadt whose wife left a message on the cellphone of a student calling him a "snotty-nosed kid" after the student called Tistadt's home asking if school would be cancelled due to a snowstorm?

He (the student) posted the conversation to YouTube and there was some brief discussion, then, about whether this violated wiretap laws but the decision was that it did not because she had the expectation that the message would be stored and no implied assurance as to who would hear it.

Posted : 14/09/2009 2:25 am
Patrick4n6
(@patrick4n6)
Senior Member

The operative word is AFTER, as in after the execution of the search warrant. A message stored on a device at the time of the warrant is certainly akin to an opened letter, but if you continue to receive messages after that, you're effectively intercepting.

It is most certainly not in plain view, because to re-do the analogy of postal mail, you are collecting the mail from the mailbox, not something that the subject has already brought into the house and opened.

Posted : 14/09/2009 3:03 am
seanmcl
(@seanmcl)
Senior Member

It is most certainly not in plain view, because to re-do the analogy of postal mail, you are collecting the mail from the mailbox, not something that the subject has already brought into the house and opened.

I disagree, though I have no case law to support or refute it and I suspect that you don't, either.

Even if a message arrives in the mail, it is in an envelope and, therefore, opening the envelope without probable cause would be a problem. But if the contents were on a postcard, where the mail deliverer could read them, they would hardly be subject to the expectation of privacy.

Actually, I disagree with this:

The operative word is AFTER, as in after the execution of the search warrant. A message stored on a device at the time of the warrant is certainly akin to an opened letter

If the search warrant only included messages related to A, you have little to support your recovery of messages related to B. However, if you are a witness to a crime being committed, or to someone who is admitting the commission of a crime, you have probable cause.

And, I'll repeat my claim that text messages may be illegal to intercept but the cellphone is a storage device, like a computer. And, as such, you could argue that you are not intercepting the message but merely reading it as though it had been delivered on a postcard. The person who sends the message has no expectation of privacy because the message is not enclosed in a protective envelope (unlike a letter).

Posted : 14/09/2009 5:21 am
 Anonymous

The [person] who sends the message has no expectation of privacy because the message is not enclosed in a protective envelope (unlike a letter).

I must respectfully disagree.

The "envelope" in text messaging is the point-to-point circuit through which the message is transmitted and received. I fully expect that any and all of my communication over wired or wireless phone systems, voice or text, are private. Sure, I know my conversations *can* be intercepted, but I expect that they are not.

In Quon v. Arch Wireless Operating Company, Inc., the Ninth U.S. Circuit Court of Appeals held that users of text-messaging services do, in fact, have a reasonable expectation of privacy as to the contents of the messages.

Posted : 14/09/2009 6:35 am
seanmcl
(@seanmcl)
Senior Member

In Quon v. Arch Wireless Operating Company, Inc., the Ninth U.S. Circuit Court of Appeals held that users of text-messaging services do, in fact, have a reasonable expectation of privacy as to the contents of the messages.

Read the opinion, carefully. The Court did not rule that e-mail and text messages were unconditionally protected under the Fourth Amendment. In fact:

Ultimately, as to the Fourth Amendment claims, the district court found that, in light of the OPD’s informal policy that the text messages would not be audited, Quon had a reasonable expectation of privacy in his messages. Quon, 445 F. Supp. 2d at 1140-43. Our unanimous panel agreed. Quon, 529 F.3d at 906 (“We agree with the district court that the Department’s informal policy that the text messages would not be audited if he paid the overages rendered Quon’s expectation of privacy in those messages reasonable.”).

And, later:

The opinion in fact adheres to O’Connor’s holding, explicitly acknowledging that “ ‘[t]he operational realities of the workplace . . . may make some employees’ expectations of privacy unreasonable,’ ” and that privacy “ ‘may be reduced by virtue of actual office practices and procedures, or by legitimate regulation,’

In fact, the appeals court ruled that the search was "reasonable at its inception" because the stated purpose was to determine whether or not the actual character limit for text pagers needed to be increased to meet the demands of work. The person ordering the search took the top two officers, by volume of pager traffic, and looked at their messages, ostensibly for the purpose of determining whether the limit should be increased. The court viewed this as reasonable. What was unreasonable was the eventual use of these messages for disciplinary action.

Read, also, the dissenting opinion, in which it is mentioned that other Circuit Courts had held different opinions as well as the Supreme Court.

Posted : 14/09/2009 6:57 pm