[page 83]
'publisher' for purposes of the PPA. This holding ... leaves the applicability of the PPA largely undetermined for other BBS'. Steve Jackson Games was a print publisher, and its computers were used to support the print publishing operation. What about BBS' that publish their information in electronic form only? What about BBS' that do not publish anything themselves in the traditional sense, but host public conferences? The SJG case simply does not give guidance on when a non-printing BBS qualifies as a publisher or journalistic operation for purposes of PPA protection. Rose, Steve Jackson Games Decision Stops the Insanity, Boardwatch, May 1993, at 53, 57.
c. Unique Problems: Unknown Targets and Commingled Materials
Applying the PPA to computer BBS searches is especially difficult for two reasons. First, early in an investigation, it is often impossible to tell whether the BBS sysop is involved in the crime under investigation. But unless agents have probable cause to arrest the sysop at the time of the search, the evidence-held-by-a-target exception in 42 U.S.C. 2000aa would not apply.
Second, because most computers store thousands of pages of information, targets can easily mix contraband with protected work product or documentary materials. For example, a BBS trafficking in illegally copied software (which, along with the computers used to make the copies, is subject to forfeiture) may also be publishing a newsletter on stamp collecting. If agents seized the computer (or even all the data), the seizure would necessarily include both the pirated software and the newsletter. Assuming the stamp-collectors' newsletter was completely unrelated to the criminal copyright violations and also that it qualified as a "similar form of public communication," the seizure might violate the plain wording of the PPA.
There are, as yet, no cases addressing the status of PPA-protected materials which are commingled with contraband or evidence of crime. However, in construing the Fourth Amendment, the courts have recognized that there is sometimes no practical alternative to seizing non-evidentiary items and sorting them out later. See National City Trading Corp. v. United States, 635
[page 84]
F.2d 1020 (2d Cir. 1980)(space used by a law office and by a targeted business operation was so commingled that the entire suite, really being one set of offices, was properly subject to search); United States v. Hillyard, 677 F.2d 1336, 1340 (9th Cir. 1982)("Cases may arise in which stolen goods are intermingled with and practically indistinguishable from legitimate goods. If commingling prevents on site inspection, and no practical alternative exists, the entire property may be seizable, at least temporarily."); United States v. Tropp, 725 F. Supp. 482, 487-88 (D. Wyo. 1989)("Some evidence not pertinent to the warrant was seized ... only because it had been commingled or misfiled with relevant documents. That evidence was returned.... In sum, the search warrant comported with the mandate of the Fourth Amendment and the search conducted pursuant thereto was not unreasonable."). (For a more extensive discussion of commingled materials and off-site searches, see "DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE HARDWARE TO ANOTHER LOCATION," supra p. 55.) Of course, these commingling cases involve the Fourth Amendment, not 42 U.S.C. 2000aa, and it remains to be seen whether these holdings will apply to the Privacy Protection Act.
5. Approval of Deputy Assistant Attorney General Required
On September 15, 1993, Deputy Attorney General Philip B. Heymann issued a memorandum which requires that all applications for a warrant issued under 42 U.S.C. 2000aa(a) must be authorized by the Assistant Attorney General for the Criminal Division (AAG), upon the recommendation of the U.S. Attorney or (for direct Department of Justice cases) the supervising Department of Justice attorney.
On December 9, 1993, Jo Ann Harris, the Assistant Attorney General (AAG) for the Criminal Division, delegated this authority by memorandum to the Deputy Assistant Attorneys General of the Criminal Division. There are emergency procedures for expediting the approval in cases which require it. All requests for authorization--emergency or routine--should be directed to the Chief, Legal Support Unit of the Office of Enforcement Operations in the Criminal Division (202-514-0856).
If agents or prosecutors are planning a search and seizure of electronic evidence in a case in which the PPA may apply, we urge them to contact the
[page 85]
Computer Crime Unit (202-514-1026) immediately to discuss the investigation and any new legal developments in this area.
C. STORED ELECTRONIC COMMUNICATIONS
There are special statutory rules protecting some electronic communications in electronic storage. Anyone who provides an electronic communication service or remote computing service to the public is prohibited by 18 U.S.C. 2702 from voluntarily disclosing the contents of the electronic communications it stores or maintains on the service. A "remote computing service" means the provision to the public of computer storage or processing services by means of an electronic communications system. 18 U.S.C. 2711(2).
It is not entirely clear what sorts of electronic communications services will be found to provide "public" service. Generally speaking, "public" means available to all who seek the service, even if there is some requirement, such as a fee. It is probably safe to assume that any service permitting "guest" or "visitor" access is "public." On the other hand, the term should not be read to cover business networks open only to employees for company business. If that business network is connected to the Internet (an extensive world-wide network), it may be part of a "public" system, but this does not necessarily mean that the corporate LAN (local-area network) becomes a "public" service.
There are several important exceptions to 2702's non-disclosure rule, including (1) a provision under 18 U.S.C. 2702(b)(3) allowing a person or entity to disclose the contents of a communication with the lawful consent of the originator, an addressee, or the intended recipient of such communication (or the subscriber in the case of a remote computing service), and (2) a provision under 18 U.S.C. 2702(b)(6) allowing disclosure to a law enforcement agency if the contents were inadvertently obtained and appear to pertain to the commission of a crime.
For the government to obtain access to a "stored electronic communication," it must follow the dictates of 18 U.S.C. 2703, which sets out different rules depending upon how long the particular communication has been in electronic storage. That section provides that "a governmental entity
[page 86]
may require the disclosure by a provider of electronic communication service of the contents of an electronic communication, that is in electronic storage ... for one hundred and eighty days or less, only pursuant to a warrant issued under the Federal Rules of Criminal Procedure or equivalent state warrant." 18 U.S.C. 2703(a) (emphasis added). If the information has been stored for more than 180 days, prosecutors may use either a Rule 41 search warrant (without notice to the customer or subscriber) or an administrative subpoena, grand jury subpoena, trial subpoena, or a court order pursuant to 18 U.S.C. 2703(d) (with notice to the customer or subscriber).
The two terms underlined above merit further discussion. First of all, it is important to note that not all electronically stored communications are covered by this section. The electronic communication must be transmitted on a system that affects interstate or foreign commerce, 18 U.S.C. 2510(12), and must be in electronic storage. "Electronic storage" means any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof or any backup of this communication. 18 U.S.C. 2510(17).
To understand the importance of this definition, it is critical to know how electronic mail works. Generally speaking, e-mail messages are not transmitted directly from the sender's machine to the recipient's machine; rather, the e-mail message goes from the sending machine to an e-mail server where it is stored (i.e., kept in "electronic storage"). A message is then sent from the server to the addressee indicating that a message for the addressee has been stored. The actual message remains on the server, however, until the addressee retrieves it by having a copy sent to his machine. Often, both the sender and receiver can delete the e-mail from the server.
Section 2703 protects the electronic communication while it is stored in the server in this intermediate state.8 Once a message is opened, however, its storage is no longer "temporary" nor "incidental to ... transmission," and it thus takes on the legal character of all other stored data. Therefore, the statute
[page 87]
8 When a sysop backs up the mail server to protect against system failure, all e-mails stored on the server will be copied. Thus, if the e-mail is later deleted from the server, the backup copy remains. The statute protects this copy as well. 18 U.S.C. 2510(17)(B).
does not apply to all stored communications, such as word processing files residing on a hard drive, even when these files were once transmitted via e-mail.
The other highlighted term--"require the disclosure"--seems to suggest that 2703 only applies when the government seeks to compel the service provider to produce the electronic mail, not when government agents actually seize it. With this in mind, the statute's cross-reference to Rule 41 is confusing, because Rule 41 authorizes the government to "seize" items, not to "require [their] disclosure." To speak in terms of requiring the disclosure of electronic mail, rather than of seizing it, seems to connote a process of serving subpoenas, not of executing warrants.
On the other hand, Congress may have simply assumed that most system providers would be disinterested in the "search," and that, as a practical matter, the service provider would actually retrieve and turn over to the government those files of suspect-users listed in the warrant. In mentioning Rule 41, Congress may not have been focusing on who would actually do the retrieval, but rather on what level of proof would be required before electronic communications in electronic storage could be procured for a criminal investigation. Therefore, the statute's references to warrants and Rule 41 seem designed to insure that, no matter who actually searches the system, the government will be held to a probable-cause standard--even if the system provider would have been just as willing to honor a subpoena. See H.R. Rep. No. 647, 99th Cong., 2d Sess., at 68 ("The Committee required the government to obtain a search warrant because it concluded that the contents of a message in storage were protected by the Fourth Amendment.... To the extent that the record is kept beyond [180 days] it is closer to a regular business record maintained by a third party and, therefore, deserving of a different standard of protection.").
Indeed, it is entirely reasonable to read this statute as Congress's effort to regulate primarily the duties of service providers to protect the privacy of their subscribers in regard to all third parties, including law enforcement. The statute may not have fully contemplated those cases in which the system provider (rather than the subscriber) is, or may be, implicated in the criminal investigation.
There is, unfortunately, no case law clearly addressing this issue. In a recent civil suit, the government was held liable for seizing electronic mail on
[page 88]
an electronic bulletin board service (BBS), even though the agents had a valid warrant.9 Steve Jackson Games, Inc. v. U.S. Secret Service, 816 F. Supp. 432 (W.D. Tex. 1993), appeal filed on other grounds, (Sept. 17, 1993). In that case, plaintiffs sued following a search by the Secret Service of computers and other electronic storage devices which belonged to the company. (For a more complete description of the facts of the case, see the discussion at p. 80.) One of the computers seized by the Secret Service was the computer used by Steve Jackson Games to operate its BBS. The hard disk of the BBS computer contained a number of private e-mail messages, some of which had not yet been accessed by their addressees. The district court found that the Secret Service read e-mail messages on the computer and subsequently deleted certain information and communications, either intentionally or accidentally, before returning the computer to Steve Jackson Games. Id. at 441. Here, the court held that the Secret Service "exceeded the Government's authority under the statute" by seizing and examining the contents of "all of the electronic communications stored in the [company's] bulletin board" without complying with the statute's requirements for government access. The court's opinion never addressed, however, the interplay between 2703 and Rule 41, so it sheds no light on the proper interpretation of 2703(a). In fact, the court never cited 2703(a) at all. Instead, the court discussed the requirements of 2703(d), a provision that allows the government to get a court order, upon a showing that the communication sought is relevant to a legitimate law enforcement inquiry, when the communication has been in storage more than 180 days or is held by a remote computing service. (The court did not find how long the searched communications were in storage, but did hold that Steve Jackson was a remote computing service.)
Even under this lesser standard-- 2703(a) requires a search warrant based upon probable cause--the court held that the government's search was improper, noting that the government did not advise the magistrate, by affidavit or otherwise, that the BBS contained private electronic communications between users, nor how the disclosure of the contents of those communications related to the investigation.
In most cases, of course, the electronic communications sought will be in storage 180 days or less, and, therefore, may be obtained "only pursuant to a warrant." 18 U.S.C. 2703(a)(emphasis added). When preparing a warrant to
9 Pursuant to 18 U.S.C. 2707(d), a good faith reliance on a court warrant is a complete defense to any civil action. The court summarily rejected the defense, stating that it "declines to find this defense by a preponderance of the evidence in this case." Id. at 443.
[page 89]
search a computer, investigators should specifically indicate whether there is electronic mail on the target computer. If the agents intend to read those electronic communications, the warrant should identify whose mail is to be read, and establish that those electronic communications are subject to search under Fed. R. Crim. P. 41(b) (Search and Seizure, Property Which May Be Seized With a Warrant).
[no page 90]
[page 91]
VI. DRAFTING THE WARRANT
A. DRAFTING A WARRANT TO SEIZE HARDWARE
If a computer component is contraband, an instrumentality of the offense, or evidence, the focus of the warrant should be on the computer component itself and not on the information it contains. The warrant should be as specific as possible about which computer components to seize and, consistent with other types of warrants, it should describe the item to be seized in as much detail as possible, especially if there may be two or more computers at the scene. Include, where possible, the manufacturer, model number, and any other identifying information regarding the device. (For further information, see "SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTS," APPENDIX A, p. 125.)
It may also be appropriate to seek a "no-knock" warrant in cases where knocking and announcing may cause (1) the officer or any other individual to be hurt; (2) the suspect to flee; or (3) the evidence to be destroyed. (See "Seeking Authority for a No-Knock Warrant," infra p. 100.)
In computer cases, the evidence is especially perishable, and agents should never underestimate the subjects of the investigation. They may be knowledgeable about telecommunications and may have anticipated a search. As a result, computers and memory devices on telephone speed dialers may be "booby-trapped" to erase if they are improperly entered or if the power is cut off.
[page 92]
B. DRAFTING A WARRANT TO SEIZE INFORMATION
1. Describing the Place to be Searched
Until recently, when a warrant specified where a search was to occur, the exercise was bound by physical laws: agents took objects they could carry from places they could touch. But computers create a "virtual" world where data exists "in effect or essence though not in actual fact or form." The American Heritage Dictionary, (2d ed. 1983).
Rule 41(a) failed to anticipate the creation of this "virtual" world. By its very terms, a warrant may be issued "for a search of property ... within the district." Specifically, it provides that,
Upon the request of a federal law enforcement officer or an attorney for the government, a search warrant authorized by this rule may be issued (1) by a federal magistrate, or a state court of record within the federal district, for a search of property or for a person within the district and (2) by a federal magistrate for a search of property or for a person either within or outside the district if the property or person is within the district when the warrant is sought but might move outside the district before the warrant is executed.
Fed. R. Crim. P. 41(a)(emphasis added).
In a networked environment, however, the physical location of stored information may be unknown. For example, an informant indicates that the business where he works has a duplicate set of books used to defraud the Internal Revenue Service. He has seen these books on his computer terminal in his Manhattan office. Based upon this information, agents obtain a warrant in the Southern District of New York authorizing a search for, and seizure of, these records. With the informant's help, agents access his computer workstation, bring up the incriminating documents, and copy them to a diskette.
[page 93]
Unfortunately, unbeknownst to the agents, prosecutor, or informant, the file server that held those documents was physically located in another office, building, district, state, or country.10
There are, under Rule 41, at least three variations on this problem. First, information is stored off-site, and agents know this second site is within the same district. Second, information is stored off-site, but this second site is outside the district. Third, information is stored off-site, but its location is unknown.
a. General Rule: Obtain a Second Warrant
Whenever agents know that the information is stored at a location other than the one described in the warrant, they should obtain a second warrant. In some cases, that will mean going to another federal district--nearby or across the country. If the data is located overseas, the Criminal Division's Office of International Affairs (202-514-0000) and our foreign law enforcement counterparts can assist in obtaining and executing the foreign warrant. The Computer Crime Unit (202-514-1026) can help in expediting international computer crime investigations.
b. Handling Multiple Sites within the Same District
Assuming that the server was simply in another office on the same floor, the warrant might well be broad enough to cover the search. Indeed, even with physical searches, courts have sometimes allowed a second but related search to be covered by one warrant. In United States v. Judd, 687 F. Supp. 1052, 1057-9 (N.D. Miss. 1988), aff'd 889 F.2d 1410 (5th Cir. 1989), cert. denied,
10 In this example, the storage of information in an out-of-district server was fortuitous; i.e., a product of the network architecture. In fact, hackers may deliberately store their information remotely. This allows them to recover after their personal computers fail (essentially by creating off-site backup copies). Additionally, if agents seize a hacker's personal computer, no evidence will be found, and the hacker can still copy or destroy the remotely stored data by accessing it from another computer.
[page 94]
494 U.S. 1036 (1989), the FBI executed a search warrant for records at Address #1, and learned that additional records were located at Address #2. Without obtaining a second warrant, and relying only on the first, the agents entered Address #2 and seized the additional records.
The district court framed the question like this: was the partially incorrect description in the warrant sufficient to include both business addresses, which in this case, happened to be in the same building? The court held that since Address #2 was "part" of Address #1, and since they were both used for the business pursuits of the same company, the search was proper. See also United States v. Prout, 526 F.2d 380, 388 (5th Cir.) (search of adjacent separate apartment that was omitted from the warrant was proper), cert. denied, 429 U.S. 840 (1976).
It becomes more problematic when the server is in another building, one clearly not described in the warrant. In situations where a second warrant was not obtained, there is still an argument that remotely accessing information from a computer named in the warrant does not violate Fourth Amendment law. See discussion of United States v. Rodriguez, infra.
c. Handling Multiple Sites in Different Districts
What if, unbeknownst to the agents executing the search warrant, the property seized was located in another district? Although the defense could argue that the court lacked jurisdiction to issue the warrant, the agents executing the warrant never left the district in which the warrant was issued. Moreover, in some cases, it may be difficult, if not impossible, to ascertain the physical location of a given file server and obtain the evidence any other way. In these cases, prosecutors should argue that the warrant authorized the seizure.
If agents have reason to believe the second computer may be in a different district, however, the issue should be addressed with the magistrate. While some courts may strictly construe the language of Rule 41 and require data to be retrieved only from the district where it permanently resides, other courts may follow the logic of the recent Second Circuit case United States v. Rodriguez, 968 F.2d 130 (2d Cir.), cert. denied, 113 S. Ct. 140 (1992). Although that case addressed the issue of "place" under the wiretap statute (18
[page 95]
U.S.C. 2518) and not under Rule 41, the constraints of the statute were quite similar. ("Upon such application the judge may enter an ex parte order ... approving interception ... within the territorial jurisdiction of the court in which the judge is sitting.... ")
In Rodriguez, the Second Circuit held that a wiretap occurs in two places simultaneously: the place where the tapped phone is located and the place where law enforcement overhears it. If those two places are in different jurisdictions, a judge in either one can authorize the interception. In this case, the DEA was tapping several phones in New York from its Manhattan headquarters. In addition, they tapped a phone in New Jersey by leasing a phone line from the service carrier and running it to the same New York office from which they monitored all the calls on all the lines. The court cited "sound policy reasons" for allowing one court to authorize all the taps, since all the reception and monitoring occurred in that same jurisdiction.
If the DEA can lease a phone line running from New Jersey to New York in order to consolidate its efforts, courts may also find it completely reasonable to conclude that computer network data searches, like telecommunications interceptions, can occur in more than one place.
d. Information at an Unknown Site
Unfortunately, it may be impossible to isolate the location of information. What then? Does a warrant authorizing the search and seizure of one computer automatically allow agents to search and seize any data that it has sent to other computers? If the original warrant does not allow investigators to physically enter another building and search another computer, does it permit them to "go" there electronically, using as their vehicle only the computer that they have been authorized to search? What if the other computer is physically located in another district? Finally, if the warrant does not authorize seizing the off-site data (no matter how it is obtained), are there circumstances under which it could be taken without a warrant?
If agents have reason to believe there is off-site storage but no way to identify the site, they should tell the magistrate. Of course, the standard to use in evaluating a description in the warrant is whether "the description is such
[page 96]
that the officer with a search warrant can, with reasonable effort ascertain and identify the place intended." Steele v. United States, 267 U.S. 498, 503 (1925). See also United States v. Darensbourg, 520 F.2d 985, 987 (5th Cir. 1975), quoting United States v. Sklaroff, 323 F. Supp. 296, 321 (S.D. Fla. 1971).
Drawing upon Steele, it may be prudent for the warrant to specifically include any data stored off-site in devices which the subject computer has been configured by its operator to readily access, and which have been regularly used as a component of the subject computer. This is more likely to be upheld if the government has reason to believe the suspect is using an off-site computer and has no way to determine where it is, either geographically or electronically, until the suspect's computer is examined. In such cases, the affidavit should indicate why a complete address is not available, including any attempts that have been made to get the information (e.g., informants, undercover agents, pen registers, electronic or video surveillance) on the subject computer. It will be important to show a clear relationship between the computer described in the warrant and the second computer at the different location. If the second computer is somewhere in the same district, that also holds the second data search closer to the physical terms of Rule 41.
e. Information/Devices Which Have Been Moved
What happens if the targets: (1) move computers and storage devices (disk drives, floppies, etc.) between two or more districts (e.g., a laptop computer); or (2) transmit data to off-site devices located in another district?
Under Rule 41(a)(2), a magistrate in one district can issue a warrant to be executed in another district provided the property was "within" District A when the warrant was issued. Again, this rule is relatively easy to apply when physical devices are the object of the search. But how does that rule apply to electronic data? If a suspect creates data in District A and uploads11 that data
11 "Upload" means to transfer data from a user's system to a remote computer system. Webster's, supra. Of course, only a copy is transferred, and the original remains on the user's machine. It may be significant to search for the uploaded data even if the original has been seized. For example, the user may have altered the original.
[page 97]
to a computer in District B, has he "moved" it between districts, thus authorizing a District A magistrate to issue a warrant for a search of the District B computer, even though the District B computer was never physically transported from or even located in District A?
The key to resolving these issues is understanding what agents are seizing. If they are going to seize the computer hardware in District B to get the data, they must get a warrant in District B (after all, the District B computer was never moved). If agents are simply copying data, however, it could be argued that the data uploaded from District A to District B is property that has been moved. Since the item to be seized is data and not its storage device, the "within the district" requirement is fulfilled.
2. Describing the Items to be Seized
When the evidence consists of information in a computer system, but the computer itself is not an instrumentality of the offense or otherwise seizable, the hardware is simply a storage device. First and foremost, all technical matters aside, searching the computer is conceptually similar to searching a file cabinet for papers. One important difference is that while the storage capacity of a file cabinet is limited, the storage capacity of computers continues to increase. A standard 40-megabyte hard drive contains approximately 20,000 pages of information, and 200+ megabyte drives are already quite common. Therefore, although the computer itself is no more important to an investigation than the old cabinet was, the technology may complicate enormously the process of extracting the information.
Bearing this analogy in mind, if agents have probable cause only for the documents in the computer and not for the box itself, they should draft the warrant with the same degree of specificity as for any other document or business record in a similar situation. For example, the detail used to describe a paper sales receipt (for a certain product sold on a certain date) should not be any less specific merely because the record is electronic.
As with other kinds of document cases, the breadth of a warrant's authority to search through a suspect's computer will depend on the breadth of the criminality. Where there is probable cause to believe that an enterprise
[page 98]
is pervasively illegal, the warrant will authorize the seizure of records (both paper and electronic) far more extensively than if probable cause is narrow and specific. "When there is probable cause to seize all [items], the warrant may be broad because it is unnecessary to distinguish things that may be taken from things that must be left undisturbed." United States v. Bentley, 825 F.2d 1104, 1110 (7th Cir.), cert. denied, 484 U.S. 901 (1987). But by the same token, "[w]hen the probable cause covers fewer documents in a system of files, the warrant must be more confined and tell officers how to separate documents to be seized from others." Id. at 1110. See also Application of Lafayette Academy, Inc., 610 F.2d 1 (1st Cir. 1979). There is nothing about the nature of searching for documents on a computer which changes this underlying legal analysis. Each warrant must be crafted broadly or specifically according to the extent of the probable cause, and it should focus on the content of the relevant documents rather than on the storage devices which may contain them.
The difficulties arise when, armed with a narrow and specific warrant, agents begin the search. If agents know exactly what they are looking for (a certain letter; a voucher filed on a particular date), it may be simple enough to state it in the warrant. But because computers, like file cabinets, can store thousands of pages of information, the specific letter may be much easier to describe than to find. Some may argue, with good reason, that the sheer volume of evidence makes it impractical to search on site. (For a more extensive discussion of these issues, see "DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE HARDWARE TO ANOTHER LOCATION," supra p. 55.)
Even so, the volume-of-evidence argument, by itself, may not justify seizing all the information storage devices--or even all of the information on them--when only some of it is relevant. In In Re Grand Jury Subpoena Duces Tecum Dated November 15, 1993, 846 F. Supp. 11 (S.D.N.Y. 1994), the district court applied a similar analysis to a grand jury subpoena for digital storage devices. In that case, the government had subpoenaed the central processing units, hard disks, floppy disks, and any other storage devices supplied by the target corporation ("X Corporation") to specified officers and employees of the corporation. Of course, these storage devices also contained unrelated information, including some that was quite personal: an employee's will and individual financial records and information. When "X Corporation" moved to quash the subpoena, the government acknowledged that searching the storage devices by 'key word' would identify the relevant documents for the grand jury's investigation. Even so, prosecutors continued to argue for
[page 99]
enforcement of the subpoena as written, particularly because the grand jury was also investigating the corporation for obstruction of justice. In quashing the subpoena, the judge clearly distinguished between documents or records and the computer devices which contain them.
The subpoena at issue here is not framed in terms of specified categories of information. Rather, it demands specified information storage devices.... Implicit in [an earlier case] is a determination that subpoenas properly are interpreted as seeking categories of paper documents, not categories of filing cabinets. Because it is easier in the computer age to separate relevant from irrelevant documents, [the] ontological choice between filing cabinets and paper documents has even greater force when applied to the modern analogues of these earlier methods of storing information.
Although the judge found that investigating the corporation for "obstruction and related charges indeed justifies a commensurately broader subpoena ...," he declined to modify, rather than quash, the subpoena at issue because "this Court does not have sufficient information to identify relevant documents (including directory files)...." The court's reference to directory files seems to imply that the directory would necessarily list everything in the storage device--which is, of course, not true. A directory would not display hidden, erased, or overwritten files which could still be recoverable by a computer expert. Perhaps the judge's conclusion might have been different if the government had proceeded by search warrant rather than subpoena. In any case, it is interesting to note that the court, in trying to find a balance, suggested that when a grand jury suspects "that subpoenaed documents are being withheld, a court-appointed expert could search the hard drives and floppy disks."
3. Removing Hardware to Search Off-Site: Ask the Magistrate for Explicit Permission.
Because the complexities of computer data searches may require agents to remove computers from a search scene, agents and prosecutors should anticipate this issue and, whenever it arises, ask for the magistrate's express
[page 100]
permission. Obviously, the more information they have to support this decision, the better--and the affidavit should set out all the relevant details. It will be most important to have this explicit permission in the warrant for those cases where (as in Tamura, supra p. 58) agents must seize the haystack to find the needle.
If the original warrant has not authorized this kind of seizure, but the agent discovers that the search requires it, she should return to the magistrate and amend the warrant, unless exigencies preclude it.
4. Seeking Authority for a No-Knock Warrant
a. In General
Under 18 U.S.C. 3109, an agent executing a search warrant must announce his authority for acting and the purpose of his call. See, e.g., United States v. Barrett, 725 F. Supp. 9 (D.D.C. 1989)("Police, search warrant, open up"). This knock-and-announce requirement, although statutory, has been incorporated into the Fourth Amendment, United States v. Bustamante-Gamez, 488 F.2d 4, 11-12 (9th Cir. 1973), cert. denied, 416 U.S. 970 (1974), and therefore a statutory violation may also be a constitutional one. United States v. Murrie, 534 F.2d 695, 698 (6th Cir. 1976); United States v. Valenzuela, 596 F.2d 824, 830 (9th Cir.), cert. denied, 441 U.S. 965 (1979). The knock-and-announce rule is designed to reduce the possibility of violence (the occupant of the premises may believe a burglary is occurring), reduce the risk of damage to private property (by allowing the occupant to open the door), protect the innocent (the agent may be executing the warrant at the wrong location), and symbolize the government's respect for private property.
Of course, if no one is present, there is no one to notify, and agents can search the place without waiting for its occupant. United States v. Brown, 556 F.2d 304 (5th Cir. 1977). The knock-and-announce requirement also does not apply when the door is open. United States v. Remigio, 767 F.2d 730 (10th Cir.), cert. denied, 474 U.S. 1009 (1985). It is unclear whether the rule applies to businesses, as different courts have reached different conclusions.
[page 101]
Cf. United States v. Agrusa, 541 F.2d 690 (8th Cir. 1976)(§ 3109 applies to businesses), cert. denied, 429 U.S. 1045 (1977), with United States v. Francis, 646 F.2d 251 (6th Cir.)(§ 3109 applies only to dwellings), cert. denied, 454 U.S. 1082 (1981).
After knocking and announcing, agents must give the occupants a reasonable opportunity to respond, although exigent circumstances may justify breaking in without an actual refusal. Compare United States v. Ruminer, 786 F.2d 381 (10th Cir. 1986)(break-in authorized where police waited five seconds and saw people running in house), with United States v. Sinclair, 742 F. Supp. 688, 690-1 (D.D.C. 1990)(one- to two-second delay, even with noise inside, was insufficient to warrant break-in).
Moreover, exigent circumstances may justify forcible entry without "knocking and announcing" at all. Circumstances are exigent if agents reasonably believe that giving notice to people inside could cause (1) the officer or any other individual to be hurt; (2) a suspect to flee; or (3) the evidence to be destroyed. Additionally, investigators need not knock and announce when it would be a "useless gesture" because the people inside already know their authority and purpose.
b. In Computer-Related Cases
In many computer crime cases, the primary concern will be preserving the evidence. Technically adept suspects may "hot-wire" their computers in an effort to hide evidence. Although there are many ways to do this, two more common practices involve "hot keys" and time-delay functions. A "hot key" program is designed to destroy evidence, usually by overwriting or reformatting a disk, when a certain key is pressed.12 Thus, when officers knock at the door and announce their presence, the subject of the search can hit the key that activates the program. A time-delay function is a program that monitors the keyboard to determine whether the user has pressed any key. If no key is
12 Of course, the fact that this occurs does not mean the evidence cannot be salvaged. Experts can often recover data which has been deleted or overwritten.
[page 102]
pressed within a certain period of time, such as 30 seconds, the program activates and destroys data. A target may, therefore, answer the door slowly and attempt to delay the agent's access to the machine.
These problems, which may be present in every computer crime investigation, are not, standing alone, sufficient to justify dispensing with the knock-and-announce rule. Most courts have required agents to state specifically why these premises or these people make it either dangerous or imprudent to knock and announce before a search. See United States v. Carter, 566 F.2d 1265 (5th Cir. 1978)(someone inside yelled "It's the cops" and the agent, who had a warrant to search for heroin, heard running inside), cert. denied, 436 U.S. 956 (1978); United States v. Stewart, 867 F.2d 581 (10th Cir. 1989)(collecting cases). But cf. United States v. Wysong, 528 F.2d 345 (9th Cir. 1976)(mere fact that police knew defendant was trafficking in an easily destroyable liquid narcotic created exigent circumstance that justified entry without knocking and announcing).
In short, most cases hold that agents must have some reasonable, articulable basis to dispense with the knock-and-announce requirement. Moreover, in light of the salutary purposes served by the rule, they should have very good reasons before deviating from it. In appropriate cases, however, a no-knock warrant should be obtained. In deciding whether to seek a no-knock warrant, agents should consider, among other things: (1) what offense is being investigated (is it a narcotics case where the subjects may be armed, or is it non-violent hacking?); (2) is there information indicating evidence will be destroyed (in one recent hacker case, the targets talked about destroying evidence if raided by the police); (3) the age and technical sophistication of the target; and (4) whether the target knows, or may know, he is under investigation.
[page 103]
VII. POST-SEARCH PROCEDURES
A. INTRODUCTION
As noted above, the government is permitted to search for and to seize property that is contraband, evidence, or an instrumentality of the offense. The law does not authorize the government to seize items which do not have evidentiary value, and generally agents cannot take things from a search site when their non-evidentiary nature is apparent at the time of the search.
With computer crimes, however, it is not always possible to examine and separate wheat from chaff at the search location. There may be thousands of pages of data on the system; they may be encrypted or compressed (and thus unreadable); and searching computers frequently requires expert computer skills and equipment. All these factors contribute to the impracticality of on-site processing. Accordingly, agents will often seize evidentiary materials that are mixed in with collateral items. (See "DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE HARDWARE TO ANOTHER LOCATION," supra p. 55.)
For several reasons, it is important to separate evidence (and contraband, fruits, and instrumentalities) from irrelevant items. First, as noted above, the law does not generally authorize seizing non-evidentiary property. But to the extent agents sort and return these materials after a search, the courts are less likely to require that large amounts of data be sorted at the scene. Put another way, if law enforcement authorities routinely retain boxes of property that are not evidence, the courts surely will become less sympathetic in those cases where it is, in fact, appropriate to seize entire systems and analyze them later at the lab.
A second reason to promptly sort seized evidence is that the process will help to organize the investigation. Agents and prosecutors will obviously want to focus on the evidence when preparing complaints or indictments. Getting a handle on the items that advance the case will help agents assess quickly and accurately where the case should go. As much as overbroad seizures offend the
[page 104]
law, they are just as bad for the investigation. Investigators should cull out the things that do not help the case right away to avoid endlessly sifting through unimportant materials as the investigation progresses.
Procedures for sorting, searching, and returning seized items will depend in part upon the type of evidence involved. There are, however, certain basic concepts that apply across the board. The basics include the following.
B. PROCEDURES FOR PRESERVING EVIDENCE
1. Chain of Custody
Computer evidence requires the same chain of custody procedures as other types of evidence. Of course, the custodian must strictly control access and keep accurate records to show who has examined the evidence and when. (For a further discussion of this issue, see "EVIDENCE: Chain of Custody," infra p. 119.)
2. Organization
As with other parts of the investigation, the sorting process should be as organized as possible. If there are only a few agents involved, each with discrete tasks, the job is likely to be quick and efficient. Many agents, unsure of their tasks, are more likely to misplace or overlook evidence. An organized review process, which is part of a larger, well-briefed search plan, is also easier to describe and defend in court.
[page 105]
3. Keeping Records
Agents should always document their investigative activities. This allows other agents and attorneys to keep track of complex investigations, and will help the case agent reconstruct the sorting process at a later time if necessary. A log should be kept that describes each item seized, whether it was examined, and whether it contained evidence.
When items are returned, a receipt should set out: (a) a clear description of the item, (b) the person who received it (with a signature and identification), and (c) when the item was released. It often makes sense to return all items at one time rather than to do it piecemeal. Also, it is a good idea to keep photographs of the property returned in order to avoid disputes.
4. Returning Seized Computers and Materials
Once agents have removed the computer system from the scene, an expert should examine the seized material as soon as practicable. This examination may be conducted by a trained field office agent, a special agent sent to the field office for this purpose, or by a properly-qualified private expert. Some agencies may require that the computer system be shipped to a laboratory. Each agency should establish and follow a reasonable procedure for handling computerized evidence.
Once the analyst has examined the computer system and data and decided that some items or information need not be kept, the government should return this property as soon as practicable. The courts have acknowledged an individual's property interest in seized items, and the owner of seized property can move the court for a return of property under Fed. R. Crim. P. 41(e). That remedy is available not only when the search was illegal, but also if the person simply alleges a "deprivation of property by the Government." In Re Southeastern Equipment Co. Search Warrant, 746 F. Supp. 1563 (S.D. Ga. 1990).
[page 106]
Agents and prosecutors must remember that while a computer may be analogous to a filing cabinet for the agents who search it, it is much more to most computer users. It can be a data processor, graphics designer, publisher, and telecommunications center. Courts will no doubt recognize the increasingly important role computers play in our society, and the public's extensive reliance on these computers to support the way we live and do business. As a result, law enforcement should be prepared to look carefully at the circumstances of each case and to seize computers only as needed, keeping them only as necessary.
a. Federal Rules of Criminal Procedure: Rule 41(e)
While computer-owners may be especially eager for return of their hardware, software, data, and related materials, the issue of whether to retain or return lawfully seized property before trial is not unique to computers. Rule 41(e) of the Federal Rules of Criminal Procedure sets out the standards and procedures for returning all property seized during the execution of a search warrant. The Rule, in general, provides that a party who is "aggrieved by an unlawful search and seizure or by the deprivation of property" may file a motion for the return of the property on the ground that the party is entitled "to lawful possession of the property." 13
A Rule 41(e) motion for return of property can be made either before or after indictment. However, a district court's jurisdiction over a pre-indictment motion is more limited than if the indictment has been returned. Pre-indictment remedies are equitable in nature and must only be exercised with "caution and restraint." Floyd v. United States, 860 F.2d 999, 1003 (10th Cir. 1988). The Tenth Circuit, the only Circuit to address this issue, held that two conditions must be satisfied before a district court may assume jurisdiction over a pre-indictment Rule 41(e) motion: "a movant must demonstrate that being deprived
13 Rule 41(e) does not distinguish according to how the property was used in the offense; thus, a computer used as an instrumentality of an offense (e.g., to duplicate copyrighted software or hack into other systems) is not treated differently for Rule 41 analysis from a computer used as a "storage cabinet" for documents. Of course the government's interest in seizing and keeping the computer in each case is different and, thus, from a realistic standpoint, how the computer was used in the offense is important in determining whether to retain or return it.