Federal Guidelines for Searching and Seizing Computers Tuesday, October 19, 1999 5:16 PM
[Editor's Note: We received this document from an individual who attained it through the Freedom of Information Act. Thanks to the guys at NFSG for providing us with this document.]
Agents and prosecutors who anticipate searching and seizing computers should include a computer expert in the planning team as early as possible. Experts can help immeasurably in anticipating the technical aspects of the search. This not only makes the search smoother, it is important information for designing the scope of the warrant. In particular, if agents can give the expert any information about the target's specific computer system, the expert may be better able to predict which items can be searched at the scene, which must be seized for later analysis, and which may be left behind.
Further, if the computer system is unusual or complex, technical experts can be invaluable help at the scene during the search. Particularly when evidence resides on computer networks, backup tapes, or in custom-tailored systems, the evidence will be safest in the hands of an expert.
b. Electronic Analysis
The experts will examine all the seized computer items (so long as they are properly preserved and sealed) and will recover whatever evidence they can. Most forensic computer examiners will perform at least the following: (1) make the equipment operate properly; (2) retrieve information; (3) unblock "deleted" or "erased" data storage devices; (4) bypass or defeat passwords; (5) decipher encrypted data; and (6) detect the presence of known viruses.
The data to be searched can consist of hundreds or even thousands of files and directories. In some cases, there will be evidence in most of the files seized, and in others, only a small fraction of them. Once the analyst has protected the original data from change, she must begin to search for the relevant material.
[page 69]
A good first step is to print out a directory of the information contained on a hard drive or floppy disk. Directories give valuable information about what is in the files, when they were created, and how long they are. Of course, analysts will not entirely trust file names, as hackers have been known to hide highly incriminating material in files with innocuous names and misleading dates.
Once the analyst has printed a directory, he will probably log onto the hard or floppy drive and look at each file, noting on the printed directory (or a separate log sheet if available) the type of information in each file and whether it appears relevant. Relevant files can be copied onto a separate disk or printed out in hard copy. It is a good idea always to review files from bit-stream copies (which record each separate bit of information, including hidden files) or in "read only" mode so that the reviewer can read the document but cannot edit it. This way, the agents can later testify that the seized material could not have been mistakenly altered during the review. Of course, there is more than one "right way" to analyze electronic evidence, and experts must deal with the circumstances of each case. Ultimately the analyst must adhere to sound scientific protocols in recovering and examining computer-related evidence, and keep clear and complete records of the process.
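An added example (not part of the Guidelines) of the directory listing and unaltered-review practice described above: it lists a working copy with sizes, dates and SHA-256 hashes, flags files whose leading bytes disagree with their names, and compares listings taken before and after review. The signature table, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumed, deliberately short signature table: leading bytes of a format
# and the file extensions that legitimately carry it.
SIGNATURES = {
    "zip": (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".jar"}),
    "jpeg": (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    "png": (b"\x89PNG\r\n\x1a\n", {".png"}),
    "gif": (b"GIF8", {".gif"}),
    "pdf": (b"%PDF-", {".pdf"}),
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file opened read-only, in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def detected_type(path):
    """Format named by the file's leading bytes, or None if unrecognised."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for name, (magic, _exts) in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return None


def claimed_type(path):
    """Format implied by the file name's extension, or None if not in the table."""
    ext = os.path.splitext(path)[1].lower()
    for name, (_magic, exts) in SIGNATURES.items():
        if ext in exts:
            return name
    return None


def inventory(root):
    """Directory listing of a working copy: path, size, date, hash, name check."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, so two listings compare cleanly
        for fname in sorted(filenames):
            full = os.path.join(dirpath, fname)
            st = os.stat(full)
            detected = detected_type(full)
            records.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(full),
                "detected": detected,
                # True when content and name disagree (e.g. an archive named .txt)
                "name_mismatch": detected != claimed_type(full),
            })
    return records


def changed_paths(before, after):
    """Paths added, removed, or with a different content hash between listings."""
    a = {r["path"]: r["sha256"] for r in before}
    b = {r["path"]: r["sha256"] for r in after}
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))


def build_sample(root):
    """Write constructed sample files standing in for a working copy."""
    files = {
        "letters/mom.txt": b"Dear Mom, see you in June.\n",
        "letters/recipe.txt": b"PK\x03\x04" + b"\x00" * 26,  # ZIP header, .txt name
        "pics/cat.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        build_sample(work)
        before = inventory(work)
        for rec in before:
            flag = "CHECK" if rec["name_mismatch"] else "ok"
            print(f'{flag:5} {rec["size"]:6} {rec["sha256"][:16]} {rec["path"]}')
        # Re-run after the review; an empty list supports "nothing was altered".
        print("changed during review:", changed_paths(before, inventory(work)))
```

Run against a mounted working copy rather than the original media; the same `sha256_file` call applied to the image file itself before and after analysis gives a whole-copy check.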
c. Trial Preparation
Computer forensic experts can help prosecute the case with advice about how to present computer-related evidence in court. Many are experienced expert witnesses and they can (1) help prepare the direct case; and (2) anticipate and rebut defense claims. In addition, computer experts can assist prosecutors in complying with the new federal rules pertaining to expert witnesses, Fed. R. Evid. 16(a)(1)(E) and 16(b)(1)(C), effective December 1, 1993. Under these rules, the government must provide, upon request, a written summary of expert testimony which it intends to use during its case in chief. There is a reciprocal requirement for the summary of defense expert witness testimony, as long as the defense has requested a summary from the government, and the government has complied.
[page 70]
d. Training for Field Agents
Before a computer case ever arises, experts can train agents and prosecutors about computer search problems and opportunities. They can teach investigators how to preserve and submit computer evidence for examination, and many will also provide field support as time permits.
[page 71]
V. NETWORKS AND BULLETIN BOARDS
A. INTRODUCTION
Electronic Bulletin Board Services (BBSs) are computers set up to serve in the electronic world as places where users can post and read messages--much like traditional bulletin boards. In addition, however, a BBS may also permit users to communicate via private electronic mail, to engage in "chat sessions" (real-time conversations where the "speakers" talk by using their keyboards instead of their voices), to upload and download files, and to share information on topics of common interest (e.g., a newsletter on stamp collecting). A sysop runs the bulletin board, and BBS users access it with their computers over regular telephone lines.
Some bulletin boards, known as "pirate bulletin boards," are maintained for illegal purposes such as distributing copyrighted software, credit card numbers, telephone access codes, and pornography. A BBS dedicated to phone fraud is also called a "phone phreaker board," and those which distribute child pornography and adult obscenity are called, not surprisingly, "porn boards." The illegal material on these boards is not protected by the First Amendment since such items are "fruits of crime" and "contraband" and do not convey any thought, opinion, or artistic expression. Nor can these operations claim some sort of "press protection" for publishing these items, since the Constitution does not shield the press against laws of general applicability. In short, the First Amendment is not a license to commit crimes. See Securities and Exchange Commission v. McGoff, 647 F.2d 185 (D.C. Cir.), cert. denied, 452 U.S. 963 (1981); Cf. Pell v. Procunier, 417 U.S. 817, 833-5 (1974)(the right to speak and publish does not carry an unrestrained right to gather information; a prison may restrict the press's access to its inmates in accord with the state's legitimate incarceration policy objectives).
It gets more complex, however, because many bulletin boards are not devoted solely to illegal activities, but are hybrid boards: they contain both illegal and legal material. To complicate matters further, the legitimate material on the board (or stored on the same computer which runs the board) may be statutorily protected. For example, some private electronic mail may be covered under 18 U.S.C. 2701, et seq., Stored Wire
[page 72]
and Electronic Communications. (For further discussion, see "STORED ELECTRONIC COMMUNICATIONS," infra p. 85). Even more difficult, some material may be specifically protected from search and seizure by a complex statute called the Privacy Protection Act, 42 U.S.C. 2000aa. In order to understand the scope and intricacy of this statute and how it might apply to computer searches, it helps to begin with the case which prompted it.
B. THE PRIVACY PROTECTION ACT, 42 U.S.C. 2000aa
1. A Brief History of the Privacy Protection Act
On April 9, 1971, nine police officers in California responded to Stanford University Hospital to disperse a large group of demonstrators. The demonstrators resisted, and they ultimately attacked and injured all nine officers. Two days later, on April 11, The Stanford Daily, a student newspaper, carried articles and photographs devoted to the student protest and the clash between these protestors and the police. Believing that The Stanford Daily might possess additional photographs that would identify other protestors, the police sought and obtained a search warrant to search the newspaper's offices.
A month after the search, The Stanford Daily brought a civil action alleging violations of the First, Fourth and Fourteenth Amendments. In support of their claims, the plaintiffs alleged that (1) the Fourth Amendment forbade the issuance of search warrants for evidence in the possession of those not suspected of criminal activity and (2) the First Amendment prohibited the use of search warrants against members of the press and, instead, required the use of subpoenas duces tecum. Zurcher v. Stanford Daily, 436 U.S. 547 (1978). The Supreme Court disagreed with both claims, holding that the use of a search warrant, even for the pursuit of "mere evidence," was permitted on both non-suspect third parties and members of the news media.
[page 73]
In response to Zurcher, Congress passed the Privacy Protection Act of 1980, 42 U.S.C. 2000aa (hereinafter the PPA). The purpose of this legislation, as stated in the Senate Report, is to afford "the press and certain other persons not suspected of committing a crime with protections not provided currently by the Fourth Amendment." S. Rep. No. 874, 96th Cong., 2d Sess. 4 (1980). As the legislative history indicates,
the purpose of this statute is to limit searches for materials held by persons involved in First Amendment activities who are themselves not suspected of participation in the criminal activity for which the materials are sought, and not to limit the ability of law enforcement officers to search for and seize materials held by those suspected of committing the crime under investigation.[7] Id. at 11.
The PPA protects two classes of materials--defined as "work product materials" and "documentary materials"--by restricting beyond the existing limits of the Fourth Amendment when government agents can get warrants to search for or seize them.
It is important to note that, although victims of a search which violates the PPA may not move to suppress the results, the statute does create civil remedies. Moreover, the PPA specifically precludes the government from asserting a good faith defense to civil claims, so in this respect 2000aa is a strict liability statute.
2. Work Product Materials
In general terms, the first category of protected material covers original work in the possession of anyone (including authors and publishers) who intends (from an objective view) to publish it. In construing this statute, the exact language of the definitions is important. Specifically, "work product materials" are defined in 42 U.S.C. 2000aa-7(b) as
[Footnote 7] The Department had previously promulgated regulations on issuing subpoenas directly to members of the news media or indirectly for their telephone toll records. The regulations also addressed interrogating, indicting, or arresting members of the press. See 28 C.F.R. 50.10.
[page 74]
materials, other than contraband or the fruits of a crime or things otherwise criminally possessed, or property designed or intended for use, or which is or has been used, as the means of committing a criminal offense, and--
(1) in anticipation of communicating such materials to the public, are prepared, produced, authored, or created, whether by the person in possession of the materials or by any other person;
(2) are possessed for the purposes of communicating such materials to the public; and
(3) include mental impressions, conclusions, opinions, or theories of the person who prepared, produced, authored, or created such material.
When "work product materials" are involved, Title 42, Section 2000aa(a) provides that:
Notwithstanding any other law, it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication, in or affecting interstate or foreign commerce . . . (emphasis added) [unless]
(1) there is probable cause to believe that the person possessing such materials has committed or is committing the criminal offense to which the materials relate: Provided, however, That a government officer or employee may not search for or seize such materials under the provisions of this paragraph if the offense to which the materials relate consists of the receipt, possession, communication, or withholding of such materials or the information contained therein (but such a search or seizure may be conducted under the provisions of this paragraph if the offense consists of the receipt, possession, or communication of information relating to the national defense, classified information, or restricted data under the provisions of section 793, 794, 797, or
[page 75]
798 of Title 18, or section 2274, 2275 or 2277 of this title, or section 783 of Title 50); or
(2) there is reason to believe that the immediate seizure of such materials is necessary to prevent the death of, or serious bodily injury to, a human being.
Thus, under 2000aa(a), there are three situations in which government agents may search for or seize these materials without running afoul of the statute. First, the definition itself specifically excludes contraband or the fruits or instrumentalities of a crime. 42 U.S.C. 2000aa-7(b). As the drafting Committee noted,
[T]hese kinds of evidence are so intimately related to the commission of a crime, and so often essential to securing a conviction, that they should be available for law enforcement purposes, and, therefore, must fall outside the no search rule that is applied to work product.
S. Rep. 96-874, 96th Cong., 2d Sess. 17, reprinted in 1980 U.S. Code Cong. & Admin. News 3964. In BBS cases, the most common objects of the warrant--stolen access codes, child pornography, and illegally copied software--would clearly fall within the contraband exclusion, so the PPA would not affect a warrant drawn for these materials.
In addition, as quoted above, the PPA creates two exceptions to the general prohibition against seizing "work product." One excepts situations in which life and limb are at stake. The other applies when (1) the work product is evidence of crime, and (2) the person who possesses the materials probably committed it. Even so, this evidence-of-crime exception does not apply if the particular crime "consists of the receipt, possession, communication or withholding of such material...." unless the work product was classified or restricted, and the offense is specifically listed in the PPA. 42 U.S.C. 2000aa(a)(1) and (b)(1). This general evidence-of-crime exception was intended to
codify a core principle of this section, which is to protect from search only those persons involved in First Amendment activities who are themselves not implicated in the crime under investigation, and not to shield those who participate in crime.
[page 76]
H.R. Rep. No. 1064, 96th Cong., 2d Sess. 7. To trigger the exception, however, law enforcement officials are held to a higher-than-usual requirement: they must show probable cause to believe the person who holds the evidentiary materials is a suspect of the crime--the same showing of cause required for an arrest warrant. S. Rep. No. 874, 96th Cong., 2d Sess. 11, reprinted in 1980 U.S. Code Cong. & Admin. News 3950, 3957.
It may, of course, be difficult to invoke this evidence-of-crime exception, particularly at early stages of the investigation. As the Supreme Court noted in Zurcher (and a number of commentators have reiterated since), a search warrant is often most useful early in an investigation when agents have probable cause to believe there is evidence on the premises, but are not ready to arrest any particular person. See Zurcher v. Stanford Daily, 436 U.S. at 561; Testimony of Richard J. Williams, Vice President, National District Attorney's Association, in Hearing before the Committee on the Judiciary, United States Senate, 96th Cong., 2d Sess. on S. 115, S. 1790, and S. 1816 (Mar. 28, 1980) Serial No. 96-59, at 152-3.
The receiving-stolen-property exemption--which prevents agents from using the evidence-of-crime exception when the crime is receipt, possession, communication, or withholding of the same work product materials--was included to prevent law enforcement officials from classifying work product as "stolen goods" to justify seizing it. The Committee report gave as its primary example the case of a reporter who receives an under-the-table copy of a corporate memo discussing a defective product. Knowing the report to be stolen, the reporter might be guilty of receiving or possessing stolen property and thus unprotected by the PPA.
The Committee believed that it would unduly broaden the suspect exception to use the reporter's crime of simple "possession" or "receipt" of the materials (or the similar secondary crimes of "withholding" or "communicating" the materials) as a vehicle for invoking the exception when the reporter himself had not participated in the commission of the crimes through which the materials were obtained.
H. Rep. No. 1064, 96th Cong., 2d Sess. 7 (emphasis added). In light of Congress's stated concern, perhaps this counter-exception does not apply when anything more than simple possession is involved: that is, possession is combined with the mens rea necessary to constitute some other offense (e.g.,
[page 77]
possession with intent to defraud). See 18 U.S.C. 1029(a)(3) (making it a crime to "knowingly and with intent to defraud" possess fifteen or more devices which are counterfeit or unauthorized access devices); 18 U.S.C. 1030(a)(6) (making it a crime to "knowingly and with intent to defraud" traffic in any password or similar information through which a computer may be accessed without authorization).
3. Documentary Materials
In addition to protecting work product, the PPA covers a second, larger class of items called "documentary materials." The statute defines this term in extraordinarily broad fashion--a definition which covers almost all forms of recorded information which are "... possessed by a person in connection with a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication...." 42 U.S.C. 2000aa(b) (emphasis added). Specifically, "documentary materials" encompass materials upon which information is recorded, and includes, but is not limited to, written or printed materials, photographs, motion picture films, negatives, video tapes, audio tapes, and other mechanically, magnetically or electronically recorded cards, tapes, or discs, but does not include contraband or the fruits of a crime or things otherwise criminally possessed, or property designed or intended for use, or which is or has been used as, the means of committing a criminal offense.
42 U.S.C. 2000aa-7(a).
As with "work product materials," the statute excludes from the definition of "documentary materials" any items which are contraband or the fruits or instrumentalities of a crime. 42 U.S.C. 2000aa-7(a). Further, the two exceptions to the work-product search prohibition, discussed above, also apply to searches for documentary materials: they may be searched and seized under warrant in order to (1) prevent death or serious injury; or (2) to search for evidence of crime held by a suspect of that crime. (This last exception includes all its attendant internal exemptions, examined above, relating to crimes of possession or receipt.)
[page 78]
Additionally, the PPA allows agents to get a warrant for documentary materials under two more circumstances found at 42 U.S.C. 2000aa(b):
(3) there is reason to believe that the giving of notice pursuant to a subpena duces tecum would result in the destruction, alteration, or concealment of such materials; or
(4) such materials have not been produced in response to a court order directing compliance with a subpena duces tecum, and--
(A) all appellate remedies have been exhausted; or
(B) there is reason to believe that the delay in an investigation or trial occasioned by further proceedings relating to the subpena would threaten the interests of justice.
In drawing these additional exceptions, Congress anticipated some of the factors a court might consider in determining whether relevant documentary materials could be lost to the government. These factors include whether there is (1) a close relationship (personal, family, or business) between the suspect and the person who holds the material, or (2) evidence that someone may hide, move, or destroy it. S. Rep. 96-874, 96th Cong., 2d Sess. 13, reprinted in U.S. Code Cong. & Admin. News 3950, 3959-60.
4. Computer Searches and the Privacy Protection Act
The Privacy Protection Act only applies to situations where law enforcement officers are searching or seizing (1) work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication; or (2) documentary materials possessed by a person in connection with a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication. 42 U.S.C.
[page 79]
2000aa(a) and (b). Before the computer revolution, the statute's most obvious application was to traditional publishers, such as newspaper or book publishers. The legislative history makes clear, however, that the PPA was not intended to apply solely to the traditional news media but was meant to have a more sweeping application. As then-Assistant Attorney General for the Criminal Division Phillip B. Heymann testified:
While we considered the option of a press-only bill, this format was rejected partially because of the extreme difficulties of arriving at a workable definition of the press, but more importantly because the First Amendment pursuits of others who are not members of the press establishment are equally as important and equally as susceptible to the chilling effect of governmental searches as are those of members of the news media.
H. Rep. No. 1064, 96th Cong., 2d Sess., Transcript of Statement on File, at 4.
With the widespread proliferation of personal computers, desktop publishing, and BBS services, virtually anyone with a personal computer and modem can disseminate to other members of the public (especially those who have appropriate hardware and software) a "newspaper ... or other similar form of public communication." Thus, the scope of the PPA may have been greatly expanded as a practical consequence of the revolution in information technology--a result which was probably not envisioned by the Act's drafters.
Before searching any BBS, therefore, agents must carefully consider the restrictions of the PPA, along with its exceptions. Additionally, they should include any information bearing on the applicability of this statute (and its many exceptions and sub-exceptions) in the warrant affidavit. That said, it is also important to recognize that not every sysop who possesses information necessarily has an intent to disseminate it to the public. Nor is every BBS engaged in a "similar form of public communication."
a. The Reasonable Belief Standard
When addressing work product materials, the statute, by its terms, only applies when the materials are possessed by a person "reasonably believed
[page 80]
to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication." 42 U.S.C. 2000aa(a). In non-computer contexts, the courts have concluded that it is not enough just to possess materials a professional reporter might possess. In addition, there must be some indication the person intended to disseminate them. In Lambert v. Polk County, Iowa, 723 F. Supp. 128 (S.D. Iowa 1989), for example, the plaintiff Lambert captured a fatal beating on videotape. Police investigating the incident seized the tape from Lambert and, shortly thereafter, Lambert contracted to sell the tape to a local television station. After the police refused to relinquish the tape, the television station and Lambert sued for injunctive relief claiming, among other things, a violation of 42 U.S.C. 2000aa. While the district court granted relief on other grounds, it held that neither the television station nor Lambert was likely to prevail on a 42 U.S.C. 2000aa claim. The television station was not the aggrieved party, and "there was nothing about the way Lambert presented himself [to the officers] that would have led them to reasonably believe that Lambert's purpose was to make a dissemination of the videotape to the public." Lambert, 723 F. Supp. at 132. But cf. Minneapolis Star & Tribune Co. v. United States, 713 F. Supp. 1308 (D. Minn. 1989)(plaintiffs from whom videotapes were seized at robbery scene were successful in PPA claim because agents apparently had independent knowledge that plaintiffs represented the established media).
The reasonable belief standard was also important in the district court opinion in Steve Jackson Games v. United States, 816 F. Supp. 432 (W.D. Tex. 1993), appeal filed on other grounds, (Sept. 17, 1993). To understand the scope of this opinion, it is important to put it in the context of its facts. In early 1990, the United States Secret Service began investigating potential federal computer crimes under 18 U.S.C. 1030. The Secret Service learned that a Bell South computer system had been invaded, and that the computer hackers were attempting to decrypt passwords which would allow them into computer systems belonging to the Department of Defense.
During the course of this investigation, the Secret Service received information implicating an individual who was employed by Steve Jackson Games, a Texas company that published books, magazines, box games, and related products. Steve Jackson Games used computers for a variety of business purposes, including operating an electronic bulletin board system ("BBS"). The Secret Service was informed that the suspect was one of the sysops of the Steve Jackson Games BBS, and that he could delete any documents or information in the Steve Jackson Games computers and bulletin
[page 81]
board. Even so, none of the other sysops nor the company itself was ever a suspect in the investigation.
On February 28, 1990, the Secret Service obtained a federal warrant to search the offices of Steve Jackson Games and to seize various computer materials. The warrant covered:
Computer hardware * * * and computer software * * * and written material and documents relating to the use of the computer system, documentation relating to the attacking of computers and advertising the results of computer attacks * * *, and financial documents and licensing information relative to the computer programs and equipment at [the company's offices] which constitute evidence, instrumentalities and fruits of federal crimes, including interstate transportation of stolen property (18 U.S.C. 2314) and interstate transportation of computer access information (18 U.S.C. 1030(a)(6)). This warrant is for the seizure of the above described computer and computer data and for the authorization to read information stored and contained in the above described computer and computer data.
The Secret Service executed the warrant on March 1, 1990. The agents seized two of thirteen functioning computers, and one other computer that was disassembled for repair. The Secret Service also seized a large number of floppy disks, a printer, other computer components, and computer software documentation. Steve Jackson Games immediately requested the return of the seized materials, but the agency retained most of the materials for several months before returning them. No criminal charges were brought as a result of this investigation.
In May 1991, plaintiffs (Steve Jackson Games; the company's owner and sole shareholder, Steve Jackson; and several individual users of the company's BBS) filed suit against the Secret Service and the United States, alleging violations of the Privacy Protection Act. They also claimed violations of the Stored Electronic Communications Statute, discussed in greater detail at "STORED ELECTRONIC COMMUNICATIONS," infra p. 85.
Following a bench trial, the court determined that the defendants had violated the Privacy Protection Act. The court held that the materials seized by the Secret Service (in particular, the draft of a book about to be published)
[page 82]
included "work product materials" and "documentary materials" protected by the Privacy Protection Act. The court decided that seizing these materials did not immediately violate the statute, however, because at the time of the seizure, the agents did not (in the language of the statute) "reasonably believe[]" that Steve Jackson Games "ha[d] a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication * * * ." This was true even though "only a few hours of investigation" would have revealed it. Id. at 440 n.8. However, the court held that a violation did occur on the day after the search when at least one agent learned the materials were protected by the statute and failed to return them promptly.
b. Similar Form of Public Communication
As noted above, the PPA applies only when the materials are possessed by a person reasonably believed to have a purpose to disseminate to the public "a newspaper, book, broadcast, or other similar form of public communication." 42 U.S.C. 2000aa (emphasis added). Not every BBS will satisfy this standard. For example, a BBS that supplies unauthorized access codes to a small group of phone phreakers is not disseminating information to the public, nor is it engaging in a form of public communication similar to a newspaper. (Of course, the contraband exception will probably also apply in such a case).
The exact scope of the PPA remains uncertain, and the recent opinion in Steve Jackson Games does not clarify the issue. There the court found a cognizable PPA violation arising from the Secret Service's search and prolonged seizure of the successive drafts of a book Steve Jackson was soon to publish. But, just as important, the court did not hold that seizing the Steve Jackson BBS likewise violated the statute. Instead, the court held that "[i]n any event, it is the seizure of the 'work product materials' that leads to the liability of the United States Secret Service and the United States in this case." 816 F. Supp. at 441. Indeed, one of the attorneys who represented Steve Jackson Games reached a similar conclusion:
Though the results in the SJG case were very good on balance, a couple of major BBS issues were left for better resolution on another day.... [One issue] is the finding that SJG was a