Searching And Seizing Computers And Obtaining Electronic Evidence In .

H. Marshall Jarrett, Director, EOUSA
Michael W. Bailie, Director, OLE

OLE Litigation Series

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations

Computer Crime and Intellectual Property Section
Criminal Division

Ed Hagen, Assistant Director, OLE
Nathan Judish, Computer Crime and Intellectual Property Section

Published by Office of Legal Education, Executive Office for United States Attorneys

The Office of Legal Education intends that this book be used by Federal prosecutors for training and law enforcement purposes.

The contents of this book provide internal suggestions to Department of Justice attorneys. Nothing in it is intended to create any substantive or procedural rights, privileges, or benefits enforceable in any administrative, civil, or criminal matter by any prospective or actual witnesses or parties. See United States v. Caceres, 440 U.S. 741 (1979).

Table of Contents

Preface and Acknowledgements
Introduction

Chapter 1. Searching and Seizing Computers Without a Warrant
  A. Introduction
  B. The Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers
    1. General Principles
    2. Reasonable Expectation of Privacy in Computers as Storage Devices
    3. Reasonable Expectation of Privacy and Third-Party Possession
    4. Private Searches
    5. Use of Specialized Technology to Obtain Information
  C. Exceptions to the Warrant Requirement in Cases Involving Computers
    1. Consent
    2. Exigent Circumstances
    3. Search Incident to a Lawful Arrest
    4. Plain View
    5. Inventory Searches
    6. Border Searches
    7. Probation and Parole
  D. Special Case: Workplace Searches
    1. Private-Sector Workplace Searches
    2. Public-Sector Workplace Searches
  E. International Issues

Chapter 2. Searching and Seizing Computers With a Warrant
  A. Introduction
  B. Devising a Search Strategy
  C. Drafting the Affidavit, Application, and Warrant
    1. Include Facts Establishing Probable Cause
    2. Describe With Particularity the Things to be Seized
    3. Establishing the Necessity for Imaging and Off-Site Examination
    4. Do Not Place Limitations on the Forensic Techniques That May Be Used To Search
    5. Seeking Authorization for Delayed Notification Search Warrants
    6. Multiple Warrants in Network Searches
  D. Forensic Analysis
    1. The Two-Stage Search
    2. Searching Among Commingled Records
    3. Analysis Using Forensic Software
    4. Changes of Focus and the Need for New Warrants
    5. Permissible Time Period for Examining Seized Media
    6. Contents of Rule 41(f) Inventory Filed With the Court
  E. Challenges to the Search Process
    1. Challenges Based on “Flagrant Disregard”
    2. Motions for Return of Property
  F. Legal Limitations on the Use of Search Warrants to Search Computers
    1. Journalists and Authors: the Privacy Protection Act
    2. Privileged Documents
    3. Other Disinterested Third Parties
    4. Communications Service Providers: the SCA

Chapter 3. The Stored Communications Act
  A. Introduction
  B. Providers of Electronic Communication Service vs. Remote Computing Service
    1. Electronic Communication Service
    2. Remote Computing Service
  C. Classifying Types of Information Held by Service Providers
    1. Basic Subscriber and Session Information Listed in 18 U.S.C. § 2703(c)(2)
    2. Records or Other Information Pertaining to a Customer or Subscriber
    3. Contents and “Electronic Storage”
    4. Illustration of the SCA’s Classifications in the Email Context
  D. Compelled Disclosure Under the SCA
    1. Subpoena
    2. Subpoena with Prior Notice to the Subscriber or Customer
    3. Section 2703(d) Order
    4. 2703(d) Order with Prior Notice to the Subscriber or Customer
    5. Search Warrant
  E. Voluntary Disclosure
  F. Quick Reference Guide
  G. Working with Network Providers: Preservation of Evidence, Preventing Disclosure to Subjects, Cable Act Issues, and Reimbursement
    1. Preservation of Evidence under 18 U.S.C. § 2703(f)
    2. Orders Not to Disclose the Existence of a Warrant, Subpoena, or Court Order
    3. The Cable Act, 47 U.S.C. § 551
    4. Reimbursement
  H. Constitutional Considerations
  I. Remedies
    1. Suppression
    2. Civil Actions and Disclosures

Chapter 4. Electronic Surveillance in Communications Networks
  A. Introduction
  B. Content vs. Addressing Information
  C. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127
    1. Definition of Pen Register and Trap and Trace Device
    2. Pen/Trap Orders: Application, Issuance, Service, and Reporting
    3. Emergency Pen/Traps
    4. The Pen/Trap Statute and Cell-Site Information
  D. The Wiretap Statute (“Title III”), 18 U.S.C. §§ 2510-2522
    1. Introduction: The General Prohibition
    2. Key Phrases
    3. Exceptions to Title III’s Prohibition
  E. Remedies For Violations of Title III and the Pen/Trap Statute
    1. Suppression Remedies
    2. Defenses to Civil and Criminal Actions

Chapter 5. Evidence
  A. Introduction
  B. Hearsay
    1. Hearsay vs. Non-Hearsay Computer Records
    2. Confrontation Clause
  C. Authentication
    1. Authentication of Computer-Stored Records
    2. Authentication of Records Created by a Computer Process
    3. Common Challenges to Authenticity
  D. Other Issues
    1. The Best Evidence Rule
    2. Computer Printouts as “Summaries”

Appendices
  A. Sample Network Banner Language
  B. Sample 18 U.S.C. § 2703(d) Application and Order
  C. Sample Language for Preservation Requests under 18 U.S.C. § 2703(f)
  D. Sample Pen Register/Trap and Trace Application and Order
  E. Sample Subpoena Language
  F. Sample Premises Computer Search Warrant Affidavit
  G. Sample Letter for Provider Monitoring
  H. Sample Authorization for Monitoring of Computer Trespasser Activity
  I. Sample Email Account Search Warrant Affidavit
  J. Sample Consent Form for Computer Search

Table of Cases
Index

Preface and Acknowledgements

This publication (the Manual) is the third edition of “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations” and updates the previous version published in September 2002. During this seven-year period, case law related to electronic evidence has developed significantly. Of particular note has been the development of topics such as the procedures for warrants used to search and seize computers, the procedures for obtaining cell phone location information, and the procedures for the compelled disclosure of the content of electronic communications. In addition, as possession of electronic devices has become the norm, courts have had the opportunity in a large number of cases to address questions such as the application of the search incident to arrest doctrine to electronic devices.

Nathan Judish took primary responsibility for the revisions in this Manual, under the supervision of Richard Downing. Tim O’Shea and Jared Strauss took responsibility for revising Chapters 1 and 5, Josh Goldfoot for revising Chapter 2, Michelle Kane for revising Chapter 3, and Jenny Ellickson for revising Chapter 4. Scott Eltringham provided critical support to the editing and publishing of this Manual. Further assistance was provided by (in alphabetical order): Mysti Degani, Michael DuBose, Mark Eckenwiler, John Lynch, Jaikumar Ramaswamy, Betty Shave, Joe Springsteen, and Mick Stawasz. This edition continues to owe a debt to Orin S. Kerr, principal author of the 2001 edition. The editors would also like to thank the members of the CHIP working group.

This manual is intended as assistance, not authority. The research, analysis, and conclusions herein reflect current thinking on difficult and dynamic areas of the law; they do not represent the official position of the Department of Justice or any other agency. This manual has no regulatory effect, confers no rights or remedies, and does not have the force of law or a U.S. Department of Justice directive. See United States v. Caceres, 440 U.S. 741 (1979).

Electronic copies of this document are available from the Computer Crime and Intellectual Property Section’s website, www.cybercrime.gov. The electronic version will be periodically updated, and prosecutors and agents are advised to check the website’s version for the latest developments. Inquiries, comments, and corrections should be directed to Nathan Judish at (202) 514-1026. Requests for paper copies or written correspondence may be honored only when made by law enforcement officials or by public institutions. Such requests should be sent to the following address:

Attn: Search and Seizure Manual
Computer Crime and Intellectual Property Section
10th & Constitution Ave., NW
John C. Keeney Bldg., Suite 600
Washington, DC 20530

Introduction

Computers and the Internet have entered the mainstream of American life. Millions of Americans spend hours every day using computers and mobile devices to send and receive email, surf the Internet, maintain databases, and participate in countless other activities.

Unfortunately, those who commit crimes have not missed the information revolution. Criminals use mobile phones, laptop computers, and network servers in the course of committing their crimes. In some cases, computers provide the means of committing crime. For example, the Internet can be used to deliver a death threat via email; to launch hacker attacks against a vulnerable computer network, to disseminate computer viruses, or to transmit images of child pornography. In other cases, computers merely serve as convenient storage devices for evidence of crime. For example, a drug dealer might keep a list of who owes him money in a file stored in his desktop computer at home, or a money laundering operation might retain false financial records in a file on a network server. Indeed, virtually every class of crime can involve some form of digital evidence.

The dramatic increase in computer-related crime requires prosecutors and law enforcement agents to understand how to obtain electronic evidence stored in computers. Electronic records such as computer network logs, email, word processing files, and image files increasingly provide the government with important (and sometimes essential) evidence in criminal cases. The purpose of this publication is to provide Federal law enforcement agents and prosecutors with systematic guidance that can help them understand the legal issues that arise when they seek electronic evidence in criminal investigations.

The law governing electronic evidence in criminal investigations has two primary sources: the Fourth Amendment to the U.S. Constitution, and the statutory privacy laws codified at 18 U.S.C. §§ 2510-22, 18 U.S.C. §§ 2701-12, and 18 U.S.C. §§ 3121-27. Although constitutional and statutory issues overlap in some cases, most situations present either a constitutional issue under the Fourth Amendment or a statutory issue under these three statutes. This manual reflects that division: Chapters 1 and 2 address the Fourth Amendment law of search and seizure, and Chapters 3 and 4 focus on the statutory issues, which arise mostly in cases involving computer networks and the Internet.

Chapter 1 explains the restrictions that the Fourth Amendment places on the warrantless search and seizure of computers and computer data. The chapter begins by explaining how the courts apply the “reasonable expectation of privacy” test to computers, turns next to how the exceptions to the warrant requirement apply in cases involving computers, and concludes with a comprehensive discussion of the difficult Fourth Amendment issues raised by warrantless workplace searches of computers. Questions addressed in this chapter include: When does the government need a search warrant to search and seize a suspect’s computer? Can an investigator search without a warrant through a suspect’s mobile phone seized incident to arrest? Does the government need a warrant to search a government employee’s desktop computer located in the employee’s office?

Chapter 2 discusses the law that governs the search and seizure of computers pursuant to search warrants. The chapter begins by briefly addressing the different roles computers can play in criminal offenses and the goals investigators and prosecutors should keep in mind when drafting search warrants. It then addresses issues that arise in drafting search warrants, in the forensic analysis of computers seized pursuant to warrants, and in post-seizure challenges to the search process. Finally, it addresses special limitations on the use of search warrants to search computers, such as the limitations imposed by the Privacy Protection Act, 42 U.S.C. § 2000aa. Questions addressed in the chapter include: How should prosecutors draft search warrant language so that it complies with the particularity requirement of the Fourth Amendment and Rule 41 of the Federal Rules of Criminal Procedure? What are the time requirements for the review of computers seized pursuant to a search warrant? What is the law governing when the government must search and return seized computers?

The focus of Chapter 3 is the Stored Communications Act, 18 U.S.C. §§ 2701-12 (“SCA”). The SCA governs how investigators can obtain stored account records and contents from network service providers, including Internet service providers (“ISPs”), telephone companies, and cell phone service providers. SCA issues arise often in cases involving the Internet: when investigators seek stored information concerning Internet accounts from providers of Internet service, they must comply with the statute. Topics covered in this section include: How can the government obtain email and account logs from ISPs? When does the government need to obtain a search warrant, as opposed to an 18 U.S.C. § 2703(d) order or a subpoena? When can providers disclose email and records to the government voluntarily? What remedies will courts impose when the SCA has been violated?

Footnote: In previous versions of this Manual, the SCA was referred to as the Electronic Communications Privacy Act. The SCA was included as Title II of the Electronic Communications Privacy Act of 1986 (“ECPA”), but ECPA itself also included amendments to the Wiretap Act and created the Pen Register and Trap and Trace Devices statute addressed in Chapter 4. See Pub. L. No. 99-508, 100 Stat. 1848 (1986). In this Manual, “the SCA” will refer to 18 U.S.C. §§ 2701-12, and “ECPA” will refer to the 1986 statute.

Chapter 4 reviews the legal framework that governs electronic surveillance, with particular emphasis on how the statutes apply to surveillance on communications networks. In particular, the chapter discusses the Wiretap Act, 18 U.S.C. §§ 2510-22 (referred to here as “Title III”), as well as the Pen Register and Trap and Trace Devices statute, 18 U.S.C. §§ 3121-27. These statutes govern when and how the government can conduct real-time surveillance, such as monitoring a computer hacker’s activity as he breaks into a government computer network. Topics addressed in this chapter include: When can victims of computer crime monitor unauthorized intrusions into their networks and disclose that information to law enforcement? Can network “banners” generate consent to monitoring? How can the government obtain a pen register/trap and trace order that permits the government to collect packet header information from Internet communications? What remedies will courts impose when the electronic surveillance statutes have been violated?

Of course, the issues discussed in Chapters 1 through 4 can overlap in actual cases. An investigation into computer hacking may begin with obtaining stored records from an ISP according to Chapter 3, move next to an electronic surveillance phase implicating Chapter 4, and then conclude with a search of the suspect’s residence and a seizure of his computers according to Chapters 1 and 2. In other cases, agents and prosecutors must understand issues raised in multiple chapters not just in the same case, but at the same time. For example, an investigation into workplace misconduct by a government employee may implicate all of Chapters 1 through 4. Investigators may want to obtain the employee’s email from the government network server (implicating the SCA, discussed in Chapter 3); may wish to monitor the employee’s use of the telephone or Internet in real-time (raising surveillance issues from Chapter 4); and may need to search the employee’s desktop computer in his office for clues of the misconduct (raising search and seizure issues from Chapters 1 and 2). Because the constitutional and statutory regimes can overlap in certain cases, agents and prosecutors will need to understand not only all of the legal issues covered in Chapters 1 through 4, but will also need to understand the precise nature of the information to be gathered in their particular cases.

Chapters 1 through 4 are followed by Chapter 5, which discusses evidentiary issues that arise frequently in computer-related cases. Prosecutors should always be concerned with admissibility issues that may arise in court proceedings. Chapter 5 addresses both hearsay and Confrontation Clause issues associated with computer records. It then discusses authentication of computer-stored records and records created by computer processes, including common challenges to authenticity, such as claims that computer records have been tampered with. It also discusses the best evidence rule and the use of summaries containing electronic evidence. Questions addressed in this chapter include: When are computer-generated records not hearsay? How can the contents of a website be authenticated? This Manual then concludes with appendices that offer sample forms, letters, and orders.

Computer crime investigations raise many novel issues. Agents and prosecutors who need more detailed advice can rely on several resources for further assistance. At the federal district level, every United States Attorney’s Office has at least one Assistant United States Attorney who has been designated as a Computer Hacking and Intellectual Property (“CHIP”) attorney. Every CHIP attorney receives extensive training in computer crime issues and is primarily responsible for providing expertise relating to the topics covered in this manual within his or her district. CHIPs may be reached in their district offices. Further, several sections within the Criminal Division of the United States Department of Justice in Washington, D.C., have expertise in computer-related fields. The Office of International Affairs ((202) 514-0000) provides expertise in the many computer crime investigations that raise international issues. The Office of Enforcement Operations ((202) 514-6809) provides expertise in the wiretapping laws and other privacy statutes discussed in Chapters 3 and 4. Also, the Child Exploitation and Obscenity Section ((202) 514-5780) provides expertise in computer-related cases involving child pornography and child exploitation.

Finally, agents and prosecutors are always welcome to contact the Computer Crime and Intellectual Property Section (“CCIPS”) directly both for general advice and specific case-related assistance. During regular business hours, a CCIPS attorney is on duty to answer questions and provide assistance to agents and prosecutors on the topics covered in this document, as well as other matters that arise in computer crime cases. The main number for CCIPS is (202) 514-1026. After hours, CCIPS can be reached through the Justice Command Center at (202) 514-5000.

Chapter 1
Searching and Seizing Computers Without a Warrant

A. Introduction

The Fourth Amendment limits the ability of government agents to search for and seize evidence without a warrant. This chapter explains the constitutional limits of warrantless searches and seizures in cases involving computers.

The Fourth Amendment states:

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

According to the Supreme Court, a “‘seizure’ of property occurs when there is some meaningful interference with an individual’s possessory interests in that property,” United States v. Jacobsen, 466 U.S. 109, 113 (1984), and the Court has also characterized the interception of intangible communications as a seizure. See Berger v. New York, 388 U.S. 41, 59-60 (1967). Furthermore, the Court has held that a “‘search’ occurs when an expectation of privacy that society is prepared to consider reasonable is infringed.” Jacobsen, 466 U.S. at 113. If the government’s conduct does not violate a person’s “reasonable expectation of privacy,” then formally it does not constitute a Fourth Amendment “search” and no warrant is required. See Illinois v. Andreas, 463 U.S. 765, 771 (1983). In addition, a warrantless search that violates a person’s reasonable expectation of privacy will nonetheless be constitutional if it falls within an established exception to the warrant requirement. See Illinois v. Rodriguez, 497 U.S. 177, 185-86 (1990). Accordingly, investigators must consider two issues when asking whether a government search of a computer requires a warrant. First, does the search violate a reasonable expectation of privacy? And if so, is the search nonetheless permissible because it falls within an exception to the warrant requirement?

B. The Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers

1. General Principles

A search is constitutional if it does not violate a person’s “reasonable” or “legitimate” expectation of privacy. Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring). This inquiry embraces two discrete questions: first, whether the individual’s conduct reflects “an actual (subjective) expectation of privacy,” and second, whether the individual’s subjective expectation of privacy is “one that society is prepared to recognize as ‘reasonable.’” Id. at 361. In most cases, the difficulty of contesting a defendant’s subjective expectation of privacy focuses the analysis on the objective aspect of the Katz test, i.e., whether the individual’s expectation of privacy was reasonable.

No bright line rule indicates whether an expectation of privacy is constitutionally reasonable. See O’Connor v. Ortega, 480 U.S. 709, 715 (1987). For example, the Supreme Court has held that a person has a reasonable expectation of privacy in property lo
