The timing of computer searches is an interesting question because computer warrants usually are executed in a two-step process. First, the police go to the place to be searched and take the computer away; and second, a trained government computer forensic analyst examines the computer for the evidence the computer contains. Existing Fourth Amendment rules on the timing of searches focus entirely on the first step. That's understandable: this is the only step in most traditional searches. After the evidence has been retrieved, the search is done.
Under the existing law that regulates only the first step, the basic rule is that the initial search has to occur within 10 days after the warrant is signed, under statutory rules such as Federal Rule of Criminal Procedure 41. The constitutional concern driving this rule is that if the police wait too long, the probable cause that led to the warrant may become stale. The question is, what rules govern the second step, the electronic search through the defendant's computer? At this point, the police have the seized computer in their custody. Most offices and agencies have a considerable backlog of computer forensic work, though, so they often don't get to a newly seized computer for months. Is this too long? For that matter, is any period too long?
The handful of district courts that have addressed the issue have agreed that the 10-day requirement of Rule 41 does not apply to the second step. Agents have to seize the computer within the 10 days, but they don't need to analyze it within that window. The harder question is what, if anything, the Fourth Amendment has to say. A few district courts have suggested that there are no rules on when the government must search a seized computer, but a few others have suggested that the Fourth Amendment requires investigators to search seized computers within a "reasonable" time.
This issue came up at the appellate level for the first time in the Syphers case, in an opinion by Judge Patti Saris, a district judge sitting by designation. Syphers involved a state investigation in which the government applied for and obtained an order permitting the government to search the computer in a one-year window. The computer was searched five months into the one year. Judge Saris first held that Rule 41 was not applicable because this was a state investigation, not a federal investigation. Saris then turned to the Fourth Amendment question:
The Fourth Amendment itself "contains no requirements about when the search or seizure is to occur or the duration." United States v. Gerber, 994 F.2d 1556, 1559-60 (11th Cir.1993). However, "unreasonable delay in the execution of a warrant that results in the lapse of probable cause will invalidate a warrant." United States v. Marin-Buitrago, 734 F.2d 889, 894 (2d Cir.1984). The restrictions in Rule 41 "not only ensure that probable cause continues to exist, but also that it is the neutral magistrate, not the executing officers, who determines whether probable cause continues to exist." Id. The policy behind the ten-day time limitation in Rule 41 is to prevent the execution of a stale warrant. "A delay in executing a search warrant may render stale the probable cause finding." United States v. Gibson, 123 F.3d 1121, 1124 (8th Cir.1997).
A delay in execution of the warrant under Rule 41 does not render inadmissible evidence seized, absent a showing of prejudice to the defendants resulting from the delay. See United States v. Cafero, 473 F.2d 489, 499 (3d Cir.1973). Courts have permitted some delay in the execution of search warrants involving computers because of the complexity of the search. See, e.g., United States v. Gorrell, 360 F.Supp.2d 48, 55 n. 5 (D.D.C.2004) (ten-month delay in processing of computer and camera seized, although "lengthy," "did not take the data outside the scope of the warrant such that it needs to be suppressed"); United States v. Triumph Capital Group, Inc., 211 F.R.D. 31, 66 (D.Conn.2002) ("[C]omputer searches are not, and cannot be subject to any rigid time limit because they may involve much more information than an ordinary document search, more preparation and a greater degree of care in their execution.").
The primary question is whether, under the policies embedded in Rule 41, the one-year extension order issued by the court because of a backlog in computer crimes investigations provided an excessive amount of time to allow for the search of a computer already in police custody pursuant to a warrant. Under the circumstances, the five-month delay did not invalidate the search of appellant's computer because there is no showing that the delay caused a lapse in probable cause, that it created prejudice to the defendant, or that federal or state officers acted in bad faith to circumvent federal requirements.
I confess I am quite puzzled by this. If Rule 41 is inapplicable, as Judge Saris found, why is the court looking to "the policies embedded in Rule 41" to decide the case? Why is this the "primary question," and what other questions are there? For that matter, just what "policies" are "embedded" in Rule 41? The "prejudice" test is used to determine when Rule 41 violations lead to suppression; why is it being used if Rule 41 isn't implicated here? And what kind of prejudice might be relevant, given that the search occurs back at the government's lab — and that if the computer is found to contain evidence, the computer can be kept in government custody until the trial? For that matter, how can delay in the search of a seized computer cause a lapse in probable cause, given that all of the evidence is stored inside the computer?
Can anyone make more sense of this analysis than I can? I'm not sure I understand what the Court did.
For more on these issues, see my forthcoming article Search Warrants in an Era of Digital Evidence.
I discuss this issue at some length in my article linked to above. In Syphers, though, the warrant was obtained to seize child pornography; if the computer contained such images, it was an instrumentality of crime containing contraband and the owner had no legal right to its return.
Surely there are reported cases seeking return of seized property on the grounds the Government has held it too long where the Government argues it needs more time to test or examine the seized property? As an example, the backlog for DNA testing in some jurisdictions is a year or more. Can the Government hold a car indefinitely because it intends to get around to testing it for DNA or blood or whatever at some point? I'd be surprised if there were no such cases, particularly where valuable or unique property has been seized.
My question is why, when the computer itself was seized within the 10-day window, there's any issue concerning Rule 41 policy at all. Orin, you've actually practiced in this area -- isn't it the case that DNA analysis, fiber analysis, visual examination of physical evidence, handwriting analysis, ballistics, etc., can all be completed weeks or months after collection without having to get a new warrant every 10 days? If so, why is inventory and analysis of a hard drive any different? If the concern is merely that the evidence collected not be too tenuously related to the probable cause, that concern is met when collection occurs within 10 days; the computer data is then essentially "frozen" until it is analyzed, the same as any other evidence. Why is there any need for an "extension"?
So computers can be seized under the same justification as a car used to pick up a prostitute. Makes sense. Query: Does the owner have a legal right to have his files returned to him? Most of us don't care about our computers - just the stuff on them. It'd be an awfully harsh rule to hold that if someone used his computer to, say, cheat on his taxes, that he'd lose every file.
When police go to the target's house after getting a warrant to seize a gun, do they have to do the ballistics test to match it against the bullets taken from the victim's body within ten days?
-dk
I'm a security professional and as we all know, viruses, spyware, adware, and rootkits (hidden software to remotely control your PC) are rampant. I regularly clean PCs of various infections and these malicious software packages leave more than just back doors and program files. I've come across machines that were distributing very illegal data (usually via spam). No child porn yet, but it is inevitable that it will be distributed in a similar manner.
I know quite a bit about real world computer forensics. What I don't know is what, exactly, an official computer forensic investigation entails. Everything that I've read leads me to believe that the examiner will duplicate the hard drive and then specifically search (using various tools) for evidence outlined in the warrant. I'm also under the impression that they can't just go "browsing around" on the hard drive in question.
If they can't fully examine the machine's data as a whole, how can they determine whether or not a back door is installed? Not only that, but even with specialized tools it can be difficult to identify and find rootkits (you know they're there based on the network traffic coming from the machine, but you can't find it on the machine itself).
In my professional opinion I cannot, beyond a reasonable doubt, link contraband files with the owner of the machine in question (on a Windows machine anyway). Not at least without loads of secondary evidence (preferably a video of the person disseminating or downloading the contraband and traffic reports showing that the data in question was retrieved or sent only at times when the owner was at the machine).
Far too often do I read news stories of people having their equipment seized based solely on the machine's IP address. An IP address does not equal an identity.
That said, since the computer can be seized, why not rip out the phone lines? Why not confiscate the entire internet? Slippery slope best avoided.
Still, the time limit is my biggest concern. A search warrant has a time limit. On the 11th day the suspect should be able to call up and ask: "Did you find anything?" There are only two answers: Yes/No. We all know that if you could actually ask such a question the answer will always be "we aren't finished." That's a "No" and needs to be treated as such. This isn't the same as "we found a gun and have booked it as evidence." They weren't looking for a computer; they were looking for child porn.
Riskable makes several larger points. The fact that child porn is in your data doesn't establish anything. For that matter, is it child porn until you actually view it? What about encrypted child porn? Unsolicited email child porn that automatically goes to the trash folder? Trashed but not deleted? So what if you even did delete it but the evidence is recoverable?
Another slippery slope: while searching for child porn, tax fraud is found. Can the forensics team actually say they were looking for folders of JPEG photos when they reasonably opened a spreadsheet? Any claims of a search limited to the wording of the warrant deny reality.
Let's be honest here. Computers are confiscated because there is intent to punish the accused. There's no reason law enforcement couldn't run a configuration recording program and global copy routine in place in a few hours. Ask Tom Delay about the power of mere accusation.
I even see a business opportunity. Destructive boot sequences or disk burnouts after 10 days and no key or sequence. I can even see software folder encryption where the password you "volunteer" to the police not only destroys the evidence but records the time and circumstances of the unauthorized access so you can recover damages in a civil suit. [These can be device specific, so when they say their copy didn't work you explain that that is to be expected. Then you say they can expect a massive lawsuit for destroying the chain of custody of your proprietary data in unprotected folders. Tell them it was a low cost replacement for Windows XP and worth xx bazillion dollars.]
Hopefully the reader is beginning to get the picture. The horse is out of the barn. Personally, if this nightmare ever visited me I'd subpoena the reference machine and prove it had spyware/viruses/security flaws and as such cannot be trusted to be the determinant of any kind of source "contamination."
Of course it will prove amusing when the nymphet in the so-called child porn photos shows up to testify, grandchildren in tow, and under oath claims to have been 18 and two weeks old, producing her yellowed and worn model release to prove it. Gosh, and if the defense forensics team shows how the "timeworn" 25 year old model shown posing was subject to post editing, will the prosecutor raid and shut down Adobe Systems for publishing Photoshop?
Copying a hard drive only takes a few hours. Police could easily return the computer the next day. Given how many people run their lives and their businesses on computers these days, taking the entire computer is punitive.
The "instrumentality of crime" argument doesn't hold water for me either. I have 260,000 files on my computer. The idea that a handful of them could result in seizure of the entire computer is absurd. If a guy walks into a liquor store and robs it, do the cops seize his shoes as an instrumentality of the crime? I'm aware that they seize cars for prostitution busts and drug buys, but I think those too are strictly a form of punishment without trial.
In other cases, where the digital information is mere evidence, the government will take an exact copy of the hard drive, leaving the computer in place. Why? Because it's quick, it's easy, it doesn't clutter the evidence room with excess computer parts, and it keeps sue-happy criminals from harassing agents with baseless civil claims.
The 10-day rule's impact on computer searches is still an open question, and one the government agents would like a solid answer to. Believe me, cops don't like the uncertainty any better than defense lawyers.
As to the other issues discussed, I'd suggest reading the CCIPS Manual for digital evidence