United States v. Syphers and the Timing of Computer Search Warrants:
In United States v. Syphers, a case decided last week, the First Circuit opined on a tremendously interesting question of Fourth Amendment law: When the police execute a warrant to seize a computer, are there any temporal limits on when the government needs to analyze the computer that has been seized? Unfortunately, the court's opinion is remarkably confusing.

  The timing of computer searches is an interesting question because computer warrants usually are executed in a two-step process. First, the police go to the place to be searched and take the computer away; and second, a trained government computer forensic analyst examines the computer for the evidence the computer contains. Existing Fourth Amendment rules on the timing of searches focus entirely on the first step. That's understandable: this is the only step in most traditional searches. After the evidence has been retrieved, the search is done.

  Under the existing law that regulates only the first step, the basic rule is that the initial search has to occur in 10 days after the warrant is sighed under statutory rules such as the Federal Rule of Criminal Procedure 41. The constitutional concern driving this rule is that if the police wait for too long, the probable cause that led to the warrant may become stale. The question is, what rules govern the second step, the electronic search through the defendant's computer? At this point, the police have the seized computer in their custody. Most offices and agencies have a considerable backlog of computer forensic work, though, so they don't get to a newly seized computer for months. Is this too long? For that matter, is any period too long?

  The handful of district courts that have addressed the issue have agreed that the 10-day requirement of Rule 41 does not apply to the second step. Agents have to seize the computer in the 10 days, but they don't need to analyze it within that window. The harder question is what if anything the Fourth Amendment has to say. A few district courts have suggested that there are no rules on when the government must search a seized computer, but a few others have suggested that the Fourth Amendment requires investigators to search seized computers in a "reasonable" time.

  This issue came up at the appellate level for the first time in the Syphers case, in an opinion by Judge Patti Saris, a district judge sitting by designation. Syphers involved a state investigation in which the government applied for and obtained an order permitting the government to search the computer in a one-year window. The computer was searched five months into the one year. Judge Saris first held that Rule 41 was not applicable because this was a state investigation, not a federal investigation. Saris then turned to the Fourth Amendment question:
  The Fourth Amendment itself "contains no requirements about when the search or seizure is to occur or the duration." United States v. Gerber, 994 F.2d 1556, 1559-60 (11th Cir.1993). However, "unreasonable delay in the execution of a warrant that results in the lapse of probable cause will invalidate a warrant." United States v. Marin-Buitrago, 734 F.2d 889, 894 (2d Cir.1984). The restrictions in Rule 41 "not only ensure that probable cause continues to exist, but also that it is the neutral magistrate, not the executing officers, who determines whether probable cause continues to exist." Id. The policy behind the ten-day time limitation in Rule 41 is to prevent the execution of a stale warrant. "A delay in executing a search warrant may render stale the probable cause finding." United States v. Gibson, 123 F.3d 1121, 1124 (8th Cir.1997).
  A delay in execution of the warrant under Rule 41 does not render inadmissible evidence seized, absent a showing of prejudice to the defendants resulting from the delay. See United States v. Cafero, 473 F.2d 489, 499 (3d Cir.1973). Courts have permitted some delay in the execution of search warrants involving computers because of the complexity of the search. See, e.g., United States v. Gorrell, 360 F.Supp.2d 48, 55 n. 5 (D.D.C.2004) (ten-month delay in processing of computer and camera seized, although "lengthy," "did not take the data outside the scope of the warrant such that it needs to be suppressed"); United States v. Triumph Capital Group, Inc., 211 F.R.D. 31, 66 (D.Conn.2002) ("[C]omputer searches are not, and cannot be subject to any rigid time limit because they may involve much more information than an ordinary document search, more preparation and a greater degree of care in their execution.").
  The primary question is whether, under the policies embedded in Rule 41, the one-year extension order issued by the court because of a backlog in computer crimes investigations provided an excessive amount of time to allow for the search of a computer already in police custody pursuant to a warrant. Under the circumstances, the five-month delay did not invalidate the search of appellant's computer because there is no showing that the delay caused a lapse in probable cause, that it created prejudice to the defendant, or that federal or state officers acted in bad faith to circumvent federal requirements.
  I confess I am quite puzzled by this. If Rule 41 is inapplicable, as Judge Saris found, why is the court looking to "the policies embedded in Rule 41" to decide the case? Why is this the "primary question," and what other questions are there? For that matter, just what "policies" are "embedded" in Rule 41? The "prejudice" test is used to determine when Rule 41 violations lead to suppression; why it is being used if Rule 41 isn't implicated here? And what kind of prejudice might be relevant, given that the search occurs back at the government's lab — and that if the computer is found to contain evidence, the computer can be kept in government custody until the trial? For that matter, how can delay in the search of a seized computer cause a lapse in probable cause, given that all of the evidence is stored inside the computer?

  Can anyone make more sense of this analysis than I can? I'm not sure I understand what the Court did.

  For more on these issues, see my forthcoming article Search Warrants in an Era of Digital Evidence.
Matt Eric:
One thing that is worth noting here is that the government's interest is not in searching through the computer itself, rather the data on it. Copying all the data off a computer hard drive is not a particularly complex nor time-consuming task; private businesses do it constantly, and there are innumerable commercial tools to do it. I'm wondering whether it compromises the chain of evidence to obtain a complete, bit-identical copy of the data on the disk, then return the physical property (the computer) to the defendant. Surely if the data is what the police wish to search, they could do it at their leisure once the copy has been obtained.
10.25.2005 2:46pm

I discuss this issue at some length in my article linked to above. In Syphers, though, the warrant was obtained to seize child pornography; if the computer contained such images, it was an instrumentality of crime containing contraband and the owner had no legal right to its return.
10.25.2005 2:49pm
Visitor Again:
I think the court went on to discuss rule 41 after holding it inapplicable on the theory that if there is no rule 41 violation, there is no fourth amendment violation. Hence if the inapplicable rule 41 would not require suppression, neither does the fourth amendment.

Surely there are reported cases seeking return of seized property on the grounds the Government has held it too long where the Government argues it needs more time to test or examine the seized property? As an example, the backlog for DNA testing in some jurisdictions is a year or more. Can the Government hold a car indefinitely because it intends to get around to testing it for DNA or blood or whatever at some point? I'd be surprised if there were no such cases, particularly where valuable or unique property has been seized.
10.25.2005 3:10pm
Mary Katherine Day-Petrano (mail):
A very interesting area of law, and, being a long-time student of the Nation's disability laws, I can only imagine the added complexities if the computer seizure involved a customized (months long-training, too) of a severely disabled person's facilicated communication assisitve technology device necessary on a day-to-day basis. Or don't these law enforcement agencies subject to such laws think about such issues?
10.25.2005 3:14pm
It looks to me like the court held that while Rule 41 is not directly applicable to state searches, the policy underlying it comes in the back door through the Fourth Amendment when state-seized evidence is used in a federal prosecution:

"The products of a search conducted under the authority of a validly issued state warrant are lawfully obtained for federal prosecutorial purposes if that warrant satisfies constitutional requirements and does not contravene any Rule-embodied policy designed to protect the integrity of the federal courts or to govern the conduct of federal officers. United States v. Mitro, 880 F.2d 1480, 1485 (1st Cir. 1989) (quoting United States v. Sellers, 483 F.2d 37, 43 (5th Cir. 1973)).

My question is why, when the computer itself was seized within the 10-day window, there's any issue concerning Rule 41 policy at all. Orin, you've actually practiced in this area -- isn't it the case that DNA analysis, fiber analysis, visual examination of physical evidence, handwriting analysis, ballistics, etc., can all be completed weeks or months after collection without having to get a new warrant every 10 days? If so, why is inventory and analysis of a hard drive any different? If the concern is merely that the evidence collected not be too tenuously related to the probable cause, that concern is met when collection occurs within 10 days; the computer data is then essentially "frozen" until it is analyzed, the same as any other evidence. Why is there any need for an "extension"?
10.25.2005 3:18pm
George of the Legal Jungle (mail):
if the computer contained such images, it was an instrumentality of crime containing contraband and the owner had no legal right to its return.

So computers can be seized under the same justification as a car used to pick up a prostitute. Makes sense. Query: Does the owner have a legal right to have his files returned to him? Most of us don't care about our computers - just the stuff on them. It'd be an awfully harsh rule to hold that if someone used his computer to, say, cheat on his taxes, that he'd lose every file.
10.25.2005 3:37pm
Dick King:
Is this situation really all that new?

When police go to the target's house after getting a warrant to sieze a gun, do they have to do the ballistics test to match it against the bullets taken from the victom's body within ten days?

10.25.2005 3:41pm
Riskable (mail) (www):
What I'd like to know more than anything is what connects the machine to the person in the chain of evidence. If the machine was seized after the fact, what evidence do they have linking the files on the hard drive with the owner of the machine other than the fact that the owner sits at the machine regularly?

I'm a security professional and as we all know, viruses, spyware, adware, and rootkits (hidden software to remotely control your PC) are rampant. I regularly clean PCs of various infections and these malicious software packages leave more than just back doors and program files. I've come across machines that were distributing very illegal data (usually via spam). No child porn yet, but it is inevitable that it will be distributed in a similar manner.

I know quite a bit about real world computer forensics. What I don't know is what, exactly, an official computer forensic investigation entails. Everything that I've read leads me to believe that the examiner will duplicate the hard drive and then specifically search (using various tools) for evidence outlined in the warrant. I'm also under the impression that they can't just go "browsing around" on the hard drive in question.

If they can't fully examine the machine's data as a whole, how can they determine whether or not a back door is installed? Not only that, but even with specialized tools it can be difficult to identify and find rootkits (you know they're there based on the network traffic coming from the machine, but you can't find it on the machine itself).

In my professional opinion I cannot, beyond a reasonable doubt, link contraband files with the owner of the machine in question (on a Windows machine anyway). Not at least without loads of secondary evidence (preferably a video of the person disseminating or downloading the contraband and traffic reports showing that the data in question was retrieved or sent only at times when the owner was at the machine).

Far too often do I read news stories of people having their equipment seized based solely on the machine's IP address. An IP address does not equal an identity.
10.25.2005 4:05pm
Robert Cote (mail) (www):
The physical harware has probitive value, not just the data. Is there high-speed access? CD-Rom burning? A removable media storage mechanism? A second internal drive normally left disconnected?

That said, since the computer can be seized whay not rip out the phone lines? Why not confiscate the entire internet? Slippery slope best avoided.

Still the time limit is my biggest concern. A search warrant has a time limit. On the 11th day the suspect should be able to call up and ask; "Did you find anything?" There are only 2 answers; Yes/No. We all know that if you could actually ask such a question the answer will always be "we aren't finished." That's a "No" and needs to be treated as such. This isn't the same as "we found a gun and have booked it as evidence." They weren't looking for a computer they were looking for child porn.

Riskable makes several larger points. The fact that child porn is in your data doesn't establish anything. For that matter is it child porn until you actually view it? What about encrypted child porn? Unsolicited email child porn that automatically goes to the trash folder? Trashed but not deleted? So what if you even did delete it but the evidence is recoverable?

Another slippery slope, while searching for child porn tax fraud is found. Can the forensics team actually say they were looking for folders of JPEG photos when they reasonably opened a spreadsheet? Any claims of a search limited to the wording of the warrant deny reality.

Let's be honest here. Computers are confiscated because there is intent to punish the accused. There's no reason law enforcement couldn't run a configuration recording program and global copy routine in place in a few hours. Ask Tom Delay about the power of mere accusation.

I even see a business opportunity. Destructive boot sequences or disk burnouts after 10 days and no key or sequence. I can even see software folder encryption where the password you "volunteer" to the police not only destroys the evidence but records the time and circumstances of the unauthorized access so you can recover damages in a civil suit. [These can be device specific so when they say their copy didn't work you explain that that is to be expected. Then you say they can expect a massive lawsuit for destroying the chain of custody of your propietary data in unprotected folders. Tell them it was a low cost replacement for Windows XP and worth xx bazillion dollars.

Hopefully the reader is beginning to get the picture. The horse is out of the barn. Personally if this nightmare ever visited me I'd supoena the reference machine and prove it had spyware/viruses/security flaws and as such cannot be trusted to be the determinant of any kind of source "contamination."

Of course it will prove amusing when the nyphet in the so called child porn photos shows up to testify, grandchildren in tow and under oath claims to have been 18 and two weeks old, producing her yellowed and worn model release to prove it. Gosh, and if the defense forensics team shows how the "timeworn" 25 year old model shown posing was subject to post editing will the prosecutor raid and shut down Adobe Systems for publishing Photoshop?
10.25.2005 4:51pm
Windypundit (www):
I agree with several of the other posters that the more important issue is the seizing of the computer, when a copy of the data would do just as well. I doubt the evidence technicians ever even turn on the computer, because running the operating system would alter the contents of the hard drive.

Copying a hard drive only takes a few hours. Police could easily return the computer the next day. Given how many people run their lives and their businesses on computers these days, taking the entire computer is punitive.

The "instrumentality of crime" argument doesn't hold water for me either. I have 260,000 files on my computer. The idea that a handful of them could result in seizure of the entire computer is absurd. If a guy walks into a liquor store and robs it, do the cops seize his shoes as an instrumentality of the crime? I'm aware that they seize cars for prostitution busts and drug buys, but I think those too are strictly a form of punishment without trial.
10.25.2005 5:15pm
DM Andy (mail):
The famous (in gamer-geek circles) Steve Jackson Games v United States Secret Service (Western District of Texas, 1993) was a case where computing equipment and more importantly files vital to the wellbeing of the business were seized on 1 March 1990 and not returned until 21 June 1990. The judge in that case awarded $50,000 compensation to SJG for the economic damage that the failure to promptly return the seized items caused.
10.25.2005 7:10pm
In NY, where the police seize vehicles as an instrumentality of a crime (think pros or DWI cases), a civil forfeiture hearing must be held, within a reasonable period of time,with all due process rights preserved. This is now being extended to computers as well.
10.25.2005 8:09pm
carpundit (www):
Robert Cote's comment was confusing to me until I came to the bit about "so called child porn," (emphasis added) which explains his operating theory's hostility to law enforcement. His own potential involvement on the wrong side of such charges aside, it's important to point out why government agents don't always just take an image of the hard drive and leave. Because, Robert, it is a federal crime to possess child pornography. The Agents can't leave your copy with you, because they would be abetting your felony.

In other cases -where the digital information is mere evidence- the government will take an exact copy of the hard drive, leaving the computer in place. Why? Because it's quick, it's easy, it doesn't clutter the evidence room with excess computer parts, and it keeps sue-happy criminals from harrassing agents with baseless civil claims.

The 10-day rule's impact on computer searches is still an open question, and one the government agents would like a solid answer to. Believe me, cops don't like the uncertainty any better than defense lawyers.
10.25.2005 8:56pm
18 USC 1030 (mail):
It seems as though this has become a discussion on subjects different than that which Prof. Kerr initially suggested. It seems, IMHO, that rule 41 wasn't used to gauge legality but merely attributes of the actions taken. This is to say we will use rule 41 to describe what happened and to determine whether or not the specifics conflict with the Fourth Amendment.

As to the other issues discussed, I'd suggest reading the CCIPS Manual for digital evidence
10.26.2005 8:20pm