Searching and Seizing Computers and Obtaining Electronic Evidence Manual

From HORSE - Holistic Operational Readiness Security Evaluation.

Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations

Search and Seizure Preface and Acknowledgments

Search and Seizure Introduction

Searching and Seizing Computers Without a Warrant

The Fourth Amendment limits the ability of government agents to search for and seize evidence without a warrant. This chapter explains the constitutional limits of warrantless searches and seizures in cases involving computers.

The Fourth Amendment states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

According to the Supreme Court, a "'seizure' of property occurs when there is some meaningful interference with an individual's possessory interests in that property," United States v. Jacobsen, 466 U.S. 109, 113 (1984), and the Court has also characterized the interception of intangible communications as a seizure. See Berger v. New York, 388 U.S. 41, 59-60 (1967). Furthermore, the Court has held that a "'search' occurs when an expectation of privacy that society is prepared to consider reasonable is infringed." Jacobsen,. If the government's conduct does not violate a person's "reasonable expectation of privacy," then formally it does not constitute a Fourth Amendment "search" and no warrant is required. See Illinois v. Andreas, 463 U.S. 765, 771 (1983). In addition, a warrantless search that violates a person's reasonable expectation of privacy will nonetheless be constitutional if it falls within an established exception to the warrant requirement. See Illinois v. Rodriguez, 497 U.S. 177, 185-86 (1990). Accordingly, investigators must consider two issues when asking whether a government search of a computer requires a warrant. First, does the search violate a reasonable expectation of privacy? And if so, is the search nonetheless permissible because it falls within an exception to the warrant requirement?

Searching and Seizing Computers With a Warrant

This chapter discusses the legal and practical rules governing the use of warrants to search for and seize evidence stored in computers and electronic media. Section B discusses the strategic considerations any investigator or attorney should bear in mind before applying to the court for a warrant. Section C discusses the issues that arise in drafting a computer search warrant and affidavit. Section D addresses forensic analysis of the media. Section E discusses challenges to the search process. Finally, Section F discusses the limited circumstances in which statutes or other rules prohibit the government from using search warrants to obtain computers or electronic media. A sample computer search warrant appears in Appendix F.

The Stored Communications Act

The SCA regulates how the government can obtain stored account information from network service providers such as ISPs. Whenever agents or prosecutors seek stored email, account records, or subscriber information from a network service provider, they must comply with the SCA. The SCA's classifications are summarized in the chart that appears in Section F of this chapter.

The Stored Communications Act, 18 U.S.C. §§ 2701-2712 ("SCA"), sets forth a system of statutory privacy rights for customers and subscribers of computer network service providers.[1] There are three main substantive components to this system, which serves to protect and regulate the privacy interests of network users with respect to government, network service providers, and the world at large. First, § 2703 creates a code of criminal procedure that federal and state law enforcement officers must follow to compel disclosure of stored communications from network service providers. Second, § 2702 regulates voluntary disclosure by network service providers of customer communications and records, both to government and non-government entities. Third, § 2701 prohibits unlawful access to certain stored communications; anyone who obtains, alters, or prevents authorized access to those communications is subject to criminal penalties.

The structure of the SCA reflects a series of classifications that indicate the drafters' judgments about what kinds of information implicate greater or lesser privacy interests. For example, the drafters saw greater privacy interests in the content of stored emails than in subscriber account information. Similarly, the drafters believed that computing services available "to the public" required more strict regulation than services not available to the public. (Perhaps this judgment reflects the view that providers available to the public are not likely to have close relationships with their customers, and therefore might have less incentive to protect their customers' privacy.) To protect the array of privacy interests identified by its drafters, the SCA offers varying degrees of legal protection depending on the perceived importance of the privacy interest involved. Some information can be obtained from providers with a subpoena; other information requires a special court order; and still other information requires a search warrant. In addition, some types of legal process require notice to the subscriber, while other types do not.

Agents and prosecutors must apply the various classifications devised by the SCA's drafters to the facts of each case to figure out the proper procedure for obtaining the information sought. First, they must classify the network service provider (e.g., does the provider provide "electronic communication service," "remote computing service," or neither). Next, they must classify the information sought (e.g., is the information content "in electronic storage," content held by a remote computing service, a non-content record pertaining to a subscriber, or other information enumerated by the SCA). Third, they must consider whether they are seeking to compel disclosure or seeking to accept information disclosed voluntarily by the provider. If they seek compelled disclosure, they need to determine whether they need a search warrant, a 2703(d) court order, or a subpoena to compel the disclosure. If they are seeking to accept information voluntarily disclosed, they must determine whether the statute permits the disclosure. The chart contained in Section F of this chapter provides a useful way to apply these distinctions in practice.

The organization of this chapter will follow the SCA's various classifications. Section B explains the SCA's classification structure, which distinguishes between providers of "electronic communication service" and providers of "remote computing service." Section C explains the different kinds of information that providers can divulge, such as content "in electronic storage" and "records . . . pertaining to a subscriber." Section D explains the legal process that agents and prosecutors must follow to compel a provider to disclose information. Section E looks at the flip side of this problem and explains when providers may voluntarily disclose account information. A summary chart appears in Section F. Section G discusses important issues that may arise when agents obtain records from network providers: steps to preserve evidence, steps to prevent disclosure to subjects, Cable Act issues, and reimbursement to providers. Section H discusses the Fourth Amendment's application to stored electronic communications. Finally, Section I discusses the remedies that courts may impose following violations of the SCA.

Electronic Surveillance in Communications Networks

Criminal investigations often involve real-time electronic surveillance. In computer crime cases, agents may want to monitor a hacker as he breaks into a victim computer system or set up a "cloned" email account to monitor a suspect sending or receiving child pornography. In cases involving cellular telephones, agents may wish to obtain "cell-site" location information for a suspect's cellular telephone to determine the suspect's approximate location at the time of a call. Agents may wish to wiretap a suspect's telephone or learn whom the suspect has called. This chapter explains how the electronic surveillance statutes apply to criminal investigations involving computers and also discusses how to obtain cell-site location information for cellular phones.

Real-time electronic surveillance in federal criminal investigations is governed primarily by two statutes. The first is the federal Wiretap Act, 18 U.S.C. §§ 2510-2522, first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (and generally known as "Title III"). The second statute is the Pen Registers and Trap and Trace Devices chapter of Title 18 ("the Pen/Trap statute"), 18 U.S.C. §§ 3121-3127, first passed as part of the Electronic Communications Privacy Act of 1986. Failure to comply with these statutes may result in civil and criminal liability, and in the case of Title III, may also result in suppression of evidence.


Although the primary concern of this manual is obtaining computer records in criminal investigations, prosecutors must also bear in mind the admissibility of that evidence in court proceedings. Computer evidence can present novel challenges. A complete guide to offering computer records into evidence is beyond the scope of this manual. However, this chapter addresses some of the more important evidentiary issues arising when the government seeks to admit computer records in court, including hearsay and the foundation to establish the authenticity of computer records.

Search and Seizure Appendices

Search and Seizure Table of Cases

Search and Seizure Index