There was a recent case, United States v. Robert Ellsworth Crist, III, which concerned the search of Robert’s computer for evidence of Child Pornography. (See here for more detail) While there are many twists as to how the computer ended up in the hands of law enforcement, and, ultimately, Robert did confess, what most columnists and bloggers see as interesting about this ruling was that calculating HASH values was considered a search. Prosecution argued that, during the imaging and HASHing of the drive in Robert’s computer, they never “accessed the computer” and therefore did not perform a search. Of course they did! This is not notable, this is just common sense. Reading every byte of every file on a drive and performing a matching algorithm to identify files is clearly a search. To argue otherwise is simply a desperate effort to salvage a lost legal cause. However, there are many other aspects of this case that are notable: the rulings concerning the scope of a search without a warrant, based upon the private search doctrine; the disregard for proper chain of custody for Electronically Stored Information; and the Court’s technological confusion between platters and containers and the potential impact on other cases relating to information stored on hard drives.
As far as the scope of search goes, Chief Judge Kane references four Supreme Court rulings that held that it was appropriate to rely upon evidence obtained by a third party. However, the government is limited in its warrantless search to the scope of the private search, and not materially broader. In United States v. Runyan, it was further held that “the expectation of privacy in all files contained on a single computer disk is breached by a private examination of any files on the disk, but the expectation of privacy in other unmarked disks located near the privately searched disk remains intact”. What is notable here is that this ruling was based upon evidence presented in 1999. In 1999, the “containers” were floppy disks (1.44MB), CDs, and 100MB ZIP drives. If a private party discovered one contraband file in a “container” and turned the “container” over to authorities, the entire container was then subject to search without warrant, but other containers that the private party did not search were held to require a search warrant. While that makes sense with a floppy disk, how should it apply in 2008 when a USB thumb drive can be 64 Gigabytes? (Kingston Datatraveler 150) How is this to be interpreted when a single $150 SATA drive can be 1 Terabyte (1,000 Gigabytes!)? While this interpretation was considered a prevention of overzealous search in its time, it now could be used as an instrument for overreaching searches. This seems to be Judge Kane’s position, though not stated quite so succinctly, when she writes, “The Court cannot embrace the Government’s view of Jacobsen and Runyan. The Court finds that the EnCase search exceeded the scope of the private party search, and all further searches were, likewise, unreasonable under the Fourth Amendment”. Expect there to be more cases that are materially impacted by interpretations of these rulings.
A second aspect of this case that is interesting is the Chain of Custody. How long can a computer be in the hands of a third party, without following recognized forensic procedures, before the evidence is considered contaminated? How many people can sit at the keyboard, and for how long, before the evidence derived later is questioned? In this case, the computer was taken from the suspect’s apartment and placed at the curb. Another party (Hipple) came by later in the day, picked the computer up and took it to yet a third person’s house. At this friend’s house, presumably that of a computer-knowledgeable individual, they logged onto the computer to “basically just cleaned it up, get past profiles”. After this invasive interaction, Hipple brought the computer home and logged on again to, as he postured, “go through and see what [he] could delete”. He then claims to have found the contraband, “freaked out” and deleted the entire folder where the contraband was found. It was three days before Hipple finally contacted authorities to report the contraband. It was not until the responding officer entered the computer into evidence that it was treated in a forensically sound manner! So, apparently the time frame is at least three days. How long does it take for malware to take over a computer? How long does it take to copy 1600 pictures to a computer? Did the forensic investigator make a compelling argument, based on his investigation, including a timeline of events, the internet cache folder, the temporary internet files folder, the history folder, and the index.dat files, that made a case for the contraband to be undeniably the result of action taken by the computer’s owner? If not, what was done to validate that the files found were not a plant? This three-day gap in accountability should be unnerving to those of us who use computers.
Perhaps the questions asked above would have been the line of questioning had the Judge ruled differently on other aspects of admissibility (scope of search).
The final area of interest is the Court’s confusion over what constitutes a “container”. Judge Kane writes “A hard drive is not analogous to an individual disk. Rather, a hard drive is comprised of many platters, or magnetic data storage units, mounted together. Each platter as opposed to the hard drive in its entirety is analogous to a single disk as discussed in Runyan. As such, the EnCase search implicates Crist’s Fourth amendment rights”. Wow. While the Judge deserves some recognition for an attempt at technical savvy, this analogy falls quite short. Under the guise of this analogy, the geometry of the hard drive’s platters determines what is searchable and what is not. If the target is a 500GB Seagate drive with four platters and eight read/write heads, is less data to be considered within the scope of the search than if the exact same information were stored on a 500GB Samsung drive with one platter and two read/write heads? If the data is stored on a RAID array, how do you determine which platters in which drives are within the scope of the search? The judge also skips over the fact that even in the Runyan case, there were two recording surfaces for each floppy disk. Since the introduction of MS-DOS 1.1, the Microsoft operating system has used both sides of a diskette; these are distinctly two separate recording surfaces of a floppy disk, yet it appears to the computer user as a single “container”. Using the single-platter logic, in the Runyan case, they would have only been within bounds to search the side of the floppy disk that contained the file that the third party found/viewed. In this context, it appears that a logical volume should be the boundary for a container, but, with the advances in drive density, considering this as a boundary is disconcerting.
What is apparent here is that there is no clear precedent on the boundaries of a digital container, the restrictions on the scope of a warrantless search, or the requirement for strict adherence to proper digital chain of custody procedures. The courts have a huge challenge keeping pace with the changes in technology and their impact on Fourth Amendment rights. Eventually there will be precedent set by the Supreme Court; in the meantime, in Lower Courts your justice will vary. If you are in law enforcement, protect your case by obtaining search warrants when digital searches go beyond the scope of third-party information. If you are a defense attorney, hold prosecution accountable to following proper Chain of Custody procedures and respecting the boundaries of warrantless searches.