EPIC Analysis of Draft Guidelines on Searching and Seizing Computers
by Dave Banisar
EPIC Analysis of New Justice Department Draft Guidelines on Searching and
Seizing Computers
Dave Banisar
Electronic Privacy Information Center
The Electronic Privacy Information Center (EPIC) has obtained the
Department of Justice's recently issued draft "Federal Guidelines for
Searching and Seizing Computers." EPIC obtained the document under the
Freedom of Information Act. The guidelines provide an overview of the
law surrounding searches, seizures and uses of computer systems and
electronic information in criminal and civil cases. They discuss current
law and suggest how it may apply to situations involving computers. The
draft guidelines were developed by the Justice Department's Computer
Crime Division and an informal group of federal agencies known as the
Computer Search and Seizure Working Group.
Seizing Computers
A major portion of the document deals with the seizure of computers. The
draft recommends the use of the "independent component doctrine" to
determine if a reason can be articulated to seize each separate piece of
hardware. Prosecutors are urged to "seize only those pieces of equipment
necessary for basic input/output so that the government can successfully
execute the warrant." The guidelines reject the theory that because a
device is connected to a target computer, it should be seized, stating
that "[i]n an era of increased networking, this kind of approach can lead
to absurd results."
However, the guidelines also note that computers and accessories are
frequently incompatible or booby trapped, thus recommending that
equipment generally should be seized to ensure that it will work. They
recommend that irrelevant material should be returned quickly. "[O]nce
the analyst has examined the computer system and data and decided that
some items or information need not be kept, the government should return
this property as soon as possible." The guidelines suggest that it may
be possible to make exact copies of the information on the storage
devices and return the computers and data to the suspects if they sign
waivers stating that the copy is an exact replica of the original data.
On the issue of warrantless seizure and "no-knock warrants," the
guidelines note the ease of destroying data. If a suspect is observed
destroying data, a warrantless seizure may occur, provided that a warrant
is obtained before an actual search can proceed. For "no-knock"
warrants, the guidelines caution that more than the mere fact that the
evidence can be easily destroyed is required before such a warrant can be
issued. "These problems . . . are not, standing alone, sufficient to
justify dispensing with the knock-and-announce rule."
Searching Computers
Generally, warrants are required for searches of computers unless there
is a recognized exception to the warrant requirement. The guidelines
recommend that law enforcement agents use utility programs to conduct
limited searches for specific information, both because the law prefers
warrants that are narrowly tailored and for reasons of economy. "The
power of the computer allows analysts to design a limited search in other
ways as well . . . by specific name, words, places. . . ."
For computer systems used by more than one person, the guidelines state
that the consent of one user is enough to authorize a search of the
entire system, even if each user has a different directory. However, if
users have taken "special steps" to protect their privacy, such as using
passwords or encryption, a search warrant is necessary. The guidelines
suggest that users do not have an expectation of privacy on commercial
services and large mainframe systems because users should know that
system operators have the technical ability to read all files on such
systems. They recommend that the most prudent course is to obtain a
warrant, but suggest that in the absence of a warrant prosecutors should
argue that "reasonable users will also expect system administrators to be
able to access all data on the system." Employees may also have an
expectation of privacy in their computers that would prohibit employers
from consenting to police searches. Public employees are protected by
the Fourth Amendment and searches of their computers are prohibited
except for ""non-investigatory, work related intrusions" and
"investigatory searches for evidence of suspected work-related employee
misfeasance."
The guidelines discuss the Privacy Protection Act of 1980, which was
successfully used in the Steve Jackson Games case against federal agents.
They recommend that "before searching any BBS, agents must carefully
consider the restrictions of the PPA." Citing the Jackson case, they
leave open the question of whether BBS's by themselves are subject to the
PPA and state that "the scope of the PPA has been greatly expanded as a
practical consequence of the revolution in information technology -- a
result which was probably not envisioned by the Act's drafters." Under
several DOJ memos issued in 1993, all applications for warrants under the
Privacy Protection Act must be approved by a Deputy Assistant Attorney
General of the Criminal Division or the supervising DOJ attorney.
For computers that contain private electronic mail protected by the
Electronic Communications Privacy Act of 1986, prosecutors are advised to
inform the judge that private email may be present and avoid reading
communications not covered in the warrant. Under the ECPA, a warrant is
required for email on a public system that is stored for less than 180
days. If the mail is stored for more than 180 days, law enforcement
agents can obtain it either by using a subpoena (if they inform the
target beforehand) or by using a warrant without notice.
For computers that contain confidential information, the guidelines
recommend that forensic experts minimize their examination of irrelevant
files. It may also be possible to appoint a special master to search
systems containing privileged information.
One important section deals with issues relating to encryption and the
Fifth Amendment's protection against self-incrimination. The guidelines
caution that a grant of limited immunity may be necessary before
investigators can compel disclosure of an encryption key from a suspect.
This suggestion is significant given recent debates over the Clipper Chip
and the possibility of mandatory key escrow.
Computer Evidence
The draft guidelines also address issues relating to the use of
computerized information as evidence. The guidelines note that "this
area may become a new battleground for technical experts." They
recognize the unique problems of electronic evidence: "it can be created,
altered, stored, copied, and moved with unprecedented ease, which creates
both problems and opportunities for advocates." The guidelines discuss
scenarios where digital photographs can be easily altered without a trace
and the potential use of digital signatures to create electronic seals.
They also raise questions about the use of computer generated evidence,
such as the results of a search failing to locate an electronic tax
return in a computer system. An evaluation of the technical processes
used will be necessary: "proponents must be prepared to show that the
process is reliable."
Experts
The DOJ guidelines recommend that experts be used in all computer
seizures and searches -- "when in doubt, rely on experts." They provide
a list of experts from within government agencies, such as the Electronic
Crimes Special Agent program in the Secret Service (with 12 agents at the
time of the writing of the guidelines), the Computer Analysis and
Response Team of the FBI, and the seized recovery specialists (SERC) in
the IRS. The guidelines reveal that "[m]any companies such as IBM and
Data General employ some experts solely to assist various law enforcement
agencies on search warrants." Other potential experts include local
universities and the victims of crimes themselves, although the
guidelines caution that there may be potential problems of bias when
victims act as experts.
Obtaining a Copy of the Guidelines
EPIC, with the cooperation of the Bureau of National Affairs, is making
the guidelines available electronically. The document is available via
FTP/Gopher/WAIS/listserv from the EPIC online archive at cpsr.org
/cpsr/privacy/epic/fed_computer_siezure_guidelines.txt. A printed version
appears in the Bureau of National Affairs publication, Criminal Law
Reporter, Vol. 56, No. 12 (December 21 1994).
About EPIC
The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues relating to the National Information
Infrastructure, such as the Clipper Chip, the Digital Telephony proposal,
medical record privacy, and the sale of consumer data. EPIC is sponsored
by the Fund for Constitutional Government and Computer Professionals for
Social Responsibility. EPIC publishes the EPIC Alert and EPIC Reports,
pursues Freedom of Information Act litigation, and conducts policy
research on emerging privacy issues. For more information email
[email protected], or write EPIC, 666 Pennsylvania Ave., S.E., Suite 301,
Washington, DC 20003. +1 202 544 9240 (tel), +1 202 547 5482 (fax).
The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional rights.
Computer Professionals for Social Responsibility is a national membership
organization of people concerned about the impact of technology on
society. For information contact: [email protected].
Tax-deductible contributions to support the work of EPIC should be made
payable to the Fund for Constitutional Government.
|