Computer Crime and Intellectual Property Section (CCIPS) |
Computer Crime and Intellectual Property Section (CCIPS) |
A. DRAFTING A WARRANT TO SEIZE HARDWARE
If a computer component is contraband, an instrumentality of the offense, or evidence, the focus of the warrant should be on the computer component itself and not on the information it contains. The warrant should be as specific as possible about which computer components to seize and, consistent with other types of warrants, it should describe the item to be seized in as much detail as possible, especially if there may be two or more computers at the scene. Include, where possible, the manufacturer, model number, and any other identifying information regarding the device. (For further information, see "SAMPLE COMPUTER LANGUAGE FOR SEARCH WARRANTS," APPENDIX A, p. 119.)
It may also be appropriate to seek a "no-knock" warrant in cases where knocking and announcing may cause (1) the officer or any other individual to be hurt; (2) the suspect to flee; or (3) the evidence to be destroyed. (See "Seeking Authority for a No-Knock Warrant," infra p. 96.)
In computer cases, the evidence is especially perishable, and agents should never underestimate the subjects of the investigation. They may be knowledgeable about telecommunications and may have anticipated a search. As a result, computers and memory devices on telephone speed dialers may be "booby-trapped" to erase if they are improperly entered or if the power is cut off.
Table of Contents - Main Guidelines
Supplement - Drafting a warrent to seize hardware
B. DRAFTING A WARRANT TO SEIZE INFORMATION
1. Describing the Place to be Searched
Until recently, when a warrant specified where a search was to occur, the exercise was bound by physical laws: agents took objects they could carry from places they could touch. But computers create a "virtual" world where data exists "in effect or essence though not in actual fact or form." The American Heritage Dictionary, (2d ed. 1983).
Rule 41(a) failed to anticipate the creation of this "virtual" world. By its very terms, a warrant may be issued "for a search of property. . .within the district." Specifically, it provides that,
Upon the request of a federal law enforcement officer or an attorney for the government, a search warrant authorized by this rule may be issued (1) by a federal magistrate, or a state court of record within the federal district, for a search of property or for a person within the district and (2) by a federal magistrate for a search of property or for a person either within or outside the district if the property or person is within the district when the warrant is sought but might move outside the district before the warrant is executed.
Fed. R. Crim. P. 41(a)(emphasis added).
In a networked environment, however, the physical location of stored information may be unknown. For example, an informant indicates that the business where he works has a duplicate set of books used to defraud the Internal Revenue Service. He has seen these books on his computer terminal in his Manhattan office. Based upon this information, agents obtain a warrant in the Southern District of New York authorizing a search for, and seizure of, these records. With the informant's help, agents access his computer workstation, bring up the incriminating documents, and copy them to a diskette. Unfortunately, unbeknownst to the agents, prosecutor, or informant, the file server that held those documents was physically located in another office, building, district, state, or country. [10]
There are, under Rule 41, at least three variations on this problem. First, information is stored off-site, and agents know this second site is within the same district. Second, information is stored off-site, but this second site is outside the district. Third, information is stored off-site, but its location is unknown.
Table of Contents - Main Guidelines
a. General Rule: Obtain a Second Warrant
Whenever agents know that the information is stored at a location other than the one described in the warrant, they should obtain a second warrant. In some cases, that will mean going to another federal district--nearby or across the country. If the data is located overseas, the Criminal Division's Office of International Affairs (202-514-0000) and our foreign law enforcement counterparts can assist in obtaining and executing the foreign warrant. The Computer Crime Unit (202-514-1026) can help in expediting international computer crime investigations.
b. Handling Multiple Sites within the Same District
Assuming that the server was simply in another office on the same floor, the warrant might well be broad enough to cover the search. Indeed, even with physical searches, courts have sometimes allowed a second but related search to be covered by one warrant. In United States v. Judd, 687 F. Supp. 1052, 1057-9 (N.D. Miss. 1988), aff'd 889 F.2d 1410 (5th Cir. 1989), cert. denied, 494 U.S. 1036 (1989), the FBI executed a search warrant for records at Address #1, and learned that additional records were located at Address #2. Without obtaining a second warrant, and relying only on the first, the agents entered Address #2 and seized the additional records.
The district court framed the question like this: was the partially incorrect description in the warrant sufficient to include both business addresses, which in this case, happened to be in the same building? The court held that since Address #2 was "part" of Address #1, and since they were both used for the business pursuits of the same company, the search was proper. See also United States v. Prout, 526 F.2d 380, 388 (5th Cir.) (search of adjacent separate apartment that was omitted from the warrant was proper), cert. denied, 429 U.S. 840 (1976).
It becomes more problematic when the server is in another building, one clearly not described in the warrant. In situations where a second warrant was not obtained, there is still an argument that remotely accessing information from a computer named in the warrant does not violate Fourth Amendment law. See discussion of United States v. Rodriguez, infra.
Table of Contents - Main Guidelines
c. Handling Multiple Sites in Different Districts
What if, unbeknownst to the agents executing the search warrant, the property seized was located in another district? Although the defense could argue that the court lacked jurisdiction to issue the warrant, the agents executing the warrant never left the district in which the warrant was issued. Moreover, in some cases, it may be difficult, if not impossible, to ascertain the physical location of a given file server and obtain the evidence any other way. In these cases, prosecutors should argue that the warrant authorized the seizure.
If agents have reason to believe the second computer may be in a different district, however, the issue should be addressed with the magistrate. While some courts may strictly construe the language of Rule 41 and require data to be retrieved only from the district where it permanently resides, other courts may follow the logic of the recent Second Circuit case United States v. Rodriguez, 968 F.2d 130 (2d Cir.), cert. denied, 113 S. Ct. 140 (1992). Although that case addressed the issue of "place" under the wiretap statute (18 U.S.C. § 2518) and not under Rule 41, the constraints of the statute were quite similar. ("Upon such application the judge may enter an ex parte order. . . approving interception. . .within the territorial juris-diction of the court in which the judge is sitting. . . . ")
In Rodriguez, the Second Circuit held that a wiretap occurs in two places simultaneously: the place where the tapped phone is located and the place where law enforcement overhears it. If those two places are in different jurisdictions, a judge in either one can authorize the interception. In this case, the DEA was tapping several phones in New York from its Manhattan headquarters. In addition, they tapped a phone in New Jersey by leasing a phone line from the service carrier and running it to the same New York office from which they monitored all the calls on all the lines. The court cited "sound policy reasons" for allowing one court to authorize all the taps, since all the reception and monitoring occurred in that same jurisdiction.
If the DEA can lease a phone line running from New Jersey to New York in order to consolidate its efforts, courts may also find it completely reasonable to conclude that computer network data searches, like telecommunications interceptions, can occur in more than one place.
Table of Contents - Main Guidelines
d. Information at an Unknown Site
Unfortunately, it may be impossible to isolate the location of information. What then? Does a warrant authorizing the search and seizure of one computer automatically allow agents to search and seize any data that it has sent to other computers? If the original warrant does not allow investigators to physically enter another building and search another computer, does it permit them to "go" there electronically, using as their vehicle only the computer that they have been authorized to search? What if the other computer is physically located in another district? Finally, if the warrant does not authorize seizing the off-site data (no matter how it is obtained), are there circumstances under which it could be taken without a warrant?
If agents have reason to believe there is off-site storage but no way to identify the site, they should tell the magistrate. Of course, the standard to use in evaluating a description in the warrant is whether "the description is such that the officer with a search warrant can, with reasonable effort ascertain and identify the place intended." Steele v. United States, 267 U.S. 498, 503 (1925). See also United States v. Darensbourg, 520 F.2d 985, 987 (5th Cir. 1975), quoting United States v. Sklaroff, 323 F. Supp. 296, 321 (S.D. Fla. 1971).
Drawing upon Steele, it may be prudent for the warrant to specifically include any data stored off-site in devices which the subject computer has been configured by its operator to readily access, and which have been regularly used as a component of the subject computer. This is more likely to be upheld if the government has reason to believe the suspect is using an off-site computer and has no way to determine where it is, either geographically or electronically, until the suspect's computer is examined. In such cases, the affidavit should indicate why a complete address is not available, including any attempts that have been made to get the information (e.g., informants, undercover agents, pen registers, electronic or video surveillance) on the subject computer. It will be important to show a clear relationship between the computer described in the warrant and the second computer at the different location. If the second computer is somewhere in the same district, that also holds the second data search closer to the physical terms of Rule 41.
Table of Contents - Main Guidelines
e. Information/Devices Which Have Been Moved
What happens if the targets: (1) move computers and storage devices (disk drives, floppies, etc.) between two or more districts (e.g., a laptop computer); or (2) transmit data to off-site devices located in another district?
Under Rule 41(a)(2), a magistrate in one district can issue a warrant to be executed in another district provided the property was "within" District A when the warrant was issued. Again, this rule is relatively easy to apply when physical devices are the object of the search. But how does that rule apply to electronic data? If a suspect creates data in District A and uploads [11] that data to a computer in District B, has he "moved" it between districts, thus authorizing a District A magistrate to issue a warrant for a search of the District B computer, even though the District B computer was never physically transported from or even located in District A?
The key to resolving these issues is understanding what agents are seizing. If they are going to seize the computer hardware in District B to get the data, they must get a warrant in District B (after all, the District B computer was never moved). If agents are simply copying data, however, it could be argued that the data uploaded from District A to District B is property that has been moved. Since the item to be seized is data and not its storage device, the "within the district" requirement is fulfilled.
Table of Contents - Main Guidelines
2. Describing the Items to be Seized
When the evidence consists of information in a computer system, but the computer itself is not an instrumentality of the offense or otherwise seizable, the hardware is simply a storage device. First and foremost, all technical matters aside, searching the computer is conceptually similar to searching a file cabinet for papers. One important difference is that while the storage capacity of a file cabinet is limited, the storage capacity of computers continues to increase. A standard 40-megabyte hard drive contains approximately 20,000 pages of information, and 200+ megabyte drives are already quite common. Therefore, although the computer itself is no more important to an investigation than the old cabinet was, the technology may complicate enormously the process of extracting the information.
Bearing this analogy in mind, if agents have probable cause only for the documents in the computer and not for the box itself, they should draft the warrant with the same degree of specificity as for any other document or business record in a similar situation. For example, the detail used to describe a paper sales receipt (for a certain product sold on a certain date) should not be any less specific merely because the record is electronic.
As with other kinds of document cases, the breadth of a warrant's authority to search through a suspect's computer will depend on the breadth of the criminality. Where there is probable cause to believe that an enterprise is pervasively illegal, the warrant will authorize the seizure of records (both paper and electronic) far more extensively than if probable cause is narrow and specific. "When there is probable cause to seize all [items], the warrant may be broad because it is unnecessary to distinguish things that may be taken from things that must be left undisturbed." United States v. Bentley, 825 F.2d 1104, 1110 (7th Cir.), cert. denied, 484 U.S. 901 (1987). But by the same token, "[w]hen the probable cause covers fewer documents in a system of files, the warrant must be more confined and tell officers how to separate documents to be seized from others." Id. at 1110. See also Application of Lafayette Academy, Inc., 610 F.2d 1 (1st Cir. 1979). There is nothing about the nature of searching for documents on a computer which changes this underlying legal analysis. Each warrant must be crafted broadly or specifically according to the extent of the probable cause, and it should focus on the content of the relevant documents rather than on the storage devices which may contain them.
The difficulties arise when, armed with a narrow and specific warrant, agents begin the search. If agents know exactly what they are looking for (a certain letter; a voucher filed on a particular date), it may be simple enough to state it in the warrant. But because computers, like file cabinets, can store thousands of pages of information, the specific letter may be much easier to describe than to find. Some may argue, with good reason, that the sheer volume of evidence makes it impractical to search on site. (For a more extensive discussion of these issues, see "DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE HARDWARE TO ANOTHER LOCATION," supra p. 53.)
Even so, the volume-of-evidence argument, by itself, may not justify seizing all the information storage devices --or even all of the information on them--when only some of it is relevant. In In Re Grand Jury Subpoena Duces Tecum Dated November 15, 1993, 846 F. Supp. 11 (S.D.N.Y. 1994), the district court applied a similar analysis to a grand jury subpoena for digital storage devices. In that case, the government had subpoenaed the central processing units, hard disks, floppy disks, and any other storage devices supplied by the target corporation ("X Corporation") to specified officers and employees of the corporation. Of course, these storage devices also contained unrelated information, including some that was quite personal: an employee's will and individual financial records and information. When "X Corporation" moved to quash the subpoena, the government acknowledged that searching the storage devices by 'key word' would identify the relevant documents for the grand jury's investigation. Even so, prosecutors continued to argue for enforcement of the subpoena as written, particularly because the grand jury was also investigating the corporation for obstruction of justice. In quashing the subpoena, the judge clearly distinguished between documents or records and the computer devices which contain them.
The subpoena at issue here is not framed in terms of specified categories of information. Rather, it demands specified information storage devices . . . . Implicit in [an earlier case] is a determination that subpoenas properly are interpreted as seeking categories of paper documents, not categories of filing cabinets. Because it is easier in the computer age to separate relevant from irrelevant documents, [the] ontological choice between filing cabinets and paper documents has even greater force when applied to the modern analogues of these earlier methods of storing information.
Although the judge found that investigating the corporation for "obstruction and related charges indeed justifies a commensurately broader subpoena. . .," he declined to modify, rather than quash, the subpoena at issue because "this Court does not have sufficient information to identify relevant documents (including directory files) . . . ." The court's reference to directory files seems to imply that the directory would necessarily list everything in the storage device--which is, of course, not true. A directory would not display hidden, erased, or overwritten files which could still be recoverable by a computer expert. Perhaps the judge's conclusion might have been different if the government had proceeded by search warrant rather than subpoena. In any case, it is interesting to note that the court, in trying to find a balance, suggested that when a grand jury suspects "that subpoenaed documents are being withheld, a court-appointed expert could search the hard drives and floppy disks."
Table of Contents - Main Guidelines
3. Removing Hardware to Search Off-Site: Ask the Magistrate for Explicit Permission.
Because the complexities of computer data searches may require agents to remove computers from a search scene, agents and prosecutors should anticipate this issue and, whenever it arises, ask for the magistrate's express permission. Obviously, the more information they have to support this decision, the better--and the affidavit should set out all the relevant details. It will be most important to have this explicit permission in the warrant for those cases where (as in Tamura, supra p. 56) agents must seize the haystack to find the needle.
If the original warrant has not authorized this kind of seizure, but the agent discovers that the search requires it, she should return to the magistrate and amend the warrant, unless exigencies preclude it.
Table of Contents - Main Guidelines
4. Seeking Authority for a No-Knock Warrant
a. In General
Under 18 U.S.C. § 3109, an agent executing a search warrant must announce his authority for acting and the purpose of his call. See, e.g., United States v. Barrett, 725 F. Supp. 9 (D.D.C. 1989)("Police, search warrant, open up"). This knock-and-announce requirement, although statutory, has been incorporated into the Fourth Amendment, United States v. Bustamante-Gamez, 488 F.2d 4, 11-12 (9th Cir. 1973), cert. denied, 416 U.S. 970 (1974), and therefore a statutory violation may also be a constitutional one. United States v. Murrie, 534 F.2d 695, 698 (6th Cir. 1976); United States v. Valenzuela, 596 F.2d 824, 830 (9th Cir.), cert. denied, 441 U.S. 965 (1979). The knock-and-announce rule is designed to reduce the possibility of violence (the occupant of the premises may believe a burglary is occurring), reduce the risk of damage to private property (by allowing the occupant to open the door), protect the innocent (the agent may be executing the warrant at the wrong location), and symbolize the government's respect for private property.
Of course, if no one is present, there is no one to notify, and agents can search the place without waiting for its occupant. United States v. Brown, 556 F.2d 304 (5th Cir. 1977). The knock-and-announce requirement also does not apply when the door is open. United States v. Remigio, 767 F.2d 730 (10th Cir.), cert. denied, 474 U.S. 1009 (1985). It is unclear whether the rule applies to businesses, as different courts have reached different conclusions. Cf. United States v. Agrusa, 541 F.2d 690 (8th Cir. 1976)(§ 3109 applies to businesses), cert. denied, 429 U.S. 1045 (1977), with United States v. Francis, 646 F.2d 251 (6th Cir.)(§ 3109 applies only to dwellings), cert. denied, 454 U.S. 1082 (1981).
After knocking and announcing, agents must give the occupants a reasonable opportunity to respond, although exigent circumstances may justify breaking in without an actual refusal. Compare United States v. Ruminer, 786 F.2d 381 (10th Cir. 1986)(break-in authorized where police waited five seconds and saw people running in house), with United States v. Sinclair, 742 F. Supp. 688, 690-1 (D.D.C. 1990)(one- to two-second delay, even with noise inside, was insufficient to warrant break-in).
Moreover, exigent circumstances may justify forcible entry without "knocking and announcing" at all. Circumstances are exigent if agents reasonably believe that giving notice to people inside could cause (1) the officer or any other individual to be hurt; (2) a suspect to flee; or (3) the evidence to be destroyed. Additionally, investigators need not knock and announce when it would be a "useless gesture" because the people inside already know their authority and purpose.
Table of Contents - Main Guidelines
b. In Computer-Related Cases
In many computer crime cases, the primary concern will be preserving the evidence. Technically adept suspects may "hot-wire" their computers in an effort to hide evidence. Although there are many ways to do this, two more common practices involve "hot keys" and time-delay functions. A "hot key" program is designed to destroy evidence, usually by overwriting or reformatting a disk, when a certain key is pressed. [12] Thus, when officers knock at the door and announce their presence, the subject of the search can hit the key that activates the program. A time-delay function is a program that monitors the keyboard to determine whether the user has pressed any key. If no key is pressed within a certain period of time, such as 30 seconds, the program activates and destroys data. A target may, therefore, answer the door slowly and attempt to delay the agent's access to the machine.
These problems, which may be present in every computer crime investigation, are not, standing alone, sufficient to justify dispensing with the knock-and-announce rule. Most courts have required agents to state specifically why these premises or these people make it either dangerous or imprudent to knock and announce before a search. See United States v. Carter, 566 F.2d 1265 (5th Cir. 1978)(someone inside yelled "It's the cops" and the agent, who had a warrant to search for heroin, heard running inside), cert. denied, 436 U.S. 956 (1978); United States v. Stewart, 867 F.2d 581 (10th Cir. 1989)(collecting cases). But cf. United States v. Wysong, 528 F.2d 345 (9th Cir. 1976)(mere fact that police knew defendant was trafficking in an easily destroyable liquid narcotic created exigent circumstance that justified entry without knocking and announcing).
In short, most cases hold that agents must have some reasonable, articulable basis to dispense with the knock-and-announce requirement. Moreover, in light of the salutary purposes served by the rule, they should have very good reasons before deviating from it. In appropriate cases, however, a no-knock warrant should be obtained. In deciding whether to seek a no-knock warrant, agents should consider, among other things: (1) what offense is being investigated (is it a narcotics case where the subjects may be armed, or is it non-violent hacking?); (2) is there information indicating evidence will be destroyed (in one recent hacker case, the targets talked about destroying evidence if raided by the police); (3) the age and technical sophistication of the target; and (4) whether the target knows, or may know, he is under investigation.
Go to . . . Table of Contents - Main Guidelines
----- footnotes ------
[10] In this example, the storage of information in an out-of-district server was fortuitous; i.e., a product of the network architecture. In fact, hackers may deliberately store their information remotely. This allows them to recover after their personal computers fail (essentially by creating off-site backup copies). Additionally, if agents seize a hacker's personal computer, no evidence will be found, and the hacker can still copy or destroy the remotely stored data by accessing it from another computer. [Back]
[11] "Upload" means to transfer data from a user's system to a remote computer system. Webster's, supra. Of course, only a copy is transferred, and the original remains on the user's machine. It may be significant to search for the uploaded data even if the original has been seized. For example, the user may have altered the original. [Back]
[12] Of course, the fact that this occurs does not mean the evidence cannot be salvaged. Experts can often recover data which has been deleted or overwritten. [Back]