Computer Crime and Intellectual Property Section (CCIPS)
Table of Contents - Main Guidelines

VII. POST-SEARCH PROCEDURES

A. INTRODUCTION

As noted above, the government is permitted to search for and to seize property that is contraband, evidence, or an instrumentality of the offense. The law does not authorize the government to seize items which do not have evidentiary value, and generally agents cannot take things from a search site when their non-evidentiary nature is apparent at the time of the search.

With computer crimes, however, it is not always possible to examine and separate wheat from chaff at the search location. There may be thousands of pages of data on the system; they may be encrypted or compressed (and thus unreadable); and searching computers frequently requires expert computer skills and equipment. All these factors contribute to the impracticality of on-site processing. Accordingly, agents will often seize evidentiary materials that are mixed in with collateral items. (See "DECIDING WHETHER TO CONDUCT THE SEARCH ON-SITE OR TO REMOVE HARDWARE TO ANOTHER LOCATION," supra p. 53.)

For several reasons, it is important to separate evidence (and contraband, fruits, and instrumentalities) from irrelevant items. First, as noted above, the law does not generally authorize seizing non-evidentiary property. But to the extent agents sort and return these materials after a search, the courts are less likely to require that large amounts of data be sorted at the scene. Put another way, if law enforcement authorities routinely retain boxes of property that are not evidence, the courts surely will become less sympathetic in those cases where it is, in fact, appropriate to seize entire systems and analyze them later at the lab.

A second reason to promptly sort seized evidence is that the process will help to organize the investigation. Agents and prosecutors will obviously want to focus on the evidence when preparing complaints or indictments. Getting a handle on the items that advance the case will help agents assess quickly and accurately where the case should go. As much as overbroad seizures offend the law, they are just as bad for the investigation. Investigators should cull out the things that do not help the case right away to avoid endlessly sifting through unimportant materials as the investigation progresses.

Procedures for sorting, searching, and returning seized items will depend in part upon the type of evidence involved. There are, however, certain basic concepts that apply across the board. The basics include the following.

B. PROCEDURES FOR PRESERVING EVIDENCE

1. Chain of Custody

Computer evidence requires the same chain of custody procedures as other types of evidence. Of course, the custodian must strictly control access and keep accurate records to show who has examined the evidence and when. (For a further discussion of this issue, see "EVIDENCE: Chain of Custody," infra p. 114.)

2. Organization

As with other parts of the investigation, the sorting process should be as organized as possible. If there are only a few agents involved, each with discrete tasks, the job is likely to be quick and efficient. Many agents, unsure of their tasks, are more likely to misplace or overlook evidence. An organized review process, which is part of a larger, well-briefed search plan, is also easier to describe and defend in court.

3. Keeping Records

Agents should always document their investigative activities. This allows other agents and attorneys to keep track of complex investigations, and will help the case agent reconstruct the sorting process at a later time if necessary. A log should be kept that describes each item seized, whether it was examined, and whether it contained evidence.

When items are returned, a receipt should set out: (a) a clear description of the item, (b) the person who received it (with a signature and identification), and (c) when the item was released. It often makes sense to return all items at one time rather than to do it piecemeal. Also, it is a good idea to keep photographs of the property returned in order to avoid disputes.

4. Returning Seized Computers and Materials

Once agents have removed the computer system from the scene, an expert should examine the seized material as soon as practicable. This examination may be conducted by a trained field office agent, a special agent sent to the field office for this purpose, or by a properly-qualified private expert. Some agencies may require that the computer system be shipped to a laboratory. Each agency should establish and follow a reasonable procedure for handling computerized evidence.

Once the analyst has examined the computer system and data and decided that some items or information need not be kept, the government should return this property as soon as practicable. The courts have acknowledged an individual's property interest in seized items, and the owner of seized property can move the court for a return of property under Fed. R. Crim. P. 41(e). That remedy is available not only when the search was illegal, but also if the person simply alleges a "deprivation of property by the Government." In Re Southeastern Equipment Co. Search Warrant, 746 F. Supp. 1563 (S.D. Ga. 1990).

Agents and prosecutors must remember that while a computer may be analogous to a filing cabinet for the agents who search it, it is much more to most computer users. It can be a data processor, graphics designer, publisher, and telecommunications center. Courts will no doubt recognize the increasingly important role computers play in our society, and the public's extensive reliance on these computers to support the way we live and do business. As a result, law enforcement should be prepared to look carefully at the circumstances of each case and to seize computers only as needed, keeping them only as necessary.

a. Federal Rules of Criminal Procedure: Rule 41(e)

While computer-owners may be especially eager for return of their hardware, software, data, and related materials, the issue of whether to retain or return lawfully seized property before trial is not unique to computers. Rule 41(e) of the Federal Rules of Criminal Procedure sets out the standards and procedures for returning all property seized during the execution of a search warrant. The Rule, in general, provides that a party who is "aggrieved by an unlawful search and seizure or by the deprivation of property" may file a motion for the return of the property on the ground that the party is entitled "to lawful possession of the property." [13]

A Rule 41(e) motion for return of property can be made either before or after indictment. However, a district court's jurisdiction over a pre-indictment motion is more limited than if the indictment has been returned. Pre-indictment remedies are equitable in nature and must only be exercised with "caution and restraint." Floyd v. United States, 860 F.2d 999, 1003 (10th Cir. 1988). The Tenth Circuit, the only Circuit to address this issue, held that two conditions must be satisfied before a district court may assume jurisdiction over a pre-indictment Rule 41(e) motion: "a movant must demonstrate that being deprived of actual possession of the seized property causes 'irreparable injury' and must be otherwise without adequate remedy at law." Matter of Search of Kitty's East, 905 F.2d 1367, 1371 (10th Cir. 1990).

Because of the paucity of cases in this area, it is very difficult to say what facts will satisfy this two-part test. However, the reported decisions do offer guidance in responding to a request for the return of seized property. The Tenth Circuit in Kitty's East held that the "irreparable injury" element is not satisfied by the threat of an imminent indictment. 905 F.2d at 1371, citing Blinder, Robinson & Co. v. United States, 897 F.2d 1549, 1557 (10th Cir. 1990). The appellate court in Kitty's East upheld the district court's decision to take jurisdiction because the nature of the seized materials--pornographic videotapes--invoked the First Amendment right of free speech. "Although the interests of the commercial speech at issue here may not equate with those of political speech, we agree that the special protections of the First Amendment justified the exercise of equitable jurisdiction in this case." Id. Conversely, the Blinder court rejected the movant's contention that it was irreparably injured by the government's failure to return original documents: "[T]he record strongly suggests that [the movant] is able to operate with photocopies of the documents seized by the government and either has copies or can make copies of all the property that the government seized." Blinder, 897 F.2d at 1557.

Once jurisdiction has been established, Rule 41(e), according to the Tenth Circuit, requires the party to also show that the retention of the property by the government is unreasonable:

Reasonableness under all of the circumstances must be the test when a person seeks to obtain the return of property. If the United States has a need for the property in an investigation or prosecution, its retention of the property generally is reasonable. But, if the United States' legitimate interests can be satisfied even if the property is returned, continued retention of the property would become unreasonable.

Id., quoting Committee Note to 1989 Amendment at 30, 124 F.R.D. at 428.

As described, the Kitty's East court initially held the district court had properly exercised jurisdiction over the motion because of the possibility that the movant's First Amendment rights would be impaired. However, the court then denied the Rule 41(e) motion for the return of the seized property. The court held that Kitty's East failed to demonstrate that it was aggrieved by an unreasonable retention of the property:

With regard to the videotapes seized, Kitty's has made no argument that the seizure has precluded all exhibition or rental of the videotapes in question. Kitty's First Amendment rights are not sufficiently infringed by the government's seizure for evidence of a few copies of a limited number of videotapes to be 'aggrieved' under Rule 41(e) . . . . Further, return of the videotapes would pose too great a risk of loss of potential evidence. As the Supreme Court has noted, 'such films may be compact, readily transported for exhibition in other jurisdictions, easily destructible, and particularly susceptible to alteration by cutting and splicing critical areas of film.' We hold therefore, that the government's retention of no more than two evidentiary copies of each film is reasonable and does not 'aggrieve' Kitty's under Rule 41(e).

905 F.2d at 1376 (citations omitted).

In United States v. Taft, 769 F. Supp. 1295, 1307 (D. Vt. 1991), the court relied on Kitty's East to deny a motion for the return of two firearms which had been legally seized by the government during the execution of a search warrant. Moreover, the court refused to second-guess the government about the evidentiary value of the guns: "[H]aving decided that the government legally seized the two firearms, this court will not opine as to the evidentiary value of the guns in the instant prosecution for cultivation of marijuana."

The decisions addressing Rule 41(e) impose a heavy burden on a party seeking the return of property, including computers, lawfully seized by the government. However, unless there is a reason not to do it, agents should explore giving the computer owner copies of the computer disks seized--even when Rule 41(e) does not require it. This is especially true if the owner needs the data to run a business. Of course, if the information stored on the disks is contraband or if copying the information would jeopardize the investigation, agents should not make copies for the owner.

Similarly, if the owner of a seized computer needs it for business, there may be intermediate solutions. For example, using careful scientific protocols and keeping exacting records, an analyst can make printouts from the hard drives to have "original" records to admit in court. Following the same process, the analyst can then make a mirror image (or "bit-stream") data copy of the hard drives for later analysis. Before returning the computers, agents should explain the printout and copying processes used, and give the defense an opportunity to object to the integrity and admissibility of the printouts and copies at that time. Best practice is to ask the defense counsel to sign an explicit waiver of those issues at the time the computer is returned and to stipulate that printouts and electronic copies will be admissible under Fed. R. Evid. 1001. (For a more extensive discussion of admitting electronic evidence, see "EVIDENCE," infra p. 108.) If the defense refuses to concede the accuracy and admissibility of the printouts and copies, the government should keep the computer. (For a form "Stipulation for Returning Original Electronic Data," see APPENDIX A, p. 129).

b. Hardware

In deciding whether to retain hardware, agents should consider several factors. Aspects that weigh in favor of keeping hardware include: (1) the hardware was used to commit a crime, was obtained through criminal activity, or is evidence of criminal activity, (2) the owner of the hardware would use it to commit additional crimes if it were returned, (3) the hardware is unique and is either essential for recovering data from storage devices or difficult to describe without the physical item present in court, and (4) the hardware does not serve legitimate purposes. Factors that weigh in favor of returning hardware include: (1) a photograph of the hardware would serve the same evidentiary purpose as having the machines in court, (2) the hardware is an ordinary, unspecialized piece of equipment such as a telephone, (3) the hardware is used primarily for legal purposes, and (4) the hardware is unlikely to be used criminally if returned.

Although the result will depend on the precise facts of each case, some basic principles are clear. Where hardware was used to commit a crime (instrumentality) or is the proceeds of crime (fruit) and it belongs to the suspect, agents should generally keep it. When the hardware clearly is not evidence of a crime (e.g. an electronic wristwatch which turns out to have no memory), it should generally be returned.

The difficult situations arise when hardware was only tangential in the crime, played primarily a non-criminal role, or does not belong to the suspect. In these cases, agents and prosecutors must balance the government's need to retain the original items against the property owner's interest in getting them back. In any case, aggrieved property owners can ask the court to order the government to return even lawfully-seized items. See Fed. R. Crim. P. 41(e).

c. Documentation

Warrants often include computer books, programming guides, user manuals and the like. These items may have evidentiary significance in several ways: they may be proprietary (e.g. telephone company technical manual for employees); they may indicate that software, hardware, or the manuals themselves were obtained illegally; they may be necessary for searching a particular, customized machine also covered by the warrant; or they may contain handwritten notes about how the subject used the machine. In these cases, agents should treat the books and manuals as evidence and retain them.

Very often, however, books and manuals are not unique. Most of the time, they will be publicly available user guides without significant handwritten notes. They may be convenient references for investigators, but they do not add anything that could not be commercially purchased. In such cases, Rule 41(e) does not require subjects to supply such equipment or technical information, so these items (if they contain no evidence) should be returned.

d. Notes and Papers

Notes and papers often contain extremely valuable information like passwords, login sequences, and other suspects' telephone numbers or names. Notes also tend to be rather cryptic, so agents will not always know right away what they are. Accordingly, it may be appropriate to retain notes and papers until they can be carefully examined, but agents should return records that are clearly not evidence or instrumentality.

e. Third-Party Owners

The retain-or-return question is particularly delicate when the evidence (usually hardware) belongs to innocent third parties. While the government is clearly entitled to seize evidence no matter who owns it, Rule 41(e) of the Federal Rules of Criminal Procedure recognizes that the property owner may move for return of unreasonably held items. See Fed. R. Crim. P. 41(e) advisory committee note (1989)("reasonableness under all of the circumstances must be the test when a person seeks to obtain the return of property"). The committee notes further point out that the government's legitimate interests can often be satisfied "by copying documents or by conditioning the return on government access to the property at a future time." Id.

When a third party claims ownership, it is important to evaluate competing claims before deciding what to do. The worst solution is to return property to someone who later turns out not to have been the rightful owner. Thus, whenever it is appropriate to return property, agents must verify ownership with documents or other reliable evidence. If in doubt, it is best to retain the item and let the aggrieved parties assert their various claims in court. This way, the government will not become embroiled in complicated ownership investigations, and will not release property to the wrong party.



----- footnotes ------


[13] Rule 41(e) does not distinguish according to how the property was used in the offense; thus, a computer used as an instrumentality of an offense (e.g., to duplicate copyrighted software or hack into other systems) is not treated differently for Rule 41 analysis from a computer used as a "storage cabinet" for documents. Of course the government's interest in seizing and keeping the computer in each case is different and, thus, from a realistic standpoint, how the computer was used in the offense is important in determining whether to retain or return it.