1996 EPIC Analysis on DOJ Computer Search and Seizure


EPIC Analysis of New Justice Department Guidelines on Searching and Seizing Computers

Dave Banisar

The Electronic Privacy Information Center (EPIC) has obtained the Department of Justice's recently issued "Federal Guidelines for Searching and Seizing Computers." EPIC obtained the document under the Freedom of Information Act. The guidelines provide an overview of the law surrounding searches, seizures and uses of computer systems and electronic information in criminal and civil cases. They discuss current law and suggest how it may apply to situations involving computers. The guidelines were developed by the Justice Department's Computer Crime Division and an informal group of federal agencies known as the Computer Search and Seizure Working Group.

Seizing Computers

A major portion of the document deals with the seizure of computers. The document recommends the use of the "independent component doctrine" to determine if a reason can be articulated to seize each separate piece of hardware. Prosecutors are urged to "seize only those pieces of equipment necessary for basic input/output so that the government can successfully execute the warrant." The guidelines reject the theory that because a device is connected to a target computer, it should be seized, stating that "[i]n an era of increased networking, this kind of approach can lead to absurd results."

However, the guidelines also note that computers and accessories are frequently incompatible or booby-trapped, and therefore recommend that equipment generally be seized to ensure that it will work. They recommend that irrelevant material be returned quickly: "[O]nce the analyst has examined the computer system and data and decided that some items or information need not be kept, the government should return this property as soon as possible." The guidelines suggest that it may be possible to make exact copies of the information on the storage devices and return the computers and data to the suspects if they sign waivers stating that the copy is an exact replica of the original data.

On the issue of warrantless seizure and "no-knock warrants," the guidelines note the ease of destroying data. If a suspect is observed destroying data, a warrantless seizure may occur, provided that a warrant is obtained before an actual search can proceed. For "no-knock" warrants, the guidelines caution that more than the mere fact that the evidence can be easily destroyed is required before such a warrant can be issued. "These problems . . . are not, standing alone, sufficient to justify dispensing with the knock-and-announce rule."

Searching Computers

Generally, warrants are required for searches of computers unless there is a recognized exception to the warrant requirement. The guidelines recommend that law enforcement agents use utility programs to conduct limited searches for specific information, both because the law prefers warrants that are narrowly tailored and for reasons of economy. "The power of the computer allows analysts to design a limited search in other ways as well . . . by specific name, words, places. . . ."

For computer systems used by more than one person, the guidelines state that the consent of one user is enough to authorize a search of the entire system, even if each user has a different directory. However, if users have taken "special steps" to protect their privacy, such as using passwords or encryption, a search warrant is necessary. The guidelines suggest that users do not have an expectation of privacy on large mainframe systems because users should know that system operators have the technical ability to read all files on such systems. They recommend that the most prudent course is to obtain a warrant, but suggest that in the absence of a warrant prosecutors should argue that "reasonable users will also expect system administrators to be able to access all data on the system." Employees may also have an expectation of privacy in their computers that would prohibit employers from consenting to police searches. Public employees are protected by the Fourth Amendment, and searches of their computers are prohibited except for "non-investigatory, work related intrusions" and "investigatory searches for evidence of suspected work-related employee misfeasance."

The guidelines discuss the Privacy Protection Act of 1980, which was successfully used in the Steve Jackson Games case against federal agents. They recommend that "before searching any BBS, agents must carefully consider the restrictions of the PPA." Citing the Jackson case, they leave open the question of whether BBS's by themselves are subject to the PPA and state that "the scope of the PPA has been greatly expanded as a practical consequence of the revolution in information technology -- a result which was probably not envisioned by the Act's drafters." Under several DOJ memos issued in 1993, all applications for warrants under the Privacy Protection Act must be approved by a Deputy Assistant Attorney General of the Criminal Division or the supervising DOJ attorney.

For computers that contain private electronic mail protected by the Electronic Communications Privacy Act of 1986, prosecutors are advised to inform the judge that private email may be present and avoid reading communications not covered in the warrant. Under the ECPA, a warrant is required for email on a public system that is stored for less than 180 days. If the mail is stored for more than 180 days, law enforcement agents can obtain it either by using a subpoena (if they inform the target beforehand) or by using a warrant without notice.

For computers that contain confidential information, the guidelines recommend that forensic experts minimize their examination of irrelevant files. It may also be possible to appoint a special master to search systems containing privileged information.

One important section deals with issues relating to encryption and the Fifth Amendment's protection against self-incrimination. The guidelines caution that a grant of limited immunity may be necessary before investigators can compel disclosure of an encryption key from a suspect. This suggestion is significant given recent debates over the Clipper Chip and the possibility of mandatory key escrow.

Computer Evidence

The draft guidelines also address issues relating to the use of computerized information as evidence. The guidelines note that "this area may become a new battleground for technical experts." They recognize the unique problems of electronic evidence: "it can be created, altered, stored, copied, and moved with unprecedented ease, which creates both problems and opportunities for advocates." The guidelines discuss scenarios where digital photographs can be easily altered without a trace and the potential use of digital signatures to create electronic seals. They also raise questions about the use of computer generated evidence, such as the results of a search failing to locate an electronic tax return in a computer system. An evaluation of the technical processes used will be necessary: "proponents must be prepared to show that the process is reliable."

Experts

The DOJ guidelines recommend that experts be used in all computer seizures and searches -- "when in doubt, rely on experts." They provide a list of experts from within government agencies, such as the Electronic Crimes Special Agent program in the Secret Service (with 12 agents at the time of the writing of the guidelines), the Computer Analysis and Response Team of the FBI, and the seized recovery specialists (SERC) in the IRS. The guidelines reveal that "[m]any companies such as IBM and Data General employ some experts solely to assist various law enforcement agencies on search warrants." Other potential experts include local universities and the victims of crimes themselves, although the guidelines caution that there may be potential problems of bias when victims act as experts.

Obtaining a Copy of the Guidelines

EPIC, with the cooperation of the Bureau of National Affairs, is making the guidelines available electronically. The document is available via the EPIC web site at http://www.epic.org/security/guidelines.txt. A printed version appears in the Bureau of National Affairs publication, Criminal Law Reporter, Vol. 56, No. 12 (December 21, 1994).