########## | ########## | ### | THE DOCUMENT CASE ####### | ####### | A collection of briefs, judgments ### | white papers, rulings, and references of ########## | moment to the issues of law and order on ########## | The Electronic Frontier | ########## | ########## | ### | Document #: 2 ####### | Title: Civil Liberties Implications of Computer ####### | Searches and Seizures: Some Proposed Guidelines for ### | Magistrates Who Issue Search Warrants ### | Archived/Published to the Net: August 7, 1991 ### | | ########## | ########## | Anonymous ftp archive maintained by ### | Mike Godwin and Chris Davis at ####### | The Electronic Frontier Foundation (eff.org) ####### | ### | These documents are in the "docs" subdirectory ### | of the ftp directory. Related files may be ### | found in the EFF and SJG subdirectories. --------------------------------------------------------- Civil Liberties Implications of Computer Searches and Seizures: Some Proposed Guidelines for Magistrates Who Issue Search Warrants Submitted by: Mitchell Kapor, B.A. Yale (1971), M.A. Beacon College (1978) President, The Electronic Frontier Foundation Mike Godwin, B.A. University of Texas at Austin (1980), J.D. (1990) Staff Counsel, The Electronic Frontier Foundation I. Introduction. We are now about a decade and a half into the era of affordable desktop computers. Yet for most people--and especially for the legal community--the civil-liberties implications of this new consumer technology have only barely begun to register. Only by acquiring a knowledge of the new technology, of its uses, and of its importance to traditional civil liberties can we guarantee the protection of those civil liberties in the future. Currently, the Electronic Frontier Foundation (EFF) is focusing on two major aspects of this failure of the law-enforcement community to fully incorporate civil-liberties awareness in its investigations of computer-related crime: 1) When law enforcement officials lack understanding both of the new technology and--just as important--of how it is normally used, they simply cannot conduct the discretion-less, "particular" searches and seizures required by the Fourth Amendment1 when those searches and seizures involve computer equipment and data. 2) The electronic conferencing systems offered by computer- based electronic bulletin-board systems (BBSs), commercial information services, and noncommercial computer networks--which may, to various degrees, be subject to law-enforcement searches and seizures--have created an environment for some of the most vigorous exercise of First Amendment prerogatives this nation has ever seen. When law enforcement does not routinely recognize the First Amendment significance of BBSs and other forms of electronic speech and publishing, its broad searches and seizures can "chill" the free exercise of those First Amendment rights. This paper is adapted from the EFF's response to the American Bar Association Criminal Justice Section's suggested guidelines for the issuance of search warrants relating to business records (July 1990)2. The guidelines seemed to be based in large part on J. McEwan, Dedicated Computer Crime Units (1989), D. Parker, Computer Crime: Criminal Justice Resource Manual (1989), and C. Conly, Organizing for Computer Crime Investigation and Prosecution. Published by the National Institute of Justice, all three publications were oriented toward informing law enforcement of the kinds of abuses to which computer technology potentially lends itself. But while such a focus may be useful for prosecutors, who may need to be brought up to speed on the technology, it is not a good focus for magistrates, who must evaluate law enforcement's claims that there is probable cause for particular searches and seizures in particular cases. For example, it may be useful for prosecutors to know that "the data in the storage device or media can be erased, replaced with other data, hidden, encrypted, modified, misnamed, misrepresented, physically destroyed, or otherwise made unusable."3 But this does not mean that the magistrate should always find probable cause to believe that a particular computer owner or operator has done so, and then authorize a highly intrusive and disruptive seizure of a BBS so that investigators can do a low-level search for hidden or encrypted data. Similarly, the fact that a clever hobbyist can find criminal uses for all sorts of equipment does not create probable cause to believe that every piece of electronic property that could conceivably be used in any type of computer crime -- or that could conceivably be evidence in some type of computer crime -- should be seized in every investigation.4 Moreover, the kind of exhaustive listing of potential computer- crimes and crime techniques in these references, together with their instructive but not particularly representative anecdotal evidence, cannot help but give both law-enforcement agents and magistrates the impression that BBSs and similar systems are likely to be used for computer-related crimes of various sorts. Our criticism of the original ABA Criminal Justice Section suggested guidelines was basically threefold: 1) There was no guidance to the magistrate as to when the computer or related equipment should not be seized, either because it is not necessary as evidence or because such a seizure would intolerably "chill" the lawful exercise of First Amendment rights or abridge a property owner's Fourth Amendment rights. 2) There was inadequate recognition of the business or individual computer owner's interest in continuing with lawful commercial business, which might be hindered or halted by the seizure of an expensive computer. 3) There was no effort to measure the actual likelihood that investigators would find computers equipped with such justice- obstructing measures as automatic-erasure software or "degausser" boobytrap hardware, the presence of which might justify a "no-knock" search and seizure, among other responses. Section II of this paper, infra, contains the EFF's general comments on the suggested guidelines. while Section III contains our amended version of those guidelines. II. Comments on Proposed Guidelines on Searches and Seizures A. Searches and seizures of computers used for publishing or electronic bulletin boards. While the same legal principles apply to searches and seizures of computerized records as to other records, when the search is of records on a computer used for publishing or for operating an electronic bulletin board system (BBS), the need for particularity is heightened since the material to be searched may be protected by the First Amendment. Particularity is also needed because First Amendment rights of association and statutory rights of privacy may be impinged by seizure of electronic mail or other private and third-party correspondence. Also, seizure of a computer used by a publication or for running an electronic bulletin board system (BBS) may violate the First Amendment by acting as a prior restraint on future speech and by interfering with the rights of expression and association of the operator and users of the system. B. No-knock entries because of risk of destruction of data. We believe the concern with possible destruction of data, whether stored internally or externally, is overstated in the proposed commentary. Such a concern can justify a "no-knock" entry only in rare circumstances on a strong factual showing by law enforcement personnel. First, we are not aware of any data showing that a device like a degausser is frequently or commonly used to destroy evidence during a search. Second, the only data that can be destroyed "at the flip of a [power] switch" is the relatively small amount of information in the internal memory (RAM) of a computer, and not information stored on an internal hard disc. Information is only contained in RAM when a computer is being actively operated, and then only information about the current application the computer is running. Thus, in order for a no-knock entry to be warranted, there must be credible evidence presented to the judicial officer either that (l) it is likely that the suspects have a device like a degausser by which data will be destroyed, or (2) the computer user will be using the computer for illegal purposes at the time of the search, e.g., when a warrant is sought at the moment a telephone tap demonstrates that computer user is in the act of using the computer to illegally access a computer database without authorization. C. Searches and seizures when the computer is used for electronic communications (e-mail). E-mail and other stored electronic communications are protected by the Electronic Communications Privacy Act, 18 U.S.C. 2701-2711. E- mail should thus be protected from search and seizure, unless there is probable cause to search and seize a specific electronic communication. Accordingly, if a search is likely to take place of a computer which provides an e-mail service to users, such as most BBSs, the affiant should inform the judicial officer of this possibility so that the judicial officer can establish procedures to ensure that the officers executing the warrant do not view e-mail for which no probable cause exists, and to ensure that the BBS computer is not seized unnecessarily as this will prevent the authorized access of users to their e-mail. D. Search vs. seizure We suggest that the commentary make a stronger distinction between the factors applicable to searches of computers, and those which demonstrate that the seizure itself of a computer or of discs is warranted. Because of this, we propose that several of the paragraphs be rearranged. E. Seizure of computer discs. Often, warrants have provided for the wholesale seizure of all computer discs, without any requirement that the officers executing the warrant review the data contained on each disc and seize copies only of relevant files. Because of the voluminous amount of materials that can be stored on a computer disc, such a seizure is often equivalent to a prohibited general search, as it permits the seizure of a great many files for which there is no probable cause to seize. The commentary does mention the possibility of establishing a procedure to ensure that not all files on a disc are seized, but we believe this should be further emphasized. We believe that that only in the situation where an entire organization is permeated with fraud or other misconduct is the wholesale seizure of computer discs appropriate. In all other circumstances, the search of the computer discs for seizable data should be conducted on the organization's premises. While this type of on- premises search may be time-consuming, the same exact procedure is followed when officers executing a warrant are searching through hard-copy files for seizable material. The judicial officer should allow the wholesale seizure of discs and a search off-premises of these discs for seizable material only if the affiant can present specific factors which demonstrate a necessity for an off-premises search. Further, if the judicial officer does permit an off-premises search of the computer discs, the warrant should require that such a search take place promptly (presumptively within a matter of days), and that the officers executing the warrant then promptly copy only the relevant parts of the discs and immediately return the originals to the owner or custodian. The citation to Voss v. Bergsgaard, 774 F.2d 402 (10th Cir. 1985), does not support the proposition it is cited for, in that it suggests the description there was sufficiently particular when in fact the Court held the warrant unconstitutionally overbroad. F. Seizure of computer where isolated information or records stored on the computer is the object of the search. While the seizure of a computer should be authorized when the computer is the instrumentality of a crime, in most other circumstances, where officials seek isolated information or records stored on the computer, seizure should not be authorized. In the first place, such a seizure would violate the particularity requirement as many non-seizable records would be seized. Secondly, the seizure may force a halt to legitimate business operations. In such circumstances, the judicial officer should require that the search of the computer hard drive take place at the organization's premises, and that the officers executing the warrant make copies only of the seizable files or data. III. Revisions to Business Record Guidelines and Guideline Commentary The original ABA Criminal Justice Section Suggested Guideline appeared in the form of a two-paragraph "Guideline" articulating the general principles underlying Constitutional searches and seizures of business records, followed by four pages of "Commentary" laying out the legal issues raised by business-record searches and seizures, with a particular focus on computer-based records. We prepared suggested modifications to the guideline and to the commentary which incorporates the discussion in Sections I and II. A. As to the guideline, the first two paragraphs read as follows: As is the case generally, the description for searches and seizures of business records should be so definite that it eliminates officer discretion in determining which items are covered, which are not, and when the search must come to an end. However, because it is not always possible to meet this standard, the particularity requirement may be applied with less rigidity than in other settings. The judicial officer, in assessing particularity, must determine if the description of the records (whether in writing or electronically maintained) is as specific as the circumstances allow -- or, in the alternative, whether the description is sufficiently specific to prevent the searching party >from unnecessarily examining non-relevant records in order to find the desired records. The particularity requirement is most likely to be met when (1) probable cause exists to seize all the items within a particular category, as when the entire enterprise is permeated with fraud or other misconduct, or (2) when the warrant sets out some objective standard, a limiting feature, that allows the officers to differentiate between what can and cannot be seized, or (3) when the application describes as fully as possible, in light of what the investigators know, what is to be seized, or (4) when the warrant spells out a method for executing the search that limits the exposure of non-relevant materials, such as appointing a third- party monitor. To this Guideline EFF proposed adding the following paragraph: "Warrants for computerized records must be drawn narrowly and with enough specificity to eliminate or minimize the researchers' discretion and intrusion into other materials stored on the computer. Seizure of the computer itself, while proper in the limited circumstances where it is the instrumentality of a crime (as when the computer is itself a tool directly used to commit telecommunications fraud), is generally not justified when the object of the search is evidence stored on the computer, particularly since seizure of the computer may force a legitimate business to cease operations. Where the computer being searched is used in the publication or communication of information, warrants must be drawn even more narrowly to avoid infringing on First Amendment rights of expression and association, and seizures of such computers may also violate First Amendment rights unless the computer is the instrumentality of a crime." In the commentary, the additions we suggested are underlined, and at any point where we suggest deleting some material we have indicated this by brackets ([]). In addition, our proposal rearranged several of the paragraphs: (Beginning after Second Paragraph on p. 39) When the records are electronically stored in a computer, as is frequently the situation, the same legal principles apply. [] In most respects, search and seizure issues in computer cases are like those in other criminal cases. J. McEWAN, DEDICATED COMPUTER CRIME UNITS 55-56 (189); CF. D. PARKER, COMPUTER CRIME: CRIMINAL JUSTICE RESOURCE MANUAL (1989). When computerized records are sought, they must be described, as in the case with written records, with enough specificity to eliminate or minimize the searchers' discretion as to what may be examined and seized. When the information sought can be made definite (e.g., a memorandum from sales manager Jones to field agent Smith, dated March 11, 1980, concerning the sale of certain chemicals), the particularity requirement is easily satisfied whether the record is in writing or electronically stored. If it is likely that the record of this document exists only in electronic form, the particular computer and storage media should be identified, and the affidavit should be clear that the searchers have the technical capacity to access the information. The need for particularity is heightened where the computer to be searched is used for a newspaper, magazine, electronic publishing or to operate an electronic bulletin board.5 There are "special restraints upon searches for and seizures of material arguably protected by the First Amendment." Lo-Ji Sales, Inc. v. New York, 442 U.S. 319, 326 n.5 (1970). Where the materials to be seized may be protected by the First Amendment, both the particularity requirement and the probable cause requirement must be met with "scrupulous exactitude." See, e.g., Voss v. Bergsgaard, 774 F.2d 402, 405 (10th Cir. 1985) (quoting Stanford v. Texas, 379 U.S. 476, 485 (1965) and citing Zurcher v. Stanford Daily, 436 U.S. 547, 565 (1978). In addition, when a computer used to operate a BBS is searched, there is significant danger that First Amendment rights of association and statutory rights of privacy may be impinged by seizure of electronic mail (e-mail) or other private communications which have no relation to the alleged criminal activity justifying the search. Seizure and search of e-mail isgoverned by the procedures of the Electronic Communications Privacy Act, 18 U.S.C. 2701-2711. Similarly, seizure of material on a BBS meant for publication or dissemination which is not related to the alleged crime may violate First Amendment rights of free expression. When the affiant describes [] the records to be seized only in general terms, such as "books, letters, papers, memoranda, contracts, files, computer tape logs, computer operation manuals, and computer tape printouts," there is a likelihood that the particularity requirements have not been met. In such a circumstance, the judicial officer should question the affiant to see whether any additional limiting standards -- time period, authorship, transaction, or offense, for example -- can be established. The more limitations in the affidavit, the more likely that Fourth Amendment particularity exists.6 In some instances, the affidavit may contemplate so extensive a seizure of computerized data that a successful search would cripple the business. Under these circumstances,the judicial officer should explore with the applicant the feasibility of copying or otherwise acquiring the information sought without depriving the owner or custodian of its use. Since the justification for a search is to gather evidence, not close a business, it is important that the seizure be no more intrusive than necessary. To this end, the judicial officer may require the applicant to demonstrate technical expertise or access to such. One troubling problem arises from the way computerized records are stored. Because computer discs have such a large storage capacity, it is common to store unrelated data on the same disc. This means that a seizure of an entire disc may involve substantial amounts of information that is not relevant to the inquiry. When the discs are maintained by an innocent third party, such as a large accounting firm, the invasion of privacy is compounded, since the relevant discs may also contain data for other clients of the firm. To protect the rights of these third parties, special procedures may be necessary. Similarly, the wholesale seizure of a large number of computer discs would appear to violate the particularity requirement, and be a prohibited general search, in a situation where the entire organization is not permeated with fraud or other misconduct.7 In such cases, the search of the computer discs for seizable items preferably should be conducted on the organization's premises. Wholesale removal of discs for off-premises searches should be authorized only if identifiable particular circumstances so mandate, and in such case the officers executing the warrant should promptly copy only relevant parts of the discs and promptly return the discs to the owner or custodian. To limit the scope of the seizure and the invasion of the rights of the third parties, and to protect the owner's rights (and the custodian as well), the judicial officer should consider (1) appointing an expert to accompany the law enforcement officers on the search to provide guidance to them in identifying the named items; (2) directing that all searches of discs for seizable items be conducted on the organization's premises, and (3) in situations where an on-premise search of the discs is not feasible because of specific reasons, establishing a procedure whereby the relevant parts of the disc may be promptly copied and then the original returned to the owner or custodian within a reasonable period of time, presumptively no longer than several days. The computer itself may be subject to seizure when it is an instrumentality for the commission of an offense, for example when it is employed to commit a host of illegal acts: software piracy, embezzlement, and telecommunications fraud are among these.8 For a fuller description of offenses committed with computers, see McEWAN, DEDICATED COMPUTER CRIME, Units 1-5, 38 (1989). Computers may also serve criminal enterprises by maintaining databases of, for example, drug distributions or customers for child pornography. In terms of establishing probable cause and particularity, the affidavit must, as is generally true, provide reason to believe that an offense has been committed, and that the object to be seized -- the computer -- is implicated. The computer should be identified as fully as possible, i.e., by manufacturer, model number and serial number to meet the particularity requirement. Seizure of the computer itself should not be authorized where information or records stored on the computer are the only object of the search. Such computer seizures and the attendant seizure of all data on the computer's hard drive would not meet the particularity requirement. In addition, as with the wholesale seizure of computerized records, the seizure of the computer will often make it impossible for a lawful business to continue operating. If the computer is used for publishing or communicating information, e.g., if it is used by a newspaper, publication or for running a BBS, seizure may violate the First Amendment, because the seizure may act as a prior restraint on future speech or may interfere with the rights of expression and association of the operator and users of the system. Because a computer is actually a system of several parts, the affidavit should specify what exactly is to be seized. An expert may be necessary in order to ensure a complete and precise listing. When the affidavit, of necessity, employs technical language to explain the offense involved, such as "patching a long distance phone call to avoid paying the toll," See Ottensmeyer v. Chesapeake and Potomac Tel. Co., 756 F.2d 986 (4th Cir. 1985), the affiant's credentials, training, and education in computer sciences should be set forth so that the judicial officer has a basis for evaluating the analysis and interpretation in the affidavit. In unusual situations when the judicial officer has difficulty comprehending the nature of the offense alleged, or questions the expertise of the affiant or the affiant's witnesses, the judicial officer can summon an expert witness to provide additional testimony. Ordinarily, however, the procedure is to require the affiant to further supplement the affidavit, or attempt to rewrite it to meet the judicial officer's objections. The judicial officer may also require an expert to accompany the affiant in order to insure that the seizable items are properly identified and removed in a reasonable manner to avoid injury to property, [] needless exposure of unrelated records, or infringement of First Amendment rights. In Ottensmeyer, 756 F.2d at 986, an expert accompanied the searching party. Cf. De Massa v. Nunez, 747 F.2d 1283 (9th Cir. 1984) (special master appointed to supervise the seizure of documents during execution of warrant at attorney's office); Forro Precision Inc. v. International Business Machine Corp., 673 F.2d 1045 (9th Cir. 1982) (discussing the role of an expert during the execution of the warrant). Because computer systems increasingly rely on complicated access procedures and may also have the capacity to destroy data when an unauthorized user attempts to access them there is an additional need for expertise. The judicial officer should make sure that the officers executing the warrant have the capacity to make the seizure without destroying data or damaging property unnecessarily, and thus may appoint an outside expert to monitor or supervise the execution of the warrant. The appointment of an expert provides added assurance that (1) there will not be an inadvertent interruption in the electric power during data manipulation by the officers that could result in the loss of information, (2) that if there is a hard disc drive, the heads on the drive will be "parked" before moving the system to avoid destroying stored information, (3) that when such equipment as telephone modems, auto-dialers, and printers are connected to the computer, they will be disconnected without loss of information, and (4) that the officers executing the search warrant will not unintentionally change data while collecting evidence. See generally, C. CONLY, ORGANIZING FOR COMPUTER CRIME INVESTIGATION AND PROSECUTION 22 (1989). IV. Conclusion. These suggestions were submitted to the ABA through Judge William R. McMahon of Ohio, who chairs the ABA, NCSCJ committee on Modern Technology and the Courts. It is the EFF's hope that these suggestions can also be used as a resource by state and federal legislatures, by state and federal judiciaries, and--perhaps most importantly--by the front-line law-enforcement officials and prosecutors whose job it is to integrate the enforcement of the law with the preservation of our civil liberties. 1The Fourth Amendment to the U.S. Constitution states that "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." 2Sections II and III of this paper were originally researched and written for EFF by Nick Poser, Esq., and Terry Gross, Esq., of Rabinowitz, Boudin, Standard, Krinsky & Lieberman. Harvey Silverglate, Esq., and Sharon Beckman, Esq., of Silverglate & Good reviewed these sections and offered valuable suggestions and comments. 3D. Parker, Computer Crime: Criminal Justice Resource Manual (1989), page 68. 4 A "sample" search warrant in Conly, Organizing for Computer Crime Investigation and Prosecution includes the following language: "In the County of Baltimore, there is now property subject to seizure, such as computers, keyboards, central processing units, external and/or internal drives, internal and/or external storage devices such as magnetic tapes and/or disks, terminals and/or video display units and/or receiving devices and peripheral equipment such as, but not limited to, printers, automatic dialers, modems, acoustic couplers, and or [sic] direct line couplers, peripheral interface boards and connecting cables or ribbons, diaries, logs, and other records, correspondence, journals, ledgers memoranda [sic], computer software, programs and source documentation, computer logs, magnetic audio tapes and recorders used in the obtaining, maintenance, and or [sic] dissemination of information obtained from the official files and computers of the [sic] MCI Telecommunications Inc. and other evidence of the offense." Although clearly taken from a warrant drafted for a specific crime involving MCI, this language is frequently copied almost verbatim in warrants involving far different crimes. Moreover, the drafters, perhaps afraid that their language was not sufficiently inclusive, made sure to add the phrase "such as, but not limited to" in reference to what qualifies as a "peripheral" for the purposes of the warrant. One may wonder how such a broad description meets the "particularly describing" clause of the Fourth Amendment, or how it limits the discretion of the executing officer as to which property he or she will seize. 5 There is growing recognition that bulletin board systems (BBSs) are a form of press. See, e.g., An Electronic Soapbox: Computer Bulletin Boards and the First Amendment, 39 Fed. Com. L. J. 217, 240 (1988), citing Legi-Tech, Inc. v. Keiper, 766 F.2d 728, 734-36 (2d Cir. 1985). 6Two problems, unrelated to particularity, may arise with respect to the seizure of computerized data. [] First, in certain circumstances, affiants may have specific information that the suspects have devices by which computerized data may be rapidly destroyed, and in such cases affiants may seek permission to enter the premises without announcing their authority and purpose. Affiants may also seek such permission in cases where it is known that the suspect will be using the computer for illegal purposes at the time of the search, e.g., when a warrant is sought at the moment a telephone tap demonstrates that the computer user is in the act of illegally accessing a computer database over the telephone lines, as evidence of the crime could be lost if the computer user shuts off the computer. For an analysis of the standard for "no-knock" entries in business premises see Guideline 10.3 infra. The second problem relates to the time period in which the computerized data are stored. In addition, unlike written records, data internal to the system are not likely to be so maintained for long periods. Although computers commonly have book-length or longer storage capacity, the typical procedure is to transfer the data to external storage, typically in the form of a disc or tape. Given the practice, the judicial officer must evaluate the affidavit with care to ascertain the likelihood that the data is in the computer and has not been transferred to a different location or erased. If electronic communications are maintained on the computer, such as with computers operating electronic bulletin boards, reference must be made to the Electronic Communications Privacy Act, 18 U.S.C. 2701- 2711, and the affiants should inform the judicial officer, so that he can establish procedures to ensure that the privacy of these communications is protected, and that no communications are searched unless probable cause exists as to that communication. 7 Generic listings which would permit the seizure of virtually all computer related materials fail to meet the particularity requirement. See, e.g., Voss v. Bergsgaard, 774 F.2d 402, 407 (10th Cir. 1985), [] (affidavit held insufficient which described the computer records and materials to be seized as follows: "One Alpha Micro computer processing unit, approximately four Alpha Micro computer terminals, computer printers, and computer manuals, logs, printout files, operating instructions, including coded and handwritten notations, and computer storage materials, including magnetic tapes, magnetic discs, floppy discs, programs and computer source documents" 8A computer is certainly "property" and hence theoretically might be subject to seizure if it is forfeitable pursuant to a specific statute authorizing such forfeiture, e.g., the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C. $ 1913. Because a computer is also a communications device much as a typewriter or printing press is, however, seizure of the computer raises First Amendment issues not present in other types of forfeitures. For this reason, the better procedure when dealing with an arguably forfeitable computer system is not to seize it, which raises First Amendment and prior- restraint problems, but to allow the government to proceed instead by subpoena or motion, where the delicate issues can be litigated without the prior restraint that seizure pendente lite would cause. -- Mike Godwin, (617) 864-0665 | "You gotta put down the ducky mnemonic@eff.org | if you wanna play the saxophone." Electronic Frontier | Foundation | Downloaded From P-80 International Information Systems 304-744-2253