Nac 1 21 03 Presentation Transcript

  • Computer Searches Abigail Abraham Assistant State Attorney Cook County, Illinois Ivan Orton Sr. Deputy Prosecuting Attorney King County, Washington
  • You Remember Law School Exams, Don’t You?
  • You sign off on a routine drug warrant. Undercover says he bought drugs at the house you want to search. The warrant authorizes the seizure of drugs, records of drug transactions and evidence of dominion and control
  • When search is executed of multi-room house, drugs are found in one bedroom. One computer is found in the living room and a second is found in a second bedroom. There is a small quantity of marijuana in the first bedroom.
  • Upon your advice, the police seize the computers and the drugs and turn the computers over to private computer experts for examination. Because the experts are backed up with other computers, they don’t get to these two computers for two weeks.
  • The search of the computer found in the living room finds:
    • files identifying the owner of the computer
    • files that appear to be related to drug transactions.
    • e-mail files containing copies of sent mail, received mail and drafts of e-mail not yet sent.
  • After Charges are Filed
    • You issue a trial subpoena to the ISP hosting the owner’s e-mail account, requesting copies of all unopened e-mail.
  • The search of the computer found in the living room - cont.
    • In searching the computer the expert notices a file called “babyfuk”.
    • He opens the file and finds it is a graphic image – child pornography.
    • The expert then does a search for all graphics files, copies them to disk and examines each of these files.
    • Many of them contain child pornography.
  • A search of the other computer reveals several things.
  • Contents of Second Computer
    • Evidence showing the name of the owner of the second computer and that he is a rent-paying tenant in the house. There are rental records showing the occupant of the drug bedroom is the owner.
    • The computer was being used to host a web site for a right wing, Aryan nation type group. Although access to the Website is password protected, by gaining access to the computer hosting the Website the expert is able to bypass the password protection.
    • The Website, among other things, offers for sale, numerous books and pamphlets written by the owner of the computer. The writings themselves are stored on the computer. The writings can be purchased online.
    • Also on the computer is a personal diary, copies of correspondence between the computer owner and his ex-wife about their marital difficulties, correspondence with the psychiatrist of the owner’s 14 year old daughter discussing her recent suicide threats and a family tree showing that the owner’s great grandmother was an African American.
  • Possession with intent charges are filed against both occupants of the house. Sexual Exploitation of a Minor charges are filed against the owner of the house.
  • Discovery
    • The attorney for the owner demands discovery of all computer files found on the second computer – not his client’s computer.
    • Discovery is provided, including all the contents of the second computer.
    • In an attempt to paint the tenant as the bad guy, the attorney for the owner leaks much of this information to the press and to the local Aryan Nation chapter.
  • Two days later the daughter of the tenant, whose emotional troubles were presented in the media in coverage of this case, commits suicide.
  • The defense attorneys move to suppress all evidence found on both computers. In a separate civil action they bring an action for violation of the Privacy Protection Act, and the Electronic Communications Privacy Act.
  • The Judge grants the motions to suppress, holding that:
    • Owner of house
    • No probable cause to search the computer in the owner’s bedroom
    • No authorization to take computers off-site
    • No authorization for non police expert to search computers
    • Search of computers exceeded time limit of 10 days (Limit set by jurisdiction’s criminal rules)
    • Owner of house (cont.)
    • While first child pornography image was in plain view, others were not. Search exceeded scope of warrant
    • Obtaining unopened e-mail by way of subpoena violated the ECPA. Awarded damages and attorney fees
    • Dismisses all counts
    • Tenant
    • No PC to search tenant’s bedroom
    • No PC to search tenant’s computer
    • No authorization to take tenant’s computer off-site
    • No authorization for non police expert to examine
    • Search exceeded 10 day limit
    • Tenant (cont.)
    • Citing a recent 9th Circuit opinion, finds access to password protected Website to be an interception of a private communication and a violation of the federal and state wiretap statute Washington Privacy Act:
      • Suppresses
      • Awards damages and attorneys fees
    • Finds the owner of the computer to be a publisher and finds the search to be a violation of the Privacy Protection Act. Awards damages and attorneys fees.
    This opinion has since been withdrawn.
    • Tenant (cont.)
    • Finds the access to the diary, correspondence and other personal records to be without probable cause and done in bad faith, creating a 1983 cause of action.
    • Grants plaintiff motion for summary judgment in 1983 action, awarding 13.5 million.
    • Dismisses all counts.
  • Then you wake up in a cold sweat. The detective didn’t bring that warrant to you yesterday. He’s bringing it to you tomorrow. The rest of this presentation will be spent trying to help you avoid the mistakes made in this nightmare case.
  • Disclaimer: The Judge’s rulings in this example are not necessarily accurate rulings.
  • Searching and Seizing Electronic Evidence
  • Whose Computer
  • Role of Computer in Crime
  • Our Primary Focus Today: Suspect’s Computer, where computer is a container of evidence
  • We Will Also Examine: the laws governing access to Third Party Computers, where computer is a container of evidence
  • The Things You’ll Find
    • Peter Rilling
      • Police interviewed him between 12:30 and 13:30 on September 13
      • Seized his computer under a warrant the next day
  • Rilling’s Log Files
  • The Things You’ll Find
    • Homicide
      • Husband suspected of killing wife
      • Employer searched through husband’s work computer
  • Accidental death search
  • Accidental death search
  • Poison search
  • Poison search
  • General Search Law for Containers
    • United States v. Ross (US Supreme - 1982)
      • “A lawful search of fixed premises generally extends to the entire area in which the object of the search may be found and is not limited by the possibility that separate acts of entry or opening may be required to complete the search”
    • United States v. Hunter (D. Vt. 1998)
      • “A finding of probable cause is not predicated on the government’s knowing precisely how certain records are stored.”
  • Always Distinguish
    • What Careful and Prudent Prosecutor Would Do
    • What can be Defended
  • Remember
    • Thus far, we’re way ahead of the defense bar
  • Outline of Presentation
    • Preparing the Warrant
    • Executing the Warrant
    • Post Search - What to Return
    • Federal Statutes that Govern Electronic Records
    • Voice Mail
    • Evidence located outside the State/US
    • A Scary Case
  • Preparing the Warrant
    • Do you need a warrant
    • Consent exceptions
    • Alternatives to warrants
    • What are you searching for
    • Warrant language
    • PC to search WHERE you’re searching
    • On site or Off site search
    • Other Issues
  • When Do You Need a Warrant
    • Is 4th Amendment/Article One, Section Seven involved?
    • Reasonable Expectation of Privacy
    • Government Action
  • Is There a Reasonable Expectation of Privacy in:
    • Computer in Home
    • Computers away from Home
      • Work Computers
      • Shared Computers
    • Websites
      • Website open to Public
      • Website password protected
    • Electronic Communication
  • Government Action
    • Private searches not covered
    • Searches by foreign law enforcement (other states, federal, other country) not covered.
    • They can’t be acting as your agent
  • Preparing the Warrant
    • Do you need a warrant
    • Consent exceptions
    • Alternatives to warrants
    • What are you searching for
    • Warrant language
    • PC to search WHERE you’re searching
    • On site or Off site search
    • Other Issues
  • Consent Exception
    • Parent
    • Spouse
    • Co-User
    • Workplace
      • Private v. Public
  • Workplace Searches
    • Public or private sector
    • Do existing employment policies permit a search
    • Is the search work-related
  • Workplace Searches - Private
    • Police cannot search without a warrant or consent
    • Consent can be given by a party who exercises common authority over the area searched
    • Be wary of co-worker consent (as opposed to employer/supervisor consent)
    • Even if private search wrongful, not suppressible unless acting as police agent
  • Workplace Searches - Public
    • Starting Point - O’Connor v. Ortega (1987)
      • There is a reasonable expectation of privacy (unless actual office practices and procedures or legitimate regulation permit the supervisor or co-workers or the public to enter the employee’s workspace.)
      • Even with reasonable expectation of privacy, employer can search for work related reasons or to investigate work related misconduct.
  • Workplace Searches - Public
    • Expectation of Privacy
    • Written employment policies can define what is protected and what is not
    • Banners
  • Workplace Searches - Public
    • Warrantless Search
    • Search must be work-related
      • Presence or involvement of law enforcement officers will not invalidate the search so long as the employer or his agent participates for legitimate work-related reasons
      • Fact that work-related malfeasance being investigated is also a crime will not make search invalid
    • Search must be justified at its inception and permissible in its scope
  • Workplace Searches - Public
    • Consent
    • Government employers acting in their official capacity generally cannot consent to a law enforcement search of their employee’s offices.
  • Preparing the Warrant
    • Do you need a warrant
    • Consent exceptions
    • Alternatives to warrants
    • What are you searching for
    • Warrant language
    • PC to search WHERE you’re searching
    • On site or Off site search
    • Other Issues
  • Alternatives to Search Warrants
    • When You Might Need an Alternative
    • Grand Jury Subpoena
    • 2703(d) Order
    • Trial Subpoena
    • Pen Register/Trap and Trace
  • When You Might Need an Alternative to a Search Warrant
    • You don’t have probable cause
    • Evidence is out-of-state
  • Subpoenas
    • Warrant may be limited to within state - subpoena may not (state law dependent)
    • Limits under Federal law (ECPA) re: what electronic communication records you can obtain by subpoena
    • Can enforce through Interstate Compact to obtain witnesses but need a court hearing
  • 2703(d) Order; Pen Register/Trap & Trace
    • Will be discussed later in this presentation
  • Preparing the Warrant
    • Do you need a warrant
    • Consent exceptions
    • Alternatives to warrants
    • What are you searching for
    • Warrant language
    • PC to search WHERE you’re searching
    • On site or Off site search
    • Other Issues
  • What are you Searching For? INFORMATION
  • Describe Evidence in Terms of Specific Records or Information
  • Preparing the Warrant
    • Do you need a warrant
    • Consent exceptions
    • Alternatives to warrants
    • What are you searching for
    • Warrant language
    • PC to search WHERE you’re searching
    • On site or Off site search
    • Other Issues
  • Define “Records” or “Information” to Include Computer Records
    • The terms “records” and “information” include those items in whatever form and by whatever means they have been created or stored.
  • Or, More Specifically: The terms “records” and “information” include those items in whatever form and by whatever means they have been created or stored, including any electrical, electronic, or magnetic form (such as any information on an electronic or magnetic storage device, including floppy diskettes, hard disks, ZIP disks, CD-ROMs, optical discs, backup tapes, printer buffers, smart cards, memory calculators, pagers, personal digital assistants such as Palm Pilot computers, as well as printouts or readouts from any magnetic storage device); any handmade form (such as writing, drawing, painting); any mechanical form (such as printing or typing); and any photographic form (such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures, photocopies).
  • Remember: You Can Defend the Search of a Computer Where the Warrant did not Specify Computer Records
  • Preparing the Warrant
    • Do you need a warrant
    • Consent exceptions
    • Alternatives to warrants
    • What are you searching for
    • Warrant language
    • PC to search WHERE you’re searching
    • On site or Off site search
    • Other Issues
  • Probable Cause
    • Evidence of a Crime
    • Will be found in the place you want to search
  • Probable Cause to Search Where you want to Search
    • If PC is based on tracing electronic trail, BE CAREFUL
      • Ultimately you will trace back to connection point to Internet - typically ISP
      • Dial-up ISP v. Cable Modem/DSL
      • Spoofing
      • Verify computer target is used at location you want to search
  • Preparing the Warrant
    • Do you need a warrant
    • Consent exceptions
    • Alternatives to warrants
    • What are you searching for
    • Warrant language
    • PC to search WHERE you’re searching
    • On site or Off site search
    • Other Issues
  • How Will Search Be Conducted
    • On site, print evidence
    • On site, electronically copy evidence
    • On site, mirror image for off site examination
    • Seize equipment and search off site (most frequent)
  • Reasons to Search Off Site
    • Too Much Data
    • Too Risky
    • Too Inconvenient (to suspect and police)
    • Need Expertise not Available on site
  • Off Site Searches Approved
    • United States v. Hunter (D. Vt. 1998)
      • “Until technology and law enforcement expertise render on-site computer records searching both possible and practical, wholesale seizures, if adequately safeguarded, must occur”
    • But see People v. Michael John Gall (Colo. Sup. 2001, dissent)
  • Preparing the Warrant
    • Do you need a warrant
    • Consent exceptions
    • Alternatives to warrants
    • What are you searching for
    • Warrant language
    • PC to search WHERE you’re searching
    • On site or Off site search
    • Other Issues
  • Other Issues to Address in Warrant Affidavit
    • Articulate Search Strategy in Affidavit/Warrant?
    • Have Experts/Victim Representatives Accompany Police? Address this in affidavit?
  • Outline of Presentation
    • Preparing the Warrant
    • Executing the Warrant
    • Post Search - What to Return
    • Federal Statutes that Govern Electronic Records
    • Voice Mail
    • Evidence located outside the State/US
    • A Scary Case
  • Executing the Warrant
    • What can you search
    • What can you take
    • Should an expert accompany you
    • Must Officer be present when search is executed
    • When to get a second warrant
    • Time Limits on execution of warrant
  • What Can Be Searched
    • Anywhere evidence you are authorized to seize could reasonably be found
    • Plain View
  • Plain View in Computer Context
    • Officer must be lawfully in position from which she/he can plainly see the item
    • The incriminating nature of the item must be immediately apparent
    • The officer must not change the focus of her/his search as a result of discovering the plain view item
  • Executing the Warrant
    • What can you search
    • What can you take
    • Should an expert accompany you
    • Must Officer be present when search executed
    • When to get a second warrant
    • Time Limits on execution of warrant
  • If Taking Computer to Search Off Site, What Can You Take?
    • Clearly storage devices, and they need not be removed from the computer
    • Can take what is needed to effectuate your search.
    • Must be substantive reason to take other equipment
  • Executing the Warrant
    • What can you search
    • What can you take
    • Should an expert accompany you
    • Must Officer be present when search executed
    • When to get a second warrant
    • Time Limits on execution of warrant
  • Presence and Assistance of Expert in Conducting Search
    • Permission not required, but role of expert in search must be clearly established
    • Better practice to request and receive permission in affidavit and warrant
    • Post search examination of computer by expert - get approval if part of search
    • Special concern when expert is representative of victim
  • Executing the Warrant
    • What can you search
    • What can you take
    • Should an expert accompany you
    • Must Officer be present when search is executed
    • When to get a second warrant
    • Time Limits on execution of warrant
  • Must Officer be present when search executed
    • How do you execute a warrant at an out-of-state location - typically fax warrant
    • U.S. District Court in Minnesota said state warrant executed via Fax runs afoul of 18 USC Section 3105 (Officer must be present) and 4th Amendment requires the same (U.S. v. Bach)
    • Reversed on Appeal (motion for reconsideration pending)
  • Executing the Warrant
    • What can you search
    • What can you take
    • Should an expert accompany you
    • Must Officer be present when search executed
    • When to get a second warrant
    • Time Limits on execution of warrant
  • When to Get an Additional Warrant?
    • When you have probable cause to believe that evidence not covered by your current warrant may be found in a computer
    • Remember Plain View - can still take note of outside-the-scope evidence
    • Safest Course - Get an Additional Warrant
  • Executing the Warrant
    • What can you search
    • What can you take
    • Should an expert accompany you
    • Must Officer be present when search executed
    • When to get a second warrant
    • Time Limits on execution of warrant
  • Prompt Execution
    • Must Be Executed Before Stale
    • Warrant’s Own Time Limits
    • Court Rules - See Washington CrR 2.3 (c) Ten Day Limit
      • What About Off-Site Search
      • Search Sufficient to find some evidence
  • Outline of Presentation
    • Preparing the Warrant
    • Executing the Warrant
    • Post Search - What to Return
    • Federal Statutes that Govern Electronic Records
    • Voice Mail
    • Evidence located outside the State/US
    • A Scary Case
  • Post Search - What to Return
    • May be dictated by warrant
    • May be times when prudent course is to return
      • Defendant’s business computer
      • Third party business computer
    • Get stipulation
    • Don’t Return Contraband
  • Outline of Presentation
    • Preparing the Warrant
    • Executing the Warrant
    • Post Search - What to Return
    • Federal Statutes that Govern Electronic Records
    • Voice Mail
    • Evidence located outside the State/US
    • A Scary Case
  • PPA and ECPA
    • Neither provides for suppression but . . .
  • Privacy Protection Act, 42 U.S.C. § 2000aa
    • Passed in response to Zurcher v. Stanford Daily, 436 U.S. 547 (1978)
    • Prohibits searches/seizures of material intended to be published or broadcast and "documentary material" possessed in connection with a purpose to publish or broadcast the material. Such material must be obtained by subpoena.
    • There are exceptions.
  • Steve Jackson Games
    • Secret Service agents executed a search warrant at the offices of Steve Jackson Games, Inc.
    • SJG filed suit against the Secret Service claiming violations of the Privacy Protection Act and the Electronic Communications Privacy Act
    • Court held that Secret Service violated the PPA and awarded damages of $51,040. The court also found a violation of the ECPA and awarded statutory damages of $1,000 to each individual plaintiff. It also awarded SJG over $250,000 in attorney fees and costs.
  • Steve Jackson Games (cont)
    • Although the Secret Service may not have known that SJG was a publisher at the time of execution of the warrant, they were aware of this by the day after the execution of the warrant.
    • The decision makes several things clear.
      • First, a computer "publisher" is protected under the PPA.
      • Second, even if there is no knowledge of publisher status at the time a search is executed, if the seized material shows publisher status, the seizing agents may be liable for their actions following their presumed acquisition of knowledge of publisher status.
      • Finally, SJG was not itself a target in the investigation. Had the company been the target, the results might have been different.
    • The decision also makes it clear that a lack of familiarity with the Privacy Protection Act can be costly.
  • Steve Jackson Games (cont)
    • The most important point about the PPA that can be made in a summary discussion such as this one is that the Act applies almost exclusively to third party search situations. When you seek to search your target's computer you are usually outside the parameters of the PPA.
  • Obtaining Information from Providers
    • Special rules and mechanisms govern obtaining electronic evidence from service providers
      • telephone companies
      • Internet Service Providers (ISPs)
      • e-mail providers and web hosting services, etc.
    • Search warrants and subpoenas will suffice in most cases for non-providers
  • Tools for Obtaining Electronic Evidence
    • Primarily Tools Providers
      • Subpoenas
      • Trap & Trace / Pen Registers 
      • 2703(d) Orders 
      • Search Warrants
      • Wiretap (Title III) Orders 
    • Real-time investigation/prospective collection of information vs. production of historical information
    • Content vs. transactional/account information
    Seizing Information & Software
  • The Big Picture
  • Real-time Information (1)
    • When there is continuing criminal activity, you can obtain information in real time
      • transactional:
        • trap and trace (identify source/routing of incoming messages)
        • pen register orders (identify destination/routing of outgoing messages)
      • content: wiretaps, consensual monitoring, etc.
        • In computer context often called “keystroking”
  • Pen Register / Trap & Trace
    • Recover phone #, dynamic IP, MAC address
    • For example, a pen register would help determine where a child pornographer was sending images, a trap & trace would help determine ISP an extortionist was using to pick up web e-mail w/victim’s answer
    • No content!
    • Also, cannot use to obtain real-time cell phone location information
  • Legal Side of Pen / Traps (12-31-05 sunset DOES NOT apply)
    • Obtain ex parte order from federal court with jurisdiction over offense
      • 60 days, plus extensions
    • Feds
      • obtain upon cert from government attorney that “information likely to be obtained is relevant to an ongoing criminal investigation”
    • State
      • authorities obtain (18 USC 3123(a)(2)) upon same cert by law enforcement officer
        • order specifies geographic scope
  • Reasons for Using New Law
    • MD definition of pen register
      • a device that records & decodes electronic or other impulses that identify the numbers dialed or otherwise transmitted on the telephone line to which the device is attached
    • New federal definition
      • a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility
  • Reasons for Using New Law, cont.
    • MD definition of trap & trace
      • device that captures the incoming electronic or other impulses that identify the originating number or an instrument or device from which … transmitted
    • New federal definition
      • device or process that captures the incoming … impulses that identify the originating number or other dialing, routing, addressing and signaling info reasonably likely to identify the source of a wire or electronic communication
  • The Big Picture
  • Real-time Content (2)
    • Real-time monitoring is a critical tool for investigation of sophisticated computer crime
    • For example, assume a drug dealer is making deals by e-mail, and you want to intercept the e-mails before the drug dealer can delete them
    • This is “interception” of “content,” and so you must obtain a wiretap order or a recognized exception to the wiretap statute must apply, 18 U.S.C. § 2510-2521
  • Wiretap Orders
    • Wiretap orders are very burdensome and have many requirements, e.g.,
      • probable cause regarding a felony offense (which may need to be one of a certain type)
      • less intrusive techniques “reasonably appear unlikely to succeed”
      • short time period, minimization, etc.
    • Suppression is a remedy for oral and “wire” communications
    • States can impose additional limits on state and local investigators, or may prohibit
  • Exceptions to the Court Order Requirement 18 U.S.C. § 2511(2)(i) (12-31-05 sunset applies to “trespasser”)
    • Under federal law
      • system providers can intercept communications to protect their rights or property
      • law enforcement can monitor “computer trespassers”
    • Law enforcement can intercept with consent
      • federal = 1 party consent; many states = 2 parties
    • System banner: “all communications may be monitored”
      • may create “implied” consent
  • “Trespasser” Exception Requirements (10-31-05 sunset applies)
    • “Trespasser” accessed without authority & without existing contractual relationship
    • Requirements for monitoring assistance
      • owner/operator of victim computer consents
      • intercept part of lawful investigation
      • reasonable grounds to believe intercepted communications relevant to investigation
      • authority only applies to communication to or from trespasser
  • The Big Picture
  • The Stored Wire & Electronic Communications Act (3)
    • 18 U.S.C. § 2701 et seq., part of ECPA, controls access to data on networked computers
      • transactional / account records
      • stored content (including data and communications)
    • Warning: The rules below are not exhaustive
  • Stored Electronic Communications
    • The statute applies to information stored by services that provide
      • the ability to send or receive wire or electronic communications
        • an electronic communication service or ECS
      • storage or processing services to the public electronically
        • a remote computing service or RCS
    • Thus, telephone companies, ISPs, & corporate computer systems are all covered in some ways by the statute
  • Limitations on Access
    • The Stored Electronic Communications Act limits both
      • voluntary disclosure of wire and electronic communications, and
      • compelled access by the government to stored electronic communications
  • Compelled Production
    • Let’s assume you are seeking to compel production…
    • Governed by 18 U.S.C. § 2703
    • You can obtain contents of electronic communications and transactional data with a warrant
    • Outside a warrant, what authority you need depends upon a number of factors
  • Compelling Production of Unread E-mail
    • § 2703(a): If you are asking for material in “electronic storage” (unread e-mail) from a provider
      • “temporary, intermediate storage ... incidental to transmission”
    • You need a warrant
      • unless the material is >180 days old
    • Warning: Warrants are typically treated like orders in practice (law enforcement agents typically do not conduct the search themselves)
  • Compelling Production of Other Contents
    • Stored files & opened electronic mail
    • Restrictions apply only if the data is held by a provider, and
      • service is “to the public”
      • customer or subscriber information is sought
    • If these apply, need a § 2703(d) order (see later) or subpoena with notice (which can be delayed under § 2705(a) but must be given)
      • can use a warrant without notice
  • Compelling Content - Examples -
    • Unopened e-mail on an ISP or company system
      • need a warrant
    • Opened e-mail or files on an ISP
      • order / subpoena with notice (warrant without notice)
    • Opened e-mail or files at a company
      • no additional protection — subpoena
  • Fine Points of Search Warrants (12-31-05 sunset for national scope)
    • Search warrants allow you to search e-mails & data on a network
      • BUT a search warrant for one person’s e-mail or data may not allow you to search everyone’s e-mail & data
    • Determine a workable plan that a judge can approve
      • especially if you are seizing for search off site
    • Warrant of a federal court with jurisdiction has national scope
  • Voluntary Disclosure of Contents
    • Assume a cooperating service provider that wants to give law enforcement information
    • Governed by 18 U.S.C. § 2702
    • Unlike § 2703
      • only governs services “to the public”
        • does not limit the ability of many private systems to disclose contents
      • covers wire & electronic communications
  • Voluntary Disclosure of Contents - Exceptions -
    • A service provider to the public may disclose contents and/or customer records of a communication in electronic storage
      • with consent of the addressee or customer
      • when necessary for rendition of service or for protection of rights or property of provider
      • contents only: to a law enforcement agency if inadvertently obtained and pertain to the commission of a crime, etc.
      • in cases of emergency
  • Emergency Exception (12-31-05 sunset applies)
    • Provider of service to the public may disclose
      • content if that provider believes immediate danger of death or serious physical injury requires disclosure without delay
      • customer records (not content)
        • to a governmental entity if immediate danger of death or serious physical injury justifies
        • to any person other than government, at will
  • Voluntary Disclosure of Contents - Examples -
    • Company (no service to the public) e-mails (opened or not) or files
      • disclosure generally allowed
    • Unopened e-mail on an ISP
      • disclosure not allowed unless exception
    • Opened e-mail or files on an ISP
      • disclosure not allowed unless exception
  • The Big Picture
  • Compelled Production of Subscriber / Account Data (4) (12-31-05 sunset DOES NOT apply)
    • Can get basic customer or subscriber information from a service provider through a state or federal subpoena
      • name
      • address
      • length of service & types of services
      • telephone number or other subscriber number / identity
      • local & long distance telephone toll billing record
    • Patriot Act enables obtaining with subpoena
      • records of session times & duration
      • identifying numbers including temporary network addresses
      • means of payment including credit card #
    • Notice to the subscriber is not required
  • Subscriber / Account Information
  • Compelled Disclosure of Other Transactional Data
    • Any other “record or other information pertaining to a subscriber or a customer” requires
      • articulable facts order by STATE or federal court
      • “specific and articulable facts showing ... reasonable grounds to believe [the records] are relevant and material … to an ongoing criminal investigation” (18 U.S.C. § 2703(d))
      • can also use a warrant or consent
    • Notice to the subscriber is not required
  • Articulable Facts Orders, Jurisdictional Issues
    • State courts may now issue 2703(d) orders
    • Articulable facts orders issued by federal courts can be served nationwide
  • Outline of Presentation
    • Preparing the Warrant
    • Executing the Warrant
    • Post Search - What to Return
    • Federal Statutes that Govern Electronic Records
    • Voice Mail
    • Evidence located outside the State/US
    • A Scary Case
  • Voice Mail
    • Is stored voice mail protected by the wiretap statute and/or State Statutes?
    • When voice mail is on a cassette tape, likely not entitled to any special protection
    • When voice mail is in electronic form on voice mail system in home, likely not entitled to any special protection, but . . .
    • When voice mail is on a remote system, like Qwest's voice mail (or county's voice mail), then entitled to full protection
  • Voice Mail (cont)
    • Is there a difference between listened-to and not-listened-to messages? No clear case law. Good argument that until listened to, communication is still in transit. Once listened to, it is being stored not as part of the initial transmission but as a convenience to the user.
    • Be careful - law is fluid
  • Outline of Presentation
    • Preparing the Warrant
    • Executing the Warrant
    • Post Search - What to Return
    • Federal Statutes that Govern Electronic Records
    • Voice Mail
    • Evidence located outside the State/US
    • A Scary Case
  • Out of State Providers
    • State Warrant
    • State Subpoena
    • Out-of-State Warrant
    • Interstate Compact to Compel Attendance of Out-of-State Witnesses
    • California Law
    • 2703(d) Order
  • Out of State Providers - A New Proposal
    • DRAFT STATUTE
        • a) Full Faith and Credit - Any production order that is consistent with subsection (b) of this section issued by the court of another State (the issuing State) shall be accorded full faith and credit by the court of another State (the enforcing State) and enforced as if it were the order of the enforcing state.
        • b) Production Order - A production order issued by a State court is consistent with this subsection if –
          • 1) The order is pursuant to the investigation or prosecution of a crime of the issuing state;
          • 2) The order was issued in accordance with the law of the issuing state; and
          • 3) Such court had jurisdiction over the criminal investigation or prosecution under the law of the issuing state.
        • c) "Production Order" means any order, warrant, or subpoena for the production of records.
        • d) "Records" includes those items in whatever form created or stored.
  • Outside The United States
    • No Good Solution for Many Situations
    • See USDOJ Manual on Searching Computers, I.C.7. - International Issues for details
    • I Won’t Put This in Writing, But . . .
  • Outside The United States - an Example: United States v. Vassili Gorshkov
  • Russian Hackers - 1
    • January 2000 - Alexey Ivanov contacts Company “A”
    • I’ve obtained root passwords.
    • Unless you pay me your data could be downloaded and system destroyed
  • Russian Hackers - 2
    • Ivanov does the same thing to Goodnews Internet Services in Cincinnati.
    • January and February 2000 - Company “B”, a California e-commerce and credit card processing company, receives similar contact from Ivanov and another person
  • Russian Hackers - 3
    • July 2000 - Ivanov contacts a financial clearing house in the D.C. area and makes the same pitch.
    • The clearing house had, in fact, had data from 38,000 credit card accounts copied in May
    • Online auction escrow site - customers contacted and directed to bogus site - told to enter cc numbers.
  • Russian Hackers - 4
    • August 2000 - California auto retailer given same pitch. $10,000-20,000 demanded.
    • California online credit card processing company told “pay us $100,000 or we release your data”
    • October 2000 - Online retailer of DVDs told “pay us $10,000 to fix your security problems.”
  • Russian Hackers - 5
    • Undercover FBI contacted Ivanov in June 2000. Inquires about security consulting. Ivanov says he wants to involve his partner, Vassili Gorshkov.
    • (FBI subsequently identifies voice of person claiming to be Ivanov as that of Gorshkov.)
  • Russian Hackers - 6
    • At Ivanov and Gorshkov’s suggestion, FBI (using pseudonym “Invita”) invites them to hack into Invita computer in Seattle.
    • Hack is successful.
    • At Ivanov and Gorshkov’s suggestion, Invita invites them to Seattle to demonstrate their hacking skills in person.
  • Russian Hackers - 7
    • November 10, 2000 - Gorshkov and Ivanov come to Invita’s offices.
    • Gorshkov says they “may have stolen” credit card information but refuses to say more while in U.S.
    • Gorshkov says they hacked into many computers but only got paid by 1 or 2. Spend most of their time “negotiating.”
  • Russian Hackers - 8
    • Ivanov and Gorshkov given Invita computers to demonstrate their skill.
    • Keyboard monitoring program captures all keystrokes.
    • Gorshkov, while undercover agents linger nearby, types in login and password to his computer in Russia.
    • Captured by monitoring program.
  • Russian Hackers - 9
    • Gorshkov obtains hacking tools from Russia, hacks Invita’s network.
    • Gorshkov and Ivanov arrested.
    • Per Vienna Convention requirements, Russian Consulate notified.
  • Russian Hackers - 10
    • FBI then logs into Gorshkov’s computer in Russia and copies approximately 1 GB of data.
    • FBI/U.S. Attorney then obtain warrant and search copied data.
  • Anything Illegal? Evidence Admissible?
  • Court Ruling - 1
    • Did FBI violate Fourth Amendment by obtaining username and password?
  • Court Ruling - 2
    • Answer: NO
      • No expectation of privacy in private computer network belonging to U.S. company
      • Defendant knew sysadmin could and likely would monitor his activity
      • Agents told him they wanted to see what he was capable of doing.
      • Entered password when agent present.
  • Court Ruling - 3
    • Did the Government violate the Fourth Amendment by accessing Russian computers and downloading data?
  • Court Ruling - 4
    • Answer: NO
      • The Fourth Amendment does not apply to extraterritorial access to computers in Russia.
      • Further, the act of copying the data was not a seizure because it didn’t interfere with any possessory interest in the data.
    • QUESTION: Was the access made solely in Russia?
  • Court Ruling - 5
    • Court held Fourth Amendment didn’t apply
    • Even if it did apply, exigent circumstances supported seizure until warrant could be obtained.
    • Coughenour said no court has ever held a search illegal where there was PC for the search, the search was conducted to preserve evidence and a valid warrant was ultimately obtained.
  • Outline of Presentation
    • Preparing the Warrant
    • Executing the Warrant
    • Post Search - What to Return
    • Federal Statutes that Govern Electronic Records
    • Voice Mail
    • Evidence located outside the US
    • A Scary Case
  • People of Colorado v. Michael John Gall
    • Colorado Supreme Court - 3/5/2001
    • Defendant threatened co-workers, spoke of bombs and weapons
    • Searched apartment for “written or printed material” relating to firearms, explosives, intent to do harm to person or building
    • Seized two desktop, five laptop computers
    • Got separate warrant to search computers
  • People of Colorado v. Michael John Gall (cont)
    • Trial court suppressed computer evidence, in part because it was unable to conclude that a computer is analogous to a writing or other type of document (which was authorized to be seized by the search)
  • People of Colorado v. Michael John Gall (cont)
    • Supreme Court reversed suppression order
      • cited numerous cases the DOJ guidelines refer to
      • analyzed computers as containers
      • specifically approved removing computers for later searching offsite
  • People of Colorado v. Michael John Gall (cont)
    • Dissent - “Computers are far more complex and versatile than mere writings and their purpose is significantly different from just a container storing writings . . . When the objects to be seized are intermingled with other objects that are not the subject of a search, special measures are required to protect the unrelated material.”
  • People of Colorado v. Michael John Gall (cont)
    • Dissent
      • Computers, by their very nature, raise special privacy concerns.
      • Because computers process personal information and effects, they require heightened protection under the Fourth Amendment.
  • People of Colorado v. Michael John Gall (cont)
    • Dissent - Off site search
      • Case law does not support seizing computers for off site search where warrant does not specifically include computers
      • If computers could be seized as writings (for off site search) why did they think they needed a second warrant?
  • People of Colorado v. Michael John Gall (cont)
    • Dissent - Intermingled Documents
      • Particularity requirement requires that warrant must include measures to direct the subsequent search of a computer
      • Subsequent search should be designed to limit privacy intrusion
  • People of Colorado v. Michael John Gall (cont)
    • My Assessment/Recommendations
      • If you know there’s a computer, put it in the warrant
      • Even if you don’t know a computer is there, draft the warrant so it includes computer records
      • Have a search plan, even if not included in warrant - it may save your bacon!
  • You Don’t Want to be the Prosecutor when . . .
  • Resources
    • Computer Crime and Intellectual Property Section of U.S. Department of Justice (202) 514-1026 www.cybercrime.gov
    • National Association of Attorneys General (NAAG) 202.326.6000 www.naag.org
    • National District Attorneys Association (NDAA) & American Prosecutors Research Institute (APRI) (703) 549-9222 – NDAA www.ndaa-apri.org (703) 519-4253 – APRI www.ndaa-apri.org
  • Resources
    • NW3C www.nw3c.org
    • NCTP www.nctp.org
    • Operations Center www.cybercrime.org (877) 628-7674
  • QUESTIONS? Call Us
    • Abigail Abraham
    • [email_address]
    • (713) 869-2728
    • Ivan Orton
    • [email_address]
    • (206) 296-9082