Another Visit to the Brave New World of Computer Searches
- A recent case illustrates the potential for challenging computer searches not just through facial challenges to the warrant but in the way the search was conducted.
- Agents conducting a computer search can’t use search techniques that are aimed at items that aren’t in the categories the search warrant is for.
- Find out about standard procedures for conducting a computer search that may be inconsistent with this limitation.
NOW THE BLOG:
In a series of three posts last summer, I wrote about the brave new world of computer searches. (See “The Brave New World of Computer Searches” and “Getting Braver in a Brave New World: Computer Searches Part 2” in the July 2012 link at the right and “Getting Even Braver in a Brave New World: Computer Searches Part 3” in the August 2012 link.) One of the things I talked about in that series of posts was the issue of search protocols and the potential for arguments that a search was overbroad if the agents or experts conducting the search didn’t use a search protocol that was reasonably aimed at what the warrant authorized them to search for.
A good example of a successful argument in this area came to my attention recently. It’s a district court opinion in the case ofUnited States v. Schlingloff, No. 11-40073 (C.D. Ill. Oct. 24, 2012), reported at both 2012 WL 5378148 and 2012 U.S. Dist. Lexis 157272 and soon to be reported in the Federal Supplement reporter. The warrant in Schlingloff authorized a search of the computer and various other computer media devices which were seized (and the residence in which they were found) for evidence of passport fraud and harboring an alien. The computer and other devices were examined by a forensic expert using a standard forensic examination program known as Forensic Tool Kit, or FTK.
The search protocol issue arose because it turns out this FTK program has an option known as a “Known File Filter,” or KFF, which enables the program to flag and alert the examiner to certain contraband files, including child pornography, that have been previously identified by law enforcement. This filter was left on during the examination in this case – as part of the examiner’s “standard operating procedure” – and the filter flagged two child pornography video files. This led to a second warrant to search for child pornography more generally, the discovery of additional child pornography files, and a subsequent prosecution for possession of child pornography.
An evidentiary hearing – and further pushing of the issue in a motion for reconsideration after initial denial of the motion to suppress – revealed that an expert conducting a search with FTK can easily disable, or simply not affirmatively enable, the KFF alerts, either generally or for specific categories of files such as child pornography. This led to the argument that using FTK to search the computer with the KFF alerts fully enabled was overbroad given the limited focus of the warrant. And the district court eventually agreed – after a motion to reconsider made clear how easily the KFF alerts could be generally, or even selectively, disabled. The court explained:
[I]n light of the admitted ability to confine the FTK search by not enabling the KFF filter for child pornography alerts, the Court finds that [the forensic examiner] took an affirmative additional step to enable the KFF alerts that would identify known child pornography files as part of his search for evidence of passport fraud or identity theft. In a case where the professed subject matter sought in the search bore no resemblance to child pornography, it is difficult to construe this as anything other than a deliberate expansion of the scope of the warrant, or at the very least, an affirmative step that effectively did so.
2012 WL 5378148, at *4; 2012 U.S. Dist. LEXIS 157272, at *9-10.
The court then went on to acknowledge that there would be further development of the issues in this area in the future, citing among other cases the Hill case discussed in my July 24, 2012 and July 31, 2012 blogs.
Given the ever increasing state of technology and consequently, technology related crimes, the Court finds that this issue is not going to go away, and in fact, will likely become more prevalent and finely contoured. Digital images or files can be located nearly anywhere on a computer and “may be manipulated to hide their true contents.” [United States v. Mann,] 592 F.3d [779,] 782-83 [(7th Cir. 2010)], citing United States v. Hill, 459 F.3d 966, 978 (9th Cir. 2006). Accordingly, more comprehensive and systematic searches have been found to be necessary. See United States v. Grimmett, 439 F.3d 1263, 1270 (10th Cir. 1006 [sic]) (finding that a computer search may be as extensive as reasonably required to locate the items described in the warrant). [Note: This Grimmett opinion describes how the agent did limit the search to files with extensions that indicated images, which is one example of how a protocol can limit a search. See id. at 1270.] Nevertheless, it is also important to note that there is normally no fear of degradation or dissipation of evidence or a rapidly evolving situation requiring the need to “shoot from the hip” in examining seized computer files without a proper warrant. United States v. Seiver, 692 F.3d 774, 777 (7th Cir. 2012). . . .
The promise of the Fourth Amendment to be free from unreasonable searches and seizures contemplates a warrant that sets forth with specificity the area to be searched and the subject matter of the search. So if a warrant authorizes an officer to look in all files on a computer, should the courts care how it is done? This Court believes so.
2012 WL 5378148, at *4-5; 2012 U.S. Dist. LEXIS 157272, at *10-11.
The court also rejected plain view and inevitable discovery arguments based on the evidence that had been presented about the technology. As to plain view, it concluded that “[t]he suggestion that the agent inadvertently came across a file when that same agent specifically set up the situation to find and highlight this type of file by ‘clicking’ to enable the KFF alert is untenable.” 2012 WL 5378148, at *5; 2012 U.S. Dist. LEXIS 157272, at *11-12. As to inevitable discovery, the court explained: “To some degree, this argument [that the files could and would have been found through a manual search of every file] misses the point, as the use of the filter did not require [the examiner] to look at all; the filter locates the files and brings them to the attention of the officer. Discovery is specifically targeted rather than the result of inadvertence.” 2012 WL 5378148, at *5; 2012 U.S. Dist. LEXIS 157272, at *12-13. The court also noted that complete manual searches were theoretically possible, but impractical and would not be conducted in the typical case.
This case highlights the importance of inquiring into not just the facial validity of the warrant and whether its express terms were complied with, but also exactly how the search was conducted. I bet there’s a lot of “standard operating procedures” – which the agent testified the procedure here was – that raise Fourth Amendment questions.