Article Excerpt

I. INTRODUCTION
"What happened to the Fourth Amendment? Was it repealed somehow?" (1) Those are the chilling words of U.S. District Judge James Mahan, echoed by Ninth Circuit Judge Sidney Thomas in his dissent in United States v. Comprehensive Drug Testing, Inc. ("CDT"). (2) The questions are in reference to federal agents' seizure and subsequent search of confidential medical records in relation to their investigation of the illegal distribution of steroids by the Bay Area Laboratory Cooperative ("BALCO"). (3) The agents had issued subpoenas to and then executed search warrants on two independent testing labs to obtain the steroid testing records of ten Major League Baseball ("MLB") players who had connections to their investigation of BALCO. (4) The Ninth Circuit upheld the agents' seizure and subsequent search of computer files, which contained steroid drug testing results not only for the ten targets of the federal investigation, but countless other athletes inside and outside of baseball. (5)
Because of its connection to steroids and the government's investigation into BALCO and San Francisco Giants' slugger Barry Bonds, the decision received nationwide attention. Bonds's name is inextricably tied to the BALCO investigation, having been linked to BALCO and steroid use in a recent New York Times bestseller. (6) Bonds was recently indicted on perjury and obstruction of justice charges that stemmed from allegedly false statements he made to the federal grand jury investigating illegal steroid distribution at BALCO. (7) It has even been speculated that one of the motivations behind the government's initial investigation of BALCO was a personal vendetta that the government's lead investigator, Jeff Novitsky, had against Bonds. (8)
Apart from its notoriety, the CDT decision is important in several respects. First, it attempts to define the parameters and limitations involved in computer searches, particularly with respect to the seizure and subsequent search of intermingled files. (9) The CDT court held that government agents can seize entire collections of computer data for off-site review where files within the scope of the search warrant are intermingled with irrelevant data on the computer's hard drive. (10) It also permitted the government to browse the contents of computer files to determine if they are within the scope of the warrant, without having to limit such a search to key words or file type. (11) This part of the ruling recognizes the inherent need for flexibility in conducting computer searches.
Second, the decision is also notable for what it does not do--give adequate protection to the privacy concerns of innocent third parties whose records are caught up in the government's dragnet. The case raises a fascinating question: What privacy concerns are implicated when the government obtains confidential medical records from a disinterested third party and what steps have to be taken to ensure that such concerns are not violated? The majority opinion seems to give short shrift to privacy rights, giving the government virtual carte blanche to search intermingled data that it seizes. This power is subject to post-seizure review by a magistrate, but this review is only after a proper objection has been filed by an aggrieved party. (12) In other words, the government is free to search the seized data until such objection is made. Thus, the ruling affords somewhat uncertain status to the prospect of effective judicial oversight, as there is no mechanism for providing notice to aggrieved third parties that their heretofore confidential records have been seized by the government. (13)
In addition, given the myriad issues present in the case, the decision may serve as the perfect vehicle for the United States Supreme Court (should it be given the opportunity to review the case) to lay out a consistent, uniform set of guidelines for the government to follow in conducting computer searches--something that is sorely lacking in the current jurisprudence on this issue. (14) As will be discussed in Part II of this Article, the rules for conducting computer searches vary dramatically from circuit to circuit. If the decision is reversed, at least in part, then in the ultimate irony of ironies, the Supreme Court will have chastised the Ninth Circuit for having been too conservative when it comes to protecting the liberties and freedoms of individuals.
If nothing else, the CDT decision highlights the need for courts to adopt a more uniform approach to computer searches. The case pitted the two extremes of the current debate against one another. The majority took the position that computer searches require nothing more than an extension of the traditional rules governing searches of documentary evidence to the digital realm. (15) Conversely, Judge Thomas argued in a boisterous dissent that computer searches require something more. He advocated for magistrate review of intermingled computer files before government investigators could inspect them, and argued that strict limits be placed on the government's ability to subsequently search that data. (16)
This Article attempts to clarify the existing law on computer searches and lays out a framework for how such searches should be approached in the future. Part II of this Article examines the current state of the law regarding computer searches and explores the two contrasting approaches to the problem. Next, it addresses what protections are currently available with respect to maintaining the privacy and confidentiality of medical and legal records which are seized in an investigation. It also examines how, and under what circumstances, an aggrieved party may seek return of seized property. Part III provides an in-depth analysis of and commentary on the CDT decision. Part IV discusses how courts view the plain view doctrine's operation in the digital search realm and addresses whether the doctrine should apply at all in this context. Finally, in Part V, this Article provides some recommendations as to how current search and seizure principles should be applied to govern computer searches in the future.
II. DISCUSSION OF APPLICABLE FOURTH AMENDMENT PROVISIONS TO COMPUTER SEARCHES AND SEIZURES
The current state of the law surrounding computer searches is a bit like parenting. There are lots of ideas as to how it should occur but no clear agreement as to the right answer. Some courts have attempted to analogize computers to closed containers or file cabinets in an attempt to meld computer searches into existing Fourth Amendment jurisprudence. (17) Other courts have held that computers require a "special approach" to the question and have imposed new restrictions on such searches which are not present in areas outside this context. (18) Such legal gymnastics are unwarranted. To borrow a phrase from Todd Bertuzzi, a computer "is what it is." (19) Rather than simply being akin to a container or file cabinet, a computer is much more. It is anything and everything a user wants it to be--a file cabinet containing thousands of personal files or business records, a personal accountant, a photo album, a music or movie player, a virtual desk complete with calendar and Rolodex, a research librarian, or a video game machine. In effect, the search of a computer is in some ways no different today than a search of a house or an office desk used to be; it just can be accomplished in one-stop shopping.
Most computer searches occur using a standard protocol. First, the computer is examined to see if it is in proper working order or has any physical damage. (20) Next, the hard drive is removed, inspected, and connected to a forensic computer for examination. (21) A write-blocking device is installed between the suspect drive and the forensic computer to prevent the examiner from accidentally writing information onto the suspect drive. (22) A bitstream copy of the hard drive is then made, including blank space. (23) The copy of the hard drive information is then analyzed by using software such as EnCase, which allows investigators to examine the contents of each file. (24)
A. WARRANT SPECIFICITY: PARTICULARITY AND BREADTH
In order to understand the rules governing computer searches, it is first necessary to discuss the basic principles governing execution of search warrants generally. To be reasonable under the Fourth Amendment, a warrant must be specific. (25) However, a warrant need only be specific enough to "permit the executing officer to exercise reasonable, rational and informed discretion and judgment in selecting what should be seized." (26) "Specificity has two aspects: particularity and breadth." (27)
First, a warrant is said to be sufficiently particular if it sets forth "general classifications of the items to be seized" which would enable the executing officer to "ascertain and identify with reasonable certainty" the items that he is authorized to seize. (28) Depending upon the complexity of the crimes under investigation, the court's focus should be on whether the warrant is as particular as reasonably could be expected under the circumstances. (29) Given that the search of a hard drive or other storage media is inherently complex, some courts have found warrants to search computers meet the particularity requirement even though they may only generally describe the computer or storage media to be searched. (30) As will be further explored below, this line of decisions recognizes that it is often difficult for officers to precisely pinpoint the location of the desired evidence when it is in digital form. This is because such evidence may be contained in files on the hard drive of the computer or on various storage media such as CD-ROMs or jump drives. It may even be hidden from view entirely by encryption or other security methods. (31) Other courts have followed a different approach, instead requiring that warrants for computer searches be limited more narrowly to specifically defined files or media and to specific types of material and evidence. (32)
Second, breadth is defined as the "requirement that there be probable cause to seize the particular thing named in the warrant." (33) A warrant is thus overbroad if it includes items for which there is no probable cause to search. (34) In cases involving complex investigations, typified by the need to assemble a "paper puzzle," courts have been more tolerant of broad warrant provisions. (35) Where an item of interest is contained in a large collection of files or documents, all items in the set may be inspected during a search, provided that "specific guidelines for identifying the documents sought are provided in the search warrant." (36)
B. THE CAREY/WINICK DOCTRINE
Because of a computer's massive storage capacity, some courts have been loath to authorize broad searches which allow agents seemingly unfettered discretion in deciding what files to seize and how they should be searched. (37) The Tenth Circuit has been the most ardent proponent of this "special approach" to computer searches. The court first outlined this doctrine in United States v. Carey. (38) There, government agents seized two personal computers while conducting a search for evidence of drug possession and drug transactions. (39) After obtaining a second warrant to search the computer files, a detective and a computer technician viewed the directories on the hard drives and then downloaded and printed them. (40) The detective proceeded to use key word searches of text files, which did not produce any evidence related to drug use or drug transactions but did disclose many files with sexually suggestive titles and a .jpg extension. (41) The detective did not know what the JPEG files were, but testified that the image files could have contained evidence relating to the drug charges. (42)
Upon opening the first JPG file, the detective discovered what he believed to be child pornography. (43) He then downloaded 244 more image files and continued to open and view a sampling of them. (44) The Tenth Circuit held that the detective's search of all but the first image file exceeded the scope of the search warrant. (45) The court stated that the file cabinet analogy may be "inadequate" in the computer context and noted that a "special approach" is needed instead. (46) It required that the warrant demonstrate that such mislabeling is anticipated before such a general search of the hard drive would be permitted:
While the scenario is likely, it is not representative of the facts of this case. This is not a case in which ambiguously labeled files were contained in the hard drive directory. It is not a case in which the officers had to open each file drawer before discovering its contents. Even if we employ the file cabinet theory, the testimony of Detective Lewis makes the analogy inapposite because he stated he knew, or at least had probable cause to know, each drawer was properly labeled and its contents were clearly described in the label. (47)
The court also noted that because the computers had been removed from the home, there were no "exigent circumstances" justifying a general rummaging through the files on the hard drive. (48) The court found that investigators can generally employ "several methods" such as key word searches or directory or file titles to avoid searching file types not identified in the warrant. (49) Thus, the court criticized the officers' failure to use the information gained through the key word search (no evidence of drug transactions) to limit their search appropriately. (50)
The court's approach in Carey has at its genesis an article written by Raphael Winick in 1994. (51) Winick theorized that because computers can store "massive quantities" of information, they are fundamentally different from closed containers which frame much of the traditional Fourth Amendment analysis. (52) Therefore, according to Winick, a "different analysis" under the Fourth Amendment is mandated. (53) This approach contains two steps. The first requires that officers apply for permission to remove a computer and storage media from the premises. (54) If that permission is granted, the officers must then obtain a second warrant, specifying exactly what types of files are to be searched and the precise methods which will be used to search those files. (55)
The first prong of Winick's test is essentially an adoption of the intermingled document doctrine, first espoused in United States v. Tamura. (56) In Tamura, the court objected to the "wholesale seizure" of entire filing cabinets of records without any efforts to limit the seizure of unrelated material. (57) The Tamura court suggested that, where it was necessary to seize intermingled documents, the documents should be "sealed and held pending approval by a magistrate of a further search." (58) Winick proposed a similar procedure for computer searches:
This rule holds that where officers come across relevant documents so intermingled with irrelevant documents that they cannot feasibly be sorted at the site, the officers may seal or hold the documents pending approval by a magistrate of the conditions and limitations on a further search through the documents. If the officers know prior to the search that transporting large quantities of documents or hardware is likely, they can apply to the magistrate issuing the warrant for permission to remove such material; permission should be granted only when on-site sorting of relevant and irrelevant material is infeasible and no other practical alternative exists. (59)
If removal of computer equipment and media is warranted, Winick believed officers should not be allowed to conduct a full review of the files contained on the storage media based simply on a "vague allegation" that such review of all files was necessary in all cases. (60) Instead, he recommended that officers be forced to use such methods as keyword searches to identify and read through only those files which "there is reason to believe contain relevant information." (61)
Apart from the Tenth Circuit, only a handful of courts have adopted Winick's two-pronged approach. (62) In In re the Search of 3817 W. West End, a magistrate judge for the Northern District of Illinois approved a warrant to seize computers but refused to permit the government to search the computer files until it provided a specific search protocol. (63) The court held that a generalized search of the computer was inappropriate because of the "substantial likelihood" that it contained unrelated personal documents intermingled with those related to tax fraud. (64) The court relied on the fact that computer searches could be limited by key words or to text or graphics files. While noting that these tools are not the "exclusive means" for conducting computer searches, the court found that their existence "demonstrates the ability of the government to be more targeted in its review of computer information than it can be when reviewing hard copy documents in a file cabinet." (65)
C. A NEW "OLD" APPROACH TO COMPUTER SEARCHES
Winick's approach has come under increasing fire. Criminals have begun using more sophisticated methods of concealing files and data which can defeat the use of simple key word searches. For example, file types or extensions can be changed to hide the true identity or content of the file. (66) Incriminating files may also be deleted or encrypted. (67) One commentator, David Ziff, suggests that the better approach to computer searches is to "import the same rules and standards used for searches of physical records or documents." (68) Ziff argues that any type of file, regardless of whether it is in a small stack of papers or in a computer containing thousands of files, should receive the same level of protection. "If courts have approved of the protection given to individual documents in the stack of twenty, there is no reason to apply a different test simply because the stack has grown." (69)
Another commentator, Orin S. Kerr, has recently written a series of articles advocating that the Carey/Winick approach be rejected in favor of a more fluid approach which accommodates the interests of both parties. (70) He notes that computer searches conducted in the virtual world are inherently different from those conducted in the traditional physical sense because "digital evidence searches generally occur at both a 'logical' or 'virtual' level and a 'physical' level." (71) According to Kerr, this "distinction between physical searches and logical searches is fundamental in computer forensics." (72) He explains the difference between logical and physical searches as follows:
Consider a search for a picture file believed to be evidence of a crime. An examiner might begin by conducting a logical search of the hard drive for files with extensions known to be used for image files, such as ".jpg" .... This procedure sounds easy, but ordinarily does not suffice. It is easy to change the extension of a file. To hide a picture, a user might take a file saved with a ".jpg" extension and resave it with an extension common to a different kind of file, such as ".doc" or ".wpd." A search for picture files based on the logical file extensions will no longer locate the file. Instead, the analyst will have to conduct a search at a physical instead of a logical level. Software can locate image files at a physical level by searching for file headers characteristic of known types of picture files.... The file header remains unchanged regardless of the extension placed on the file, allowing a physical search to uncover picture files that a logical search would not locate. (73)
Consequently, Kerr notes officers are often forced to examine the "entire digital haystack to find the needle." (74)
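The distinction Kerr draws between a logical and a physical search can be shown in a short added example (not part of the Article or of Kerr's work): it compares an extension-based search with a file-header search over a handful of constructed files, and goes slightly beyond the quoted passage by also locating image headers inside a raw byte image, where deleted files leave no name at all. All file names and sample bytes are constructed for illustration.

```python
"""Logical (extension) vs. physical (file-header) search on constructed samples."""
import os
import tempfile

# Well-known leading signatures ("magic bytes") for a few file types.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc container
]
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
IMAGE_TYPES = {"jpeg", "png", "gif"}

# Constructed sample: the first bytes of a JPEG/JFIF file plus padding.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32


def sniff_type(path, nbytes=16):
    """Return the type implied by the file's leading bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(nbytes)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def _walk(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full


def logical_search(root):
    """Files whose *name* claims to be an image."""
    return sorted(rel for rel, _ in _walk(root)
                  if os.path.splitext(rel)[1].lower() in IMAGE_EXTENSIONS)


def physical_search(root):
    """Files whose *header* is that of an image, whatever the name says."""
    return sorted(rel for rel, full in _walk(root)
                  if sniff_type(full) in IMAGE_TYPES)


def compare(root):
    logical, physical = set(logical_search(root)), set(physical_search(root))
    return {"missed_by_logical": sorted(physical - logical),
            "extension_only": sorted(logical - physical)}


def header_offsets(blob, magic=b"\xff\xd8\xff"):
    """Offsets of a signature in raw bytes (e.g. a bitstream copy's blank space)."""
    offsets, pos = [], blob.find(magic)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(magic, pos + 1)
    return offsets


def build_sample_tree(root):
    """Write the constructed sample files used by the demonstration."""
    samples = {
        "holiday.jpg": SAMPLE_JPEG,
        "report.doc": SAMPLE_JPEG,              # picture resaved as ".doc"
        "letter.doc": SIGNATURES[4][0] + b"\x00" * 32,
        "logo.jpg": b"text with an image name\n",
        "notes.txt": b"plain text\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("logical :", logical_search(tmp))
        print("physical:", physical_search(tmp))
        print("diff    :", compare(tmp))
```

The renamed picture is found only by the header search, while the extension search also returns a file that is not an image at all, which is why neither result set alone settles what a file contains.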
Because files can be mislabeled, hidden, or deleted, a forensic investigator can never be sure ahead of time which type of search may be required. Due to forensic examiners' inability to forecast accurately what course a digital search will take, Kerr criticizes the logic underlying the Carey/Winick approach as "deeply flawed." (75) Instead, he proposes that forensic examiners, not magistrates, are the persons who are best able to dictate the search parameters:
It is difficult to know what the particular search requires and what tools are best suited to find the evidence without first taking a look at the files on the hard drive. In a sense, the forensics process is a bit like surgery: the doctor may not know how best to proceed until he opens up the patient and takes a look. The ability to target information described in a warrant is highly contingent on a number of factors that are difficult or even impossible to predict ex ante. In light of these difficulties, magistrate judges are poorly equipped to evaluate whether a particular search protocol is the fastest and most targeted way of locating evidence stored on a hard drive. (76)
Another criticism of the Carey/Winick approach is that it does not take into account the need for an officer to exercise his or her judgment in determining the relevance of a file's contents. (77) Thomas Clancy points out that search protocols are context insensitive, and as a result, they cannot always predict a document's incriminatory character or relevance to an investigation. (78) An investigator often must review the contents of a file and compare it to some known standard before forming an opinion as to its usefulness. For example, in the context of a Medicare fraud investigation, a key word search could be used to pull up all files pertaining to a particular diagnosis code or treatment type. However, such a search may cast too wide a net. The officer would still have to examine the contents of each file to determine the authenticity of the injury or reasonableness of the fee charged for the service provided.
Ziff proposes that the discretion of the officer should be checked, not by search protocols, but instead by vigilantly defining and monitoring the scope of the warrant:
[T]he ability to examine documents does not give searching officers the authority to read the contents of any given file. Rather, the officers' authority extends only so far as necessary to determine if a given document is within the scope of the warrant. Once the examination reaches the point where it is clear that the document is outside the scope of the warrant, the officer no longer has authority under the warrant to continue reading the document. (79)
Clancy also rejects the notion that there should be special rules for electronic evidence containers. Otherwise, in his view, filing cabinets, diaries, books, floppy drives, hard drives, paper bags, and other storage devices would "all require different rules." (80)
In a recent line of cases, courts outside the Tenth Circuit have generally declined to follow the Carey/Winick "special approach." (81) These courts have recognized the difficulties inherent in conducting digital searches and thus have been reluctant to tie the hands of investigators by making them comply with rigid, pre-approved search protocols. Instead, the courts have focused on the reasonableness of the government's actions under the circumstances.
For example, in United States v. Hill, (82) the Ninth Circuit adopted the first prong of the Winick approach (the intermingled document doctrine) to limit the seizure of computer hardware and media, but it refused to adopt the second part to correspondingly limit agents' search of the data. In Hill, a computer technician tipped off the police to what she believed to be child pornography on the defendant's computer. (83) The officers sought and obtained a warrant for the computer and all storage media, but the defendant picked up his computer before the warrant could be executed. (84) The police then executed a second warrant on defendant's home and seized storage media from his bedroom. (85) A subsequent search of the media revealed images of child pornography. (86)
The defendant argued that the search was overbroad because it (1) allowed the seizure of all computer media without requiring inspection at the scene, and (2) it placed no limits or controls on the search methodology the police used in analyzing the seized media. (87) Judge Kozinski, sitting by designation, rejected defendant's contentions. First, he found that inspection and sorting of the media on site would be impractical because it would: (1) pose a significant burden on smaller agencies to continuously update their technology, (2) pose a serious risk of damaging or compromising the integrity of evidence at the scene, and (3) take an inordinately long time to accomplish. (88) Thus, the court concluded that the police "were not required to examine defendant's electronic storage media at the scene" for the presence of child pornography, but instead "were entitled to seize all such media and take them to the police station for examination by an expert." (89)
Judge Kozinski found that Tamura did not require a different result. He concluded that, even in the absence of a specific showing that computer files were difficult to sort on-site, the procedures outlined in Tamura for seizure of intermingled evidence had been complied with:
The warrant here authorized precisely such a seizure of intermingled materials that are difficult and time-consuming to separate on-site. That the officer seeking the warrant did not make...