US Department Of Justice Computer And Electronic Search Manual

Searching
and Seizing Computers
and Obtaining Electronic Evidence
in Criminal Investigations
Computer Crime and Intellectual Property Section
Criminal Division
United States Department of Justice
January 2001
PREFACE
This publication supersedes Federal Guidelines for Searching and Seizing Computers (1994), as
well as the Guidelines' 1997 and 1999 Supplements. Although the interagency group that produced the
Guidelines achieved its goal of offering systematic guidance to all federal agents and attorneys in the
law of computer search and seizure, intervening changes in law and the dramatic expansion of the
Internet since 1994 have fostered the need for fresh guidance. This manual is designed to combine an
updated version of the Guidelines' advice on searching and seizing computers with guidance on the
statutes that govern obtaining electronic evidence in cases involving computer networks and the
Internet. Of course, this manual is intended to offer assistance, not authority. Its analysis and
conclusions reflect current thinking on difficult areas of law, and do not represent the official position of
the Department of Justice or any other agency. It has no regulatory effect, and confers no rights or
remedies.
This publication was written by Orin S. Kerr of the Computer Crime and Intellectual Property
Section of the U.S. Department of Justice, under the supervision of Martha Stansell-Gamm, Chief of the
Computer Crime and Intellectual Property Section. The author gratefully acknowledges the assistance
of Mark Eckenwiler, Scott Charney, David Green, Jennifer Martin, Chris Painter, the members of the
1999 CTC Working Group (especially Stephen Heymann), Jeff Singdahlsen, Mark Pollitt, Thos.
Gregory Motta, Joanne Pasquerelli, and summer interns Dan Jackson and Avi Ionescu. Electronic
copies of this document are available from the Computer Crime and Intellectual Property Section's web
site, www.cybercrime.gov. Inquiries, comments, and corrections should be directed to Orin S. Kerr at
(202) 514-1026. Requests for paper copies or written correspondence should be sent to the following
address:
Computer Crime and
Intellectual Property Section
(CCIPS)
Page 1 of 139
CCIPSfinal
01/12/2001
http://www.cybercrime.gov/searchmanual.htm
Attn: Search and Seizure Manual
Computer Crime and
Intellectual Property Section
United States Department of Justice
P.O. Box 887
Ben Franklin Station
Washington, DC 20044-0887
TABLE OF CONTENTS
INTRODUCTION
I. SEARCHING AND SEIZING COMPUTERS WITHOUT A WARRANT
A. Introduction
B. The Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers
1. General Principles
2. Reasonable Expectation of Privacy in Computers as Storage Devices
3. Reasonable Expectation of Privacy and Third-Party Possession
4. Private Searches
C. Exceptions to the Warrant Requirement in Cases Involving Computers
1. Consent
a) Scope of Consent
b) Third-Party Consent
c) Implied Consent
2. Exigent Circumstances
3. Plain View
4. Search Incident to a Lawful Arrest
5. Inventory Searches
6. Border Searches
7. International Issues
D. Special Case: Workplace Searches
1. Private Sector Workplace Searches
a) Reasonable Expectation of Privacy in Private-Sector Workplaces
b) Consent in Private-Sector Workplaces
c) Employer Searches in Private-Sector Workplaces
2. Public-Sector Workplace Searches
a) Reasonable Expectation of Privacy in Public Workplaces
b) "Reasonable" Workplace Searches Under O'Connor v. Ortega
c) Consent in Public-Sector Workplaces
II. SEARCHING AND SEIZING COMPUTERS WITH A WARRANT
A. Introduction
B. Planning the Search
1. Basic Strategies for Executing Computer Searches
a) When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
b) When Hardware is Merely a Storage Device for Evidence of Crime
2. The Privacy Protection Act
a) A Brief History of the Privacy Protection Act
b) The Terms of the Privacy Protection Act
c) Application of the PPA to Computer Searches and Seizures
3. Civil Liability Under the Electronic Communications Privacy Act
4. Considering the Need for Multiple Warrants in Network Searches
5. No-Knock Warrants
6. Sneak-and-Peek Warrants
7. Privileged Documents
a) The Attorney General's Regulations Relating to Searches of Disinterested Lawyers, Physicians, and Clergymen
b) Strategies for Reviewing Privileged Computer Files
C. Drafting the Warrant and Affidavit
Step 1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant
Step 2: Establish Probable Cause in the Affidavit
Step 3: In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy (Such as the Need to Conduct an Off-site Search) as Well as the Practical and Legal Considerations That Will Govern the Execution of the Search
D. Post-Seizure Issues
1. Searching Computers Already in Law Enforcement Custody
2. The Permissible Time Period For Examining Seized Computers
3. Rule 41(e) Motions for Return of Property
III. THE ELECTRONIC COMMUNICATIONS PRIVACY ACT
A. Introduction
B. Providers of Electronic Communication Service vs. Remote Computing Service
Electronic communication service
Electronic storage
Remote computing service
C. Classifying Types of Information Held by Service Providers
1. Basic Subscriber Information Listed in 18 U.S.C. § 2703(c)(1)(C)
2. Records or Other Information Pertaining to a Customer or Subscriber
3. Contents
D. Compelled Disclosure Under ECPA
1. Subpoena
2. Subpoena with Prior Notice to the Subscriber or Customer
3. Section 2703(d) Order
4. § 2703(d) Order with Prior Notice to the Subscriber or Customer
5. Search Warrant
E. Voluntary Disclosure
1. Contents
2. Records Other than Contents
F. Quick Reference Guide
G. Working with Network Providers: Preservation of Evidence, Preventing Disclosure to Subjects, and Cable Act Issues
1. Preservation of Evidence under 18 U.S.C. § 2703(f)
2. Orders Not to Disclose the Existence of a Warrant, Subpoena, or Court Order
3. Possible Conflicts with the Cable Act, 47 U.S.C. § 551
H. Remedies
1. Suppression
2. Civil Actions
IV. ELECTRONIC SURVEILLANCE IN COMMUNICATIONS NETWORKS
A. Introduction
B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-27
C. The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22
1. Introduction: The General Prohibition
2. Key Phrases
Wire communication
Electronic communication
Intercept
3. Exceptions to Title III
a) Interception Authorized by a Title III Order, 18 U.S.C. § 2518
b) Consent of a Party to the Communication, 18 U.S.C. § 2511(2)(c)-(d)
c) The Provider Exception, 18 U.S.C. § 2511(2)(a)(i)
d) The Extension Telephone Exception, 18 U.S.C. § 2510(5)(a)
e) The "Inadvertently Obtained Criminal Evidence" Exception, 18 U.S.C. § 2511(3)(b)(iv)
f) The "Accessible to the Public" Exception, 18 U.S.C. § 2511(2)(g)(i)
D. Remedies For Violations of Title III and the Pen/Trap Statute
1. Suppression Remedies
a) Statutory Suppression Remedies
b) Constitutional Suppression Remedies
2. Defenses to Civil and Criminal Actions
a) Good-Faith Defense
b) Qualified Immunity
V. EVIDENCE
A. Introduction
B. Authentication
1. Authenticity and the Alteration of Computer Records
2. Establishing the Reliability of Computer Programs
3. Identifying the Author of Computer-Stored Records
C. Hearsay
1. Inapplicability of the Hearsay Rules to Computer-Generated Records
2. Applicability of the Hearsay Rules to Computer-Stored Records
D. Other Issues
1. The Best Evidence Rule
2. Computer Printouts as Summaries
VI. APPENDICES
Appendix A: Sample Network Banner Language
Appendix B: Sample 18 U.S.C. § 2703(d) Application and Order
Appendix C: Sample Language for Preservation Request Letters under 18 U.S.C. § 2703(f)
Appendix D: Sample Pen Register /Trap and Trace Application and Order
Appendix E: Sample Subpoena Language
Appendix F: Sample Language for Search Warrants and Accompanying Affidavits to Search and Seize Computers
Appendix G: Sample Letter for Provider Monitoring
INDEX
INTRODUCTION
In the last decade, computers and the Internet have entered the mainstream of American life.
Millions of Americans spend several hours every day in front of computers, where they send and receive
e-mail, surf the Web, maintain databases, and participate in countless other activities.
Unfortunately, those who commit crime have not missed the computer revolution. An increasing
number of criminals use pagers, cellular phones, laptop computers and network servers in the course of
committing their crimes. In some cases, computers provide the means of committing crime. For
example, the Internet can be used to deliver a death threat via e-mail; to launch hacker attacks against a
vulnerable computer network; to disseminate computer viruses; or to transmit images of child
pornography. In other cases, computers merely serve as convenient storage devices for evidence of
crime. For example, a drug kingpin might keep a list of who owes him money in a file stored in his
desktop computer at home, or a money laundering operation might retain false financial records in a file
on a network server.
The dramatic increase in computer-related crime requires prosecutors and law enforcement agents
to understand how to obtain electronic evidence stored in computers. Electronic records such as
computer network logs, e-mails, word processing files, and ".jpg" picture files increasingly provide the
government with important (and sometimes essential) evidence in criminal cases. The purpose of this
publication is to provide Federal law enforcement agents and prosecutors with systematic guidance that
can help them understand the legal issues that arise when they seek electronic evidence in criminal
investigations.
The law governing electronic evidence in criminal investigations has two primary sources: the
Fourth Amendment to the U.S. Constitution, and the statutory privacy laws codified at 18 U.S.C. §§
2510-22, 18 U.S.C. §§ 2701-11, and 18 U.S.C. §§ 3121-27. Although constitutional and statutory issues
overlap in some cases, most situations present either a constitutional issue under the Fourth Amendment
or a statutory issue under these three statutes. This manual reflects that division: Chapters 1 and 2
address the Fourth Amendment law of search and seizure, and Chapters 3 and 4 focus on the statutory
issues, which arise mostly in cases involving computer networks and the Internet.
Chapter 1 explains the restrictions that the Fourth Amendment places on the warrantless search
and seizure of computers and computer data. The chapter begins by explaining how the courts apply the
"reasonable expectation of privacy" test to computers; turns next to how the exceptions to the warrant
requirement apply in cases involving computers; and concludes with a comprehensive discussion of the
difficult Fourth Amendment issues raised by warrantless workplace searches of computers. Questions
addressed in this chapter include: When does the government need a search warrant to search and seize a
suspect's computer? Can an investigator search without a warrant through a suspect's pager found
incident to arrest? Does the government need a warrant to search a government employee's desktop
computer located in the employee's office?
Chapter 2 discusses the law that governs the search and seizure of computers pursuant to search
warrants. The chapter begins by reviewing the steps that investigators should follow when planning and
executing searches to seize computer hardware and computer data with a warrant. In particular, the
chapter focuses on two issues: first, how investigators should plan to execute computer searches, and
second, how they should draft the proposed search warrants and their accompanying affidavits. Finally,
the chapter ends with a discussion of post-search issues. Questions addressed in the chapter include:
When should investigators plan to search computers on the premises, and when should they remove the
computer hardware and search it later off-site? How should investigators plan their searches to avoid
civil liability under the Privacy Protection Act, 42 U.S.C. § 2000aa? How should prosecutors draft
search warrant language so that it complies with the particularity requirement of the Fourth Amendment
and Rule 41 of the Federal Rules of Criminal Procedure? What is the law governing when the
government must search and return seized computers?
The focus of Chapter 3 is the stored communications portion of the Electronic Communications
Privacy Act, 18 U.S.C. §§ 2701-11 (ECPA). ECPA governs how investigators can obtain stored
account records and contents from network service providers, including Internet service providers
(ISPs), telephone companies, cell phone service providers, and satellite services. ECPA issues arise
often in cases involving the Internet: any time investigators seek stored information concerning Internet
accounts from providers of Internet service, they must comply with the statute. Topics covered in this
section include: How can the government obtain e-mails and network account logs from ISPs? When
does the government need to obtain a search warrant, as opposed to an 18 U.S.C. § 2703(d) order or a
subpoena? When can providers disclose e-mails and records to the government voluntarily? What
remedies will courts impose when ECPA has been violated?
Chapter 4 reviews the legal framework that governs electronic surveillance, with particular
emphasis on how the statutes apply to surveillance on the communications networks. In particular, the
chapter discusses Title III as modified by the Electronic Communications Privacy Act, 18 U.S.C. §§
2510-22 (referred to here as Title III)1, as well as the Pen Register and Trap and Trace Devices
statute, 18 U.S.C. §§ 3121-27. These statutes govern when and how the government can conduct real-
time surveillance, such as monitoring a computer hacker's activity as he breaks into a government
computer network. Topics addressed in this chapter include: When can victims of computer crime
monitor unauthorized intrusions into their networks and disclose that information to law enforcement?
Can network "banners" generate implied consent to monitoring? How can the government obtain a pen
register/trap and trace order that permits the government to collect packet header information from
Internet communications? What remedies will courts impose when the electronic surveillance statutes
have been violated?
Of course, the issues discussed in Chapters 1 through 4 can overlap in actual cases. An
investigation into computer hacking may begin with obtaining stored records from an ISP according to
Chapter 3, move next to an electronic surveillance phase implicating Chapter 4, and then conclude with
a search of the suspect's residence and a seizure of his computers according to Chapters 1 and 2. In
other cases, agents and prosecutors must understand issues raised in multiple chapters not just in the
same case, but at the same time. For example, an investigation into workplace misconduct by a
government employee may implicate all of Chapters 1 through 4. Investigators may want to obtain the
employee's e-mails from the government network server (implicating ECPA, discussed in Chapter 3);
may wish to monitor the employee's use of the telephone or Internet in real-time (raising surveillance
issues from Chapter 4); and at the same time, may need to search the employee's desktop computer in
his office for clues of the misconduct (raising search and seizure issues from Chapters 1 and 2).
Because the constitutional and statutory regimes can overlap in certain cases, agents and prosecutors
will need to understand not only all of the legal issues covered in Chapters 1 through 4, but will also
need to understand the precise nature of the information to be gathered in their particular cases.
Chapters 1 through 4 are followed by a short Chapter 5, which discusses evidentiary issues that
arise frequently in computer-related cases. The publication concludes with appendices that offer sample
forms, language, and orders.
Computer crime investigations raise many novel issues, and the courts have only begun to
interpret how the Fourth Amendment and federal statutory laws apply to computer-related cases.
Agents and prosecutors who need more detailed advice can rely on several resources for further
assistance. At the federal district level, every U.S. Attorney's Office has at least one Assistant U.S.
Attorney who has been designated as a Computer and Telecommunications Coordinator (CTC).
Every CTC receives extensive training in computer-related crime, and is primarily responsible for
providing expertise relating to the topics covered in this manual within his or her district. CTCs may be
reached in their district offices. Further, several sections within the Criminal Division of the U.S.
Department of Justice in Washington, D.C., have expertise in computer-related fields. The Office of
International Affairs ((202) 514-0000) provides expertise in the many computer crime investigations that
raise international issues. The Office of Enforcement Operations ((202) 514-6809) provides expertise in
the wiretapping laws and other privacy statutes discussed in Chapters 3 and 4. Also, the Child
Exploitation and Obscenity Section ((202) 514-5780) provides expertise in computer-related cases
involving child pornography and child exploitation.
Finally, agents and prosecutors are always welcome to contact the Computer Crime and
Intellectual Property Section (CCIPS) directly both for general advice and specific case-related
assistance. During regular business hours, at least two CCIPS attorneys are on duty to answer questions
and provide assistance to agents and prosecutors on the topics covered in this document, as well as other
matters that arise in computer crime cases. The main number for CCIPS is (202) 514-1026.
I. SEARCHING AND SEIZING COMPUTERS WITHOUT A WARRANT
A. Introduction
The Fourth Amendment limits the ability of government agents to search for evidence without a
warrant. This chapter explains the constitutional limits of warrantless searches in cases involving
computers.
The Fourth Amendment states:
The right of the people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but
upon probable cause, supported by Oath or affirmation, and particularly describing the place
to be searched, and the persons or things to be seized.
According to the Supreme Court, a warrantless search does not violate the Fourth Amendment if
one of two conditions is satisfied. First, if the government's conduct does not violate a person's
"reasonable expectation of privacy," then formally it does not constitute a Fourth Amendment search
and no warrant is required. See Illinois v. Andreas, 463 U.S. 765, 771 (1983). Second, a warrantless
search that violates a person's reasonable expectation of privacy will nonetheless be "reasonable" (and
therefore constitutional) if it falls within an established exception to the warrant requirement. See
Illinois v. Rodriguez, 497 U.S. 177, 183 (1990). Accordingly, investigators must consider two issues
when asking whether a government search of a computer requires a warrant. First, does the search
violate a reasonable expectation of privacy? And if so, is the search nonetheless reasonable because it
falls within an exception to the warrant requirement?
B. The Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers
1. General Principles
A search is constitutional if it does not violate a person's "reasonable" or "legitimate" expectation
of privacy. Katz v. United States, 389 U.S. 347, 362 (1967) (Harlan, J., concurring). This inquiry
embraces two discrete questions: first, whether the individual's conduct reflects "an actual (subjective)
expectation of privacy," and second, whether the individual's subjective expectation of privacy is "one
that society is prepared to recognize as 'reasonable.'" Id. at 361. In most cases, the difficulty of
contesting a defendant's subjective expectation of privacy focuses the analysis on the objective aspect of
the Katz test, i.e., whether the individual's expectation of privacy was reasonable.
No bright line rule indicates whether an expectation of privacy is constitutionally reasonable. See
O'Connor v. Ortega, 480 U.S. 709, 715 (1987). For example, the Supreme Court has held that a person
has a reasonable expectation of privacy in property located inside a person's home, see Payton v. New
York, 445 U.S. 573, 589-90 (1980); in conversations taking place in an enclosed phone booth, see Katz,
389 U.S. at 358; and in the contents of opaque containers, see United States v. Ross, 456 U.S. 798,
822-23 (1982). In contrast, a person does not have a reasonable expectation of privacy in activities
conducted in open fields, see Oliver v. United States, 466 U.S. 170, 177 (1984); in garbage deposited at
the outskirts of real property, see California v. Greenwood, 486 U.S. 35, 40-41 (1988); or in a stranger's
house that the person has entered without the owner's consent in order to commit a theft, see Rakas v.
Illinois, 439 U.S. 128, 143 n.12 (1978).
2. Reasonable Expectation of Privacy in Computers as Storage Devices
To determine whether an individual has a reasonable expectation of privacy in information stored
in a computer, it helps to treat the computer like a closed container such as a briefcase or file
cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing
information stored in a computer without a warrant if it would be prohibited from opening a
closed container and examining its contents in the same situation.
The most basic Fourth Amendment question in computer cases asks whether an individual enjoys a
reasonable expectation of privacy in electronic information stored within computers (or other electronic
storage devices) under the individual's control. For example, do individuals have a reasonable
expectation of privacy in the contents of their laptop computers, floppy disks or pagers? If the answer is
"yes," then the government ordinarily must obtain a warrant before it accesses the information stored
inside.
When confronted with this issue, courts have analogized electronic storage devices to closed
containers, and have reasoned that accessing the information stored within an electronic storage device
is akin to opening a closed container. Because individuals generally retain a reasonable expectation of
privacy in the contents of closed containers, see United States v. Ross, 456 U.S. 798, 822-23 (1982),
they also generally retain a reasonable expectation of privacy in data held within electronic storage
devices. Accordingly, accessing information stored in a computer ordinarily will implicate the owner's
reasonable expectation of privacy in the information. See United States v. Barth, 26 F. Supp.2d 929,
936-37 (W.D. Tex. 1998) (finding reasonable expectation of privacy in files stored on hard drive of
personal computer); United States v. Reyes, 922 F. Supp. 818, 832-33 (S.D.N.Y. 1996) (finding
reasonable expectation of privacy in data stored in a pager); United States v. Lynch, 908 F. Supp. 284,
287 (D.V.I. 1995) (same); United States v. Chan, 830 F. Supp. 531, 535 (N.D. Cal. 1993) (same);
United States v. Blas, 1990 WL 265179, at *21 (E.D. Wis. 1990) ("[A]n individual has the same
expectation of privacy in a pager, computer, or other electronic data storage and retrieval device as in a
closed container."). But see United States v. Carey, 172 F.3d 1268, 1275 (10th Cir. 1999) (dicta)
(analogizing a computer hard drive to a file cabinet in the context of a search pursuant to a warrant, but
then stating without explanation that the file cabinet analogy may be inadequate).
Although individuals generally retain a reasonable expectation of privacy in computers under their
control, special circumstances may eliminate that expectation. For example, an individual will not retain
a reasonable expectation of privacy in information from a computer that the person has made openly
available. In United States v. David, 756 F. Supp. 1385 (D. Nev. 1991), agents looking over the
defendant's shoulder read the defendant's password from the screen as the defendant typed his password
into a handheld computer. The court found no Fourth Amendment violation in obtaining the password,
because the defendant did not enjoy a reasonable expectation of privacy in the display that appeared on
the screen. Id. at 1389. See also Katz v. United States, 389 U.S. 347, 351 (1967) ("What a person
knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment
protection.").
Nor will individuals generally enjoy a reasonable expectation of privacy in the contents of
computers they have stolen. See United States v. Lyons, 992 F.2d 1029, 1031-32 (10th Cir. 1993).
3. Reasonable Expectation of Privacy and Third-Party Possession
Individuals who retain a reasonable expectation of privacy in stored electronic information under
their control may lose Fourth Amendment protections when they relinquish that control to third parties.
For example, an individual may offer a container of electronic information to a third party by bringing a
malfunctioning computer to a repair shop, or by shipping a floppy diskette in the mail to a friend.
Alternatively, a user may transmit information to third parties electronically, such as by sending data
across the Internet. When law enforcement agents learn of information possessed by third parties that
may provide evidence of a crime, they may wish to inspect it. Whether the Fourth Amendment requires
them to obtain a warrant before examining the information depends first upon whether the third-party
possession has eliminated the individual's reasonable expectation of privacy.
To analyze third-party possession issues, it helps first to distinguish between possession by a
carrier in the course of transmission to an intended recipient, and subsequent possession by the intended
recipient. For example, if A hires B to carry a package to C, A's reasonable expectation of privacy in
the contents of the package during the time that B carries the package on its way to C may be different
than A's reasonable expectation of privacy after C has received the package. During transmission,
contents generally retain Fourth Amendment protection. The government ordinarily may not examine
the contents of a package in the course of transmission without a warrant. Government intrusion and
examination of the contents ordinarily violates the reasonable expectation of privacy of both the sender
and receiver. See United States v. Villarreal, 963 F.2d 770, 774 (5th Cir. 1992); but see United States v.
Walker, 20 F. Supp.2d 971, 973-74 (S.D.W. Va. 1998) (concluding that packages sent to an alias in
furtherance of a criminal scheme do not support a reasonable expectation of privacy). This rule applies
regardless of whether the carrier is owned by the government or a private company. Compare Ex Parte
Jackson, 96 U.S. (6 Otto) 727, 733 (1877) (public carrier) with Walter v. United States, 447 U.S. 649,
651 (1980) (private carrier).
A government "search" of an intangible electronic signal in the course of transmission may also
implicate the Fourth Amendment. See Berger v. New York, 388 U.S. 41, 58-60 (1967) (applying the
Fourth Amendment to a wire communication in the context of a wiretap). The boundaries of the Fourth
Amendment in such cases remain hazy, however, because Congress addressed the Fourth Amendment
concerns identified in Berger by passing Title III of the Omnibus Crime Control and Safe Streets Act of
1968 (Title III), 18 U.S.C. §§ 2510-22. Title III, which is discussed fully in Chapter 4, provides a
comprehensive statutory framework that regulates real-time monitoring of wire and electronic
communications. Its scope encompasses, and in many significant ways exceeds, the protection offered
by the Fourth Amendment. See United States v. Torres, 751 F.2d 875, 884 (7th Cir. 1985). As a
practical matter, then, the monitoring of wire and electronic communications in the course of
transmission generally raises many statutory questions, but few constitutional ones. See generally
Chapter 4.
Individuals may lose Fourth Amendment protection in their computer files if they lose control of
the files.
Once an item has been received by the intended recipient, the sender's reasonable expectation of
privacy generally depends upon whether the sender can reasonably expect to retain control over the item
and its contents. When a person leaves a package with a third party for temporary safekeeping, for
example, he usually retains control of the package, and thus retains a reasonable expectation of privacy
in its contents. See, e.g., United States v. Most, 876 F.2d 191, 197-98 (D.C. Cir. 1989) (finding
reasonable expectation of privacy in contents of plastic bag left with grocery store clerk); United States
v. Barry, 853 F.2d 1479, 1481-83 (8th Cir. 1988) (finding reasonable expectation of privacy in locked
suitcase stored at airport baggage counter); United States v. Presler, 610 F.2d 1206, 1213-14 (4th Cir.
1979) (finding reasonable expectation of privacy in locked briefcases stored with defendant's friend for
safekeeping). See also United States v. Barth, 26 F. Supp.2d 929, 936-37 (W.D. Tex. 1998) (holding that
defendant retains a reasonable expectation of privacy in computer files contained in hard drive left with
computer technician for limited purpose of repairing computer).
If the sender cannot reasonably expect to retain control over the item in the third party's
possession, however, the sender no longer retains a reasonable expectation of privacy in its contents.
For example, in United States v. Horowitz, 806 F.2d 1222 (4th Cir. 1986), the defendant e-mailed
confidential pricing information relating to his employer to his employer's competitor. After the FBI
searched the competitor's computers and found the pricing information, the defendant claimed that the
search violated his Fourth Amendment rights. The Fourth Circuit disagreed, holding that the defendant
relinquished his interest in and control over the information by sending it to the competitor for the
competitor's future use. See id. at 1225-26. See also United States v. Charbonneau, 979 F. Supp. 1177,
1184 (S.D. Ohio 1997) (holding that defendant does not retain reasonable expectation of privacy in
contents of e-mail message sent to America Online chat room after the message has been received by
chat room participants) (citing Hoffa v. United States, 385 U.S. 293, 302 (1966)). In some cases, the
sender may initially retain a right to control the third party's possession, but may lose that right over
time. The general rule is that the sender's Fourth Amendment rights dissipate along with the sender's
right to control the third party's possession. For example, in United States v. Poulsen, 41 F.3d 1330 (9th
Cir. 1994), computer hacker Kevin Poulsen left computer tapes in a locker at a commercial storage
facility but neglected to pay rent for the locker. Following a warrantless search of the facility, the
government sought to use the tapes against Poulsen. The Ninth Circuit held that the search did not
violate Poulsen's reasonable expectation of privacy because under state law Poulsen's failure to pay rent
extinguished his right to access the tapes. See id. at 1337.
An important line of Supreme Court cases states that individuals generally cannot reasonably
expect to retain control over mere information revealed to third parties, even if the senders have a
subjective expectation that the third parties will keep the information confidential. For example, in
United States v. Miller, 425 U.S. 435, 443 (1976), the Court held that the Fourth Amendment does not
protect bank account information that account holders divulge to their banks. By placing information
under the control of a third party, the Court stated, an account holder assumes the risk that the
information will be conveyed to the government. Id. According to the Court, "the Fourth Amendment
does not prohibit the obtaining of information revealed to a third party and conveyed by him to
Government authorities, even if the information is revealed on the assumption that it will be used only
for a limited purpose and the confidence placed in the third party will not be betrayed." Id. (citing Hoffa
v. United States, 385 U.S. 293, 302 (1966)). See also Smith v. Maryland, 442 U.S. 735, 743-44 (1979)
(finding no reasonable expectation of privacy in phone numbers dialed by owner of a telephone because
act of dialing the number effectively tells the number to the phone company); Couch v. United States,
409 U.S. 322, 335 (1973) (holding that government may subpoena accountant for client information
given to accountant by client, because client retains no reasonable expectation of privacy in information
given to accountant).
Because computer data is "information," this line of cases suggests that individuals who send data
over communications networks may lose Fourth Amendment protection in the data once it reaches the
intended recipient. See United States v. Meriwether, 917 F.2d 955, 959 (6th Cir. 1990) (suggesting that
an electronic message sent via a pager is "information" under the Smith/Miller line of cases);
Charbonneau, 979 F. Supp. at 1184 ("[A]n e-mail message . . . cannot be afforded a reasonable
expectation of privacy once that message is received."). But see C. Ryan Reetz, Note, Warrant
Requirement for Searches of Computerized Information, 67 B.U. L. Rev. 179, 200-06 (1987) (arguing
that certain kinds of remotely stored computer files should retain Fourth Amendment protection, and
attempting to distinguish United States v. Miller and Smith v. Maryland). Of course, the absence of
constitutional protections does not necessarily mean that the government can access the data without a
warrant or court order. Statutory protections exist that generally protect the privacy of electronic
communications stored remotely with service providers, and can protect the privacy of Internet users
when the Fourth Amendment may not. See 18 U.S.C. §§ 2701-11 (discussed in Chapter 3, infra).
Defendants will occasionally raise a Fourth Amendment challenge to the acquisition of account
records and subscriber information held by Internet service providers using less process than a full
search warrant. As discussed in a later chapter, the Electronic Communications Privacy Act permits the
government to obtain transactional records with an "articulable facts" court order, and basic subscriber
information with a subpoena. See 18 U.S.C. §§ 2701-11 (discussed in Chapter 3, infra). These statutory
procedures comply with the Fourth Amendment because customers of Internet service providers do not
have a reasonable expectation of privacy in customer account records maintained by and for the
provider's business. See United States v. Hambrick, 55 F. Supp.2d 504, 508 (W.D. Va. 1999), aff'd,
225 F.3d 656, 2000 WL 1062039 (4th Cir. 2000) (unpublished opinion) (finding no Fourth Amendment
protection for network account holder's basic subscriber information obtained from Internet service
provider); United States v. Kennedy, 81 F. Supp.2d 1103, 1110 (D. Kan. 2000) (same). This rule
accords with prior cases considering the scope of Fourth Amendment protection in customer account
records. See, e.g., United States v. Fregoso, 60 F.3d 1314, 1321 (8th Cir. 1995) (holding that a
telephone company customer has no reasonable expectation of privacy in account information disclosed
to the telephone company); In re Grand Jury Proceedings, 827 F.2d 301, 302-03 (8th Cir. 1987) (holding
that customer account records maintained and held by Western Union are not entitled to Fourth
Amendment protection).
4. Private Searches
• The Fourth Amendment does not apply to searches conducted by private parties who are not
acting as agents of the government.
The Fourth Amendment "is wholly inapplicable to a search or seizure, even an unreasonable one,
effected by a private individual not acting as an agent of the Government or with the participation or
knowledge of any governmental official." United States v. Jacobsen, 466 U.S. 109, 113 (1984). As a
result, no violation of the Fourth Amendment occurs when a private individual acting on his own accord
conducts a search and makes the results available to law enforcement. See id. For example, in United
States v. Hall, 142 F.3d 988 (7th Cir. 1998), the defendant took his computer to a private computer
specialist for repairs. In the course of evaluating the defendant's computer, the repairman observed that
many files stored on the computer had filenames characteristic of child pornography. The repairman
accessed the files, saw that they did in fact contain child pornography, and then contacted the state
police. The tip led to a warrant, the defendant's arrest, and his conviction for child pornography
offenses. On appeal, the Seventh Circuit rejected the defendant's claim that the repairman's warrantless
search through the computer violated the Fourth Amendment. Because the repairman's search was
conducted on his own, the court held, the Fourth Amendment did not apply to the search or his later
description of the evidence to the state police. See id. at 993. See also United States v. Kennedy, 81 F.
Supp.2d 1103, 1112 (D. Kan. 2000) (concluding that searches of defendant's computer over the Internet
by an anonymous caller and employees of a private ISP did not violate Fourth Amendment because
there was no evidence that the government was involved in the search).
In United States v. Jacobsen, 466 U.S. 109 (1984), the Supreme Court presented the framework
that should guide agents seeking to uncover evidence as a result of a private search. According to
Jacobsen, agents who learn of evidence via a private search can reenact the original private search
without violating any reasonable expectation of privacy. What the agents cannot do without a warrant is
"exceed[] the scope of the private search." Id. at 115. See also United States v. Miller, 152 F.3d 813,
815-16 (8th Cir. 1998); United States v. Donnes, 947 F.2d 1430, 1434 (10th Cir. 1991). But see United
States v. Allen, 106 F.3d 695, 699 (6th Cir. 1999) (dicta) (stating that Jacobsen does not permit law
enforcement to reenact a private search of a private home or residence). This standard requires agents to
limit their investigation to the precise scope of the private search when searching without a warrant after
a private search has occurred. So long as the agents limit themselves to the scope of the private search,
the agents' search will not violate the Fourth Amendment. However, as soon as agents exceed the scope
of the private warrantless search, any evidence uncovered may be suppressed. See United States v.
Barth, 26 F. Supp.2d 929, 937 (W.D. Tex. 1998) (suppressing evidence of child pornography found on
computer hard drive after agents viewed more files than private technician had initially viewed during
repair of defendant's computer). In computer cases, this aspect of Jacobsen means that private searches
will often be useful partly as opportunities to provide the probable cause needed to obtain a warrant for a
further search. The fact that a private person has uncovered evidence of a crime on another person's
computer does not permit agents to search the entire computer. Instead, the private search permits the
agents to view the evidence that the private search revealed, and, if necessary, to use that evidence as a
basis for procuring a warrant to search the rest of the computer.2
Although most private search issues arise when private third parties intentionally examine property
and offer evidence of a crime to law enforcement, the same framework applies when third parties
inadvertently expose evidence of a crime to plain view. For example, in United States v. Procopio, 88
F.3d 21 (1st Cir. 1996), a defendant stored incriminating files in his brother's safe. Later, thieves stole
the safe, opened it, and abandoned it in a public park. Police investigating the theft of the safe found the
files scattered on the ground nearby, gathered them, and then used them against the defendant in an
unrelated case. The First Circuit held that the use of the files did not violate the Fourth Amendment,
because the files were made openly available by the thieves' private search. See id. at 26-27 (citing
Jacobsen, 466 U.S. at 113).
Importantly, the fact that the person conducting a search is not a government employee does not
necessarily mean that the search is "private" for Fourth Amendment purposes. A search by a private
party will be considered a Fourth Amendment government search "if the private party act[s] as an
instrument or agent of the Government." Skinner v. Railway Labor Executives' Ass'n, 489 U.S. 602,
614 (1989). The Supreme Court has offered little guidance on when private conduct can be attributed to
the government; the Court has merely stated that this question "necessarily turns on the degree of the
Government's participation in the private party's activities, . . . a question that can only be resolved 'in
light of all the circumstances.'" Id. at 614-15 (quoting Coolidge v. New Hampshire, 403 U.S. 443, 487
(1971)). In the absence of a more definitive standard, the various federal Courts of Appeals have
adopted a range of approaches for distinguishing between private and government searches. About half
of the circuits apply a "totality of the circumstances" approach that examines three factors: whether the
government knows of or acquiesces in the intrusive conduct; whether the party performing the search
intends to assist law enforcement efforts at the time of the search; and whether the government
affirmatively encourages, initiates or instigates the private action. See, e.g., United States v. Pervaz, 118
F.3d 1, 6 (1st Cir. 1997); United States v. Smythe, 84 F.3d 1240, 1242-43 (10th Cir. 1996); United
States v. McAllister, 18 F.3d 1412, 1417-18 (7th Cir. 1994); United States v. Malbrough, 922 F.2d 458,
462 (8th Cir. 1990). Other circuits have adopted more rule-like formulations that focus on only two of
these factors. See, e.g., United States v. Miller, 688 F.2d 652, 657 (9th Cir. 1982) (holding that private
action counts as government conduct if, at the time of the search, the government knew of or acquiesced
in the intrusive conduct, and the party performing the search intended to assist law enforcement efforts);
United States v. Paige, 136 F.3d 1012, 1017 (5th Cir. 1998) (same); United States v. Lambert, 771 F.2d
83, 89 (6th Cir. 1985) (holding that a private individual is a state actor for Fourth Amendment purposes
if the police instigated, encouraged or participated in the search, and the individual engaged in the search
with the intent of assisting the police in their investigative efforts).
C. Exceptions to the Warrant Requirement in Cases Involving Computers
Warrantless searches that violate a reasonable expectation of privacy will comply with the Fourth
Amendment if they fall within an established exception to the warrant requirement. Cases involving
computers often raise questions relating to how these "established" exceptions apply to new
technologies.
1. Consent
Agents may search a place or object without a warrant or even probable cause if a person with
authority has voluntarily consented to the search. See Schneckloth v. Bustamonte, 412 U.S. 218, 219
(1973). This consent may be explicit or implicit. See United States v. Milian-Rodriguez, 759 F.2d
1558, 1563-64 (11th Cir. 1985). Whether consent was voluntarily given is a question of fact that the
court must decide by considering the totality of the circumstances. While no single aspect controls the
result, the Supreme Court has identified the following important factors: the age, education, intelligence,
physical and mental condition of the person giving consent; whether the person was under arrest; and
whether the person had been advised of his right to refuse consent. See Schneckloth, 412 U.S. at 226.
The government carries the burden of proving that consent was voluntary. See United States v. Price,
599 F.2d 494, 503 (2d Cir. 1979).
In computer crime cases, two consent issues arise particularly often. First, when does a search
exceed the scope of consent? For example, when a target consents to the search of a machine, to what
extent does the consent authorize the retrieval of information stored in the machine? Second, who is the
proper party to consent to a search? Do roommates, friends, and parents have the authority to consent to
a search of another person's computer files?3
a) Scope of Consent
"The scope of a consent to search is generally defined by its expressed object, and is limited by the
breadth of the consent given." United States v. Pena, 143 F.3d 1363, 1368 (10th Cir. 1998). The
standard for measuring the scope of consent under the Fourth Amendment is objective reasonableness:
"What would the typical reasonable person have understood by the exchange between the [agent] and
the [person granting consent]?" Florida v. Jimeno, 500 U.S. 248, 251 (1991). This requires a
fact-intensive inquiry into whether it was reasonable for the agent to believe that the scope of consent
included the items searched. Id. Of course, when the limits of the consent are clearly given, either
before or during the search, agents must respect these bounds. See Vaughn v. Baldwin, 950 F.2d 331,
333 (6th Cir. 1991).
• The permitted scope of consent searches depends on the facts of each case.
Computer cases often raise the question of whether consent to search a location or item implicitly
includes consent to access the memory of electronic storage devices encountered during the search. In
such cases, courts look to whether the particular circumstances of the agents' request for consent
implicitly or explicitly limited the scope of the search to a particular type, scope, or duration. Because
this approach ultimately relies on fact-driven notions of common sense, results reached in published
opinions have hinged upon subtle (if not entirely inscrutable) distinctions. Compare United States v.
Reyes, 922 F. Supp. 818, 834 (S.D.N.Y. 1996) (holding that consent to "look inside" a car included
consent to retrieve numbers stored inside pagers found in car's back seat) with United States v. Blas,
1990 WL 265179, at *20 (E.D. Wis. 1990) (holding that consent to "look at" a pager did not include
consent to activate pager and retrieve numbers, because looking at pager could be construed to mean
what the device is, or how small it is, or what brand of pager it may be). See also United States v.
Carey, 172 F.3d 1268, 1274 (10th Cir. 1999) (reading written consent form extremely narrowly, so that
consent to seizure of "any property" under the defendant's control and to "a complete search of the
premises and property" at the defendant's address merely permitted the agents to seize the defendant's
computer from his apartment, but did not permit them to search the computer off-site because it was no
longer located at the defendant's address). Prosecutors can strengthen their argument that the scope of
consent included consent to search electronic storage devices by relying on analogous cases involving
closed containers. See, e.g., United States v. Galante, 1995 WL 507249, at *3 (S.D.N.Y. 1995) (holding
that general consent to search car included consent to have officer access memory of cellular telephone
found in the car, relying on circuit precedent involving closed containers); Reyes, 922 F. Supp. at 834.
Agents should be especially careful about relying on consent as the basis for a search of a
computer when they obtain consent for one reason but then wish to conduct a search for another reason.
In two recent cases, the Courts of Appeals suppressed images of child pornography found on computers
after agents procured the defendant's consent to search his property for other evidence. In United States
v. Turner, 169 F.3d 84 (1st Cir. 1999), detectives searching for physical evidence of an attempted sexual
assault obtained written consent from the victim's neighbor to search the neighbor's "premises" and
"personal property." Before the neighbor signed the consent form, the detectives discovered a large
knife and blood stains in his apartment, and explained to him that they were looking for more evidence
of the assault that the suspect might have left behind. See id. at 86. While several agents searched for
physical evidence, one detective searched the contents of the neighbor's personal computer and
discovered stored images of child pornography. The neighbor was charged with possessing child
pornography. On interlocutory appeal, the First Circuit held that the search of the computer exceeded
the scope of consent and suppressed the evidence. According to the Court, the detectives' statements
that they were looking for signs of the assault limited the scope of consent to the kind of physical
evidence that an intruder might have left behind. See id. at 88. By transforming the search for physical
evidence into a search for computer files, the detective had exceeded the scope of consent. See id. See
also Carey, 172 F.3d at 1277 (Baldock, J., concurring) (concluding that agents exceeded scope of consent
by searching computer after defendant signed broadly-worded written consent form, because agents told
defendant that they were looking for drugs and drug-related items rather than computer files containing child
pornography) (citing Turner).
• It is a good practice for agents to use written consent forms that state explicitly that the scope of
consent includes consent to search computers and other electronic storage devices.
Because the decisions evaluating the scope of consent to search computers have reached
sometimes unpredictable results, investigators should indicate the scope of the search explicitly when
obtaining a suspect's consent to search a computer.
b) Third-Party Consent
i) General Rules
It is common for several people to use or own the same computer equipment. If any one of those
people gives permission to search for data, agents may generally rely on that consent, so long as the
person has authority over the computer. In such cases, all users have assumed the risk that a co-user
might discover everything in the computer, and might also permit law enforcement to search this
"common area" as well.
The watershed case in this area is United States v. Matlock, 415 U.S. 164 (1974). In Matlock, the
Supreme Court stated that one who has "common authority" over premises or effects may consent to a
search even if an absent co-user objects. Id. at 171. According to the Court, the common authority that
establishes the right of third-party consent requires
mutual use of the property by persons generally having joint access or control for most
purposes, so that it is reasonable to recognize that any of the co-inhabitants has the right to
permit the inspection in his own right and that the others have assumed the risk that one of
their number might permit the common area to be searched.
Id. at 171 n.7.
Under the Matlock approach, a private third party may consent to a search of property under the
third party's joint access or control. Agents may view what the third party may see without violating
any reasonable expectation of privacy so long as they limit the search to the zone of the consenting third
party's common authority. See United States v. Jacobsen, 466 U.S. 109, 119 (1984) (noting that the
Fourth Amendment is not violated when a private third party invites the government to view the
contents of a package under the third party's control). This rule often requires agents to inquire into
third parties' rights of access before conducting a consent search, and to draw lines between those areas
that fall within the third party's common authority and those areas outside of the third party's control.
See United States v. Block, 590 F.2d 535, 541 (4th Cir. 1978) (holding that a mother could consent to a
general search of her 23-year-old son's room, but could not consent to a search of a locked footlocker
found in the room). Because the joint access test does not require a unity of interests between the
suspect and the third party, however, Matlock permits third-party consent even when the target of the
search is present and refuses to consent to the search. See United States v. Sumlin, 567 F.2d 684, 687
(6th Cir. 1977) (holding that woman had authority to consent to search of apartment she shared with her
boyfriend even though boyfriend refused consent).
Courts have not squarely addressed whether a suspect's decision to password-protect or encrypt
files stored in a jointly-used computer denies co-users the right to consent to a search of the files under
Matlock. However, it appears likely that encryption and password-protection would in most cases
indicate the absence of common authority to consent to a search among co-users who do not know the
password or possess the encryption key. Compare United States v. Smith, 27 F. Supp.2d 1111, 1115-16
(C.D. Ill. 1998) (concluding that a woman could consent to a search of her boyfriend's computer located
in their house, and noting that the boyfriend had not password-protected his files) with Block, 590 F.2d
at 541 (concluding that a mother could not consent to search of a locked footlocker in her son's room
where she did not possess the key). Conversely, if the co-user has been given the password or
encryption key by the suspect, then she probably has the requisite common authority to consent to a
search of the files under Matlock. See United States v. Murphy, 506 F.2d 529, 530 (9th Cir. 1974) (per
curiam) (concluding that an employee could consent to a search of an employer's locked warehouse
because the employee possessed the key, and finding "special significance" in the fact that the employer
had himself delivered the key to the employee).
As a practical matter, agents may have little way of knowing the precise bounds of a third party's
common authority when the agents obtain third-party consent to conduct a search. When queried,
consenting third parties may falsely claim that they have common authority over property. In Illinois v.
Rodriguez, 497 U.S. 177 (1990), the Supreme Court held that the Fourth Amendment does not
automatically require suppression of evidence discovered during a consent search when it later comes to
light that the third party who consented to the search lacked the authority to do so. See id. at 188-89.
Instead, the Court held that agents can rely on a claim of authority to consent if based on "the facts
available to the officer at the moment, . . . a man of reasonable caution . . . [would believe] that the
consenting party had authority" to consent to a search of the premises. Id. (internal quotations omitted)
(quoting Terry v. Ohio, 392 U.S. 1, 21-22 (1968)). When agents reasonably rely on apparent authority
to consent, the resulting search does not violate the Fourth Amendment.
ii) Spouses and Domestic Partners
• Most spousal consent searches are valid.
Absent an affirmative showing that the consenting spouse has no access to the property searched,
the courts generally hold that either spouse may consent to search all of the couple's property. See, e.g.,
United States v. Duran, 957 F.2d 499, 504-05 (7th Cir. 1992) (concluding that wife could consent to
search of barn she did not use because husband had not denied her the right to enter barn); United States
v. Long, 524 F.2d 660, 661 (9th Cir. 1975) (holding that wife who had left her husband could consent to
search of jointly-owned home even though husband had changed the locks). For example, in United
States v. Smith, 27 F. Supp.2d 1111 (C.D. Ill. 1998), a man named Smith was living with a woman
named Ushman and her two daughters. When allegations of child molestation were raised against
Smith, Ushman consented to the search of his computer, which was located in the house in an alcove
connected to the master bedroom. Although Ushman used Smith's computer only rarely, the district
court held that she could consent to the search of Smith's computer. Because Ushman was not
prohibited from entering the alcove and Smith had not password-protected the computer, the court
reasoned, she had authority to consent to the search. See id. at 1115-16. Even if she lacked actual
authority to consent, the court added, she had apparent authority to consent. See id. at 1116 (citing
Illinois v. Rodriguez).
iii) Parents
• Parents can consent to searches of their children's rooms when the children are under 18 years
old. If the children are 18 or older, the parents may or may not be able to consent, depending on
the facts.
In some computer crime cases, the perpetrators are relatively young and reside with their parents.
When the perpetrator is a minor, parental consent to search the perpetrator's property and living space
will almost always be valid. See 3 W. LaFave, Search and Seizure: A Treatise on the Fourth
Amendment § 8.4(b) at 283 (2d ed. 1987) (noting that courts have rejected "even rather extraordinary
efforts by [minor] child[ren] to establish exclusive use.").
When the sons and daughters who reside with their parents are legal adults, however, the issue is
more complicated. Under Matlock, it is clear that parents may consent to a search of common areas in
the family home regardless of the perpetrator's age. See, e.g., United States v. Lavin, 1992 WL 373486,
at *6 (S.D.N.Y. 1992) (recognizing right of parents to consent to search of basement room where son
kept his computer and files). When agents would like to search an adult child's room or other private
areas, however, agents cannot assume that the adult's parents have authority to consent. Although
courts have offered divergent approaches, they have paid particular attention to three factors: the
suspect's age; whether the suspect pays rent; and whether the suspect has taken affirmative steps to deny
his or her parents access to the suspect's room or private area. When suspects are older, pay rent,
and/or deny access to parents, courts have generally held that parents may not consent. See United
States v. Whitfield, 939 F.2d 1071, 1075 (D.C. Cir. 1991) (holding "cursory questioning" of suspect's
mother insufficient to establish right to consent to search of 29-year-old son's room); United States v.
Durham, 1998 WL 684241, at *4 (D. Kan. 1998) (mother had neither apparent nor actual authority to
consent to search of 24-year-old son's room, because son had changed the locks to the room without
telling his mother, and son also paid rent for the room). In contrast, parents usually may consent if their
adult children do not pay rent, are fairly young, and have taken no steps to deny their parents access to
the space to be searched. See United States v. Rith, 164 F.3d 1323, 1331 (10th Cir. 1999) (suggesting
that parents are presumed to have authority to consent to a search of their 18-year-old son's room
because he did not pay rent); United States v. Block, 590 F.2d 535, 541 (4th Cir. 1978) (mother could
consent to police search of 23-year-old son's room when son did not pay rent).
iv) System Administrators
Every computer network is managed by a "system administrator" or "system operator" whose job
is to keep the network running smoothly, monitor security, and repair the network when problems arise.
System operators have "root level" access to the systems they administer, which effectively grants them
master keys to open any account and read any file on their systems. When investigators suspect that a
network account contains relevant evidence, they may feel inclined to seek the system administrator's
consent to search the contents of that account.
As a practical matter, the primary barrier to searching a network account pursuant to a system
administrator's consent is statutory, not constitutional. System administrators typically serve as agents
of "provider[s] of electronic communication service" under the Electronic Communications Privacy Act
(ECPA), 18 U.S.C. §§ 2701-11. ECPA regulates law enforcement efforts to obtain the consent of a
system administrator to search an individual's account. See 18 U.S.C. § 2702-03. Accordingly, any
attempt to obtain a system administrator's consent to search an account must comply with ECPA. See
generally Chapter 3, "The Electronic Communications Privacy Act," infra.
To the extent that ECPA authorizes system administrators to consent to searches, the resulting
consent searches will in most cases comply with the Fourth Amendment. The first reason is that
individuals may not retain a reasonable expectation of privacy in the remotely stored files and records
that their network accounts contain. See generally Reasonable Expectation of Privacy and Third Party
Possession, supra. If an individual does not retain a constitutionally reasonable expectation of privacy
in his remotely stored files, it will not matter whether the system administrator has the necessary joint
control over the account needed to satisfy the Matlock test because a subsequent search will not violate
the Fourth Amendment.
In the event that a court holds that an individual does possess a reasonable expectation of privacy
in remotely stored account files, whether a system administrator's consent would satisfy Matlock should
depend on the circumstances. Clearly, the system administrator's access to all network files does not by
itself provide the common authority that triggers authority to consent. In the pre-Matlock case of Stoner
v. California, 376 U.S. 483 (1964), the Supreme Court held that a hotel clerk lacked the authority to
consent to the search of a hotel room. Although the clerk was permitted to enter the room to perform his
duties, and the guest had left his room key with the clerk, the Court concluded that the clerk could not
consent to the search. If the hotel guest's protection from unreasonable searches and seizures were left
to depend on the unfettered discretion of an employee of the hotel, Justice Stewart reasoned, it would
disappear. Id. at 490. See also Chapman v. United States, 365 U.S. 610 (1961) (holding that a
landlord lacks authority to consent to search of premises used by tenant); United States v. Most, 876
F.2d 191, 199-200 (D.C. Cir. 1989) (holding that store clerk lacks authority to consent to search of
packages left with clerk for safekeeping). To the extent that the access of a system operator to a network
account is analogous to the access of a hotel clerk to a hotel room, the claim that a system operator may
consent to a search of Fourth Amendment-protected files is weak. Cf. Barth, 26 F. Supp.2d at 938
(holding that computer repairman's right to access files for limited purpose of repairing computer did
not create authority to consent to government search through files).
Of course, the hotel clerk analogy may be inadequate in some circumstances. For example, an
employee generally does not have the same relationship with the system administrator of his company's
network as a customer of a private ISP such as AOL might have with the ISP's system administrator.
The company may grant the system administrator of the company network full rights to access employee
accounts for any work-related reason, and the employees may know that the system administrator has
such access. In circumstances such as this, the system administrator would likely have sufficient
common authority over the accounts to be able to consent to a search. See generally Note, Keeping
Secrets in Cyberspace: Establishing Fourth Amendment Protection for Internet Communication, 110
Harv. L. Rev. 1591, 1602-03 (1997). See also United States v. Clarke, 2 F.3d 81, 85 (4th Cir. 1993)
(holding that a drug courier hired to transport the defendant's locked toolbox containing drugs had
common authority under Matlock to consent to a search of the toolbox stored in the courier's trunk).
Further, in the case of a government network, the Fourth Amendment rules would likely differ
dramatically from the rules that apply to private networks. See generally O'Connor v. Ortega, 480 U.S.
709 (1987) (explaining how the Fourth Amendment applies within government workplaces) (discussed
infra).
c) Implied Consent
Individuals often enter into agreements with the government in which they waive some of their
Fourth Amendment rights. For example, prison guards may agree to be searched for drugs as a
condition of employment, and visitors to government buildings may agree to a limited search of their
person and property as a condition of entrance. Similarly, users of computer systems may waive their
rights to privacy as a condition of using the systems. When individuals who have waived their rights are
then searched and challenge the searches on Fourth Amendment grounds, courts typically focus on
whether the waiver eliminated the individual's reasonable expectation of privacy against the search.
See, e.g., American Postal Workers Union, Columbus Area Local AFL-CIO v. United States Postal
Service, 871 F.2d 556, 56-61 (6th Cir. 1989) (holding that postal employees retained no reasonable
expectation of privacy in government lockers after signing waivers).
A few courts have approached the same problem from a slightly different direction and have asked
whether the waiver established implied consent to the search. According to the doctrine of implied
consent, consent to a search may be inferred from an individual's conduct. For example, in United
States v. Ellis, 547 F.2d 863 (5th Cir. 1977), a civilian visiting a naval air station agreed to post a
visitor's pass on the windshield of his car as a condition of bringing the car on the base. The pass stated
that "[a]cceptance of this pass gives your consent to search this vehicle while entering, aboard, or
leaving this station." Id. at 865 n.1. During the visitor's stay on the base, a station investigator who
suspected that the visitor had stored marijuana in the car approached the visitor and asked him if he had
read the pass. After the visitor admitted that he had, the investigator searched the car and found 20
plastic bags containing marijuana. The Fifth Circuit ruled that the warrantless search of the car was
permissible, because the visitor had impliedly consented to the search when he knowingly and
voluntarily entered the base with full knowledge of the terms of the visitor's pass. See id. at 866-67.
Ellis notwithstanding, it must be noted that several circuits have been critical of the implied
consent doctrine in the Fourth Amendment context. Despite the Fifth Circuit's broad construction, other
courts have proven reluctant to apply the doctrine absent evidence that the suspect actually knew of the
search and voluntarily consented to it at the time the search occurred. See McGann v. Northeast Illinois
Regional Commuter R.R. Corp., 8 F.3d 1174, 1179 (7th Cir. 1993) ("Courts confronted with claims of
implied consent have been reluctant to uphold a warrantless search based simply on actions taken in the
light of a posted notice."); Securities and Law Enforcement Employees, District Council 82 v. Carey,
737 F.2d 187, 202 n.23 (2d Cir. 1984) (rejecting argument that prison guards impliedly consented to
search by accepting employment at prison where consent to search was a condition of employment).
Absent such evidence, these courts have preferred to examine general waivers of Fourth Amendment
rights solely under the reasonable-expectation-of-privacy test. See id.
2. Exigent Circumstances
Under the "exigent circumstances" exception to the warrant requirement, agents can search
without a warrant if the circumstances "would cause a reasonable person to believe that entry . . . was
necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence,
the escape of the suspect, or some other consequence improperly frustrating legitimate law enforcement
efforts." See United States v. Alfonso, 759 F.2d 728, 742 (9th Cir. 1985). In determining whether
exigent circumstances exist, agents should consider: (1) the degree of urgency involved, (2) the amount
of time necessary to obtain a warrant, (3) whether the evidence is about to be removed or destroyed, (4)
the possibility of danger at the site, (5) information indicating the possessors of the contraband know the
police are on their trail, and (6) the ready destructibility of the contraband. See United States v. Reed,
935 F.2d 641, 642 (4th Cir. 1991).
Exigent circumstances often arise in computer cases because electronic data is perishable.
Computer commands can destroy data in a matter of seconds, as can humidity, temperature, physical
mutilation, or magnetic fields created, for example, by passing a strong magnet over a disk. For
example, in United States v. David, 756 F. Supp. 1385 (D. Nev. 1991), agents saw the defendant
deleting files on his computer memo book, and seized the computer immediately. The district court held
that the agents did not need a warrant to seize the memo book because the defendant's acts had created
exigent circumstances. See id. at 1392. Similarly, in United States v. Romero-Garcia, 991 F. Supp.
1223, 1225 (D. Or. 1997), aff'd on other grounds 168 F.3d 502 (9th Cir. 1999), a district court held that
agents had properly accessed the information in an electronic pager in their possession because they had
reasonably believed that it was necessary to prevent the destruction of evidence. The information stored
in pagers is readily destroyed, the court noted: incoming messages can delete stored information, and
batteries can die, erasing the information. Accordingly, the agents were justified in accessing the pager
without first acquiring a warrant. See id. See also United States v. Ortiz, 84 F.3d 977, 984 (7th Cir.
1996) (in conducting search incident to arrest, agents were justified in retrieving numbers from pager
because pager information is easily destroyed). Of course, in computer cases, as in all others, the
existence of exigent circumstances is absolutely tied to the facts. Compare Romero-Garcia, 991 F. Supp.
at 1225 with David, 756 F. Supp. at 1392 n.2 (dismissing as "lame" the government's argument that
exigent circumstances supported search of a battery-operated computer because the agent did not know
how much longer the computer's batteries would live) and United States v. Reyes, 922 F. Supp. 818,
835-36 (S.D.N.Y. 1996) (concluding that exigent circumstances could not justify search of a pager
because the government agent unlawfully created the exigency by turning on the pager).
Importantly, the existence of exigent circumstances does not permit agents to search or seize
beyond what is necessary to prevent the destruction of the evidence. When the exigency ends, the right
to conduct warrantless searches does as well: the need to take certain steps to prevent the destruction of
evidence does not authorize agents to take further steps without a warrant. See United States v. Doe, 61
F.3d 107, 110-11 (1st Cir. 1995). Accordingly, the seizure of computer hardware to prevent the
destruction of information it contains will not ordinarily support a subsequent search of that information
without a warrant. See David, 756 F. Supp. at 1392.
3. Plain View
Evidence of a crime may be seized without a warrant under the plain view exception to the warrant
requirement. To rely on this exception, the agent must be in a lawful position to observe and access the
evidence, and its incriminating character must be immediately apparent. See Horton v. California, 496
U.S. 128 (1990). For example, if an agent conducts a valid search of a hard drive and comes across
evidence of an unrelated crime while conducting the search, the agent may seize the evidence under the
plain view doctrine.
The plain view doctrine does not authorize agents to open a computer file and view its contents.
The contents of an unopened computer file are not in plain view.
Importantly, the plain view exception cannot justify violations of an individual's reasonable
expectation of privacy. The exception merely permits the seizure of evidence that has already been
viewed in accordance with the Fourth Amendment. In computer cases, this means that the government
cannot rely on the plain view exception to justify opening a closed computer file.4 The contents of a file
that must be opened to be viewed are not in plain view. See United States v. Maxwell, 45 M.J. 406,
422 (C.A.A.F. 1996). This rule accords with decisions applying the plain view exception to closed
containers. See, e.g., United States v. Villarreal, 963 F.2d 770, 776 (5th Cir. 1992) (concluding that
labels fixed to opaque 55-gallon drums do not expose the contents of the drums to plain view). ("[A]
label on a container is not an invitation to search it. If the government seeks to learn more than the label
reveals by opening the container, it generally must obtain a search warrant.").
United States v. Carey, 172 F.3d 1268, 1273 (10th Cir. 1999), provides a useful example. In
Carey, a police detective searching a hard drive with a warrant for drug trafficking evidence opened a
"jpg" file and instead discovered child pornography. At that point, the detective abandoned the search
for drug trafficking evidence and spent five hours accessing and downloading several hundred "jpg"
files in a search for more child pornography. When the defendant moved to exclude the child
pornography files on the ground that they were seized beyond the scope of the warrant, the government
argued that the detective had seized the "jpg" files properly because the contents of the contraband files
were in plain view. The Tenth Circuit rejected this argument with respect to all of the files except for
the first "jpg" file the detective discovered. See id. at 1273, 1273 n.4. Although the court's reasoning is
somewhat opaque, this aspect of Carey seems sensible. The plain view exception permits agents to seize
property found in plain view, not to infringe a suspect's right to privacy until his property comes into
plain view. As a result, the detective could seize the first "jpg" file that came into plain view when the
detective was executing the search warrant, but could not rely on the plain view exception to justify the
search for additional "jpg" files on the defendant's computers that were beyond the scope of the warrant.
4. Search Incident to a Lawful Arrest
Pursuant to a lawful arrest, agents may conduct a "full search" of the arrested person, and a more
limited search of his surrounding area, without a warrant. See United States v. Robinson, 414 U.S. 218,
235 (1973); Chimel v. California, 395 U.S. 752, 762-63 (1969). For example, in Robinson, a police
officer conducting a patdown search incident to an arrest for a traffic offense discovered a crumpled
cigarette package in the suspect's left breast pocket. Not knowing what the package contained, the
officer opened the package and discovered fourteen capsules of heroin. The Supreme Court held that
the search of the package was permissible, even though the officer had no articulable reason to open the
package. See id. at 234-35. In light of the general need to preserve evidence and prevent harm to the
arresting officer, the Court reasoned, it was per se reasonable for an officer to conduct a "full search of
the person" pursuant to a lawful arrest. Id. at 235.
Due to the increasing use of handheld and portable computers and other electronic storage devices,
agents often encounter computers when conducting searches incident to lawful arrests. Suspects may be
carrying pagers, Personal Digital Assistants (such as Palm Pilots), or even laptop computers when they
are arrested. Does the search-incident-to-arrest exception permit an agent to access the memory of an
electronic storage device found on the arrestee's person during a warrantless search incident to arrest?
In the case of electronic pagers, the answer clearly is yes. Relying on Robinson, courts have
uniformly permitted agents to access electronic pagers carried by the arrested person at the time of
arrest. See United States v. Reyes, 922 F. Supp. 818, 833 (S.D.N.Y. 1996) (holding that accessing
numbers in a pager found in bag attached to defendant's wheelchair within twenty minutes of arrest falls
within search-incident-to-arrest exception); United States v. Chan, 830 F. Supp. 531, 535 (N.D. Cal.
1993); United States v. Lynch, 908 F. Supp. 284, 287 (D.V.I. 1995); Yu v. United States, 1997 WL
423070 (S.D.N.Y. 1997); United States v. Thomas, 114 F.3d 403, 404 n.2 (3d Cir. 1997) (dicta). See
also United States v. Ortiz, 84 F.3d 977, 984 (7th Cir. 1996) (same holding, but relying on an exigency
theory).
Courts have not yet addressed whether Robinson will permit warrantless searches of electronic
storage devices that contain more information than pagers. In the paper world, certainly, cases have
allowed extensive searches of written materials discovered incident to lawful arrests. For example,
courts have uniformly held that agents may inspect the entire contents of a suspect's wallet found on his
person. See, e.g., United States v. Castro, 596 F.2d 674, 676 (5th Cir. 1979); United States v. Molinaro,
877 F.2d 1341, 1347 (7th Cir. 1989) (citing cases). Similarly, one court has held that agents could
photocopy the entire contents of an address book found on the defendant's person during the arrest, see
United States v. Rodriguez, 995 F.2d 776, 778 (7th Cir. 1993), and others have permitted the search of a
defendant's briefcase that was at his side at the time of arrest. See, e.g., United States v. Johnson, 846
F.2d 279, 283-84 (5th Cir. 1988); United States v. Lam Muk Chiu, 522 F.2d 330, 332 (2d Cir. 1975). If
agents can examine the contents of wallets, address books, and briefcases without a warrant, it could be
argued that they should be able to search their electronic counterparts (such as electronic organizers,
floppy disks, and Palm Pilots) as well. Cf. United States v. Tank, 200 F.3d 627, 632 (9th Cir. 2000) (holding
that agents searching a car incident to a valid arrest properly seized a Zip disk found in the car, but
failing to discuss whether the agents obtained a warrant before searching the disk for images of child
pornography).
The limit on this argument is that any search incident to an arrest must be reasonable. See Swain
v. Spinney, 117 F.3d 1, 6 (1st Cir. 1997). While a search of physical items found on the arrestee's
person may always be reasonable, more invasive searches in different circumstances may violate the
Fourth Amendment. See, e.g., Mary Beth G. v. City of Chicago, 723 F.2d 1263, 1269-71 (7th Cir. 1983)
(holding that Robinson does not permit strip searches incident to arrest because such searches are not
reasonable in context). For example, the increasing storage capacity of handheld computers suggests
that Robinson's bright line rule may not always apply in the case of electronic searches. Courts may
conclude that a quick search through a pager that stores a few phone numbers is reasonable incident to
an arrest, but that a very time-consuming search through a handheld computer that contains an entire
warehouse of information presents a different case. Cf. United States v. O'Razvi, 1998 WL 405048, at
*7 n.7 (S.D.N.Y. 1998). When in doubt, agents should obtain a search warrant before examining the
contents of electronic storage devices that might contain large amounts of information.
5. Inventory Searches
Law enforcement officers routinely inventory the items they have seized. Such "inventory
searches" are reasonable and therefore fall under an exception to the warrant requirement when
two conditions are met. First, the search must serve a legitimate, non-investigatory purpose (e.g., to
protect an owner's property while in custody; to insure against claims of lost, stolen, or vandalized
property; or to guard the police from danger) that outweighs the intrusion on the individual's Fourth
Amendment rights. See Illinois v. Lafayette, 462 U.S. 640, 644 (1983); South Dakota v. Opperman, 428
U.S. 364, 369 (1976). Second, the search must follow standardized procedures. See Colorado v.
Bertine, 479 U.S. 367, 374 n.6 (1987); Florida v. Wells, 495 U.S. 1, 4-5 (1990).
It is unlikely that the inventory-search exception to the warrant requirement would support a
search through seized computer files. See O'Razvi, 1998 WL 405048, at *6-7 (noting the difficulties of
applying the inventory-search requirements to computer disks). Even assuming that standard procedures
authorized such a search, the legitimate purposes served by inventory searches in the physical world do
not translate well into the intangible realm. Information does not generally need to be reviewed to be
protected, and does not pose a risk of physical danger. Although an owner could claim that his
computer files were altered or deleted while in police custody, examining the contents of the files would
offer little protection from tampering. Accordingly, agents will generally need to obtain a search warrant
in order to examine seized computer files held in custody.
6. Border Searches
In order to protect the government's ability to monitor contraband and other property that may
enter or exit the United States illegally, the Supreme Court has recognized a special exception to the
warrant requirement for searches that occur at the border of the United States. According to the Court,
"routine searches" at the border or its functional equivalent do not require a warrant, probable cause, or
even reasonable suspicion that the search may uncover contraband or evidence. United States v.
Montoya De Hernandez, 473 U.S. 531, 538 (1985). Searches that are especially intrusive require at least
reasonable suspicion, however. See id. at 541. These rules apply to people and property both entering
and exiting the United States. See United States v. Oriakhi, 57 F.3d 1290, 1297 (4th Cir. 1995).
At least one court has interpreted the border search exception to permit a warrantless search of a
computer disk for contraband computer files. In United States v. Roberts, 86 F. Supp.2d 678 (S.D. Tex.
2000), United States Customs Agents learned that William Roberts, a suspect believed to be carrying
computerized images of child pornography, was scheduled to fly from Houston, Texas to Paris, France
on a particular day. On the day of the flight, the agents set up an inspection area in the jetway at the
Houston airport with the sole purpose of searching Roberts. Roberts arrived at the inspection area and
was told by the agents that they were searching for "currency" and "high technology or other data" that
could not be exported legally. Id. at 681. After the agents searched Roberts' property and found a laptop
computer and six Zip diskettes, Roberts agreed to sign a consent form permitting the agents to search his
property. A subsequent search revealed several thousand images of child pornography. See id. at 682.
When charges were brought, Roberts moved for suppression of the computer files, but the district court
ruled that the search had not violated the Fourth Amendment. According to the court, the search of
Roberts' luggage had been a "routine search" for which no suspicion was required, even though the
justification for the search offered by the agents merely had been a pretext. See id. at 686 (citing Whren
v. United States, 517 U.S. 806 (1996)). The court also concluded that Roberts' consent justified the
search of the laptop and diskettes, and indicated that even if Roberts had not consented to the search, "[t]he
search of the defendant's computer and diskettes would have been a routine export search, valid
under the Fourth Amendment." See Roberts, 86 F. Supp.2d at 688.
Importantly, agents and prosecutors should not interpret Roberts as permitting the interception of
data transmitted electronically to and from the United States. Any real-time interception of
electronically transmitted data in the United States must comply strictly with the requirements of Title
III, 18 U.S.C. §§ 2510-22. See generally Chapter 4. Further, once electronically transferred data from
outside the United States arrives at its destination within the United States, the government ordinarily
cannot rely on the border search exception to search for and seize the data because the data is no longer
at the border or its functional equivalent. Cf. Almeida-Sanchez v. United States, 413 U.S. 266, 273-74
(1973) (concluding that a search that occurred 25 miles from the United States border did not qualify for
the border search exception, even though the search occurred on a highway known as a common route
for illegal aliens, because it did not occur at the border or its functional equivalent).
7. International Issues
Outside the United States border, searching and seizing electronic evidence raises difficult
questions of both law and policy. Because the Internet is a global network, international issues may
arise in many cases; even a domestic investigation may involve a computer system, data, witness or
subject located in a foreign jurisdiction. In such cases, the Fourth Amendment may or may not apply,
depending on the circumstances. See generally United States v. Verdugo-Urquidez, 494 U.S. 259
(1990) (considering the extent to which the Fourth Amendment applies to searches outside of the United
States). However, international policies regarding sovereignty and privacy may require the United
States to take actions ranging from informal notice to a formal request for assistance to the country
concerned.
This manual will not attempt to provide detailed guidance on how to resolve international issues
that arise in such cases. Investigators and prosecutors should contact the Office of International Affairs
at (202) 514-0000 for assistance. However, a few basic principles can be stated here. The United States
maintains approximately 40 bilateral mutual legal assistance treaty relationships and many other
relationships pursuant to letters rogatory or other longstanding means of cooperation. While
with respect to computer and electronic evidence is under further development internationally, these
treaty structures and ongoing relationships continue to provide the legal and practical means by which
the United States both seeks and provides legal assistance. When agents learn prior to a search that
some or all of the data to be searched is located in a foreign jurisdiction, they should seek advice from
the Office of International Affairs as to the need for and appropriate means to seek assistance from that
country.
When immediate international assistance is required, the international network of 24-hour Points
of Contact established by the High-tech Crime Subgroup of the G-8 countries can provide assistance,
such as preserving data and assisting in real-time tracing of cross-border communications. See generally
Michael A. Sussmann, The Critical Challenges from International High-Tech and Computer-Related
Crime at the Millennium, 9 Duke J. Comp. & Int'l L. 451, 484 (1999). The network is available
twenty-four hours a day to respond to urgent requests for assistance in international high-tech crime
investigations, or cases involving electronic evidence. The membership currently includes Australia,
Brazil, Canada, Denmark, Finland, France, Germany, Italy, Japan, Republic of Korea, Luxembourg,
Russia, Spain, Sweden, United Kingdom, and the United States, and continues to grow. The Point of
Contact for the United States is CCIPS, which can be contacted at (202) 514-1026 during regular
business hours, or, after hours, through the DOJ Command Center at (202) 514-5000. CCIPS also has
computer crime law enforcement contacts in countries beyond members of the network; agents and
prosecutors can call CCIPS for assistance.
Finally, international issues may also arise when the United States responds to foreign requests for
international legal assistance for computer and electronic evidence. Investigators and prosecutors can
contact the Office of International Affairs ((202) 514-0000) or CCIPS for additional advice.
D. Special Case: Workplace Searches
Warrantless workplace searches deserve a separate analysis because they occur often in computer
cases and raise unusually complicated legal issues. The primary cause of the analytical difficulty is the
Supreme Court's complex decision in O'Connor v. Ortega, 480 U.S. 709 (1987). Under O'Connor, the
legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether
the workplace is public sector or private sector, whether employment policies exist that authorize a
search, and whether the search is work-related.
Every warrantless workplace search must be evaluated carefully on its facts. In general, however,
law enforcement officers can conduct a warrantless search of private (i.e., non-government) workplaces
only if the officers obtain the consent of either the employer or another employee with common
authority over the area searched. In public (i.e., government) workplaces, officers cannot rely on an
employer's consent, but can conduct searches if written employment policies or office practices
establish that the government employees targeted by the search cannot reasonably expect privacy in their
workspace. Further, government employers and supervisors can conduct reasonable work-related
searches of employee workspaces without a warrant even if the searches violate employees' reasonable
expectation of privacy.
One cautionary note is in order before we proceed. This discussion evaluates the legality of
warrantless workplace searches of computers under the Fourth Amendment. In many cases, however,
workplace searches will implicate federal privacy statutes in addition to the Fourth Amendment. For
example, efforts to obtain an employee's files and e-mail from the employer's network server raise
issues under the Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-11 (discussed in Chapter
3), and workplace monitoring of an employee's Internet use implicates Title III, 18 U.S.C. §§ 2510-22
(discussed in Chapter 4). Before conducting a workplace search, investigators must make sure that their
search will not violate either the Fourth Amendment or relevant federal privacy statutes. Investigators
should contact CCIPS at (202) 514-1026 or the CTC in their district for further assistance.
1. Private Sector Workplace Searches
The rules for conducting warrantless searches and seizures in private-sector workplaces generally
mirror the rules for conducting warrantless searches in homes and other personal residences. Private
company employees generally retain a reasonable expectation of privacy in their workplaces. As a
result, private-workplace searches by law enforcement will usually require a warrant unless the agents
can obtain the consent of an employer or a co-worker with common authority.
a) Reasonable Expectation of Privacy in Private-Sector Workplaces
Private-sector employees will usually retain a reasonable expectation of privacy in their office
space. In Mancusi v. DeForte, 392 U.S. 364 (1968), police officers conducted a warrantless search of an
office at a local union headquarters that defendant Frank DeForte shared with several other union
officials. In response to DeForte's claim that the search violated his Fourth Amendment rights, the
police officers argued that the joint use of the space by DeForte's co-workers made his expectation of
privacy unreasonable. The Court disagreed, stating that DeForte "still could reasonably have expected
that only [his officemates] and their personal or business guests would enter the office, and that records
would not be touched except with their permission or that of union higher-ups." Id. at 369. Because
only a specific group of people actually enjoyed joint access and use of DeForte's office, the officers'
presence violated DeForte's reasonable expectation of privacy. See id. See also United States v. Most,
876 F.2d 191, 198 (D.C. Cir. 1989) ("[A]n individual need not shut himself off from the world in order
to retain his fourth amendment rights. He may invite his friends into his home but exclude the police; he
may share his office with co-workers without consenting to an official search."); United States v. Lyons,
706 F.2d 321, 325 (D.C. Cir. 1983) ("One may freely admit guests of one's choosing or be legally
obligated to admit specific persons without sacrificing one's right to expect that a space will remain
secure against all others."). As a practical matter, then, private employees will generally retain an
expectation of privacy in their work space unless that space is "open to the world at large." Id. at 326.
b) Consent in Private-Sector Workplaces
Although most non-government workplaces will support a reasonable expectation of privacy from
a law enforcement search, agents can defeat this expectation by obtaining the consent of a party who
exercises common authority over the area searched. See Matlock, 415 U.S. at 171. In practice, this
means that agents can often overcome the warrant requirement by obtaining the consent of the target's
employer or supervisor. Depending on the facts, a co-worker's consent may suffice as well.
Private-sector employers and supervisors generally enjoy a broad authority to consent to searches
in the workplace. For example, in United States v. Gargiso, 456 F.2d 584 (2d Cir. 1972), a pre-Matlock
case, agents conducting a criminal investigation of an employee of a private company sought access to a
locked, wired-off area in the employer's basement. The agents explained their needs to the company's
vice-president, who took the agents to the basement and opened the basement with his key. When the
employee attempted to suppress the evidence that the agents discovered in the basement, the court held
that the vice-president's consent was effective. Because the vice-president shared supervisory power
over the basement with the employee, the court reasoned, he could consent to the agents' search of that
area. Id. at 586-87. See also United States v. Bilanzich, 771 F.2d 292, 296-97 (7th Cir. 1985) (holding
that the owner of a hotel could consent to search of locked room used by hotel employee to store
records, even though owner did not carry a key, because employee worked at owner's bidding); J.L. Foti
Constr. Co. v. Donovan, 786 F.2d 714, 716-17 (6th Cir. 1986) (per curiam) (holding that a general
contractor's superintendent could consent to an inspection of an entire construction site, including
subcontractor's work area). In a close case, an employment policy or computer network banner that
establishes the employer's right to consent to a workplace search can help establish the employer's
common authority to consent under Matlock. See Appendix A.
Agents should be careful about relying on a co-worker's consent to conduct a workplace search.
While employers generally retain the right to access their employees' work spaces, co-workers may or
may not, depending on the facts. When co-workers do exercise common authority over a workspace,
however, investigators can rely on a co-worker's consent to search that space. For example, in United
States v. Buettner-Janusch, 646 F.2d 759 (2d Cir. 1981), a professor and an undergraduate research
assistant at New York University consented to a search of an NYU laboratory managed by a second
professor suspected of using his laboratory to manufacture LSD and other drugs. Although the search
involved opening vials and several other closed containers, the Second Circuit held that Matlock
authorized the search because both consenting co-workers had been authorized to make full use of the
lab for their research. See id. at 765-66. See also United States v. Jenkins, 46 F.3d 447, 455-58 (5th
Cir. 1995) (allowing an employee to consent to a search of the employer's property); United States v.
Murphy, 506 F.2d 529, 530 (9th Cir. 1974) (per curiam) (same); United States v. Longo, 70 F. Supp.2d
225, 256 (W.D.N.Y. 1999) (allowing secretary to consent to search of employer's computer). But see
United States v. Buitrago Pelaez, 961 F. Supp. 64, 67-68 (S.D.N.Y. 1997) (holding that a receptionist
could consent to a general search of the office, but not of a locked safe to which receptionist did not
know the combination).
c) Employer Searches in Private-Sector Workplaces
Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So
long as the employer is not acting as an instrument or agent of the Government at the time of the search,
the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor
Executives' Ass'n, 489 U.S. 602, 614 (1989).
2. Public-Sector Workplace Searches
Although warrantless computer searches in private-sector workplaces follow familiar Fourth
Amendment rules, the application of the Fourth Amendment to public-sector workplace searches of
computers presents a different matter. In O'Connor v. Ortega, 480 U.S. 709 (1987), the Supreme Court
introduced a distinct framework for evaluating warrantless searches in government workplaces that
applies to computer searches. According to O'Connor, a government employee can enjoy a reasonable
expectation of privacy in his workplace. See id. at 717 (O'Connor, J., plurality opinion); Id. at 721
(Scalia, J., concurring). However, an expectation of privacy becomes unreasonable if "actual office
practices and procedures, or . . . legitimate regulation" permit the employee's supervisor, co-workers, or
the public to enter the employee's workspace. Id. at 717 (O'Connor, J., plurality opinion). Further,
employers can conduct "reasonable" warrantless searches even if the searches violate an employee's
reasonable expectation of privacy. Such searches include work-related, noninvestigatory intrusions
(e.g., entering an employee's locked office to retrieve a file) and reasonable investigations into
work-related misconduct. See id. at 725-26 (O'Connor, J., plurality opinion); Id. at 732 (Scalia, J.,
concurring).
a) Reasonable Expectation of Privacy in Public Workplaces
The reasonable expectation of privacy test formulated by the O'Connor plurality asks whether a
government employee's workspace is "so open to fellow employees or to the public that no expectation
of privacy is reasonable." O'Connor, 480 U.S. at 718 (plurality opinion). This standard differs
significantly from the standard analysis applied in private workplaces. Whereas private-sector
employees enjoy a reasonable expectation of privacy in their workspace unless the space is "open to the
world at large," Lyons, 706 F.2d at 326, government employees retain a reasonable expectation of
privacy in the workplace only if a case-by-case inquiry into actual office practices and procedures
shows that it is reasonable for employees to expect that others will not enter their space. See O'Connor,
480 U.S. at 717 (plurality opinion); Rossi v. Town of Pelham, 35 F. Supp.2d. 58, 63 (D.N.H. 1997). See
also O'Connor, 480 U.S. at 730-31 (Scalia, J., concurring) (noting the difference between the
expectation-of-privacy analysis offered by the O'Connor plurality and that traditionally applied in
private workplace searches). From a practical standpoint, then, public employees are less likely to retain
a reasonable expectation of privacy against government searches at work than are private employees.
Courts evaluating public employees' reasonable expectation of privacy in the wake of O'Connor
have considered the following factors: whether the work area in question is assigned solely to the
employee; whether others have access to the space; whether the nature of the employment requires a
close working relationship with others; whether office regulations place employees on notice that certain
areas are subject to search; and whether the property searched is public or private. See Vega-Rodriguez
v. Puerto Rico Tel. Co., 110 F.3d 174, 179-80 (1st Cir. 1997) (summarizing cases); United States v.
Mancini, 8 F.3d 104, 109 (1st Cir. 1993). In general, the courts have rejected claims of an expectation
of privacy in an office when the employee knew or should have known that others could access the
employee's workspace. See, e.g., Sheppard v. Beerman, 18 F.3d 147, 152 (2d Cir. 1994) (holding that
judge's search through his law clerk's desk and file cabinets did not violate the clerk's reasonable
expectation of privacy because of the clerk's close working relationship with the judge); Schowengerdt
v. United States, 944 F.2d 483, 488 (9th Cir. 1991) (holding that civilian engineer employed by the
Navy who worked with classified documents at an ordnance plant had no reasonable expectation of
privacy in his office because investigators were known to search employees' offices for evidence of
misconduct on a regular basis). But see United States v. Taketa, 923 F.2d 665, 673 (9th Cir. 1991)
(concluding in dicta that public employee retained expectation of privacy in office shared with several
co-workers). In contrast, the courts have found that a search violates a public employee's reasonable
expectation of privacy when the employee had no reason to expect that others would access the space
searched. See O'Connor, 480 U.S. at 718-19 (plurality) (holding that physician at state hospital retained
expectation of privacy in his desk and file cabinets where there was no evidence that other employees
could enter his office and access its contents); Rossi, 35 F. Supp.2d at 64 (holding that town clerk
enjoyed reasonable expectation of privacy in 8' x 8' office that the public could not access and other
town employees did not enter).
While agents must evaluate whether a public employee retains a reasonable expectation of privacy
in the workplace on a case-by-case basis, official written employment policies can simplify the task
dramatically. See O'Connor, 480 U.S. at 717 (plurality) (noting that "legitimate regulation" of the work
place can reduce public employees' Fourth Amendment protections). Courts have uniformly deferred to
public employers' official policies that expressly authorize access to the employee's workspace, and
have relied on such policies when ruling that the employee cannot retain a reasonable expectation of
privacy in the workplace. See American Postal Workers Union, Columbus Area Local AFL-CIO v.
United States Postal Serv., 871 F.2d 556, 56-61 (6th Cir. 1989) (holding that postal employees retained
no reasonable expectation of privacy in contents of government lockers after signing waivers stating that
lockers were subject to inspection at any time, even though lockers contained personal items); United
States v. Bunkers, 521 F.2d 1217, 1219-1220 (9th Cir. 1975) (same, noting language in postal manual
stating that locker is subject to search by supervisors and postal inspectors). Of course, whether a
specific policy eliminates a reasonable expectation of privacy is a factual question. Employment policies
that do not explicitly address employee privacy may prove insufficient to eliminate Fourth Amendment
protection. See, e.g., Taketa, 923 F.2d at 672-73 (concluding that regulation requiring DEA employees
to maintain "clean desks" did not defeat workplace expectation of privacy of non-DEA employee
assigned to DEA office).
When planning to search a government computer in a government workplace, agents should look
for official employment policies or "banners" that can eliminate a reasonable expectation of
privacy in the computer.
Written employment policies and "banners" are particularly important in cases that consider
whether government employees enjoy a reasonable expectation of privacy in government computers.
Banners are written notices that greet users before they log on to a computer or computer network, and
can inform users of the privacy rights that they do or do not retain in their use of the computer or
network. See generally Appendix A.
In general, government employees who are notified that their employer has retained rights to
access or inspect information stored on the employer's computers can have no reasonable expectation of
privacy in the information stored there. For example, in United States v. Simons, 206 F.3d 392 (4th Cir.
2000), computer specialists at a division of the Central Intelligence Agency learned that an employee
named Mark Simons had been using his desktop computer at work to obtain pornography available on
the Internet, in violation of CIA policy. The computer specialists accessed Simons' computer remotely
without a warrant, and obtained copies of over a thousand picture files that Simons had stored on his
hard drive. Many of these picture files contained child pornography, which were turned over to law
enforcement. When Simons filed a motion to suppress the fruits of the remote search of his hard drive,
the Fourth Circuit held that the CIA division's official Internet usage policy eliminated any reasonable
expectation of privacy that Simons might otherwise have in the copied files. See id. at 398. The policy
stated that the CIA division would "periodically audit, inspect, and/or monitor [each] user's Internet
access as deemed appropriate," and that such auditing would be implemented "to support identification,
termination, and prosecution of unauthorized activity." Id. at 395-96. Simons did not deny that he was
aware of the policy. See id. at 398 n.8. In light of the policy, the Fourth Circuit held, Simons did not
retain a reasonable expectation of privacy with regard to the record or fruits of his Internet use,
including the files he had downloaded. Id. at 398.
Other courts have agreed with the approach articulated in Simons and have held that banners and
policies generally eliminate a reasonable expectation of privacy in contents stored in a government
employee's network account. See Wasson v. Sonoma County Junior College, 4 F. Supp.2d 893, 905-06
(N.D. Cal. 1997) (holding that public employer's computer policy giving the employer "the right to
access all information stored on [the employer's] computers" defeats an employee's reasonable
expectation of privacy in files stored on employer's computers); Bohach v. City of Reno, 932 F. Supp.
1232, 1235 (D. Nev. 1996) (holding that police officers did not retain a reasonable expectation of
privacy in their use of a pager system, in part because the Chief of Police had issued an order
announcing that all messages would be logged); United States v. Monroe, 52 M.J. 326 (C.A.A.F. 2000)
(holding that Air Force sergeant did not have a reasonable expectation of privacy in his government
e-mail account because e-mail use was reserved for official business and network banner informed each
user upon logging on to the network that use was subject to monitoring). But see DeMaine v. Samuels,
2000 WL 1658586, at *7 (D. Conn. 2000) (suggesting that the existence of an employment manual
explicitly authorizing searches "weighs heavily" in the determination of whether a government
employee retained a reasonable expectation of privacy at work, but does not, on its own, dispose of the
question).
Of course, whether a specific policy eliminates a reasonable expectation of privacy is a factual
question. Agents and prosecutors must consider whether a given policy is sufficiently broad that it
reasonably contemplates the search to be conducted. If the policy is narrow, it may not waive the
government employee's reasonable expectation of privacy against the search that the government plans
to execute. For example, in Simons, the Fourth Circuit concluded that although the CIA division's
Internet usage policy eliminated Simons' reasonable expectation of privacy in the fruits of his Internet
use, it did not eliminate his reasonable expectation of privacy in the physical confines of his office. See
Simons, 206 F.3d at 399 n.10. Accordingly, the policy by itself was insufficient to justify a physical
entry into Simons' office. See id. at 399. See also Taketa, 923 F.2d at 672-73 (concluding that
regulation requiring DEA employees to maintain "clean desks" did not defeat workplace expectation of
privacy of non-DEA employee assigned to DEA office). Sample banners appear in Appendix A.
b) "Reasonable" Workplace Searches Under O'Connor v. Ortega
Government employers and their agents can conduct "reasonable" work-related searches even if
those searches violate an employee's reasonable expectation of privacy.
In most circumstances, a warrant must be obtained before a government actor can conduct a search
that violates an individual's reasonable expectation of privacy. In the context of government
employment, however, the government's role as an employer (as opposed to its role as a law-enforcer)
presents a special case. In O'Connor, the Supreme Court held that a public employer or the employer's
agent can conduct a workplace search that violates a public employee's reasonable expectation of
privacy so long as the search is reasonable. See O'Connor, 480 U.S. at 722-23 (plurality); Id. at 732
(Scalia, J., concurring). The Court's decision adds public workplace searches by employers to the list
of "special needs" exceptions to the warrant requirement. The "special needs" exceptions permit the
government to dispense with the usual warrant requirement when its officials infringe upon protected
privacy rights in the course of acting in a non-law enforcement capacity. See, e.g., New Jersey v.
T.L.O., 469 U.S. 325, 351 (1985) (Blackmun, J., concurring) (applying the "special needs" exception to
permit public school officials to search student property without a warrant in an effort to maintain
discipline and order in public schools); National Treasury Employees Union v. Von Raab, 489 U.S. 656,
677 (1989) (applying the "special needs" exception to permit warrantless drug testing of Customs
employees who seek promotions to positions where they would handle sensitive information). In these
cases, the Court has held that the need for government officials to pursue legitimate
non-law-enforcement aims justifies a relaxing of the warrant requirement because "the burden of obtaining a
warrant is likely to frustrate the [non-law-enforcement] governmental purpose behind the search."
O'Connor, 480 U.S. at 720 (quoting Camara v. Municipal Court, 387 U.S. 523, 533 (1967)).
According to O'Connor, a warrantless search must satisfy two requirements to qualify as
reasonable. First, the employer or his agents must participate in the search for a work-related reason,
rather than merely to obtain evidence for use in criminal proceedings. Second, the search must be
justified at its inception and permissible in its scope.
i) The Search Must Be Work-Related
The first element of O'Connor's reasonableness test requires that the employer or his agents must
participate in the search for a work-related reason, rather than merely to obtain evidence for use in
criminal proceedings. See O'Connor, 480 U.S. at 721. This element limits the O'Connor exception to
circumstances in which the government actors who conduct the search act in their capacity as
employers, rather than law enforcers. The O'Connor Court specified two such circumstances. First, the
Court concluded that public employers can conduct reasonable work-related noninvestigatory intrusions,
such as entering an employee's office to retrieve a file or report while the employee is out. See id. at
722 (plurality); Id. at 732 (Scalia, J., concurring). Second, the Court concluded that employers can
conduct reasonable investigations into an employee's work-related misconduct, such as entering an
employee's office to investigate employee misfeasance that threatens the efficient and proper operation
of the office. See id. at 724 (plurality); Id. at 732 (Scalia, J., concurring).
The line between a legitimate work-related search and an illegitimate search for criminal evidence
is clear in theory, but often blurry in fact. Public employers who learn of misconduct at work may
investigate it with dual motives: they may seek evidence both to root out "inefficiency, incompetence,
mismanagement, or other work-related misfeasance," id. at 724, and also to collect evidence for a
criminal prosecution. Indeed, the two categories may merge altogether. For example, government
officials who have criminal investigators under their command may respond to allegations of
work-related misconduct by directing the investigators to search employee offices for evidence of a crime.
The courts have adopted fairly generous interpretations of O'Connor when confronted with mixed-
motive searches. In general, the presence and involvement of law enforcement officers will not
invalidate the search so long as the employer or his agent participates in the search for legitimate
work-related reasons. See, e.g., Gossmeyer v. McDonald, 128 F.3d 481, 492 (7th Cir. 1997) (concluding that
presence of law enforcement officers in a search team looking for evidence of work-related misconduct
does not transform search into an illegitimate law enforcement search); Taketa, 923 F.2d at 674
(concluding that search of DEA office space by DEA agents investigating allegations of illegal
wiretapping was "an internal investigation directed at uncovering work-related employee misconduct.").
Shields v. Burge, 874 F.2d 1201, 1202-05 (7th Cir. 1989) (applying the O'Connor exception to an
internal affairs investigation of a police sergeant that paralleled a criminal investigation); Ross v.
Hinton, 740 F. Supp. 451, 458 (S.D. Ohio 1990) (concluding that a public employer's discussions with
law enforcement officer concerning employee's alleged criminal misconduct, culminating in officer's
advice to "secure" the employee's files, did not transform employer's subsequent search of employee's
office into a law enforcement search).
Although the presence of law enforcement officers ordinarily will not invalidate a work-related
search, a few courts have indicated that whether O'Connor applies depends as much on the identity of
the personnel who conduct the search as whether the purpose of the search is work-related. For
example, in United States v. Simons, 206 F.3d 392, 400 (4th Cir. 2000), the Fourth Circuit concluded
that O'Connor authorized the search of a government employee's office by his supervisor even though
the dominant purpose of the search was to uncover evidence of a crime. Because the search was
conducted by the employee's supervisor, the Court indicated, it fell within the scope of O'Connor. See
id. ("[The employer] did not lose its special need for the efficient and proper operation of the workplace
merely because the evidence obtained was evidence of a crime.") (internal quotations and citations
omitted). Conversely, one district court has held that the O'Connor exception did not apply when a
government employer sent a uniformed police officer to an employee's office, even though the purpose
of the police officer's presence was entirely work-related. See Rossi v. Town of Pelham, 35 F. Supp.2d
58, 65-66 (D.N.H. 1997) (civil action pursuant to 42 U.S.C. § 1983) (concluding that O'Connor
exception did not apply when town officials sent a single police officer to town clerk's office to ensure
that clerk did not remove public records from her office before a scheduled audit could occur; the
resulting search was a "police intrusion" rather than an "employer intrusion").
Of course, courts will invalidate warrantless workplace searches when the facts establish that law
enforcement provided the true impetus for the search, and the search violated an employee's reasonable
expectation of privacy. See United States v. Hagarty, 388 F.2d 713, 717 (7th Cir. 1968) (holding that
surveillance installed by criminal investigators violated the Fourth Amendment where purpose of
surveillance was "to detect criminal activity" rather than "to supervise and investigate" a government
employee); United States v. Kahan, 350 F. Supp. 784, 791 (S.D.N.Y. 1972), rev'd in part on other
grounds, 479 F.2d 290 (2d Cir. 1973), rev'd with directions to reinstate the district court judgment, 415
U.S. 239 (1974) (invalidating warrantless search of INS employee's wastebasket by INS criminal
investigator who searched the employee's wastebasket for evidence of a crime every day after work with
the employer's consent).
ii) The Search Must Be Justified At Its Inception And Permissible In Its Scope
To be "reasonable" under the Fourth Amendment, a work-related employer search of the type
endorsed in O'Connor must also be both "justified at its inception," and "permissible in its scope."
O'Connor, 480 U.S. at 726 (plurality). A search will be justified at its inception when there are
reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of
work-related misconduct, or that the search is necessary for a noninvestigatory work-related purpose.
Id. See, e.g., Simons, 206 F.3d at 401 (holding that entrance into employee's office to seize his computer
was justified at its inception because employer knew that employee had used the computer to download
child pornography); Gossmeyer, 128 F.3d at 491 (holding that co-worker's specific allegations of
serious misconduct made Sheriff's search of Child Protective Investigator's locked desk and file
cabinets justified at its inception); Taketa, 923 F.2d at 674 (concluding that report of misconduct
justified initial search of employee's office); Shields, 874 F.2d at 1204 (suggesting in dicta that search
of police officer's desk for narcotics pursuant to internal affairs investigation might be reasonable
following an anonymous tip); DeMaine v. Samuels, 2000 WL 1658586, at *10 (D. Conn. 2000)
(holding that search of police officer's day planner was justified by information from two reliable
sources that the officer kept detailed attendance notes relevant to overtime investigation involving other
officers); Williams v. Philadelphia Housing Auth., 826 F. Supp. 952, 954 (E.D. Pa. 1993) (concluding
that employee's search for a computer disk in employee's office was justified at its inception because
employer needed contents of disk for official purposes). Compare Ortega v. O'Connor, 146 F.3d 1149,
1162 (9th Cir. 1998) (concluding that vague, uncorroborated and stale complaints of misconduct do not
justify a decision to search an employee's office).
A search will be "permissible in its scope" when "the measures adopted are reasonably related to
the objectives of the search and [are] not excessively intrusive in light of the nature of the misconduct."
O'Connor, 480 U.S. at 726 (plurality) (internal quotations omitted). This standard requires employers
and their agents to tailor work-related searches to the alleged misfeasance. See, e.g., Simons, 206 F.3d at
401 (holding that search for child pornography believed to be stored in employee's computer was
permissible in scope because individual who conducted the search "simply crossed the floor of [the
defendant's] office, switched hard drives, and exited"); Gossmeyer, 128 F.3d at 491 (concluding that
workplace search for images of child pornography was permissible in scope because it was limited to
places where such images would likely be stored); Samuels, 2000 WL 1658586, at *10 (holding that
search through police officer's day planner was reasonable because Internal Affairs investigators had
reason to believe day planner contained information relevant to investigation of overtime abuse). If
employers conduct a search that unreasonably exceeds the scope necessary to pursue the employer's
legitimate work-related objectives, the search will be "unreasonable" and will violate the Fourth
Amendment. See O'Connor, 146 F.3d at 1163 (concluding that a "general and unbounded" search of an
employee's desk, cabinets, and personal papers was impermissible in scope where the search team did
not attempt to limit their investigation to evidence of alleged misconduct).
c) Consent in Public-Sector Workplaces
Although public employers may search employees' workplaces without a warrant for work-related
reasons, public workplaces offer a more restrictive milieu in one respect. In government workplaces,
employers acting in their official capacity generally cannot consent to a law enforcement search of their
employees' offices. See United States v. Blok, 188 F.2d 1019, 1021 (D.C. Cir. 1951) (concluding that a
government supervisor cannot consent to a law enforcement search of a government employee's desk);
Taketa, 923 F.2d at 673; Kahan, 350 F. Supp. at 791. The rationale for this result is that the Fourth
Amendment cannot permit one government official to consent to a search by another. See Blok, 188
F.2d at 1021 ("Operation of a government agency and enforcement of criminal law do not amalgamate
to give a right of search beyond the scope of either."). Accordingly, law enforcement searches
conducted pursuant to a public employer's consent must be evaluated under O'Connor rather than the
third-party consent rules of Matlock. The question in such cases is not whether the public employer had
common authority to consent to the search, but rather whether the combined law enforcement and
employer search satisfied the Fourth Amendment standards of O'Connor v. Ortega.
II. SEARCHING AND SEIZING COMPUTERS WITH A WARRANT
A. Introduction
The legal framework for searching and seizing computers with a warrant largely mirrors the legal
framework for more traditional types of searches and seizures. As with any kind of search pursuant to a
warrant, law enforcement must establish probable cause, "supported by Oath or affirmation," and must
"particularly describ[e] the place to be searched, and the persons or things to be seized." U.S. Const.
Amend. 4.
Despite the common legal framework, computer searches differ from other searches because
computer technologies frequently force agents to execute computer searches in nontraditional ways.
Consider the traditional case of a warrant to seize a stolen car from a private parking lot. Agents
generally can assume that the lot will still exist in its prior location when the agents execute the search,
and can assume they will be able to identify the stolen car quickly based on the car's model, make,
license plate, or Vehicle Identification Number. As a result, the process of drafting the warrant and
executing the search is relatively simple. After the agents establish probable cause and describe the car
and lot to the magistrate judge, the magistrate judge can issue the warrant authorizing the agents to go to
the lot and retrieve the car.
Searches for computer files tend to be more complicated. Because computer files consist of
electrical impulses that can be stored on the head of a pin and moved around the world in an instant,
agents may not know where computer files are stored, or in what form. Files may be stored on a floppy
diskette, on a hidden directory in a suspect's laptop, or on a remote server located thousands of miles
away. The files may be encrypted, misleadingly titled, stored in unusual file formats, or commingled
with millions of unrelated, innocuous, and even statutorily protected files. As a result of these
uncertainties, agents cannot simply establish probable cause, describe the files they need, and then go
and retrieve the data. Instead, they must understand the technical limits of different search techniques,
plan the search carefully, and then draft the warrant in a manner that authorizes the agents to take
necessary steps to obtain the evidence they need.
Searching and seizing computers with a warrant is as much an art as a science. In general,
however, agents and prosecutors have found that they can maximize the likelihood of a successful
search and seizure by following these four steps:
1) Assemble a team consisting of the case agent, the prosecutor,
and a technical expert as far in advance of the search as possible.
Although the lead investigating agent is the central figure in most searches, computer searches
generally require a team with three important players: the agent, the prosecutor, and a technical
specialist with expertise in computers and computer forensics. In most computer searches, the case
agent organizes and directs the search, learns as much as possible about the computers to be searched,
and writes the affidavit establishing probable cause. The technical specialist explains the technical
limitations that govern the search to the case agent and prosecutor, creates the plan for executing the
search, and in many cases takes the lead role in executing the search itself. Finally, the prosecutor
reviews the affidavit and warrant and makes sure that the entire process complies with the Fourth
Amendment and Rule 41 of the Federal Rules of Criminal Procedure. Of course, each member of the
team should collaborate with the others to help ensure an effective search.
There are many sources of technical expertise in the federal government. Most agencies that have
law enforcement investigators also have technical specialists trained in computer forensics. For
example, the FBI has Computer Analysis Response Team (CART) examiners, the Internal Revenue
Service has Seized Computer Evidence Recovery (SCER) specialists, and the Secret Service has the
Electronic Crime Special Agent Program (ESCAP). Investigating agents should contact the technical
experts within their own agency. Further, some agencies offer case agents sufficient technical training
that they may also be able to act as technical specialists. In such cases, the case agents normally do not
need to consult with technical experts and can serve as technical specialists and case agents
simultaneously.
2) Learn as much as possible about the computer system that will be searched
before devising a search strategy or drafting the warrant.
After assembling the team, the case agent should begin acquiring as much information as possible
about the computer system targeted by the search. It is difficult to overstate the importance of this step.
For the most part, the need for detailed and accurate information about the targeted computer results
from practical considerations. Until the agent has learned what kinds of computers and operating
systems the target uses, it is impossible to know how the information the system contains can be
retrieved, or even where the information may be located. Every computer and computer network is
different, and subtle differences in hardware, software, operating systems, and system configuration can
alter the search plan dramatically. For example, a particular search strategy may work well if a targeted
network runs the Linux operating system, but might not work if the network runs Windows NT instead.
These concerns are particularly important when searches involve complicated computer networks
(as opposed to stand-alone PCs). For example, the mere fact that a business uses computers in its
does not mean that the computersterminals found there actually contain any useful information.
Businesses may contract with network service providers that store the business's information on remote
network servers located miles (or even thousands of miles) away. As a result of these considerations, a
technical specialist cannot advise the case agent on the practical aspects of different search strategies
without knowing the nature of the computer system to be searched. Agents need to learn as much as
possible about the targeted computer before drafting the warrant, including (if possible) the hardware,
the software, the operating system, and the configuration of the network.
Obtaining detailed and accurate information about the targeted computer also has important legal
implications. For example, the incidental seizure of First Amendment materials such as drafts of
newsletters or web pages may implicate the Privacy Protection Act (PPA), 42 U.S.C. § 2000aa, and
the incidental seizure and subsequent search through network accounts may raise issues under the
Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2701-11 (see generally Parts B.2 and
B.3, infra). To minimize liability under these statutes, agents should conduct a careful investigation into
whether and where First Amendment materials and network accounts may be stored on the computer
system targeted by the search. At least one court has suggested that a failure to conduct such an
investigation can help deprive the government of a good faith defense against liability under these
statutes. See Steve Jackson Games, Inc. v. United States Secret Service, 816 F. Supp. 432 (W.D. Tex.
1993), aff'd, 36 F.3d 457 (5th Cir. 1994).
On a practical level, agents may take various approaches to learning about a targeted computer
network. In some cases, agents can interview the system administrator of the targeted network
(sometimes in an undercover capacity), and obtain all or most of the information the technical specialist
needs to plan and execute the search. When this is impossible or dangerous, more piecemeal strategies
may prove effective. For example, agents sometimes conduct on-site visits (often undercover) that at
least reveal some elements of the hardware involved. A useful source of information for networks
connected to the Internet is the Internet itself. For example, the "host" command in a UNIX
environment often reveals the operating system, machines, and general layout of a targeted network
connected to the Internet (although it may set off alarms at the target network).
3) Formulate a strategy for conducting the search (including a backup plan)
based on the known information about the targeted computer system.
With a team in place and the targeted system researched, the next step is to formulate a strategy
for conducting the search. For example, will the agents search through the targeted computer(s) on the
premises, or will they simply enter the premises and remove all of the hardware? Will the agents make
copies of individual files, or will they make exact copies of entire hard drives? What will the agents do
if their original plan fails, or if the computer hardware or software turns out to be significantly different
from what they expected? These decisions hinge on a series of practical and legal considerations. In
most cases, the search team should decide on a preferred search strategy, and then plan a series of
backup strategies if the preferred strategy proves impractical.
The issues that must be considered when formulating a strategy to search and seize a computer are
discussed in depth in Part B of this chapter. In general, however, the issues group into four questions:
First, what is the most effective search strategy that will comply with Rule 41 and the Fourth
Amendment? Second, does the search strategy need to be modified to minimize the possibility of
violating either the PPA or ECPA? Third, will the search require multiple warrants? And fourth, should
agents ask for special permission to conduct a no-knock or sneak-and-peek search?
4) Draft the warrant, taking special care to describe the object of the search and the
property to be seized accurately and particularly, and explain the search strategy (as
well as the practical and legal issues that helped shape it) in the supporting affidavit.
The essential ingredients for drafting a successful search warrant are covered in Section C, and a
practical guide to drafting warrants and affidavits appears in Appendix F. In general, however, the keys
to drafting successful computer search warrants are first to describe carefully and particularly the object
of the warrant that investigators have probable cause to seize, and second to explain adequately the
search strategy in the supporting affidavit. On a practical level, these steps help focus and guide the
investigators as they execute the search. As a legal matter, the first step helps to overcome particularity
challenges, and the latter helps to thwart claims that the agents executed the search in "flagrant
disregard" of the warrant.
B. Planning the Search
1. Basic Strategies for Executing Computer Searches
Computer searches may be executed in a variety of ways. For the most part, there are four possibilities:
1) Search the computer and print out a hard copy of particular files at that time;
2) Search the computer and make an electronic copy of particular files at that time;
3) Create a mirror-image electronic copy of the entire storage device on-site, and then later
recreate a working copy of the storage device off-site for review;5 and
4) Seize the equipment, remove it from the premises, and review its contents off-site.
Which option is best for any particular search depends on many factors. The single most important
consideration is the role of the computer hardware in the offense.
Although every computer search is unique, search strategies often depend on the role of the
hardware in the offense. If the hardware is itself evidence, an instrumentality, contraband, or a
fruit of crime, agents will usually plan to seize the hardware and search its contents off-site. If
the hardware is merely a storage device for evidence, agents generally will only seize the
hardware if less disruptive alternatives are not feasible.
In general, computer hardware can serve one of two roles in a criminal case. First, the computer
hardware can be a storage device for evidence of crime. For example, if a suspect keeps evidence of his
fraud schemes stored in his personal computer, the hardware itself is merely a container for evidence.
The purpose of searching the suspect's computer will be to recover the evidence the computer hardware
happens to contain.
In other cases, however, computer hardware can itself be contraband, evidence, an instrumentality,
or a fruit of crime. For example, a computer used to transmit child pornography is an instrumentality of
crime, and stolen computers are contraband. In such cases, Federal Rule of Criminal Procedure 41
grants agents the right to seize the computer itself, independently from the materials that the hardware
happens to contain. See generally Appendix F (explaining the scope of materials that may be seized
according to Rule 41). Because Rule 41 authorizes agents to seize hardware in the latter case but not the
former, the search strategy for a particular computer search hinges first on the role of the hardware in the
offense.6
a) When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
Under Fed. R. Crim. P. 41(b), agents may obtain search warrants to seize computer hardware if the
hardware is contraband, evidence, or an instrumentality or fruit of crime. See Rule 41(b); Appendix F.
When the hardware itself may be seized according to Rule 41, agents will usually conduct the search by
seizing the computer and searching it off-site. For example, a home personal computer used to store and
transmit contraband images is itself an instrumentality of the crime. See Davis v. Gracey, 111 F.3d
1472, 1480 (10th Cir. 1997) (computer used to store obscene images); United States v. Lamb, 945 F.
Supp. 441, 462 (N.D.N.Y. 1996) (computer used to store child pornography). Accordingly, Rule 41
permits agents to obtain a warrant authorizing the seizure of the computer hardware. In most cases,
investigators will simply obtain a warrant to seize the computer, seize the hardware during the search,
and then search through the defendant's computer for the contraband files back at the police station or
computer forensics laboratory. In such cases, the agents should explain in the supporting affidavit that
they plan to search the computer for evidence and/or contraband after the computer has been seized and
removed from the site of the search.
Notably, exceptions exist when agents will not want to seize computer hardware even when the
hardware is used as an instrumentality, evidence, contraband, or a fruit of crime. When the computer
involved is not a stand-alone PC but rather part of a complicated network, the collateral damage and
practical headaches that would arise from seizing the entire network generally counsel against a
wholesale seizure. For example, if a system administrator of a computer network stores stolen
proprietary information somewhere in the network, the network becomes an instrumentality of the
system administrator's crime. Technically, agents could obtain a warrant to seize the entire network.
However, carting off the entire network might cripple a functioning business and disrupt the lives of
hundreds of people, as well as subject the government to civil suits under the Privacy Protection Act, 42
U.S.C. § 2000aa and the Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-11. See generally
Steve Jackson Games, Inc. v. Secret Service, 816 F. Supp. 432, 440, 443 (W.D. Tex. 1993) (discussed
infra). In such circumstances, agents will want to take a more nuanced approach to obtain the evidence
they need. Agents faced with such a situation can call the Computer Crime and Intellectual Property
Section at (202) 514-1026 or the Assistant U.S. Attorney designated as a Computer-
Telecommunications Coordinator (CTC) in their district for more specific advice.
b) When Hardware is Merely a Storage Device for Evidence of Crime
The strategy for conducting a computer search is significantly different if the computer hardware is
merely a storage device for evidence of a crime. In such cases, Rule 41(b) authorizes agents to obtain a
warrant to seize the electronic evidence, but arguably does not authorize the agents to seize the hardware
that happens to contain that evidence. Cf. United States v. Tamura, 694 F.2d 591, 595 (9th Cir. 1982)
(noting that probable cause to seize specific paper files enumerated in warrant technically does permit
the seizure of commingled innocent files). The hardware is merely a storage container for evidence, not
evidence itself. This does not mean that the government cannot seize the equipment: rather, it means
that the government generally should only seize the equipment if a less intrusive alternative that permits
the effective recovery of the evidence is infeasible in the particular circumstances of the case. Cf. id. at
596.
As a practical matter, circumstances will often require investigators to seize equipment and search
its contents off-site. First, it may take days or weeks to find the specific information described in the
warrant because computer storage devices can contain extraordinary amounts of information. Agents
cannot reasonably be expected to spend more than a few hours searching for materials on-site, and in
some circumstances (such as executing a search at a suspect's home) even a few hours may be
unreasonable. See United States v. Santarelli, 778 F.2d 609, 615-16 (11th Cir. 1985). Given that
personal computers sold in the year 2000 usually can store the equivalent of ten million pages of
information and networks can store hundreds of times that (and these capacities double nearly every
year), it may be practically impossible for agents to search quickly through a computer for specific data,
a particular file, or a broad set of files while on-site. Even if the agents know specific information about
the files they seek, the data may be mislabeled, encrypted, stored in hidden directories, or embedded in
"slack space" that a simple file listing will ignore. Recovering the evidence may require painstaking
analysis by an expert in the controlled environment of a forensics laboratory.
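The point about mislabeled, encrypted and hidden data, shown as an added Python example that is not part of the manual: it flags files whose content signature contradicts their extension, unrecognised high-entropy content, and files under dot-prefixed directories, none of which a plain file listing reveals. The signature table, the 7.5 bits-per-byte threshold, the finding codes and the sample files are assumptions constructed for illustration.

```python
import hashlib
import math
import os
import tempfile

# Leading "magic" bytes and the extensions that normally carry them.
# A deliberately small table for illustration; real tools use far larger ones.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF8": {".gif"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".jar"},
}
ENTROPY_THRESHOLD = 7.5    # bits per byte; assumed cut-off for "looks encrypted"
MIN_ENTROPY_SAMPLE = 4096  # too few bytes give an unreliable estimate


def shannon_entropy(data):
    """Return the Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def triage_file(path, rel_path, sample_size=65536):
    """Return finding codes for one file, based on content rather than name."""
    findings = []
    with open(path, "rb") as handle:  # read-only access
        sample = handle.read(sample_size)
    ext = os.path.splitext(rel_path)[1].lower()
    known = False
    for magic, extensions in SIGNATURES.items():
        if sample.startswith(magic):
            known = True
            if ext not in extensions:
                findings.append("signature-mismatch")
            break
    # Compressed formats are also high-entropy, so only flag unrecognised content.
    if (not known and len(sample) >= MIN_ENTROPY_SAMPLE
            and shannon_entropy(sample) > ENTROPY_THRESHOLD):
        findings.append("high-entropy")
    # Unix convention: a leading dot hides a directory from a plain listing.
    if any(part.startswith(".") for part in rel_path.split("/")[:-1]):
        findings.append("hidden-directory")
    return findings


def triage_tree(root):
    """Walk root and return {relative path: findings} for flagged files only."""
    flagged = {}
    for directory, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(directory, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings = triage_file(full, rel)
            if findings:
                flagged[rel] = findings
    return flagged


def build_sample_tree(root):
    """Create a small constructed directory tree to run the triage against."""
    pseudo_random = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    samples = {
        "reports/notes.txt": b"Quarterly figures attached.\n",
        "reports/q3.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # JPEG header, .txt name
        "photos/cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # correctly labeled
        ".cache/data.bin": pseudo_random,                     # stands in for ciphertext
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        build_sample_tree(workdir)
        for rel, findings in sorted(triage_tree(workdir).items()):
            print(rel, findings)
```

Run a check like this against a working copy rather than original media. Slack space lies outside what any file-level walk can see and needs analysis of the raw image.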
Attempting to search files on-site may even risk damaging the evidence itself in some cases.
Agents executing a search may learn on-site that the computer employs an uncommon operating system
that the on-site technical specialist does not fully understand. Because an inartful attempt to conduct a
search may destroy evidence, the best strategy may be to remove the hardware so that a government
expert in that particular operating system can examine the computer later. Off-site searches also may be
necessary if agents have reason to believe that the computer has been "booby trapped" by a savvy
criminal. Technically adept users may know how to trip-wire their computers with self-destruct
programs that could erase vital evidence if the system were examined by anyone other than an expert.
For example, a criminal could write a very short program that would cause the computer to demand a
password periodically, and if the correct password is not entered within ten seconds, would trigger the
automatic destruction of the computer's files. In these cases, it is best to seize the equipment and permit
an off-site expert to disarm the program before any search occurs.
In light of these uncertainties, agents often plan to try to search on-site, with the understanding that
they will seize the equipment if circumstances discovered on-site make an on-site search infeasible.
Once on-site to execute the search, the agents will assess the hardware, software, and resources available
to determine whether an on-site search is possible. In many cases, the search strategy will depend on the
sensitivity of the environment in which the search occurs. For example, agents seeking to obtain
information stored on the computer network of a functioning business will in most circumstances want
to make every effort to obtain the information without seizing the business's computers, if possible. In
such situations, a tiered search strategy designed to use the least intrusive approach that will recover the
information is generally appropriate. Such approaches are discussed in Appendix F. Whatever search
strategy is chosen, it should be explained fully in the affidavit supporting the warrant application.
Sometimes, conducting a search on-site will be possible. A friendly employee or system
administrator may agree to pinpoint a file or record or may have a recent backup, permitting the agents
to obtain a hard copy of the files they seek while on-site. See, e.g., United States v. Longo, 70 F.
Supp.2d 225 (W.D.N.Y. 1999) (upholding pinpoint search aided by suspect's secretary for two
particular computer files). Alternatively, agents may be able to locate the set of files targeted and make
electronic copies, or may be able to mirror a segment of the storage drive based on knowledge that the
information exists somewhere within that segment of the drive. In other cases, of course, such strategies
will fail. If the agents cannot learn where the information is stored or cannot create a working mirror
image for technical reasons, they may have no choice but to seize the computer and remove it. Because
personal computers are easily moved and can be searched effectively off-site using special forensics
tools, agents are particularly likely to seize personal computers absent unusual circumstances.
The general strategy is to pursue the quickest, least intrusive, and most direct search strategy that is
consistent with securing the evidence described in the warrant. This strategy will permit agents to
search on-site in some cases, and will permit them to seize the computers for off-site review in others.
Flexibility is the key.
2. The Privacy Protection Act
When agents have reason to believe that a search may result in a seizure of materials relating to
First Amendment activities such as publishing or posting materials on the World Wide Web, they
must consider the effect of the Privacy Protection Act (PPA), 42 U.S.C. § 2000aa. Every
federal computer search that implicates the PPA must be approved by the Deputy Assistant
Attorney General of the Criminal Division, coordinated through CCIPS at (202) 514-1026.
Under the Privacy Protection Act (PPA), 42 U.S.C. § 2000aa, law enforcement must take special
steps when planning a search that agents have reason to believe may result in the seizure of certain First
Amendment materials. Federal law enforcement searches that implicate the PPA must be pre-approved
by the Justice Department in Washington, D.C. The Computer Crime and Intellectual Property Section
serves as the contact point for all such searches involving computers, and should be contacted directly at
(202) 514-1026.
a) A Brief History of the Privacy Protection Act
Before the Supreme Court decided Warden v. Hayden, 387 U.S. 294, 309 (1967), law enforcement
officers could not obtain search warrants to search for and seize "mere evidence" of crime. Warrants
were permitted only to seize contraband, instrumentalities, or fruits of crime. See Boyd v. United States,
116 U.S. 616 (1886). In Hayden, the Court reversed course and held that the Fourth Amendment
permitted the government to obtain search warrants to seize mere evidence. This ruling set the stage for
a collision between law enforcement and the press. Because journalists and reporters often collect
evidence of criminal activity in the course of developing news stories, they frequently possess "mere
evidence" of crime that may prove useful to law enforcement investigations. By freeing the Fourth
Amendment from Boyd's restrictive regime, Hayden created the possibility that law enforcement could
use search warrants to target the press for evidence of crime it had collected in the course of
investigating and reporting news stories.
It did not take long for such a search to occur. On April 12, 1971, the District Attorney's Office in
Santa Clara County, California obtained a search warrant to search the offices of The Stanford Daily, a
Stanford University student newspaper. The DA's office was investigating a violent clash between the
police and demonstrators that had occurred at the Stanford University Hospital three days earlier. The
Stanford Daily had covered the incident, and published a special edition featuring photographs of the
clash. Believing that the newspaper probably had more photographs of the clash that could help the
police identify the demonstrators, the police obtained a warrant and sent four police officers to search
the newspaper's office for further evidence that could assist the investigation. The officers found
nothing. A month later, however, the Stanford Daily and its editors brought a civil suit against the
police claiming that the search had violated their First and Fourth Amendment rights. The case
ultimately reached the Supreme Court, and in Zurcher v. Stanford Daily, 436 U.S. 547 (1978), the Court
rejected the newspaper's claims. Although the Court noted that "the Fourth Amendment does not
prevent or advise against legislative or executive efforts to establish nonconstitutional protections" for
searches of the press, it held that neither the Fourth nor First Amendment prohibited such searches. Id.
at 567.
Congress passed the PPA in 1980 in response to Stanford Daily. According to the Senate Report,
the PPA protected the press and certain other persons not suspected of committing a crime with
protections not provided currently by the Fourth Amendment. S. Rep. No. 96-874, at 4 (1980). The
statute was intended to grant publishers certain statutory rights to discourage law enforcement officers
from targeting publishers simply because they often gathered "mere evidence" of crime. As the
legislative history indicates,
the purpose of this statute is to limit searches for materials held by persons involved in First
Amendment activities who are themselves not suspected of participation in the criminal
activity for which the materials are sought, and not to limit the ability of law enforcement
officers to search for and seize materials held by those suspected of committing the crime
under investigation.
Id. at 11.
b) The Terms of the Privacy Protection Act
Subject to certain exceptions, the PPA makes it unlawful for a government officer "to search for
or seize" materials when
(a) the materials are "work product materials" prepared, produced, authored, or created in
anticipation of communicating such materials to the public, 42 U.S.C. § 2000aa-7(b)(1);
(b) the materials include "mental impressions, conclusions, or theories" of its creator, 42
U.S.C. § 2000aa-7(b)(3); and
(c) the materials are possessed for the purpose of communicating the material to the public
by a person "reasonably believed to have a purpose to disseminate to the public" some form
of "public communication," 42 U.S.C. § 2000aa-7(b)(3), § 2000aa(a).
or
(a) the materials are "documentary materials" that contain information,
§ 2000aa-7(a); and
(b) the materials are possessed by a person "in connection with a purpose to disseminate to
the public" some form of public communication. 42 U.S.C. § 2000aa(b), § 2000aa-7(a).
Although the language of the PPA is broad, the statute contains several exceptions. Searches will
not violate the PPA when
1) the only materials searched for or seized are contraband, instrumentalities, or fruits of
crime, see § 2000aa-7(a),(b);
2) there is reason to believe that the immediate seizure of such materials is necessary to
prevent death or serious bodily injury, see § 2000aa(a)(2), § 2000aa(b);
3) there is probable cause to believe that the person possessing such materials has
committed or is committing the criminal offense to which the materials relate (an exception
which is itself subject to several exceptions), see § 2000aa(a)(1), § 2000aa(b)(1); and
4) in a search for or seizure of "documentary materials" as defined by § 2000aa-7(a), a
subpoena has proven inadequate or there is reason to believe that a subpoena would not
result in the production of the materials, see § 2000aa(b)(3)-(4).
Violations of the PPA do not result in suppression of the evidence, but can result in civil damages
against the sovereign whose officers or employees execute the search. See § 2000aa-6(a),(d),(e); Davis
v. Gracey, 111 F.3d 1472, 1482 (10th Cir. 1997) (dismissing PPA suit against municipal officers in their
personal capacities because such suits must be filed only against the government entity). If State
officers or employees violate the PPA and the state does not waive its sovereign immunity and is thus
immune from suit, see Barnes v. State of Missouri, 960 F.2d 63, 65 (8th Cir. 1992), individual State
officers or employees may be held liable for acts within the scope or under the color of their
employment subject to a reasonable good faith defense. See § 2000aa-6(a)(2),(b).
c) Application of the PPA to Computer Searches and Seizures
PPA issues frequently arise in computer cases for two reasons that Congress could not have
foreseen in 1980. First, the use of personal computers for publishing and the World Wide Web has
dramatically expanded the scope of who is involved in First Amendment activities. Today, anyone
with a computer and access to the Internet may be a publisher who possesses PPA-protected materials
on his or her computer.
The second reason that PPA issues arise frequently in computer cases is that the language of the
statute does not explicitly rule out liability following incidental seizures of PPA-protected materials, and
such seizures may inevitably result when agents search for and seize computer-stored contraband or
evidence of crime that is commingled with PPA-protected materials. For example, investigations into
illegal businesses that publish images of child pornography over the Internet have revealed that such
businesses frequently support other publishing materials (such as drafts of adult pornography) that may
be PPA-protected. Agents may find that the PPA interferes with their ability to seize the contraband
child pornography because the contraband may be commingled with PPA-protected materials on the
business's computers. Seizing the computer for the contraband would necessarily result in the seizure of
the PPA-protected materials. Under this interpretation of the PPA, the statute does not merely deter law
enforcement from targeting innocent publishers for their evidence, but also affirmatively protects
individuals from the incidental seizure of property that may be used in part for First Amendment
activities.
As a formal matter, the legislative history and text of the PPA indicate that Congress probably
intended the PPA to apply only when law enforcement intentionally targeted First Amendment material
that related to a crime, as in Stanford Daily. For example, the so-called "suspect exception" eliminates
PPA liability when "there is probable cause to believe that the person possessing such materials has
committed or is committing the criminal offense to which the materials relate," 42 U.S.C. § 2000aa(a)(1),
§ 2000aa(b)(1) (emphasis added). This text indicates that Congress believed that PPA-protected
materials would necessarily relate to a criminal offense, as when investigators target the materials as
evidence.
When agents collaterally seize PPA-protected materials because they are commingled on a
computer with other materials properly targeted by law enforcement, however, the PPA-protected
materials will not necessarily relate to any crime at all. For example, the PPA-protected materials might
be drafts of a horticulture newsletter that just happen to sit on the same hard drive as images of child
pornography or records of a fraud scheme. At least one court has responded to this difficulty by reading
the phrase "to which the materials relate" quite broadly when an inadvertent seizure of commingled
matter occurs. See United States v. Hunter, 13 F. Supp.2d 574, 582 (D. Vt. 1998) (concluding that
materials for weekly legal newsletter published by the defendant from his law office "relate" to the
defendant's alleged involvement in his client's drug crimes when the former was inadvertently seized in
a search for evidence of the latter). This reading effectively restores the suspect exception to its
intended purpose: limiting the scope of PPA protection to "the press and certain other persons not
suspected of committing a crime." S. Rep. No. 96-874, at 4 (1980). See also Carpa v. Smith, 208 F.3d
220, 2000 WL 189678, at *1 (9th Cir. 2000) (unpublished opinion) ("[T]he Privacy Protection Act . . .
does not apply to criminal suspects.").
Although Congress probably intended the PPA to apply only when law enforcement intentionally
targets PPA-protected materials in search of evidence, at least one court has held law enforcement liable
under the PPA for the incidental seizure of (and more particularly, failure to return) PPA-protected
materials stored on a seized computer. In Steve Jackson Games, Inc. v. Secret Service, 816 F. Supp. 432
(W.D. Tex. 1993), aff'd on other grounds, 36 F.3d 457 (5th Cir. 1994)7, a district court held the United
States Secret Service liable for the inadvertent seizure of PPA-protected materials possessed by Steve
Jackson Games, Inc. (SJG). Although SJG was primarily a publisher of role-playing games, it also
operated a network of thirteen computers that provided its customers with e-mail, published information
about SJG products, and stored drafts of upcoming publications. The Secret Service executed a search
of SJG's computers on March 1, 1990, after learning that a system administrator of SJG's computers had
been linked to a computer hacking incident under Secret Service investigation. Believing that the
system administrator had stored evidence of the crime on SJG's computers, the Secret Service obtained a
warrant and seized two of the thirteen computers connected to SJG's network, in addition to other
materials. The Secret Service did not know that SJG's computers contained publishing materials until
the day after the search, on March 2, 1990. However, the Secret Service did not return the computers it
seized until months later. At no time did the Secret Service believe that SJG itself was involved in the
crime under investigation.
The district court in Steve Jackson Games ruled that the Secret Service violated the PPA by
continuing to hold SJG's seized property after it learned that the property included materials that SJG
intended to disseminate to the public, including drafts of a book and magazine articles. Although the
Secret Service had executed the search to find evidence of computer hacking, the incidental seizure and
then retention of PPA-protected material constituted a prohibited seizure of work product materials
and documentary materials according to 42 U.S.C. § 2000aa. See id. at 440-41. The court set the
damage award at just over $50,000, plus attorneys' fees to be determined later.
Unfortunately, the district court's precise reasoning in Steve Jackson Games is difficult to discern.
For example, the court did not explain exactly which of the materials the Secret Service seized were
covered by the PPA; instead, the court merely recited the property that had been seized, and concluded
that some PPA-protected materials were obtained during the search. Id. at 440. Similarly, the court
indicated that the search of SJG and the initial seizure of its property did not violate the PPA, but that
the Secret Service's continued retention of SJG's property despite a request by SJG for its return was the
true source of the PPA violation, something that the statute itself does not appear to contemplate. See
id. at 441. The court also suggested that it might have ruled differently if the Secret Service had made
copies of all information seized and returned the hardware as soon as possible, but did not answer
whether in fact it would have reached a different result in such case. Id. Finally, the court set damages
equal to the company's lost profits resulting from the search, seizure, and retention of SJG's property,
quite irrespective of how much of the company's lost profits were derived specifically from the seizure
and retention of the PPA-protected materials. See id.
The boundaries of the PPA remain quite uncertain in the wake of Steve Jackson Games. See, e.g.,
State of Oklahoma v. One (1) Pioneer CD-ROM Changer, 891 P.2d 600, 607 (Okla. App. 1995)
(rejecting the apparent premise of Steve Jackson Games that the seizure of computer equipment could
violate the PPA merely because the equipment also contained or was used to disseminate potential
'documentary materials'). The handful of federal courts that have resolved civil suits filed under the
PPA since the district court opinion in Steve Jackson Games have ruled against the plaintiffs with little
substantive analysis. See, e.g., Davis v. Gracey, 111 F.3d 1472, 1482 (10th Cir. 1997) (dismissing for
lack of jurisdiction PPA suit improperly filed against municipal employees in their personal capacities);
United States v. Hunter, 13 F. Supp.2d 574, 582 (D. Vt. 1998) (rejecting PPA claim when search of
attorney's office for evidence of a crime arising from law practice led to seizure of materials relating to
legal newsletter because the government had reason to believe that [the defendant] had committed a
criminal offense . . . to which the seized materials related); DePugh v. Sutton, 917 F. Supp. 690, 696-97
(W.D. Mo. 1996) (rejecting pro se PPA challenge to seizure of materials relating to child pornography
because there was probable cause to believe that the person possessing the materials committed the
criminal offense to which the materials related), aff'd, 104 F.3d 363 (8th Cir. 1996); Powell v. Tordoff,
911 F. Supp. 1184, 1189-90 (N.D. Iowa 1995) (dismissing PPA claim because plaintiff did not have
standing to challenge search and seizure under the Fourth Amendment). See also Lambert v. Polk
County, 723 F. Supp. 128, 132 (S.D. Iowa 1989) (rejecting PPA claim after police seized videotape
because officers could not reasonably believe that the owner of the tape had a purpose to disseminate the
material to the public).
Agents and prosecutors who have reason to believe that a search may implicate the PPA should
contact the Computer Crime and Intellectual Property Section at (202) 514-1026 or the Assistant U.S.
Attorney designated as a Computer-Telecommunications Coordinator (CTC) in each district for more
specific guidance.
3. Civil Liability Under the Electronic Communications Privacy Act
When a search may result in the incidental seizure of network accounts belonging to innocent
third parties, agents should take every step to protect the integrity of the third party accounts to
avoid potential ECPA liability.
When law enforcement executes a search of an Internet service provider and seizes the accounts of
customers and subscribers, those customers and subscribers may bring civil actions claiming that the
search violated the Electronic Communications Privacy Act (ECPA). ECPA governs law enforcement
access to the contents of electronic communications stored by third-party service providers. See 18
U.S.C. § 2703; Chapter 3, infra (discussing the Electronic Communications Privacy Act). In addition,
ECPA has a criminal provision that prohibits unauthorized access to electronic or wire communications
in electronic storage. See 18 U.S.C. § 2701; Chapter 3, infra (discussing the definition of electronic
storage).
The concern that a search executed pursuant to a valid warrant might violate ECPA derives from
Steve Jackson Games, Inc. v. Secret Service, 816 F. Supp. 432 (W.D. Tex. 1993), discussed supra. In
Steve Jackson Games, the district court held the Secret Service liable under ECPA after it seized,
reviewed, and (in some cases) deleted stored electronic communications seized pursuant to a valid
search warrant. See id. at 443. The court's holding appears to be rooted in the mistaken belief that
ECPA requires that search warrants also comply with 18 U.S.C. § 2703(d) and the various notice
requirements of § 2703. See id. In fact, ECPA makes quite clear that § 2703(d) and the notice
requirements of § 2703 are implicated only when law enforcement does not obtain a search warrant.
Compare 18 U.S.C. § 2703(b)(1)(A), § 2703(c)(1)(B)(i) with 18 U.S.C. § 2703(b)(1)(B), § 2703(c)(1)
(B)(ii). See generally Chapter 3, infra. Indeed, the text of ECPA does not appear to contemplate civil
liability for searches and seizures authorized by valid Rule 41 search warrants: ECPA expressly
authorizes government access to stored communications pursuant to a warrant issued under the Federal
Rules of Criminal Procedure, see 18 U.S.C. § 2703(a), (b), (c)(1)(B); Davis v. Gracey, 111 F.3d 1472,
1483 (10th Cir. 1997), and the criminal prohibition of § 2701 does not apply when access is authorized
under § 2703. See 18 U.S.C. § 2701(c)(3)8. Further, objectively reasonable good faith reliance on a
warrant, court order, or statutory authorization is a complete defense to an ECPA violation. See 18
U.S.C. § 2707(e); Gracey, 111 F.3d at 1484 (applying good faith defense because seizure of stored
communications incidental to a valid search was objectively reasonable). Compare Steve Jackson
Games, 816 F. Supp. at 443 (stating without explanation that the court declines to find this defense).
The best way to square the result in Steve Jackson Games with the plain language of ECPA is to
exercise great caution when agents need to execute searches of Internet service providers and other
third-parties holding stored wire or electronic communications. In most cases, investigators will want to
avoid a wholesale search and seizure of the provider's computers. When investigators have no choice
but to execute the search, they must take special care. For example, if agents have reason to believe that
they may seize customer accounts belonging to innocent persons but have no reason to believe that the
evidence sought will be stored there, they should inform the magistrate judge in the search warrant
affidavit that they will not search those accounts and should take steps to ensure the confidentiality of
the accounts in light of the privacy concerns expressed by 18 U.S.C. § 2703. Safeguarding the accounts
of innocent persons absent specific reasons to believe that evidence may be stored in the persons'
accounts should satisfy the concerns expressed in Steve Jackson Games. Compare Steve Jackson
Games, 816 F. Supp. at 441 (finding ECPA liability where agents read the private communications of
customers not involved in the crime and thereafter deleted or destroyed some communications either
intentionally or accidentally) with Gracey, 111 F.3d at 1483 (declining to find ECPA liability in seizure
where [p]laintiffs have not alleged that the officers attempted to access or read the seized e-mail, and
the officers disclaimed any interest in doing so).
If agents believe that a hacker or system administrator might have hidden evidence of a crime in
the account of an innocent customer or subscriber, agents should proceed carefully. For example, agents
should inform the magistrate judge of their need to search the account in the affidavit, and should
attempt to obtain the consent of the customer or subscriber if feasible. In such cases, agents should
contact the Computer Crime and Intellectual Property Section at (202) 514-1026 or the CTC designated
in their district for more specific guidance.
4. Considering the Need for Multiple Warrants in Network Searches
Agents should obtain multiple warrants if they have reason to believe that a network search will
retrieve data stored in multiple locations.
Fed. R. Crim. P. 41(a) states that a magistrate judge located in one judicial district may issue a
search warrant for a search of property . . . within the district, or a search of property . . . outside the
district if the property . . . is within the district when the warrant is sought but might move outside the
district before the warrant is executed. The Supreme Court has held that "property" as described in
Rule 41 includes intangible property such as computer data. See United States v. New York Tel. Co.,
434 U.S. 159, 170 (1977). Although the courts have not directly addressed the matter, the language of
Rule 41 combined with the Supreme Court's interpretation of "property" may limit searches of computer
data to data that resides in the district in which the warrant was issued. Cf. United States v. Walters, 558
F. Supp. 726, 730 (D. Md. 1980) (suggesting such a limit in a case involving telephone records).
A territorial limit on searches of computer data poses problems for law enforcement because
computer data stored in a computer network can be located anywhere in the world. For example, agents
searching an office in Manhattan pursuant to a warrant from the Southern District of New York may sit
down at a terminal and access information stored remotely on a computer located in New Jersey,
California, or even a foreign country. A single file described by the warrant could be located anywhere
on the planet, or could be divided up into several locations in different districts or countries. Even
worse, it may be impossible for agents to know when they execute their search whether the data they are
seizing has been stored within the district or outside of the district. Agents may in some cases be able to
learn where the data is located before the search, but in others they will be unable to know the storage
site of the data until after the search has been completed.
When agents can learn prior to the search that some or all of the data described by the warrant is
stored remotely from where the agents will execute the search, the best course of action depends upon
where the remotely stored data is located. When the data is stored remotely in two or more different
places within the United States and its territories, agents should obtain additional warrants for each
location where the data resides to ensure compliance with a strict reading of Rule 41(a). For example, if
the data is stored in two different districts, agents should obtain separate warrants from the two districts.
Agents should also include a thorough explanation of the location of the data and the proposed means of
conducting the search in the affidavits accompanying the warrants.
When agents learn before a search that some or all of the data is stored remotely outside of the
United States, matters become more complicated. The United States may be required to take actions
ranging from informal notice to a formal request for assistance to the country concerned. Further, some
countries may object to attempts by U.S. law enforcement to access computers located within their
borders. Although the search may seem domestic to a U.S. law enforcement officer executing the search
in the United States pursuant to a valid warrant, other countries may view matters differently. Agents
and prosecutors should contact the Office of International Affairs at (202) 514-0000 for assistance with
these difficult questions.
When agents do not and even cannot know that data searched from one district is actually located
outside the district, evidence seized remotely from another district ordinarily should not lead to
suppression of the evidence obtained. The reasons for this are twofold. First, courts may conclude that
agents sitting in one district who search a computer in that district and unintentionally cause intangible
information to be sent from a second district into the first have complied with Rule 41(a). Compare
United States v. Ramirez, 112 F.3d 849, 852 (7th Cir. 1997) (Posner, C.J.) (adopting a permissive
construction of the territoriality provisions of Title III); United States v. Denman, 100 F.3d 399, 402
(5th Cir. 1996) (same); United States v. Rodriguez, 968 F.2d 130 (2d Cir. 1992) (same).
Second, even if courts conclude that the search violates Rule 41(a), the violation will not lead to
suppression of the evidence unless the agents intentionally and deliberately disregarded the Rule, or the
violation leads to "prejudice" in the sense that the search might not have occurred or would not have
been so abrasive if the Rule had been followed. See United States v. Burke, 517 F.2d 377, 386 (2d
Cir. 1975) (Friendly, J.); United States v. Martinez-Zayas, 857 F.2d 122, 136 (3d Cir. 1988) (citing
cases). Under the widely-adopted Burke test, courts generally deny motions to suppress when agents
executing the search cannot know whether it violates Rule 41 either legally or factually. See
Martinez-Zayas, 857 F.2d at 136 (concluding that a search passed the Burke test [g]iven the uncertain
state of the law concerning whether the conduct violated Rule 41(a)). Accordingly, evidence acquired from a
network search that accessed data stored in multiple districts should not lead to suppression unless the
agents intentionally and deliberately disregarded Rule 41(a) or prejudice resulted. See generally United
States v. Trost, 152 F.3d 715, 722 (7th Cir. 1998) ([I]t is difficult to anticipate any violation of Rule 41,
short of a defect that also offends the Warrant Clause of the fourth amendment, that would call for
suppression.).
5. No-Knock Warrants
As a general matter, agents must announce their presence and authority prior to executing a search
warrant. See Wilson v. Arkansas, 514 U.S. 927, 934 (1995); 18 U.S.C. § 3109. This so-called "knock
and announce" rule reduces the risk of violence and destruction of property when agents execute a
search. The rule is not absolute, however. In Richards v. Wisconsin, 520 U.S. 385 (1997), the Supreme
Court held that agents can dispense with the knock-and-announce requirement if they have
a reasonable suspicion that knocking and announcing their presence, under the particular
circumstances, would be dangerous or futile, or that it would inhibit the effective
investigation of the crime by, for example, allowing the destruction of evidence.
Id. at 394. The Court stated that this showing was not high, but the police should be required to make
it whenever the reasonableness of a no-knock entry is challenged. Id. at 394-95. Such a showing
satisfies both the Fourth Amendment and the statutory knock-and-announce rule of 18 U.S.C. § 3109.
See United States v. Ramirez, 118 S. Ct. 992, 997-98 (1998).
Agents may need to conduct no-knock searches in computer crime cases because technically adept
suspects may "hot wire" their computers in an effort to destroy evidence. For example, technically
adept computer hackers have been known to use "hot keys," computer programs that destroy evidence
when a special button is pressed. If agents knock at the door to announce their search, the suspect can
simply press the button and activate the program to destroy the evidence.
When agents have reason to believe that knocking and announcing their presence would allow the
destruction of evidence, would be dangerous, or would be futile, agents should request that the
magistrate judge issue a no-knock warrant. The failure to obtain judicial authorization to dispense with
the knock-and-announce rule does not preclude the agents from conducting a no-knock search,
however. In some cases, agents may neglect to request a no-knock warrant, or may not have reasonable
suspicion that evidence will be destroyed until they execute the search. In Richards, the Supreme Court
made clear that the reasonableness of the officers' decision [to dispense with the knock-and-announce
rule] . . . must be evaluated as of the time they entered the area to be searched. Richards, 520 U.S. at
395. Accordingly, agents may exercise "independent judgment" and decide to conduct a no-knock
search when they execute the search, even if they did not request such authority or the magistrate judge
specifically refused to authorize a no-knock search. Id. at 396 n.7. The question in all such cases is
whether the agents had a reasonable suspicion that knocking and announcing their presence, under the
particular circumstances, would be dangerous or futile, or that it would inhibit the effective investigation
of the crime by, for example, allowing the destruction of evidence. Id. at 394.
6. Sneak-and-Peek Warrants
Despite Rule 41(d), courts have authorized "sneak-and-peek" warrants in a few narrow situations.
Sometimes called "surreptitious search warrants," sneak-and-peek warrants are warrants that excuse
agents from having to notify the person whose premises are searched that the search has occurred at the
time of the search. See Paul V. Konovalov, Note, On a Quest for Reason: A New Look at Surreptitious
Search Warrants, 48 Hastings L.J. 435, 443 (1997); United States v. Freitas, 800 F.2d 1451, 1452 (9th
Cir. 1986) (discussing magistrate judge's creation of a sneak and peek warrant by cross[ing] off . . . the
requirement [on the warrant form] that copies of the warrant and an inventory of the property taken were
to be left at the residence). Because notice furthers important constitutional values, it is important that
agents who wish to obtain sneak-and-peek warrants should do so sparingly, and only in special
circumstances. However, sneak-and-peek searches may prove useful in searches for intangible
computer data. For example, agents executing a sneak-and-peek warrant to search a computer may be
able to enter a business after hours, search the computer, and then exit the business without leaving any
sign that the search occurred.
The circuits that have considered the legality of sneak-and-peek warrants have struggled to
reconcile them with Rule 41(d) and the Fourth Amendment. The Second and Ninth Circuits each set
forth two requirements that must be met in the absence of explicit statutory authority before a sneak-
and-peek warrant may be authorized. First, the officers must make a showing of reasonable necessity
as to why the officers should be able to delay notice of the search. United States v. Villegas, 899 F.2d
1324, 1337 (2d Cir. 1990). See also Freitas, 800 F.2d at 1456. Second, the warrant must require notice
to the target of the search within seven days of the surreptitious search unless a strong showing of
necessity for further delay has been made. Freitas, 800 F.2d at 1456; see also Villegas, 899 F.2d at
1337. Although other circuits may take a less restrictive approach, see United States v. Simons, 206
F.3d 392, 403 (4th Cir. 2000) (concluding that a 45-day delay in notice was permissible under the
Fourth Amendment), these two requirements provide a useful standard that agents should follow when
they seek judicial authorization to conduct a sneak-and-peek search.
If these two requirements are met, a court will permit evidence obtained in violation of Rule 41 to
be used in court so long as 1) the covert nature of the search did not prejudice the target, in the sense that
the search might not have occurred if notice had been given, and 2) the agents did not intentionally and
deliberately disregard Rule 41 in executing the search. See Simons, 206 F.3d at 403; United States v.
Pangburn, 983 F.2d 449, 455 (2d Cir. 1993); United States v. Johns, 948 F.2d 599, 603 (9th Cir. 1991).
Agents executing a sneak-and-peek search will not be deemed to have intentionally and deliberately
disregarded Rule 41 if the warrant authorized the sneak-and-peek search, or the executing agents
believed that the warrant authorized such a search. See United States v. Simons, 107 F. Supp.2d 703,
705 (E.D. Va. 2000) (concluding that agents who mistakenly believed that a warrant authorized a
sneak-and-peek warrant were "at most, negligent," and that the resulting search was therefore not
executed with intentional disregard of Rule 41). Finally, a showing of good faith reliance on a sneak-
and-peek warrant will defeat a suppression motion. See Johns, 948 F.2d at 605; Freitas, 800 F.2d at
1456. See generally United States v. Leon, 468 U.S. 897 (1984).
7. Privileged Documents
Agents must exercise special care when planning a computer search that may result in the seizure
of legally privileged documents such as medical records or attorney-client communications. Two issues
must be considered. First, agents should make sure that the search will not violate the Attorney
General's regulations relating to obtaining confidential information from disinterested third parties.
Second, agents should devise a strategy for reviewing the seized computer files following the search so
that no breach of a privilege occurs.
a) The Attorney General's Regulations Relating to Searches of Disinterested Lawyers, Physicians,
and Clergymen
Agents should be very careful if they plan to search the office of a doctor, lawyer, or member of
the clergy who is not implicated in the crime under investigation. At Congress's direction, the Attorney
General has issued guidelines for federal officers who want to obtain documentary materials from such
disinterested third parties. See 42 U.S.C. § 2000aa-11(a); 28 C.F.R. § 59.4(b). Under these rules,
federal law enforcement officers should not use a search warrant to obtain documentary materials
believed to be in the private possession of a disinterested third party physician, lawyer, or clergyman
where the material sought or likely to be reviewed during the execution of the warrant contains
confidential information on patients, clients, or parishioners. 28 C.F.R. § 59.4(b). The regulation does
contain a narrow exception. A search warrant can be used if using less intrusive means would
substantially jeopardize the availability or usefulness of the materials sought; access to the documentary
materials appears to be of substantial importance to the investigation; and the application for the warrant
has been recommended by the U.S. Attorney and approved by the appropriate Deputy Assistant
Attorney General. See 28 C.F.R. § 59.4(b)(1) and (2).
When planning to search the offices of a lawyer under investigation, agents should follow the
guidelines offered in the United States Attorney's Manual, and should consult the Office of Enforcement
Operations at (202) 514-3684. See generally United States Attorney's Manual, § 9-13.420 (1997).
b) Strategies for Reviewing Privileged Computer Files
Agents contemplating a search that may result in the seizure of legally privileged computer files
should devise a post-seizure strategy for screening out the privileged files and should describe
that strategy in the affidavit.
When agents seize a computer that contains legally privileged files, a trustworthy third party must
comb through the files to separate those files within the scope of the warrant from files that contain
privileged material. After reviewing the files, the third party will offer those files within the scope of the
warrant to the prosecution team. Preferred practices for determining who will comb through the files
vary widely among different courts. In general, however, there are three options. First, the court itself
may review the files in camera. Second, the presiding judge may appoint a neutral third party known as
a "special master" to the task of reviewing the files. Third, a team of prosecutors who are not working
on the case may form a "taint team" or "privilege team" to help execute the search and review the files
afterwards. The taint team sets up a so-called "Chinese Wall" between the evidence and the prosecution
team, permitting only unprivileged files that are within the scope of the warrant to slip through the wall.
Because a single computer can store millions of files, judges will undertake in camera review of
computer files only rarely. See Black v. United States, 172 F.R.D. 511, 516-17 (S.D. Fla. 1997)
(accepting in camera review given unusual circumstances); United States v. Skeddle, 989 F. Supp. 890,
893 (N.D. Ohio 1997) (declining in camera review). Instead, the typical choice is between using a taint
team and a special master. Most prosecutors will prefer to use a taint team if the court consents. A taint
team can usually screen through the seized computer files fairly quickly, whereas special masters often
take several years to complete their review. See Black, 172 F.R.D. at 514 n.4. On the other hand, some
courts have expressed discomfort with taint teams. See United States v. Neill, 952 F. Supp. 834, 841
(D.D.C. 1997); United States v. Hunter, 13 F. Supp.2d 574, 583 n.2 (D. Vt. 1998) (stating that review by
a magistrate judge or special master may be preferable to reliance on a taint team) (citing In re Search
Warrant, 153 F.R.D. 55, 59 (S.D.N.Y. 1994)). Although no single standard has emerged, these courts
have generally indicated that evidence screened by a taint team will be admissible only if the
government shows that its procedures adequately protected the defendants' rights and no prejudice
occurred. See, e.g., Neill, 952 F. Supp. at 840-42; Hunter, 13 F. Supp.2d at 583. In unusual
circumstances, the court may conclude that a taint team would be inadequate and may appoint a special
master to review the files. See, e.g., United States v. Abbell, 914 F. Supp. 519 (S.D. Fla. 1995);
DeMassa v. Nunez, 747 F.2d 1283 (9th Cir. 1984). In any event, the reviewing authority will almost
certainly need a skilled and neutral technical expert to assist in sorting, identifying, and analyzing digital
evidence for the reviewing process.
C. Drafting the Warrant and Affidavit
Law enforcement officers must draft two documents to obtain a search warrant from a magistrate
judge. The first document is the affidavit, a sworn statement that (at a minimum) explains the basis for
the affiant's belief that the search is justified by probable cause. The second document is the proposed
warrant itself. The proposed warrant typically is a one-page form, plus attachments incorporated by
reference, that describes the place to be searched, and the persons or things to be seized. If the
magistrate judge agrees that the affidavit establishes probable cause, and that the proposed warrant's
descriptions of the place to be searched and things to be seized are adequately particular, the magistrate
judge will sign the warrant. Under the Federal Rules of Criminal Procedure, officers must execute the
warrant within ten days after the warrant has been signed. See Fed. R. Crim. P. 41(b).
Step 1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or
Attachments to the Warrant
a. General
Agents must take special care when describing the computer files or hardware to be seized, either
in the warrant itself or (more likely) in an attachment to the warrant incorporated into the warrant by
reference. The Fourth Amendment requires that every warrant must particularly describ[e] . . . the . . .
things to be seized. U.S. Const. Amend. IV. The particularity requirement prevents law enforcement
from executing "general warrants" that permit "exploratory rummaging" through a person's belongings
in search of evidence of a crime. Coolidge v. New Hampshire, 403 U.S. 443, 467 (1971).
The particularity requirement has two distinct elements. See United States v. Upham, 168 F.3d
532, 535 (1st Cir. 1999). First, the warrant must describe the things to be seized with sufficiently
precise language so that it tells the officers how to separate the items properly subject to seizure from
irrelevant items. See Davis v. Gracey, 111 F.3d 1472, 1478 (10th Cir. 1997); Marron v. United States,
275 U.S. 192, 296 (1925) (As to what is to be taken, nothing is left to the discretion of the officer
executing the warrant.). Second, the description of the things to be seized must not be so broad that it
encompasses items that should not be seized. See Upham, 168 F.3d at 535. Put another way, the
description in the warrant of the things to be seized should be limited to the scope of the probable cause
established in the warrant. See In re Grand Jury Investigation Concerning Solid State Devices, 130 F.3d
853, 857 (9th Cir. 1997). Considered together, the elements forbid agents from obtaining "general
warrants" and instead require agents to conduct narrow seizures that attempt to "minimize[] unwarranted
intrusions upon privacy." Andresen v. Maryland, 427 U.S. 463, 482 n.11 (1976).
b. Warrants to Seize Hardware Compared to Warrants to Seize Information
If computer hardware is contraband, evidence, fruits, or instrumentalities of crime, the warrant
should describe the hardware itself. If the probable cause relates only to information, however,
the warrant should describe the information, rather than the physical storage devices which
happen to contain it.
The most important decision agents must make when describing the property in the warrant is
whether the seizable property according to Rule 41 is the computer hardware itself, or merely the
information that the hardware contains. If the computer hardware is itself contraband, an instrumentality
of crime, or evidence, the focus of the warrant should be on the computer hardware itself and not on the
information it contains. The warrant should describe the hardware and indicate that the hardware will be
seized. See, e.g., Davis v. Gracey, 111 F.3d 1472, 1480 (10th Cir. 1997) (seizure of computer
equipment used to store obscene pornography was proper because the equipment was an
instrumentality). However, if the probable cause relates only to information stored on the computer, the
warrant should focus on the content of the relevant files rather than on the storage devices which may
happen to contain them. See, e.g., United States v. Gawrysiak, 972 F. Supp. 853, 860 (D.N.J. 1997),
aff'd, 178 F.3d 1281 (3d Cir. 1999) (upholding seizure of records [that] include information and/or data
stored in the form of magnetic or electronic coding on computer media . . . which constitute evidence
of enumerated federal crimes). The warrant should describe the information based on its content (e.g.,
gambling records, evidence of a fraud scheme), and then request the authority to seize the information in
whatever form the information may be stored. To determine whether the warrant should describe the
computer hardware itself or the information it contains, agents should consult Appendix F and determine
whether the hardware constitutes evidence, contraband, or an instrumentality that may itself be seizable
according to Rule 41(a).
When conducting a search for information, agents need to consider carefully exactly what
information they need. The information may be very narrow (e.g., a specific record or report), or
quite broad (e.g., thousands of records relating to an elaborate fraud scheme). Agents should
tailor each warrant to the needs of each search. The warrant should describe the information to
be seized, and then request the authority to seize the information in whatever form it may be
stored (whether electronic or not).
Agents should be particularly careful when seeking authority to seize a broad class of information.
This often occurs when agents plan to search computers at a business. See, e.g., United States v. Leary,
846 F.2d 592, 594 (10th Cir. 1988). Agents cannot simply request permission to seize "all records"
from an operating business unless agents have probable cause to believe that the criminal activity under
investigation pervades the entire business. See United States v. Ford, 184 F.3d 566, 576 (6th Cir. 1999)
(citing cases); In re Grand Jury Investigation Concerning Solid State Devices, 130 F.3d 853, 857 (9th
Cir. 1997). Instead, the description of the files to be seized should include limiting phrases that can
modify and limit the "all records" search. For example, agents may specify the crime under
investigation, the target of the investigation if known, and the time frame of the records involved. See,
e.g., United States v. Kow, 58 F.3d 423, 427 (9th Cir. 1995) (invalidating warrant for failure to name
crime or limit seizure to documents authored during time frame under investigation); Ford, 184 F.3d at
576 ("Failure to limit broad descriptive terms by relevant dates, when such dates are available to the
police, will render a warrant overbroad."); In the Matter of the Application of Lafayette Academy, 610
F.2d 1, 3 (1st Cir. 1979); United States v. Hunter, 13 F. Supp.2d 574, 584 (D. Vt. 1998) (concluding that
warrant to seize "[a]ll computers" not sufficiently particular where description did not indicate the
specific crimes for which the equipment was sought, nor were the supporting affidavits or the limits
contained in the searching instructions incorporated by reference.).
In light of these cases, agents should narrow "all records" searches with limiting language where
necessary and appropriate. One effective approach is to begin with an "all records" description; add
limiting language stating the crime, the suspects, and relevant time period if applicable; include explicit
examples of the records to be seized; and then indicate that the records may be seized in any form,
whether electronic or non-electronic. For example, when drafting a warrant to search a computer at a
business for evidence of a drug trafficking crime, agents might describe the property to be seized in the
following way:
All records relating to violations of 21 U.S.C. § 841(a) (drug trafficking) and/or 21 U.S.C.
§ 846 (conspiracy to traffic drugs) involving [the suspect] since January 1, 1996, including
lists of customers and related identifying information; types, amounts, and prices of drugs
trafficked as well as dates, places, and amounts of specific transactions; any information
related to sources of narcotic drugs (including names, addresses, phone numbers, or any
other identifying information); any information recording [the suspect's] schedule or travel
from 1995 to the present; all bank records, checks, credit card bills, account information,
and other financial records.
The terms "records" and "information" include all of the foregoing items of evidence in
whatever form and by whatever means they may have been created or stored, including any
electrical, electronic, or magnetic form (such as any information on an electronic or
magnetic storage device, including floppy diskettes, hard disks, ZIP disks, CD-ROMs,
optical discs, backup tapes, printer buffers, smart cards, memory calculators, pagers,
personal digital assistants such as Palm Pilot computers, as well as printouts or readouts
from any magnetic storage device); any handmade form (such as writing, drawing,
painting); any mechanical form (such as printing or typing); and any photographic form
(such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures,
photocopies).
This language describes the general class of information to be seized (all records); narrows it to
the extent possible (only those records involving the defendant's drug trafficking activities since 1995);
offers examples of the types of records sought (such as customer lists and bank records); and then
explains the various forms that the records may take (including electronic and non-electronic forms).
Of course, agents do not need to follow this approach in every case; judicial review of search
warrants is "commonsensical" and "practical," rather than "overly technical." United States v.
Ventresca, 380 U.S. 102, 108 (1965). When agents cannot know the precise form that records will take
before the search occurs, a generic description must suffice. See Davis v. Gracey, 111 F.3d 1472, 1478
(10th Cir. 1997) ("Even a warrant that describes the items to be seized in broad or generic terms may be
valid when the description is as specific as the circumstances and the nature of the activity under
investigation permit.") (internal quotations omitted); United States v. London, 66 F.3d 1227, 1238 (1st
Cir. 1995) (noting that where the defendant operated a complex criminal enterprise where he mingled
"innocent" documents with apparently-innocent documents which, in fact, memorialized illegal
transactions, . . . . [it] would have been difficult for the magistrate judge to be more limiting in phrasing
the warrant's language, and for the executing officers to have been more discerning in determining what
to seize.); United States v. Sharfman, 448 F.2d 1352, 1354-55 (2d Cir. 1971); Gawrysiak, 972 F. Supp.
at 861. Even an "all records" search seeking evidence of a particular criminal activity may be
appropriate in certain circumstances. See also United States v. Hargus, 128 F.3d 1358, 1362-63 (10th
Cir. 1997) (upholding seizure of "any and all records relating to the business" under investigation for
mail fraud and money laundering); London, 66 F.3d at 1238 (upholding search for books and records . . .
and any other documents . . . which reflect unlawful gambling); United States v. Riley, 906 F.2d 841,
844-45 (2d Cir. 1990) (upholding seizure of items that constitute evidence of the offenses of conspiracy
to distribute controlled substances); United States v. Wayne, 903 F.2d 1188, 1195 (8th Cir. 1990)
(upholding search for documents and materials which may be associated with . . . contraband
[narcotics]).
c. Defending Computer Search Warrants Against Challenges Based on the Description of the Things
to be Seized
Search warrants may be subject to challenge when the description of the things to be seized does
not comply fully with the best practices described above. Two challenges to the scope of warrants arise
particularly often. First, defendants may claim that a warrant is insufficiently particular when the
warrant authorizes the seizure of hardware but the affidavit only establishes probable cause to seize
information. Second, defendants may claim that agents exceeded the scope of the warrant by seizing
computer equipment if the warrant failed to state explicitly that the information to be seized might be in
electronic form. The former challenge argues that the description of the property to be seized was too
broad, and the latter argues that the description was not broad enough.
1) When the warrant authorizes the seizure of hardware but the affidavit only establishes
probable cause to seize information
Computer search warrants sometimes authorize the seizure of hardware when the probable cause in
the affidavit relates solely to the computer files the hardware contains. For example, agents may have
probable cause to believe that a suspect possesses evidence of a fraud scheme, and may draft the warrant
to authorize the seizure of the defendant's computer equipment rather than the data stored within it. On
a practical level, such a description makes sense because it accurately and precisely describes what the
agents will do when they execute the warrant (i.e., seize the computer equipment). From a legal
standpoint, however, the description is less than ideal: the equipment itself is not evidence of a crime, an
instrumentality or contraband that may be seized according to Rule 41(a). See Appendix F; cf. In re
Grand Jury Subpoena Duces Tecum, 846 F. Supp. 11, 13 (S.D.N.Y. 1994) (concluding that a subpoena
demanding production of computer hardware instead of the information it contained was unreasonably
broad pursuant to Fed. R. Crim. P. 17(c)). The physical equipment merely stores the information that
the agents have probable cause to seize. Although the agents may need to seize the equipment in order
to obtain the files it contains, the better practice is to describe the information rather than the equipment
in the warrant itself. When agents obtain a warrant authorizing the seizure of equipment, defendants
may claim that the description of the property to be seized is fatally overbroad. See, e.g., Davis v.
Gracey, 111 F.3d 1472, 1479 (10th Cir. 1997).9
To date, the courts have adopted a forgiving stance when faced with this challenge. The courts
have generally held that descriptions of hardware can satisfy the particularity requirement so long as the
subsequent searches of the seized computer hardware appear reasonably likely to yield evidence of
crime. See, e.g., United States v. Hay, 231 F.3d 630, 634 (9th Cir. 2000) (upholding seizure of
"computer hardware" in search for materials containing child pornography); United States v. Campos,
221 F.3d 1143, 1147 (10th Cir. 2000) (upholding seizure of "computer equipment which may be, or is
used to visually depict child pornography," and noting that the affidavit accompanying the warrant
explained why it would be necessary to seize the hardware and search it off-site for the images it
contained); United States v. Upham, 168 F.3d 532, 535 (1st Cir. 1999) (upholding seizure of "[a]ny and
all computer software and hardware, . . . computer disks, disk drives" in a child pornography case
because "[a]s a practical matter, the seizure and subsequent off-premises search of the computer and all
available disks was about the narrowest definable search and seizure reasonably likely to obtain the
[sought after] images"); United States v. Lacy, 119 F.3d 742, 746 (9th Cir. 1997) (warrant permitting
"blanket seizure" of computer equipment from defendant's apartment not insufficiently particular when
there was probable cause to believe that computer would contain evidence of child pornography
offenses); United States v. Henson, 848 F.2d 1374 (6th Cir. 1988) (permitting seizure of "computer[s],
computer terminals, cables, printers, discs, floppy discs, [and] tapes" that could hold evidence of the
defendants' odometer-tampering scheme because such language is directed toward items likely to
provide information concerning the [defendants'] involvement in the . . . scheme and therefore did not
authorize the officers to seize more than what was reasonable under the circumstances); United States
v. Hersch, 1994 WL 568728, at *1 (D. Mass. 1994). Cf. United States v. Lamb, 945 F. Supp. 441, 458-
59 (N.D.N.Y. 1996) (not insufficiently particular to ask for "[a]ll stored files" in AOL network account
when searching account for obscene pornography, because as a practical matter all files need to be
reviewed to determine which files contain the pornography).
Despite these decisions, agents should comply with the technical requirements of Rule 41 when
describing the "property to be seized" in a search warrant. If the property to be seized is information,
the warrant should describe the information to be seized, rather than its container. Of course, when the
information to be seized is contraband (such as child pornography), the container itself may be
independently seized as an instrumentality. See Gracey, 111 F.3d at 1480 (seizure of computer
equipment was proper in case involving obscenity because the hardware was an instrumentality of the
crime).
2) When agents seize computer data and computer hardware but the warrant does not expressly
authorize their seizure
Search warrants sometimes fail to mention that information described in the warrant may appear in
electronic form. For example, a search for "all records" relating to a conspiracy may list paper-world
examples of record documents but neglect to state that the records may be stored within a computer.
Agents executing the search who come across computer equipment may not know whether the warrant
authorizes the seizure of the computers. If the agents do seize the computers, defense counsel may file a
motion to suppress the evidence arguing that the computers seized were beyond the scope of the
warrant.
The courts have generally permitted agents to seize computer equipment when agents reasonably
believe that the content described in the warrant may be stored there, regardless of whether the warrant
states expressly that the information may be stored in electronic form. See, e.g., United States v.
Musson, 650 F. Supp. 525, 532 (D. Colo. 1986). As the Tenth Circuit explained in United States v.
Reyes, 798 F.2d 380, 383 (10th Cir. 1986), "in the age of modern technology and commercial
availability of various forms of items, the warrant c[an] not be expected to describe with exactitude the
precise form the records would take." Accordingly, what matters is the substance of the evidence, not
its form, and the courts will defer to an executing agent's reasonable construction of what property must
be seized to obtain the evidence described in the warrant. See United States v. Hill, 19 F.3d 984, 987-89
(5th Cir. 1994); Hessel v. O'Hearn, 977 F.2d 299 (7th Cir. 1992); United States v. Word, 806 F.2d 658,
661 (6th Cir. 1986); United States v. Gomez-Soto, 723 F.2d 649, 655 (9th Cir. 1984) ("The failure of the
warrant to anticipate the precise container in which the material sought might be found is not fatal.").
See also United States v. Abbell, 963 F. Supp. 1178, 1997 (S.D. Fla. 1997) (noting that agents may
legitimately seize "[a] document which is implicitly within the scope of the warrant -- even if it is not
specifically identified").
3) General defenses to challenges of computer search warrants based on the description of the things
to be seized
Prosecutors facing challenges to the particularity of computer search warrants have a number of
additional arguments that may save inartfully drawn warrants. First, prosecutors can argue that the
agents who executed the search had an objectively reasonable good faith belief that the warrant was
sufficiently particular. See generally United States v. Leon, 468 U.S. 897, 922 (1984); Massachusetts v.
Shepard, 468 U.S. 981, 990-91 (1984). If true, the court will not order suppression of the evidence.
See, e.g., United States v. Hunter, 13 F. Supp.2d 574, 584-85 (D. Vt. 1998) (holding that good faith
exception applied even though computer search warrant was insufficiently particular). Second,
prosecutors may argue that the broad description in the warrant must be read in conjunction with a more
particular description contained in the supporting affidavit. Although the legal standards vary widely
among the circuits, see Wayne R. LaFave, Search and Seizure: A Treatise on the Fourth Amendment §
4.6(a) (1994), most circuits permit the warrant to be construed with reference to the affidavit for
purposes of satisfying the particularity requirement in certain circumstances. Finally, several circuits
have held that courts can redact overbroad language and admit evidence from overbroad seizures if the
evidence admitted was seized pursuant to sufficiently particular language. See United States v.
Christine, 687 F.2d 749, 759 (3d Cir. 1982); Gomez-Soto, 723 F.2d at 654.
Step 2: Establish Probable Cause in the Affidavit
The second step in preparing a warrant to search and seize a computer is to write a sworn affidavit
establishing probable cause to believe that contraband, evidence, fruits, or instrumentalities of crime
exist in the location to be searched. See U.S. Const. Amend. IV ("no Warrants shall issue, but upon
probable cause, supported by Oath or affirmation"); Fed. R. Crim. P. 41(b),(c). According to the
Supreme Court, the affidavit must establish "a fair probability that contraband or evidence of a crime
will be found in a particular place." Illinois v. Gates, 462 U.S. 213, 238 (1983). This requires a
practical, common-sense determination of the probabilities, based on a totality of the circumstances.
See id. Of course, probable cause will not exist if the agent can only point to a "bare suspicion" that
criminal evidence will be found in the place searched. See Brinegar v. United States, 338 U.S. 160, 175
(1949). Once a magistrate judge finds probable cause and issues the warrant, the magistrate's
determination that probable cause existed is entitled to "great deference," Gates, 462 U.S. at 236, and
will be upheld so long as there is a substantial basis for concluding that probable cause existed. Id. at
238-39 (internal quotations omitted).
Importantly, the probable cause requirement does not require agents to be clairvoyant in their
knowledge of the precise forms of evidence or contraband that will exist in the location to be searched.
For example, agents do not need probable cause to believe that the evidence sought will be found in
computerized (as opposed to paper) form. See United States v. Reyes, 798 F.2d 380, 382 (10th Cir.
1986) (noting that "in the age of modern technology . . . , the warrant could not be expected to describe
with exactitude the precise forms the records would take"). Similarly, agents do not need to know
exactly what statutory violation the evidence will help reveal, see United States v. Prandy-Binett, 995
F.2d 1069, 1073 (D.C. Cir. 1993), and do not need to know who owns the property to be searched and
seized, see United States v. McNally, 473 F.2d 934, 942 (3d Cir. 1973). The probable cause standard
simply requires agents to establish a fair probability that contraband or evidence of a crime will be found
in the particular place to be searched. See Gates, 462 U.S. at 238. Of course, agents who have
particular knowledge as to the form of evidence or contraband that exists at the place to be searched
should articulate that knowledge fully in the affidavit.
Probable cause challenges to computer search warrants arise particularly often in cases involving
the possession and transmission of child pornography images.10 For example, defendants often claim
that the passage of time between the warrant application and the occurrence of the incriminating facts
alleged in the affidavit left the magistrate judge without sufficient reason to believe that images of child
pornography would be found in the defendant's computers. The courts have generally found little merit
in these "staleness" arguments, in part because the courts have taken judicial notice of the fact that
collectors of child pornography rarely dispose of such material. See, e.g., United States v. Lacy, 119
F.3d 742, 745-46 (9th Cir. 1997); United States v. Sassani, 139 F.3d 895, 1998 WL 89875, at *4-5 (4th
Cir. 1998) (unpublished) (citing cases).
Probable cause challenges may also arise when supporting evidence in an affidavit derives heavily
from records of a particular Internet account or Internet Protocol (IP) address. The problem is a
practical one: generally speaking, the fact that an account or address was used does not establish
conclusively the identity or location of the particular person who used it. As a result, an affidavit based
heavily on account or IP address logs must demonstrate a sufficient connection between the logs and the
location to be searched to establish "a fair probability that contraband or evidence of a crime will be
found in [the] particular place" to be searched. Gates, 462 U.S. at 238. See, e.g., United States v. Hay,
231 F.3d 630, 634 (9th Cir. 2000) (evidence that child pornography images were sent to an IP address
associated with the defendant's apartment, combined with other evidence of the defendant's interest in
young children, created probable cause to search the defendant's apartment for child pornography);
United States v. Grant, 218 F.3d 72, 76 (1st Cir. 2000) (evidence that an Internet account belonging to
the defendant was involved in criminal activity on several occasions, and that the defendant's car was
parked at his residence during at least one such occasion, created probable cause to search the
defendant's residence).
Step 3: In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy
(Such as the Need to Conduct an Off-site Search) as Well as the Practical and Legal
Considerations That Will Govern the Execution of the Search
The third step in drafting a successful computer search warrant is to explain both the search
strategy and the practical considerations underlying the strategy in the affidavit. For example, if agents
expect that they may need to seize a personal computer and search it off-site to recover the relevant
evidence, the affidavit should explain this expectation and its basis to the magistrate judge. The
affidavit should inform the court of the practical limitations of conducting an on-site search, and should
articulate the plan to remove the entire computer from the site if it becomes necessary. The affidavit
should also explain what techniques the agents expect to use to search the computer for the specific files
that represent evidence of crime and may be intermingled with entirely innocuous documents. If the
search strategy has been influenced by legal considerations such as potential PPA liability, the affidavit
should explain how and why. If the agents have authority to seize hardware because the
hardware itself is evidence, contraband, or an instrumentality of crime, the affidavit should explain
whether the agents intend to search the hardware following the seizure, and, if so, for what. In sum, the
affidavit should address all of the relevant practical and legal issues that the agents have considered in
the course of planning the search, and should explain the course of conduct that the agents will follow as
a result. Although no particular language is required, Appendix F offers sample language that agents
may find useful in many situations. Finally, when the search strategy is complicated or the affidavit is
under seal, it is a good practice for agents to reproduce the explanation of the search strategy contained
in the affidavit as an attachment to the warrant itself.
The reasons for articulating the search strategy in the affidavit are both practical and legal. On a
practical level, explaining the search strategy in the affidavit creates a document that both the court and
the agents can read and refer to as a guide to the execution of the search. See Nat'l City Trading Corp.
v. United States, 635 F.2d 1020, 1026 (2d Cir. 1980) ("[W]e note with approval the care taken by the
Government in the search involved here. . . . Such self-regulatory care [in executing a warrant] is
conduct highly becoming to the Government."). Similarly, if the explanation of the search strategy is
reproduced as an attachment to the warrant and given to the subject of the search pursuant to Rule 41(d),
the explanation permits the owner of the searched property to satisfy himself during the search that the
agents' conduct is within the scope of the warrant. See Michigan v. Tyler, 436 U.S. 499, 508 (1978)
(noting that "a major function of the warrant is to provide the property owner with sufficient information
to reassure him of the entry's legality"). Finally, as a legal matter, explaining the search strategy in the
affidavit helps to counter defense counsel motions to suppress based on the agents' alleged "flagrant
disregard" of the warrant during the execution of the search.
To understand motions to suppress based on the "flagrant disregard" standard, agents and
prosecutors should recall the limitations on search and seizure imposed by Rule 41 and the Fourth
Amendment. In general, the Fourth Amendment and Rule 41 limit agents to searching for and seizing
property described in the warrant that is itself evidence, contraband, fruits, or instrumentalities of crime.
See United States v. Tamura, 694 F.2d 591, 595 (9th Cir. 1982); see also Appendix F (describing
property that may be seized according to Rule 41). If agents execute a warrant and seize additional
property not described in the warrant, defense counsel can file a motion to suppress the additional
evidence. Motions to suppress such additional evidence are filed relatively rarely because, if granted,
they result only in the suppression of the property not named in the warrant. See United States v.
Hargus, 128 F.3d 1358, 1363 (10th Cir. 1997). On the other hand, defense counsel will often attempt to
use the seizure of additional property as the basis for a motion to suppress all of the evidence obtained in
a search. To be entitled to the extreme remedy of blanket suppression, the defendant must establish that
the seizure of additional materials proves that the agents executed the warrant in "flagrant disregard" of
its terms. See, e.g., United States v. Le, 173 F.3d 1258, 1269 (10th Cir. 1999); United States v. Matias,
836 F.2d 744, 747-48 (2d Cir. 1988) (citing cases). A search is executed in "flagrant disregard" of its
terms when the officers so grossly exceed the scope of the warrant during execution that the authorized
search appears to be merely a pretext for a "fishing expedition" through the target's private property.
See, e.g., United States v. Liu, – F.3d –, 2000 WL 1876779 (2d Cir. 2000); United States v. Foster, 100
F.3d 846, 851 (10th Cir. 1996); United States v. Young, 877 F.2d 1099, 1105-06 (1st Cir. 1989).
Motions to suppress alleging "flagrant disregard" are common in computer searches because, for
practical and technical reasons, agents executing computer searches frequently must seize hardware or
files that are not described in the warrant. For example, agents who have probable cause to believe that
evidence of a defendant's fraud scheme is stored on the defendant's home computer may have to seize
the entire computer and search it off-site. See discussion supra. Defense lawyers often argue that by
seizing more than the specific computer files named in the warrant, the agents flagrantly disregarded
the seizure authority granted by the warrant. See, e.g., United States v. Henson, 848 F.2d 1374, 1383
(6th Cir. 1988); United States v. Hunter, 13 F. Supp.2d 574, 585 (D. Vt. 1998); United States v.
Gawrysiak, 972 F. Supp. 853, 865 (D.N.J. 1997), aff'd, 178 F.3d 1281 (3d Cir. 1999); United States v.
Sissler, 1991 WL 239000, at *3 (W.D. Mich. 1991), aff'd, 966 F.2d 1455 (6th Cir. 1992); United States
v. Schwimmer, 692 F. Supp. 119, 126 (E.D.N.Y. 1988).
Prosecutors can best respond to "flagrant disregard" motions by showing that any seizure of
property not named in the warrant resulted from a good faith response to inherent practical difficulties,
rather than a wish to conduct a general search of the defendant's property under the guise of a narrow
warrant. The courts have recognized the practical difficulties that agents face in conducting computer
searches for specific files, and have approved off-site searches despite the incidental seizure of
additional property. See, e.g., Davis v. Gracey, 111 F.3d 1472, 1280 (10th Cir. 1997) (noting the
obvious difficulties attendant in separating the contents of electronic storage [sought as evidence] from
the computer hardware [seized] during the course of a search); United States v. Schandl, 947 F.2d 462,
465-466 (11th Cir. 1991) (noting that an on-site search might have been far more disruptive than the
off-site search conducted); Henson, 848 F.2d at 1383-84 ("We do not think it is reasonable to have
required the officers to sift through the large mass of documents and computer files found in the
[defendant's] office, in an effort to segregate those few papers that were outside the warrant."); United
States v. Scott-Emuakpor, 2000 WL 288443, at *7 (W.D. Mich. 2000) (noting the specific problems
associated with conducting a search for computerized records that justify an off-site search);
Gawrysiak, 972 F. Supp. at 866 ("The Fourth Amendment's mandate of reasonableness does not require
the agent to spend days at the site viewing the computer screens to determine precisely which documents
may be copied within the scope of the warrant."); Sissler, 1991 WL 239000, at *4 ("The police . . . were
not obligated to inspect the computer and disks at the . . . residence because passwords and other
security devices are often used to protect the information stored in them. Obviously, the police were
permitted to remove them from the . . . residence so that a computer expert could attempt to 'crack' these
security measures, a process that takes some time and effort. Like the seizure of documents, the seizure
of the computer hardware and software was motivated by considerations of practicality. Therefore, the
alleged carte blanche seizure of them was not a 'flagrant disregard' for the limitations of a search
warrant."). See also United States v. Upham, 168 F.3d 532, 535 (1st Cir. 1999) ("It is no easy task to
search a well-laden hard drive by going through all of the information it contains . . . . The record shows
that the mechanics of the search for images later performed [off-site] could not readily have been done
on the spot."); United States v. Lamb, 945 F. Supp. 441, 462 (N.D.N.Y. 1996) ("[I]f some of the image
files are stored on the internal hard drive of the computer, removing the computer to an FBI office or lab
is likely to be the only practical way of examining its contents.").
The decisions permitting off-site computer searches are bolstered by analogous physical-world
cases that have authorized agents to remove file cabinets and boxes of paper documents so that agents
can review the contents off-site for the documents named in the warrant. See, e.g., United States v.
Hargus, 128 F.3d 1358, 1363 (10th Cir. 1997) (concluding that wholesale seizure of file cabinets and
miscellaneous papers did not establish flagrant disregard because the seizure was motivated by the
impracticability of on-site sorting and the time constraints of executing a daytime search warrant);
Crooker v. Mulligan, 788 F.2d 809, 812 (1st Cir. 1986) (noting cases upholding the seizure of
documents, both incriminating and innocuous, which are not specified in a warrant but are intermingled,
in a single unit, with relevant documents); United States v. Tamura, 694 F.2d 591, 596 (9th Cir. 1982)
(ruling that the district court properly denied suppression motion where the Government's wholesale
seizures were motivated by considerations of practicality rather than by a desire to engage in
indiscriminate 'fishing'); United States v. Hillyard, 677 F.2d 1336, 1340 (9th Cir. 1982) ("If
commingling prevents on-site inspection, and no other practicable alternative exists, the entire property
may be seizable, at least temporarily.").
Explaining the agent's search strategy and the practical considerations underlying the strategy in
the affidavit can help ensure that the execution of the search will not be deemed in "flagrant disregard"
of the warrant. Cf. United States v. Hay, 231 F.3d 630, 634 (9th Cir. 2000) (suggesting that a magistrate
judge's authorization of a search supported by an affidavit that explained the need for an off-site search
of a computer constituted the magistrate judge's authorization of the off-site search); United States v.
Campos, 221 F.3d 1143, 1147 (10th Cir. 2000) (relying on the explanation of the search strategy
contained in the affidavit in the course of holding that a computer warrant was not overbroad). A
careful explanation of the search strategy illustrates the agent's good faith and due care, articulates the
practical concerns driving the search, and permits the judge to authorize the strategy described in the
affidavit. A search that complies with the strategy explained in the supporting affidavit will not be in
flagrant disregard of the warrant. See, e.g., Gawrysiak, 973 F. Supp. at 866 (commending agents for
conducting a computer search with considerable care based on the submission of a detail-rich
supporting affidavit and a written search plan).
When agents expect that the files described in the warrant will be commingled with innocent files
outside of the warrant's scope, it is a good practice, if technically possible, to explain in the
affidavit how the agents plan to search the computer for the targeted files.
When agents conduct a search for computer files and other electronic evidence stored in a hard
drive or other storage device, the evidence may be commingled with data and files that have no relation
to the crime under investigation. Figuring out how best to locate and retrieve the evidence amidst the
unrelated data is more of an art than a science, and often requires significant technical expertise and
careful attention to the facts. As a result, agents may or may not know at the time the warrant is
obtained how the storage device should be searched, and, in beginning the search, may or may not know
whether it will be possible to locate the evidence without conducting an extensive search through
unrelated files.
When agents have a factual basis for believing that they can locate the evidence using a specific set
of techniques, the affidavit should explain the techniques that the agents plan to use to distinguish
incriminating documents from commingled documents. Depending on the circumstances, it may be
helpful to consult with experts in computer forensics to determine what kind of search can be conducted
to locate the particular files described in the warrant. In some cases, a key word search or similar
surgical approach may be possible. Such an approach may permit law enforcement to locate the
incriminating files without conducting an extensive search through innocent files that happen to be
mixed together with the incriminating files that are the target of the search. Notably, the Fourth
Amendment does not generally require such an approach. See United States v. Hunter, 13 F. Supp.2d
574, 584 (D. Vt. 1998) ("Computer records searches are no less constitutional than searches of physical
records, where innocuous documents may be scanned to ascertain their relevancy."); United States v.
Lloyd, 1998 WL 846822, at *3 (E.D.N.Y. 1998). However, in extensive dicta, the Tenth Circuit has
indicated that it favors such a narrow approach because it minimizes the possibility that the government
will be able to use a narrow warrant to justify a broader search. See United States v. Carey, 172 F.3d
1268, 1275-76, 1275 n.8 (10th Cir. 1999) (citing Raphael Winick, Searches and Seizures of Computers
and Computer Data, 8 Harv. J. L. & Tech. 75, 108 (1994)); Campos, 221 F.3d at 1148. See also
Gawrysiak, 972 F. Supp. at 866 (suggesting in dicta that agents executing a search for computer files
could have at the least checked the date on which each file was created, and avoided copying those files
that were created before the time period covered by the warrant).
Of course, in many cases a narrow approach will be technically impossible. The targeted files may
be mislabeled, hidden, oddly configured, written using code words to escape detection, encrypted, or
otherwise impossible to find using a simple technique such as a key word search. Because some
judges may fail to appreciate such technical difficulties, it is a good practice as a matter of policy for
agents to discuss these issues in the affidavit if it appears that a narrow search will not be effective. In
such cases, a more extensive search through innocent files will be necessary to determine which files fall
within the scope of the warrant. Explaining these practical needs in the affidavit can make clear at the
outset why an extensive search will not be in flagrant disregard of the warrant, and why the extensive
search complies fully with traditional Fourth Amendment principles. See Andresen v. Maryland, 427
U.S. 463, 482 n.11 (1976) ("In searches for papers, it is certain that some innocuous documents will be
examined, at least cursorily, in order to determine whether they are, in fact, among those papers
authorized to be seized."); United States v. Riley, 906 F.2d 841, 845 (2d Cir. 1990) (noting that records
searches permit agents to search through many papers because "few people keep documents of their
criminal transactions in a folder marked '[crime] records.'"); United States v. Gray, 78 F. Supp.2d 524,
530 (E.D. Va. 1999) (noting that agents executing a search for computer files are not required to accept
as accurate any file name or suffix and [to] limit [their] search accordingly, because criminals may
intentionally mislabel files, or attempt to bury incriminating files within innocuously named
directories.); Hunter, 13 F. Supp.2d at 584; United States v. Sissler, 1991 WL 239000, at *4 (W.D.
Mich. 1991) ("[T]he police were not obligated to give deference to the descriptive labels placed on the
discs by [the defendant]. Otherwise, records of illicit activity could be shielded from seizure by simply
placing an innocuous label on the computer disk containing them.").
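The trade-off described above, as an added example (not from the manual or from any agency's tooling): a triage pass that applies the date-window and key word filters the cited cases mention, then flags in-window files whose content signature contradicts their extension, which a name-based or key-word-only pass would silently skip. The key words, date window, file names and file contents are constructed, and modification time stands in for the creation date, which is not portably available.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed scope for the demonstration; not taken from any real warrant.
KEYWORDS = (b"ledger", b"invoice")
WINDOW = (datetime(2000, 1, 1, tzinfo=timezone.utc),
          datetime(2000, 12, 31, 23, 59, 59, tzinfo=timezone.utc))

# Leading bytes of a few common formats and the extensions consistent with them.
SIGNATURES = {
    b"%PDF-": {".pdf"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx"},
    b"\x89PNG\r\n\x1a\n": {".png"},
}
KNOWN_EXTS = set().union(*SIGNATURES.values())


def sniff(data):
    """Return the extensions consistent with the leading bytes, or None."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None


def label_contradicts_content(ext, data):
    """True when the extension and the content signature disagree."""
    expected = sniff(data)
    if expected is not None:
        return ext not in expected
    return ext in KNOWN_EXTS  # claims a binary format but lacks its signature


def has_keyword(data):
    lowered = data.lower()
    return any(k in lowered for k in KEYWORDS)


def classify(path):
    """Return responsive, out_of_window, manual_review or no_hit for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    if not WINDOW[0] <= mtime <= WINDOW[1]:
        return "out_of_window"          # the date filter suggested in dicta
    if has_keyword(data):
        return "responsive"             # the key word search
    if label_contradicts_content(ext, data):
        return "manual_review"          # the label cannot be taken at face value
    return "no_hit"


def _walk(root):
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full


def triage(root):
    """Classify every file under root."""
    return {rel: classify(full) for rel, full in _walk(root)}


def keyword_only(root):
    """Files a bare key word search returns, ignoring dates and labels."""
    hits = set()
    for rel, full in _walk(root):
        with open(full, "rb") as fh:
            if has_keyword(fh.read()):
                hits.add(rel)
    return hits


def _write(root, name, data, when):
    path = os.path.join(root, name)
    with open(path, "wb") as fh:
        fh.write(data)
    ts = when.timestamp()
    os.utime(path, (ts, ts))  # constructed timestamp


def build_sample(root):
    """Create four constructed files; one is mislabeled and encoded."""
    # XOR encoding is a stand-in for compression or encryption.
    hidden = bytes(b ^ 0x5A for b in b"ledger of cash sales for june")
    utc = timezone.utc
    _write(root, "q3_ledger.txt", b"Ledger: third quarter sales", datetime(2000, 6, 15, tzinfo=utc))
    _write(root, "old_invoice.txt", b"Invoice 17, paid", datetime(1998, 3, 1, tzinfo=utc))
    _write(root, "vacation.jpg", b"PK\x03\x04" + hidden, datetime(2000, 7, 1, tzinfo=utc))
    _write(root, "notes.txt", b"grocery list: milk, eggs", datetime(2000, 8, 1, tzinfo=utc))


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root), keyword_only(root)


if __name__ == "__main__":
    print(run_demo())
```

The bare key word search returns the out-of-period file and never sees `vacation.jpg`; the triage pass drops the former and routes the latter to manual review, which is the practical need the affidavit would explain.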
When agents obtain a warrant to seize hardware that is itself evidence, contraband, or an
instrumentality of crime, they should explain in the affidavit whether and how they plan to search
the hardware following the seizure.
When agents have probable cause to seize hardware because it is evidence, contraband, or an
instrumentality of crime, the warrant will ordinarily describe the property to be seized as the hardware
itself. In many of these cases, however, the agents will plan to search the hardware after it is seized for
electronic data stored inside the hardware that also constitute evidence or contraband. It is a good
practice for agents to inform the magistrate of this plan in the supporting affidavit. Although the courts
have upheld searches when agents did not explain this expectation in the affidavit, see, e.g., United
States v. Simpson, 152 F.3d 1241, 1248 (10th Cir. 1998) (discussed infra), the better practice is to
inform the magistrate in the affidavit of the agents' plan to search the hardware following the seizure.
D. Post-Seizure Issues
In many cases, computer equipment that has been seized will be sent to a laboratory for forensic
examination. The time that may elapse before a technical specialist completes the forensic examination
varies widely, depending on the hardware itself, the evidence sought, and the urgency of the search. In
most cases, however, the elapsed time is a matter of months. Several legal issues may arise during the
post-seizure period that implicate the government's right to retain and search the computers in their
custody.
1. Searching Computers Already in Law Enforcement Custody
In general, agents should obtain a second warrant to search a computer seized pursuant to a valid
warrant if the property targeted by the proposed search is different from that underlying the first
warrant.
Agents often seize a computer pursuant to a warrant, and then ask whether they need a second
warrant to search the computer. Whether a second warrant is needed depends on the purpose of the
search. If agents plan to search the computer for the information that was the target of the original
seizure, no second warrant is required. For example, in United States v. Simpson, 152 F.3d 1241 (10th
Cir. 1998), investigators obtained a warrant to seize the defendant's computer diskettes . . . and the
defendant's computer based on probable cause to believe it contained child pornography. The
investigators seized the computer and then searched it in police custody, finding child pornography
images. On appeal following conviction, the defendant claimed that the investigators lacked the
authority to search the computer because the warrant merely authorized the seizure of equipment. The
Tenth Circuit rejected the argument, concluding that a warrant to seize computer equipment permitted
agents to search the equipment. See id. at 1248. See also United States v. Gray, 78 F. Supp.2d 524,
530-31 (E.D. Va. 1999) (holding that initial warrant authorizing search for evidence of computer
hacking justified a subsequent search for such evidence, even though agents uncovered incriminating
evidence beyond the scope of the warrant in the course of executing the search).
If investigators seize computer equipment for the evidence it contains and later decide to search the
equipment for different evidence, however, they should obtain a second warrant. In United States v.
Carey, 172 F.3d 1268 (10th Cir. 1999), detectives obtained a warrant to search the defendant's computer
for records of narcotics sales. Searching the computer back at the police station, a detective discovered
images of child pornography. At that point, the detective abandoned the search for drug-related
evidence and instead searched the entire hard drive for evidence of child pornography. Id. at 1277-78.
The Tenth Circuit suppressed the child pornography, holding that the subsequent search for child
pornography was impermissible general rummaging that exceeded the scope of the original warrant.
Id. at 1276 (Baldock, J., concurring); Id. at 1273. Compare Gray, 78 F. Supp.2d at 530-31 (upholding
search where agent discovered child pornography in the course of looking for evidence of computer
hacking pursuant to a warrant, and then obtained a second warrant before searching the computer for
child pornography).
Notably, Carey's focus on the agent's subjective intent may reflect a somewhat outdated view of
the Fourth Amendment. The Supreme Court's recent Fourth Amendment cases generally have declined
to examine an agent's subjective intent, and instead have focused on whether the circumstances, viewed
objectively, justified the agent's conduct. See, e.g., Whren v. United States, 517 U.S. 806, 813 (1996);
Horton v. California, 496 U.S. 128, 138 (1990). Relying on these precedents, several courts have
indicated that an agent's subjective intent during the execution of a warrant no longer determines
whether the search exceeded the scope of the warrant and violated the Fourth Amendment. See United
States v. Van Dreel, 155 F.3d 902, 905 (7th Cir. 1998) ("[U]nder Whren, . . . once probable cause exists,
and a valid warrant has been issued, the officer's subjective intent in conducting the search is
irrelevant."); United States v. Ewain, 88 F.3d 689, 694 (9th Cir. 1996) ("Using a subjective criterion
would be inconsistent with Horton, and would make suppression depend too much on how the police tell
their story, rather than on what they did."). According to these cases, the proper inquiry is whether,
from an objective perspective, the search that the agents actually conducted was consistent with the
warrant obtained. See Ewain, 88 F.3d at 694. The agent's subjective intent is either irrelevant, Van
Dreel, 155 F.3d at 905, or else merely one factor in the overall determination of whether the police
confined their search to what was permitted by the search warrant. Ewain, 88 F.3d at 694.
2. The Permissible Time Period For Examining Seized Computers
Neither Rule 41 nor the Fourth Amendment creates any specific time limits on the government's
forensic examination of seized computers. Some magistrate judges have begun imposing such
limitations, however.
Despite the best efforts of the government to analyze seized computers quickly, the forensic
examination of seized computers often takes months to complete because computers can store enormous
amounts of data. As a result, suspects whose computers have been seized may be deprived of their
computer hardware for an extended period of time. Neither Rule 41 nor the Fourth Amendment imposes
any specific limitation on the time period of the government's forensic examination. The government
ordinarily may retain the seized computer and examine its contents in a careful and deliberate manner
without legal restrictions, subject only to Rule 41(e)'s authorization that a person aggrieved by the
seizure of property may bring a motion for the return of the property (see "Rule 41(e) Motions for
Return of Property," infra).11
A few magistrate judges have taken a different view, however. Several magistrate judges have
refused to sign search warrants authorizing the seizure of computers unless the government conducts the
forensic examination in a short period of time, such as thirty days. Some magistrate judges have
imposed time limits as short as seven days, and several have imposed specific time limits when agents
apply for a warrant to seize computers from operating businesses. In support of these limitations, a few
magistrate judges have expressed their concern that it might be constitutionally unreasonable under
the Fourth Amendment for the government to deprive individuals of their computers for more than a
short period of time. Other magistrates have suggested that Rule 41's requirement that agents execute a
search within 10 days of obtaining the warrant might apply to the forensic analysis of the computer as
well as the initial search and seizure. See Fed. R. Crim. P. 41(c)(1).
The law does not expressly authorize magistrate judges to issue warrants that impose time limits
on law enforcement's examination of seized evidence. Although the relevant case law is sparse, it
suggests that magistrate judges lack the legal authority to refuse to issue search warrants on the ground
that they believe that the agents may, in the future, execute the warrants in an unconstitutional fashion.
See Abraham S. Goldstein, The Search Warrant, the Magistrate, and Judicial Review, 62 N.Y.U. L.
Rev. 1173, 1196 (1987) ("The few cases on [whether a magistrate judge can refuse to issue a warrant on
the ground that the search may be executed unconstitutionally] hold that a judge has a ministerial duty
to issue a warrant after probable cause has been established."); In re Worksite Inspection of Quality
Products, Inc., 592 F.2d 611, 613 (1st Cir. 1979) (noting the limited role of magistrate judges in issuing
search warrants). As the Supreme Court suggested in one early case, the proper course is for the
magistrate to issue the warrant so long as probable cause exists, and then to permit the parties to litigate
the constitutional issues afterwards. See Ex Parte United States, 287 U.S. 241, 250 (1932) ("The refusal
of the trial court to issue a warrant . . . is, in reality and effect, a refusal to permit the case to come to a
hearing upon either questions of law or fact, and falls a little short of a refusal to permit the enforcement
of the law.").
Prosecutors should also be prepared to explain to magistrate judges why a forensic search for files
stored in a seized computer need not occur within 10 days of obtaining the warrant. Rule 41(c)(1)
requires that the agents who obtain a warrant must search, within a specified period of time not to
exceed 10 days, the person or place named for the property or person specified. This rule directs agents
to search the place named in the warrant and seize the property specified within 10 days so that the
warrant does not become stale before it is executed. See United States v. Sanchez, 689 F.2d 508, 512
n.5 (5th Cir. 1982). This rule does not apply to the forensic analysis of evidence that has already been
seized, however; even if such analysis involves a Fourth Amendment search in some cases, it plainly
does not occur in the place . . . named in the warrant. An analogy to paper documents may be
helpful. A Rule 41 warrant that authorizes the seizure of a book requires that the book must be seized
from the place described in the warrant within 10 days. However, neither the warrant nor Rule 41
requires law enforcement to examine the book and complete any forensic analysis of its pages within the
same 10-day period. Cf. Commonwealth v. Ellis, 10 Mass. L. Rptr. 429, 1999 WL 815818, at *8-9
(Mass. Super. 1999) (interpreting analogous state law provision) ("The ongoing search of the computer's
memory need not have been accomplished within the . . . period required for return of the warrant.").
Although the legal basis for imposing time limits on forensic analysis is unclear, a magistrate
judge's refusal to issue a computer search warrant absent time limitations can create significant
headaches for prosecutors. As a practical matter, prosecutors often have little choice but to go along
with the magistrate judge's wishes. A judge's refusal to sign a search warrant generally is not an
appealable final order, and the prosecutor's only recourse is to turn to another judge, who will want to
know why the first judge refused to sign the warrant. See United States v. Savides, 658 F. Supp. 1399,
1404 (N.D. Ill. 1987), aff'd in relevant part sub nom. United States v. Pace, 898 F.2d 1218, 1230 (7th Cir.
1990). As a practical matter, then, prosecutors will often have little choice but to try to convince the
judge not to impose a time limit, and if that fails, to request extensions when the time period proves
impossible to follow.
At least one court has adopted the severe position that suppression is appropriate when the
government fails to comply with court-imposed limits on the time period for reviewing seized
computers. In United States v. Brunette, 76 F. Supp.2d 30 (D. Me. 1999), a magistrate judge permitted
agents to seize the computers of a child pornography suspect on the condition that the agents searched
through the computers for evidence within 30 days. The agents executed the search five days later,
and seized several computers. A few days before the thirty-day period elapsed, the government applied
for and obtained a thirty-day extension of the time for review. The agents then reviewed all but one of
the seized computers within the thirty-day extension period, and found hundreds of images of child
pornography. However, the agents did not begin reviewing the last of the computers until two days after
the extension period had elapsed. The defendant moved for suppression of the child pornography
images found in the last computer, on the ground that the search outside of the sixty-day period violated
the terms of the warrant and subsequent extension order. The court agreed, stating that because the
Government failed to adhere to the requirements of the search warrant and subsequent order, any
evidence gathered from the . . . computer is suppressed. Id. at 42.
The result in Brunette makes little sense either under Rule 41 or the Fourth Amendment. Even
assuming that a magistrate judge has the authority to impose time constraints on forensic testing in the
first place, it seems incongruous to impose suppression for violations of such conditions when analogous
violations of Rule 41 itself would not result in suppression. Compare Brunette with United States v.
Twenty-Two Thousand, Two Hundred Eighty Seven Dollars ($22,287.00), U.S. Currency, 709 F.2d
442, 448 (6th Cir. 1983) (rejecting suppression when agents began search shortly after 10 p.m., even
though Rule 41 states that all searches must be conducted between 6:00 a.m. and 10 p.m.). This is
especially true when the hardware to be searched was a container of contraband child pornography, and
therefore was itself an instrumentality of crime that was not subject to return.
3. Rule 41(e) Motions for Return of Property
Rule 41(e) states:
A person aggrieved by an unlawful search and seizure or by the deprivation of property may
move the district court for the district in which the property was seized for the return of the
property on the ground that such person is entitled to lawful possession of the property. The
court shall receive evidence on any issue of fact necessary to the decision of the motion. If
the motion is granted, the property shall be returned to the movant, although reasonable
conditions may be imposed to protect access and use of the property in subsequent
proceedings. If a motion for return of property is made or comes on for hearing in the
district of trial after an indictment or information is filed, it shall be treated also as a motion
to suppress under Rule 12.
Fed. R. Crim. P. 41(e).
Rule 41(e) has particular importance in computer search cases because it permits owners of seized
computer equipment to move for the return of the equipment before an indictment is filed. In some
cases, defendants will file such motions because they believe that the seizure of their equipment violated
the Fourth Amendment. If they are correct, the equipment must be returned. See, e.g., In re Grand Jury
Investigation Concerning Solid States Devices, Inc., 130 F.3d 853 (9th Cir. 1997). Rule 41(e) also
permits owners to move for a return of their property when the seizure was lawful, but the movant is
aggrieved by the government's continued possession of the seized property. Id. at 856. The
multi-functionality of computer equipment occasionally leads to Rule 41(e) motions on this basis. For
example, a suspect under investigation for computer hacking may file a motion claiming that he must
have his computer back to calculate his taxes or check his e-mail. Similarly, a business suspected of
fraud may file a motion for the return of its equipment claiming that it needs the equipment returned or
else the business will suffer.
Owners of properly seized computer equipment must overcome several formidable barriers before
a court will order the government to return the equipment. First, the owner must convince the court that
it should exercise equitable jurisdiction over the owner's claim. See Floyd v. United States, 860 F.2d
999, 1003 (10th Cir. 1988) ("Rule 41(e) jurisdiction should be exercised with caution and restraint.").
Although the jurisdictional standards vary widely among different courts, most courts will assert
jurisdiction over a Rule 41(e) motion only if the movant establishes: 1) that being deprived of
possession of the property causes 'irreparable injury', and 2) that the movant is otherwise without a
remedy at law. See In re the Matter of the Search of Kitty's East, 905 F.2d 1367, 13770-71 (10th Cir.
1990). Compare Ramsden v. United States, 2 F.3d 322, 325 (9th Cir. 1993) (articulating four-factor
jurisdictional test from pre-1989 version of Rule 41(e)). If the movant establishes these elements, the
court will move to the merits of the claim. On the merits, seized property will be returned only if the
government's continued possession is unreasonable. See Ramsden, 2 F.3d at 326. This test requires the
court to weigh the government's interest in continued possession of the property with the owner's
interest in the property's return. See United States v. Premises Known as 608 Taylor Ave., 584 F.2d 1297, 1304
(3d Cir. 1978). In particular:
If the United States has a need for the property in an investigation or prosecution, its
retention of the property generally is reasonable. But, if the United States' legitimate
interests can be satisfied even if the property is returned, continued retention of the property
would be unreasonable.
Advisory Committee Notes to the 1989 Amendment of Rule 41(e) (quoted in Ramsden, 2 F.3d at 326;
Kitty's East, 905 F.2d at 1375).
Rule 41(e) motions requesting the return of properly seized computer equipment succeed only
rarely. First, courts will usually decline to exercise jurisdiction over the motion if the government has
offered the property owner an electronic copy of the seized computer files. See In re Search Warrant
Executed February 1, 1995, 1995 WL 406276, at *2 (S.D.N.Y. 1995) (concluding that owner of seized
laptop computer did not show irreparable harm where government offered to allow owner to copy files it
contained); United States v. East Side Ophthalmology, 1996 WL 384891, at *4 (S.D.N.Y. 1996). See
also Standard Drywall, Inc. v. United States, 668 F.2d 156, 157 n.2 (2d Cir. 1982) ("We seriously
question whether, in the absence of seizure of some unique property or privileged documents, a party
could ever demonstrate irreparable harm [justifying jurisdiction] when the Government either provides
the party with copies of the items seized or returns the originals to the party and presents the copies to
the jury.").
Second, courts that reach the merits generally find that the government's interest in the computer
equipment outweighs the defendant's so long as a criminal prosecution or forfeiture proceeding is in the
works. See United States v. Stowe, 1996 WL 467238 (N.D. Ill. 1996) (continued retention of computer
equipment is reasonable after 18 months where government claimed that investigation was ongoing and
defendant failed to articulate his need for the equipment's return); In the Matter of Search Warrant for
K-Sports Imports, Inc., 163 F.R.D. 594, 597 (C.D. Cal. 1995) (denying motion for return of computer
records relating to pending forfeiture proceedings). See also Johnson v. United States, 971 F. Supp. 862,
868 (D.N.J. 1997) (denying Rule 41(e) motion to return bank's computer tapes because bank was no
longer an operating business). If the government does not plan to use the computers in further
proceedings, however, the computer equipment must be returned. See United States v. Moore, 188 F.3d
516, 1999 WL 650568, at *6 (9th Cir. 1999) (unpublished) (ordering return of computer where the
government's need for retention of the computer for use in another proceeding now appears . . .
remote); K-Sports Imports, Inc., 163 F.R.D. at 597. Further, a court may grant a Rule 41(e) motion if
the defendant cannot operate his business without the seized computer equipment and the government
can work equally well from a copy of the seized files. See United States v. Bryant, 1995 WL 555700, at
*3 (S.D.N.Y. 1995) (referring to magistrate judge's prior unpublished ruling ordering the return of
computer equipment, and stating that the Magistrate Judge found that defendant needed this machinery
to operate his business).
III. THE ELECTRONIC COMMUNICATIONS PRIVACY ACT
A. Introduction
ECPA regulates how the government can obtain stored account information from network service
providers such as ISPs. Whenever agents or prosecutors seek stored e-mail, account records, or
subscriber information from a network service provider, they must comply with ECPA. The
practical effect of ECPA's classifications can be understood most easily using a chart such as the
one that appears in Part F of this chapter.
The stored communication portion of the Electronic Communications Privacy Act (ECPA), 18
U.S.C. §§ 2701-11, creates statutory privacy rights for customers and subscribers of computer network
service providers.
In a broad sense, ECPA exists largely to fill in the gaps left by the uncertain application of
Fourth Amendment protections to cyberspace. To understand these gaps, consider the legal protections
we have in our homes. The Fourth Amendment clearly protects our homes in the physical world: absent
special circumstances, the government must first obtain a warrant before it searches there. When we use
a computer network such as the Internet, however, we do not have a physical home. Instead, the
closest most users have to a home is a network account consisting of a block of computer memory
allocated to them but owned by a network service provider such as America Online. If law enforcement
investigators need the contents of a network account or information about how it is used, they do not
need to go to the user to get that information. Instead, the government can go to the network provider
and obtain the information directly from the provider. Although the Fourth Amendment generally
requires the government to obtain a warrant to search a home, it does not require the government to
obtain a warrant to obtain the stored contents of a network account. Instead, the Fourth Amendment
generally permits the government to issue a subpoena to a network provider ordering the provider to
divulge the contents of an account.12 ECPA addresses this inequality by offering network account
holders a range of statutory privacy rights against access to stored account information held by network
service providers.
Because ECPA is an unusually complicated statute, it can be helpful when approaching the statute
for the first time to understand the intent of its drafters. The structure of ECPA reflects a series of
classifications that indicate the drafters' judgments about what kinds of information implicate greater or
lesser privacy interests. For example, the drafters saw different privacy interests at stake in stored
e-mails than in subscriber account information. Similarly, the drafters believed that computing services
available to the public required more strict regulation than services that are not available to the public.
Perhaps this judgment reflects the reality that providers available to the public are not likely to have
close relationships with their customers, and therefore might have less incentive to protect their
customers' privacy. To protect the array of privacy interests identified by its drafters, ECPA offers
varying degrees of legal protection depending on the perceived seriousness of the privacy interest
involved. Some information can be obtained from providers with a mere subpoena; other information
requires a special court order; and still other information requires a search warrant. In theory, the
greater the privacy interest, the greater the privacy protection.
Navigating through ECPA requires agents and prosecutors to apply the various classifications
devised by ECPA's drafters to the facts of each case before they can figure out the proper procedure for
obtaining the information sought. First, they must classify the network services provider (e.g., does the
provider provide "electronic communication service," "remote computing service," or neither). Next,
they must classify the information sought (e.g., is the information content in electronic storage,
content held by a remote computing service, a record . . . pertaining to a subscriber, or basic
subscriber information). Third, they must determine whether they are seeking to compel disclosure, or
seeking to accept information disclosed voluntarily by the provider. If they seek compelled disclosure,
they need to determine whether they need a search warrant, a 2703(d) court order, or a subpoena to
compel the disclosure. If they are seeking to accept information voluntarily disclosed, they must
determine whether the statute permits the disclosure. The chart contained in Part F of this chapter
provides a useful way to apply these distinctions in practice.
The organization of this chapter will follow ECPA's various classifications. Part B explains how
agents and prosecutors can classify providers, so as to distinguish providers of electronic
communications service from providers of remote computing service. Part C explains the different
kinds of information that providers can divulge, such as content in electronic storage and records . . .
pertaining to a subscriber. Part D explains the legal process that agents and prosecutors must follow to
compel a provider to disclose information. Part E looks at the flip side of this problem, and explains
when providers may voluntarily disclose account information. A summary chart appears in Part F. The
chapter ends with two additional sections. Part G discusses three important issues that may arise when
agents obtain records from network providers: steps to preserve evidence, steps to prevent disclosure to
subjects, and possible conflicts between ECPA and the Cable Act. Finally, Part H discusses the
remedies that courts may impose following violations of ECPA.
B. Providers of Electronic Communication Service vs. Remote Computing Service
ECPA classifies providers covered by the statute into “provider[s] of electronic communication
service” and “provider[s] of remote computing service.” To understand these terms, it helps to recall
the era in which ECPA was drafted. In the mid-1980s, network account holders generally used
third-party network service providers for two reasons. First, account holders used their accounts to send
and receive communications such as e-mail. The use of computer networks to communicate prompted
privacy concerns because in the course of sending and retrieving messages, it was common for several
computers to copy the messages and store them temporarily. Copies that were created by these
providers of “electronic communications service” and placed in a temporary “electronic storage” in the
course of transmission sometimes stayed on a provider's computer for several months. See H.R. Rep.
No. 99-647, at 22 (1986).
The second reason account holders used network service providers was to outsource tasks. For
example, users paid to have remote computers store extra files, or process large amounts of data. When
users hired such commercial “remote computing services” to perform tasks for them, they would send a
copy of their private communications to a third-party computing service, which retained the data for
later reference. Remote computing services raised privacy concerns because the service providers often
retained copies of their customers' files. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N.
3555, 3557.
ECPA protects communications held by providers of electronic communication service when those
communications are in “electronic storage,” as well as communications held by providers of remote
computing service. To that end, the statute defines “electronic communication service,” “electronic
storage,” and “remote computing service” in the following way:
Electronic communication service
An electronic communication service (ECS) is “any service which provides to users thereof the
ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). For example,
“telephone companies and electronic mail companies” generally act as providers of electronic
communication services. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3568.
See Jessup-Morgan v. America Online, Inc., 20 F. Supp.2d 1105, 1108 (E.D. Mich. 1998) (America
Online); FTC v. Netscape Communications Corp., 196 F.R.D. 559 (N.D. Cal. 2000) (Netscape).
The legislative history and case law construing the definition of ECS indicate that whether a
company provides ECS is highly contextual. The central issue is the company's role in providing the
ability to send or receive the precise communication at issue, regardless of the company's primary
business. See H.R. Rep. No. 99-647, at 65 (1986). Any company or government entity that provides
others with means of communicating electronically can be a “provider of electronic communications
service” relating to the communications it provides, even if providing communications service is merely
incidental to the provider's primary function. See Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D.
Nev. 1996) (city that provided pager service to its police officers can be a provider of electronic
communication service); Lopez v. First Union Nat'l Bank, 129 F.3d 1186 (11th Cir. 1997) (bank that
provides electronic funds transfers can be a provider of electronic communication service). Cf. United
States v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993) (airline that provides travel agents with
computerized travel reservation system accessed through separate computer terminals can be a provider
of electronic communication service).
Conversely, a service cannot provide ECS with respect to a communication if the service did not
provide the ability to send or receive that communication. See Sega Enterprises Ltd. v. MAPHIA, 948 F.
Supp. 923, 930-31 (N.D. Cal. 1996) (video game manufacturer that accessed private e-mail stored on
another company's bulletin board service in order to expose copyright infringement was not a provider
of electronic communication service); State Wide Photocopy v. Tokai Fin. Servs. Inc., 909 F. Supp. 137,
145 (S.D.N.Y. 1995) (financing company that used fax machines and computers but did not provide the
ability to send or receive communications was not provider of electronic communication service).
Electronic storage
18 U.S.C. § 2510(17) defines “electronic storage” as “any temporary, intermediate storage of a
wire or electronic communication incidental to the electronic transmission thereof,” and “any storage of
such communication by an electronic communication service for purposes of backup protection of such
communication.” The mismatch between the common sense meaning of “electronic storage” and its
very particular definition has been a source of considerable confusion. It cannot be overemphasized that
“electronic storage” refers only to temporary storage, made in the course of transmission, by a provider
of electronic communication service.
To determine whether a communication is in “electronic storage,” it helps to identify the
communication's final destination. A copy of a communication is in “electronic storage” only if it is a
copy of a communication created at an intermediate point that is designed to be sent on to its final
destination. For example, e-mail that has been received by a recipient's service provider but has not yet
been accessed by the recipient is in “electronic storage.” See Steve Jackson Games, Inc. v. United States
Secret Service, 36 F.3d 457, 461 (5th Cir. 1994). At that stage, the copy of the stored communication
exists only as a temporary and intermediate measure, pending the recipient's retrieval of the
communication from the service provider. Once the recipient accesses and retrieves the e-mail,
however, the communication reaches its final destination. If a recipient then chooses to retain a copy of
the accessed communication on the provider's network, the copy stored on the network is no longer in
“electronic storage” because the retained copy is no longer in “temporary, intermediate storage . . .
incidental to . . . electronic transmission.” § 2510(17). Because the process of transmission to the
intended recipient has been completed, the copy is simply a remotely stored file. See H.R. Rep. No.
99-647, at 64-65 (1986) (noting Congressional intent to treat opened e-mail stored on a server under
provisions relating to remote computing services, rather than provisions relating to services holding
communications “in electronic storage”).
As a practical matter, whether a communication is held in “electronic storage” by a provider
governs whether that service provides ECS with respect to the communication. The two concepts are
coextensive. Only a provider that holds a communication in “electronic storage” can provide ECS with
respect to that communication. Conversely, any stored file held by a provider of ECS must be in
“electronic storage.” If a communication is not in “electronic storage,” the service cannot provide ECS
for that communication. Instead, the service must provide either “remote computing service” (also
known as “RCS,” discussed below), or else neither ECS nor RCS. See discussion infra.
Remote computing service
The term “remote computing service” (RCS) is defined by 18 U.S.C. § 2711(2) as “provision to
the public of computer storage or processing services by means of an electronic communications
system.” An “electronic communications system” is “any wire, radio, electromagnetic, photooptical or
photoelectronic facilities for the transmission of electronic communications, and any computer facilities
or related electronic equipment for the electronic storage of such communications.” 18 U.S.C. §
2510(14).
Roughly speaking, a remote computing service is provided by an off-site computer that stores or
processes data for a customer. See 1986 U.S.C.C.A.N. 3555, 3564-65. For example, a service provider
that processes data in a time-sharing arrangement provides an RCS. See H.R. Rep. No. 99-647, at 23
(1986). A mainframe computer that stores data for future retrieval also provides an RCS. See Steve
Jackson Games, Inc. v. United States Secret Service, 816 F. Supp. 432, 443 (W.D. Tex. 1993) (holding
that provider of bulletin board services was a remote computing service). In contrast with a provider of
ECS, a provider of RCS acts in a two-way capacity with the customer. Files held by a provider of RCS
are not on their way to a third intended destination; instead, they are stored or processed by the provider
for the convenience of the account holder. Accordingly, files held by a provider acting as an RCS
cannot be in “electronic storage” according to § 2510(17).
Under the definition provided by § 2711(2), a service can only be a “remote computing service” if
it is available to the public. Services are available to the public if they may be accessed by any user
who complies with the requisite procedures and pays any requisite fees. For example, America Online
is a provider to the public: anyone can obtain an AOL account. (It may seem odd at first that a service
can charge a fee but still be considered available “to the public,” but this mirrors commercial
relationships in the physical world. For example, movie theaters are open “to the public” because
anyone can buy a ticket and see a show, even though tickets are not free.) In contrast, providers whose
services are open only to those with a special relationship with the provider are not available to the
public. For example, employers may offer network accounts only to employees. See Andersen
Consulting LLP v. UOP, 991 F. Supp. 1041, 1043 (N.D. Ill. 1998) (interpreting the “providing . . . to the
public” clause in § 2702(a) to exclude an internal e-mail system that was provided to a hired contractor
but was not available to any member of the community at large). Such providers cannot provide
remote computing service because their network services are not available to the public.
• Whether a provider is a provider of “electronic communication service,” a provider of “remote
computing service,” or neither depends on the nature of the particular communication sought.
For example, a single provider can simultaneously provide “electronic communication service”
with respect to one communication and “remote computing service” with respect to another
communication.
An example can illustrate how these principles work in practice. Imagine that Joe sends an e-mail
from his account at work (joe@goodcompany.com) to the personal account of his friend Jane
(jane@localisp.com). The e-mail will stream across the Internet until it reaches the servers of Jane's
Internet service provider, here the fictional LocalISP. When the message first arrives at LocalISP,
LocalISP is a provider of ECS with respect to that message. Before Jane accesses LocalISP and
retrieves the message, Joe's e-mail is in “electronic storage.” See Steve Jackson Games, Inc. v. United
States Secret Service, 36 F.3d 457, 461 (5th Cir. 1994). Once Jane retrieves Joe's e-mail, she can either
delete the message from LocalISP's server, or else leave the message stored there. If Jane chooses to
store the e-mail with LocalISP, LocalISP is now a provider of RCS with respect to the e-mail sent by
Joe, not a provider of ECS. The role of LocalISP has changed from a transmitter of Joe's e-mail to a
storage facility for the file on LocalISP's server. Joe's e-mail is now simply a file stored remotely for
Jane by an RCS, in this case LocalISP. See H.R. Rep. No. 99-647, at 64-65 (1986) (noting
Congressional intent to treat opened e-mail stored on a server under provisions relating to remote
computing services, rather than services holding communications “in electronic storage”).
Next imagine that Jane responds to Joe's e-mail. Jane's return e-mail to Joe will stream across the
Internet to the servers of Joe's employer, Good Company. Before Joe retrieves the e-mail from Good
Company's servers, Good Company is a provider of ECS with respect to Jane's e-mail (just like
LocalISP was with respect to Joe's original e-mail before Jane accessed it). When Joe accesses Jane's
e-mail message and the communication reaches its destination (Joe), Good Company ceases to be a
provider of ECS with respect to that e-mail (just like LocalISP ceased to be a provider of ECS with
respect to Joe's original e-mail when Jane accessed it). Now for a more difficult question: what is the
status of Good Company if Joe decides to store the opened e-mail on Good Company's server? The
correct answer is that Good Company is now a provider of neither ECS nor RCS. Good Company does
not provide RCS because unlike LocalISP, Good Company does not provide services to the public. See
18 U.S.C. § 2711(2) (“[T]he term ‘remote computing service’ means the provision to the public of
computer storage or processing services by means of an electronic communications system.”) (emphasis
added); Andersen Consulting, 991 F. Supp. at 1043. Because Good Company provides neither ECS nor
RCS with respect to the opened return e-mail in Joe's account, ECPA no longer regulates access to this
e-mail, and such access is governed solely by the Fourth Amendment. Functionally speaking, Good
Company has 'dropped out' of ECPA with respect to the opened return e-mail in Joe's account.
Finally, imagine that both Joe and Jane decide to download copies of each other's e-mails. Jane
downloads a copy of Joe's e-mail from LocalISP's server to her personal computer at home, and Joe
downloads a copy of Jane's e-mail from Good Company's server to his office desktop computer at
work. At this point, ECPA's treatment of the copies of the e-mails that remain on the servers is
unchanged: LocalISP continues to provide RCS with respect to the copy of Joe's e-mail stored in Jane's
account on LocalISP's server, and Good Company still provides neither RCS nor ECS with respect to
Jane's e-mail stored in Joe's account on Good Company's server. But what about the copies of the
e-mails now stored on Jane's computer at home and Joe's desktop computer at work? ECPA governs
neither. Although these computers contain copies of e-mails, these copies are not stored on the server of
a third-party provider of RCS or ECS, and therefore ECPA does not apply. Access to the copies of the
communications stored in Jane's personal computer at home and Joe's office computer at work is
governed solely by the Fourth Amendment. See generally Chapters 1 and 2.
As this example indicates, a single provider can simultaneously provide RCS with regard to some
communications, ECS with regard to others, and neither ECS nor RCS with regard to others. As a
practical matter, however, agents do not need to grapple with these difficult issues in most cases.
Instead, agents can simply draft the appropriate order based on the information they seek. For example,
if the police suspect that Jane and Joe have conspired to commit a crime, the police might seek an order
compelling LocalISP to divulge all files in Jane's account except for those in “electronic storage.” In
plain English, this is equivalent to asking for all of Jane's opened e-mails and stored files. Alternatively,
the police might seek an order compelling Good Company to disclose files “in electronic storage” in
Joe's account. This is equivalent to asking for unopened e-mails in Joe's account. A helpful chart
appears in Part F of this chapter. Sample language that may be used appears in Appendices B, E, and F.
C. Classifying Types of Information Held by Service Providers
Network service providers can store different kinds of information relating to an individual
customer or subscriber. Consider the case of the e-mail exchange between Joe and Jane discussed
above. Jane's service provider, LocalISP, probably has access to a range of information about Jane and
her account. For example, LocalISP may have opened and unopened e-mails; account logs that reveal
when Jane logged on and off LocalISP; Jane's credit card information for billing purposes; and Jane's
name and address. When agents and prosecutors wish to obtain such records, they must be able to
classify these types of information using the language of ECPA. ECPA breaks the information down
into three categories: basic subscriber information listed in 18 U.S.C. § 2703(c)(1)(C); “record[s] or
other information pertaining to a subscriber to or customer of [the] service;” and “contents.”
1. Basic Subscriber Information Listed in 18 U.S.C. § 2703(c)(1)(C)
18 U.S.C. § 2703(c)(1)(C) lists the types of information in the first category:
the name, address, local and long distance telephone toll billing records, telephone number
or other subscriber number or identity, and length of service of a subscriber to or customer
of such service and the types of services the subscriber or customer utilized[.]
With the exception of “name” and “address,” the categories listed in § 2703(c)(1)(C) can be
difficult to translate into the present world of computer network accounts. The form and substance of
the information that providers retain can change rapidly as technology advances. In general, however,
investigators should resist the temptation to adopt overly broad interpretations of the ambiguous terms in
§ 2703(c)(1)(C). With one exception, all of the items in this list relate solely to the identity of the
subscriber and his relationship with the provider. See Jessup-Morgan v. America Online, Inc., 20 F.
Supp.2d 1105, 1108 (E.D. Mich. 1998) (describing § 2703(c)(1)(C) information as “information
identifying an . . . account customer”). The exception, telephone toll billing records, appears on the list
of basic subscriber information mostly for historical reasons: the items listed in § 2703(c)(1)(C) may be
obtained with a subpoena, and telephone toll billing records have traditionally been obtained using a
subpoena. See, e.g., United States v. Cohen, 15 F.R.D. 269, 273 (S.D.N.Y. 1953). While the exact
contours of § 2703(c)(1)(C) will remain ambiguous until the courts begin interpreting its language,
investigators should not use this ambiguity to avoid obtaining more rigorous court orders required by
ECPA to obtain most transactional information.
2. Records or Other Information Pertaining to a Customer or Subscriber
18 U.S.C. § 2703(c)(1)(A)-(B) covers a second type of information: “a record or other information
pertaining to a subscriber to or customer of such service (not including the contents of
communications . . . . ).” This is a catch-all category that includes all records that are not contents,
including basic subscriber information.
Common examples of “record[s] . . . pertaining to a subscriber” include transactional records, such
as account logs that record account usage; cell-site data for cellular telephone calls; and e-mail addresses
of other individuals with whom the account holder has corresponded. See H.R. Rep. No. 103-827, at 10,
17, 31 (1994), reprinted in 1994 U.S.C.C.A.N. 3489, at 3490, 3497, 3511; United States v. Allen, 53
M.J. 402, 409 (C.A.A.F. 2000) (concluding that “a log identifying the date, time, user, and detailed
internet address of sites accessed” by a user constituted “a record or other information pertaining to a
subscriber or customer of such service” under ECPA). See also Hill v. MCI Worldcom, 120 F. Supp.2d
1194, 1196 (S.D. Iowa 2000) (concluding that “invoice/billing information and the names, addresses,
and phone numbers of parties . . . called” constituted “a record or other information pertaining to a
subscriber or customer of such service” under § 2703(c)(1)(A) for a telephone account). According to
the legislative history that accompanied § 2703(c)(1)(A)-(B), the purpose of separating the information
listed in § 2703(c)(1)(C) from other records described in § 2703(c)(1)(A)-(B) was to distinguish basic
subscriber information from more revealing transactional information that could contain a person's
entire on-line profile. 1994 U.S.C.C.A.N. at 3497, 3511.
3. Contents
The contents of a network account are the actual files stored in the account. See 18 U.S.C. §
2510(8) (“‘contents,’ when used with respect to any wire, oral, or electronic communication, includes any
information concerning the substance, purport, or meaning of that communication”). For example,
stored e-mails are “contents,” as are word processing files stored in employee network accounts. The
subject headers of e-mails are also contents, as they often include messages. Cf. Brown v. Waddell, 50
F.3d 285, 292 (4th Cir. 1995) (noting that numerical pager messages provide “an unlimited range of
number-coded substantive messages” in the course of holding that the interception of pager messages
requires compliance with Title III).
Contents can be further divided into three subcategories: contents stored “in electronic storage” by
providers of electronic communication service; contents stored by providers of remote computing
services; and contents stored by providers who provide neither electronic communications service nor
remote computing service. The distinctions among these types of content are discussed in Part B, supra.
D. Compelled Disclosure Under ECPA
The compelled disclosure provisions of ECPA appear in 18 U.S.C. § 2703. Section 2703
articulates the steps that the government must take to compel providers to disclose the contents of stored
electronic communications such as e-mail, as well as other information such as account records and
basic subscriber information. (Notably, § 2703 does not regulate the compelled disclosure of stored
wire communications, such as stored voicemail. Instead, the compelled disclosure of stored wire
communications held by a provider is governed by Title III, 18 U.S.C. §§ 2510-22. The distinction
between wire communications and electronic communications, as well as the reason for treating stored
wire communications differently than stored electronic communications, is discussed in Chapter 4, Part
C, Section 2, infra.)
Section 2703 offers five mechanisms that a “government entity” can use to compel a provider to
disclose certain kinds of information. Each mechanism requires a different threshold showing. The five
mechanisms, ranking in ascending order of the threshold showing required, are as follows:
1) Subpoena
2) Subpoena with prior notice to the subscriber or customer
3) § 2703(d) court order
4) § 2703(d) court order with prior notice to the subscriber or customer
5) Search warrant
One feature of the compelled disclosure provisions of ECPA is that greater process generally
includes access to information that can be obtained with lesser process. Thus, a § 2703(d) court order
can compel everything that a subpoena can compel (plus additional information), and a search warrant
can compel the production of everything that a § 2703(d) order can compel (and then some). As a
result, agents generally can opt to pursue a higher threshold instead of a lower one. The additional work
required to satisfy a higher threshold will often be justified, both because it can authorize a broader
disclosure and because pursuing a higher threshold provides extra insurance that the process complies
fully with the statute.
1. Subpoena
• Investigators can subpoena basic subscriber information.
ECPA permits the government to compel two kinds of information using a subpoena. First, the
government may compel the disclosure of the basic subscriber information listed in 18 U.S.C. §
2703(c)(1)(C):
the name, address, local and long distance telephone toll billing records, telephone number
or other subscriber number or identity, and length of service of a subscriber to or customer
of such service and the types of services the subscriber or customer utilized[.]
See 18 U.S.C. § 2703(c)(1)(C).
Agents can also use a subpoena to obtain information that is outside the scope of ECPA. The
hypothetical e-mail exchange between Jane and Joe discussed in Part B of this chapter provides a useful
example. In that example, Joe retrieved Jane's e-mail from the server of his employer Good Company,
and opted to retain a copy of the communication on Good Company's server. At that point, Good
Company provided neither “remote computing service” nor “electronic communication service” with
respect to that communication, because the communication had reached its destination and Good
Company did not provide services to the public. See Part B, supra. Accordingly, § 2703 does not
impose any requirements on its disclosure, and investigators can issue a subpoena compelling Good
Company to divulge the communication just as they would if ECPA did not exist. Similarly,
information relating or belonging to a person who is neither a “customer” nor a “subscriber” is not
protected by ECPA, and may be obtained using a subpoena according to the same rationale. Cf.
Organizacion JD Ltda. v. United States Department of Justice, 124 F.3d 354, 359-61 (2d Cir. 1997)
(discussing the scope of the word “customer” as used in ECPA).
The legal threshold for issuing a subpoena is low. See United States v. Morton Salt Co., 338 U.S.
632, 642-43 (1950). Of course, evidence obtained in response to a federal grand jury subpoena must be
protected from disclosure pursuant to Fed. R. Crim. P. 6(e). Subpoenas other than federal
grand jury subpoenas may also be used to obtain disclosure pursuant to 18 U.S.C. § 2703(c)(1)(C): any
federal or state grand jury or trial subpoena will suffice, as will an administrative subpoena authorized
by a federal or state statute. See 18 U.S.C. § 2703(c)(1)(C). For example, subpoenas authorized by
§ 6(a)(4) of the Inspector General Act may be used. See 5 U.S.C. app. However, at least one court has held
that a pre-trial discovery subpoena issued in a civil case pursuant to Fed. R. Civ. P. 45 is inadequate. See
FTC v. Netscape Communications Corp., 196 F.R.D. 559 (N.D. Cal. 2000). Sample subpoena language
appears in Appendix E.
2. Subpoena with Prior Notice to the Subscriber or Customer
• Investigators can subpoena opened e-mail from a provider if they comply with the notice
provisions of § 2703(b)(1)(B) and § 2705.
Agents who obtain a subpoena, and either give prior notice to the subscriber or else comply with
the delayed notice provisions of § 2705, may obtain:
1) everything that can be obtained using a subpoena without notice;
2) “the contents of any electronic communication” held by a provider of remote computing
service “on behalf of . . . a customer or subscriber of such remote computing service.” 18
U.S.C. § 2703(b)(1)(B)(i), § 2703(b)(2); and
3) “the contents of any electronic communication that has been in electronic storage in an
electronic communications system for more than one hundred and eighty days.” 18 U.S.C. §
2703(a).
As a practical matter, this means that agents can obtain opened e-mail and other stored electronic
communications not in electronic storage 180 days or less using a subpoena, so long as they comply
with ECPA's notice provisions. See H.R. Rep. No. 99-647, at 64-65 (1986).
In general, the notice provisions can be satisfied by giving the customer or subscriber “prior
notice” of the disclosure. See 18 U.S.C. § 2703(b)(1)(B). However, 18 U.S.C. § 2705(a)(1)(B) and §
2705(a)(4) permit notice to be delayed for successive 90-day periods upon the execution of a written
certification of a supervisory official that there is reason to believe that notification of the existence of
the subpoena may have an adverse result. 18 U.S.C. § 2705(a)(1)(B). Both “supervisory official” and
“adverse result” are specifically defined terms for the purpose of delaying notice. See § 2705(a)(2)
(defining “adverse result”); § 2705(a)(6) (defining “supervisory official”). Although prior notice serves
important constitutional values, this provision of ECPA provides a permissible way for agents to delay
notice when notice would jeopardize a pending investigation or endanger the life or physical safety of an
individual. Cf. United States v. Donovan, 429 U.S. 413, 429 n. 19 (1977) (noting that delayed notice
provisions of Title III satisfy constitutional requirements). Upon expiration of the delayed notice
period, the statute requires the government to send a copy of the request or process along with a letter
explaining the delayed notice to the customer or subscriber. See 18 U.S.C. § 2705(a)(5).
ECPA's provision allowing for opened e-mail to be obtained using a subpoena combined with
prior notice to the subscriber appears to derive from Supreme Court case law interpreting the Fourth and
Fifth Amendments. See Clifford S. Fishman & Anne T. McKenna, Wiretapping and Eavesdropping §
26:9, at 26-12 (2d ed. 1995). When an individual gives paper documents to a third party such as an
accountant, the government may subpoena the paper documents from the third party without running
afoul of either the Fourth or Fifth Amendment. See United States v. Couch, 409 U.S. 322 (1973)
(rejecting Fourth and Fifth Amendment challenges to subpoena served on defendant's accountant for the
accountant's business records stored with the accountant). In allowing the government to subpoena
opened e-mail, Congress seems to have concluded that by “renting” computer storage space with a
remote computing service, a customer places himself in the same situation as one who gives business
records to an accountant or attorney. Fishman & McKenna, § 26:9, at 26-13.
3. Section 2703(d) Order
• Agents need a § 2703(d) court order to obtain account logs and other transactional records.
Agents who obtain a court order under 18 U.S.C. § 2703(d) may obtain:
1) anything that can be obtained using a subpoena without notice; and
2) all “record[s] or other information pertaining to a subscriber to or customer of such
service (not including the contents of communications [held by providers of electronic
communications service and remote computing service]).” 18 U.S.C. § 2703(c)(1)(B).
A court order authorized by 18 U.S.C. § 2703(d) may be issued by any federal magistrate, district
court or equivalent state court judge. See 18 U.S.C. § 2703(d). To obtain such an order, known as an
“articulable facts” court order or simply a “d” order,
the governmental entity [must] offer[] specific and articulable facts showing that there are
reasonable grounds to believe that the contents of a wire or electronic communication, or
the records or other information sought, are relevant and material to an ongoing criminal
investigation.
This standard does not permit law enforcement merely to certify that it has specific and articulable
facts that would satisfy such a showing. Rather, the government must actually offer those facts to the
court in the application for the order. See United States v. Kennedy, 81 F. Supp.2d 1103, 1109-11 (D.
Kan. 2000) (concluding that a conclusory application for a § 2703(d) order did not meet the
requirements of the statute). The House Report that accompanied the passage of § 2703(d) included
the following analysis:
This section imposes an intermediate standard to protect on-line transactional records. It is a
standard higher than a subpoena, but not a probable cause warrant. The intent of raising the
standard for access to transactional data is to guard against "fishing expeditions" by law
enforcement. Under the intermediate standard, the court must find, based on law
enforcement's showing of facts, that there are specific and articulable grounds to believe
that the records are relevant and material to an ongoing criminal investigation.
H.R. Rep. No. 102-827, at 31 (1994), reprinted in 1994 U.S.C.C.A.N. 3489, 3511 (quoted in full in
Kennedy, 81 F. Supp.2d at 1109 n.8). As a practical matter, a one- to three-page factual summary of the
investigation and the role that the records will serve in advancing the investigation usually satisfies this
criterion. A more in-depth explanation may be necessary in particularly complex cases. A sample §
2703(d) application and order appears in Appendix B.
Section 2703(d) orders are nationwide in scope, much like subpoenas. ECPA permits judges to
enter § 2703(d) orders compelling providers to disclose information even if the judges do not sit in the
district in which the information is stored. See 18 U.S.C. § 2703(d) (stating that "any court that is a
court of competent jurisdiction described in [18 U.S.C.] section 3127(2)(A)" may issue a § 2703(d)
order) (emphasis added); 18 U.S.C. § 3127(2)(A) (defining "court of competent jurisdiction" as a
district court of the United States (including a magistrate of such a court) or a United States Court of
Appeals). In contrast, the statutes and rules governing search warrants, Title III orders, and pen/trap
orders contain express geographical limitations. See Fed. R. Crim. P. 41(a) (permitting magistrate
judges to issue search warrants for a search of property . . . within the district); 18 U.S.C. § 2518(3)
(authorizing judges to enter a Title III order permitting the interception of communications within the
territorial jurisdiction of the court in which the judge is sitting); 18 U.S.C. § 3123(a) (authorizing courts
to permit the installation of pen/trap devices within the jurisdiction of the court).
4. § 2703(d) Order with Prior Notice to the Subscriber or Customer
Investigators can obtain everything in an account except for unopened e-mail stored with the ISP
for 180 days or less and voicemail using a § 2703(d) court order that complies with the notice
provisions.
Agents who obtain a court order under 18 U.S.C. § 2703(d), and either give prior notice to the
subscriber or else comply with the delayed notice provisions of § 2705, may obtain:
1) everything that can be obtained using a § 2703(d) court order without notice; and
2) "the contents of any electronic communication" held by a provider of remote computing
service "on behalf of . . . a customer or subscriber of such remote computing service." 18
U.S.C. § 2703(b)(1)(B)(ii), § 2703(b)(2).
As a practical matter, this means that the government can obtain the full contents of a subscriber's
account except unopened e-mail (which has been in "electronic storage" 180 days or less) using a §
2703(d) order that complies with the prior notice provisions of § 2703(b)(1)(B).
Although prior notice serves important constitutional values, agents can obtain an order delaying
notice for up to ninety days when notice would seriously jeopardize the investigation. See 18 U.S.C. §
2705(a). In such cases, agents generally will obtain this order by including an appropriate request in the
agents' 2703(d) application and proposed order; sample language appears in Appendix B. Agents may
also apply for successive renewals of the delayed notice, but must apply to the court for extensions. See
18 U.S.C. § 2705(a)(1)(A), § 2705(a)(4). The legal standards for obtaining a court order delaying notice
mirror the standards for certified delayed notice by a supervisory official. The applicant must satisfy the
court that "there is reason to believe that notification of the existence of the court order may . . .
endanger[] the life or physical safety of an individual; [lead to] flight from prosecution; [lead to]
destruction of or tampering with evidence; [lead to] intimidation of potential witnesses; or . . . otherwise
seriously jeopardiz[e] an investigation or unduly delay[] a trial." 18 U.S.C. § 2705(a)(1)(A), § 2705(a)(2).
Importantly, the applicant must satisfy this standard anew every time the applicant seeks an
extension of the delayed notice.
5. Search Warrant
Investigators can obtain the full contents of an account (except for voicemail in electronic
storage) with a search warrant. ECPA does not require the government to notify the customer
or subscriber when it obtains information from a provider using a search warrant.
Agents who obtain a search warrant under Rule 41 of the Federal Rules of Criminal Procedure or
an equivalent state warrant may obtain:
1) everything that can be obtained using a § 2703(d) court order with notice; and
2) "the contents of an electronic communication, that is in electronic storage in an
electronic communications system for one hundred and eighty days or less." 18 U.S.C. §
2703(a).
In other words, agents can obtain every record and all of the contents of an account (except for
voicemail in "electronic storage," see Chapter 4, Part C, Section 2, infra.) by obtaining a search warrant
based on probable cause pursuant to Fed. R. Crim. P. 41. The search warrant can then be served on the
service provider and compels the provider to divulge the information described in the search warrant to
law enforcement. Notably, obtaining a search warrant obviates the need to comply with the notice
provisions of § 2705. See 18 U.S.C. § 2703(b)(1)(A). Moreover, because the warrant is issued by a
neutral magistrate based on probable cause, obtaining a search warrant effectively insulates the process
from challenge under the Fourth Amendment.
As a practical matter, § 2703(a) search warrants are obtained just like Rule 41 search warrants, but
are usually served like subpoenas. As with a typical Rule 41 warrant, investigators must draft an
affidavit and a proposed warrant that complies with Rule 41. See 18 U.S.C. § 2703(a). Once a
magistrate judge signs the warrant, however, investigators ordinarily do not themselves search through
the provider's computers in search of the materials described in the warrant. Instead, investigators bring
the warrant to the provider, and the provider produces the material described in the warrant.
E. Voluntary Disclosure
The voluntary disclosure provisions of ECPA appear in 18 U.S.C. § 2702 and § 2703(c). These
statutes govern when a provider of RCS or ECS can disclose contents and other information voluntarily,
both to the government and non-government entities. If the provider may disclose the information to the
government and is willing to do so voluntarily, law enforcement ordinarily does not need to obtain a
legal order to compel the disclosure. If the provider either may not or will not disclose the information,
agents must comply with the compelled disclosure provisions and obtain the appropriate legal orders.
1. Contents
Providers of services not available "to the public" may freely disclose the contents of stored
communications. Providers of services to the public may disclose the contents of stored
communications only in certain situations.
When considering whether a provider of RCS or ECS can disclose contents, the first question
agents must ask is whether the services offered by the provider are available to the public. If the
provider does not provide services "to the public," then ECPA does not place any restrictions on the
disclosure of contents. See 18 U.S.C. § 2702(a). For example, in Andersen Consulting v. UOP, 991 F.
Supp. 1041 (N.D. Ill. 1998), the petroleum company UOP hired the consulting firm Andersen
Consulting and gave Andersen employees accounts on UOP's computer network. After the relationship
between UOP and Andersen soured, UOP disclosed to the Wall Street Journal e-mails that Andersen
employees had left on the UOP . Andersen sued, claiming that the disclosure of its contents by the
provider UOP had violated ECPA. The district court rejected the suit on the ground that UOP did not
provide an electronic communications service to the public:
[G]iving Andersen access to [UOP's] e-mail system is not equivalent to providing e-mail to
the public. Andersen was hired by UOP to do a project and as such, was given access to
UOP's e-mail system similar to UOP employees. Andersen was not any member of the
community at large, but a hired contractor.
Id. at 1043. Because UOP did not provide services to the public, ECPA did not prohibit disclosure of
contents.
If the services offered by the provider are available to the public, then ECPA forbids the disclosure of
contents unless:
1) the disclosure "may be necessarily incident to the rendition of the service or to the
protection of the rights or property of the provider of that service," § 2702(b)(5);
2) the disclosure is made "to a law enforcement agency . . . if the contents . . . were
inadvertently obtained by the service provider . . . [and] appear to pertain to the commission
of a crime," § 2702(b)(6)(A);
3) the Child Protection and Sexual Predator Punishment Act of 1998, 42 U.S.C. § 13032,
mandates the disclosure, 18 U.S.C. § 2702(b)(6)(B); or
4) the disclosure is made to the intended recipient of the communication, with the consent
of the intended recipient, to a forwarding address, or pursuant to a court order. 18 U.S.C. §
2702(b)(1)-(4). See 18 U.S.C. § 2702.
In general, these exceptions permit disclosure by a provider to the public when the needs of public
safety and service providers outweigh privacy concerns of customers, or else when disclosure is unlikely
to pose a serious threat to privacy interests.
2. Records Other than Contents
The rules for disclosure of non-content records to the government remain hazy.
Whether a provider of RCS or ECS can disclose non-content records depends first on who will
receive the disclosure. ECPA permits providers to disclose "record[s] or other information pertaining to
a subscriber to or customer of such service" voluntarily to anyone outside of the government for any
reason. 18 U.S.C. § 2703(c)(1)(A). The rules permitting the disclosure of non-content records to a
government entity are considerably more narrow, however. For this reason, agents should be extremely
careful when communicating with network service providers in an undercover capacity so as not to
violate ECPA. Likewise, when they are not in an undercover capacity, agents should clearly identify
themselves as law enforcement agents.
On its face, 18 U.S.C. § 2703(c)(1)(B) authorizes the disclosure of "record[s] or other information
pertaining to a subscriber to or customer of such service" to a government entity only when the
government obtains a warrant or § 2703(d) order, the customer or subscriber consents, or the
government submits a formal written request in a telemarketing fraud investigation. 18 U.S.C. § 2703(c)(1)(B).
Read broadly, this might appear to prohibit service providers from disclosing account logs and
basic subscriber information voluntarily. Such a result would defy common sense in many recurring
situations, however. For example, a network provider that is being defrauded by a customer or
subscriber often contacts law enforcement seeking to disclose records of the misuse. This is true both
for government providers such as NASA and DoD and for private providers such as corporations and
universities. A broad reading of 18 U.S.C. § 2703(c)(1)(B)'s prohibition could prohibit these providers
from taking the natural step of disclosing records of the abuse when they are victims. Under this
reading, the provider would be forced to contact law enforcement, and then law enforcement would have
to obtain a § 2703(d) order to "compel" the provider to disclose the records.
There are several reasons to believe that courts will not adopt such a broad reading of § 2703(c)(1)(B),
and will permit providers to disclose non-content records when necessary to protect the rights and
property of the provider. First, courts may rule that the "protection of the rights or property of the
provider" exception that expressly permits providers to disclose stored contents and intercept
communications in transit impliedly covers the disclosure of less sensitive non-content records. See 18
U.S.C. § 2702(b)(5), § 2511(2)(a)(i). The courts have made similar rulings in the context of Title III and
its predecessor statute in order to recognize providers' "fundamental right to take reasonable measures to
protect themselves and their properties against the illegal acts of a trespasser." Bubis v. United States,
384 F.2d 643, 647-648 (9th Cir. 1967) (rejecting a literal interpretation of 47 U.S.C. § 605, the
predecessor to Title III, that would have left communications system providers powerless to take
reasonable measures to protect themselves and their properties against the improper and illegal use of
their facilities.); United States v. Auler, 539 F.2d 642, 646 n.9 (7th Cir. 1976) (stating that when
intercepting the contents of a communication is permitted under Title III, then recording mere pen
register/ trap and trace information relating to the same communication is surely permissible) (citing
United States v. Freeman, 524 F.2d 337, 341 (7th Cir.1975)).
Provider disclosure of non-content records may also be justified in specific situations. For
example, a computer hacker who does not have a legitimate account is not a "customer" or subscriber
of the provider, so that the provider should be able to disclose records "pertaining to" the intruder's
activity without running afoul of ECPA. Cf. Organizacion JD Ltda. v. United States Department of
Justice, 124 F.3d 354, 359-61 (2d Cir. 1997) (concluding that a recipient of an electronic funds transfer
is not a "customer" of the bank who provided the transfer according to ECPA, where the recipient did
not have a legitimate account with the bank). Similarly, the structure of § 2703(c)(1)(A)-(B) suggests
that the prohibition on disclosure of non-contents to a "government entity" might not apply to
disclosures among government entities. Finally, if the provider does not offer services to the public,
the provider cannot be a provider of RCS. If the records do not pertain to communications in
"electronic storage," ECPA may not regulate the provider's disclosure of the records.
The rules for voluntary disclosure of records to the government will remain hazy until the courts
begin interpreting § 2703(c), or until Congress changes the language of the statute. Until that time,
agents should be aware that some courts might rule that voluntary disclosure of records to the
government will violate ECPA even when there are weighty concerns supporting the disclosure. Of
course, agents can avoid this defect by obtaining a § 2703(d) order, search warrant, or the consent of the
customer or subscriber.
F. Quick Reference Guide

| | Voluntary Disclosure Allowed? Public Provider | Voluntary Disclosure Allowed? Non-Public Provider | Mechanisms to Compel Disclosure: Public Provider | Mechanisms to Compel Disclosure: Non-Public Provider |
|---|---|---|---|---|
| Unopened e-mail (in electronic storage 180 days or less) | No, unless § 2702(b) exception applies [§ 2702(a)(1)] | Yes [§ 2702(a)(1)] | Search warrant [§ 2703(a)] | Search warrant [§ 2703(a)] |
| Unopened e-mail (in electronic storage more than 180 days) | No, unless § 2702(b) exception applies [§ 2702(a)(1)] | Yes [§ 2702(a)(1)] | Subpoena with notice; 2703(d) [§ 2703(a,b)] | Subpoena with notice; 2703(d) order with notice; or search warrant [§ 2703(a,b)] |
| Opened e-mail, and other stored files | No, unless § 2702(b) exception applies [§ 2702(a)(2)] | Yes [§ 2702(a)(2) and § 2711(2)] | Subpoena with notice; 2703(d) [§ 2703(b)] | Subpoena; ECPA doesn't apply [§ 2711(2)] |
| Basic subscriber information | No, although exceptions may exist* [§ 2703(c)] | No, although exceptions may exist* [§ 2703(c)] | Subpoena; 2703(d) order; or search warrant [§ 2703(c)(1)(C)] | Subpoena; 2703(d) order; or search warrant [§ 2703(c)(1)(C)] |
| Transactional and other account records | No, although exceptions may exist* [§ 2703(c)] | No, although exceptions may exist* [§ 2703(c)] | 2703(d) order or search warrant [§ 2703(c)(1)(B)] | 2703(d) order or search warrant [§ 2703(c)(1)(B)] |

* See the discussion in Part E(2) above.
G. Working with Network Providers: Preservation of Evidence, Preventing Disclosure to Subjects,
and Cable Act Issues
In general, investigators should communicate with network service providers before issuing
subpoenas or obtaining court orders that compel the providers to disclose information.
Law enforcement officials who procure records under ECPA quickly learn the importance of
communicating with network service providers. This is true because every network provider works
differently. Some providers retain very complete records for a long period of time; others retain few
records, or even none. Some providers can comply easily with law enforcement requests for
information; others struggle to comply with even simple requests. These differences are due to varied
philosophies, resources, hardware and software among network service providers. Because of these
differences, agents often will want to communicate with network providers to learn how the provider
operates before obtaining a legal order that compels the provider to act.
ECPA contains two provisions designed to aid law enforcement officials working with network
service providers. When used properly, these provisions help ensure that providers will not delete
needed records or notify others about the investigation.
1. Preservation of Evidence under 18 U.S.C. § 2703(f)
Agents may make binding requests to providers that they preserve existing records pending the
issuance of more formal legal process. Such requests have no prospective effect, however.
In general, no law regulates how long network service providers must retain account records in the
United States. Some providers retain records for months, others for hours, and others not at all. As a
practical matter, this means that evidence may be destroyed or lost before law enforcement can obtain
the appropriate legal order compelling disclosure. For example, agents may learn of a child
pornography case on Day 1, begin work on a search warrant on Day 2, obtain the warrant on Day 5, and
then learn that the network service provider deleted the records in the ordinary course of business on
Day 3. To minimize this risk, ECPA permits the government to direct providers to "freeze" stored
records and communications pursuant to 18 U.S.C. § 2703(f). Specifically, § 2703(f)(1) states:
A provider of wire or electronic communication service or a remote computing service,
upon the request of a governmental entity, shall take all necessary steps to preserve records
and other evidence in its possession pending the issuance of a court order or other process.
Section 2703(f) permits law enforcement agents to contact providers and make a binding request
directing the provider to preserve records they have in their possession. While a simple phone call
should be adequate, a fax or an e-mail is better because it both provides a paper record and guards
against miscommunication. Upon receipt of the government's request, the provider must retain the
records for 90 days, renewable for another 90-day period upon a renewed government request. See 18
U.S.C. § 2703(f)(2). A sample 2703(f) letter appears in Appendix C.
Agents who send 2703(f) letters to network service providers should be aware of two limitations.
First, the authority to direct providers to preserve records and other evidence is not prospective. That is,
§ 2703(f) letters can order a provider to preserve records that have already been created, but cannot
order providers to preserve records not yet made. Agents cannot use § 2703(f) prospectively as an "end run"
around the electronic surveillance statutes. If agents want providers to record information about
future electronic communications, they must comply with the electronic surveillance statutes discussed
in Chapter 4.
A second limitation of § 2703(f) is that some providers may be unable to comply effectively with §
2703(f) requests. As of the time of this writing, for example, the software used by America Online
generally requires AOL to reset the password of an account when it attempts to comply with a § 2703(f)
request to preserve stored e-mail. A reset password may well tip off the suspect. As a result, agents
may or may not want to issue 2703(f) letters to AOL or other providers who use similar software,
depending on the facts. The key here is effective communication: agents should communicate with the
network provider before ordering the provider to take steps that may have unintended adverse effects.
Agents simply cannot make informed investigative choices without knowing the provider's particular
practices, strengths, and limitations.
2. Orders Not to Disclose the Existence of a Warrant, Subpoena, or Court Order
18 U.S.C. § 2705(b) states:
A governmental entity acting under section 2703, when it is not required to notify the
subscriber or customer under section 2703(b)(1), or to the extent that it may delay such
notice pursuant to subsection (a) of this section, may apply to a court for an order
commanding a provider of electronic communications service or remote computing service
to whom a warrant, subpoena, or court order is directed, for such period as the court deems
appropriate, not to notify any other person of the existence of the warrant, subpoena, or
court order. The court shall enter such an order if it determines that there is reason to
believe that notification of the existence of the warrant, subpoena, or court order will result
in--
(1) endangering the life or physical safety of an individual;
(2) flight from prosecution;
(3) destruction of or tampering with evidence;
(4) intimidation of potential witnesses; or
(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
18 U.S.C. § 2705(b).
This language permits agents to apply for a court order directing network service providers not to
disclose the existence of compelled process whenever the government itself has no legal duty to notify
the customer or subscriber of the process. If the relevant process is a § 2703(d) order or warrant, agents
can simply include appropriate language in the application and proposed § 2703(d) order or warrant. If
agents instead seek to compel information using a subpoena, they must apply separately for this order.
3. Possible Conflicts with the Cable Act, 47 U.S.C. § 551
Prosecutors and agents should be aware of the potential conflict between § 2703(c)(1) and the
Cable Subscriber Privacy Act (the Cable Act), 47 U.S.C. § 551, when seeking records from a network
service provider that happens also to be a cable television provider. When Congress passed the Cable
Act in 1984 and ECPA in 1986, the two statutory regimes coexisted peacefully. The Cable Act offered
privacy rights for cable television subscribers relating to their cable television service, and ECPA
offered privacy rights to Internet users relating to their Internet service. Today these two services often
converge: many cable providers deliver high-speed Internet access over cable lines. These providers
occasionally have expressed the belief that their provision of Internet service is governed by the Cable
Act rather than ECPA. See, e.g., In Re Application of the United States for an Order Pursuant to 18
U.S.C. 2703(d), 36 F. Supp.2d 430 (D. Mass. 1999). This can prove troublesome for law enforcement,
because the Cable Act permits the government to obtain "personally identifiable information concerning
a cable subscriber" only by overcoming a heavy burden of proof at an in-court adversary proceeding. 47
U.S.C. § 551(h). Such an adversary proceeding would not only tip off the suspect of the investigation,
but would require the government to inform the suspect of the evidence the government has linking the
suspect to the criminal activity. See id. Needless to say, such a rule would block government
investigations in most if not all cases.
Properly construed, the Cable Act should not conflict with ECPA because the two statutes regulate
different services. The Cable Act regulates the provision of cable television service, see H.R. Rep. 98-934,
at 2 (1984), reprinted in 1984 U.S.C.C.A.N. 4655, 4656, and ECPA regulates the provision of
Internet service. When a cable company provides Internet service, it should be bound by the rules that
apply to the provision of Internet service, not the rules that apply to cable television. Cable providers
should not be exempt from ECPA merely because they happen to provide their Internet service over
cable lines. A contrary result would permit privacy rights to hinge upon the corporate identity of the
provider and the means by which it provided the service. This approach would frustrate the design of
both the Cable Act and ECPA to establish uniform national standards for each type of service.
Accordingly, 18 U.S.C. § 2703(c) governs compelled access to records belonging to cable Internet
providers, rather than 47 U.S.C. § 551(h).
Prosecutors and agents who encounter this issue can contact the Computer Crime and Intellectual
Property Section at (202) 514-1026 or their local CTC for additional advice.
H. Remedies
1. Suppression
ECPA does not provide a suppression remedy. See 18 U.S.C. § 2708 ("The [damages] remedies
and sanctions described in this chapter are the only judicial remedies and sanctions for nonconstitutional
violations of this chapter."). Accordingly, nonconstitutional violations of ECPA do not result in
suppression of the evidence. See United States v. Smith, 155 F.3d 1051, 1056 (9th Cir. 1998) ("[T]he
Stored Communications Act expressly rules out exclusion as a remedy"); United States v. Kennedy, 81
F. Supp.2d 1103, 1110 (D. Kan. 2000) ("[S]uppression is not a remedy contemplated under the
ECPA."); United States v. Hambrick, 55 F. Supp.2d 504, 507 (W.D. Va. 1999) ("Congress did not
provide for suppression where a party obtains stored data or transactional records in violation of the
Act."), aff'd, 225 F.3d 656, 2000 WL 1062039 (4th Cir. 2000); United States v. Charles, 1998 WL
204696, at *21 (D. Mass. 1998) ("ECPA provides only a civil remedy for a violation of § 2703");
United States v. Reyes, 922 F. Supp. 818, 837-38 (S.D.N.Y. 1996) ("Exclusion of the evidence is not an
available remedy for this violation of the ECPA. . . . The remedy for violation of [18 U.S.C. § 2701-11]
lies in a civil action.").13
Defense counsel seeking suppression of evidence obtained in violation of ECPA are likely to rely
on McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998). In this unusual case, Judge Sporkin enjoined
the United States Navy from dismissing 17-year Navy veteran Timothy R. McVeigh after the Navy
learned that McVeigh was gay. The Navy learned of McVeigh's sexual orientation after McVeigh sent
an e-mail signed "Tim" from his AOL account "boysrch" to the AOL account of a civilian Navy
volunteer. When the volunteer examined AOL's "member profile directory," she learned that "boysrch"
belonged to a man in the military stationed in Honolulu who listed his marital status as gay.
Suspecting that the message was from McVeigh, the volunteer forwarded the e-mail and directory
profile to officers aboard McVeigh's submarine. The officers then began investigating McVeigh's
sexual orientation. To confirm McVeigh's identity, a Navy paralegal telephoned AOL and offered a
false story for why he needed the real name of "boysrch." The paralegal did not disclose that he was a
Naval serviceman. After the AOL representative confirmed that "boysrch" belonged to McVeigh's
account, the Navy began a discharge proceeding against McVeigh. Shortly before McVeigh's discharge
was to occur, McVeigh filed suit and asked for a preliminary injunction blocking the discharge. Judge
Sporkin granted McVeigh's motion the day before the discharge.
Judge Sporkin's opinion reflects both the case's highly charged political atmosphere and the press
of events surrounding the issuance of the opinion.14 In the course of criticizing the Navy for
substituting subterfuge for ECPA's legal process to obtain McVeigh's basic subscriber information from
AOL, Judge Sporkin made statements that could be interpreted as reading a suppression remedy into
ECPA for flagrant violations of the statute:
[I]t is elementary that information obtained improperly can be suppressed where an
individual's rights have been violated. In these days of 'big brother,' where through
technology and otherwise the privacy interests of individuals from all walks of life are being
ignored or marginalized, it is imperative that statutes explicitly protecting these rights be
strictly observed.
Id. at 220. While ECPA should be strictly observed, the statement that suppression is appropriate when
information is obtained in violation of "an individual's rights" is somewhat perplexing. Both the case
law and the text of ECPA itself make clear that ECPA does not offer a suppression remedy for
nonconstitutional violations. Accordingly, this statement must be construed to refer only to
constitutional rights.
2. Civil Actions
Although ECPA does not provide a suppression remedy for statutory violations, it does provide for
civil damages (including, in some cases, punitive damages), as well as the prospect of disciplinary
actions against officers and employees of the United States who may have engaged in willful violations.
18 U.S.C. § 2707 permits a "person aggrieved" by an ECPA violation to bring a civil action against the
person or entity which engaged in that violation. 18 U.S.C. § 2707(a). Relief can include money
damages no less than $1,000 per person, equitable or declaratory relief, and a reasonable attorney's fee
plus other reasonable litigation costs. Willful or intentional violations can also result in punitive
damages, see § 2707(b)-(c), and employees of the United States may be subject to disciplinary action
for willful or intentional violations. See § 2707(d). A good faith reliance on a court order or warrant,
grand jury subpoena, legislative authorization, or statutory authorization provides a complete defense to
any ECPA civil or criminal action. See § 2707(e). Qualified immunity may also be available. See
Chapter 4, Part D, Sec. 2.
At least one court has held that a government entity cannot be held liable for obtaining
information from a network service provider in violation of 18 U.S.C. § 2703(c). In Tucker v. Waddell,
83 F.3d 688 (4th Cir. 1996), Durham, North Carolina police officers obtained a subscriber's account
records using an unauthorized subpoena in violation of § 2703(c)(1)(C). The subscriber sued the City of
Durham and the officers, seeking damages. The Fourth Circuit rejected the suit, reasoning that § 2703(c)
imposed duties on providers of ECS and RCS, but not government entities seeking information from
such providers. See id. at 691-93. Accordingly, the government could not be sued for violating § 2703(c)
unless it aided and abetted or conspired in the provider's violation. See id. at 693, 693 n.6. Notably,
however, even the Tucker court agreed that the government could be held liable for violating § 2703(a)
or § 2703(b). See id. at 693.
IV. ELECTRONIC SURVEILLANCE IN COMMUNICATIONS NETWORKS
A. Introduction
Computer crime investigations often involve electronic surveillance. Agents may want to monitor
a hacker as he breaks into a victim computer system, or set up a "cloned" e-mail box to monitor a
suspect sending or receiving child pornography over the Internet. In a more traditional context, agents
may wish to wiretap a suspect's telephone, or learn whom the suspect has called, and when. This
chapter explains how the electronic surveillance statutes work in criminal investigations involving
computers.
Two federal statutes govern real-time electronic surveillance in federal criminal investigations.
The first and most important is the wiretap statute, 18 U.S.C. §§ 2510-22, first passed as Title III of the
Omnibus Crime Control and Safe Streets Act of 1968 (and generally known as Title III). The second
statute is the Pen Registers and Trap and Trace Devices chapter of Title 18 (the Pen/Trap statute), 18
U.S.C. §§ 3121-27, which governs pen registers and trap and trace devices. Failure to comply with
these statutes may result in civil and criminal liability, and in the case of Title III, may also result in
suppression of evidence.
In general, the Pen/Trap statute regulates the collection of addressing information for wire and
electronic communications. Title III regulates the collection of actual content for wire and
electronic communications.
Title III and the Pen/Trap statute coexist because they regulate access to different types of
information. Title III permits the government to obtain the contents of wire and electronic
communications in transmission. In contrast, the Pen/Trap statute concerns the collection of mere
addressing information relating to those communications. See United States Telecom Ass'n v. FCC,
227 F.3d 450, 454 (D.C. Cir. 2000); Brown v. Waddell, 50 F.3d 285, 289-93 (4th Cir. 1995)
(distinguishing pen registers from Title III intercept devices). The difference between addressing
information and content is clear in the case of traditional communications such as telephone calls. The
addressing information for a telephone call is the phone number dialed for an outgoing call, and the
originating number (the caller ID information) for an incoming call. In contrast, the content of the
communication is the actual conversation between the two parties to the call.
The distinction between addressing information and content also applies to Internet
communications. For example, when computers attached to the Internet communicate with each other,
they break down messages into discrete chunks known as "packets," and then send each packet out to its
intended destination. Every packet contains addressing information in the "header" of the packet (much
like the "to" and "from" addresses on an envelope), followed by the content of the message (much like a
letter inside an envelope). The Pen/Trap statute permits law enforcement to obtain the addressing
information of Internet communications much as it would addressing information for traditional phone
calls. See 18 U.S.C. § 3127(4) (defining "trap and trace device" broadly as "a device which captures the
incoming electronic or other impulses which identify the originating number of an instrument or device
from which a wire or electronic communication was transmitted"). However, reading the entire packet
ordinarily implicates Title III. The primary difference between an Internet pen/trap device and an
Internet Title III intercept device (sometimes known as a "sniffer") is that the former is programmed to
capture and retain only addressing information, while the latter is programmed to read the entire packet.
The same distinction applies to Internet e-mail. Every Internet e-mail message consists of a header
that contains addressing and routing information generated by the mail program, followed by the actual
contents of the message authored by the sender. The addressing and routing information includes the
e-mail address of the sender and recipient, as well as information about when and where the message was
sent on its way (roughly analogous to the postmark on a letter). The Pen/Trap statute permits law
enforcement to obtain the addressing information of Internet e-mails (minus the subject line, which can
contain contents, cf. Brown, 50 F.3d at 292) using a court order, just like it permits law enforcement to
obtain addressing information for phone calls and individual Internet packets using a court order.
Conversely, the interception of e-mail contents, including the subject line, requires careful compliance
with the strict dictates of Title III.
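The header/content split described in the two paragraphs above, for IP packets and for e-mail, shown as an added illustration that is not part of the original manual. The function names, the list of header fields treated as addressing information, and the sample packet and message are assumptions constructed for this example.

```python
import ipaddress
import struct
from email import message_from_string

# Assumption: this field list is illustrative. The manual names only the
# sender and recipient addresses and when/where the message was sent, and
# it excludes the subject line because a subject can carry content.
ADDRESSING_FIELDS = {"from", "to", "cc", "date", "received", "message-id"}


def ipv4_addressing(packet):
    """Return the source and destination of an IPv4 packet, nothing else.

    The payload that follows the header is never read or copied.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    header_len = (packet[0] & 0x0F) * 4  # IHL is counted in 32-bit words
    if version != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
    }


def email_addressing(raw_message):
    """Return (name, value) pairs for addressing/routing headers only.

    The Subject header and the message body are dropped.
    """
    msg = message_from_string(raw_message)
    return [
        (name, " ".join(value.split()))  # unfold multi-line header values
        for name, value in msg.items()
        if name.lower() in ADDRESSING_FIELDS
    ]


# Constructed sample inputs (documentation address ranges, invented text).
SAMPLE_PACKET = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 20 + 19, 0, 0, 64, 17, 0,
    ipaddress.IPv4Address("192.0.2.1").packed,
    ipaddress.IPv4Address("198.51.100.7").packed,
) + b"constructed payload"

SAMPLE_EMAIL = (
    "Received: from mail.example.org by mx.example.net;\n"
    "\tFri, 12 Jan 2001 10:00:00 -0500\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: constructed subject text\n"
    "Date: Fri, 12 Jan 2001 09:59:58 -0500\n"
    "\n"
    "constructed message body\n"
)

if __name__ == "__main__":
    print(ipv4_addressing(SAMPLE_PACKET))
    for name, value in email_addressing(SAMPLE_EMAIL):
        print(f"{name}: {value}")
```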
B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-27
The Pen/Trap statute authorizes a government attorney to apply to a court for an order authorizing
the installation of a pen register and/or trap and trace device so long as the information likely to be
obtained is relevant to an ongoing criminal investigation. 18 U.S.C. § 3122(b)(2). A pen register
records outgoing addressing information (such as a number dialed from a monitored telephone), and a
trap and trace device records incoming addressing information (such as caller ID information). See 18
U.S.C. § 3127(3)-(4). In Internet cases, however, the historical distinction between pen registers and
trap and trace devices carries less importance. Because Internet headers contain both "to" and "from"
information, a device that reads the entire header (minus the subject line in the case of e-mail headers) is
known simply as a pen/trap device.
To obtain an order, applicants must identify themselves, identify the law enforcement agency
conducting the investigation, and then certify their belief that the information likely to be obtained is
relevant to an ongoing criminal investigation being conducted by the agency. See 18 U.S.C. § 3122(b)(1)-(2).
So long as the application contains these elements, the court will authorize the installation of the
pen/trap device. The court will not conduct an "independent judicial inquiry into the veracity of the
attested facts." In re Application of the United States, 846 F. Supp. 1555, 1558-59 (M.D. Fla. 1994). See
also United States v. Fregoso, 60 F.3d 1314, 1320 (8th Cir. 1995) ("The judicial role in approving use of
trap and trace devices is ministerial in nature.").
Importantly, this limited judicial review coexists with a strong enforcement mechanism for
violations of the statute. As one court has explained,
[t]he salient purpose of requiring the application to the court for an order is to affix personal
responsibility for the veracity of the application (i.e., to ensure that the attesting United
States Attorney is readily identifiable and legally qualified) and to confirm that the United
States Attorney has sworn that the required investigation is in progress. . . . As a form of
deterrence and as a guarantee of compliance, the statute provides . . . for a term of
imprisonment and a fine as punishment for a violation [of the statute].
In re Application of the United States, 846 F. Supp. at 1559.
The resulting order may authorize use of a pen/trap device for up to sixty days, and may be
extended for additional sixty-day periods. See 18 U.S.C. § 3123(c). The court order also orders the
provider not to disclose the existence of the pen/trap "to any . . . person, unless or until otherwise
ordered by the court," 18 U.S.C. § 3123(d)(2), and may order providers of wire or electronic
communications service, landlords, or custodians to "furnish . . . forthwith all information, facilities, and
technical assistance necessary" to install pen/trap devices. See 18 U.S.C. § 3124(a), (b). Providers who
are ordered to assist with the installation of pen/trap devices under § 3124 can receive reasonable
compensation for reasonable expenses incurred in providing facilities or technical assistance to law
enforcement. See 18 U.S.C. § 3124(c). A provider's good faith reliance on a court order provides a
complete defense to any civil or criminal action arising from its assistance in accordance with the order.
See 18 U.S.C. § 3124(d), (e).
The Pen/Trap statute also grants providers of electronic or wire communication service broad
authority to use pen/trap devices on their own networks without a court order. 18 U.S.C. § 3121(b) states
that providers may use pen/trap devices without a court order
(1) relating to the operation, maintenance, and testing of a wire or electronic
communication service or to the protection of the rights or property of such provider, or to
the protection of users of that service from abuse of service or unlawful use of service; or
(2) to record the fact that a wire or electronic communication was initiated or completed in
order to protect such provider, another provider furnishing service toward the completion of
the wire communication, or a user of that service, from fraudulent, unlawful or abusive use
of service; or
(3) where the consent of the user of that service has been obtained.
18 U.S.C. § 3121(b).
C. The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22
1. Introduction: The General Prohibition
Since its enactment in 1968 and amendment in 1986, Title III has provided the statutory
framework that governs real-time electronic surveillance of the contents of communications. When
agents want to wiretap a suspect's phone, "keystroke" a hacker breaking into a computer system, or
accept the fruits of wiretapping by a private citizen who has discovered evidence of a crime, the agents
first must consider the implications of Title III.
The structure of Title III is surprisingly simple. The statute's drafters assumed that every private
communication could be modeled as a two-way connection between two participating parties, such as a
telephone call between A and B. At a fundamental level, the statute prohibits a third party (such as the
government) who is not a participating party to the communication from intercepting private
communications between the parties using an "electronic, mechanical, or other device," unless one of
several statutory exceptions applies. See 18 U.S.C. § 2511(1). Importantly, this prohibition is quite
broad. Unlike some privacy laws that regulate only certain cases or specific places, Title III expansively
prohibits eavesdropping (subject to certain exceptions and interstate requirements) essentially
everywhere by anyone in the United States. Whether investigators want to conduct surveillance at
home, at work, in government offices, in prison, or on the Internet, they must make sure that the
monitoring complies with Title III's prohibitions.
The questions that agents and prosecutors must ask to ensure compliance with Title III are
straightforward, at least in form: 1) Is the communication to be monitored one of the protected
communications defined in 18 U.S.C. § 2510?, 2) Will the proposed surveillance lead to an
"interception" of the communications?, and 3) If the answer to the first two questions is "yes," does a
statutory exception apply that permits the interception?
2. Key Phrases
Title III broadly prohibits the "interception" of "oral communications," "wire communications,"
and "electronic communications." These phrases are defined by the statute. See generally 18 U.S.C. §
2510. In computer crime cases, agents and prosecutors planning electronic surveillance must understand
the definition of "wire communication," "electronic communication," and "intercept." (Surveillance of
oral communications rarely arises in computer crime cases, and will not be addressed directly here.
Agents and prosecutors requiring assistance in cases involving oral communications should contact the
Justice Department's Office of Enforcement Operations at (202) 514-6809.)
"Wire communication"
In general, telephone conversations are wire communications.
According to § 2510(1), "wire communication" means
any aural transfer made in whole or in part through the use of facilities for the transmission
of communications by the aid of wire, cable, or other like connection between the point of
origin and the point of reception (including the use of such connection in a switching
station) furnished or operated by any person engaged in providing or operating such
facilities for the transmission of interstate or foreign communications or communications
affecting interstate or foreign commerce and such term includes any electronic storage of
such communication.
Within this complicated definition, the most important requirement is that the content of the
communication must include the human voice. See § 2510(18) (defining "aural transfer" as "a transfer
containing the human voice at any point between and including the point of origin and point of
reception"). If a communication does not contain a genuine human voice, either alone or in a group
conversation, then it cannot be a wire communication. See S. Rep. No. 99-541, at 12 (1986), reprinted in
1986 U.S.C.C.A.N. 3555. United States v. Torres, 751 F.2d 875, 885-86 (7th Cir. 1984) (concluding
that "silent television surveillance" cannot lead to an interception of wire communications under Title III
because no aural acquisition occurs).
The additional requirement that wire communications must be sent "in whole or in part . . . by the
aid of wire, cable, or other like connection . . ." presents a fairly low hurdle. So long as the signal
travels through wire at some point along its route between the point of origin and the point of reception,
the requirement is satisfied. For example, all voice telephone transmissions, including those from
satellite signals and cellular phones, qualify as wire communications. See H.R. Rep. No. 99-647, at 35
(1986). Because such transmissions are carried by wire within switching stations, they are expressly
included in the definition of wire communication. Importantly, the presence of wire inside equipment at
the sending or receiving end of a communication (such as an individual cellular phone) does not satisfy
the requirement that a communication be sent "in part" by wire. The wire must transmit the
communication "to a significant extent" along the path of transmission, outside of the equipment that
sends or receives the communication. Id.
The final phrase of § 2510(1), relating to wire communications in "electronic storage," has been a
source of considerable confusion. Congress added this phrase to the definition of wire communication
to ensure that stored voice mail would in some circumstances be protected by the wiretap laws. See S.
Rep. No. 99-541, at 12 (1986), reprinted in 1986 U.S.C.C.A.N. 3555 (explaining that final phrase was
designed to specify that wire communications in storage like voice mail, remain wire communications,
and are protected accordingly). By using the phrase "electronic storage," however, Congress invoked a
term of art that has a particular and limited meaning: a "temporary, intermediate storage . . . incidental
to . . . electronic transmission." § 2510(17). See generally Chapter 3, Part B (discussing the meaning of
"electronic storage" as defined in § 2510(17)). Thus, the final phrase of § 2510(17) appears to add
unopened voice mail to the definition of wire communications. The practical effect of this phrase is to
require a Title III court order as a condition of government access to voice mail in electronic storage.
See also Chapter 3, Part D (discussing the treatment of voicemail under ECPA).
"Electronic communication"
Most Internet communications (including e-mail) are electronic communications.
18 U.S.C. § 2510(12) defines "electronic communication" as
any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature, transmitted in
whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects
interstate or foreign commerce, but does not include
(A) any wire or oral communication;
(B) any communication made through a tone-only paging device;
(C) any communication from a tracking device . . . ; or
(D) electronic funds transfer information stored by a financial institution in a
communications system used for the electronic storage and transfer of funds;
As the definition suggests, electronic communication is a broad, catch-all category. See United
States v. Herring, 993 F.2d 784, 787 (11th Cir. 1993). As a rule, "a communication is an electronic
communication if it is neither carried by sound waves nor can fairly be characterized as one containing
the human voice (carried in part by wire)." H.R. Rep. No. 99-647, at 35 (1986). Most electric or
electronic signals that do not fit the definition of wire communications qualify as electronic
communications. For example, almost all Internet communications (including e-mail) qualify as
electronic communications.
"Intercept"
Most courts have held that communications are intercepted only when they are acquired
contemporaneously with their transmission (in real time). The Ninth Circuit has taken a
different approach, however.
Section 2510(4) defines "intercept" as "the aural or other acquisition of the contents of any wire,
electronic, or oral communication through the use of any electronic, mechanical, or other device." The
word "acquisition" is notably ambiguous in this definition. For example, when law enforcement
surveillance equipment records the contents of a communication, the communication might be
"acquired" at three distinct points: first, when the equipment records the communication; second, when
law enforcement later obtains the recording; or third, when law enforcement plays the recording and
either hears or sees the contents of the communication. The text of § 2510(4) does not specify which of
these events constitutes an "acquisition" for the purposes of ECPA. See United States v. Turk, 526 F.2d
654, 657-58 (5th Cir. 1976).
Courts confronted with this ambiguity have rendered inconsistent rulings. Many courts have held
that both wire and electronic communications are intercepted only when they are acquired
contemporaneously with their transmission. In other words, interception of the communications refers
only to their real-time acquisition at the time of transmission between the parties to the communication.
Subsequent access to a stored copy of the communication does not "intercept" the communication. See,
e.g., Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 460-63 (5th Cir. 1994)
(access to stored e-mail communications); Wesley College v. Pitts, 974 F. Supp. 375, 386 (D. Del.
1997) (same); United States v. Meriwether, 917 F.2d 955, 960 (6th Cir. 1990) (access to stored pager
communications); United States v. Reyes, 922 F. Supp. 818, 836 (S.D.N.Y. 1996) (same); Bohach v.
City of Reno, 932 F. Supp. 1232, 1235-36 (D. Nev. 1996) (same); United States v. Moriarty, 962 F.
Supp. 217, 220-21 (D. Mass. 1997) (access to stored wire communications); In re State Police
Litigation, 888 F. Supp. 1235, 1264 (D. Conn. 1995) (same); Payne v. Norwest Corp., 911 F. Supp.
1299, 1303 (D. Mont. 1995), aff'd in part and rev'd in part, 113 F.3d 1079 (9th Cir. 1997) (same).
The Ninth Circuit has taken a very different approach. First, in United States v. Smith, 155 F.3d
1051, 1058-59 (9th Cir. 1998), the court held that a party can intercept a wire communication by
obtaining a copy of the communication in "electronic storage," which is specifically defined in § 2510(17).
The court reasoned that wire communications should be treated differently than electronic
communications because the definition of wire communication expressly included "any electronic
storage of such communication," but the definition of electronic communication did not include this
phrase. See id. at 1057. Then, in a pro se civil case, Konop v. Hawaiian Airlines, 2001 WL 13232,
__ F.3d __ (9th Cir. 2001), the court reversed course and concluded that it would be "senseless" to treat wire
communications and electronic communications differently. Id. at *6-*7. Accordingly, the court held
that obtaining a copy of an electronic communication in "electronic storage" can constitute an
interception of the communication, just as it can for wire communications. See id.
The most coherent interpretation of "intercept" in the context of wire communications lies between
these two poles. The best evidence suggests that Congress intended for "intercept" to mean only
real-time acquisition. However, in recognition of the fact that Congress also intended to protect voicemail in
"electronic storage" by including it in the definition of wire communication, see S. Rep. No. 99-541, at
12 (1986) reprinted in 1986 U.S.C.C.A.N. 3555, agents should obtain a Title III order to access stored
voicemail if the voicemail falls within the statutory definition of "electronic storage" articulated in §
2510(17). See Chapter 3, Part B. In contrast, the decision in Konop is plainly incorrect: government
access to electronic communications in "electronic storage" is governed by 18 U.S.C. § 2703, not 18
U.S.C. § 2518.
3. Exceptions to Title III
Title III broadly prohibits the intentional interception, use, or disclosure[15] of wire and electronic
communications unless a statutory exception applies. See 18 U.S.C. § 2511(1). In general, this
prohibition bars third parties (including the government) from wiretapping telephones and installing
electronic "sniffers" that read Internet traffic.
The breadth of Title III's prohibition means that the legality of most surveillance techniques under
Title III depends upon whether a statutory exception to the rule applies. Title III contains dozens of
exceptions, which may or may not apply in hundreds of different situations. In computer crime cases,
however, six exceptions apply most often:
A) interception pursuant to a § 2518 court order;
B) the "consent" exception, § 2511(2)(c)-(d);
C) the "provider" exception, § 2511(2)(a)(i);
D) the "extension telephone" exception, § 2510(5)(a);
E) the "inadvertently obtained criminal evidence" exception, § 2511(3)(b)(iv); and
F) the "accessible to the public" exception, § 2511(2)(g)(i).
Prosecutors and agents need to understand the scope of these six exceptions in order to determine
whether different surveillance strategies will comply with Title III.
a) Interception Authorized by a Title III Order, 18 U.S.C. § 2518.
Title III permits law enforcement to intercept wire and electronic communications pursuant to an 18
U.S.C. § 2518 court order ("Title III order"). High-level Justice Department approval is required for
federal Title III applications, by statute in the case of wire communications, and by Justice Department
policy in the case of electronic communications (with exceptions to cover numeric pagers). When
authorized by the Justice Department and signed by a United States District Court or Court of Appeals
judge, a Title III order permits law enforcement to intercept communications for up to thirty days. See §
2518.
18 U.S.C. §§ 2516-18 impose several formidable requirements that must be satisfied before
investigators can obtain a Title III order. Most importantly, the application for the order must show
probable cause to believe that the interception will reveal evidence of a predicate felony offense listed in
§ 2516. See § 2518(3)(a)-(b). For federal agents, the predicate felony offense must be one of the crimes
specifically enumerated in § 2516(1)(a)-(p) to intercept wire communications, or any felony to intercept
electronic communications. See 18 U.S.C. § 2516(3). The predicate crimes for state investigations are
listed in 18 U.S.C. § 2516(2). The application for a Title III order must also show that normal
investigative procedures have been tried and failed, or that they reasonably appear to be unlikely to
succeed or to be too dangerous, see § 2518(1)(c); must establish probable cause that the communication
facility is being used in a crime; and must show that the surveillance will be conducted in a way that
minimizes the interception of communications that do not provide evidence of a crime. See § 2518(5).
For comprehensive guidance on the requirements of 18 U.S.C. § 2518, agents and prosecutors should
consult the Justice Department's Office of Enforcement Operations at (202) 514-6809.
b) Consent of a Party to the Communication, 18 U.S.C. § 2511(2)(c)-(d)
18 U.S.C. § 2511(2)(c) and (d) state:
(c) It shall not be unlawful under this chapter for a person acting under color of law to
intercept a wire, oral, or electronic communication, where such person is a party to the
communication or one of the parties to the communication has given prior consent to such
interception.
(d) It shall not be unlawful under this chapter for a person not acting under color of law to
intercept a wire, oral, or electronic communication where such person is a party to the
communication or where one of the parties to the communication has given prior consent to
such interception unless such communication is intercepted for the purpose of committing
any criminal or tortious act in violation of the Constitution or laws of the United States or of
any State.
This language authorizes the interception of communications when one of the parties to the
communication consents to the interception.[16] For example, if an undercover government agent or
informant records a telephone conversation between himself and a suspect, his consent to the recording
authorizes the interception. See, e.g., Obron Atlantic Corp. v. Barr, 990 F.2d 861 (6th Cir. 1993)
(relying on 2511(2)(c)). Similarly, if a private person records his own telephone conversations with
others, his consent authorizes the interception unless the commission of a criminal, tortious, or other
injurious act was at least a determinative factor in the person's motivation for intercepting the
communication. See United States v. Cassiere, 4 F.3d 1006, 1021 (1st Cir. 1993) (interpreting 2511(2)(d)).
In computer cases, two questions relating to 18 U.S.C. § 2511(2)(c)-(d) arise particularly often.
First, to what extent can a posted notice or a "banner" generate implied consent and permit monitoring?
Second, who is a "party to the communication" when a hacker routes an attack across a computer
network?
i) "Bannering" and Implied Consent
Monitoring use of a computer network does not violate Title III after users view an appropriate
"network banner" informing them that use of the network constitutes consent to monitoring.
Consent to Title III monitoring may be express or implied. See United States v. Amen, 831 F.2d
373, 378 (2d Cir. 1987). Implied consent exists when circumstances indicate that a party to a
communication was "in fact aware" of monitoring, and nevertheless proceeded to use the monitored