9th Circuit Court of Appeals – Plain View on Digital Evidence

by Dan on July 22, 2010

Seen at the SANS Blog at https://blogs.sans.org/computer-forensics/2009/08/27/sweeping-9th-circuit-decision-regarding-law-enforcement-officer-computer-forensics/:

Reposted from Greg Haverkamp <greg@haverkamp.com> from the GIAC Certified Forensic Analysts [GCFA] mailing list

The 9th Circuit released its en banc decision today in U.S. v Comprehensive Drug Testing. The case itself has ties to seizures made in relation to the Balco investigations. The most significant aspect of the decision, based on my initial reading, is the elimination of the “plain view” exception as it pertains to warranted searches of digital media. Specifically, it clobbers the widely held position that all files, including those not pertaining to the instant investigation, are in plain view and may be used as evidence of criminal activity beyond the scope of the original investigation. (Images of child pornography seem to be the most common instance of this.)

One of the dissenters makes it sound like a plus for forensic examiners:

“Setting aside the omission of supporting legal authority, this new ex ante restriction on law enforcement investigations also raises practical, cost-related concerns. With respect to using an in-house computer specialist to segregate data, the majority’s guideline essentially requires that law enforcement agencies keep a ‘walled-off,’ non-investigatory computer specialist on staff for use in searches of digital evidence. To comply, an agency would have to expand its personnel, likely at a significant cost, to include both computer specialists who could segregate data and forensic computer specialists who could assist in the subsequent investigation. The alternative would be to use an independent third party consultant, which no doubt carries its own significant expense. Both of these options would force law enforcement agencies to incur great expense, perhaps a crushing expense for smaller police departments that already face tremendous budget pressures.”

The meat comes during the concluding portion of the majority opinion:

“We accept the reality that such over-seizing is an inherent part of the electronic search process and proceed on the assumption that, when it comes to the seizure of electronic records, this will be far more common than in the days of paper records. This calls for greater vigilance on the part of judicial officers in striking the right balance between the government’s interest in law enforcement and the right of individuals to be free from unreasonable searches and seizures. The process of segregating electronic data that is seizable from that which is not must not become a vehicle for the government to gain access to data which it has no probable cause to collect. In general, we adopt Tamura’s solution to the problem of necessary over-seizing of evidence: When the government wishes to obtain a warrant to examine a computer hard drive or electronic storage medium in searching for certain incriminating files, or when a search for evidence could result in the seizure of a computer, see, e.g., United States v. Giberson, 527 F.3d 882 (9th Cir. 2008), magistrate judges must be vigilant in observing the guidance we have set out throughout our opinion, which can be summed up as follows:

“1. Magistrates should insist that the government waive reliance upon the plain view doctrine in digital evidence cases. See p. 11876 supra.

“2. Segregation and redaction must be either done by specialized personnel or an independent third party. See pp. 11880-81 supra. If the segregation is to be done by government computer personnel, it must agree in the warrant application that the computer personnel will not disclose to the investigators any information other than that which is the target of the warrant.

“3. Warrants and subpoenas must disclose the actual risks of destruction of information as well as prior efforts to seize that information in other judicial fora. See pp. 11877-78, 11886-87 supra.

“4. The government’s search protocol must be designed to uncover only the information for which it has probable cause, and only that information may be examined by the case agents. See pp. 11878, 11880-81 supra.

“5. The government must destroy or, if the recipient may lawfully possess it, return non-responsive data, keeping the issuing magistrate informed about when it has done so and what it has kept. See p. 11881-82 supra.”

Orin Kerr has a series of posts analyzing this case on the Volokh Conspiracy: http://volokh.com/posts/chain_1228354570.shtml

Also, here’s a common sense guide to plain view doctrine in digital evidence: http://www.dfinews.com/articles.php?pid=705

The article is VERY informative and makes the distinction between a computer search and a forensic examination.
