Leonard Deutchman

Editor’s note: This is the second in a two-part series.

Last week, I discussed the case, United States v. Ganias, 824 F.3d 199 (2nd Cir. 2016), cert. denied, No. 16-263 (S.Ct. Dec. 5), in which the U.S. Court of Appeals for the Second Circuit, en banc, reversed a panel opinion that had vacated the defendant’s criminal conviction for two counts of tax evasion on the ground that the search of the defendant’s computers violated the Fourth Amendment. The search had been conducted upon forensic images (often referred to as “mirror” images) of hard drives of the defendant’s computers, which drives had been imaged in 2003 as part of execution of a search warrant for evidence of one crime, then re-searched in 2006 as part of execution of a second search warrant for evidence of the tax evasion charges. In this part of the series, I discuss the meaning and importance of forensic imaging, and the Second Circuit’s take on all of it.

Having discussed the nature of digital evidence as it pertains to searches and preservation, the court found that it need not resolve the issue of whether the retention of the forensic images violated the Fourth Amendment, because it found that the government, by not conducting its second search of the drives until after it had obtained the 2006 search warrant, which focused upon the activities of the defendant, had proceeded in good faith. The court’s reasoning is interesting but not relevant to our concerns here, so we shall skip review of it.

The dissent began with Entick v. Carrington, 19 How. St. Tr. 1029, 1064 (C.P. 1765), the common-law case that many credit with giving rise to the Fourth Amendment. There, all of the plaintiff’s papers and goods were seized, notwithstanding the irrelevance of almost all of them to the investigation being conducted. Entick, the dissent reasoned, led to the “foundational principle that the government cannot come into one’s home looking for some papers and, without suspicion of broader criminal wrongdoing, indiscriminately take all papers instead.”

The dissent found wholly unpersuasive the court’s reasoning that, because of the way data is stored in a computer, the entirety of the digital device must be seized. “If anything,” the dissent reasoned, “the protections of the Fourth Amendment are even more important in the context of modern technology, for the government has a far greater ability to intrude into a person’s private affairs.” Since “virtually the entirety of a person’s life may be captured as data,” we must be more careful not to “over-seize” than before the advent of computers. While the “practical considerations” set forth above with regard to how hard drives and other digital devices work may allow the government to, “consistent with the Fourth Amendment, over-seize electronically stored data when executing a warrant,” once the Government “is able to extract the responsive documents, its right to the over-seizure of evidence comes to an end.” The dissent noted that this “obvious principle has long been adhered to in the context of physical documents, such as when the government seizes entire file cabinets for off-site review.”

The dissent further rejected the argument that the evidence, as seized, i.e., the images as generated, had to be preserved for purposes of authentication. The dissent argued that proving authenticity is a low burden, and that authentication through hash values is unnecessary, since the expert the government would have to call to establish authenticity through hash value comparisons would be “no less burdensome than simply having an agent testify as to the chain of custody.” Moreover, because the government can authenticate individual files through hashing them, there is no reason to preserve the forensic image of the hard drive on which they were found to reside. The dissent rejected as a “slight prosecutorial advantage” not justifying the violation of Fourth Amendment rights that preservation of the hard drives could show “juries what a computer interface looked like in its ‘original form,’” as well as refute claims of data tampering.

Analysis

Several issues arise from the court’s and the dissent’s opinion. Some issues are legal while others are technical but, ultimately, all are legal, as the legal significance of the technical issues becomes better understood.

Starting with the technical issues, the court understood and appreciated far better than did the dissent why the seizure of digital evidence from a device required the creation of a forensic image of the device in whole, even if that meant that data not specified in the search warrant in items to be seized must be seized nevertheless. As the court explained, data is not compartmentalized on hard drives as it is in a file cabinet—data comprising a digital file can be in several locations across a drive. As well, there is so much to recover and examine on a hard drive beyond named files—deleted but recoverable files or fragments of files, metadata, etc.—that only by imaging the drive can such be accomplished. Moreover, only by imaging the hard drive can the operating system and all of the data revealing how the user(s) interacted with data be captured and analyzed. Fourth, hard drives must be captured and hash verified to create a digital chain of custody making the authenticity of the seized data unchallengeable. Finally, as a practical matter, searching a hard drive on scene would take so long that such a search would itself be “unreasonable” within the meaning of the Fourth Amendment.
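To make concrete the difference between hash-verifying a whole forensic image and hashing individual files, the following sketch is an added example, not drawn from the opinion or from any forensic tool. The eight-sector "drive," its contents, the extent list and all function names are constructed for illustration.

```python
import hashlib

SECTOR = 512  # assumed sector size for the constructed image

def build_image():
    """Constructed 8-sector 'drive': one file stored out of order in sectors
    5 and 2, plus the remnant of a deleted file in unallocated sector 6."""
    sectors = [bytes(SECTOR) for _ in range(8)]
    part2 = b"part two END"
    sectors[5] = b"LEDGER-2003 part one;".ljust(SECTOR, b".")
    sectors[2] = part2.ljust(SECTOR, b"\x00")
    sectors[6] = b"deleted draft fragment".ljust(SECTOR, b"\x00")
    extents = [(5, SECTOR), (2, len(part2))]  # (sector, bytes used), logical order
    return b"".join(sectors), extents

def acquire(image):
    """Digests recorded at acquisition: whole image plus each sector."""
    return {
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "sector_sha256": [hashlib.sha256(image[i:i + SECTOR]).hexdigest()
                          for i in range(0, len(image), SECTOR)],
    }

def verify(image, record):
    """Return (image digest still matches, list of sectors that changed)."""
    now = acquire(image)
    changed = [i for i, (old, new) in
               enumerate(zip(record["sector_sha256"], now["sector_sha256"]))
               if old != new]
    return now["image_sha256"] == record["image_sha256"], changed

def read_file(image, extents):
    """Reassemble a fragmented file from its extents."""
    return b"".join(image[s * SECTOR: s * SECTOR + n] for s, n in extents)

def file_digest(image, extents):
    return hashlib.sha256(read_file(image, extents)).hexdigest()

def tamper(image, sector, offset=3):
    """Flip one bit inside the given sector and return the altered image."""
    buf = bytearray(image)
    buf[sector * SECTOR + offset] ^= 0x01
    return bytes(buf)

if __name__ == "__main__":
    image, extents = build_image()
    record = acquire(image)
    print("untouched image:", verify(image, record))
    altered = tamper(image, sector=6)  # change only the deleted-file remnant
    print("altered image:  ", verify(altered, record))
    print("file hash unchanged:",
          file_digest(image, extents) == file_digest(altered, extents))
```

A one-bit change to the deleted-file remnant leaves the extracted file's hash identical but fails verification of the image, which is why a per-file hash authenticates only that file and says nothing about the rest of the drive.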

Even though the court understood how the technical issues of digital searches influence how the Fourth Amendment applies to such searches, that understanding was merely dicta since the court’s holding was that because the searches at issue were conducted pursuant to the second, 2006 search warrant, the agents acted in good faith and so suppression of the evidence would not lie. The dissent also understood the aforementioned technical issues, but simply gave no weight to them, holding that once the government seized and held onto the data searched pursuant to the 2006 search warrant but outside of the scope of the 2003 search warrant, the Fourth Amendment was violated, period.

Both the court and the dissent would have benefited from a review of Justice Marshall Harlan’s seminal concurrence in Katz v. United States, 389 U.S. 347 (1967). In holding that the Fourth Amendment applied to wiretaps of telephone conversations, Katz overruled Olmstead v. United States, 277 U.S. 438 (1928). Olmstead found that a caller had no Fourth Amendment right of privacy in a telephone call because the only trespass at issue was the physical one needed to set up the wiretap, and that was performed at the telephone company’s offices, where the caller had no right of privacy. Katz held that, in an age of telephone calls (40 years passed between Olmstead, when calls were relatively infrequent and many simply did not have telephones, and Katz, when phones were ubiquitous and calls frequent), the “trespass” involved was of the telephone call itself, not of the phone. The technology, in essence, changed what we thought of as “private,” such that calls made in 1928, when operators listened in on every call and only a small percentage of the population made calls, much less owned phones, were not considered private, while by 1967 they certainly were.

The technology of digital devices and data storage has, similarly, changed what we think of as the “seizure” of data, but not in a way appreciated by either the court or the dissent. First, while the seizure of physical files in a file cabinet can prevent the files’ owners or users from accessing them, the imaging of those files has no such effect. Furthermore, given how changeable digital files are compared to those in paper or other palpable format, and how they do not reside in one, easily identifiable location on a hard drive or digital device generally but, rather, can reside in multiple locations but be brought together as what appears to the user to be a single entity, the importance of preserving such files via forensic imaging makes reasonable that technique. Thus, because of the new realities of digital data storage, what would have been thought of as an unreasonable seizure of physical files outside of the set of files a search warrant authorizes agents to seize is, now, reasonable when those files are intermingled within a hard drive or other digital device. While in Katz the changes in telephone technology and usage made what had been a reasonable seizure an unreasonable one, in the instant matter, the growth of digital technology had the opposite effect of making reasonable a seizure that would have been unreasonable had the files been in a physical, rather than in a digital, format.

Conclusion

It is understandable that the dissent ignored the realities of digital data storage, and it is unfortunate that, because its holding was based upon the good faith of the agents executing the 2006 warrant, the court also ignored them. It is, however, perhaps most unfortunate that, because the court’s holding was proper, the Supreme Court denied certiorari and thus lost the opportunity to clarify on the merits that the forensic imaging done in the instant matter, and in virtually every criminal (and civil, for what it’s worth) matter, was proper. Since the digital technology will not change in the foreseeable future and the forensic imaging at issue here is both the most popular and reasonable means of gathering potential evidence, the matter should be settled so that law enforcement need not have to debate the merits of its processes each time it executes a search warrant where digital devices are to be searched.
