The U.S. Court of Appeals for the Second Circuit recently issued a ruling that may limit the scope of computer searches of criminal suspects. In turn, law enforcement agencies will likely have to supply better supervision and training for those who conduct the digital examinations.

Let's start with the basics: Ordinarily, a search warrant is required before evidence can be seized. That warrant must offer evidence that there is probable cause that a crime has been committed, describe the items sought in the search, and explain how they are connected to the crime. The subsequent search must be limited to the evidence described in the warrant.

There are exceptions. Among them is the plain view exception, which ordinarily applies when an officer finds other evidence in a place where he or she is lawfully entitled to be and is not violating the property owner's privacy. The Second Circuit has traditionally applied this rule to digital forensics searches as routinely as it has to physical searches of a person or property.

But as digital search scenes grow larger and larger (hard drives are in the terabytes and cellphones are over 50 gigabytes), questions have been raised about when a legal digital search for specific evidence becomes an improper general search.

The Second Circuit addressed the issue head on in its recent decision in U.S. v Galpin. While it stopped short of holding that the plain view exception does not apply to digital searches, it did limit the scope of its availability.

The Galpin court offered a classic example of the plain view exception by describing an officer who enters an apartment and sees cocaine on a table. The analogous situation in the digital world is when a forensic examiner opens a computer file in search of evidence listed in a warrant and finds evidence of a separate crime. Law enforcement authorities have long argued that in order to properly conduct a digital search, each computer file had to be opened. For example, in order to find evidence of narcotics trafficking, they must open and view all of the computer owner's family pictures, home budget spreadsheets and emails to high school sweethearts. If something like child pornography is found, it's fair game — just like the cocaine on the table.

At one point in the history of forensic computer examinations and the development of forensic software, it may, in fact, have been true that each and every file had to be opened and examined. But it is certainly not true now. There are many ways to craft a search plan so that it does not unnecessarily encroach into a computer owner's private areas.

And so the Second Circuit, in Galpin, held that the government must make a better effort to search only for digital evidence related to alleged crimes detailed in the warrant.

The appellate court remanded the case to the trial court, which has been asked to sever the valid sections from invalid sections of the search warrant—that is, the portions of the warrant that are supported by probable cause from those that are not. Once that is done, the trial court must look at the extent to which the search for digital evidence was calculated to target data beyond the scope of the warrant. If the court finds that evidence beyond the scope of the valid portions of the warrant was targeted by searching agents, the plain view exception does not apply and some evidence will be suppressed.

Broad Warrant

James R. Galpin Jr. had been convicted of several offenses involving child pornography and crimes against minors. As a convicted sex offender, he was subject to registration in New York. He became the subject of an investigation by police, who had been tipped off that he was violating the terms of his sex offender registration. Investigators learned that Galpin used an unregistered online identity to post at least one picture of himself in violation of the terms of New York's sex offender registration requirements.

And so a search warrant was issued for an extensive list of computer-related items that were "believed to be evidence, [or] substantiate or support violations of NYS Corrections Law, … NYS Penal Law or federal statutes."

During the computer search, child pornography was found. Galpin moved to suppress all of the evidence seized, arguing that the warrant was overly broad and the result was an improper general search of his computer. The trial court denied the motion, holding that although the warrant was broad and there was no probable cause to search for child pornography, the valid portions of the warrant could be severed from the invalid clauses and that the child pornography was found in plain view.

Galpin appealed. The Second Circuit upheld the trial court's decision in part and reversed it in part. It stated that the trial court was correct in ruling there was insufficient probable cause of any crime other than failure to report an unregistered Internet identity and that the warrant was overly broad. But it reversed and remanded on the severability and plain view issues.

The Second Circuit adopted the test set out by the 10th Circuit in the 2006 case of U.S. v Sells on the severability issue. The most important ruling had to do with the plain view exception to the search warrant requirement. The appeals court held that if the trial court determines that there is a salvageable portion of the warrant supporting a search for the Internet identifier and pictures, the trial court "should take into account the degree, if any, to which digital search protocols target[ed] information outside the scope of the valid portion of the warrant."

The Second Circuit determined that there was not much support for finding that forensic examiners sought to limit the scope of the search of Galpin's computer. The takeaway here is that digital searches should be limited to the crimes for which probable cause is articulated in the warrant affidavit and searches should be tailored to seek only what is specifically particularized.

In the Galpin case and in most criminal cases, forensic examiners simply run the forensic software and proceed with their examinations according to the training they receive from the software companies. They complete the examination using the tools they were provided by the software companies without giving a second thought to the legality of the process.

For instance, the software called Forensic Tool Kit has a set of databases of known illegal files, some of them child pornography, that have been reduced to hash values. A hash value is a numeric value unique to a specific file. These databases are called "Known File Filters," or KFF.

Forensic examiners choose whether to search the entire KFF database, just the child pornography KFF, or none of the KFFs when they conduct an examination. Many police departments run the child pornography KFF whether or not the examinations are for child pornography, a child exploitation offense or any offense at all.

One problem is that digital forensics examiners are often taught how to use software, but they receive little or no training in the legal aspects of conducting a computer search. Any narcotics or organized crime search warrant I ever reviewed had some sort of plan associated with its execution. There was a person assigned to cover each specific assignment. Each person was tasked with reading the warrant and ensuring that authorities abided by the particular requirements of the warrant.

No such requirements exist in the digital search realm. Though some standards are observed at the state's crime lab by forensic examiners, the police officers who conduct the majority of digital searches do not follow any consistent search strategies.

Law enforcement agencies will now have to make sure they have strategies and protocols for limiting digital searches, or they will risk being challenged by defense attorneys and having evidence suppressed by courts.

This is especially true because authorities will not be able to claim they had to open every computer file to see if it contained information pertaining to the crime. Digital forensics software is quite sophisticated and is very user-friendly. In most instances, an examiner can easily limit the scope of the search. In the Galpin case, digital searches could readily have been conducted for only information related to the Internet identifier in question, or for just about any set of data one can conceive.
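A minimal sketch of the kind of scope-limited search protocol described above, given as an added example that is not from the article or from any forensic product. The scope values, file names and function names are hypothetical and the evidence files are constructed; it reads only file types that could hold the identifier, consults only hash sets the scope names, and logs every decision.

```python
import hashlib, os, tempfile

# Hypothetical scope taken from the valid portion of a warrant (constructed values).
SCOPE = {
    "terms": [b"example_screen_name"],        # the identifier named in the warrant
    "extensions": {".txt", ".html", ".log"},  # file types that can hold that identifier
    "hash_sets": [],                          # no known-file hash set is authorized
}

def scoped_search(root, scope, hash_sets=None):
    """Return (hits, audit). Only in-scope files are read; every decision is logged."""
    known = set()
    for name in scope["hash_sets"]:  # hash sets the scope does not name are never loaded
        known |= (hash_sets or {}).get(name, set())
    hits, audit = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(fname)[1].lower()
            if ext not in scope["extensions"]:
                audit.append((rel, "skipped: type outside scope"))
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            matched = [t.decode() for t in scope["terms"] if t.lower() in data.lower()]
            if digest in known:
                matched.append("hash-set match")
            if matched:
                hits.append(rel)
            audit.append((rel, f"read sha256={digest[:12]} matched={matched}"))
    return hits, audit

def demo(hash_sets=None):
    """Build a constructed evidence tree and run the scoped search over it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "profile.html": b"<p>posted by Example_Screen_Name</p>",
            "budget.txt": b"rent 900, food 300",
            "family.jpg": b"\xff\xd8\xff constructed image bytes",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scoped_search(root, SCOPE, hash_sets)

if __name__ == "__main__":
    print(demo())
```

Filtering by file extension is a simplification here; a working protocol would identify file types by content signature, since extensions can be changed.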


It's not a surprise that the Second Circuit ruled as it did. After all, courts have long recognized the ability of technology to violate our privacy even as it allows authorities to investigate potential criminal activity.

For instance, courts have ordered phone wiretaps to be conducted in such a way as to minimize the chances that law enforcement authorities will overhear private conversations that are not pertinent to the specific matters being investigated. The number and types of crimes in which telephonic intercepts are authorized are limited in Connecticut and elsewhere.

We treat our digital devices (our computers, cellphones and mobile devices) as extensions of ourselves. Some have described the phenomenon as humans becoming "cyborgs" by incorporating mechanical elements into their bodies. Should the government decouple us from what makes us superhuman (our digital device) and then examine that device, they are de facto looking into our thoughts and our daily activities.

As time moves forward, more of our lives are held in computer storage. Virtually all of our lives are held . . . virtually. When law enforcement seizes our computers, they seize our lives—the records of our lives. As time goes on, our courts and legislatures will have to decide to what extent law enforcement authorities will be permitted to rummage through our lives.