Dave Banisar
The Electronic Privacy Information Center (EPIC) has obtained the Department of Justice's recently issued "Federal Guidelines for Searching and Seizing Computers." EPIC obtained the document under the Freedom of Information Act. The guidelines provide an overview of the law surrounding searches, seizures and uses of computer systems and electronic information in criminal and civil cases. They discuss current law and suggest how it may apply to situations involving computers. The guidelines were developed by the Justice Department's Computer Crime Division and an informal group of federal agencies known as the Computer Search and Seizure Working Group.
However, the guidelines also note that computers and accessories are frequently incompatible or booby-trapped, and therefore recommend that equipment generally be seized to ensure that it will work. They recommend that irrelevant material should be returned quickly. "[O]nce the analyst has examined the computer system and data and decided that some items or information need not be kept, the government should return this property as soon as possible." The guidelines suggest that it may be possible to make exact copies of the information on the storage devices and return the computers and data to the suspects if they sign waivers stating that the copy is an exact replica of the original data.
On the issue of warrantless seizure and "no-knock warrants," the guidelines note the ease of destroying data. If a suspect is observed destroying data, a warrantless seizure may occur, provided that a warrant is obtained before an actual search can proceed. For "no-knock" warrants, the guidelines caution that more than the mere fact that the evidence can be easily destroyed is required before such a warrant can be issued. "These problems . . . are not, standing alone, sufficient to justify dispensing with the knock-and-announce rule."
For computer systems used by more than one person, the guidelines state that the consent of one user is enough to authorize a search of the entire system, even if each user has a different directory. However, if users have taken "special steps" to protect their privacy, such as using passwords or encryption, a search warrant is necessary. The guidelines suggest that users do not have an expectation of privacy on large mainframe systems because users should know that system operators have the technical ability to read all files on such systems. They recommend that the most prudent course is to obtain a warrant, but suggest that in the absence of a warrant prosecutors should argue that "reasonable users will also expect system administrators to be able to access all data on the system." Employees may also have an expectation of privacy in their computers that would prohibit employers from consenting to police searches. Public employees are protected by the Fourth Amendment, and searches of their computers are prohibited except for "non-investigatory, work related intrusions" and "investigatory searches for evidence of suspected work-related employee misfeasance."
The guidelines discuss the Privacy Protection Act of 1980, which was successfully used in the Steve Jackson Games case against federal agents. They recommend that "before searching any BBS, agents must carefully consider the restrictions of the PPA." Citing the Jackson case, they leave open the question of whether BBS's by themselves are subject to the PPA and state that "the scope of the PPA has been greatly expanded as a practical consequence of the revolution in information technology -- a result which was probably not envisioned by the Act's drafters." Under several DOJ memos issued in 1993, all applications for warrants under the Privacy Protection Act must be approved by a Deputy Assistant Attorney General of the Criminal Division or the supervising DOJ attorney.
For computers that contain private electronic mail protected by the Electronic Communications Privacy Act of 1986, prosecutors are advised to inform the judge that private email may be present and avoid reading communications not covered in the warrant. Under the ECPA, a warrant is required for email on a public system that is stored for less than 180 days. If the mail is stored for more than 180 days, law enforcement agents can obtain it either by using a subpoena (if they inform the target beforehand) or by using a warrant without notice.
For computers that contain confidential information, the guidelines recommend that forensic experts minimize their examination of irrelevant files. It may also be possible to appoint a special master to search systems containing privileged information.
One important section deals with issues relating to encryption and the Fifth Amendment's protection against self-incrimination. The guidelines caution that a grant of limited immunity may be necessary before investigators can compel disclosure of an encryption key from a suspect. This suggestion is significant given recent debates over the Clipper Chip and the possibility of mandatory key escrow.