Police Searches of Computers
by Todd Garrison
Ignorance of the laws that govern your everyday life is at your own peril.
I do not advocate breaking any law, nor do I want to disseminate this article to criminals for the purpose of making the task of law enforcement more difficult. I cannot help but acknowledge that information here can be of use to criminals, but that is mere coincidence because all citizens have the right to protection under the various statutes and rules that protect our freedom.
Because I am involved with information security I have taken it upon myself to become familiarized with state and federal laws that affect computers. I am not a lawyer. I do not offer any of this information as such, nor do I advocate treating any of what I say as authoritative. If you suspect that you may be involved in litigation or an indictment that involves computers, get a lawyer. Not a lawyer who specializes in real-estate law, or general criminal defense. Retain a lawyer who specializes in computer and Internet law. The worst possible situation is a lawyer who doesn't know how the (computer-related) law works and puts you through failed filings while taking the wrong approach to your defense.
The prosecutor involved in your case (assuming it is computer-related) will most likely have received specialized training on computer-related offenses. In light of the media circus that surrounds hacking and anything that even remotely relates to a computer crime, prosecutors want to make examples in cases. So expect that they will try for maximum sentence and the harshest punishments for crimes under the guise that future risk can be averted in your case by imposing a harsh sentence before you graduate to more serious crimes.
The inspiration for this article is the recent publication of Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, a guide published by the Computer Crime and Intellectual Property Section (CCIPS) of the United States Department of Justice. Anyone who has followed the recent computer crime cases in the press knows that much of the computer crime law is still untested. Every day this becomes less true. Events are rapidly changing the interpretation of laws. Legislation such as the Digital Millennium Copyright Act has shifted fair use away from the individuals our government is supposed to protect and has given the power to large corporations. It will soon be illegal to even reverse engineer a product you have bought, and paid for the right to use - whether for the intended purpose or not. Events such as "sneak and peek" searches are becoming more commonplace when encryption is an issue.
There are, however, steps you can take to protect your privacy, to make it more difficult to have certain information and computer systems seized, and to recover your equipment after it has been seized. As I said before, I do not advocate or for that matter participate in crimes. Knowing the law makes it less likely, but not impossible, that you will be an unknowing party to a crime.
For instance you could be implicated in a crime by the fact alone that you know how to use a computer and one of your friends has committed a crime. This situation is not only likely, but happens regularly. Criminal investigators only need a suspicion that you may have information pertaining to evidence in a crime to seize your computers - even if you did not commit a crime.
There are laws that are supposed to protect against this, sure, but it is just a matter of semantics in the affidavit that the criminal investigator presents to a judge when requesting the search warrant. Furthermore, in cases where you relinquish control (say you drop off your computer at a repair shop), an affidavit and warrant are not even necessary to seize your equipment.
The DOJ computer search guidelines can be read at: www.cybercrime.gov/searchmanual.htm
So are we really that far away from Orwell's 1984? Does Big Brother have uncontrolled power? No. While you may not be able to prevent the initial show of force - where law enforcement essentially steals your equipment - there are many avenues to protect yourself. When doing vulnerability research on a computer system it is common to investigate multiple avenues of attack. To enumerate as many as possible and explore each one in an intellectual manner before choosing the avenue of attack. This is a discipline gleaned from basic tactics of warfare. It is a tried and proved method of offensive attack and, to be cliche, it is also a great defense. This is what I will attempt to do in this article. I do not propose legal defenses, but merely recognize locations in the existing laws which may allow more room for a defense once you have retained a lawyer.
Warrantless Searches
Quoting Nancy Reagan, "Just say no!" ("No, officer, you may not search my vehicle."; "No, officer, you may not enter the premises without a search warrant.") It should be noted here that refusing a search may be deemed suspicious behavior and under extreme circumstances may be used against you in an affidavit. Keep your wits about you! Your interaction with the police, FBI, prosecutors, etc. will be held against you or will be credited to you during any trials, motions, filings, etc. Generally if they ask to search something they have a reason. Ask why they want to search. If for example they want to search your vehicle for drugs, get it in writing.
While this may be something they do not want to do, insist. Make it the only condition that they may search. Why? Because if they are looking for drugs as a guise for looking at your laptop, pager, cellphone, PDA, appointment book, etc. they just plain don't have the right. You can't store drugs on your hard disk! Now be extremely careful at this point - if they say they are searching for "evidence" of drugs they may be warranted to look through other devices. Make them change the wording to "drugs or drug paraphernalia" instead of "evidence" before you agree. Note that if they do find drugs, they have the right to search everything, including your computer, etc.
Others may consent to search on your behalf. That's right, even if you object, it may not matter. When you were a child you were probably taught that sharing was a good thing. This is true and not true at the same time. Later in this article I will explain when it is good, but in the case of warrantless searches it is not only dangerous, but it is as good as totally relinquishing any control for a search to an officer. The basic idea is your roommate can consent to a search of your apartment. It gets worse. Anyone you share your computer with can consent to its search. Your coworkers can consent to a search, a passenger in your vehicle can consent to a search. Essentially anything that is shared between you and another person can be searched with the consent of the other person. It gets even worse! If for example you don't share your computer with your roommate but they could access it, then they can authorize its search too. The search must be limited to what they can access. What this means is that if you must share your computer, do it in a manner that they do not have access to your files. Operating systems intended for a single user should not be considered an option in these cases. Use the multiple-user features of Mac OS 9, use a UNIX operating system with different accounts, or use different profiles under Windows NT. Make sure that when you are done using your computer you log out, or employ a screensaver with a password.
If you give them your password, then they have a right to give it to whoever is conducting the search. Be aware also that operating systems like Windows NT and Windows 2000 may have a common cache for things like your web browser, and since it is accessible by others who use the same computer, it is fair game and admissible evidence. The best advice I can give is use encryption for everything all the time. If you can get away with it, encrypt your applications, their temporary directories, configuration files. The same techniques that you use for protecting yourself against break-ins such as proper registry permissions can help too.
Another reason to employ encryption (and when I say encryption I mean strong encryption - always use strong ciphers, not RC2-40-bit or DES - but IDEA, 3DES, or Blowfish) is incidental disclosure. If you have a laptop and it gets ripped off on the bus, at the airport, on the subway, at school, or wherever you may be, and they catch the thief - they can search your laptop! They cannot ask for your encryption keys, but anything that the thief could have read (which is everything contained on the laptop), they have the right to read. Now recite this mantra: "Encryption protects me, I will use it everywhere." This type of disclosure opens up a lot of scary questions. Just remember that as long as there are people, there will be people who abuse their power. A criminal investigator may use these circumstances to target you; not that I know of any specific case where this has happened, but it is still possible.
Anyone who is involved in security work knows that passwords, encryption, and physical locks can be overcome. But using these measures, even if you know they are not completely effective, is an absolute must. In the eyes of the law even the weakest encryption affords a level of legal protection regarding allowed access (look at the DMCA). If you took steps to disallow another person from accessing something, no matter how basic those steps are, that means that they did not have legitimate access to those items. If you store your computer in a closed cabinet with a lock and did not give the key to your roommate, they no longer have the right to authorize its access to anyone. Password protect everything, encrypt the most trivial items, use physical locks and keys, store your important removable media in an inexpensive fire-safe. These are all actions that deny access and protect your legal rights against warrantless searches. If you are the only person who has legitimate access to an item, then you are the only one who can release that item for search. But wait! This doesn't apply at work... read on!
There is much debate about expectation of privacy at your workplace. But a basic expectation you should have is - nothing you do, say, or are otherwise involved in at work is private. Don't use your email at work for anything private. Don't even send good ol' Mom a message saying hello. Get a free email account that uses SSL or other encryption if you plan on accessing it from work. Better yet, don't even access your private email at work. Your employer has the right to install cameras, listening devices, wiretaps, intercept and archive your email, watch what websites you visit, and even read your thoughts if they have the technology. The bottom line is keep your private life private. Your employer can, at their discretion, disclose this information to anyone they want.
Additionally, they can claim anything you do while on the job as their intellectual property. Don't even risk it. Keep anything you don't want them to know away from their grasp. Expect fully that if you commit a crime that involves computers that your employer will be the first place investigators will search. This is because you essentially have no rights to privacy and very few businesses would resist the will of public authority and deny them a search.
If you travel across borders, leave your laptop at home. Customs agents have the right to an unrestrained search of your belongings, including your data. They can even demand encryption keys, and you have to give them up. Remember that transporting strong encryption outside of the U.S. is considered to be export of munitions, and a federal offense. So even if your data is encrypted, that fact alone could be reason enough to forcibly detain you and even arrest you.
Exigent Circumstances: This is when investigators have reason to believe you might destroy evidence. Of all the laws on the books, this is one of the scariest. They don't need a warrant - they don't even have to knock on the door. They need only reasonable cause. They don't need evidence or a track record of you doing something like this in the past. They just need a reason to believe it. The intimidating part of this law is that it is up to the investigator, not a judge or district attorney, just the investigator. So if the officer has a hunch that you will try to destroy evidence by deleting files, encrypting data, or disposing of encryption keys once you are alerted to their presence, they have the right to deem a search exigent. Fortunately, because the law is vague, it is seldom used, but it is not unheard of. If you decide to put triggers on your systems that will automagically delete evidence, don't tell anyone about it, not even your friends. Bragging is the most common way people are deemed suspects for a crime and the most likely circumstance that investigators will use to decide you are at risk of destroying evidence.
Warrants
While the above warrantless searches are the most likely that you will be presented with, there is always the chance that a search warrant will be issued. While it can literally be a pain in the ass, it is better to be presented with a warranted search than a warrantless search. If you haven't committed a crime, then you should have reason to believe that the outcome will be in your favor. This is why a warranted search is better. The fact alone that a warrant has been issued means that a judge is involved and can be held accountable for wrongdoings in the legal process. But alas, if there are constraints in warrantless searches, there are even more in searches involving a warrant.
First, the process of how a search warrant is constructed. There are at minimum two documents that must be presented to a judge before he will issue a warrant. The first is an affidavit. This is the sworn testimony of the investigator(s) that shows probable cause for a search. It will name what information leads to the conclusion that a search is required, where that information was obtained, and the circumstances under which the investigator believes it relevant. The second is the actual warrant. It describes what is to be searched, what methods will be used, who will be present, where the searched items will be stored, the time frame in which it will be executed, and the overall goal of what is being sought. Search warrants are required to be specific. Once again, searching for evidence of a contraband item is different from searching for an actual contraband item.
No matter what happens, cooperate with the search. Resisting will only make your life difficult. If the warrant specifically states that equipment will be seized, it will have addenda stating exactly what will be seized, a description of what is to be seized, and what methods will be used to search. The investigators may opt to look through your computer on-site, but this is rather unlikely. If you have the ability, and the warrant does not authorize the seizure of video recording equipment, break out the camcorder and record what they do and say. This may be invaluable evidence in proving that an investigator overstepped the boundaries of a search warrant. It will also serve as a deterrent for them to overstep the warrant at all.
As a citizen you have certain unalienable rights. Use these rights to your advantage. Freedom of speech, attorney-client privilege, privacy of the clergy, freedom of the press, and, as a provider of network services, you have more rights than just a citizen by the nature of the rights of those who you provide services to. Let's examine how these issues provide obstacles to law enforcement officials who wish to obtain your shiny new computer.
Freedom of Speech and Freedom of the Press: You have the right to speak your mind and publish those thoughts. These are inalienable rights as a U.S. citizen. Take advantage of these rights. Coincidentally, the Internet happens to be the most available and affordable method to publish your thoughts. Whether it be your business promotions, or social commentary such as this article, use it! Update it on a regular basis and make sure it is always available. This is important because if it is never updated or only available when you are surfing the web, the court may dismiss what you have published as not actually being a publication because of it being only occasionally available. Replicate it and make sure that the machines are available as a web server as often as possible - use round-robin DNS to make sure traffic actually goes to all of the machines acting as a web server. Any machine that doesn't act as a server for the dissemination of the information should be used to create the information being disseminated. Keep your web design software, image editing software, word processor, and proof that they have been used in the creation of your intellectual property that you publish to the Internet on the machines. Are you curious why this is mentioned in an article on search and seizure? Well, you now have the same statutory protections that a newspaper has in regards to search warrants. By seizing tools you use to publish your opinions, they violate many of your rights. Your First Amendment right mostly. These factors will quite possibly cause a search warrant to become more limited in scope and add a likelihood of a time limit upon investigators when removing equipment from your premises. Of course, doing this does absolutely nothing for you if they find you have committed a crime! It will just make them angry, and most likely it will come up in court that you purposely tried to use constitutional privilege to prevent investigators from performing their duties.
Attorney-Client Privilege: Oh boy! This can make an investigator's life difficult. Investigators are required by law to respect documents that contain private attorney-client privileged information. Essentially they can't confiscate them, read them, use them against you, or disclose them to anyone. In case they believe they may inadvertently gain access to such information, they will have to have special exceptions written into the warrant and will have to use an uninterested third-party to assist in reviewing the information. If the third-party notes that it is privileged information, the investigators cannot use it. Now this brings up interesting consequences. What if the information being sought in the warrant they are executing is actually contained within these documents? I don't know what the outcome would be. I make no claim as to what the result of a legal battle involving steganography-hidden information in scanned images of privileged information would be, but I assure you it will be something played out in the courts in the future. In fact, I expect to see it played out in the media too!
Privacy of Clergy and Attorneys: There are special laws involved when law enforcement may search computers or records belonging to lawyers and clergy. If you share your computer systems with people in either of these occupations, investigators will have to get special approval in a search.
Service Providers: (Or, when sharing your computer is a good thing!) ISPs, phone companies, or anyone providing wire communications to anyone else immediately becomes regulated by the Electronic Communications Privacy Act (ECPA) and the procedures that investigators must use are different. While the folks you provide service to are afforded less privacy by this act (because searches of a third-party system do not require a warrant, only a subpoena), you are afforded more protections and even civil relief in the case of wrongdoing on the part of an investigator.
In short, by executing your rights and providing services to others which allow them to execute their rights you make the likelihood of losing your computers and equipment less likely (assuming that those you provide service for are law abiding as well). Here's a formula for making the seizure of your computer systems less likely. Make a deal with a small local law firm that you will provide them with free web hosting and email services in exchange for consultation of how to gain nonprofit status for your weekly/monthly/whatever Internet-based news publication (e-zine). Scan the documents that you used while conversing with your attorney and use steganography to hide the private keys you use for encryption within those privileged documents. Give away as many free email accounts to your friends and family as possible and encourage them to actively use the accounts. Host a website and email for a church. Make sure you take the time to show one of the clergy how to use email. Okay, maybe the last suggestion sounds kinda Brady Bunch'ish but it may be the motivation for a judge to deny a search warrant.
I'll go ahead and say it again despite recognizing that I sound like a broken record: None of this will help you if you have actually committed a crime. Don't use these methods to make investigators' lives more difficult when you are covering up a crime. It will reflect poorly on you when you receive sentencing. Besides, if you commit crimes you will most likely end up getting caught regardless of what you use your computers to accomplish.
Methods Available to Investigators
If you are being investigated for a crime, there is not a whole lot you can do until you get into a court of law. According to the law, investigators have a wide variety of techniques and are allowed to do quite a bit more than you may expect. Let's look at some of what they can do.
Instrumentality of Crime: If something is used during the committing of a crime, it is an instrument of crime. If you use a computer to break into another computer then the computer you used is an instrument of the crime. But wait - it doesn't stop there. The network you used, the router, the modem, anything that is connected or assists in the function of the system that is the instrument of the crime is considered an instrumentality as well. This can result in blanket seizures of equipment. Generally when searches are conducted against a business, investigators will not seize everything that could be considered an instrumentality. But expect everything computer-related in a search of a private residence to walk out the door. That's just the way it is and the courts support this practice. Once again, our federal government demonstrates that the rights of business are more important than those of individuals. Go figure.
No-knock Warrants: Not long ago a man was killed near where I live when the police executed a no-knock warrant at the wrong address. The man thought his home was being broken into and armed himself for defense. The police filled him with bullets. Aside from the fact that I believe this to be a blatant violation of the Fourth Amendment, it is dangerous. It puts the lives of law enforcement in danger and it especially puts the lives of innocent citizens at risk. These techniques cost lives, yet judges still approve them. But even scarier yet, in the case that the investigators believe that you may destroy evidence - they don't require a no-knock warrant. They can make the determination and just bust the door in without announcing who they are. The land of the free indeed!
Sneak and Peek: Welcome to the spy age. The government can't spy on the Soviet Communist regime anymore, so it has taken to practicing on its own citizens. Bugs, wiretaps, keystroke recorders, cameras, and other covert surveillance techniques previously reserved for national security are now legal and fair game in federal cases. Recently the FBI has used these techniques for capturing keystrokes for getting PGP keys. One such device (pictured) connects to the PS/2 port of a computer and looks fairly innocuous. This model is supposed to represent a ferrite coil which disperses electromagnetic fields. This "bug" only stores about 120,000 keystrokes but there are smaller devices that can store megabytes worth of keystrokes. My suggestion - if you find one of these on your system, take it apart and ensure it really is a ferrite coil. If it has anything resembling an integrated circuit inside, put it in the microwave for a few seconds and then throw it away.
Arm yourself with knowledge. Knowing the law helps us all from becoming victims of both crime and the illegitimate practice of law. Defend yourself. Most of all, if you decide to break the law, be prepared for the consequences. Our government no longer is willing to hand out little slaps on the wrist and you can expect to see more extreme measures involved in computer crime.