Criminal Justice Section  


Criminal Justice Magazine
Spring 2004
Volume 19 Number 1

Suppressing Evidence Gained by Government Surveillance of Computers

By James Adams

James Adams is the Ellis and Nelle Levitt Distinguished Professor of Law at Drake Law School in Des Moines, Iowa.

Less than two decades ago, few Americans were concerned about Fourth Amendment privacy issues involving what a person typed on a computer, either at home or at work. For most users, a computer was merely a vastly improved typewriter used for word processing. Today, however, the rapidly changing technology of creation, transmission, and storage of digitized personal communications and information has enormously increased the potential exposure of private information. Unfortunately, individual expectations of privacy that users can and should expect in computer-assisted conversations, communications, and data storage have not coalesced into a consistent and coherent voice.

The failure to identify collective reasonable expectations of privacy arises in part because of most computer users' lack of knowledge. Counterintuitively in this so-called Information Age, most computer users are not fully versed in how digital technology creates, stores, exchanges, or transmits information. Further, Americans are poorly informed about precisely what types of computer data and communications are subject to seizure, where in the data creation or communication process the information may be seized, and what computer programs are currently available to the government to gain access to computer data storage or transfers. The Fourth Amendment right to privacy and the principle of excluding improperly seized evidence depend on identifying reasonable societal expectations of privacy in computer data creation, transmission of conversations or other communications, and data storage. Without Fourth Amendment protection of the data seized, no evidence will be excluded from being introduced at trial unless a specific statute requires that exclusion when the statute is violated. Statutory exclusionary requirements, however, are limited in the arena of interception and other acquisition of computer transmissions and stored data. Thus, what kind of digital data gained by government surveillance can be used in court-and whether and how such information might be suppressed-remain unresolved questions that should be of interest to many Americans who believe many of their Internet transactions are basically private.

Reasonable expectations of privacy

Constitutional reasonable expectations of privacy require the individual to manifest a subjective expectation of privacy, and the expectation has to be one that society is willing to recognize as reasonable. Although computer information technology is rapidly changing, the U.S. Supreme Court's historical approach to reasonable expectations of privacy and the exclusionary rule, together with analogous applications to other forms of technology, likely will continue to provide the analytical framework for computer transmission and storage privacy protection.

In assessing reasonable expectations of privacy in the myriad of computer options for digital communication, courts are likely to draw parallels to their extensive privacy experience with 100 years of development of telephone communication technology. The primary polestar telephone communication cases are Katz v. United States, 389 U.S. 347 (1967), and Smith v. Maryland, 442 U.S. 735 (1979). In Katz, the Supreme Court precluded the uninvited ear of the government from wiretapping a telephone line and recording a conversation without a search warrant. At the other end of the scale, the Court in Smith permitted the government, without a search warrant, to decode the telephone numbers dialed from a specific telephone by use of a device called a pen register. The difficulty will come in applying the relatively clear lines of analysis in Katz and Smith to a substantially different technological process of communication, which may include attempts to intercept data during the transmission process or to acquire stored data-including e-mail, Web search contacts, and downloads-at a local area network, at an Internet service provider (ISP), or at a remote computing service.

In addition to drawing parallels to telephone technology, reasonable expectations of privacy in digital storage and communication will depend on a variety of other traditional factors, including whether the target computer is a personal or business computer and whether the target computer is in a home, in a less private dedicated business location, or in a wireless venue open to the public. Also to be resolved is whether the government may obtain any information-and if so, what kind-from an in-home or business computer by a nonphysical technological intrusion.

Computers for personal use

Generally, computers for personal use are kept in a residence or other structure in which the individual exhibits an expectation of privacy. Without regard to the computer or the information contained on its hard drive, the residence provides a strong measure of privacy. The weighty expectation of privacy in the home is clear and unlikely to change. Entry into the home to seize or search a computer hard drive requires a traditional search warrant based on probable cause, particularly describing the place to be searched and the items sought. Potential exclusion of evidence seized from a computer initially derives from assessing the validity of the warrant and the scope of the search within the warrant.

Although the warrant should particularly describe the items sought so that a reasonable police officer does not intrude on other protected privacy interests, the circumstances of many offenses may prevent the government from access to detailed descriptions of data sought on a computer. Nevertheless, sufficiently detailed warrants should include the nature of the suspected criminal activity, the appropriate time frame of that activity, and the subject matter of the class of documents or data sought. The warrant should provide necessary information that assists in identifying the appropriate data.

Merely because potential evidence is stored on the hard drive of a home computer does not grant the government carte blanche to search all data stored on the hard drive. Instead, the government must take reasonable measures such as use of keyword search programs to ensure the search discloses only the desired information and not other stored data. Computer specialists should be used not only to prevent unnecessarily broad searches but also to ensure a sufficient search for relevant concealed files. The leeway granted the government to search for concealed data is similar to that granted in Andresen v. Maryland, 427 U.S. 463 (1976), where government agents sought specific hard copy files. Reasonably trained agents were permitted to briefly examine other documents to determine if they were previously unknown evidence that could be used to prove the crime related to the specific item sought.

Court rulings do not obligate the searching officers to conduct the search in the home. The computer, hard drive, and any storage disks may be seized and examined at the police station, where the government has access to the equipment and expertise necessary whenever the examination is going to be lengthy and the speed and appropriate level of copying or removing seizable data can be more readily handled at the station. Although the computer itself may be perceived as merely a container of seizable evidence and therefore not subject to seizure, many courts treat the hardware as an instrumentality of the crime and deem it seizable on that basis. The suspect, however, may be without the computer for a substantial period of time. Where the computer is also used for business purposes in the home, the individual may be effectively put out of business. Courts require that the government justify the prolonged seizure of home computers containing both business and personal data by demonstrating that the criminal activity suspected permeates all levels of the individual's business and personal life. One option available in some circumstances is to copy all of the files on the seized computer and return the machine. At a minimum, the defendant should file a request for preservation of his or her property and for its prompt return.

Various means that may protect privacy

While a search warrant signed by a magistrate is the first level of protection from in-home intrusion to obtain computer information, that protection may be illusory. Unless the government search substantially exceeds the authorized intrusion, the "good faith" exception to the exclusionary rule may prevent exclusion of the seized evidence even if the warrant is invalid. Although labeled a good faith exception, once a search warrant is issued, the burden is on the defendant to demonstrate one of four levels of fairly extreme governmental bad faith before the courts will recognize the need to deter government misconduct.

As a second level of protection, to thwart government (or hacker) access to private communications or information, a person may attempt to delete the files. When a person creates or accepts data on a personal computer, the information is generally stored on the computer's hard drive. E-mails, both incoming and outgoing, also may be preserved. Once the person views an e-mail or a download, he or she may attempt to preserve the privacy of those communications by deleting the stored data by dragging files and e-mails to the computer trash icon. "Trashing" the data removes the material from visible storage folders on the desk top, basically removing the computer's map to the data, but it does not physically remove the items from the hard drive. The material remains on the hard drive and can be retrieved by programs created specifically to search computer hard drives for deleted material. Although remaining on the hard drive, deleted files eventually may be overwritten by new material. Formerly, once overwritten, the deleted files could not be recovered, but software programs now allow recovery of some or all of the overwritten material. As an example of the legitimate concern about the capacity of programs to recover data, the Federal Bureau of Investigation reportedly sandblasts hard drives prior to discarding them.

Installing encryption programs provides another privacy protection option. The government has long complained that some suspects encrypt data to prevent government access to the data. On several occasions, the U.S. Department of Justice has unsuccessfully sought legislative curbs on encryption programs, or at least government access to the "keys" to these programs. As an alternative, the government has used a computer program-a key logger system (KLS)-for obtaining passwords to encrypted files. In United States v. Scarfo, 180 F. Supp. 2d 572 (D.N.J. 2001), the government obtained a "sneak-and-peek" warrant to surreptitiously enter a business premises to install the KLS on a personal computer. Because the trial court ruled that information about the program was classified, details of the installation and operation of the government KLS are not available.

Long-distance government infiltration of computers

The government reputedly has developed another KLS called Magic Lantern that does not require physical entry into the premises or the target computer. Again, the government has not disclosed the exact nature of Magic Lantern, but it appears to be a virus-like program that can be e-mailed to a suspect, similar to the delivery of most other viruses. Magic Lantern may also be delivered by inducing the suspect to click on a Web link or through a breach in an operating system. Once the KLS burrows into the computer system, the program transmits the identification of keystrokes as they occur. As soon as the government obtains the password for the encryption program, the government can obtain a search warrant to enter the home to seize the files.

Use of Magic Lantern raises at least two significant privacy interests related to suppression of evidence: whether the KLS records data that the government is not entitled to seize and whether a warrant is needed for long-distance installation of a KLS via an e-mail virus. The KLS records all keystrokes and therefore can record any data typed on the keyboard. Computers, however, are often used to communicate with other computers through a modem. To avoid seizure of wire or electronic communications in violation of the wiretap statute, the court in Scarfo noted that the government configured the KLS to avoid searching data stored on the hard drive and to avoid recording e-mail keystrokes while any communication port of the modem was open. Defense counsel, although given a summary of the functioning of the KLS, was not able to fully test the government's good faith in restricting the search within the limits of the warrant because the methodology of the KLS was classified information. In addition, not all e-mail or other stored data are created with a port open, allowing that data to be captured by the KLS. Without access to information about the KLS, access to expert testimony about the system, and judicial oversight through knowledgeable and adversarial cross-examination of the persons involved in the evidence-gathering process, persons seeking suppression because the search violated a statute or exceeded its permissible scope are forced to rely on self-policing by the government. This lack of transparency always raises concern about the fairness of the evidence-gathering method.

The second issue is whether the government needs a warrant before attempting long-distance installation of Magic Lantern. In Kyllo v. United States, 533 U.S. 27 (2001), the Court offered search warrant protection from the government's use of an off-premises sophisticated technological intrusion-via a thermal imager-to disclose information about the activities in the interior of the home, activities not otherwise discoverable without physical entry into a protected area. Although no court has yet ruled on long-distance delivery, a court using Kyllo could determine that sending a virus or worm via e-mail into a home to seize information requires a search warrant. According to Kyllo, all details revealed about the interior of the home are intimate details safe from a nonwarrant intrusion. Detection of keystrokes, particularly those designed to encrypt data for further protection, likely falls within the details otherwise unknowable to the government absent a physical intrusion to surreptitiously install a KLS in the target computer's system.

The Court in Kyllo based the reasonable expectations of privacy on an intrusion into a home and provided protection only from sophisticated technology that is not in general use. Although computer viruses are common, the details of Magic Lantern are undisclosed for security reasons and therefore the government may not be able to demonstrate general use.

On the other hand, because individuals retain the choice about opening any e-mail, they may be considered to have assumed the risk of a virus when opening an e-mail from an unknown party. Assumption of the risk of a privacy breach also may apply if the sender is a "false friend" that the suspect permits to enter the computer and home through an e-mail enclosure. (See generally Hoffa v. United States, 385 U.S. 293 (1966).) Again, information on how Magic Lantern is used is not yet available.

A significant aspect in resolving the warrant requirement issue is whether the keystrokes are similar to dialing a telephone number in Smith v. Maryland, seizure of which did not require a probable cause warrant. A person dialing a telephone is aware that the number dialed is transmitted to the telephone company, a public entity, and records are made for business purposes of the telephone company. However, I suspect that treating password keystrokes as falling within the transactional approach is unlikely because the keystrokes necessary to open an encrypted file retained on one's hard drive are not disclosed to anyone or any entity in the public arena for business or any other purpose. Indeed, the password may be readily viewed as an integral part of the content of the encryption program and the encrypted document. A telephone number, however, is not content, generally only providing a possible linkage between the target and other persons.

Using laptops outside the home

Individuals also may use personal laptop computers outside the home. The computer retains an expectation of privacy as a personal container holding information the individual intends to keep private while outside the home. Seizure and search of the computer, absent an exception to the warrant clause, would require a warrant. An additional issue may arise from use of a laptop in public areas with an infrastructure of access points for wireless communication. Other laptop users within a diameter of approximately 300 feet around the access point may use the same access point. Anyone within that area may use a relatively low-cost "packet sniffer" to intercept other users' communications. Although the user can add security devices, wireless networks do not ensure privacy and are likely to carry a lesser expectation of privacy from government surveillance.

Computers for business use

A computer at a business location may contain digital information created by any individual with access to the business computer. Typically, a business computer will be in a network with other business computers. When a file is created on a business computer, the computer memory-that is, its short-term memory-on the local machine will store the file until the machine is shut down. When the local computer is shut down, the file likely will be transferred to and stored on the local network server, which serves as the system's long-term memory. The user may also direct that certain files be retained on the local computer's hard drive, another form of long-term memory.

Both the information on the local computer and the local server are accessible through a search warrant. The hard drive of the local machine may be searched for short-term memory (that is, data created since the user last logged off the system), for software programs stored on it, and other listed data that may be stored on it.

If local network storage is used, the server likely will store legitimate business data above and beyond the government's target data. Depending on the format of the local server storage, search of a local server involves substantial risk of disclosure of stored information created by other nontarget persons within the network. Each user, however, often has a specific file on the local server, accessible only to the creating user and the system administrator. Searching beyond the target's individual file in these circumstances would generally be beyond the scope of the warrant for the individual's records.

Password-protected files on a network may demonstrate an individual reasonable expectation of privacy even though the network administrator has some access to the file. The privacy expectation may be reduced or eliminated if the business notifies employees that business computers are not to be used for personal activity and that the business has a right of access to and will monitor all files stored on the network.

When investigating a business's criminal activity, the search warrant, if supporting information is available, should list specific identifiable files. In other circumstances, the warrant may authorize seizure of all business records. During an all-records search, individual files may be briefly viewed by the government to determine any nexus to the suspected criminal activity. When unrelated criminal activity is detected during a reasonable review of digital records, seizure of that evidence will be tested by the "plain view" doctrine: Were police lawfully in the location, did police have a lawful right to view the data, and was the data's incriminating nature immediately apparent? And, once again, an invalid search warrant may not result in exclusion of evidence because of the good faith exception to the exclusionary rule.

Electronic or wire communications from home or business computers

The government also may desire access to computer communications-for example, e-mail, Web site searches, and downloads-during the communication's transmission or later from off-site storage. By statute, Congress requires a wiretap order to intercept "the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." (18 U.S.C.A. § 2510(4) (emphasis added).) Courts interpret "interception" to refer to acquisition during the creation or transmission process. (See Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457 (5th Cir. 1994).) "Content" is defined as "any information concerning the substance, purport or meaning" of an intercepted communication. (18 U.S.C.A. § 2510(8).) If no content is sought, the government may intercept the information through the substantially lesser showing required for a pen register or trap-and-trace device, known colloquially as "pen/trap." If stored information is the goal, the wiretap statute does not apply because no interception is necessary.

Core issues

The critical issues in the battle over Internet communication privacy and exclusion of evidence will turn on the scope given to the definition of content, the existence of any expectation of privacy once the file is launched on the Internet, the location of any interception by the government, and whether the interception is wire or electronic. A wire communication includes an aural transfer-a transfer including a human voice-made through facilities using wire, cable, or similar connections. An electronic communication includes transfers of "signs, signals, writing, images, sounds, data or intelligence of any nature transmitted . . . by wire, radio, electromagnetic, photoelectronic or photooptical system . . . ." (18 U.S.C.A. §§ 2510(12).) Wire communications are specifically excluded from the definition of electronic communications. Fourth Amendment exclusion extends to all unlawful seizures, whereas statutory exclusion extends only to unlawfully seized wire communications. The basic questions are: Do citizens have a reasonable expectation of privacy in e-mail addresses, header files, subject lines or content, downloads, or Web search data? Is the text of an e-mail entitled to the same constitutional protection provided to traditional mail and telephone conversations? Should outcomes change when voice is added to e-mail communications? In answering those questions, the courts will look to a mix of Fourth Amendment rights and statutory rights.

In Katz, the Supreme Court ruled that persons have a Fourth Amendment reasonable expectation of privacy in telephone conversations. The words seized are "effects" within the ambit of the Fourth Amendment. Interception of telephone communications requires that the government obtain a search warrant. Congress further raised the privacy bar by imposing stricter statutory standards than those required under the warrant clause on interception of the contents of all wire, oral, or electronic communications. (18 U.S.C.A. §§ 2510 et seq. (Title III).)

The Internet communication process substantially differs from the telephone process. The Internet system relays e-mail as "packets," that is, data in a binary numbering system using zeros and ones, through mail servers in a process called "packet switching." Mail server programs review the address of the recipient and send the document on to other mail servers for delivery to the addressee. An ISP may host a mail server or may provide direct service to organizations that have mail servers. The packets can be "sniffed" by programs installed at a mail server for specific trigger words, names, locations, or other identifiers. Selected packets can be captured and may be stored by the mail server. Once captured and stored, the e-mail can be read, including the address, header file, subject line, length of the document, or content. In addition, local servers at each end of the transmission process often copy and store e-mail. An ISP also may store backup copies of transmitted e-mails. Storage by an ISP or local server facilitates review of backup tapes to maintain system stability, which may be compromised by a system going down, by fraudulent conduct, or by viruses transmitted through e-mail.

When a person uses a computer to conduct a Web search or to access a Web site, the request normally passes through several proxies, the computer equivalent of a middleman. Web servers that host the Web site will log the contact. The search engine and proxies also log the personal search and retain the information, including the subject of the search, the sender's Internet protocol (IP) address (the specific address of the originating computer), time, date sent, and any referrals (the entities that passed the request along). For instance, if a person conducts a Google search leading to a Yahoo!-served Web site, the Yahoo!-served Web site will know which search engine referred the request. The logs may be backed up and maintained indefinitely.

The Eighth Circuit Court of Appeals in United States v. Bach, 310 F.3d 1063 (8th Cir. 2002), had an opportunity to rule on reasonable expectations of privacy in stored e-mail communications. The court, however, chose to resolve the case on other grounds. Nonetheless, it offered the following comment on the potential lack of constitutional protection for the privacy of e-mail: "While it is clear to this court that Congress intended to create a statutory expectation of privacy in e-mail files, it is less clear that an analogous expectation of privacy derives from the Constitution." (Id. at 1066.)

E-mail versus snail mail: What are the differences?

The first question for persons seeking to suppress evidence should be the question left unanswered in Bach: Do e-mail files have constitutional protection during transmission or storage? Clearly, the content of traditional mail has been accorded constitutional privacy protection. People in a modern world, however, communicate extensively by e-mail, often in a virtual conversation format. As of yet, no reason exists to indicate that the modern custom of using e-mail instead of "snail mail" should change society's constitutional expectation of privacy in conversations and written communications between persons or entities. Use of a new communication technology should not waive privacy rights, just as moving from face-to-face conversations to use of mail or the telephone did not waive privacy rights in the document or a conversation.

Because e-mail is transmitted in digital code, interception prior to delivery requires a program similar in nature to a wiretap to translate the code into words. Therefore, use of e-mail does not, on its face, expose the content to any public entity. Merely because the digital e-mail can be translated into words does not differentiate the process from the phone company's recording of the conversational impulses and translating the impulses into sound. Recognition of constitutional protection for e-mail content also would mean the exclusionary rule would be applicable to nonwarrant seizures and the "fruits of the poisonous tree" doctrine would apply

On the other hand, e-mail users may be expected to know that e-mails are more durable than a conversation, and deleting an e-mail neither destroys nor removes the e-mail from the computer system. In contrast, paper correspondence can be destroyed by the recipient and conversations may be kept secret by the other party to the conversation. Even if constitutional protection is not extended to the content of e-mail, Congress intended to provide statutory privacy protection against interception of the content of e-mail. (See United States v. Bach, 310 F.3d 1063 (8th Cir. 2002).)

The content versus noncontent debate

Noncontent information, however, may not be protected. The Supreme Court in Smith v. Maryland permitted use of pen registers to decode telephone numbers dialed from a specific telephone. The pen register's opposite number, the trap-and-trace device, decodes the telephone number of any telephones used to dial into the suspect telephone. According to Smith v. Maryland, neither disclosed content. The pen/trap devices disclose only information knowingly passed to the public-the telephone company-with knowledge that the telephone company can and does record telephone numbers for its business purposes. The Court noted explicitly, however, what a pen register did not disclose:

Indeed, a law enforcement official could not even determine from the use of a pen register whether a communication existed. These devices do not hear sound. They disclose only the telephone numbers that have been dialed-a means of establishing communication. Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.

(442 U.S. at 741, quoting United States v. N.Y. Telephone Co., 434 U.S. 159, 167.)

When the Court in Smith ruled that no Fourth Amendment intrusion occurred, Congress responded with modest statutory protection against seizure of noncontent information by pen/trap devices. Congress, however, stopped far short of requiring the equivalent of probable cause. A pen/trap order will issue if the government certifies "that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation." (18 U.S.C.A. § 3122(b)(2).) The issuing magistrate's duty is ministerial, not the neutral and detached assessment of probable cause required by a court order to intercept.

The USA PATRIOT Act of 2001 expanded the use of pen/trap certifications from access to telephone numbers to include certifications for a device or "process"-translate that as software-that records or decodes "dialing, routing, addressing or signaling information transmitted by an instrument or facility . . ." (18 U.S.C.A. § 3127.) Although "dialing, routing, addressing or signaling" is undefined, routing and addressing information appears to reside in the header file of an e-mail. The header file contains the identification number of the computer from which the communication originated, all the servers through which the communication passed from sender to receiver, the date and time the originating computer sent the communication, the time the communication spent at each server in the transmission process, the subject line of the e-mail, and a message identification number.

To obtain computer dialing, routing, addressing, or signaling information, the government has used Carnivore, a "packet sniffer" tool attached at an ISP that can search for e-mail addresses, keywords, or IP addresses. (Carnivore was later renamed DCS 1000, one assumes because it sounds less menacing.) Dial-up users are randomly assigned IPs by their ISP. If, however, an order is served to obtain pen/trap data, the ISP will assign a static IP to the target to facilitate acquisition of the information. Establishing surveillance on an IP address means that all users of a specific computer are subject to the surveillance, not merely the suspected individual. The lack of selectivity is not unlike a pen register that records all telephone numbers dialed from the target phone regardless of who is dialing. Surveillance of incoming e-mail to a specific IP also is similar to a mail watch that checks the return addresses of incoming mail to a specific address. Again, both involve public disclosure of information to facilitate transfer of either e-mail or regular mail.

A telephone number allows the government to discover the name of the individual to whom the number is assigned. From that information, the government can discover the identity of other persons who may live at the address to which the number is assigned. But the number does not disclose which person the dialing party sought. An e-mail address may be equated to a dialed telephone number in the sense that the subscriber must disclose the address to the ISP, a public entity, for transmission of the document. An e-mail address provides the e-mail coded address of the user to whom the information is sent, but the address may be shared by more than one individual who uses the same computer. Nevertheless, both the telephone number and e-mail are links-but not dispositive links-in connecting one individual to another.

Even assuming an e-mail address is noncontent, just as a telephone number, some e-mail header information (such as the subject line and the size of the e-mail) provides information about the "substance, purport or meaning" of the electronic communication. Disclosure of interest by calling a library and asking for information on a specific topic is similar to disclosure on an e-mail subject line, or disclosure of Web sites visited or other information sought through an Internet search. Carnivore reportedly can be programmed to put X's in place of content. Although of limited value to the government, the X's can provide information about the length of the subject line and the length of the body of the file.

To avoid the possibility of the government's improper seizure of content, the government could rely on ISP packet sniffer programs used by ISPs to discover and track fraud or hackers inserting viruses and worms. Presumably, the court order could require the ISP to disclose to the government noncontent information similar to that derived from a government-installed pen/trap. Indeed, the USA PATRIOT Act encouraged ISPs to report any suspicious information gleaned from the ISPs' surveillance by providing that no cause of action shall lie against any ISP for providing information or facilities in accord with a court order. (18 U.S.C.A. § 3124 (d).)

Nonetheless, the government appears to prefer Carnivore, which it can configure to pick up both content and noncontent information. The federal statute requires a report to the issuing court when the government uses its own packet sniffer, including disclosure of the configuration of the device and any changes in configuration during use. Reportedly, however, the operator of Carnivore can change modes on the detection process without leaving any trace of the previous modes used. Again, without access to physical information about how Carnivore was configured, defense counsel must rely on self-policing by the government and thus is severely limited in establishing whether the government went beyond the limits of its certification.

Basically, the exclusion of any portion of an e-mail communication disclosed by a packet sniffer depends on demonstrating the seizure of content by the pen/trap. To succeed, the defendants may have to convince a court that interception of any information listed in Smith v. Maryland as not disclosed should be considered content, and that the item is content worthy of Fourth Amendment protection. Also, although a pen/trap seizure of content also violates 18 U.S.C.A. § 3121(c), the remedy for the statutory violation does not include exclusion of evidence. Further, as long as the e-mail is considered an electronic communication, the wiretap statute does not require exclusion. Under 18 U.S.C.A. § 2515, only unlawful interception of wire or oral communications results in exclusion.

Lawful interception of the content of wire or electronic communications requires a court order. The statute defines a wire communication as an "aural transfer." (18 U.S.C.A. §§ 2510(1) and (18).) Currently developing technology is expanding use of computer-digitized oral statements sent as packets through the Internet as opposed to over a telephone system. Adding voice to an e-mail changes the e-mail from an electronic communication to a wire communication under 18 U.S.C.A. § 2510(18), which defines "aural transfer" as a transfer containing a human voice at any point in the transfer. Also by definition, an electronic transfer specifically excludes wire communications. Presumably the Supreme Court will not retreat from the Katz grant of privacy to telephone conversations merely because the person making the statement uses a new technological format to send the voice. The distinction between voice and electronic transfer is important because failure to comply with wiretap guidelines results in exclusion only for interception of a wire communication.

Stored wire and electronic communications

Different rules apply when the wire or electronic communications are stored because access to stored communications is not considered interception. In addition, the USA PATRIOT Act removed stored wire communications from the wiretap Act and gave them the same status as stored electronic communications. The change had two major impacts. First, by merely waiting until a wire or electronic communication is in storage, no matter how briefly, the government may obtain the communication on a showing less demanding than that required for a wiretap order. Second, the exclusionary rule remedy for wiretap violations does not apply.

How digital storage works

Electronic storage includes any temporary storage of a wire or electronic communication incidental to transmission and any storage for backup protection. (18 U.S.C.A. § 2510(17).) When some mail server systems receive a communication for a subscriber, the server will briefly store the communication before notifying the subscriber. Depending on the mail system used, some mail servers, either a local server or an ISP, store the e-mail until read by the recipient, and the recipient deletes the communication. On other mail server systems, the document remains stored on the server only until opened by the recipient, resulting in a download of the document to the recipient's computer. Once the file is downloaded, the mail server will not store a copy unless requested by the subscriber or storage is part of the server's normal backup procedures. In addition, an e-mail may pass through numerous servers on its way to the subscriber. The e-mail header file lists all the servers through which the e-mail traveled as well as the duration at the server for virus scans or other processes. The delay may be minutes or hours. Therefore, virtually all e-mail is stored temporarily at several points incidental to transmission.

Storage for backup protection may be undertaken by the mail server for its own business purposes. The mail server may maintain the backup files on parallel systems to avoid loss of the stored documents if one system fails. The contracts most users have with mail servers indicate that documents may be stored and searched for business purposes of the server.

Government access to stored files

The basis for government access to the content of stored e-mail depends on how long the communication has been stored and the facility in which the communication is stored. When the wire or electronic communication has been in storage by an electronic communications service provider for 180 days or less, the government may demand access only through a search warrant complying with the Federal Rules of Criminal Procedure. A warrant issued by any court with jurisdiction over the offense is valid nationwide. Although the warrant must comply with the Federal Rules of Criminal Procedure, the statute does not also require exclusion of the evidence if the warrant is later determined to be unsupported by probable cause. The exclusive remedy for violation of the statute is a civil penalty.

In addition to the described temporary storage or backup storage by a provider, the government may request that the service provider create backup records of specified communications. The government's request of the service provider may be by subpoena or court order. In either case, the subscriber is not notified of the preservation of the communication until three days after the provider certifies to the government that the communication is preserved. (18 U.S.C.A. § 2704.) The provider does not deliver the communication to the government until the subscriber has had an opportunity to contest the court order or subpoena after notification. However, the primary test of the legitimacy of the court order or subpoena is whether there is reason to believe the communications are relevant to a legitimate law enforcement inquiry. Clearly, probable cause is not required to seize the documents.

For communications in storage in a "remote computing service" and for communications stored for more than 180 days by an "electronic communications system" (18 U.S.C.A. § 2510(14)), the government can gain access in several ways: (1) a probable cause search warrant complying with the Federal Rules of Criminal Procedure without notice to the subscriber; (2) an administrative subpoena authorized by federal or state statute or a federal or state grand jury or trial subpoena with prior notice to the subscriber; or (3) a court order, based on identified "reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." (18 U.S.C.A. § 2703(d).) The court order also requires prior notice to the subscriber. The latter two options do not require probable cause as a prerequisite, and any violation of the statute in obtaining the information would not cause exclusion of the evidence obtained.

What is stored content?

The federal statute also differentiates between content, which appears to be the body of the communication, and the records and information about the subscriber held by the electronic communication service or a remote computing service. (18 U.S.C.A. § 2703.) The accessible records and information include the subscriber's name, address, local and long-distance telephone connection records, records of session times and duration, length of subscriber service (including the start date and types of service), telephone or instrument number or identifying numbers (including temporarily assigned network numbers), and the means and source of payment for the services. The government can obtain the information by a warrant complying with the Federal Rules of Criminal Procedure, by a court order revealing articulated reasons to believe the information is relevant to an ongoing investigation, or by a statutorily authorized subpoena or grand jury or trial subpoena. No notice need be given to the subscriber. Should the foregoing information be considered content? Some, such as name, address, telephone, or IP number, are likely within the noncontent analysis of Smith v. Maryland. The Court in Smith, however, noted that a pen register does not record that a communication occurred. Records of searches, session times, and duration on a computer do provide that information and thus might be considered content.

Where to from here?

In response to computer communication privacy claims, the Supreme Court can try to fit the new computer and information technology pegs into the old telephone technology holes or the Court can reconceptualize the meaning of privacy in computer creation, transfer, and storage of information. By utilizing concepts from Smith v. Maryland giving great weight to public exposure of information, the Court could constrict expectations of a culture accustomed to relatively free private discussions. This seems to run counter to the idea that the United States is to some extent built on the concept that speech should be protected and encouraged. Even though protection and encouragement do not necessarily mean privacy, a society living in fear that the government can somewhat easily conduct computer surveillance for conversation and communication content would be discouraged from freely communicating.

On the other hand, the Court could focus on the broader concepts reflected in Kyllo v. United States and Minnesota v. Olson, 495 U.S. 91 (1990). Although both cases involved home intrusions, in Kyllo, the Court indicated that privacy should not be at the mercy of advancing technology that possesses the "power to shrink the realm of guaranteed privacy." (533 U.S. at 34.) In Olson, the Court recognized an overnight guest's reasonable expectation of privacy by pointing out that long-standing social customs serve valuable societal functions. The social custom of privacy of telephone conversations and the mail, privacy that easily could be compromised during transmission, should not change merely because the manner of transmission has changed from the written word to a digitized data flow.

Ultimately, a major factor in the test of privacy rights will be the Supreme Court's willingness to enforce government restraint through the exclusionary rule mechanism. The negative effect of exclusion of reliable evidence certainly appears to have influenced determinations of what is reasonable under the Court's Fourth Amendment balancing process. In that process, individual rights to security in the home, mail, and conversations may be counterbalanced by the Supreme Court's increasingly heavy weighting of society's need for seizure of evidence.

Putting Computer Experts to Use Regardless of statutory and constitutional guidelines on computer surveillance, the prosecution and the defense are likely to each need an expert to get through the computer data minefield. Enforcement of individual privacy rights on one hand and reasonable societal access to information on the other may revolve around the quality of experts available to the parties and access to the programs used to assist in the data-gathering process. Having experts for both parties provides three distinct advantages. The experts educate judges about computer search programs, protect and explain legitimate government access to computer data, and protect and explain individual privacy interests. Indeed, the U.S. Department of Justice (DOJ) search and seizure guidelines recommend that investigators and prosecutors include computer specialists in the investigation, warrant acquisition process, and execution of the warrant to ensure compliance with Fourth Amendment guidelines. (See The DOJ guidelines also suggest actions to be taken to avoid exclusion of evidence, all of which provide defense lines of inquiry for protecting privacy rights. Among the issues covered are: (1) ?The expert should provide guidance to investigators about computer search strategies and technical limitations in obtaining the desired information. (2) ?The government can avoid an overly broad warrant through a computer expert's assistance in particularly describing the information sought and, where appropriate, the relevant dates of the material sought. The warrant may then include the search strategy, such as the use of a keyword search or other specific search engine, to obtain the relevant information without invading irrelevant private files. (3) ?Whether executing a search warrant or obtaining information through a nonwarrant process such as a pen/trap, the government expert can ensure that the search execution minimizes intrusions to the items particularly described in the warrant or avoids content seizure through a pen/trap. (4) ?The search team should strictly keep records to allow monitoring the scope of the search to validate appropriate duration and minimization of the intrusion. The expert or the search program should record the scope, timing, and duration of all search methods. Record-keeping can be enhanced by use of available software programs that automatically include an audit log showing operator entries, dates, and times. (5) ?The government should preserve all files seized or copied, either as a mirror image or through other processes, so the defense expert can replicate the scope of the search or any possible impermissible seizure of content. One goal will be to demonstrate that seized files have not been altered. (6) ?The defense expert should seek access to the search programs used by the government to test the capability of the program to do what the government claims and to determine if the program could go beyond the search claimed by the government. Classification of some search programs as secret under the Classified Information Procedures Act (18 U.S.C. Appendix III) effectively prevents the defense expert from fully challenging the scope of some searches. (United States v. Scarfo, 180 F. Supp. 2d 572 (D.N.J. 2001).) (7) ?Federal Rule of Evidence 702 authorizes admission of "scientific, technical or other specialized knowledge [that] will assist the trier of fact to understand the evidence or to determine a fact in issue." Litigants are not likely to assert that computer technology does not fall within scientific, technical, or other specialized knowledge. Nevertheless, as with any person proffered as an expert in a specific field, the expert witness will have to demonstrate the witness's education, training, or experience that provides relevant expertise in use and application of the programs used in the search process. One example would be the qualifications of the offered expert to detect whether seized child pornography was digitally created. The relevant expertise should include not only knowledge of the specific program applied but also related alternative programs that could target the desired material without intrusion into nontarget information. Litigants also may look for experts who have completed one of several certification programs, such as a Microsoft certified systems engineer program. Other noncertification courses exist to cover numerous computer- related subjects such as server-operated systems, network infrastructure, and network security. -James Adams

Return to Table of Contents - Spring 2004

Return to Criminal Justice magazine home page