Know Your Limits

When an intrusion is detected, you must know to what lengths you can go to minimize the damage and also whether you can seize property. For example, let’s say that you have determined that an employee has installed hacking tools on your network and he has hacked into a business partner’s network. He then proceeded to steal passwords. Can you search his computer for evidence without a warrant? What about that UFD he carries on his keychain? Is that a work-related item or a personal item? These are the types of questions you’ll need to answer before you act.

Legal Organizational Rights and Limits

Employers can be either public or private. This distinction is important because government employers are bound by the Fourth Amendment, as discussed in the next section. Not everything that passes through a business door can be considered part of the workplace. For example, the contents of an employee’s purse or briefcase maintain their private character even though an employee brings them to work. Although circumstances might permit a supervisor to search an employee’s desk for a work-related file, a supervisor must usually leave an employee’s purse or briefcase alone.

When confronted with this issue, courts have analogized electronic storage devices to closed containers, and they have reasoned that accessing the information stored within an electronic storage device is akin to opening a closed container. Because individuals generally retain a reasonable expectation of privacy for the contents of closed containers, they also generally retain a reasonable expectation of privacy for data held within electronic storage devices.

Here are some cases to which you can refer for guidance:

  • United States v. Ross, 456 U.S. 798, 822–23 (1982)
  • United States v. Barth, 26 F. Supp. 2d 929, 936–37 (W.D. Tex. 1998)
  • United States v. Reyes, 922 F. Supp. 818, 832–33 (S.D.N.Y. 1996)
  • United States v. Lynch, 908 F. Supp. 284, 287 (D.V.I. 1995)
  • United States v. Chan, 830 F. Supp. 531, 535 (N.D. Cal. 1993)
  • United States v. Blas, 1990 WL 265179, at *21 (E.D. Wis. Dec. 4, 1990)

This analysis has interesting implications for items such as UFDs or external USB drives, which can be either work-related or private, depending on the circumstances. It is probably reasonable for employers to assume that UFDs found at an office are part of the workplace, but a court could treat a UFD that belongs to an employee as if it were a private, personal item.

Generally speaking, an employer may consent to a search of an employee’s computer and peripherals if the employer has common authority over the equipment. There are currently no cases specifically addressing an employer’s consent to search and seize an employee’s computer and related items. However, cases exist that discuss searches of an employee’s designated work area or desk.

In an electronic environment, employees do not know when a network administrator, supervisor, or anyone else accesses their data. As a practical matter, system administrators can, and sometimes do, look at data. But when they do, they leave no physical clues that would tell a user they have opened one of his files. Some users who are unfamiliar with computer technology may believe that their data is completely private. If an organization has published clear policies about privacy on the network, this effort would support the position that the user has granted implied consent to a search by working there under such a policy. However, if an organization or administration has not addressed these issues with its users and the situation remains ambiguous, the safest course is to obtain and exercise a warrant.

Search and Seizure Guidelines

The Fourth Amendment limits the ability of government agents to search for evidence without a warrant. It states: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

A warrantless search does not violate the Fourth Amendment if one of two conditions is met. Accordingly, investigators must consider two issues when asking if a government search of a computer requires a warrant:

1. Does the search violate a reasonable expectation of privacy?

2. If so, is the search nonetheless reasonable because it falls within an exception to the warrant requirement?

The most basic Fourth Amendment question in computer cases asks whether an individual enjoys a reasonable expectation of privacy in electronic information stored within computers or other electronic storage devices under that individual’s control. For example, do individuals have a reasonable expectation of privacy in the contents of their laptop computers, floppy disks, or pagers? If the answer is yes, the government ordinarily must obtain a warrant before it accesses the information stored inside. A search is constitutional if it does not violate a person’s “reasonable” or “legitimate” expectation of privacy [Katz v. United States, 389 U.S. 347, 362 (1967) (Harlan, J., concurring)]. In most cases, the analysis focuses on whether the defendant’s expectation of privacy was reasonable.

Recognizing that government agencies could not function properly if supervisors had to establish probable cause and obtain a warrant every time they needed to look for a file in an employee’s office, in O’Connor v. Ortega, 480 U.S. 709 (1987), the Supreme Court held that two kinds of searches are exempt. Specifically, both (1) a non-investigatory, work-related intrusion and (2) an investigatory search for evidence of suspected work-related employee misfeasance are permissible without a warrant and should be judged by the standard of reasonableness (Id. at 725–26). These exemptions are stated under the Federal Guidelines for Searching and Seizing Computers. Access that document at http://www.knock-knock.com/federal_guidelines.htm.

Agents must evaluate whether a public employee retains a reasonable expectation of privacy in the workplace on a case-by-case basis, but written employment policies can simplify this task dramatically. See O’Connor v. Ortega, 480 U.S. 709 at 717 (plurality). Courts have uniformly deferred to public employers’ official policies that expressly authorize access to the employee’s workspace, and they have relied on such policies when ruling that an employee cannot retain a reasonable expectation of privacy in the workplace. See the following cases:

  • American Postal Workers Union, Columbus Area Local AFL-CIO v. United States Postal Serv., 871 F.2d 556, 59–61 (6th Cir. 1989)
  • United States v. Bunkers, 521 F.2d 1217, 1219–21 (9th Cir. 1975)

When planning to search a government computer in a government workplace, agents must look for official employment policies or “banners” to defeat a reasonable expectation of privacy.

Will This End Up in Court?

In the event that an incident is sufficiently serious, and the organizational policy is to prosecute, an investigation could end up in court. Courts require that information contained in the equipment (and not the equipment itself) be seized and that ample, unaltered information be presented in each case. Court compliance could require cooperative efforts between law enforcement officers and a computer forensic examiner to make sure that technical resources suffice to address both the scope and complexity of a search.

Computer forensic examiners can help prosecute a case with advice about how to present computer-related evidence in court. They can help prepare a case and anticipate and rebut defense claims. In addition, forensic examiners can assist prosecutors in complying with federal rules pertaining to expert witnesses. Under these rules, the government must provide, upon request, a written summary of expert testimony that it intends to use during its case. There is a reciprocal requirement for a summary of defense expert-witness testimony, as long as the defense has requested a summary from the government, and the government has complied.

Should this situation arise, make sure all evidence is processed properly. Good laboratory practices ensure the quality and integrity of evidence by dictating how examinations are planned, performed, monitored, recorded, and reported. Unless you work for law enforcement, you probably don’t have a lab to process evidence; however, most large organizations do have a specially trained team to identify and collect evidence for any incidents that arise.

Often incidents occur that aren’t actually crimes and require only internal investigation. The same specially trained team conducts those investigations and is also aware of what constitutes a crime that would require law enforcement involvement. Let’s take a closer look at how such a team should be organized and how it works.
