Reasonable Expectation of Privacy

What exactly is a “reasonable expectation of privacy”? That's a great question with no easy answer. There is no clear cut rule or test that would help us define it. Much of the interpretation centers on what society as a whole would consider as being reasonable. For example, a person would reasonably have a greater expectation of privacy on their personal computer than they would at a public library. As a rule of thumb, you can consider the computer as a closed container. If the officer lacks the authority to open a desk drawer or box, then the same would be true with a computer (Executive Office for United States Attorneys, 2009).

If the person has a reasonable expectation of privacy, then the government must first obtain a search warrant, or the search would have to meet one of the documented exceptions to the warrant requirement.

What about individual files? Should they be seen as separate, closed containers? It seems that courts aren't sure either. Rulings have been handed down supporting both positions. In (United States v. Slanina, 2002), the Fifth Circuit ruled that when a proper search is conducted on a portion of a disk, defendants no longer have a reasonable expectation of privacy in regards to other files.

In contrast, the Tenth Circuit took the opposite stance saying “[b]ecause computers can hold so much information touching on many different areas of a person's life, there is greater potential for the ‘intermingling’ of documents and a consequent invasion of privacy when police execute a search for evidence on a computer” (United States v. Walser, 2001).

Information that an individual knowingly exposes to others is not protected by the Fourth Amendment. Examples here could include public computers such as those in a classroom or “shared drives” on a network (Executive Office for United States Attorneys, 2009).

Private Searches

Private searches are not afforded Fourth Amendment protection unless the search is done at the request of the government or with their knowledge or involvement. Take the Geek Squad at Best Buy, for example. Let's say that someone gives them permission to work on their home computer and in the process they find child pornography images on their machine. The images found by the repair technician would be admissible as long as they were not searching at the request of the government, thereby acting as their agent.

E-mail

By and large, an individual maintains their Fourth Amendment protections when an e-mail is being transmitted, but would lose those protections when it reaches its final destination. E-mail is viewed in a similar fashion as regular “snail mail.” The legal interception of an individual's e-mail or other electronic communication is something that is tightly controlled. Known as the Wiretap Act, Title III of the Omnibus Crime Control and Safe Streets Act of 1968 prohibits unauthorized monitoring and lists the procedures needed to obtain a warrant for wiretapping (U.S. Department of Justice, Office of Justice Programs, 2010).

The Electronic Communications Privacy Act (ECPA)

The purpose of the ECPA was to ban a third party from intercepting and/or disclosing electronic communication without prior authorization. This federal statute was passed originally in 1968 as an amendment to the Wiretap Act of 1968. The ECPA underwent its first change in 1994 when it was amended by the Communications Assistance to Law Enforcement Act, also known as CALEA. It was modified once again after the 9/11 attacks by the USA Patriot Act. The Patriot Act was authorized again in 2006 (TechTarget, 2005).

Exceptions to the Search Warrant Requirement

There are several well-known exceptions to the search warrant requirement. A warrantless search is valid with consent as long as the person giving the consent is authorized and the consent is truly voluntary. The voluntariness of the consent is judged on the totality of the circumstances. The Supreme Court recognized age, education, intelligence, and the physical and mental condition of the person giving consent as important factors to consider. Other considerations would be whether the person was under arrest at the time of consent and whether the person had been advised of his right to refuse consent. If the validity of the search relies on consent, the burden is on the government to prove it was indeed given voluntarily.

Consent may be revoked at anytime. The search must cease immediately when the consent is withdrawn. So what happens if the suspect has second thoughts after his computer has been collected and taken to the lab for processing? The same standard applies (almost). The search must stop when they revoke their consent. That said, courts have said that this does NOT apply to forensic clones. In other words, although the original must be returned, any clones that have been made do not. Defendants do not have a reasonable expectation of privacy with a forensic clone (United States v. Megahed, 2009). For this very reason, cloning a drive sooner rather than later is a very wise move.

The scope of a consent search is sometimes at issue in a criminal case. If they give you consent to search the house, does that include closed containers and computers? Well, that depends on the particular details of the situation. Courts will again apply the “reasonableness” standard in making a determination. What would a reasonable person have understood the scope to be under those conditions?

The party granting consent may set forth restrictions on the search. Should that be the case, officers must abide with this request. To do otherwise could very well result in the suppression of any evidence recovered.

In the end, it's important to remember that consent searches can be highly nuanced and heavily dependent on the facts or circumstances that arise during that specific incident. While searching without a warrant is sometimes a necessity, the best practice is to get a search warrant whenever possible. Your case will rest on much more solid ground with a warrant than without.

Third parties can sometimes consent to the search of private property. Roommates, spouses, and parents are just a few of the examples. Normally, if a device is shared, all parties have the authority to provide consent to search its common areas. In this situation, none of them would have a reasonable expectation of privacy in the common areas since it's shared with other people. The notion of common areas is significant. Areas such as those that are password protected would not qualify as a common area. The third party would likely not have the authority to consent to its search. However, if the suspect has shared the password with the third party, then this constraint no longer applies. The suspect's reasonable expectation of privacy has been greatly diminished.

It's foreseeable that in the end, the third party in question really didn't have the authority to consent. This is not necessarily a deal breaker as far as the admissibility is concerned. Officers in the field can only do what a reasonable person would do when determining a third party's legal ability to provide consent. If the suspect is present at the scene, a third party is not permitted to grant consent.

Spouses, under normal circumstances, can consent to the search of common areas. Parents may or may not be able to provide consent to search a child's property. If the child in question is less than eighteen years of age, parents are generally permitted to give consent. If the child is over eighteen, then it gets a bit more complicated. Factors that will impact this determination include the child's age, whether or not they pay rent, and what steps (if any) they have taken to restrict access.

Technicians are often in the position of uncovering evidence during the course of their work. The courts have been split when deciding if the technician has the authority to consent. Officers may recreate the technician's search or observe them retrace their steps. They may not, however, expand the technician's search or direct them to look deeper. Should a technician locate evidence, their findings are normally used as the basis for a search warrant.

Exigent circumstances arise from time to time requiring the immediate seizure and possible search of a digital device. This is generally permitted under one of these three conditions: the evidence is under immanent threat of destruction, a threat puts law enforcement or the public in general in danger, and when the suspect is expected to escape before a search warrant can be acquired. This exception may apply to the seizure of an item or device, but not automatically the search of it. Once the item has been seized (secured), the exigency may no longer exist, thus requiring a search warrant to continue.

Officers have the right to charge suspects with evidence they see if they are legally permitted to be where they are, and if the item is immediately apparent to be incriminating. This is known as the plain view doctrine. This situation typically arises in a digital forensic context when an examiner is analyzing a drive for evidence of one crime and finds evidence of a completely different one. For instance, an examiner searching a hard drive for photos of stolen artwork comes across images of child pornography. At this juncture, the search should cease until a separate warrant pertaining to the possession of child pornography can be obtained.

Border searches and searches by probation and parole officers are afforded much more latitude than those conducted by police officers. From the court's perspective, individuals entering the country can be searched with probable cause or even reasonable suspicion. The court recognizes the government's need to secure the border from contraband and like material. Those individuals on probation or parole have less of an expectation of privacy than other citizens. For example, sex offenders may be prohibited from using the Internet during their supervised release. This stipulation would permit the parole or probation officer the authority to search the offender's computer at any time to ensure compliance. There is even some case law permitting this type of search without these specific conditions in place.

Employees in the workplace may or may not possess a reasonable expectation of privacy on their work computers. This expectation will vary depending on the facts including whether or not the employee is a government employee. Normally, officers can search an employee's computer without a warrant if the employer or another coworker (with shared authority) gives permission. Government employees are looked at a bit differently. That's not to say that employers can't search the employee's system; it just means that the search must be “work-related, justified at their inception, and permissible in scope” (Executive Office for United States Attorneys, 2009).

Seize the Hardware or Just the Information?

We know from the Fourth Amendment that a search warrant must “particularly describe the place to be searched and the person or things to be seized.” To effectively meet that requirement, we first need to understand what precisely we need to seize. In short, is it the hardware or the information held by the hardware? If the computer is contraband, evidence, or fruits or instrumentalities of a crime, then we need to establish probable cause to seize the hardware. Otherwise, our focus is on the information alone.

Particularity

Courts frown heavily on overly broad affidavits that lack the particularity mandated by the Fourth Amendment. Affidavits should make it clear what items can be seized and what can't. “Particularly” describing things that you likely have never seen may seem like an impossible task. It's really not. Serial numbers and the like are not required.

Here is some sample language that could be used:

“Any and all personal computer(s)/computing system(s) located at the residence of (INSERT ADDRESS HERE), to include input and output devices, electronic storage media, computer tapes, scanners, disks, diskettes, optical storage devices, printers, monitors, central processing units, and all associated storage media for electronic data, together with all other computer-related operating equipment and materials.”

Describing the information can be done in a somewhat similar fashion. Although we probably don't know the file names, for example, it's quite possible that we would know the suspect's name, the time period, and the specific crime that's being investigated. The courts are looking for some type of limiting language. Asking for “any and all files” on a suspect's hard drive stands a very good chance of being deemed overly broad, resulting in the suppression of any evidence found.

Establishing Need for Off-Site Analysis

The forensic analysis of a hard drive can be a very time-consuming process. For a variety of reasons, this is best done at the lab or police station. For all intents and purposes, doing this at the scene contemporaneously with the search should not be the first option. As such, the search warrant affidavit should spell out in clear terms the logic and need for this practice. Reasons can include the amount of time and data involved and potential use of antiforensic techniques as well as the need to perform this task under the more controlled conditions (like those found in the lab). This is one way to make this point in an affidavit:

“Computer storage devices (like hard disks or CD-ROMs) can store the equivalent of millions of pages of information. Additionally, a suspect may try to conceal criminal evidence; he or she might store it in random order with deceptive file names. This may require searching authorities to peruse all the stored data to determine which particular files are evidence or instrumentalities of crime. This sorting process can take weeks or months, depending on the volume of data stored, and it would be impractical and invasive to attempt this kind of data search on-site.

Technical requirements. Searching computer systems for criminal evidence sometimes requires highly technical processes requiring expert skill and properly controlled environment. The vast array of computer hardware and software available requires even computer experts to specialize in some systems and applications, so it is difficult to know before a search which expert is qualified to analyze the system and its data. In any event, however, data search processes are exacting scientific procedures designed to protect the integrity of the evidence and to recover even “hidden,” erased, compressed, password- protected, or encrypted files. Because computer evidence is vulnerable to inadvertent or intentional modification or destruction (both from external sources or from destructive code imbedded in the system as a “booby trap”), a controlled environment may be necessary to complete an accurate analysis.” (Executive Office for United States Attorneys, 2009)

Stored Communications Act

The Stored Communications Act (SCA), enacted in 1986, provides statutory privacy protection for customers of network service providers. The SCA controls how the government can access stored account information from entities such as Internet Service Providers (ISPs). This account information typically includes e-mail as well as subscriber and billing information. Specifically, the SCA lays out the process state and federal law enforcement officers must adhere to in order to force disclosure of these records by the provider.

The SCA seeks to codify the type of information sought, the privacy expectations associated with it, and the legal instrument required for the government to access it. The SCA breaks down service providers into two separate and distinct groups: “electronic communication service” providers and those organizations that provide “remote computing services.” Understanding these differences is essential to deciphering the SCA and its legal requirements.

According to the SCA, specifically 18 U.S.C. § 2510(15), an electronic communication service (ECS) provider is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” ECS examples would include companies that deliver telephone and e-mail services (Executive Office for United States Attorneys, 2009). America Online comes to mind, as does Hotmail. It may surprise you to know that any company, no matter what its focus, can qualify as an ECS.

Title 18 U.S.C.§ 2711(2) defines a remote computing service (RCS) as “the provision to the public of computer storage or processing services by means of an electronic communications system.” Put another way, an RCS is provided by an “off-site computer that stores or processes data for a customer” (Executive Office for United States Attorneys, 2009).

The SCA also addresses the variety of information these providers store. This can include basic subscriber information like name, address, and credit card number. Other potential information includes logs and opened, unopened, draft, and sent e-mails.

Duty to Preserve

Evidence that was once confined to paper memos and filing cabinets is now found in Microsoft Word documents and back-up tapes. Digital evidence is significantly different from the paper-based evidence so many lawyers were accustomed to dealing with. For example, digital evidence is far more volatile and easier to alter or destroy. Volume is another key difference. There can be such a mind-boggling amount of data in a case that it can cost millions of dollars just to produce and review them.

In December 2006, the federal courts took the first substantive step in addressing and dealing with digital evidence, changing the Rules of Civil Procedure. These rule changes mandate that opposing attorneys work together to deal with the electronically stored information (ESI) in the case very early in the process. Addressing ESI early in a case reduces costs, time, and the chance of relevant evidence being overlooked. Not all lawyers and judges have embraced these changes. Like many folks, some lawyers and judges are very uncomfortable with technology, even going as far as to have someone else check and then print their e-mail.

Zubalake v. USB Warburg was a series of landmark electronic discovery cases. Judge Shira Scheindlin's rulings addressed many of the fundamental concerns in cases that involve ESI. Some of the concerns included the duty to preserve electronic data, a lawyer's duty to oversee their client's compliance with these guidelines, data sampling, cost shifting, and sanctions.

The duty to preserve potentially relevant data begins when there is a “reasonable anticipation of litigation.” Failing to recognize this trigger and take action can result in spoliation of the evidence and potentially severe sanctions to boot. Like other legal standards addressed in this chapter, defining a reasonable anticipation of litigation can be difficult, quite difficult in fact. The duty to preserve is not just caused by the arrival of a subpoena. It's very likely that the duty kicked in well before that time. It's a very fact-specific determination that will vary from case to case. The firing of a disgruntled employee could be enough to trigger it; likewise, so could an accusation of sexual harassment by an employee against his or her supervisor.

Judge Scheindlin also addressed a lawyer's duty to oversee their client's attempts to identify, preserve, collect, and produce potentially relevant evidence. She said, in part, “[c]ounsel must take affirmative steps to monitor compliance so that all sources of discoverable information are identified and searched.” Furthermore, she said that attorneys should draft and distribute a “litigation hold” that directs a company and its employees to protect the relevant data and ensure they're not destroyed or compromised in any way.

Data sampling is a way to test a large collection of ESI for the “existence or frequency of relevant information” (Sedona Conference, 2007). The volume of potentially relevant data can be staggering, especially in a large corporate environment. Data sampling is one of the best ways to save time and reduce costs during the eDiscovery process.

The costs incurred during the eDiscovery process can be massive, rising into hundreds of thousands or even millions of dollars. Typically, in traditional discovery, the producing party bears the cost of production. Under certain conditions, the costs of production may be shifted to the requesting party. In the Zubalake case, Judge Scheindlin addressed this concern and devised a seven-factor test to be used to determine if cost shifting is warranted.

The seven factors are “(1) the extent to which the request is specifically tailored to discover relevant information; (2) the availability of such information from other sources; (3) the total cost of production compared to the amount in controversy; (4) the total cost of production compared to the resources available to each party; (5) the relative ability of each party to control costs and its incentive to do so; (6) the importance of the issue at stake in the litigation and; (7) the relative benefits to the parties of obtaining the information” (Zubulake v. UBS Warburg, 2003).

Private Searches in the Workplace

It's not uncommon for work computers to be the subject of a search for criminal, civil, or administrative actions. From the private side, employers have a fair bit of latitude to search an individual's company computer. A company computer use policy that clearly spells out that work computers, e-mail, and so on are for work purposes only and that they may be searched at any time is an accepted best practice. For Fourth Amendment purposes (law enforcement or their agents), a work computer can be searched with consent of a supervisor or another employee as long as they have common authority over the area to be searched. It is also important to note that federal privacy statutes and the Stored Communications Act may come into play as well.

In the end, consult with the prosecuting attorney or corporate/in-house counsel for guidance. Getting their input can help ensure that the case is on the strongest legal footing (Executive Office for United States Attorneys, 2009)