Legal Perspective: Searching for and Seizing Information
by sarada avadhanam
A. INTRODUCTION
Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible. They occupy physical space and can be moved in familiar ways.
1. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups:
1.1. (1) Searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site, and the computer at the search scene is used to access this off-site location.
2. In some cases, the distinction is insignificant, and many topics covered in this section apply equally to both types of searches. On the other hand, there are certain unique issues that arise only when the computer is part of a network.
3. Because the law requires that a search warrant be issued by a court in the district where the property is located, agents may have to get a second warrant in another district if the target has sent data to a distant computer.
4. Although "property" is defined to include "documents, books, papers and other tangible objects," (emphasis added), courts have held that intangible property such as information may be seized. Warrants have been upheld for intangible property such as telephone numbers called from a given phone line and recorded by a pen register, conversations overheard by means of a microphone touching a heating duct, the movement of property as tracked by location-monitoring beepers, and images seized with video cameras and telescopes. Covertly taken photographs without authorization allowed for seizure ("sneak and peek" warrant executed without giving notice to the defendants).
B. INFORMATION AS CONTRABAND
The same theories which justify seizing hardware--contraband or fruit of crime, instrumentality, or evidence--also apply to seizing information. Because individuals often obtain copies of software in violation of copyright laws, it may be appropriate to seize that software as well as any documentation (such as photocopied software manuals) because they are likely to be illegally obtained. (Software producers may allow a purchaser to make a backup copy of the software bought, but these copies may not be disseminated because of copyright laws.) Lists of telephone card access codes and passwords for government computer networks may also be considered contraband, because their possession is prohibited by statute if the possessor has the requisite mens rea.
C. INFORMATION AS AN INSTRUMENTALITY
The law defines what may be seized as an instrumentality: any "property designed or intended for use or which is or has been used as the means of committing a criminal offense." This includes both tangible and intangible property.
Thus, in some cases, informational documents and financial instruments which have been used in the commission of an offense may be seized as instrumentalities of crime.
5. Documents used in connection with a suspect's illegal alien status were instrumentalities, including phony birth certificates, bank records, and vaccination records. $5 million in securities were not instrumentalities where the government suspected improprieties with an $18,000 brokerage account and the securities were at most "incidental" to the offense. Likewise, investigators should seize objects if they are "designed or intended for use" as instrumentalities.
6. Sometimes an item will obviously fit that description (like software designed to help hackers crack passwords or lists of stolen credit card numbers) but, at other times, it may not be so simple. Even so, as long as a reasonable person in the agent's position would believe the item to be an instrumentality, the courts will probably respect the agent's judgment. This is, after all, the same test used to determine when an object would aid apprehension or conviction of a criminal.
7. As such, the particular facts of the case are very important. For example, if an agent investigating the sysop of an illegal bulletin board knows that the board only operates on one personal computer, a second computer sitting in the same room is probably not an instrumentality. But if the agent has heard from a reliable informant that the suspect has boasted about expanding his operation to a second board, that second computer is probably "intended" as an instrumentality, and the agent should take it. Additionally, if the suspect has substantially modified a personal computer to enhance its usefulness for a particular crime (perhaps by installing password-cracking software), an agent might well reasonably believe that the computer and the software were "designed" for criminal activity.
D. INFORMATION AS EVIDENCE
Evidence of crime may be seized in the same way as instrumentalities of crime.
8. In most instances, documents and other information connecting the criminal to his offense should be viewed as evidence of the crime, and not as instrumentalities.
9. The prescription records of a doctor who illegally prescribed morphine to "patients" were classified as evidence, not as instrumentalities.
10. The prescription records .
10.1. Customer lists of narcotics traffickers,
10.2. Telephone bills of hackers who break into computer networks, and
10.3. Plans for the fraud or embezzlement of corporate and financial targets.
10.4. Paper or book form, or electronically in computer or on a backup tape.
10.5. Documents may be seized if they show intent and the absence of mistake on the suspect's part, even if they do not relate directly to the commission of the crime.
11. Evidence of Identity
11.1. Identification evidence: clothing seen worn by a criminal during the commission of the offense constitutes evidence of the crime, because it helps to tie the suspect to the crime.
11.2. Documents that incriminate a suspect's co-conspirators also may be seized as evidence because they help identify other involved parties and connect them with the suspect.
11.3. Lists of telephone numbers help in identifying and connecting others with the suspect's crimes. Hackers work jointly and pool hacking information. Telephone records may prove this connection. Evidence may also identify the occupant of a home or office connected to the crime.
11.4. The seizure of telephone books, diaries, photos, utility bills, telephone bills, personal property, cancelled mail, keys, rent receipts, deeds, and leases that helped establish who owned and occupied premises used for a large-scale narcotics operation, indicating the ownership or occupancy of the residence. Computers are used by more than one person, and evidence may help establish who used the computer or computers to commit the crime.
12. Specific Types of Evidence
12.1. Hard Copy Printouts: Any information contained in a computer system may have been printed out by the target of the investigation. Finding a printed copy may be valuable for a number of reasons.
12.2. First, a printout is an earlier version of data that has since been altered or deleted.
12.3. Second, in certain electronic environments (such as bulletin boards), individuals may claim to lack knowledge about what information is electronically stored in the computer (e.g., a bulletin board operator may disavow any knowledge that his board contained illegal access codes that were posted and downloaded by others). Finding printed copies in someone's possession may negate this defense.
12.4. Third, the printouts may tie the crime to a particular printer which, in turn, may be seizable as an instrumentality (e.g., the printouts may reveal that extortionate notes were printed on a certain printer, thus warranting seizure of the printer).
13. Handwritten Notes
13.1. Finally, agents should be alert for notes in manuals, on the equipment, or in the area of the computer.
13.2. These may provide critical keys to breaking passwords, finding the file or directory names of important data, operating the hardware or software, identifying the suspect's electronic or telephone connections with co-conspirators and victims, or finding login names or accounts.
14. E. PRIVILEGED AND CONFIDENTIAL INFORMATION
14.1. 1. In General: the warrant should be narrowly drawn to include only the data pertinent to the investigation, and that data should be described as specifically as possible.
14.2. In a broad search of computers used by confidential fiduciaries (e.g., attorneys or physicians), it is better not to examine files about uninvolved third parties.
15. A. Doctors, Lawyers, and Clergy: agents should not use a search warrant to obtain documentary materials believed to be in the private possession of a disinterested third party physician, lawyer, or clergyman where the material sought or likely to be reviewed during the execution of the warrant contains confidential information on patients, clients, or parishioners.
16. B. Publishers and Authors: police may not search for or seize any "work product materials" (defined by statute) from someone "reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication." Government officers cannot search for or seize "documentary materials" (also defined) from someone who possesses them in connection with a purpose to similarly publish. These protections do not apply to contraband, fruits of a crime, or things otherwise criminally possessed.
16.1. The larger the network and the more varied its services, the harder it is to predict whether there might be information on the system which could arguably qualify for protection.
17. Targets: If the person who holds the documents sought is a target of the investigation, the rules are understandably different.
17.1. The warrant should be drawn as narrowly as possible to include only information specifically about the case under investigation.
17.2. When the target of an investigation has complete control of the computer to be searched (such as a stand-alone PC), it may be difficult to find all the evidence without examining the entire disk drive or storage diskettes.
17.3. As experts comb for hidden or erased files or information contained between disk sectors, they must continue to protect the unrelated, confidential information as much as possible.
18. 3. Using Special Officers: the court may appoint a special officer to help search a computer which contains privileged information.
18.1. A neutral officer with a neutral computer expert to help will recover all the data without destroying or altering anything. The computer expert needs detailed instructions on the search procedures to be performed.
19. Never use the target of the search or his employees as the computer expert.
20. F. UNDERSTANDING WHERE THE EVIDENCE MIGHT BE: STAND-ALONE PCs, NETWORKS AND FILE-SERVERS, BACKUPS, ELECTRONIC BULLETIN BOARDS, AND ELECTRONIC MAIL
21. Stand-Alone PCs: all storage devices, including hard drives, floppy disks, backup tapes, CD-ROMs, WORM drives, flash drives, etc.
21.1. If identification is an issue, agents should look for fingerprints or other handwritten notes and labels that may help prove identity. If data is encrypted, a written copy of the password is clearly important.
21.2. A. Input/Output Devices: Do Monitors, Modems, Printers, and Keyboards Ever Need to be Searched?
21.3. There must be a basis for seizing each particular item. If agents are only searching for information, it may be senseless to seize hardware that cannot store information.
21.4. Information can be retrieved from many hardware devices, even those not normally associated with a storage function.
21.5. Input and output (I/O) devices such as keyboards, monitors, and printers do not permanently store data.
21.6. But some I/O devices may provide useful evidence even after they have been turned off.
21.7. Laser printers -- It may be possible to search for images of the last page printed on laser printers. Paper containing information may still be inside a laser printer due to a paper jam that was not cleared.
21.8. Hard disk print buffers -- Some laser printers have five- or ten-megabyte hard drives that store an image before it prints, and the information will stay on the drive until the printer runs out of memory space and writes over it.
21.9. Print Spooler Device -- The spooler may be holding a print job if the printer was not ready to print when the print command was given (e.g., the printer was not turned on or was out of paper). This device should be handled at the scene since the information will be lost when power is disrupted.
21.10. Ribbon printers -- Like old typewriter ribbons, printer ribbons contain impressions from printed jobs. These impressions can be recovered by examining the ribbon.
21.11. Monitors -- Any burning of the screen phosphor may reveal data or graphics commonly left on the screen.
21.12. Keyboards -- Although they do not normally store information, some unusual keyboards are actually computer workstations and may contain an internal diskette drive.
21.13. Hard Cards -- These appear to be a typical function board but they function like a hard disk drive and store information.
21.14. Scanner -- Flatbed type scanners may have hard paper copy underneath the cover.
21.15. Fax machines -- Although some kinds of stand-alone fax machines simply scan and send data without storing it, other models can store the data (e.g., on a hard drive) before sending it. Significantly, the data remains in the machine's memory until overwritten. Some fax machines contain two or more megabytes of memory--enough to hold hundreds of pages of information.