The Admissibility of Evidence - Digital Archaeology (2014)

5. The Admissibility of Evidence

When an archaeologist makes a new discovery, the burden of proof falls on the researcher to show beyond a shadow of a doubt that the discovery is authentic and genuine. The same holds true of the gems the digital investigator uncovers during an investigation. It isn’t sufficient that we find the smoking gun. We have to find it in a manner that the courts find acceptable, or it will be dismissed. Another difference is that the investigator has to prove that the evidence is not only genuine, but relevant. Relevance is a function of admissibility. Whether or not evidence is admissible in court depends on a surprising number of factors. Throughout this book, the mantra has been document, document, and then document how you documented. Perhaps it hasn’t been said quite so succinctly, but still, documentation is the key to everything. This chapter will discuss what makes evidence admissible and how the investigator can ensure that the work accomplished makes its way into court.

What Makes Evidence Admissible?

Any information or exhibits that are to be presented in a court case, whether it be civil or criminal, will be subjected to scrutiny by both sides as well as by the judge in order to determine whether or not that evidence meets the general guidelines for admissibility. If the court will allow the evidence to be presented, it is admissible. A number of factors go into making this decision. Some of the questions that will be asked are

• Is the evidence relevant?

• Is the evidence authentic and credible?

• Is the evidence competent?

All three of these conditions must be met before the material will be allowed in court. So to clarify matters as much as possible, a detailed discussion of each one is in order. In considering any of these questions, a concept of American law known as the exclusionary rule must be kept in mind at all times. This basic tenet of American law states that if evidence is collected in violation of the law, or in violation of a person’s constitutional rights, that evidence must be excluded from all court proceedings.

Environmental Law Publishing (2010) has posted a rather complex flowchart that helps determine the admissibility of evidence. The diagram takes into consideration various factors involved when a court would or would not allow evidence. A simplified version of this flowchart, limited to those conditions likely to be encountered in a digital examination, is seen in Figure 5.1.

Figure 5.1 A flowchart of the admissibility of evidence

Is the Evidence Relevant?

“The fundamental rule governing the admissibility of evidence is that it must be relevant” (Wilson v. R 1970). If relevance cannot be established, the discussion can stop right here. None of the other factors covered in this chapter will be . . . well, relevant. The evidence will immediately be disallowed.

To be considered relevant, the evidence in question must satisfy two conditions. First and foremost, it must be material. Material means that it directly relates to the case being presented. If the prosecution is trying to prove that a man is guilty of bank fraud and presents files from his computer showing that he visited pornography sites with regularity, this is going to raise an instant objection from the defense.

The second condition of relevance is that the material is probative. That means it proves something that will help get at the truth of the situation. This works hand in hand with the material aspect of relevance. If the suspect possesses several account numbers for accounts that do not belong to him, it proves that he was showing an interest in other people’s business matters. The history of pornography sites proves something, but nothing that is material to the case.

Is the Evidence Authentic?

There are several things to examine in order to establish the authenticity of evidence as well. We must consider the credibility of the information presented. It must be factual information and not a person’s opinion, with the exception that an expert witness may be called upon to express an opinion based on professional experience or specialized training.

Is the Material an Opinion?

Strictly speaking, digital evidence will not fall under the category of an opinion. The material either exists or it doesn’t. However, the interpretation of material found may be subject to this test. As an investigator, collect anything of relevance. Let the legal team sort out this issue.

Is the Material Credible?

In order to ascertain that material presented as evidence is authentic, it falls to the investigator to demonstrate that the materials collected came from precisely where it is claimed. There can be no suspicion that the evidence has been tampered with or altered in any way. A good chain of custody is mandatory.

The information must be specifically associated to the circumstances and to the person linked to the events. It must be produced and attested by an individual who can verify that these associations exist.

Most of all, the information must be truthful and accurate. A statement under oath that a carrot is an apple does not make it so. Evidence that itself contains a statement or other evidentiary material may be treated like any other witness’s statement. It can be considered hearsay if it is not possible to get the originator of the material to testify as to its accuracy. In the case of scientific evidence, the witness must be able to dispel any doubts that might arise regarding the accuracy of the process used to obtain the evidence. The digital investigator needs to be very familiar with the tools used to extract evidence.

Is the Evidence Competent?

For evidence to be competent, it must not be prejudicial in any way. It must be free of any statutory constraints. It must satisfy all constitutional constraints. And it must not be hearsay.

Prejudice

Any information not directly related to the case at hand that has the potential effect of swaying a jurist’s opinion in the matter, one way or the other, is considered prejudicial. This is why a prior criminal record is rarely allowed as evidence. A person who is being tried for robbing a liquor store is unduly prejudiced if the prosecution shows that she was convicted three times for shoplifting. If considered unfairly prejudicial, even evidence germane to the case may be excluded. Federal Rule 403 says that the probative value of the evidence must not be outweighed by the danger of unfair prejudice (FRE, Rule 403, 2011).

Statutory Restraints

Some information cannot be presented as evidence because of the protected nature of the information. Privileged information is generated in a variety of ways. Chapter 16, “Litigation and Electronic Discovery,” will cover this subject in more detail. For now suffice it to say that if information collected constitutes communication between a person and a priest, a doctor, or a lawyer, it is going to get kicked out of court.

Constitutional Constraints

The rights of the people are guaranteed under the Constitution. It is one of the fundamental tenets of our society. If evidence is obtained as a result of a blatant violation of those rights, it cannot be admitted as evidence, no matter how solidly it proves the case. Anybody who has seen Dirty Harry in action knows all about that. The First and Fourth Amendments to the Constitution are the amendments most frequently cited in evidence hearings, but circumstances can easily bring others into play.

Some court decisions have stated that forcing a suspect to reveal a password violates the Fifth Amendment as it applies to self-incrimination. In March 2012, a federal judge ordered Ramona Fricosu to provide an unencrypted copy of encrypted information from her hard drive (United States v. Fricosu 2012). The judge, Robert Blackburn, ruled that requiring the suspect to decrypt the hard drive was not a violation of Fifth Amendment rights (Hunt and Varner 2012).

This ruling seemingly contradicts the decision handed down in U.S. v. John Doe (2012) where evidence was disallowed because the defendant had been forced to reveal the password to an encrypted drive. Which interpretation is correct is likely to be determined by the Supreme Court. As of this writing, Fricosu is still under appeal. The moral of these two stories is that it isn’t up to the investigator to decide what is right and what is wrong. Let the legal minds fight it out, and until a decision is handed down, do nothing that could compromise the evidence.

Hearsay

Hearsay is any statement that is made outside of the proceedings by any person (or thing, as we will see later on) who is not under oath at the time the statement is made. Courts take a dim view of “he said–she said” arguments on the witness stand. The Law Commission in 1995 had this to say about hearsay: “Where a representation of any fact is made otherwise than by a person, but depends for its accuracy on information supplied by a person, it should not be admissible as evidence of the fact unless it is proved that the information was accurate” (Sommer 1998).

For every rule, there are exceptions, and the hearsay rule is no exception. Several of the hearsay exceptions related to oral testimony are not relevant to this discussion and will be ignored. Exception No. 6, Records of a Regularly Conducted Activity, specifically relates to digital investigation. This includes records created by the business in the course of regular business activity as well as automatically generated records, such as log files (FRU 2012).

The Exclusionary Rule

Protection under the Fourth Amendment includes searches of a person’s possessions as well as his home. This includes his automobile, briefcase, cell phone, and any other object that could be classified as a “container.” The Fifth Amendment prevents people from being forced to testify against themselves. The alleged witches of Salem had their constitutional rights violated when they were forced to confess under duress. It is a pity for them that the Constitution had not yet been written. Lastly, the Sixth Amendment guarantees a person the right to counsel. The latter does not affect the digital investigator as often but should be kept on the back burner as a possible problem to deal with.

When a search or seizure of property is done in violation of a suspect’s constitutional rights, the exclusionary rule dictates that any evidence from such a search or seizure must be excluded as evidence. A key factor to consider here is that only a search and seizure performed by an agent of the government can be considered a violation of a suspect’s constitutional rights. There will be more on that when we talk about digital vigilantes later in this chapter.

Some version of the exclusionary rule has existed in U.S. legal doctrine since even before America was an independent country. Chief Justice Mansfield wrote in 1769 that the courts should disregard any evidence that was provided under duress, regardless of how convincing that evidence might be (Davies 2003).

Disregarding evidence obtained during an illegal search was affirmed by the Supreme Court in 1914 (Weeks v. U.S. 1914). This trial centered on an alleged scam to sell lottery tickets by mail. During this era, state-run lotteries did not exist, and any form of such activity was illegal. Law enforcement officials searched Weeks’s home and found the evidence they needed to prosecute.

Justice Day, writing for the majority, stated that “there was involved in the order refusing the application a denial of the constitutional rights of the accused.” The Supreme Court ruling reversed the decisions of the lower courts affirming Weeks’s conviction.

Keeping Evidence Authentic

For the most part, relevance and competence are matters for the legal minds to argue out. Verifying that the data is authentic, and keeping it that way throughout the entire cycle of the investigation, from instigation to conclusion, is the job of the investigative team. The process of documentation (to be discussed in greater detail in Chapter 17, “Case Management and Report Writing”) is a key component to having your evidence accepted in court.

There are three areas of discussion that need to be addressed. First of all, it is necessary to keep the search of all information systems legal and within the scope of authorization. Searching a computer system is no different than searching a home. Unless the owner has given explicit permission for the search to be conducted, some form of legal authorization, such as a court order, a warrant, or a subpoena, will be required. Chapter 3, “Search Warrants and Subpoenas,” covered this subject in greater detail.

While doing the search, there are additional concerns to keep in mind. What is the plain view doctrine, and how does it impact your work? Are there multiple users who regularly make use of the computer system being searched? Does your authorization define a specific scope for the search to be conducted?

Plain View Doctrine

Generally speaking, the plain view doctrine is a rule that specifies that a search and seizure of evidence can be done without a warrant any time that the official making the search finds evidence of a crime that is clearly visible without the need for an entry or a search. Court decisions have specified that there can be no reasonable expectation of privacy regarding an item that is located in a way anyone can see (Horton v. California 1990). The classic example of this situation is when a police officer pulls a driver over for a speeding violation and sees a baggie full of white powder on the front seat.

This premise easily comes into play during any digital investigation, and the investigator needs to tread carefully when it does. What would the correct approach be if, while searching for evidence of mail fraud, the investigator finds child pornography “in plain sight”? Mantei (2011) identifies three categories under which the plain view doctrine might impact the digital investigator:

• The inadvertence approach

• The prophylactic test approach

• The computers as containers approach

These different approaches were defined based on different court rulings that have occurred over the years. While the following discussion focuses primarily on how the government handled specific criminal cases, the principles will apply to any forensic evidence.

The Inadvertence Approach

Did the investigator come across the evidence “in plain view” accidentally or as the result of a systematic search? Defining plain view under this standard is based on a decision handed down by the U.S. Federal Circuit Court in U.S. v. Carey. In this historic case, the investigators were given permission by the owner of the computer to perform a search. Despite having consent, the officers obtained a search warrant for evidence regarding the sale and distribution of controlled substances. During the search, police officers found a number of files with sexually suggestive file names. After viewing several of these files, they found files containing child pornography. Additional charges of transporting and possessing goods containing or including child pornography were filed against the defendant.

Initially, the courts allowed the files as evidence, citing that the evidence had been obtained while executing a legally obtained search warrant. On appeal, the Tenth Circuit overturned this decision. Using the officers’ own testimony as a guide, the court pointed out that the files used to indict Carey were not found “in plain view” inadvertently, but rather after a systematic search consuming a substantial amount of time. The first files seen, which prompted the search, while pornographic in nature, did not contain child pornography and therefore were not evidence that a crime had been committed. In any case, the files were not regarding the sale and distribution of controlled substances.

This approach was further fortified in U.S. v. Mann (2010), where child pornography was discovered during an investigation into criminal voyeurism. While a large number of files were admitted as evidence, files flagged with known file filter (KFF) alerts were disallowed as evidence because the court decided that a KFF comparison identified the file as child pornography and therefore the investigators should have known they were outside of the scope of their investigation. A new warrant would have been required to search for child pornography.

The Prophylactic Test

In a nationally publicized case, U.S. v. Comprehensive Drug Testing, Inc., the Ninth Circuit outlined a series of rules that evidence must pass in order to be considered “in plain view.” In searching for records specific to certain professional athletes named in a warrant, a directory containing targeted files was seized and transported offsite for analysis. During this time, the names of other nationally recognizable athletes were discovered in the directory listings. The defense filed a FRCP 41(g) motion to have the evidence returned to the defendant and removed as evidence due to an unlawful search and seizure. The Ninth Circuit granted this motion and defined the following rules for applying plain view.

The government had to “forswear reliance on the plain view doctrine or similar doctrine,” and if the government refused to accept a waiver of that nature, the judge “should order that the seizable and non-seizable data be separated by an independent third party under the supervision of the court, or deny the warrant altogether.” The decision stated that the government also had to state the “actual degree of such risks” that failure to immediately execute a warrant will result in the destruction of data (U.S. v. Comprehensive Drug Testing, Inc. 2008).

This completely contradicts the Fourth Circuit’s decision that a computer search must “by implication, authorize at least a cursory review of each file on the computer” (U.S. v. Williams 2010a). The backlash to U.S. v. Comprehensive was such that in a later document, the Ninth Circuit clarified that these were to be considered guidelines and not rules to be followed. However, at least for the time being, courts have different precedents from which to act. Each must be considered.

Computers as Containers

In 2010, police officers obtained a search warrant that allowed them to search and seize computers belonging to Karol and Curtis Williams. The warrant specified “computer systems and digital storage media, videotapes, videotape recorders, documents, [and] photographs” (U.S. v. Williams 2010b). The purpose of the warrant was to investigate a complaint from a local church that they had received e-mails threatening young boys attending their Sunday school classes.

During the subsequent search, investigators discovered thousands of images of young boys. Thirty-nine of these images were classified as pornographic, and as a result of the search, Williams was indicted on child pornography charges. In Williams’s defense, he claimed that the search of his computers represented a violation of his Fourth Amendment rights because the search of his computers exceeded the scope of the warrant as issued.

In rejecting Williams’s appeal, the Fourth Circuit pointed out that the warrant authorized the search of each of the data storage devices or media specified in the warrant. Because the warrant instructed investigators to search for any evidence supporting the church’s complaint, the court decided that in order to ascertain the evidentiary value of any given file, that file had to be opened and viewed. In the decision, the Fourth Circuit correctly pointed out that file names and extensions were invalid search constants because either one could be changed to conceal the actual contents of the file. The computer system was compared to “filing cabinets or other closed containers” (U.S. v. Williams, 2010b). Once a warrant was issued for the container, each item in the container could be examined.
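The court’s point that a file name or extension can be changed to conceal a file’s contents is why examiners identify file types from the first bytes of the content (the “magic number”) rather than from the name. The following is an added example, not code from the book or from any forensic suite; the signature table is a small public subset, and the sample files are constructed for the demonstration.

```python
import os

# Leading-byte signatures for a few common formats (public values; constructed subset).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also the container for docx/xlsx/pptx
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_type(data: bytes) -> str:
    """Identify a file by its content, ignoring whatever name it was given."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    """Normalise the claimed type from the file name (jpg and jpeg are the same format)."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    return {"jpg": "jpeg"}.get(ext, ext)


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the content is a recognised format that the name does not claim."""
    sniffed = sniff_type(data)
    return sniffed != "unknown" and sniffed != extension_of(name)


def triage(files: list[tuple[str, bytes]]) -> list[str]:
    """Return the names of files whose extension disagrees with their content,
    the ones an examiner would flag for closer review regardless of name."""
    return [name for name, data in files if extension_mismatch(name, data)]


# Constructed sample files: (name, leading bytes). Only the headers matter here.
SAMPLE_FILES = [
    ("notes.txt", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),   # an image renamed to look like text
    ("report.pdf", b"%PDF-1.4\n%constructed"),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ("readme.md", b"# plain text, no signature"),
]


if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        print(f"{name:12s} claims {extension_of(name):5s} content says {sniff_type(data)}")
    print("flagged:", triage(SAMPLE_FILES))
```

A file that carries no recognised signature is reported as unknown rather than as a mismatch, so plain text and unfamiliar formats do not generate false alarms; a real examination would use a far larger signature library, but the decision rule is the same.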

Dealing with Multiple Users

For many years, operating systems (OSs) have been designed from the ground up to support multiple users. Each OS maintains separate user profiles to manage preferences and separate containers for storing user files (Figure 5.2). Legal issues face any investigator searching a computer system used by more than one person.

Figure 5.2 When multiple users access the same computer, each will have a separate profile.

It is not at all uncommon for computers owned by corporate entities or other organizations to be used by more than one person. Even privately owned computers are likely to be configured with multiple user accounts. My Macintosh at home has accounts for my wife, both of my children, me, and even my sister-in-law.

Any time multiple users are involved, the issue of privacy becomes somewhat convoluted. How to deal with search warrants and subpoenas is also impacted when there exists the possibility that any given file on the system could have been created by any one of several people. Whether legal or civil in nature, each case revolves around the concept of an individual’s “reasonable expectation of privacy.” If your warrant specifies User A, how does a general search of the hard disk preclude the possibility that files from User B will be discovered and viewed?

A password-protected account that is managed on the local computer is a strong suggestion that users have a reasonable expectation of privacy. However, on most networks, passwords are managed by the network operating system and not on local security accounts. When this happens, while each computer onto which a user logs on will have a profile for that account, it is not necessarily true that files created, modified, or downloaded by that user will be stored in a profile-specific location. Such inconsistent behavior exacerbates the problems faced by the digital investigator.

These difficulties can be a little different, depending on whether the search is being conducted on the basis of the consent search doctrine or in response to a warrant or subpoena. Since warrants and subpoenas are covered in Chapter 3, “Search Warrants and Subpoenas,” only the consent search doctrine will be discussed in this section.

The Consent Search Doctrine

As has already been discussed at great length, the whole reason behind the necessity for search warrants is the Fourth Amendment. This particular document guarantees that citizens do not need to fear unreasonable searches or seizure of their property. Only by way of a legally executed warrant could a government official search a citizen’s property.

The Supreme Court has spent the last couple of centuries fine-tuning the definition of “unreasonable.” The courts defined a two-component test of any situation to ascertain the level of reasonability. First of all, does the individual have a “subjective expectation of privacy”? And secondly, would society in general be “prepared to recognize [it] as reasonable” (Katz v. U.S. 1967)?

One exception to the Fourth Amendment, carved out early in the game, was that any time the owner voluntarily consented to having his or her property searched, any evidence discovered as a result of that search was considered to be legally obtained. Subsequent court cases even determined that it did not necessarily have to be the actual owner of the property that granted consent for the search.

U.S. v. Matlock (1974) determined that anyone who possessed “common authority” over a property could grant consent to its search. In this decision, the court was quite clear that vested interest in the property extended beyond the concept of ownership. If the owner shared common access with a roommate or a family member, then that person also had the authority to grant permission to search those areas to which the person was granted access.

Such common authority is not without limitations. U.S. v. Block specified that while a person might have the authority to enter a room, this did not automatically render the authority to search everything within the room. The case in point involved a mother who granted permission for police to search the footlocker of her 23-year-old son. While she did have the authority to grant access to the room, because as owner of the house she automatically had that privilege, she could not grant permission to search a locked footlocker owned by her son. The line of demarcation was that she did not own the footlocker, did not have permission to open it, and subsequently did not have “access.”


Case Law: U.S. v. Frank Gary Buckner

In 2003, police entered the home of Frank Gary Buckner with the verbal consent of Buckner’s wife, Michelle. At this time, Ms. Buckner said for the officers “to take whatever [they] needed” and that she “want[ed] to be as cooperative as she could be” (U.S. v. Frank Gary Buckner 2007). The officers seized the computer belonging to Mr. Buckner and transported it offsite for forensic analysis. Evidence found on the computer led to 20 counts of wire fraud and 12 counts of mail fraud. The defense tried to have evidence derived from the computer search suppressed, contending that since the computer was password-protected and nobody could sign on to the computer or view the files without knowing the password, then only he could give permission for a search of the computer. The motion to suppress was denied and Buckner filed a conditional plea of guilty.

The condition of his plea reserved the right for him to appeal based on the denial of his motion to suppress. On appeal, Buckner did not challenge the right of police to seize the computer. He did, however, contend that the search of the computer without a warrant was unconstitutional and therefore the evidence was obtained illegally. In its decision, the U.S. Court of Appeals determined not only that Ms. Buckner had common authority over the computer but also that apparent authority existed for her to grant permission to the officers to search the computer. The denial of the motion to suppress was affirmed and Buckner lost the appeal.


The natural question that arose from these decisions was: Who has “apparent authority” to grant permission for a search? While the concept of common authority is clearly defined, to what extent must the investigator go to determine that a person granting permission actually has the authority to do so?

Illinois v. Rodriguez set the precedent for that decision in 1990. In this landmark decision, police responded to a call at the residence of Dorothy Jackson, who complained that Rodriguez was assaulting her daughter. According to police records, Ms. Jackson gave the officers every reason to believe that she had the authority to allow police to search the property. In the ensuing search, illegal contraband was discovered, which led to the arrest of Rodriguez. No warrant was issued because the police assumed none was needed in the presence of consent.

Rodriguez argued at his trial that Jackson did not have the authority to consent to such a search, since she no longer lived in the apartment and had not done so for several weeks. The argument was initially successful, and the lower court ruled on behalf of Rodriguez. The case wound its way all the way to the Supreme Court, where Justice Scalia, writing for the majority opinion, cited that Fourth Amendment rights are not violated when law enforcement “reasonably (though erroneously) believe that the person who has consented to their entry is a resident of the premises” (Illinois v. Rodriguez 1990).

So after this lengthy and possibly meandering discussion of what constitutes permission, how does this affect the digital investigation? The question of multiple accounts on a computer was asked in 2001. In a situation where one individual granted permission to search a computer, it was made clear to the investigating officers that there was another user on the computer, that both users had a password-protected account, and that both maintained their own file folders. The court decided that permission by one user on a shared system did not give police the right to search the files of the other user (Trulock v. Freeh 2001). The court analogized this to the locked footlocker in U.S. v. Block. Compare this with the earlier section, “Computers as Containers.”

A distinct problem is manifested when investigators use generic forensic tools to search for files on the hard disk. As discussed in Chapter 8, “Finding Lost Files,” many of the search tools are run against a forensic image of an entire drive. These tools do not necessarily know which files are owned by which users. Unlike encryption, which renders a file unreadable to general text searches, files that are only managed by password security are readily found by tools such as EnCase, FTK, and the like. While some of the more advanced versions of these tools are able to identify which user owns any particular file, the majority do not. Open-source or generic utilities such as strings or grep and file carving utilities like Scalpel are unable to distinguish between users.

In U.S. v. Andrus (2007), McKay, the justice presiding, defines two legal issues key to any search of a system involving multiple users. The first questions whether or not users exhibit a determined attempt to keep their data private. Use of encryption and password-protected files is strongly indicative that they do. The second issue at stake is whether the investigating entity is employing any form of technology that allows the search to go beyond its authorized scope.

Using EnCase as an example, McKay notes that the software is capable of ignoring password protection in the process of finding and opening files. He concludes that investigators are then under the obligation to inquire into the level of access and what authority the person granting permission has over the system (U.S. v. Andrus 2007). A person with full administrative privileges on the system can obviously change any password on the system in order to gain access. But does the ability by necessity grant the right?

Defining the Scope of the Search

Regardless of whether the search for evidence is inspired by civil or criminal action or whether it is being conducted with consent or the result of a court order, it remains true that there will be a specific limit to the extent of the search. A search warrant will outline specific parameters that define the scope. Law enforcement officials are learning that a search scope that is too loosely defined will almost certainly lead to an appeal. Judges are more cognizant of this as well. In a civil investigation or an internal operation, it is up to the legal team to define the scope of the desired search.

Search warrants must be specific. Specificity is defined by two factors. The first is particularity. Particularity means that the warrant must clearly state what is being sought in the context of the search. A warrant that authorizes the search and seizure of “computers and storage media under the control of the defendant” would be considered overly broad if the “defendant” was a corporate entity. In this case, it would be necessary to identify which computer or computers were being sought and the specific media. That same description might be sufficient in a search of a private individual’s residence. It is always the decision of the legal counsel as to what items to search and not that of the investigator.

The second factor is breadth. Under the breadth factor, the scope of the warrant is limited to the probable cause upon which the original warrant is based. In other words, if the probable cause is in regard to income tax evasion, the searchers cannot confiscate pornographic material. If such evidence is found in plain sight, in order to seize the materials, a new warrant should be requested defining the new scope.

In a civil or internal investigation, the scope will be defined by the person or committee making the assignment. Civil litigation is generally preceded by a discovery meeting in which each side states what documentation it expects the other side to produce. E-discovery and its related processes are covered in more detail in Chapter 16, “Litigation and Electronic Discovery.” Internal investigations are usually subject to less regulatory oversight. As such, instructions may be very well defined or they may be very loose. It is important to make sure everybody is on the same page before the investigation starts. Regardless of the situation, any time the search looks like it is taking the investigator outside of the defined scope, the time has come to take a step back and find out if additional guidance is in order.

When the Constitution Doesn’t Apply

Much of the discussion in this chapter has been based on criminal investigations. Since these are cases that are prosecuted by government entities, the watchful eye of the Constitution rules every step. There are situations, however, in which the courts cannot enforce constitutional law. In civil cases involving private individuals, the Federal Rules of Civil Procedure (FRCP) apply, and they contain a different set of rules for introducing evidence (see Chapter 16). Another situation that clouds the issue of constitutionality is evidence provided by the digital vigilante.

Civil Litigation and Internal Investigation

Internal corporate investigations are generally not impacted by constitutional limitations. However, a word of caution is in order. In the event that such an inquiry leads to the discovery of criminal activity and subsequent charges, any deficiencies in the investigation will be called into question. Legal counsel should be consulted in any situation where future prosecution is a possibility. Since this subject is covered in Chapter 16, there is little need to duplicate the material here.

Digital Vigilantes

People have long had a perverse admiration for the vigilante. Most of the superheroes charging through the theaters are vigilantes. The law can’t act because its hands are tied by legal issues, or by its own incompetence or lack of concern. So a dedicated private citizen with special powers takes the law into his own hands. Vigilantes go far back into history. Where would merry old England have been without Robin Hood?

The realm of digital investigation is not without its share of these types of people. Well-trained hackers make the news when they break into a bank system and make off with thousands of credit card numbers. Much less is heard when a hacker breaks into a system and produces evidence of a major crime in progress. Police have informants everywhere—even on the Net. But is the evidence uncovered by a vigilante admissible in court?

While law enforcement has made great strides in combating cybercrime in the past few years, it still has a way to go. According to Brenner (2007), the reason for this is our current model of law enforcement, because the assumptions it makes about crime do not hold true for digital crime. The whole concept of “jurisdiction” makes no sense when there are no border guards to find contraband in the electronic luggage. When credit card information is stolen from an online store in Boston, but the perpetrator pressed the Enter key that initiated the crime in Pakistan, who goes after the bad guy, and which courts handle the civil case? Brenner suggests that the actions of vigilantes should be encouraged, although she argues that they should be controlled—deputized, as it were. But how would that impact the constitutionality of their actions?

When Is the Private Search Constitutional?

Consider this case as an introduction to the discussion. In U.S. v. Bradley Joseph Steiger (2003), the defendant was arrested and charged with multiple counts of possessing child pornography and receiving it by way of interstate and foreign commerce. The evidence that led to law enforcement obtaining a police warrant came from an anonymous tip provided in an e-mail from a person who identified himself only as Unknownuser. Steiger attempted to have the evidence uncovered as a result of that warrant suppressed because Unknownuser was working as an agent for the government and as such had searched his computer illegally in violation of the Wiretap Act. Additionally, law enforcement failed to include the fact that the evidence provided by Unknownuser was obtained illegally when they applied for their search warrant.

In denying these motions to suppress, Justice Goodwin of the Eleventh Circuit made two observations regarding a search by private individuals. The first was that a search conducted by a private individual, whether legally conducted or not, did not implicate the Fourth Amendment. The second observation was that the court had to decide whether or not a private citizen was acting as an agent for the government when conducting the search. The latter decision is based on the answers to two questions.

Did the government know of, and authorize, the search? In Steiger, the answer was that it clearly did not. The search was conducted long before the government was made aware that a violation had occurred. Had an authorized agent of either a state or federal government agency suggested that Unknownuser conduct the search, then the hacker would have clearly been working as a government agent, whether paid or unpaid. The additional inference is that, had such an agency been aware that Unknownuser was going to perform such a search before the fact, their acquiescence to the search would render the hacker as a government agent.

Was the private individual’s primary purpose to assist the government or to further his or her own ends? It is very difficult to ascertain the motives of a person. In light of the fact that this particular search was done before law enforcement was aware of a violation, there was no evidence to support a claim that the hacker’s motive was to help the U.S. government.

The decision also addressed a third question, one concerning the issuance of the warrant rather than the legality of the search: is a warrant valid if the supporting affidavit relies on illegally obtained information? Responding to this challenge, Goodwin wrote, “Because information obtained by a private person is not subject to the Fourth Amendment’s exclusionary rule, a statement that the anonymous source had hacked into Steiger’s computer to obtain that information would not have affected the magistrate’s finding of probable cause” (U.S. v. Bradley Joseph Steiger 2003).

When Is the Private Search Unconstitutional?

The same vigilante from Steiger became the focus of another court decision later that same year. When Unknownuser sent information about another alleged child pornography site, an FBI agent named Faulkner contacted him with a response sometimes known as “the wink and the nod.” Faulkner wrote that he could not authorize Unknownuser to conduct any searches because that would make him an agent of the government and none of the information discovered would be admissible in court. On the other hand, Faulkner added, if Unknownuser happened to stumble across such material, he would be delighted to hear about it.

In U.S. v. Jarrett, the District Court found that such an arrangement clearly indicated that Faulkner was aware that a search would take place and tacitly condoned such a search. That made Unknownuser an agent of the government. The evidence was suppressed.

The government appealed the decision and successfully had the evidence reinstated. However, its success rested on a factor other than the agent’s knowledge of the hacker’s activities. The Appeals Court held that the existence of an agency relationship depended on the degree to which the government participated in the actions. The government neither participated in nor instructed the hacker’s activities in any manner, and the case was ordered to be retried with the evidence included. According to the decision, the informant would become an agent of the government only if the government did “affirmatively encourage, initiate or instigate the private action” (U.S. v. William Anderson Jarrett 2003).

When Is the Warrant Legal?

The concept was revisited in 2007 with a new twist. An anonymous caller told police of a Sprint PCS Web site that displayed images similar to those in Steiger. The caller gave the agent the user ID and password for the site in the course of the conversation. The agent who received the call had no trouble accessing the Web site and downloaded the images as evidence to present in his request for a warrant. The warrant led to a search of the defendant’s apartment, which uncovered sufficient evidence for an arrest. The defendant voluntarily confessed when confronted with the evidence.

At trial, the defendant moved to have the evidence suppressed on the grounds that, while the tipster was not covered by Fourth Amendment restrictions, the agent who viewed the site clearly was. The site was password protected; therefore, the defense argued, downloading the images in the process of requesting a warrant was a violation of the defendant’s rights. The evidence found while searching the apartment, as well as the defendant’s confession, the defense claimed, should be suppressed as “fruit of the poisonous tree.”

The motion was denied. While the court conceded that the password protection employed on the site demonstrated the defendant’s expectation of privacy, the fact that the defendant freely shared the user name eroded that expectation. In the decision, the court wrote, “For example, there can be no reasonable expectation of privacy in matters voluntarily disclosed or entrusted to third parties, even those disclosed to a person with whom one has a confidential business relationship” (U.S. v. Kendra D’Andrea 2007).

Vigilantes Today

Law enforcement continues to use digital vigilantes in the same manner as it has used street informants for years. Additionally, not all such informants are actively looking for criminal activity. In U.S. v. Barth, the District Court decided that while a person has a reasonable expectation of privacy regarding their computer files, that privacy is lost when the computer is dropped off at a computer repair facility for service. The rationale is that in order to service the computer, the technicians have to be able to access its contents. If they reveal what they’ve found to law enforcement officials, no violation of the Fourth Amendment has occurred.

In the corporate environment, a situation arises in which all employees sign employee policy forms acknowledging that they are aware that the organization may, at its discretion, monitor their activities and even search their computers. Management or IT personnel who subsequently turn over material they find to law enforcement officials do not violate any laws.

A civilian group called Perverted Justice exposed hundreds of alleged pedophiles on a Web site after their members posed as underage girls and agreed to meet for a secret tryst. They avoid the implications of being considered agents of the government by enforcing a simple rule. They never contact the police. If the police contact them about a specific individual posted on their Web site, they happily provide any information they can.

Another group, Artists Against 419, targets scam artists, phishing sites, and other fraudulent sites, and has used questionable tactics in its war against cybercrime. The list of individuals and organizations that fight crime in digital costumes instead of masks and capes grows every year. The legal battle over whether their results are admissible as evidence continues.

Chapter Review

1. What are the three primary factors that determine whether evidence collected during an investigation will be admissible in court? Briefly discuss each of these factors.

2. Explain in your own words the exclusionary rule. How is it related to the three factors of admissibility?

3. What is the plain view doctrine, and why does it have such a significant impact on digital forensics? What are three approaches to ascertaining whether the doctrine applies to a specific case?

4. Explain particularity, and discuss how evidence might be suppressed if the court determines that it is absent in a particular warrant.

5. Under what circumstances is a digital search not covered under the Constitution?

Chapter Exercises

1. Look up U.S. v. Cioffi, 2009. How did the defense successfully argue to have evidence collected during the search of the defendant’s e-mail archives suppressed? What are two principles discussed in this chapter that were invoked?

2. Review the case U.S. v. Paul V. Burdulis. In this motion to suppress, the defense attempted to have evidence suppressed on the grounds that the warrant lacked particularity and that it did not establish probable cause that the evidence described in the warrant could be found in the locations defined in the warrant. What was the outcome of that motion, and what principle discussed in this chapter was cited by the judge in making his decision?

References

Department of Justice. 2004. Forensic examination of digital evidence: A guide for law enforcement. www.ojp.usdoj.gov/nij/pubs-sum/199408.htm (accessed February 12, 2012).

Brenner, S. 2007. Private-public sector cooperation in combating cybercrime: In search of a model. Journal of International Commercial Law and Technology 2(2):58.

Davies, T. 2003. Farther and farther from the original Fifth Amendment: The recharacterization of the right against self-incrimination as a “trial right” in Chavez v. Martinez. Tennessee Law Review 70:987–1045.

Environmental Law Publishing. 2010. Flowchart of the rules for the admissibility of evidence. www.envlaw.com.au/handout6.pdf (accessed May 22, 2013).

Horton v. California, 496 U.S. 128, 133 (1990).

Hunt, H., and C. Varner. 2012. United States: 5th Amendment self-incrimination and computer encryption passwords. www.mondaq.com/unitedstates/x/167962/Software/5th+Amendment+SelfIncrimination+Computer+Encryption+Passwords (accessed March 12, 2012).

Illinois v. Rodriguez 497 U.S. 177 (1990).

Katz v. United States 389 U.S. 347 (1967).

National Institute of Justice. 2004. The computer forensic tool testing program. www.nij.gov/topics/forensics/evidence/digital/standards/cftt.htm (accessed March 9, 2010).

Sommer, P. 1998. Digital footprints: Assessing computer evidence. Criminal Law Review (December):61.

Trulock v. Freeh, 275 F.3d 391 (4th Cir. 2001).

U.S. v. Andrus, 483 F.3d 711 (10th Cir. 2007).

U.S. v. Bradley Joseph Steiger, 318 F.3d 1039 (11th Cir. 2003).

U.S. v. Carey, 172 F.3d 1268 (10th Cir. 1999).

U.S. v. Comprehensive Drug Testing, Inc., D.C. No. CV-04-00707-2008.

U.S. v. Frank Gary Buckner, 473 F.3d 551 (2007).

U.S. v. Kendra D’Andrea, 497 F. Supp.2d 117 (2007).

U.S. v. Mann, 592 F.3d at 780 (2010).

U.S. v. Matlock, 415 U.S. 164 (1974).

U.S. v. William Anderson Jarrett, 338 F.3d 339 (2003).

U.S. v. Williams, 592 F.3d 511, 521, 523 (4th Cir. 2010a).

U.S. v. Williams, 592 F.3d 511, 521, 523 (4th Cir. 2010b) p. 1003.

United States of America v. John Doe, Appellant, WL 579433, Nos. 11–12268 & 11–15421 (2012).

United States v. Fricosu, No. 10-cr-00509-REB-02 (2012).

Weeks v. United States, 232 U.S. 383 (1914).

Wilson v. R, 44 ALJR 221 (per Barwick CJ); ss55-56 EA (1970).