Monday, November 03, 2008

Hashing = 4th Amendment Search

On October 22, a federal district court issued what may be a notable opinion in U.S. v. Crist, 2008 WL 4682806 (U.S. District Court - Middle District of Pennsylvania 2008).

The issues the opinion addresses were raised by Crist’s motion to suppress evidence seized from his computer.

Here’s a summary of the facts – as described by the court – that resulted in Crist’s being charged with possessing child pornography and his moving to suppress evidence taken from his computer:

Crist rented a house in Camp Hill but was late with rental payments. After he fell two months behind, his landlord hired Jeremy and Kirk Sell to move Crist's stuff out of the house. Crist had made arrangements to move some of his things and most of his furniture, but had not moved everything by the time the Sells showed up at his house. According to the court, “[s]cattered throughout the nearly vacant rooms were Crist's possessions, including a keyboard, a PlayStation gaming console, and a personal computer. . . . [T]he Sells began removing Crist's possessions and placing them on the curb for trash pickup.” U.S. v. Crist, supra.

A few days later, Jeremy “called his friend Seth Hipple, who . . . was looking for a computer,” to tell him he would be putting Crist's computer out for trash pickup. Hipple showed up and took it. Later, Crist came to the house and found the Sells removing his things. After they explained what they were doing, he “`went in the house, started going through bags out in the street. And he . . . asked, where is my computer?'” U.S. v. Crist, supra. Though the Sells knew Hipple had it, they “professed ignorance.” U.S. v. Crist, supra. Crist called the police “to complain of the theft of his computer, and Officer Adam Shope took a report.” U.S. v. Crist, supra.

Hipple took the computer to a friend's house, where they “`tried to get it running, tried to . . . clean it up.’” U.S. v. Crist, supra. He then took it home and began going “`through it to see what [he] could delete.’” After looking through a “`bunch of songs’” on a media folder, he opened “`a couple of video files depicting children performing sexual acts.’” Hipple “`freaked out,’ deleted the entire folder . . . and turned off the computer.” U.S. v. Crist, supra. A few days later, he called the police; when an officer arrived, he said he found “the computer and . . . discovered child pornography on it. Hipple `reported that he deleted the file right away.’ A report was taken, and the computer was logged into evidence.” U.S. v. Crist, supra. A detective contacted the Pennsylvania Attorney General's Office (AG’s Office) to have it forensically examined.

This is where we come to the critical part of the case. A special agent with the AG Office’s computer forensics department conducted an examination of the computer:
Agent Buckwash created an `MD5 hash value’ of Crist's hard drive. An MD5 hash value is a unique alphanumeric representation of the data, a sort of . . . `digital DNA.’ When creating the hash value, Agent Buckwash used a `software write protect’ . . . to ensure that `nothing can be written to that hard drive.’ . . . Next, he ran a virus scan. . . . After that, he created an `image,’ or exact copy, of all the data on Crist's hard drive.

Agent Buckwash then opened up the image . . . in a software program called EnCase. . . . He explained that EnCase does not access the hard drive . . . through the computer's operating system. Rather, EnCase . . . . reads every file -- bit by bit, cluster by cluster -- and creates an index of the files contained on the hard drive. . . .

Once in EnCase, Agent Buckwash ran a `hash value and signature analysis on all of the files on the hard drive.’ In doing so, he was able to `fingerprint’ each file in the computer. . . . [H]e compared those hash values to the hash values of files that are known or suspected to contain child pornography. [He] discovered five videos containing known . . . . [and] 171 videos containing suspected child pornography. . . .

Agent Buckwash `switch[ed] over to a gallery view, which gives us all the pictures on the computer,’ and was able to `mark every picture that [he] believe[d] is notable, whether it be child pornography or . . . something specific.’ Ultimately, he discovered almost 1600 images of child pornography or suspected child pornography.

Finally, [he] conducted an internet history examination by reviewing . . . `index [dot] dat’ files, which . . . amount to a history of websites the computer user visited. After extracting the index [dot] dat files, [he] used . . . NetAnalysis, which `allows you to sort for suspected child pornography.’ After [he] completed the forensic examination, he generated a report of his findings and presented it to Detective Cotton.
U.S. v. Crist, supra. Crist was indicted for possessing child pornography and moved to suppress the evidence obtained from his computer. The motion raised two issues: (i) whether Agent Buckwash’s examination exceeded the scope of Hipple’s search of the computer; and (ii) whether the use of EnCase was a 4th Amendment “search.”
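
To make the "hash value analysis" step in the testimony concrete, here is a short added example (it is not code from the opinion, from EnCase, or from the agent's procedure) of fingerprinting every file in a directory tree with MD5 and comparing each value to a set of known hashes. The directory layout, file names and the known-hash set are constructed sample data; note that the analysis has to read every byte of every file to produce its matches.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_analysis(root, known_hashes):
    """Fingerprint every file under root.

    Returns (files_read, bytes_read, matches), where matches lists the
    relative paths whose MD5 appears in known_hashes.
    """
    files_read, bytes_read, matches = 0, 0, []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            files_read += 1
            bytes_read += p.stat().st_size
            if md5_of(p) in known_hashes:
                matches.append(p.relative_to(root).as_posix())
    return files_read, bytes_read, matches


def demo():
    # Constructed sample data standing in for a read-only working copy
    # of an image; none of these names or contents come from the case.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "media").mkdir()
        (root / "docs").mkdir()
        (root / "media" / "a.bin").write_bytes(b"constructed sample A")
        (root / "media" / "b.bin").write_bytes(b"constructed sample B")
        (root / "docs" / "notes.txt").write_bytes(b"unrelated notes")
        # Assumed reference set: hashes of files already known to the examiner.
        known = {hashlib.md5(b"constructed sample B").hexdigest()}
        return hash_analysis(root, known)


if __name__ == "__main__":
    print(demo())
```

Only one of the three files matches the reference set, but all three were opened and all 55 bytes were read to find that out.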

As I’ve noted before, the 4th Amendment only applies to actions by law enforcement officers – to what is called “state action.” So Hipple’s looking through the files on Crist’s computer was not a 4th Amendment search; he was acting on his own, not as an agent of the police. That means police can look at everything Hipple looked at – but ONLY what he looked at – without violating the 4th Amendment. Crist argued that Agent Buckwash’s EnCase examination exceeded the scope of Hipple’s private search AND itself constituted a “search” under the 4th Amendment.

The prosecution argued (i) that because Hipple had been “into” Crist’s computer, Crist no longer had a 4th Amendment expectation of privacy in the computer itself and (ii) that the EnCase examination was not a search because “Agent Buckwash never `accessed the computer,’ but `simply ran hash values on’” it. U.S. v. Crist, supra. As to the first issue, the court relied on a Fifth Circuit Court of Appeals case (Runyan), which held that the fact that private citizens had examined SOME disks belonging to the suspect did not mean he lost his 4th Amendment expectation of privacy in the disks they did not examine.

That set up the second issue: whether the EnCase examination was a 4th Amendment search; if it was, it exceeded the scope of what Hipple had done and was, therefore, unconstitutional. U.S. v. Crist, supra. The district court found it was a search:
Computers are composed of many compartments, among them a `hard drive,’ . . . composed of many `platters,’ or disks. To derive the hash values of Crist's computer, the Government physically removed the hard drive from the computer, created a duplicate image of the hard drive . . . and applied the EnCase program to each compartment, disk, file, folder, and bit. By subjecting the entire computer to a hash value analysis -- every file, internet history, picture, and `buddy list’ became available for Government review. Such examination constitutes a search.

Moreover, the EnCase analysis is a search different in character from the one conducted by Hipple, and thus it cannot be defended on the grounds that it did not exceed the private party search. As noted above, the rationale . . . is that the private search was so complete, no privacy interest remained. That is not the case here.

Hipple opened `a couple of videos’ and deleted them, a far different scenario from the search in Jacobsen, wherein the opening of a package . . . necessarily obviated any expectation of privacy. Here, the Hipple private search represented a discrete intrusion into a vast store of unknown electronic information. While Crist's privacy interest was lost as to the `couple of videos’ opened by Hipple, it is no foregone conclusion that his privacy interest was compromised as to all the computer's remaining contents.

. . . . Comparing a disk containing multiple files to the opened package breached in Jacobsen, the Runyan court found that no privacy interest remained in a disk once some of its contents had been viewed. As to the unopened disks, the court found privacy rights intact, and held unlawful a warrantless search of such disks. Where, as here, substantial privacy rights remained after the private search and the government actors had reason to know the EnCase program would likely reveal more information than they had learned from Hipple's brief search, . . . the scope of the private search was exceeded. . . .

[T]he Court specifically rejects the Government's . . . asking the Court to compare Crist's entire computer to a single closed container which was breached by the Hipple search. A hard drive is not analogous to an individual disk. Rather, a hard drive is comprised of many platters, or magnetic data storage units, mounted together. Each platter, as opposed to the hard drive in its entirety, is analogous to a single disk as discussed in Runyan. As such, the EnCase search implicates Crist's Fourth Amendment rights.
U.S. v. Crist, supra. The court therefore ordered the evidence obtained through the forensic examination of Crist’s computer to be suppressed, which might well end the case.

I absolutely agree with this court, and hope that if the government appeals, the Court of Appeals affirms what this judge has done.

I saw a comment someone – someone technologically sophisticated, unlike me – posted somewhere. It wondered why no one has come up with software that would change a few values of every image and movie file on a hard drive to frustrate this kind of hash matching. I have no idea why not, or if this is feasible, but it sounds like an interesting idea.

If someone would come up with such a program, we’d then have to decide if it’s a 4th Amendment “search” to use EnCase (and similar programs) on a hard drive if the owner of the hard drive had not used this hash-altering software. In other words, the issue would perhaps become whether, by not using this hypothetical hash-altering software, you had assumed the risk the government would be able to find evidence on your hard drive.
