Wednesday, August 19, 2009

Sneaking and Peeking

In a post I did last year, I noted that federal law allows the issuance of “sneak and peek” search warrants. This post examines the use of a “sneak and peek” in a particular cybercrime case. Before I get to that case, though, I need to explain what “sneak and peek” warrants are and how they differ from traditional search warrants.

In the federal system, regular search warrants are governed by Rule 41 of the Federal Rules of Criminal Procedure. Rule 41(b)(1) says that at “the request of a federal law enforcement officer or an attorney for the government” a magistrate judge who has authority to issue warrants in that district can “issue a warrant to search for and seize a person or property located within the district”.

That provision contemplates the kind of searches and seizures officers have historically conducted: They go to a place, search for tangible evidence, seize it if they find it and leave a copy of the executed warrant and a receipt for the items the officers seized with “the person from whose premises” the property was taken. Rule 41(f)(1). (They can also leave the warrant and receipt on the premises if no one was there.)

Rule 41 warrants can be, and are, used to search for and obtain computer evidence. Rule 41(a)(2) defines the “property” that can be seized with such a warrant as including “documents, books, papers, any other tangible objects, and information.” So such a warrant can be used to seize computer hardware and/or data (“information”).

“Sneak and peek” warrants differ from regular Rule 41 warrants not in terms of how they are obtained (the officer still has to file an application for the warrant and an affidavit in support), but in terms of the kind of evidence they’re directed at and certain differences in the execution of the warrant. The PATRIOT Act amended § 3103a of Title 18 of the U.S. Code to accommodate “sneak and peek warrants,” which had been around for a while.

An early “sneak and peek” case is U.S. v. Johns, 851 F.2d 1131 (U.S. Court of Appeals for the Ninth Circuit 1988). In Johns, federal agents applied for a search warrant that would let them “surreptitiously enter” a commercial storage unit “to examine the contents without taking anything”. U.S. v. Johns, supra. They wanted to see what was in the unit but they didn’t want the owner to know law enforcement officers had been there. The court issued the warrant, the agents entered the storage unit and found chemicals used to manufacture methamphetamine, which resulted in Johns being indicted. U.S. v. Johns, supra. He moved to suppress the evidence, arguing that the “sneak and peek” warrant violated the 4th Amendment and Rule 41.

The Johns court followed the approach it had taken in U.S. v. Freitas, 800 F.2d 1451 (U.S. Court of Appeals for the Ninth Circuit 1986). The Freitas court, like later courts, found that a “sneak and peek” warrant violated Rule 41 because it didn’t require the agents executing the warrant to leave a copy of the warrant and a receipt for whatever was taken. (Back then, it was usually just visual observation and/or taking photos of whatever was in the place being searched).

The court also found, though, that the provisions of Rule 41 aren’t co-extensive with the requirements of the 4th Amendment; in other words, they’re narrower than the constitutional provision. According to most of the courts who considered “sneak and peek” warrants prior to the PATRIOT Act, the 4th Amendment is broad enough to encompass this kind of search for (and seizure of) intangible evidence. And I think that’s probably true; the 4th Amendment was created to address the traditional kind of searches and seizures but that doesn’t mean it can’t – and shouldn’t – be interpreted to apply to nontraditional searches and seizures.

To eliminate any concerns about the validity of “sneak and peek” warrants, Congress included a provision in the PATRIOT Act – codified as 18 U.S. Code § 3103a – that “specifically allow[s] officers to delay giving notice to the subject of a search if the court issuing the warrant ‘finds reasonable cause to believe that providing immediate notification of the execution of the warrant may have an adverse result.’” American Civil Liberties Union v. U.S. Dept. of Justice, 265 F.Supp.2d 20 (U.S. District Court for the District of Columbia 2003) (quoting the PATRIOT Act). The statute does require that the “sneak and peek” warrant provide “for the giving of such notice within a reasonable period not to exceed 30 days after the date of its execution, or on a later date certain if the facts of the case justify a longer period of delay.” 18 U.S. Code § 3103a(b)(3).

That, then, is a brief history of “sneak and peek” warrants. As I noted in my prior post, in the Scarfo case, which arose in the 1990s, federal agents used a “sneak and peek” warrant to install a keystroke logger on a suspect’s office computer. So in that case, the focus wasn’t on simply sneaking in and peeking around, but on installing the logger so it would capture keystrokes typed on the keyboard. The purpose was to discover the key for an encrypted file on the computer; agents had used an earlier warrant to obtain a copy of the hard drive, which they searched without finding what they were looking for. They suspected the keystroke logger would record the key needed to access the file and, indeed, it eventually did.

Aside from the Scarfo case, I hadn't really seen any “sneak and peek” cases, at least not any reported cases. Recently, though, I found this one, which I had somehow overlooked: U.S. v. Hernandez, 2007 WL 2915856 (U.S. District Court for the Southern District of Florida 2007).

The case involved a DEA investigation into “Internet pharmacies, wherein customers order controlled substances prescriptions via the Internet”. U.S. v. Hernandez, supra. One of the pharmacies the DEA was investigating was RX Direct, Inc., which was then located in Deerfield, Florida. U.S. v. Hernandez, supra.

I won’t go into all the details of the investigation; I’ll just note that the agents involved made a number of undercover purchases of drugs from RX Direct, Inc., received evidence from citizens who had ordered drugs from the company, and conducted an extensive investigation into its general operations. At that point, one of the agents – DEA Agent Richards – submitted an affidavit to a federal magistrate seeking a “sneak and peek” warrant for RX Direct, Inc. In outlining her probable cause for the warrant, she noted that based on her personal experience and that of other experienced agents,

information concerning the operation of Internet pharmacies routinely are stored in computer hardware and computer software. She . . . learned through her investigation that RX Direct dispensed prescription controlled substances pursuant to the electronic transmittal or prescription drug orders. Therefore, she believed that RX Direct stored information on computers which reflected the activity described in the affidavit.

Investigator Richards believed that the computers and computer media which would be found at the Deerfield location of RX Direct ‘are instrumentalities used to further, and contain evidence of, the dispensation of prescription controlled substances via the Internet where no legitimate physician/patient relationship was established.’

U.S. v. Hernandez, supra. Agent Richards reported that the owner of RX Direct had said he intended to move RX Direct to a new location, and it was not clear if the records would be relocated, as well. She then asked that the warrant be a “sneak and peek” warrant:

[B]ecause there is an ongoing undercover investigation of the subjects of this investigation, it would be detrimental to the investigation for an overt search warrant to be executed during normal business hours at this time. The overt execution of a search warrant at this time may result in endangering the life or physical safety of the CS; may result in the subjects . . . fleeing from prosecution before the investigation is complete; may result in the subjects destroying or tampering with evidence at as yet unidentified locations; and would likely seriously jeopardize the potential success of the undercover investigation by alerting the subjects to the existence of law enforcement scrutiny.

U.S. v. Hernandez, supra. Richards asked “permission to execute the warrant in a surreptitious fashion after the close of business and continuing during the hours of 10:00 p.m. and 6:00 a.m. so that the owners/operators of RX Direct would be unaware of the execution”. The court issued the warrant and allowed the agents to delay providing notice of the execution of the warrant for 30 days. U.S. v. Hernandez, supra. When they executed the warrant, the agents copied the data on the company’s hard drives.

The investigation continued, and eventually resulted in the indictment of individuals involved with RX Direct, Inc. One of them moved to suppress evidence, arguing that the “sneak and peek” warrant was invalid because it authorized the agents to copy data. He said “with most ‘sneak and peek’ warrants, no evidence is seized.” U.S. v. Hernandez, supra. I’m not sure that’s literally true: As I noted earlier, prior to the PATRIOT Act, officers executing “sneak and peek” warrants would go into a place – a home or office or storage unit – and look around . . . and often photograph or videotape what they saw. When they photographed and videotaped what they saw, they were in a sense “seizing” evidence, though not in the tangible, literal sense.

As I noted above, Rule 41 allows officers executing a search warrant – which includes a “sneak and peek” warrant – to seize “information.” I’d argue that even in the non-computer “sneak and peek” warrant cases the officers were, at least in a sense, “seizing” information. In other words, they came away knowing something they didn’t prior to the search; we could say their simply learning that information was a seizure of evidence, but that might be a little difficult to defend. It seems to me, though, that if they recorded what they saw, they did in fact “seize” evidence in the form of information.

The Hernandez court quickly dismissed the argument about seizing evidence: “[T]he defendant cites no case which precludes the copying of records during the execution of a search warrant”. I suspect there is no case like that because copying documents has traditionally been part of executing warrants for paper records. I’m not sure if this “sneak and peek” warrant specifically authorized copying the data, which I think would probably have been a good idea. In denying the motion to suppress, the court also noted that the government was not planning to introduce evidence derived from the copying of the hard drives during the execution of the “sneak and peek” warrant at trial, so there was “no basis to suppress any evidence as the result of the copying of the computer hard drives.”
