Wednesday, April 30, 2014

18 U.S. Code § 1030(a)(5)(A), Toyota and "Damage”

Ibrahimshah Shahulhameed was found guilty, in federal court, of “violating 18 U.S. Code § 1030(a)(5)(A), which makes it unlawful to knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer”.  U.S. v. Shahulhameed, 2014 WL 1513143 (U.S. District Court for the Eastern District of Kentucky 2014).  He then filed a motion for “acquittal pursuant to Rule 29 of theFederal Rules of Criminal Procedure” or, in the alternative, for “a new trial” pursuant to Rule 33 of the Federal Rules of Criminal Procedure.  U.S. v. Shahulhameed, supra.

The U.S. District Court Judge who has the case began her opinion by noting that

[d]uring a trial that lasted approximately one week, the United States presented evidence that [Shahulhameed] was terminated from his position at Toyota Engineering & Manufacturing North America -- where he worked as a subcontractor -- on August 23, 2012. Following his termination, [Shahulameed] used his remote access to Toyota's computer system to make a series of programming changes to Toyota's servers that caused extensive damage.

U.S. v. Shahulhameed, supra.  The news stories you can find here offers an account of how the prosecution allegedly arose, and you can find the Criminal Complaint that was filed in the case here.  This press release from the U.S. Attorney whose office had the case also provides some additional details.

Under Rule 29(a) of the Federal Rules of Criminal Procedure, “the court on the defendant's motion must enter a judgment of acquittal of any offense for which the evidence is insufficient to sustain a conviction.”  Since the U.S. federal government, like the U.S. states, requires that a criminal defendant’s guilt be proven beyond a reasonable doubt, the court must determine whether the evidence presented proves each element of the crime(s) charged beyond a reasonable doubt in deciding whether or not to grand a motion for a judgment of acquittal.  

The federal judge who has this case began her analysis of Shahulhameed’s motion by noting that

[w]hen addressing a motion for judgment of acquittal, the Court must view the evidence in the light most favorable to the prosecution and determine whether there was sufficient evidence offered at trial to convince a rational trier of fact beyond a reasonable doubt that all of the elements of the charged crimes have been established. U.S. v. Graham, 622 F.3d 445 (U.S. Court of Appeals for the 6th Circuit 2010). 

The Court is precluded from weighing the evidence, considering witness credibility, or substituting its judgment for that of the jury. U.S. v. Chavis, 296 F.3d 450 (U.S. Court of Appeals for the 6th Circuit 2002).  The court gives the government `the benefit of all inferences which can reasonably be drawn from the evidence, even if the evidence is circumstantial.’ U.S. v. Carter, 355 F.3d 920 (U.S. Court of Appeals for the 6th Circuit 2004).

U.S. v. Shahulhameed, supra.  

She also noted that Shahulhameed could be found guilty of violating 18 U.S. Code § 1030(a)(5)(A) “only if” these facts were proved beyond a reasonable doubt at his trial:

(1) the defendant knowingly caused the transmission of a program, information, code, or command to a protected computer;

(2) the defendant, as a result of such conduct, intentionally caused damage to a protected computer without authorization; and

(3) the damage resulted in losses of more than $5,000 during a one-year period.

U.S. v. Shahulhameed, supra.  

Shahulhameed “present[ed] three reasons as to why he is entitled to acquittal under Rule 29”.  U.S. v. Shahulhameed, supra.  

First, he contends that insufficient evidence was presented to prove that the defendant's actions caused more than $5,000 in damage. Second, [Shahulhameed] argues that the evidence does not support a finding that he was `without authorization’ at the time the programming changes occurred. Third, [he] argues that the evidence did not establish beyond a reasonable doubt that he was the individual who issued the programming changes that caused the damage.

U.S. v. Shahulhameed, supra.  

The judge addressed his arguments in order, beginning with the issue of “damage”:

The United States must prove the damage caused by the defendant resulted in losses of $5,000 or more within a one-year period. Under . . . § 1030(a)(5)(A), a `loss’ includes `the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense.’ 18 U.S. Code § 1030(e)(11). Losses can include the cost of time spent by a salaried employee of the victim in responding to the damage. See U.S. v. Millot, 433 F.3d 1057 (U.S. Court of Appeals for the 8th Circuit 2006). Thus, the cost of Toyota's remedial efforts in responding to the defendant's cyber-attack is properly considered a loss under § 1030(a)(5)(A).

To prove [Shahulhameed] caused at least $5,000 in damage to the affected computers, the United States relied on the testimony and reports by a number of witnesses. Deva Veerasamy, an information systems employee at Toyota, testified he spent a significant amount of hours diagnosing and repairing the problems caused by [his] actions. Tom Cantrell, a supervisor at Toyota, testified to the hundreds of hours employees within his department worked to repair the damage. Although these witnesses did not quantify the exact cost of the many hours of labor expended, the United States introduced Exhibit 6 to make such a quantification. Exhibit 6 provided a summary of the hours and costs incurred by Cincinnati Bell Technology Solutions (CBTS) and Toyota. 

It did so by displaying the number of hours employees spent working on the problems alongside of each employee's hourly rate. According to this exhibit, the damage caused to Toyota between August 24, 2012 and October 30, 2012 was at least $187,070, far greater than the $5,000 minimum requirement. Moreover, testimony by Toyota employees during trial indicated that Toyota continued to incur costs after October 30, though quantification of these costs was unnecessary given the amount of damage already established at trial.

[Shahulhameed] contends this evidence is insufficient for a rational trier of fact to conclude that the $5,000 threshold was met. He points to the fact that the government failed to introduce `certified business records’ and the fact that Exhibit 6 did `not show what was supposedly worked on, the damage that existed, how said damage was fixed, any description of the work performed or any other illuminating information.’ . . . 

While it might be true that the government could have provided even more evidence to establish the damage at issue, the evidence presented at trial is sufficient on its own for a rational trier of fact to find that the losses exceeded $5,000. Considering the testimony of the various witnesses in conjunction with the summary exhibit of Toyota's costs, and viewing it all in the light most favorable to the government, the evidence was more than sufficient to establish the minimum amount of damage required.

U.S. v. Shahulhameed, supra.  

The judge then took up Shahulhameed’s second argument – that the

evidence does not support a finding that he was `without authorization’ when the programming changes were made because witnesses for the United States testified that his access to Toyota's computer system was revoked sometime between 6:32 a.m. and 7:00 a.m. the morning after the cyber-attack. That is to say, [Shahulhameed] contends he could not have been `without authorization’ if his access had not yet been revoked.

U.S. v. Shahulhameed, supra.  

Again, the judge did not agree.  She found that Shahulhameed

glosses over the testimony by Andrew Sell, [his] supervisor at the employment agency for whom he worked. Sell testified that [Shahulhameed] was terminated from his position at Toyota on the evening of August 23, 2012 at approximately 11:00 p.m. The cyber-attack did not take place until after that termination occurred. [Shahulhameed] dismisses Sell's testimony, calling it `sketchy at best,’ but offers no reason to doubt it. 

Moreover, [his] supervisor at Toyota testified that none of the programming changes made by Shahulhameed were authorized, so even if he retained his access and had not been terminated, the changes he made were `without authorization.’

As the United States correctly explains, [Shahulhameed’s] argument improperly conflates `access itself with the authorization to use access to transmit information, codes, and commands.’ . . . In doing so, [he] relies on several cases that analyze different provisions of § 1030 that make it unlawful to access a computer without authorization. 

But Shahulhameed was not charged with unauthorized access. Rather, [he] was charged under § 1030(a)(5)(A), which makes it unlawful to `cause[ ] damage without authorization.’ 18 U.S. Code § 1030(a)(5)(A).

`No one claimed at trial that the Defendant lacked the ability to access Toyota's computer systems after his termination.’ . . . Instead, and in accordance with the crime charged, evidence was presented to demonstrate that [Shahulhameed] used his access to make unauthorized programming changes that damaged Toyota's computers. Support for this lack of authorization came in several forms, including Sell's testimony that he had been terminated from his position at Toyota and Shahulhameed’d former supervisor who testified that the changes made by [him] were not authorized. The evidence undoubtedly supports a finding by a rational trier of fact that [Shahulhameed] caused damage without authorization.

U.S. v. Shahulhameed, supra (emphasis in the original).  

The judge therefore held that

[v]iewing all of the evidence in the light most favorable to the government, including the testimony by the private forensic investigators and Agent Keown, along with the server logs and [Shahulhameed’s] own testimony that he issued some of the programming commands, a rational trier of fact could reasonably determine that it was Shahulhameed who made these programming changes, which then caused damage to the Toyota servers. The evidence is therefore sufficient to sustain the guilty verdict and [his] motion for acquittal will be denied.

U.S. v. Shahulhameed, supra.

Finally, the judge noted that Shahulhameed

styles his motion as seeking a new trial in the alternative to his motion for acquittal. The motion, however, does not present arguments for a new trial. The Court will therefore construe his motion as arguing for a new trial on the same grounds as for acquittal: that being the manifest weight of the evidence does not support the jury's verdict.

U.S. v. Shahulhameed, supra.

She then explained that the standard for a new trial does

not parallel that for acquittal. When examining a defendant's motion for a new trial, the court may vacate any judgment and grant a new trial if the interest of justice so requires.’ Federal Rules of Criminal Procedure 33(a). `The decision whether to grant a new trial is left to the sound discretion of the district court.’ U.S. v. Pierce, 62 F.3d 818 (U.S. Court of Appeals for the 6th Circuit 1995).

`A district judge, in considering the weight of the evidence for purposes of adjudicating a motion for new trial, may act as a thirteenth juror, assessing the credibility of witnesses and the weight of the evidence.’ U.S. v. Hughes, 505 F.3d 578 (U.S. Court of Appeals for the 6th Circuit 2007). . . . Moreover, `it is widely agreed that Rule 33's “interest of justice” standard allows the grant of a new trial where substantial legal error has occurred.’ U.S.  v. Munoz, 605 F.3d 359 (U.S. Court of Appeals for the 6th Circuit 2010).

U.S. v. Shahulhameed, supra.

The judge then found that

[i]n construing [Shahulhameed’] arguments for acquittal as also supporting a motion for a new trial, the Court finds them without merit.

Although the Court is permitted to act as the thirteenth juror and weigh the evidence in order to determine whether a new trial is necessary, the reasons stated above all support the same conclusion in this alternative motion. The evidence overwhelmingly supports the findings that the losses totaled more than $5,000, that Shahulhameed was without authorization in causing the damage, and that he was the individual behind the cyber-attack. For all of the reasons stated above, the defendant's alternative motion for a new trial will be denied.

U.S. v. Shahulhameed, supra.

She therefore denied his “motion for acquittal, and in the alternative, motion for a new trial”.  U.S. v. Shahulhameed, supra.

Monday, April 28, 2014, Revenge Porn and Immunity

As the news story you can find here explains, in January of 2013,

more than two dozen women filed suit against the administrators of the website - and GoDaddy, the site's host - after nude or  semi-nude photos of the women appeared on the website without their permission. 

As the story also notes, GoDaddy then filed a motion “seeking to be dismissed from the lawsuit”.  As the opinion this post examines explains, the plaintiffs

filed the underlying action on behalf of a putative class of women who allege that other defendants, not a party to this appeal, who owned two `revenge porn’ websites, published sexually explicit photographs of plaintiffs without their permission or consent. GoDaddy, as an interactive computer service provider, hosted the revenge porn websites. . . .

[P]laintiffs admit that GoDaddy did not create the defamatory and offensive material at issue. Plaintiffs argue that because GoDaddy knew of the content, failed to remove it, and then profited from the activity on the websites, GoDaddy is jointly responsible for plaintiffs' damages. In their petition, plaintiffs allege that these revenge websites `engage[d] in the publication of obscenity and child pornography’ in violation of Texas Penal Code. Plaintiffs further allege that GoDaddy hosted the websites despite having knowledge that the developers were engaged in illegal activities.

Plaintiffs assert causes of action against GoDaddy `for intentional infliction of emotional distress, for its severe, extreme, intentional, and unlawful misconduct in violation of the Texas Penal [Code], and for its gross negligence in violation of Texas Penal Code[.]’, LLC v. Toups, 2014 WL 1389776 (Court of Appeals of Texas – Beaumont 2014).  You can, if you are interested, find the original Complaint the plaintiffs filed to initiate the lawsuit here.

As noted above, GoDaddy responded by filing a motion to dismiss the suit pursuant 

to Rule 91a of the Texas Rules ofCivil Procedure. In its memorandum of law filed in support of its motion to dismiss, GoDaddy argued that it is immune from civil liability for plaintiffs' claims under section 230 of the [Communications Decency Act] because GoDaddy is a provider of interactive computer services and cannot be treated as a publisher of content created by a third party.   

Plaintiffs responded that the websites were `”revenge porn” websites’ and by their nature not protected by the 1st Amendment; and, therefore, the website owners were not entitled to immunity under the CDA. Plaintiffs further argued that the CDA does not preempt their state law tort claims. After a hearing, the trial court denied GoDaddy's motion to dismiss., LLC v. Toups, supra.  

GoDaddy then filed a motion under Rule 168 of the TexasRules of Civil Procedure, in which it asked the trial judge to certify the denial of its motion to dismiss to the Court of Appeals., LLC v. Toups, supra.  By doing that, GoDaddy was hoping to have the appellate court either reverse the trial judge’s ruling (which would have ended its role in the suit) or remand the matter to the trial judge to re-determine whether the motion should have been granted.  Litigants usually have to wait until a case has been fully resolved before they can file an appeal, but Rule 168 allows interlocutory appeals.

The Court of Appeals began its analysis of the denial of the motion to dismiss by noting that “[w]e review the trial court's ruling on a question of law de novo.”, LLC v. Toups, supra.  The principle at issue was, again, whether GoDaddy was immune from suit by the plaintiffs, and the parties made essentially the same arguments they made before the trial judge., LLC v. Toups, supra. 

The court began its analysis of the immunity issue by noting that

[t]o support its argument that it is entitled to immunity, GoDaddy relies on the following language in section 230:

`No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.’

47 U.S. Code § 230(c)(1)

The statute defines an `”interactive computer service”’ as “any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet[.]’ Id. § 230(f)(2). The statute defines an ‘”information content provider”’ as `any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.’ Id. § 230(f)(3)., LLC v. Toups, supra.  And, just to reiterate, GoDaddy argued that it is a

provider of an interactive computer service as defined by the CDA, that the content at issue was provided by another information content provider, and plaintiffs' allegations improperly seek to treat GoDaddy as a publisher of the content posted on the websites by third parties.

Plaintiffs argue that GoDaddy is not entitled to immunity because § 230 does not preempt state law intentional torts, and because the immunity provision in § 230 only applies if the website content qualifies for protection under the 1st Amendment. Plaintiffs argue that the CDA `does not protect conduct that is illegal or in violation of a federal or state penal statute.’, LLC v. Toups, supra. 

The Court of Appeals began its analysis of these arguments with the plaintiff’s claim that § 230 does not preempt state law intentional torts: 

[U]nder the facts of this case, we need not decide whether plaintiffs' may bring their intentional infliction of emotional distress claim independently of other recognized theories. All of plaintiffs' claims against GoDaddy stem from GoDaddy's publication of the contested content, its failure to remove the content, or its alleged violation of the Texas Penal Code for the same conduct.

Allowing plaintiffs' to assert any cause of action against GoDaddy for publishing content created by a third party, or for refusing to remove content created by a third party would be squarely inconsistent with § 230See 47U.S. Code § 230(e)(3) (`[N]o liability may be imposed under any State or local law that is inconsistent with this section’).  See also Zeran v. American Online, Inc., 129 F.3d 327 (U.S. Court of Appeals for the 4th Circuit 1997) (concluding that the distributor theory of liability was `merely a subset’ of publisher liability, the court held that AOL was immune from suit for claims that it was liable as a distributer when AOL was given notice of defamatory content posted by a third party and unreasonably delayed removing it from the website)., LLC v. Toups, supra.  In a footnote, the court pointed out that “allowing plaintiffs to bring a private cause of action against GoDaddy for its alleged violations of the Texas Penal Code would be contrary to legislative intent.”, LLC v. Toups, supra (citing 47 U.S. Code § 230(a)).

The court therefore held that

[b]ecause GoDaddy acted only as an interactive computer service provider and was not an information content provider with regard to the material published on the websites, plaintiffs cannot maintain claims against GoDaddy that treat it as a publisher of that material. Moreover, plaintiffs cannot circumvent the statute by couching their claims as state law intentional torts., LLC v. Toups, supra. 

The Court of Appeals then took up the plaintiffs’ argument that GoDaddy

cannot receive immunity under § 230 for publishing content that is unlawful or unprotected by the 1st Amendment. Plaintiffs contend the website's content does not qualify for 1st Amendment protection as legal pornography, and the CDA `was never intended to bless criminal activities occurring on websites.’ Plaintiffs fail to cite to any authority that supports their position that only constitutionally protected content gives rise to immunity under § 230., LLC v. Toups, supra. 

The court pointed out, however, that

[t]here is no provision in the CDA that limits its application to suits involving constitutionally protected material. See 47 U.S. Code § 230. Reading such an exception into the statute would undermine its purpose.

`The amount of information communicated via interactive computer services is ... staggering. The specter of tort liability in an area of such prolific speech would have an obvious chilling effect. It would be impossible for service providers to screen each of their millions of postings for possible problems. Faced with potential liability for each message republished by their services, interactive computer service providers might choose to severely restrict the number and type of messages posted. Congress considered the weight of the speech interests implicated and chose to immunize service providers to avoid any such restrictive effect.’, LLC v. Toups, supra (quoting Zeran v. American Online, Inc., supra.)

The Court of Appeals also noted that in 47 U.S. Code § 230(b), Congress articulated the "specific policies" behind the adoption of the CDA:

`It is the policy of the United States—

(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;

(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;

(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;

(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children's access to objectionable or inappropriate online material; and

(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer.’

47 U.S. Code § 230(b). A construction of the CDA that yields a broad application of its provisions, without regard to the nature of the content at issue, is supported by its stated policies. See id., LLC v. Toups, supra. 

The Court of Appeals also pointed out that in Doe v. Bates, 2006 WL 3813758 (U.S.District Court for the Eastern District of Texas 2006), the federal judge explained that

`Section 230 does not, as [p]laintiffs propose, provide that an intentional violation of criminal law should be an exception to the immunity from civil liability given to internet service providers. Such a finding would effectively abrogate the immunity where a plaintiff simply alleged intentional conduct. Instead, “lawsuits seeking to hold a service provider liable for its exercise of a publisher's traditional editorial functions-such as deciding whether to publish, withdraw, postpone or alter content-are barred.”’, LLC v. Toups, supra.  In the Bates case, the judge also found that “Congress decided not to allow private litigants to bring civil claims based on their own beliefs that a service provider's actions violated the criminal laws”, and therefore  “granted Yahoo's motion to dismiss plaintiffs' claims and dismissed the case with prejudice.”  Doe v. Bates, supra (quoted in, LLC v. Toups, supra). 

The Texas Court of Appeals therefore found that the plaintiffs’ “contention that GoDaddy is not entitled to immunity from plaintiffs' state law claims because of the alleged obscene or unlawful nature of the material posted on the websites is without merit.”, LLC v. Toups, supra. 

 It therefore held that because the plaintiffs

seek to hold GoDaddy liable as the publisher of the contested website content; therefore, plaintiffs' claims are barred under 47 U.S. Code § 230. Even taking plaintiffs' allegations as true, plaintiffs' have failed to state a viable claim against GoDaddy., LLC v. Toups, supra.  So it reversed the trial judge’s order denying GoDaddy’s motion to dismiss and remanded “the cause to the trial court for entry of judgment in favor of, LLC and for further proceedings consistent with this opinion.”, LLC v. Toups, supra. 

Friday, April 25, 2014

The Flash Drive, “Kiddie Porn” and the Motions to Suppress

After he was convicted of “fifteen counts of sexual exploitation of a minor and four counts of molestation of a minor” in violation of Arizona law, David William Curtis, Jr., appealed.  State v. Curtis, 2014 WL 1319513 (Arizona Court of Appeals 2014). (The opinion does not cite the statues involved, but they appear to be Arizona Revised Statutes § 13-3553 and Arizona Revised Statutes § 13-1410.)  

After Curtis was convicted, the trial judge “sentenced him to ten years on each count, to be served consecutively, for a total of 190 years in prison.”  State v. Curtis, supra.  The news story you can find here provides a little more detail on the facts involved in the case.

Curtis, “an attorney, represented himself at trial”, which may account for the fact that he raised a number of issues on appeal, some of which involved the trial judge’s failure to grant any/all of the motions to suppress he filed prior to trial.  State v. Curtis, supra.  This post examines the arguments he made in support of two of those motions, the judge’s ruling and the Court of Appeals’ review of those rulings.  State v. Curtis, supra.  

This, according to the Court of Appeals, the charges in the case

arose from a private citizen's discovery of a flash drive in the parking lot of the Tempe Marketplace in May 2009. The flash drive contained multiple images of child pornography and was linked to Curtis. Further investigation resulted in the seizure of additional such images on digital media from Curtis' home and a car parked in his home driveway, including images depicting Curtis molesting a child. . . .

Curtis testified at trial, [saying] he did not recall seeing the images that formed the basis of the first ten counts in the indictment, but he had possessed items similar to the charged images in the course of representing clients facing criminal charges and in child-protection and custody cases. Curtis testified that he had had no such cases involving similar images after 2005, and had destroyed a chart linking evidence to the specific clients when he retired from the active practice of law in 2006.

Curtis testified that none of the images had sexual stimulation as their purpose, he had never molested the child depicted in the images charged in Counts 12, 14 and 16, and the images in Counts 18 and 20, which gave rise to associated molestation counts, did not depict either him or the child identified as the victim. Curtis also testified that someone else might have planted the evidence for many of the counts.

State v. Curtis, supra.  

Curtis argued that the trial judge erred in denying his first motion to suppress, which

sought to suppress evidence discovered in an initial warrantless police search of a computer flash drive. The flash drive was found in a parking lot at the Tempe Marketplace by a private individual, who turned it over to the police after discovering what he described as `kiddie porn’ on [it].

Curtis argues the police lacked proper cause to conduct a warrantless search of the flash drive, that the warrantless search was impermissible because it differed from and exceeded the scope of the preceding private search by the individual who found the flash drive and that the warrantless search should not have been allowed to determine ownership of the flash drive.

State v. Curtis, supra.  

The Court of Appeals began its analysis of Curtis’ arguments by noting that the

4th Amendment guarantees the right to be secure against unreasonable searches and seizures, and provides no warrants shall issue except upon probable cause. . . . `A “search” occurs when an expectation of privacy that society is prepared to consider reasonable is infringed.’ U.S. v. Jacobsen, 466 U.S. 109 (1984). Although a person retains no privacy interests in abandoned property, . . . a person retains some privacy interests in lost or misplaced property, which are outweighed by the government's interest in identifying and returning the property to its owner. . . .

The 4th Amendment has no applicability to a search by a private individual not acting with the knowledge of, or as an agent for, the government. U.S. v. Jacobsen, supra.  The government's subsequent searches are permissible to the extent they do not exceed the scope of the private search and thus do not `infringe any constitutionally protected privacy interest that had not already been frustrated as the result of private conduct.’  U.S. v. Jacobsen, supra.  

A government official's search of a computer disk does not exceed the scope of the prior private search simply because the government official examines more files than did the private party. U.S. v. Runyan, 275 F.3d 449 (U.S. Court of Appeals for the 5th Circuit 2001). . . .

State v. Curtis, supra.  

The Court of Appeals noted that “[b]ased on the evidence and argument” presented at

the four-day evidentiary hearing, the superior court found the flash drive had been lost or misplaced, not abandoned. The court found a private party discovered the flash drive in a parking lot at the Tempe Marketplace and turned it over to police after reporting that he saw what he perceived to be “kiddie porn” on the flash drive.

The court found that a police detective opened folders on the flash drive to determine whether the photographs viewed by the private party were in fact prohibited under Arizona law. The court further found that the objectionable material was apparent as soon as the detective viewed the folders on the flash drive. The court also found that the detective's warrantless search of the flash drive was no more extensive than the private party's search.

The superior court did not abuse its discretion in finding that the detective's warrantless search of the flash drive was no more extensive than the search conducted by the private party. The private party testified that he saw thumbnail views of `kiddie porn’ after he viewed several folders on the flash drive.

The detective who conducted a review to determine if images on the flash drive were prohibited under Arizona law testified that he quickly scrolled through thumbnail views of the contents of two folders before he opened a folder that displayed thumbnail views of at least four images of child pornography.

The detective exited the program as soon as he confirmed child pornography was present on the flash drive. He later confirmed that child pornography was present in only that one folder, which contained 24,000 images, the majority of which was child pornography.

On this record, the superior court did not err in finding that the detective's search of the flash drive was no more extensive than that of the private party. . . . For these reasons, the detective's warrantless search of the flash drive . . .  did not violate Curtis' 4th Amendment rights. . . .

State v. Curtis, supra.  

Curtis also argued that the Superior Court Judge who presided over his case

erred in denying his fifth motion to suppress, which claimed the police conducted a warrantless search of a portable hard drive discovered on the front passenger seat of a Honda Civic parked in his home driveway after the car had been towed to a police impound lot. Curtis argues on appeal that the search warrants issued for the car and his residence did not cover the portable hard drive found in the Honda Civic and a CD found in a Fujitsu laptop computer in his bedroom, and the evidence therefore should have been suppressed.

State v. Curtis, supra.  

The Court of Appeals began its analysis of Curtis’ arguments by noting that

[b]ecause Curtis did not ask the superior court to suppress the evidence discovered in a search of the CD found in the Fujitsu laptop computer on the basis he raises on appeal, he bears the burden of demonstrating that any error was fundamental error resulting in prejudice.

State v. Curtis, supra.  As I noted in a recent post, appellate courts tend to find, absent countervailing factors, that litigants who did not raise an issue at the trial court level are barred, under a theory of waiver or forfeiture, from raising it for the first time on appeal.

The Court of Appeals then explained that the

initial search warrant for Curtis' residence and the Honda Civic authorized police to examine and impound the car to ascertain if its interior matched photographs found on the flash drive and to seize computers and digital media found in the car and at the residence for later search by forensic examiners for evidence of images of the sexual exploitation of minors in violation of Arizona Revised Statutes § 13–3553(A).

A second search warrant judicially approved later in the day authorized the search and impoundment of a Hyundai that Curtis was driving the day of his arrest.

A third search warrant judicially approved the following day authorized police to search digital media and computers seized from the residence or the vehicles as identified in an attached Exhibit A. The detective who prepared the search warrants testified that he obtained the third warrant as a `precautionary’ measure and inadvertently omitted the portable hard drive from Exhibit A discovered earlier that day in the Honda Civic.

State v. Curtis, supra.  

The Court of Appeals found that the Superior Court Judge

concluded that the initial search warrant covering the Honda Civic and Curtis' residence properly allowed the search of any seized digital media, including the late-discovered portable hard drive (notwithstanding the technical error in omitting that late-discovered portable hard drive from the list of seized items to be searched in Exhibit A to the third warrant). On appeal, Curtis has shown no error in the superior court's conclusion.

State v. Curtis, supra.  

It also noted that the “same analysis” applied to the

search of the CD in the Fujitsu laptop computer seized from Curtis' bedroom, which was not discovered until sometime after the computer was seized. `[O]nce an item in an individual's possession has been lawfully seized and searched, subsequent searches of that item, so long as it remains in the legitimate uninterrupted possession of the police, may be conducted without a warrant.’ U.S. v. Burnette, 698 F.2d 1038 (U.S. Court of Appeals for the 9th Circuit 1983).

State v. Curtis, supra.  

The Court of Appeals therefore found that, in this case,

police lawfully seized the Honda Civic and the laptop computer pursuant to the first warrant to allow time and a secure venue for a subsequent, more thorough search, including a comparison of the interior of the Honda Civic to the background of certain photographs, and to allow a forensic search of computers and other digital media.

Because the portable hard drive and the CD in the Fujitsu laptop computer were discovered while the items were in the uninterrupted possession of the police pursuant to their execution of the first warrant, it was not necessary for police to obtain another warrant to conduct these searches.

Under these facts and circumstances, the superior court did not err in refusing to suppress the evidence found on the portable hard drive, or fundamentally err in failing to suppress the evidence found on the CD discovered in the Fujitsu laptop computer.

State v. Curtis, supra.  

For these and many other reasons, the Court of Appeals rejected the various arguments Curtis made on appeal and therefore affirmed his “convictions and resulting sentences.”  State v. Curtis, supra.