This post examines an
opinion in which a U.S. Magistrate Judge who sits in the U.S. District Court for the District of Columbia is ruling on the U.S. Department of
Justice’s application for “a search and seizure warrant pursuant to Rule 41 of the Federal Rules of Criminal Procedure for an Apple iPhone 4.” Matter
of the Search of Apple iPhone IMEI 013888003738427 (hereafter, “Matter of the Search of Apple iPhone”), 2014
WL 1239702.
The judge begins the
opinion by noting that the Department of Justice’s application is part of its
investigation of Daniel Milzman, a Georgetown University student
suspected of creating ricin in his dorm room in violation of 18 U.S. Code § 175. . . . Pursuant to a
search and seizure warrant issued by this Court on March 18, 2014, see In
the Matter of the Search of the Premises Located at Georgetown University
[REDACTED], Mag. Case No. 14–263 (sealed), the government seized the
iPhone at issue. In that warrant, the Court interlineated a
requirement that a separate search and seizure warrant must be obtained to
actually search the contents of the iPhone.
Matter of the Search of Apple iPhone, supra (emphasis in the original).
He also notes that the
Department of Justice “has now returned for that subsequent search and seizure
warrant” and, pursuant “to a standard format used by the government, the
Application contains an `Attachment A,’ which describes the device to be
searched, and Attachment B, which lists the specific data to be seized.” Matter
of the Search of Apple iPhone, supra. As the judge notes, this is what Attachment B
says:
1. All records on the Device described in Attachment A that reference or relate to violations of Title 18, United States Code, Section 175 . . . and involve DANIEL HARRY MILZMAN, including:
a. Records of or information about the Device's Internet activity, including firewall logs, caches, browser history and cookies, `bookmarked’ or `favorite’ web pages, search terms that the user entered into any Internet search engine, and records of user-typed web addresses;
b. Records of activities relating to the operation and ownership of the Device, such as telephone incoming/outgoing call records, notes (however and wherever written, stored, or maintained), electronic books, diaries, and reference materials.
c. Records of address or identifying information for DANIEL HARRY MILZMAN and (however and wherever written, stored, or maintained) contact lists, user IDs, eIDs (electronic ID numbers), and passwords.
d. Any digital images documenting, referencing, or related to the production, storage, or dissemination of biological agents, toxins, or delivery systems;
e. GPS data stored on the Device to include the Device's location and search history;
f. Any records of activity indicative of purchases potentially related to materials used in the production and/or storage of biological agents, toxins, or delivery systems;
g. Evidence of user attribution showing who used or owned the Device during the time the violation described in this warrant is suspected of being committed, such as logs, phonebooks, saved usernames and passwords;
h. Any communications referencing or relating to the production or possession of ricin, to include text messages and e-mails;
2. Records evidencing the use of Internet Protocol addresses, including:
a. Records of specific Internet Protocol addresses used and accessed;
b. Records of Internet activity, including firewall logs, caches, browser history and cookies, `bookmarked’ or `favorite’ web pages, search terms that the user entered into any Internet search engine, and records of user-typed web addresses.
3. As used above, the terms `records’ and `information’ include all of the foregoing items of evidence in whatever form and by whatever means they may have been created or stored.
4. Contextual information necessary to understand the evidence described in this attachment.
Matter of the Search of Apple iPhone, supra.
The Magistrate Judge
also notes that “[f]or the first time in this Court's experience, the
government has also included a Forensic Analysis section”, which provides as
follows:
ELECTRONIC STORAGE AND FORENSIC ANALYSIS
23. Based on my knowledge, training, and experience, I know that electronic devices can store information for long periods of time. Similarly, things that have been viewed via the Internet are typically stored for some period of time on the device. This information can sometimes be recovered with forensics tools.
24. Forensic evidence. As further described in Attachment B, this application seeks permission to locate not only electronically stored information that might serve as direct evidence of the crimes described on the warrant, but also forensic evidence that establishes how the Device to be seized was used, the purpose of its use, who used it, and when. There is probable cause to believe that this forensic electronic evidence might be on this Device because:
a. Data on the storage medium can provide evidence of a file that was once on the storage medium but has since been deleted or edited, or of a deleted portion of a file (such as a paragraph that has been deleted from a word processing file).
b. Forensic evidence on a device can also indicate who has used or controlled the device. This `user attribution' evidence is analogous to the search for “indicia of occupancy” while executing a search warrant at a residence.
c. A person with appropriate familiarity with how an electronic device works may, after examining this forensic evidence in its proper context, be able to draw conclusions about how electronic devices were used, the purpose of their use, who used them, and when.
25. Nature of examination. Based on the foregoing, and consistent with Rule 41(e)(2)(B), the warrant I am applying for would permit the examination of the device consistent with the warrant, noting the following:
a. The examination will be conducted jointly between investigators and an FBI technical review team with subject matter expertise in reviewing and analyzing electronic devices. The length of such examinations will vary greatly depending on the amount of data on the Device and the scope of the search authorized.
b. Traditionally used forensic methods to target information specifically related to an offense, such as keyword searches for related terms, are not compatible with all types of files and applications on the Device. Therefore the examination may require authorities to employ techniques including, but not limited to, computer-assisted scans of the entire medium, that might expose many parts of the device to human inspection in order to determine whether it is evidence described by the warrant.
c. The process of identifying the exact files, application data, registry entries, logs, or other forms of forensic evidence on an electronic device that are necessary to draw an accurate conclusion is a dynamic process. While it is possible to specify in advance the records to be sought, computer evidence is not always data that can be merely reviewed by a review team and passed along to investigators. Whether data stored on the Device to be seized is evidence may depend on other information stored on the Device and the application of knowledge about how the Device behaves. Therefore, contextual information necessary to understand other evidence also falls within the scope of the warrant.
26. Data outside the scope of the warrant. Any information discovered on the Device to be seized which falls outside of the scope of this warrant will be returned or, if copied, destroyed within a reasonably prompt amount of time after the information is identified.
27. Manner of execution. Because this warrant seeks only permission to examine a device already in law enforcement's possession, the execution of this warrant does not involve the physical intrusion onto a premises. Consequently, I submit there is reasonable cause for the Court to authorize execution of the warrant at any time in the day or night.
28. Therefore, it is respectfully requested that the warrant sought by this application explained above, and further authorize a full physical and forensic examination of the seized items at a secure location.
Matter of the Search of Apple iPhone, supra. The judge
notes that the affiant who submitted Attachment B is “Special Agent David
Goldkopf of the Federal Bureau of Investigation.” Matter of the Search of Apple iPhone, supra.
The Magistrate Judge
then explains that in
two
opinions issued by this Court over the past two weeks, the Court admonished the
government to explain how it intends `to search for each thing it intends to
seize [and] how it will deal with the issue of intermingled documents.’ In
re Search of Black iPhone, 2014 WL 1045812, at *4.
The government has made some improvements in its
current Application, yet it still fails to satisfy the particularity
requirement of what will be searched and fails to fully explain to the Court
how much data for which it does not have probable cause will likely be seized.
The only way to address these issues is for the government to provide the Court
with its search protocol, which would explain how the search will occur.
Matter of the Search of Apple iPhone, supra.
He then explains that his belief that a search protocol is necessary is based on the 4th Amendment, which provides as follows:
The
right of the people to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not be violated, and no
Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized.
The Magistrate Judge
then explains that
Items, such as data, can only be seized if there is probable cause to support their seizure. See Coolidge v. New Hampshire, 403 U.S. 443 (1971). With respect to the particularity requirement, the Supreme Court has recognized that it `ensures that the search will be carefully tailored to its justifications, and will not take on the character of the wide-ranging exploratory searches the Framers intended to prohibit.’ Maryland v. Garrison, 480 U.S. 79 (1987).
As a
result, `the scope of a lawful search is “defined by the object of the search
and the places in which there is probable cause to believe that it may be
found. Just as probable cause to believe that a stolen lawnmower may be found
in a garage will not support a warrant to search an upstairs bedroom, probable
cause to believe that undocumented aliens are being transported in a van will
not justify a warrantless search of a suitcase.”’ Maryland v. Garrison, supra. . . . The Court remains concerned that, in its
current form, the government's Application violates both of these provisions.
Matter of the Search of Apple iPhone, supra.
The judge then
explained that in the earlier opinions he issued in this case, he was concerned
about “the overseizure of data for which there was no probable cause” because,
as written “the government's application indicated that it would take and sift
through massive amounts of data for which it had no probable cause to seize in
the first place.” Matter of the Search of Apple iPhone, supra. He found, though, that the current
application “has largely, but not entirely, solved this problem” because the
government’s position was now that “[a]ny information discovered on the Device
to be seized which falls outside of the scope of this warrant will be returned
or, if copied, destroyed within a reasonably prompt amount of time after the
information is identified.” Matter of the Search of Apple iPhone, supra. He noted that a statement in a search
protocol to the effect that “the non-relevant data will be deleted from any
system images.” Matter of the Search of Apple iPhone, supra.
The judge also
explained that he was requiring a search protocol for another reason: to
satisfy the 4th Amendment’s requirement that a warrant “particularly
describe” the place to be searched. Matter of the Search of Apple iPhone, supra. He noted that in a
broad
manner, describing the iPhone and its specific IMEI number certainly describes
the `place to be searched’ in a particular manner. But an electronic search is
not that simple. An iPhone 4 has either 16 GB or 32 GB of flash memory, which could allow storage of up to
around two million text documents.
Obviously
no one -- especially not a college student -- would fill an iPhone with text
documents, but it is inconceivable that the government would go file by file to
determine whether each one is within the scope of the warrant. Instead, as the
government has explained in extremely general terms, it will use some sort of
`computer-assisted scans’ to determine where to look because
those scans will determine which parts will be exposed `to human inspection in
order to determine whether it is evidence described by the warrant.’ Affidavit at
11.
Thus,
a sufficient search protocol, i.e. an explanation of the
scientific methodology the government will use to separate what is permitted to
be seized from what is not, will explain to the Court how the government will
decide where it is going to search—and it is thus squarely aimed at satisfying
the particularity requirement of the 4th Amendment.
Matter of the Search of Apple iPhone, supra (emphasis in the original).
The judge therefore
held that the U.S. government was only being required to
tell
the Court what it already intends to do and what it does in every other similar
search of an iPhone. The government should not be afraid to use terms like `MD5
hash values,’ `metadata,’ `registry,’ `write blocking’ and `status marker,’ nor
should it shy away from explaining what kinds of third party software are used
and how they are used to search for particular types of data.
The Court
is not dictating that particular terms or search methods
should be used. Instead, the Court is attempting to convey that it wants a
sophisticated technical explanation of how the government intends to conduct
the search so that the Court may conclude that the government is making a
genuine effort to limit itself to a particularized search. . . .
This
is the third time the Court has asked the government for this explanation, and
the government should provide it. Any concerns about being locked into a
particular search protocol are unnecessary for two reasons. First, the
government can always return for additional authorization of this Court as
needed. Second, the application need only explain that some searches require
additional techniques and that what is proposed is merely what the
government intends to do at the time it submits its application, based on its
experience searching such devices and in light of the particular data it seeks
to seize.
Matter of the Search of Apple iPhone, supra (emphasis in the original).
The judge concludes
his opinion by noting that “[u]ntil the government actually explains how the
search will proceed, and thus how the government intends to limit its search of
data outside the scope of the warrant, this warrant cannot be issued.” Matter of the Search of Apple iPhone, supra. You can, if you are interested, read more about
the crime Milzman is suspected of committing in the news story you can find
here.
You can read more about a court's requiring a search protocol in this prior post.