Monday, April 07, 2014

Ricin, the iPhone 4 and Search Protocols


This post examines an opinion in which a U.S. Magistrate Judge who sits in the U.S. District Court for the District of Columbia is ruling on the U.S. Department of Justice’s application for “a search and seizure warrant pursuant to Rule 41 of the Federal Rules of Criminal Procedure for an Apple iPhone 4.”  Matter of the Search of Apple iPhone IMEI 013888003738427 (hereafter, “Matter of the Search of Apple iPhone”), 2014 WL 1239702. 

The judge begins the opinion by noting that the Department of Justice’s application is part of its

investigation of Daniel Milzman, a Georgetown University student suspected of creating ricin in his dorm room in violation of 18 U.S. Code§ 175. . . . Pursuant to a search and seizure warrant issued by this Court on March 18, 2014, see In the Matter of the Search of the Premises Located at Georgetown University [REDACTED], Mag. Case No. 14–263 (sealed), the government seized the iPhone at issue. In that warrant, the Court interlineated a requirement that a separate search and seizure warrant must be obtained to actually search the contents of the iPhone.

Matter of the Search of Apple iPhone, supra (emphasis in the original).

He also notes that the Department of Justice “has now returned for that subsequent search and seizure warrant” and, pursuant “to a standard format used by the government, the Application contains an `Attachment A,’ which describes the device to be searched, and Attachment B, which lists the specific data to be seized.”  Matter of the Search of Apple iPhone, supra.  As the judge notes, this is what Attachment B says:

1. All records on the Device described in Attachment A that reference or relate to violations of Title 18, United States Code, Section 175 . . . and involve DANIEL HARRY MILZMAN, including:

a. Records of or information about the Device's Internet activity, including firewall logs, caches, browser history and cookies, `bookmarked’ or `favorite’ web pages, search terms that the user entered into any Internet search engine, and records of user-typed web addresses;

b. Records of activities relating to the operation and ownership of the Device, such as telephone incoming/outgoing call records, notes (however and wherever written, stored, or maintained), electronic books, diaries, and reference materials.

c. Records of address or identifying information for DANIEL HARRY MILZMAN and (however and wherever written, stored, or maintained) contact lists, user IDs, eIDs (electronic ID numbers), and passwords.

d. Any digital images documenting, referencing, or related to the production, storage, or dissemination of biological agents, toxins, or delivery systems;

e. GPS data stored on the Device to include the Device's location and search history;

f. Any records of activity indicative of purchases potentially related to materials used in the production and/or storage of biological agents, toxins, or delivery systems;

g. Evidence of user attribution showing who used or owned the Device during the time the violation described in this warrant is suspected of being committed, such as logs, phonebooks, saved usernames and passwords;

h. Any communications referencing or relating to the production or possession of ricin, to include text messages and e-mails;

2. Records evidencing the use of Internet Protocol addresses, including:

a. Records of specific Internet Protocol addresses used and accessed;

b. Records of Internet activity, including firewall logs, caches, browser history and cookies, `bookmarked’ or `favorite’ web pages, search terms that the user entered into any Internet search engine, and records of user-typed web addresses.

3. As used above, the terms `records’ and `information’ include all of the foregoing items of evidence in whatever form and by whatever means they may have been created or stored.

4. Contextual information necessary to understand the evidence described in this attachment.

Matter of the Search of Apple iPhone, supra.

The Magistrate Judge also notes that “[f]or the first time in this Court's experience, the government has also included a Forensic Analysis section”, which provides as follows:

ELECTRONIC STORAGE AND FORENSIC ANALYSIS

23. Based on my knowledge, training, and experience, I know that electronic devices can store information for long periods of time. Similarly, things that have been viewed via the Internet are typically stored for some period of time on the device. This information can sometimes be recovered with forensics tools.

24. Forensic evidence. As further described in Attachment B, this application seeks permission to locate not only electronically stored information that might serve as direct evidence of the crimes described on the warrant, but also forensic evidence that establishes how the Device to be seized was used, the purpose of its use, who used it, and when. There is probable cause to believe that this forensic electronic evidence might be on this Device because:

a. Data on the storage medium can provide evidence of a file that was once on the storage medium but has since been deleted or edited, or of a deleted portion of a file (such as a paragraph that has been deleted from a word processing file).

b. Forensic evidence on a device can also indicate who has used or controlled the device. This `user attribution' evidence is analogous to the search for “indicia of occupancy” while executing a search warrant at a residence.

c. A person with appropriate familiarity with how an electronic device works may, after examining this forensic evidence in its proper context, be able to draw conclusions about how electronic devices were used, the purpose of their use, who used them, and when.

25. Nature of examination. Based on the foregoing, and consistent with Rule 41(e)(2)(B), the warrant I am applying for would permit the examination of the device consistent with the warrant, noting the following:

a. The examination will be conducted jointly between investigators and an FBI technical review team with subject matter expertise in reviewing and analyzing electronic devices. The length of such examinations will vary greatly depending on the amount of data on the Device and the scope of the search authorized.

b. Traditionally used forensic methods to target information specifically related to an offense, such as keyword searches for related terms, are not compatible with all types of files and applications on the Device. Therefore the examination may require authorities to employ techniques including, but not limited to, computer-assisted scans of the entire medium, that might expose many parts of the device to human inspection in order to determine whether it is evidence described by the warrant.

c. The process of identifying the exact files, application data, registry entries, logs, or other forms of forensic evidence on an electronic device that are necessary to draw an accurate conclusion is a dynamic process. While it is possible to specify in advance the records to be sought, computer evidence is not always data that can be merely reviewed by a review team and passed along to investigators. Whether data stored on the Device to be seized is evidence may depend on other information stored on the Device and the application of knowledge about how the Device behaves. Therefore, contextual information necessary to understand other evidence also falls within the scope of the warrant.

26. Data outside the scope of the warrant. Any information discovered on the Device to be seized which falls outside of the scope of this warrant will be returned or, if copied, destroyed within a reasonably prompt amount of time after the information is identified.

27. Manner of execution. Because this warrant seeks only permission to examine a device already in law enforcement's possession, the execution of this warrant does not involve the physical intrusion onto a premises. Consequently, I submit there is reasonable cause for the Court to authorize execution of the warrant at any time in the day or night.

28. Therefore, it is respectfully requested that the warrant sought by this application explained above, and further authorize a full physical and forensic examination of the seized items at a secure location.

Matter of the Search of Apple iPhone, supra.  The judge notes that the affiant who submitted Attachment B is “Special Agent David Goldkopf of the Federal Bureau of Investigation.” Matter of the Search of Apple iPhone, supra. 

The Magistrate Judge then explains that in

two opinions issued by this Court over the past two weeks, the Court admonished the government to explain how it intends `to search for each thing it intends to seize [and] how it will deal with the issue of intermingled documents.’ In re Search of Black iPhone, 2014 WL 1045812, at *4

The government has made some improvements in its current Application, yet it still fails to satisfy the particularity requirement of what will be searched and fails to fully explain to the Court how much data for which it does not have probable cause will likely be seized. The only way to address these issues is for the government to provide the Court with its search protocol, which would explain how the search will occur.

Matter of the Search of Apple iPhone, supra. 

He then explains that his belief a search procotol is necessary is based in the 4th Amendment, which provides as follows:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
 
The Magistrate Judge then explains that

Items, such as data, can only be seized if there is probable cause to support their seizure. See Coolidge v. New Hampshire, 403 U.S.443 (1971). With respect to the particularity requirement, the Supreme Court has recognized that it `ensures that the search will be carefully tailored to its justifications, and will not take on the character of the wide-ranging exploratory searches the Framers intended to prohibit.’ Maryland v. Garrison, 480 U.S. 79 (1987).

As a result, `the scope of a lawful search is “defined by the object of the search and the places in which there is probable cause to believe that it may be found. Just as probable cause to believe that a stolen lawnmower may be found in a garage will not support a warrant to search an upstairs bedroom, probable cause to believe that undocumented aliens are being transported in a van will not justify a warrantless search of a suitcase.”’ Maryland v. Garrison, supra. . . .  The Court remains concerned that, in its current form, the government's Application violates both of these provisions.

Matter of the Search of Apple iPhone, supra. 

The judge then explained that in the earlier opinions he issued in this case, he was concerned about “the overseizure of data for which there was no probable cause” because, as written “the government's application indicated that it would take and sift through massive amounts of data for which it had no probable cause to seize in the first place.”  Matter of the Search of Apple iPhone, supra.  He found, though, that the current application “has largely, but not entirely, solved this problem” because the government’s position was now that “[a]ny information discovered on the Device to be seized which falls outside of the scope of this warrant will be returned or, if copied, destroyed within a reasonably prompt amount of time after the information is identified.”  Matter of the Search of Apple iPhone, supra.  He noted that a statement in a search protocol to the effect that “the non-relevant data will be deleted from any system images.”  Matter of the Search of Apple iPhone, supra.

The judge also explained that he was requiring a search protocol for another reason: to satisfy the 4th Amendment’s requirement that a warrant “particularly describe” the place to be searched.  Matter of the Search of Apple iPhone, supra.  He noted that in a

broad manner, describing the iPhone and its specific IMEI number certainly describes the `place to be searched’ in a particular manner. But an electronic search is not that simple. An iPhone 4 has either 16 GB or 32 GB of flash memory, which could allow storage of up to around two million text documents. 

Obviously no one -- especially not a college student -- would fill an iPhone with text documents, but it is inconceivable that the government would go file by file to determine whether each one is within the scope of the warrant. Instead, as the government has explained in extremely general terms, it will use some sort of `computer-assisted scans’ to determine where to look because those scans will determine which parts will be exposed `to human inspection in order to determine whether it is evidence described by the warrant.’ Affidavit at 11.

Thus, a sufficient search protocol, i.e. an explanation of the scientific methodology the government will use to separate what is permitted to be seized from what is not, will explain to the Court how the government will decide where it is going to search—and it is thus squarely aimed at satisfying the particularity requirement of the 4th Amendment.

Matter of the Search of Apple iPhone, supra (emphasis in the original).

The judge therefore held that the U.S. government was only being required to

tell the Court what it already intends to do and what it does in every other similar search of an iPhone. The government should not be afraid to use terms like `MD5 hash values,’ `metadata,’ `registry,’ `write blocking’ and `status marker,’ nor should it shy away from explaining what kinds of third party software are used and how they are used to search for particular types of data. 

The Court is not dictating that particular terms or search methods should be used. Instead, the Court is attempting to convey that it wants a sophisticated technical explanation of how the government intends to conduct the search so that the Court may conclude that the government is making a genuine effort to limit itself to a particularized search. . . .

This is the third time the Court has asked the government for this explanation, and the government should provide it. Any concerns about being locked into a particular search protocol are unnecessary for two reasons. First, the government can always return for additional authorization of this Court as needed. Second, the application need only explain that some searches require additional techniques and that what is proposed is merely what the government intends to do at the time it submits its application, based on its experience searching such devices and in light of the particular data it seeks to seize.

Matter of the Search of Apple iPhone, supra (emphasis in the original).

The judge concludes his opinion by noting that “[u]ntil the government actually explains how the search will proceed, and thus how the government intends to limit its search of data outside the scope of the warrant, this warrant cannot be issued.” Matter of the Search of Apple iPhone, supra.  You can, if you are interested, read more about the crime Milzman is suspected of committing in the news story you can find here

You can read more about a court's requiring a search protocol in this prior post

No comments: