Wednesday, November 08, 2006

Seeking the Return of Seized Computers

In my last post, I talked about the provision in Rule 41 of the Federal Rules of Criminal Procedure which requires that a search warrant be “executed” within 10 days of being issued. Today I want to talk about a related issue: seeking the return of computer equipment that has been seized pursuant to a search warrant.

The usual dynamic under the Fourth Amendment for computer equipment is that law enforcement officers (a) get a warrant to seize and search computer equipment, (b) seize the equipment, analyze it and find evidence that is used to prosecute the owner for various crimes and (c) the owner moves to suppress that evidence on the grounds that the seizure and/or search of the computer somehow violated the Fourth Amendment. This is the dynamic we’re all used to: the operation of the Fourth Amendment’s exclusionary rule.

There is another, less well-known dynamic, one that arises under Rule 41(g) of the Federal Rules of Criminal Procedure. Rule 41(g) says that someone “aggrieved by an unlawful search and seizure of property or by the deprivation of property may move for the property's return.” If the party filing the motion shows good cause for the property’s being returned, the court will enter an order to that effect.

Motions for return of property are filed when the property at issue is, like computer equipment, not itself contraband but has been seized because it contains contraband (child pornography, say) or evidence of a crime (identity theft, extortion, hacking, etc.). The premise behind filing a Rule 41(g) motion in this context is that the computer was seized so the government could search it and find the evidence it contained; it has now been searched, the government has found and acquired the relevant evidence, so the computer should be returned to its owner.

This was the basis of a motion to return filed by a law firm in Massachusetts some years ago. As reported in Commonwealth v. Ellis, 10 Mass. L. Rptr. 429, 1999 WL 815818 (Mass. Super. 1999), law enforcement officers executing a search warrant at the firm’s office seized computers, back-up tapes and a printer to be searched off-site. After some time had passed, the law firm moved for the return of the seized property, arguing that the searches had been completed. The court denied the motion because it found that the government’s retaining the equipment was “reasonable” under the circumstances, the primary circumstance being that it had been (allegedly) used in the commission of crimes.

In People v. Lamonte, 61 Cal. Rptr. 2d 810 (Cal. App. 1997), on the other hand, the appellate court held that the defendant’s motion for the return of his computer should have been granted. This court explained that though the computer “may have” been used in committing a crime, it was not contraband, i.e., it itself was “not illegal to possess.”

These cases illustrate the traditional process of moving for return of seized property – a scenario I will call the “zero-sum seized property scenario.” In this scenario, the government has seized someone’s tangible property and, by retaining it, is completely depriving them of its possession and use. Only the government or the owner can have a computer, not both.

A new scenario – a non-zero-sum seized property scenario – has emerged over the last few years. This scenario arises when, as is common, the government makes a copy, a mirror image, of a computer hard drive or other storage media and uses the copy for its analysis. What happens when the owner of the computer hard drive files a motion for the return of the copy of the hard drive?

This happened, for example, in Florida earlier this year. In the Matter of the Application of the United States for a Search Warrant, U.S. District Court – Middle District of Florida (Case No. 05-3113-01). Federal agents executed a search warrant at a business and made mirror images of the data contained in 3 laptop computers, 4 CPUs, two servers and 3 RAID drives. They took the copies away to be analyzed and, after some time had passed, the business moved for the return of all the data on the copies that was not relevant to the criminal investigation.

This is quite common; given the complexity and capacity of computer storage devices, they can contain a great deal of information that is irrelevant to the criminal investigation being conducted. And, as the business pointed out in this case, the irrelevant data is not within the scope of the warrant that justified the making and seizure of the copies; since it is not within the scope of the warrant, it seems its retention by the government would violate the Fourth Amendment.

That is what the business argued in the Florida case. The government’s response was that it should be allowed to retain the mirror images – in their entirety – “indefinitely” so they could be used to “authenticate seized information” and to conduct further searches, if necessary. An expert informed the court that the government should not need to retain the mirror images for authentication purposes, because a hash analysis of the mirror images could be used for that purpose. The government countered that, “for the last several years” it had been the practice among at least some U.S. Attorneys’ offices to retain mirror images of hard drives and other media “throughout the investigation and prosecution of the case.”

The District Court for the Middle District of Florida disagreed. It held that “the United States cannot, consistent with the Fourth Amendment, retain computer storage devices that contain data outside the scope of a search warrant after a search is completed, unless the computer storage devices have themselves been seized as instrumentalities or evidence of a crime or as contraband. . . . The United States should not, therefore, continue to take the cavalier attitude that it may retain computer storage devices throughout an investigation and prosecution without specific court authorization to do so.”

So this court, anyway, said the government cannot retain copied data that is not within the scope of the warrant used to copy computer storage media unless that data is relevant to an investigation. It also indicated that the owner of the seized computer storage media can seek the return of the data before the investigation has been completed, presumably after the government has been given a “reasonable” amount of time to analyze the seized copies.

I tend to agree with this court, but I suspect other courts may disagree. One of the reasons I find this issue of particular interest is because of a proposal I was asked to review last year. The author of this proposal advanced a system for collecting the data on all storage media copied by the government, pursuant to computer search warrants, and depositing it into a central database. It would then be used for data mining, i.e., to conduct searches intended to identify criminal activity as to which the government was otherwise quite ignorant.

I argued that this was impermissible, that even though the government lawfully copied the data on the seized computer storage media, it cannot use that data for purposes unrelated to the investigation that justified the issue of the warrant authorizing the seizure and copying of the media. It was a rather difficult argument to make, since we have not historically had to deal with this non-zero-sum seized property scenario.

The traditional justification for seeking the return of tangible property is that you need it – you need to use the seized computer in your business or the seized car in your personal life. When the government takes a copy, this argument becomes more difficult, because they can keep the copy without interfering with your ability to use the computer media from which the data was copied.

I still think I’m right, and hope the proposal I note above does not become a reality.


Anonymous said...

No need for a hard drive when you run an operating system (Live) from CD or an IRAM card or typical flashram.

I use NO HARD DRIVE IN THIS MACHINE yet it's running windows and Linux.

Live CDs people LIVE CDs !!!!!!!!!

When they take a machine the first thing they go for is the hard drive.

What if there is no hard drive.
What if the machine is running in dumb terminal mode?
What if all that has been downloaded evaporates when it's turned off.

Try one of these distros some time if you're brave--First boot device must be set to CD in your computer's BIOS.

D@m small linux
Puppy linux---best for newbies--plays DVDs right off the CD all by itself.

There are hundreds of LIVE distros out there that are a full WORKING OS right on the CD without having to load up from a hard drive.

Don't let the government bully you anymore -take back your right to privacy.

Surf from a CD or Flashram-or IRAM.

When you're done save your work to a keychain drive and shut down.

If they take it---they got your machine but not your work.


Anonymous said...

or just use Cleanup! local cops can't crack it. they found nothing on my computer but won't give it back! how do I get it back?

Anonymous said...

Those cleaners-(pseudo security apps) don't work.

yes they erase the cache but the hard drive will reveal that you erased sectors containing some sort of data and what about your paging file ???.
That little --ha ha (file) can balloon up to 3 gigabytes --how long does it take your cleaner to kill off 3 gig of paging space?.....

They will go for the paging file if they can't find any juicy cache to look at.

Trust me it will be there in Windows. I have examined my own equipment using various forensics utilities like (HELIX) or just by looking at the drive in RAW mode using WinHex.

The only way to keep from leaving footprints on your machine is to use a Read only OS--AKA--Live CD
or booting from an IRam card or from a Read only USB device loaded with Puppy Linux.

Want Opera, Firefox, Mozilla?
Want it to function like a Windows machine?

You can now---it's easy to do.
I'm not trying to sell anything here just trying to get people to open their eyes to alternative OS's that Will give you TOTAL PRIVACY.

Anonymous said...

Great article! My computer got seized back in Nov 2007 because my ROOMMATE got in some trouble. It's been almost a whole year and they still haven't given it back. I know there's no evidence and they want to wait until his case goes to trial.

Anonymous said...

Great article! My computer was seized back in November 2007 for some trouble my ROOMMATE got into. It's almost been a year and I consider it "reasonable" time being that there's no evidence on it anyway! I want to take matters into my own hands but I don't know who to talk to.

Anonymous said...

My computer and my girlfriend's were confiscated by the cops in August 2008 along with everything else that was plugged in and could hold data and they still haven't searched it. Sounds like they're so backed up it might be another year before they get a chance to look at it. Bullshit in my opinion, being in college without a PC is horrible.

Anonymous said...

Mrs. Brenner,

Could you please provide a link to the actual case that you mention in this article from the Middle District of Florida (Case No. 05-3113-01)? I can't find it anywhere, and I'm really interested in seeing the particulars of this case.

Thanks in advance...

Susan Brenner said...


I wish I could provide a link, but all I had was a copy of the order (the paper order) issued in the case.

If you'd like a copy of it, you can contact the court and arrange to get it . . . possibly via their PACER (online docket and court documents) system. You can find the court clerk's office via a Google search, then either call or email them, see what you need to do to get a copy of it.

Good luck,

Anonymous said...

Same person as last comment...

Hi there. Thanks for your response. I realize this is an old post. I recently acquired access to the PACER system, but still am having no luck finding this case through a case number search. Do you happen to recall any more details about the case, as in the approximate/exact date this document was produced, or perhaps exactly what court it was filed in (more specifically than the middle district of FL)? Any information would be very helpful, as there are 3,691 pages of cases closed from 01/01/06-10/31/06!

Thanks again in advance!

Anonymous said...

This is the person who was interested in the Middle District of Florida case that you refer to in this article.

The correct case number, for future reference, is 6:05-mj-03113. If your readers were to enter that case number in a PACER search, they would find that document very quickly. The document you refer to, however, is an order on a motion for an extension of time, and it is, for whatever reason, the ONLY non-sealed document pertaining to this case. It does say the case number you referenced, however that case number, for whatever reason, is invalid.

Thanks very much for this, and pretty much every other article you've written! This blog is very informative, and I find myself reading articles from it quite often. They are always informative and very helpful!