Wednesday, June 17, 2009

Ghosts, Contraband and Seeking the Return of Seized Property

I’ve done several posts about trying to get the government to return computers and computer storage media it seized while executing a search warrant or pursuant to an exception to the 4th Amendment’s warrant requirement.

As I explained, someone whose computer equipment was seized can file a motion for return of property to try to get it back. The motion can be filed by someone who was never charged with a crime or by someone who was charged based on evidence found in the seized property. When a person who was never charged files a motion for return of property, he’s essentially saying the government is holding onto his stuff for no reason. In other words, if there’s no criminal case, the government doesn’t need it.

Someone who is being prosecuted based on evidence found in property seized from him usually begins by moving to suppress the evidence found in that property because his primary goal is to make it as difficult as possible for the prosecution to convict him. But those who have been charged can also file motions for the return of their property; they usually do this when the criminal case seems to be at an end, i.e., when the defendant has pled guilty or been convicted and has been sentenced. The rationale for the motion is that while the government needed the property while the case was pending, the case is over and the government’s authority to retain it has been exhausted.

One more bit of preface and we’ll get to the case this post is about: As I noted in a recent post, whether seized property will be returned to its owner depends to a great extent on whether it’s “evidence” or “contraband.” If it’s evidence, you have a chance at getting the property back because, as I noted above, the government is only authorized to keep evidence as long as it has some need for it, i.e., while the case is pending. But if the property is contraband (child pornography, say), you have no chance of getting it back because it’s illegal to possess that kind of property.

This brings us to Genao v. U.S., 2009 WL 1033384 (U.S. District Court for the Southern District of New York 2009). In 2005, a jury convicted Ismael Genao of “advertising child pornography in interstate commerce in violation of 18 U.S. Code § 2251(c) and transporting child pornography in interstate commerce in violation of 18 U.S. Code § 2252A(a)(1).” U.S. v. Genao, 224 Fed. Appx. 39 (U.S. Court of Appeals for the Second Circuit 2007). The criminal case began when, on the morning of March 6, 2003, Agent
Andrews of the [FBI] . . . used a computer in her office to access a chat room on the Internet Relay Chat. While on the IRC, Agent Andrews went to a chat room named `100reTeenGirlSexPics’ that she knew from her experience was dedicated to child pornography. Upon going to that chat room, Agent Andrews saw that file servers. . . had posted advertisements seeking to exchange child pornography.
U.S. v. Genao, supra. Andrews stayed online investigating two servers that seemed to be offering child pornography; she signed off after she “download[ed] seven images of children engaged in sexually explicit conduct” from one of them. U.S. v. Genao, supra. Andrews traced the images to an account owned by Genao and on “April 14, 2003, the FBI executed a search warrant” at his apartment in Yonkers, “where agents seized Genao’s computer and multiple computer hard drives.” U.S. v. Genao, supra.

Genao was convicted on both counts, sentenced and appealed his conviction to the Second Circuit Court of Appeals; on March 16, 2007, the Court of Appeals upheld the conviction. On September 1, 2008, he filed a motion seeking the return of property the FBI seized from his home. The property he sought fell into several categories, but we’re only concerned with three of them: “(1) one computer with two hard drives, (2) two separate external hard drives, (3) 118 compact discs”. Genao v. U.S., supra. In ruling on Genao’s motion, the federal district judge noted that Genao and the FBI agreed that
the hard drives . . . are contraband, in that they contain encrypted files containing child pornography. The government contends that the three CDs (numbered QNY31, QNY 33 and QNY 34) seized by the FBI contain what were described at trial as Ghost Image files, which would allow a user to restore encrypted information from the hard drives. The Government argues . . . that . . . the CDs numbered QNY31, QNY33, and QNY 34, cannot be returned to Plaintiff because they are contraband.
Genao v. U.S, supra. As to the Ghost Image files, the judge noted that they are
`used to copy a partition or hard drive into one huge file so it can be restored. If a hard drive should go bad or if a partition should go bad, the operating system or whatever it was on, that partition can be restored rather quickly.’ There were password protected Ghost files on several of the CDs but not the password for the encrypted material.
Genao v. U.S., supra. Genao responded to the FBI’s contraband claim by claiming
evidence at trial showed (1) that the FBI has cracked the password on the Ghost files . . . on some of the CDs and (2) that an FBI agent testified that `no contraband was found in said Ghost files.’ Plaintiff asks the Court to order the Government to produce FBI Agent Friesen and Assistant United States Attorney Collins . . . to testify at a hearing that the FBI opened and checked each Ghost file found on . . . the CDs and found no such contraband. Plaintiff further requests that he participate in the hearing by telephone.
Genao v. U.S., supra. The FBI opposed Genao’s request for a hearing: “First, the Government contends that it is reasonable to assume that the Ghost Image Files may indeed contain child pornography, and second, it would take the FBI two or three years conduct this particular forensic examination in preparation for the proposed hearing by Plaintiff.” Genao v. U.S., supra. And the FBI won:
Agent Friesen did testify . . . that someone . . . had cracked the password on the some of the encrypted Ghost Image Files and provided the password to him. However, he also testified that when representatives of the Government tried this password on files that were encrypted by PGP (`Pretty Good Privacy’), they could not open the files. Thus, the Court has been presented with no trial testimony . . . that these encrypted CDs do not contain contraband. Since the encryption would only serve to hide an illegal activity, there is a strong presumption that the encrypted CD's are contraband.

Furthermore, in his complaint, [Genao] acknowledged that the hard drives containing the encrypted material . . . should not be returned to him. Since the CDs containing encrypted materials (QNY31, QNY33, and QNY34) can be used to restore the images encrypted on the hard drives . . . there is strong circumstantial evidence that the encrypted Ghost Image Files on CDs QNY31, QNY33, and QNY34 contain images [he] encrypted in an attempt to hide his alleged activity. The Court finds that the CDs contain contraband, and since [Genao] has offered no evidence to show that the encrypted materials on CDs QNY31, QNY33, and QNY34 do not contain pornographic materials, denies [his] demand for a hearing and dismisses [his] claim for return of those CDs.
Genao v. U.S., supra.

So Genao lost because he couldn’t prove the encrypted data on the CDs did not include child pornography. I find that interesting because according to the leading expert on 4th Amendment law, when someone moves for the return of property AFTER the criminal case is over (as it was here), the government has the burden of proving that the property should not be returned because it’s contraband. Wayne R. LaVafe. Search and Seizure: A Treatise on the Fourth Amendment § 11.2(i) (4th ed. Thomson West 2008). He cites a couple of U.S. Court of Appeals cases which held that once the criminal case is over, the person from whom the property was seized is presumed to have a right to its return; to overcome that presumption, the government has to prove, by a preponderance of the evidence, that it cannot be returned because it’s contraband.

Did the government do that here? The federal judge seems to have relied on another presumption – the presumption that the only reason to use encryption is to hide illegal activity – to find that it did. I don’t know what I think of that result.

It’s an interesting issue: If the government seizes my property and I move to have it returned, either because I haven’t been charged or because I’ve been charged and convicted, can the government justifiably defeat my motion by showing that there are encrypted files on the computer and that, inferentially, the only reason to encrypt files is to conceal evidence of illegal activity? Do I have to give up the encryption key and let the government examine the files to prevail on my motion and get my property back?

4 comments:

Wes said...

Very concerned about the fact that there seems to be a presumption that encryption means illicit behavior. I am sure most companies around the globe will be happy to hear that they are suddenly subject to this presumption or do they get an exception because they are companies and this guy was already a criminal?

Susan Brenner said...

I agree (as to being concerned that the use of encryption can give rise to a presumption of illegal activity).

I'm sure companies will be treated differently, at least unless they, too, are suspected of being involved in illegal activity. I guess the theory theory would be that they're presumed NOT to be involved in illegal activity . . . unless and until evidence surfaces showing that they are . . . ?????

Anonymous said...

I assume that the reason the defendant cannot provide the decryption keys is because the drives contain additional incriminating evidence?

In this case, it does not seem that the use of encryption is what is giving rise to the presumption of illegal activity -- it's the fact that this equipment was seized because it was being used for an illegal activity, one that the defendant was convicted of. It does not appear his conviction had anything to do with encryption -- it appears based on actual evidence, not the possibility of evidence.

I guess what I'm saying is, this seems a lot different than "guilt by reason of encryption." In your example of a corporation, how do you think it would look if the corporation refused to decrypt data for the government? How is that different than Enron shredding documents? Given the facts at hand (i.e. actual conviction) I guess I don't see the big deal with requiring the government actually search the data before handing it back. This is no Steve Jackson Games, where the government is holding onto computers when there was no conviction.

Anonymous said...

Seems awfully odd to me that, encryption or not, the entire mediums are considered contraband instead of the relevant data. Power does what it wants, I guess.