This is an FBI investigation document from the Epstein Files collection (FBI VOL00009). Text has been machine-extracted from the original PDF file. Search more documents →
FBI VOL00009
EFTA00227381
2265 pages
Page 961 / 2265
Attorney-client privileged material Law enforcement sensitive Mass. L. Rptr. 429, 1999 WL 815818 at •9 (Mass. Super. 1999). The reasonableness of the time period depends on several factors. The Court in Ellis listed some of them: the size of the computer memory; the complexity of the computers' organizational structure, encryption, and password issues; the type of search engine available; the type of documents being searched for; and the resources available to the searching party. Ellis, 1999 WL 815818 at *9. Similarly, the court in Svphers found state police's motion for a one-year extension of time to examine a seized computer "reasonable in light of the anticipated length of the delay," where state police found 64,000 contraband images, some of them encrypted. (The court's opinion did not reveal how difficult it was to break the encryption). See also United States I. Hill, No. 05-50219, 2006 WL 2328721 (9th Cir. Aug. 11, 2006) (examining the complexity and length of the computer forensic process, and concluding that an off-site search of computer media was appropriate and would reduce the intrusiveness of the search process). The Svphers court also noted the delay was reasonable in light of the "overwhelming backlog" of the state police forensics unit. However, relying on backlog arguments alone would create a serious litigation risk. In State'. Zinck, the court excluded evidence taken from the defendant's computer because state police did not initiate their search of the computer until 18 months after taking possession. State I, Zinck, 2005 WL 551447, *2 (N.H. Super. Feb. 4, 2005). Even though "the State claims the Forensic Lab was suffering a backlog and only one technician was available to conduct the search, the State and not the defendant should bear the burden of such resource deficiencies." a The Court held that "police action caused the search to be unreasonably delayed," id. at *4, and suppressed. E. Repeated searching and context Assuming probable cause has not dissipated, the limited case law indicates that the Fourth Amendment allows investigators to conduct additional searches of images in order to gather more evidence that falls within the scope of the warrant. In Triumph Capital, the FBI conducted a thorough search of the hard drive in a laptop computer used by the defendant's general counsel. The criminal charges included a sophisticated bribery scheme, so the significance of particular documents was not always immediately apparent to the special agent conducting the search. The warrant authorized the review of documents that contained any of several listed keywords, although the warrant did not require any specific search methodology. After reviewing several documents, the special agent added his own keyword, "minutes," after seeing that word occur "in close proximity" to a directory listing pertaining to a contract that was relevant to the investigation. The Court rejected a challenge to the special agent's addition of this keyword, holding that he "reasonably and logically believed that the term was related to the [relevant] contract and therefore within the scope of the warrant," and that there was no evidence that the addition of the keyword was "a pretext to conduct a 13 Case No. 08-80736-CV-MARRA P-000961 EFTA00228341
Page 962 / 2265
Attorney-client privileged material
Law enforcement sensitive
fishing expedition or to find documents not listed in the warrant." Triumph Capital, 211
F.R.D. at 63.3
Triumph reflects a recognition that, particularly in the investigation of a case involving
business transactions, investigators will not always appreciate how a particular document
falls within the scope of the warrant without knowledge of the parties, their business, or
their scheme. Consequently, repeated review of the same data on a hard drive may be
necessary in order to determine whether a file is responsive to a warrant. See, United
States'. Brooks, 427 F.3d 1246, 1252 (10th Cir. 2005) ("Given the numerous ways
information is stored on a computer, a search can be as much art as science.")
At least one other court has held that as long as the information was properly
seized at time of seizure, repeated post seizure reviews are allowed. In United States'.
Hough, No. CR-04-20149 RMW, 2006 WL 2255212 (N.D. Cal. Aug. 7, 2006), a
defendant's computer was seized via a lawful parole search, and examined by parole
authorities. Seven months later, after the expiration of his parole, another law
enforcement agency again examined the computer for evidence of child pornography.
The court ruled that a subsequent examination by law enforcement of computer data
already seized and reviewed was appropriate.
However, the courts in Triumph and Hough may have allowed more leniency than
other courts might. In the analogous field of paper document searches, agents tasked
with determining which documents comply with a warrant are not permitted to scrutinize
each document intensely. See supra section I.D. If new evidence is later developed —
perhaps through evidence gathered later in the review of that same computer's data — that
indicates that files investigators originally believed unrelated to the crime may in fact
have evidentiary significance and fall within the scope of the warrant, those files may
then be re-examined to make that determination. For example, an agent may be
reviewing the emails stored on a seized computer and has identified that all emails sent to
a particular email account are relevant because the account is controlled by a conspirator.
Emails to another account are excluded as they appear to be unrelated to the crime. If the
agent later discovers that the second account is actually controlled by the conspirator or
contains evidence related to the warrant, it would be perfectly proper to go back to those
emails to see if any in fact contain evidence of the crime.
F. Examination after return of a warrant
Most courts treat the return on the warrant as a ministerial act, the primary
purpose of which is to "allow for proper identification of property taken byjhe police
under the warrant and to protect the owner's rights therfin." United States
Russell,
156 F.3d 687, 691 (6th Cir. 1998), cjEst United States'. Dudek, 530 F.2d 684, 691 (6th
Cir.1976) (emphasis removed). Indeed, we have not found any reported decision in
3 Also in Triumph, the special agent had copied the laptop's hard drive to an external disk. During his
forensic review, the special agent restored that image "four to six times," occasionally after conducting
"destructive" tests that altered the restored images. 211 F.R.D. at 48. The Court rejected a challenge to
these repeated restorations, holding that the "defendants were not prejudiced by this because the evidence
was 'frozen in tune' when the mirror image was made." 211 F.R.D. at 64.
14
Case No. 08-80736-CV-MARRA
P-000962
EFTA00228342
Page 963 / 2265
Attorney-client privileged material Law enforcement sensitive which evidence wits excluded because of failure to comply with the return requirement. age United States I. Gross, 137 F. Supp. 244 (S.D.N.Y. 1956); Application of Designer Sportswear, Inc., 521 F. Supp. 434 (S.D.N.Y. 1981). In one unpublished district court decision, however, the court ruled that the return of a warrant ended the investigators' authority to search computer evidence and suppressed the results of the post-return examination of the computer. In a second opinion in the Triumph Capital case, the court suppressed two documents taken from the laptop's hard drive after the government failed to prove that it had "seized" those documents before it filed the return on the search warrant. United States'. Triumph Capital Corp. 2003 WL 23319387 (D. Conn. May 21, 2003). (By "seized," the Court appeared to be referring to the forensic investigator's decision to send a particular file to defense counsel for privilege review.) According to the special agent's testimony, he learned during a conversation with the AUSA that part of the crime under investigation involved a fraudulent increase in the valuation of a particular investment. The special agent recalled he had seen two documents that might establish that had occurred. The government turned those documents over to defense counsel for privilege review more than seven months after the return of the warrant. The court held that the government had the burden to prove that those documents had been "seized" prior to the warrant's return. Because the government was unable to prove that, the court suppressed both documents. This decision stands in contrast with the earlier Triumph Capital opinion in which the court noted that after the warrant was returned, the special agent "continued his forensic review" by, among other things, "restorring) the mirror image... so that he could look at data and documents in their original form and context" Triumph Capital, 211 F.R.D. at 53. The court held this was "not analogous to returning to a crime scene to search for additional evidence," in part because "Where is no evidence that he seized additional documents or data after he filed the return." Triumph Capital, 211 F.R.D. at 65. The Triumph opinions treated the return of the warrant as a final deadline, after which the forensic investigator had no authority to continue his search. As the first Triumph opinion put it, "by filing the warrant [the forensic investigator) indicated he had completed what the warrant authorized him to do." Triumph Capital, 211 F.R.D. 31, 53. No other case treats a warrant's return as a final deadline. Most courts recognize that the return of a warrant with an inventory is a "ministerial act." 14, Moreover, the unusual facts of this case, where the court treated disclosure of a document to the defense pursuant to a taint procedure as a seizure, suggest that it is unlikely that other courts will follow the reasoning of the second Triumph Capital decision. In any event, to avoid potential suppression, investigators should file returns that simply indicate the information or hardware devices that were seized (e.g., "image of one Seagate 260 gigabyte hard drive"), rather than a specific list of files found to fall within the scope of the warrant. 15 Case No. 08-80736-CV-MARRA P-000963 EFTA00228343
Page 964 / 2265
Attorney-client privileged material Law enforcement sensitive Issue 3: The computer forensic examination/search process We were asked to address a number of legal and policy questions which arise from the computer forensics process: should the steps taken by automated forensic software be logged; must the scope of the search methodology used by the examiner be the narrowest possible; and, can all seized media be automatically "hashed" to identify known images of child pornography? Generally, while logging may assist the forensic laboratory in supporting its conclusions, the determination whether to enable logging on automated forensic software should be left to the judgment of the forensic examiner and the policies of the forensics laboratory. Because of the complexity of computer forensics, and the ease with which computer data can be deleted or hidden, forensic examiners should, consistent with the language of the warrant, be provided with broad latitude in conducting forensic examinations. Courts are increasingly recognizing the need to provide forensic examiners with wide latitude in the conduct of forensic examination. We believe that in order to avoid general searches that are condemned by the courts, the examiners' discretion should be circumscribed by the particularity of the warrant, not by any forensic methodology prescribed by courts. Prosecutors should discuss with forensic examiners what logging can and cannot do, and its impact on the forensic process, before requesting the use of logging. Finally, while there may be no legal impediment to using computer hashes of known child pornography images to run comparisons against all seized media, we believe that there are important policy reasons for restricting this practice. In our opinion, there is a solid argument that law enforcement may use automated computer forensic software to look for known child pornography images on a computer that is being searched pursuant to a warrant for an unrelated crime. Analogizing from dog-search cases, we believe that courts may find an automated hash-match for known contraband is not a Fourth Amendment search covered by the warrant requirement. However, this legal outcome is not at all certain, and there are a number of significant practical and policy problems that may arise from this practice. For example, even if the practice is theoretically sound, the government must be able to demonstrate that the thousands of "master" hashed images are indeed contraband child pornography. If this cannot be demonstrated, courts are likely to view the hash examination as a search subject to the warrant requirement. We are also concerned that, regardless of its legal foundations, the routine use of such hash comparisons for child pornography in all forensic examinations might be viewed by some courts as an alarming expansion of government intrusion: this could exacerbate already existing tendencies to subject the computer forensic process to unreasonable judicial limitations. A. Logging Many automated computer forensics tools allow for audit tracking. These features keep track of commands that are executed during the analysis of electronic evidence. Logging is permissible, but it is not required during the analysis of a hard 16 Case No. 08-80736-CV-MARRA P-000964 EFTA00228344
Page 965 / 2265
Attorney-client privileged material Law enforcement sensitive drive. There are differing views about whether or not logging is useful to support the evidentiary value of a computer forensic examination. On the one hand, in some cases logging could be used to bolster the forensic examiner's testimony by corroborating what steps were taken. For example, in the second unpublished Triumph Capital case, 2003 WL 23319387 (D. Conn. 2003), the court suppressed two files that had not been sent to defendants through a court-approved privilege review process until seven months after the return of warrant had been filed. Based on this preliminary showing, the court shifted the burden to the government to show that the files had been seized earlier. The court did not credit the agents' somewhat inconsistent stories and therefore suppressed the documents. The court noted that, the forensic examiner "did not keep contemporaneous notes of the steps he took during his search. Had he done so, at least with regard to the seizure of [these two documents], such notes might have corroborated the government's account" Id. at *5 n.9: Obviously, if the forensic software had logged the examiner's actions, it may have provided the corroboration necessary for the government to avoid suppression. On the other hand, logging can cause problems: detailed logs may invite defendants to argue that the examiner exceeded the scope of the warrant or diverged from the warrant's permissible search strategy; raise allegations that the government violated its Brady obligations; challenge an expert's credentials or methodology; or generally sow doubt and confusion. Forensics audit trails can be quite lengthy, and they provide a huge body of complex evidence that must be understood by the prosecutor and agent before trial. In addition, even when the forensic software's default setting is to conduct audit tracking, there is no legal impediment to an analyst's choosing to turn off the logging feature. Moreover, no authority requires the use of the auditiag function in forensics software. The District of Connecticut held in United States I. Triumph Capital Group, 211 F.R.D. 31 (D. Conn. 2002), that the agent "did not violate the warrant or act unreasonably by not running the [forensic backup tool's] audit log when he made the mirror image of the hard drive .. . . Reasonably well trained CART agents are not required to keep detailed, minute-by-minute records of every step they take during a search and [the agent] acted reasonably in not keeping such records." Id. at 48. Ultimately, the decision to use automated logging as part of the forensic process is primarily a judgment of the forensic examiner on the steps which must be taken to reach a scientifically sound and legally defensible conclusion. Prosecutors with views on the subject should consult closely with the forensics examiner to weigh risks and benefits. 17 Case No. 08-80736-CV-MARRA P-000965 EFTA00228345
Page 966 / 2265
Attorney-client privileged material
Law enforcement sensitive
B. Must search method be narrowest or least intrusive?
No authority supports the proposition that the search method used to examine a
computer's hard drive must be the "narrowest" or "least inirusive."4 As a preliminary
matter, it is hard to imagine how to define these terms, impossible to see how an
examiner would ever know, ex ante, if there may be a narrower way to achieve a goal,
and questionable whether a court would be competent to answer these questions.
Moreover, courts have repeatedly approved broad search methodologies where
they sought evidence within the scope of the wa
t. In general ,"[t]he touchstone of the
Fourth Amendment is reasonableness." Florida I. Jimeno, 500 U.S. 248, 250 (1991). In
United States,. Gray 78 F. Supp.2d 524 (ED. Va. 1999), for example, FBI agents
searched four computers pursuant to a warrant in connection with unauthorized computer
intrusions into NIH systems. While following routine FBI procedures, the CART agent
"looked briefly at each of the files contained" on the hard disk, including .jpg files found
in directories entitled "Teen" and "Tiny Teen." Defendant proffered expert testimony
that the tool used by the agent could have been modified to determine, without viewing
the contents of a file, whether it contained pictures or text. The Court refused to hold the
government at fault for not performing this step. "The resolution of the motion to
suppress does not turn on whether [the Agent] conducted the most technically advanced
search possible, but on whether the search, as conducted, was reasonable.... [A]s
computer technology changes so rapidly, it would be unreasonable to require the FBI to
know of, and use, only the most advanced computer searching techniques."
Courts are increasingly recognizing that due to the complexity of the ways in
which computers can store data, and the ways in which data can be hidden on computers,
restrictions based on file types may inappropriately limit the scope of a legitimate search.
In United States I. Adiani 452 F.3d 1140 (9th Cir. 2006), the court observed that
...the warrant arguably might have provided for a "less invasive search of Adjani's [email) 'inbox'
and 'outbox' for the addressees specifically cited in the warrant, as opposed to the wholesale
search of the contents of all emails purportedly looking for evidence • reflecting' communications
with those individuals." Avoiding that kind of specificity and limitation was not unreasonable
under the circumstances here, however. To require such a pinpointed computer search, restricting
the search to an email program or to specific search terms, would likely have failed to cast a
sufficiently wide net to capture the evidence sought. Cf. Ross, 456 U.S. at 821, 102 S.Ct. 2157
("When a legitimate search is under way, and when its purpose and its limits have been precisely
defined, nice distinctions between closets, drawers, and containers, in the case of a home, or
between glove compartments, upholstered seats, trunks, and wrapped packages, in the case of a
vehicle, must give way to the interest in the prompt and efficient completion of the task at hand:').
Moreover, agents arc limited by the longstanding principle that a duly issued warrant, even one
with a thorough affidavit, may not be used to engage in a general, exploratory search. 452 F.3d at
1149-1150.
4 It should be noted that although the government need not use the narrowest or least intrusive search
methodology, some courts in the computer and paper document contexts have required ethodologies that
to some extent limit government discretion amtprotect privacy. See. e.g. United States. Carey, 172 F.3d
1268,1273-75 (10th Cir. 1999); United States 11. Heldt 668 F.2d 1238, 1267 (D.C. Cir. 1982).
18
Case No. 08-80736-CV-MARRA
P-000966
EFTA00228346
Page 967 / 2265
Attorney-client privileged material Law enforcement sensitive In addition, in United States Hill, No. 05-50219, 2006 WL 2328721 (9th Cir. Aug. 11, 2006), the Ninth Circuit addressed narrow versus broad forensic searches when it rejected an argument that law enforcement should have conducted a narrow, on-site search. The court recognized that investigators cannot predict what hardware, software and trained personnel might be required to do a limited search. The court ruled that an in-depth off-site review of the media based upon the warrant was reasonable under the Fourth Amendment, and it rejected any requirement for the warrant to describe the forensic methodology that would be used in the subsequent examination of the seized media. A similar conclusion was reached in United States'. Brooks, 427 F.3d 1246 (10th Cir. 2005). Brooks and other courts have observed that the discretion of the forensic examiner is best circumscribed by the particularity of the warrant, and not by the forensic methodology used to conduct the search. CCIPS supports this holding and recommends that prosecutors resist any attempt by magistrates to impose such requirements. C. Hash-filtering for known child pornography images The FBI has asked whether, after an image is obtained by forensic investigators, the law permits them to use hash filtering to examine hard drives for child pornography when their authorization to search does not include an authorization to search for child pornography? There is a solid argument that law enforcement may use automated computer forensic software to look for known child pornography images on a computer that is being searched pursuant to a warrant for an unrelated crime, provided that (1) the image was lawfully in law enforcement's possession, and provided that (2) the automated search process exposes no images to observation and will inform the investigator only about the presence or absence of illegal child pornography. However, this legal outcome is not at all certain, and there are a number of significant practical and policy problems that may arise from this practice. In the most relevant fact pattern, agents examining a hard drive under the authority of a warrant unrelated to child pornography run a positive hash set match against a database of the hash values of known child pornography. Such databases are maintained by the National Center for Missing and Exploited Children and by the FBI. Hash set matching for known files, such as those found in the operating system, is a built- in operation of most modern forensic tools, including Encase, FTK, and iLook. The proposal here would be to add known child pornography hashes to the current hashes routinely performed during the computer forensics process. A positive match for child / A hash value is a mathematical "signature" of a collection of data, such that it is extremely unlikely that two non-identical collections will share the same hash value. In hash set matching, hash values are computed for files of unknown content, and the results are compared with known hash values for specific files of known content. Hash set matching is often used negatively, to exclude from agent review files irrelevant to an investigation, such as known operating system files. This memo focuses on the positive use of hash set matching: the use of hash set matching to identify known files containing contraband, typically files containing child pornography. 19 Case No. 08-80736-CV-MARRA P-000967 EFTA00228347
Page 968 / 2265
Attorney-client privileged material
Law enforcement sensitive
pornography would then serve as a basis to obtain a new search warrant to search the
hard drive for child pornography.
In our opinion, there is a solid argument that such a procedure does not constitute
an additional "search" under the Fourth Amendment, and thus does not require a warrant
or an exception to the warrant requirement. An investigative technique is a "search"
under the Fourth Amendment only if it invades a privacy interest.
United States
Jacobsen, 466 U.S. 109, 113 (1984) ("[a] 'search' occurs when an expectation of privacy
that society is prepared to consider reasonable is infringed"). Although the procedure
outlined here requires the computer to read every file on the disk into memory, it never
exposes to observation the contents of any file. Consequently, there is a solid argument
that it does not invade any privacy interests in those files, and is not a "search" of those
files under the Fourth Amendment any more than making a backup of the image file
would be a search.
The only information the computer potentially would reveal to the examiner about
the contents of any file is that one file's hash matches a hash of a known child
pornography image. There is an argument that this revelation does not constitute a
search, either, because it is analogous to the use of dogs to sniff for contraband.
The Supreme Court has held that a canine sniff by a narcotics detection dog is not
a search under the Fourth Amendment because it reveals no pvate information other
I
than the presence or absence of contraband. In United States I. Place 462 U.S. 696, 707
(1983), the Supreme Court held that an investigative procedure that (1) "does not expose
noncontraband items that otherwise would remain hidden from public view" and (2)
"discloses only the presence or absence of .. . a contraband item" is not a search. Place
involved the use by DEA agents of a trained narcotics detection dog to sniff a passenger's
luggage at an airport. Although ultimately holding that the warrantless seizure of the
luggage violated the Fourth Amendment, the Supreme Court opined that the dog sniff
itself was not a search. The Court found this investigative technique to be sui generic
because of the "manner in which the information is obtained and in the content of the
information revealed" by the sniff. a
The Court explained:
A *canine snif by a well-trained narcotics detection dog ... does not require opening the
luggage. It does not expose noncontraband items that otherwise would remain hidden front public
view, as does, for example, an officer's rummaging through the contents of the luggage. Thus, the
manner in which information is obtained through this investigative technique is much less
intrusive than a typical search. Moreover, the sniff discloses only the presence or absence of
narcotics, a contraband item.... This limited disclosure also ensures that the owner of the
property is not subject to the embarrassment and inconvenience entailed in less discriminate and
more intrusive investigative methods.
Id.
The Court recently revisited dog sniffs in Illinois
Caballes, 543 U.S. 405
(2005). The case involved a traffic stop for speeding and the issue was whether, absent
any grounds for suspicion that drugs may be found, the use of a dog sniff transforms an
otherwise lawful traffic stop into an illegal seizure. The Court held that the change in
20
Case No. 08-80736-CV-MARRA
P-000968
EFTA00228348
Page 969 / 2265
Attorney-client privileged material Law enforcement sensitive purpose was irrelevant because the dog sniff itself did not infringe a constitutionally protected interest in privacy, citing Place. Id. at 837. The Court had earlier affirmed the use of dog sniffs in vehicle chec ints (although ruling unconstitutional other aspects of the checkpoints) in Indianapolis I. Edmond, 531 U.S. 32, 40 (2000). (Lower courts have spelled out one additional requirement for this test, which is implicit in the Supreme Court precedents: law enforcement agents administering the test "must lawfully be present at the location where the" use of the investigatory tool occurs. United States. Reed, 141 F.3d 644 (6th Cir. 1998).) The reasoning of these dog sniff cases could potentially be extended by courts to hash filtering for known contraband files Because child pornography is contraband, using positive hash set matching to identify known child pornography in a hard drive lawfully in law enforcement's possession could fit into the Place-Jacobsen rubric. First, a positive hash set match "does not expose noncontraband items that otherwise would remain hidden from public view." Place, 462 U.S. at 707. Nothing is revealed to the examiner about files whose hash values do not match a known hash value. Second, positive hash value matching "discloses only the presence or absence of . . . a contraband item." Id. Therefore, following this reasoning, use of hash set matching for child pornography is not a search within the meaning of the Fourth Amendment. Similarly, following the Supreme Court's analysis In Jacobsen, hash set matching for child pornography reveals only whether data is child pornography, "and no other arguably 'private' fact." Jacobsen, 466 U.S. at 123. Therefore, it "compromises no legitimate privacy interest." Id. Nevertheless, there is substantial reason for caution in performing hash set matching for child pornography when searching a computer pursuant to a warrant unrelated to child pornography. Although the hash filtering is arguably not a search conducted pursuant to a warrant, a court may nonetheless treat the hash filtering as part of the search authorized by the warrant that brought the data into law enforcement's possession, and then object to what it deems an attempt by the government to expand the scope of the search. The Supreme Court has warned against "exploratory rummaging in a person's belongings," and it has cautioned that searches pursuant to a search warrant "should be as limited as possible." Coolidge I. New Hampshire, 403 U.S. 443, 467 (1971). When the sole purpose of hash set matching for child pornography is to discover contraband outside the scope of the search warrant, courts may find that these principles have been violated. Ste Carey, 172 F.3d at 1273-75. Courts might also analogize hash set matching for child pornography to the hypothetical use of a narcotics detection dog during execution of a search warrant unrelated to drug activity. For example, when searching a house for child pornography, would it be permissible to bring a dog to sniff for drugs, under the theory that dog sniffs are not searches within the meaning of the Fourth Amendment? Although canine sniffs have been approved in a variety of public contexts, including airport baggage, parking lots, and traffic stops, we are aware of no circuit court case law that addresses the question of whether law enforcement may bring dogs into private spaces when their 21 Case No. 08-80736-CV-MARRA P-000969 EFTA00228349
Page 970 / 2265
Attorney-client privileged material Law enforcement sensitive presence is unrelated to the warrant being executed.° Given the dearth of case law applying the dog-sniff doctrine in the search warrant context, the use of hash filtering for child pornography carries litigation risks. The propriety of hash set matching for child pornography may turn on how broadly courts apply the rule that a test which does nothing more than indicate the presence or absence of contraband does not implicate the Fourth Amendment. In United Slates'. Thomas 757 F.2d 1359 (2d. Cir. 1985), the Second Circuit rejected a broad application of this rule. In particular, it held that a dog sniff outside a private residence implicated the Fourth Amendment. The court distinguished Place by noting the differences between the exterior of a residence and an airport: Thus, a practice that is not intrusive in a public airport may be intrusive when employed at a person's home. Although using a dog sniff for narcotics may be discriminating and unoffensive relative to other detection hods, and will disclose only the presence or absence of narcotics, see United States g metPlace, 103 S.Ct. at 2644, it ranains a way of detecting the contents of a private, enclosed space. Id. at 1367. Other appellate courts have rejected Thomas's attempt to limit the reasoning of Place. See United States Brock, 417 F.3d 692, 696-97 (7th Cir. 2005); United States'. Reed 141 F.3d 644, 650 (6th Cir. 1998); United States Linitenfelter, 997 F.2d 632, 638 (9th Cir. 1993); United States'. Colyer, 878 F.2d 469, 475 (D.C. Cir.I989). For example, in a case in which a dog searching for a possible burglar instead alerted to drugs belonging to the apartment's owner, the Sixth Circuit stated that Thomas "ignores the Supreme Court's determination in Place that a person has no legitimate privacy interest in the possession of contraband." Reed, 141 F.3d at 650. The Sixth Circuit made clear that it would not seek to limit Place: "We now take the opportunity to clarify that a canine sniff is not a search within the meaning of the Fourth Amendment." Id, If hash filtering for child pornography were to be employed, it would be critical to ensure that the files included in the hash set were limited to files known to satisfy statutory and constitutional rules for child pornography. The government must be able to demonstrate that the hashes in the database each correspond to contraband. Some courts might require that the database contain only contraband images; conceivably, other courts ` District courts have affirmed the rule that a dog sniff is not a search in cases involving an arrest warrant and a warrant to inventory property and ascertain its condition. However, neither of these cases raise the "general warrant" issues as clearly as the use of a drug-sniffing dot inside a private space during the execution of a search warrant in a non-drug case. In United States Mcindl, 83 F. Supp.2d 1207 (D. Kans. 1999), officers saving an arrest warrant used a dog to search for persons, but the dog instead alerted to drugs. The court held that lals long as the canine unit is lawfully present when the sniff occurs, the canine will is not a search within the mcanin of the Fourth Amendment." a at 1217 (citation and internal quotation marks omitted). In Tr i , 934 F. Supp. 1217 (D. Col. 1996), customs agents executing an in rem warrant for the purpose of inventorying property and ascertaining its condition brought along a drug-sniffing dog. Rejecting a claim against the officers based on qualified immunity, the court noted that "[p]rior case law clearly held that a dog miff was not a search." 14. at 1223. 22 Case No. 08-80736-CV-MARRA P-000970 EFTA00228350
Page 971 / 2265
Attorney-client privileged material Law enforcement sensitive might tolerate a rate of error in the database that is roughly equivalent to the error rate of typical contraband-sniffing dogs. However, to the extent that a low (or zero) error rate cannot be demonstrated, courts are more likely to view the hash examination as a search subject to the warrant requirement. If a defendant could show that any non-contraband files were mistakenly included in the government's database, he could argue that the basic requirements of the dog-sniff doctrine were not met, as the hash filtering could potentially expose private information other than the presence of contraband. A court could hold that the entire hash-filtering technique, like the thermal imaging in Kyllo I. United States 533 U.S. 27, 38 (2001), is constitutionally impermissible because the technique may reveal personal details in the hard drive that are unrelated to any crime. See also Caballes, 543 U.S. at 410 (distinguishing Kvllo from dog sniffs because the device in ]Cello "was capable of detecting lawful activity" and thus invaded the "legitimate expectation that information about perfectly lawful activity will remain private."). In conclusion, there is a solid argument that law enforcement may use automated computer forensic software to look for known child pornography images on a computer that is being searched pursuant to a warrant for an unrelated crime. However, this legal outcome is not at all certain, and there are a number of significant practical and policy problems that may arise from this practice. Even if there is no legal impediment to using computer hashes of known child pornography images to run comparisons against all seized media, we believe that there are important policy reasons for restricting this practice. The routine use of such hash comparisons for child pornography in all forensic examinations might be viewed by some courts as an alarming expansion of government intrusion. This could exacerbate already existing tendencies to subject the computer forensic process to unreasonable judicial limitations. Issue 4: Returns on computer search warrants We have been asked to examine legal issues relating to the process of returning warrants where electronic media has been seized. We believe that the return requirements of Rule 41(f) are satisfied when the inventory attached to the return contains a general description of the media devices seized. We do not believe that the inventory requirements of Rule 41(0 require the government to identify individual computer files that were seized, copied or inspected. Rule 41(0 requires an officer executing a warrant to "prepare and verify an inventory of any property seized," Rule 41(0(2), and to "return [the warrant}—together with a copy of the inventory—to the magistrate judge designated on the warrant," Rule 41(0(4). "The Rules do not dictate a requisite level of specificity for inventories of seized items," and whether an inventory is sufficiently specific is a question of fact. Matter of Searches of Semtex Indus. Corp., 876 F. Supp. 426, 429 (E.D.N.Y. 1995). When documents are seized, an inventory listing each of them is not required; such "specificity and particularization would not seem to be called for even under an extreme construction of Rule 41" in light ofjts requirement that an inventory be "promptly" filed with the magistrate. United States. Birrell 269 F. Supp. 716, 722 (S.D.N.Y. 1967). 23 Case No. 08-80736-CV-MARRA P-000971 EFTA00228351
Page 972 / 2265
Attorney-client privileged material Law enforcement sensitive A "primary purpose of the return requirement is 'to allow for proper identification of property taken by the aolice under the warrant and to protect the owner's rights therein.'" United States I. Russells 156 F.3d 687, 691 (6th Cir. 1998), citing United States,. Dudek, 530 F.2d 684, 691 (6th Cir.1976) (emphasis removed). The inventory's purpose is also "to enable the Court to determine—on the face of the warrant, return and inventory—whether the seizure was properly limited to the property identified in the warrant." I3irrell, 269 F. Supp. at 721. Other purposes include (I) allowing "for proper identification of property taken by the police under the warrant and to protect the owner's rights therein;" (2) "insulat[ing] the police against false claims;" and (3) "promotting) the truth-gathering process [by making certain] the warrant and its affidavit are available to counsel for inspection in preparation for trial." Russell, 156 F.3d at 691. When documents or data is seized, providing defendants with "a copy of everything seized" has been held to "obviate[] the need for a detailed inventory." Triumph Capital, 211 F.R.D. at 66. Providing defendants with "access" to paper records seized from an office also "obviates the need for a more detailed inventory" beyond one that simply identifies which file cabinets were seized. Semtex 876 F. Supp. at 429-30. Moreover, the failure to provide a sufficiently specific inventory does not justify exclusion of evidence, unless the defendant was prejudiced. We have not found any reported case where evidence (of any type) was excluded because of a failure to comply with the inventory or return requirements. In United States.. Gross 137 F. Supp. 244 (S.D.N.Y. 1956), the United States failed to file any inventory at all, never returned the warrant, and never gave the defendant a receipt or copy of the warrant. The Court allowed the Government to correct those errors by giving it ten days to comply. In Application of Designer Sportswear. Inc. 521 1. Supp. 434 (S.D.N.Y. 1981), after defendants complained that there were "several items that were neither inventoried nor returned [to defendants after search]," the Court held that the Government's offer to "permit Designer renewed access to the materials to identify the items" was "a sufficient response to this claim." Id. at 436. Thus, as noted above in section 2F, investigators should file inventories with returns that simply indicate the information or hardware devices that were seized (e.g., "image of one Seagate 260 gigabyte hard drive"). When agents copy data during the search and leave the original media behind, the inventory need only note that fact. As explained above, giving a specific list of files presents some risk of inviting suppression motions, should it become neccnary to investigate other files after the return of the warrant.' Should the court request more specificity than a description of the media device seized or imaged, providing the data owner with a copy of the data collected during the search more than satisfies the return requirement. 7 In Triumph the inventory filed with the return "indicated that [the agent] seized 'a mirror image of the hard drive to review for evidence as noted on Attachment B.' " and included copies of the specific files "seized" by the agent. Triumph Capital, 211 F.R.D. at 53. 24 Case No. 08-80736-CV-MARRA P-000972 EFTA00228352
Page 973 / 2265
m• .,•,..N. ..s. mm EFTA00228353
Page 974 / 2265
Case No. 08-80736-CV-MARRA -000974 EFTA00228354
Page 975 / 2265
Query Attorneys Page 1 of 3 2:04-cv-00059-KJD-LRL John J. Melk, et al., VS David Copperfield Kent J. Dawson, presiding Lawrence R. Leavitt, referral Date filed: 01/15/2004 Date terminated: 07/18/2006 Date of last filing: 07/18/2006 Attorneys Kenn Brotman 333 West Wacker Drive Suite 2600 Chicago. IL 60606 sstgne LEAD ATTORNEY ATTORNEY TO BE NOTTCED Susan J. Greenspon 333 West Wacker Drive Suite 2600 Chicago, IL 60606 ssigne : LEAD ATTORNEY ATTORNEY TO BE NOTICED Peter Haveles Arnold & Porter, LLP 777 South Figueroa Street 44th Floor representing Janet L. Melk (Plaintiff) representing representing John J. Melk (Plaintiff) Janet L. Melk (Plaintiff) John J. Melk (Plaintiff) David Copperfield (Defendant) https://ec Invd.uscouns.gov/cgi_bit4rtvAttlatIA8p9q90-MARRA 8/4;72W" EFTA00228355
Page 976 / 2265
Query Attorneys Page 2 of 3 Assigned: 03/03/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED Bruce R. Laxalt Laxalt & Nomura, Ltd 9600 Gateway Dr Reno, NV 89521 Assigned: 01/30/2004 LEAD ATTORNEY ATTORNEY P9 BE NOTICED James J. Pisanelli Brownstein Hyatt Farber Schreck 300 South Fourth Street Suite 1200 Las Vegas, NV 89101- Assigned: 01/15/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED David A. Rammelt 333 West Wacker Drive Suite 2600 Chicago, IL 60606 (312) 857-7077 312 857-7095 fax Assigned: 01/15/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED representing representing representing David Copperfield IDefinulant) Janet L. Melk (Plaintiffi John J. Melk (Plaintiffl Janet L. Melk (Plaintiff) John J. Melk (Plaintiff https://ecinvd.uscourts.govicgi-birnsrgleciaragi MARRA gp7M76 EFTA00228356
Page 977 / 2265
Query Attorneys Page I of 5 2:04-cv-01201-KJD-LRL MDL #1619-In Re: Musha Cay Litigation VS NA Kent J. Dawson, presiding Lawrence R. Leavitt, referral Date filed: 08/27/2004 Date terminated: 07/18/2006 Date of last filing: 07/18/2006 Attorneys John Karl Aurell pro hac vice Ausley & McMullen 227 S. Calhoun Street, P.O. Box 391 02 Assigned: 10/28/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED Theodore L. Blumberg pro hac vice 230 Park Avenue 10th Floor 69 sstgne : 005 LEAD ATTORNEY ATTORNEY TO BE NOTICED Kenn Brotman 333 West Wacker Drive Suite 2600 Chicago, IL 60606 Assigned: 10/28/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED representing representing representing Christian Jogodzinski (Defendant) Michael Gleissner (Defendant) David Copperfield (Defendant) Janet L. Melk (Plaintiff) John J. Melk littps://ecf.nvd.uscourts.gov/cgi -bin/Cqgg:6 04 -s8$1171W -MAR RA 77 01 8/ 0 EFTA00228357
Page 978 / 2265
Query Attorneys Page 2 of 5 (Plaintiff) Jonathan K. Cooperman Kelley Drye & Warren LLP 1200 Nineteenth Street NW Janet L. Melk Suite 500 representing (Plaintiff ~0036- Assigned: 10/28/2004 Susan J. Greenspon • 333 West Wacker Drive Suite 2600 Chicago, IL 60606 Assigned: 10/28/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED Peter Haveles Arnold & Porter, LLP 777 South Figueroa Street 44th Floor Los An eles CA 90017- Assigned: 10/28/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED Janice H. Jensen Laxalt & Nomura, Ltd 9600 Gateway Dr Reno, NV 89521 • John J. Melk (Plaintiff) representing Janet L. Melk (Plaintiff representing John J. Melk (Plaintiff) David Copperfield (Defendant) representing David Copperfield (Defendant) . Case No. 08-8036-CYzMARRA https://eetnvd.uscourts.govicgi-bmkiryAttomeys.p11191t.19 0113416P EFTA00228358
Page 979 / 2265
Query Attorneys Page 3 of 5 Assigned: 02/15/2006 ATTORNEY TO BE NOTICED Bruce IL Laxalt Laxalt & Nomura, Ltd 9600 Gateway Dr Reno, NV 89521 Assigned: 10/28/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED James J. Pisanelli Brownstein Hyatt Farber Schreck 300 South Fourth Street Suite 1200 ssegne • LEAD ATTORNEY ATTORNEY TO BE NOTICED David A. Rammelt 333 West Wacker Drive Suite 2600 Chicago, IL 60606 representing representing representing David Copperfield (Defendant) Jeffrey Berkman (Defendant) Christian Jogodzinski (Defendant) Janet L. Melk (Plaintiff) John J. Melk (Plaintiff) Janet L. Melk (Plaintiffi CV MARRA 8b7288979 Imps://ecf.nvd.uscouns.govicgi-bin%51118tigaPhiui EFTA00228359
Page 980 / 2265
Quay Attorneys • • Page 4 of 5 Assigned: 10/28/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED Marlene Koch Silverman Greenberg Traurig LLP 2375 East Camelback Road Suite 700 Assigned: 10/28/2004 TERMINATED: 06/20/2006 Martin B. Sipple pro hac vice Ausley & McMullen 221 S. Calhoun Street, P.O. Box 391 302 Assigned: 10/28/2004 LEAD ATTORNEY ATTORNEY TO BE NOTICED Kevin Clark Walker 101 Park Avenue New York. NY 10178- Assigned: 10/28/2004 representing representing representing John J. Melk (Plaintiff) Janet L. Melk (Plaintiff John J. Melk (Plaintift) Christian Jogodzinski (Defendant) Michael Gleissner (Defendant) John J. Melk (Plaintiff) PACER Service Center Transaction Receipt r pi4f§a-MARRA https://ecfnvd.uscourts.govicgi-binFqat9Aitiihit &Sr EFTA00228360