Orin Kerr has some great coverage and analysis of a case out of the Middle District of Pennsylvania, U.S. v. Crist. From his very lengthy post:
First, the facts. Crist is behind on his rent payments, and his landlord starts to evict him by hiring Sell to remove Crist's belongings and throw them away. Sell comes across Crist's computer, and he hands over the computer to his friend Hipple who he knows is looking for a computer. Hipple starts to look through the files, and he comes across child pornography: Hipple freaks out and calls the police. The police then conduct a warrantless forensic examination of the computer:
In the forensic examination, Agent Buckwash used the following procedure. First, Agent Buckwash created an “MD5 hash value” of Crist's hard drive. An MD5 hash value is a unique alphanumeric representation of the data, a sort of “fingerprint” or “digital DNA.” When creating the hash value, Agent Buckwash used a “software write protect” in order to ensure that “nothing can be written to that hard drive.” Supp. Tr. 88. Next, he ran a virus scan, during which he identified three relatively innocuous viruses. After that, he created an “image,” or exact copy, of all the data on Crist's hard drive.
Agent Buckwash then opened up the image (not the actual hard drive) in a software program called EnCase, which is the principal tool in the analysis. He explained that EnCase does not access the hard drive in the traditional manner, i.e., through the computer's operating system. Rather, EnCase “reads the hard drive itself.” Supp. Tr. 102. In other words, it reads every file, bit by bit, cluster by cluster, and creates an index of the files contained on the hard drive. EnCase can, therefore, bypass user-defined passwords, “break[ ] down complex file structures for examination,” and recover “deleted” files as long as those files have not been written over. Supp. Tr. 102-03.
Once in EnCase, Agent Buckwash ran a “hash value and signature analysis on all of the files on the hard drive.” Supp. Tr. 89. In doing so, he was able to “fingerprint” each file in the computer. Once he generated hash values of the files, he compared those hash values to the hash values of files that are known or suspected to contain child pornography. Agent Buckwash discovered five videos containing known child pornography. Attachment 5. He discovered 171 videos containing suspected child pornography...
But for now the most interesting question is whether running the hash was a Fourth Amendment search. The Court concluded that it was, and that the evidence of child pornography discovered had to be suppressed...
I think this is generally a correct result: See my article Searches and Seizures in a Digital World, 119 Harv. L. Rev. 531 (2005), for the details. Still, given the lack of analysis here it's somewhat hard to know what to make of the decision. Which stage was the search — the creating the duplicate? The running of the hash? It's not really clear. I don't think it matters very much to this case, because the agent who got the positive hit on the hashes didn't then get a warrant. Instead, he immediately switched over to the EnCase "gallery view" function to see the images, which seems to me to be undoubtedly a search. Still, it's a really interesting question.
There's a bunch more to read. Orin is an expert in this area and I would defer to his knowledge regarding these tricky issues. I think that child pornography cases are often the battlegrounds for these tough 4th Amendment questions. And given that most courts seem inclined to create doctrinal exceptions when it means punishing child pornographers, there is a worry that courts may erode basic civil liberties in other cases as well. It's interesting to see the result in Crist against that trend. I wonder if the case will be reviewed by the Third Circuit.
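The per-file hash comparison described in the quoted opinion, as an added example that is not part of the original post or the court record: it hashes every file under a directory with MD5, checks each digest against a reference set, and counts the bytes it had to read to do so. The file names, contents and reference digests are constructed sample data, and a plain directory stands in for the mounted forensic image.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_stream(path, chunk=65536):
    """Return (hex digest, bytes read); every byte of the file passes through the hash."""
    h, n = hashlib.md5(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
            n += len(block)
    return h.hexdigest(), n

def hash_set_analysis(root, known_hashes):
    """Hash every file under root and report which digests appear in known_hashes."""
    hits, files, total = [], 0, 0
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest, n = md5_stream(p)
            files += 1
            total += n
            if digest in known_hashes:
                hits.append(p.name)
    return {"files_hashed": files, "bytes_read": total, "hits": hits}

def demo():
    # Constructed sample data: four harmless files standing in for a mounted image.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "notes.txt").write_bytes(b"grocery list\n")
        (root / "docs" / "report.txt").write_bytes(b"quarterly report\n")
        (root / "docs" / "flagged.bin").write_bytes(b"constructed known file\n")
        # Same content with one character changed: an exact-match hash set misses it.
        (root / "docs" / "flagged_edited.bin").write_bytes(b"constructed known filE\n")
        # Constructed reference set: one digest that is on the "disk", one that is not.
        known = {hashlib.md5(b"constructed known file\n").hexdigest(),
                 hashlib.md5(b"not on this disk").hexdigest()}
        return hash_set_analysis(root, known)

if __name__ == "__main__":
    print(demo())
```

The result lists only the matching file name, but `bytes_read` equals the combined size of every file examined: the comparison cannot be made without reading the full contents of each one.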
Does Agent Buckwash explain the "three relatively innocuous viruses"? Did the defense pull that out of him? Could these viruses "traffic" in child porn without the computer owner's knowledge? Maybe that is not the defense, but that is a real danger to anyone with a computer.
Posted by: | October 28, 2008 at 11:17 PM
I am not sure what you mean by Kerr's expertise; 4th Amendment, probably; computers, no. I've read his work and it's mostly trivial; it's not convincing to anyone who works with computers for a living.
To answer the above question, "Could these viruses "traffic" in child porn without the computer owner's knowledge?" The answer to this question is yes, a virus can. Whether it was possible for these specific viruses to do that, one would need to know what the viruses were. While the threat of child porn being put on a computer is indeed real, the risk is minuscule and it is easily avoidable by taking the most basic precautions.
To me, it's obvious that the running of the hashes is the search, or at any rate should be. Copying the disk is not a search of the disk; you've just copied it. But you can't run a hash match on the disk without searching the disk for the match; that's self-evident to anyone who uses computers so I don't understand why Kerr is unclear on this point.
Posted by: Daniel | October 29, 2008 at 12:45 AM
Technology, specifically the Internet, has created a whole host of new legal conundrums that haven't been addressed properly by the legislature or the courts. Rather than being proactive, the courts and Congress are dealing with things as they come up and this is making case law and decisions so off the wall sometimes that there's no clear direction.
Posted by: JT | October 29, 2008 at 10:46 AM
Hi Daniel,
I think you might be mistaking a lack of clarity and confusion by courts for a lack of clarity and confusion by Orin. The problem in this area of law is that courts have defined a "search" in ways contrary to normal interpretations of the word. Things like intercepting cell phone signals or automated review of data have been held not to be "searches." The emphasis of courts on the "expectation of privacy" and the notion that a person has to be doing the searches creates an unusual doctrine. Further, most cases illustrate how little understanding judges have of computers (even after expert testimony). Orin is without a doubt an expert in this area, but his expertise has to make sense of law which really doesn't make a lot of sense.
Best,
Corey
Posted by: | October 29, 2008 at 10:52 AM
Corey:
I think you are right about the confusion but when I read through Orin's work to me he adds to the confusion, and doesn't really help clarify matters. One of the big mistakes he makes, IMHO, is that he wants to analogize computer and other technology searches to prior case law by engaging in a level of abstraction that reaches out of bounds. I don't think a computer search is like any other type of search. It certainly isn't analogous in any way shape or form to a drug sniffing dog.
In Searches and Seizures in a Digital World, his basic methodology is to compare and contrast the digital world with the traditional physical world. I think this methodology has no foundation in fact and it jumbles together technological areas that should be separate. My own opinion is that Kerr wants to use the unique situation of computer technology as a way to undermine traditional constructions of the 4th amendment that he doesn't like. And I think that such a goal is unhelpful to actually sorting out what the real issues surrounding computer searches and the 4th amendment are.
Posted by: Daniel | October 29, 2008 at 01:47 PM