Thursday, June 2, 2016

Seizure of Hard Drive Computer Data by Mirroring and the Fourth Amendment (6/2/16)

In United States v. Ganias, ___ F.3d ___, 2016 U.S. App. LEXIS 9706 (2d Cir. 2016) (en banc), the Second Circuit held (from the opening of the opinion):
Defendant-Appellant Stavros Ganias appeals from a judgment of the United States District Court for the District of Connecticut (Thompson, J.) convicting him, after a jury trial, of two counts of tax evasion in violation of 26 U.S.C. § 7201. He challenges his conviction on the ground that the Government violated his Fourth Amendment rights when, after lawfully copying three of his hard drives for off-site review pursuant to a 2003 search warrant, it retained these full forensic copies (or “mirrors”), which included data both responsive and non-responsive to the 2003 warrant, while its investigation continued, and ultimately searched the non-responsive data pursuant to a second warrant in 2006. Ganias contends that the Government had successfully sorted the data on the mirrors responsive to the 2003 warrant from the non-responsive data by January 2005, and that the retention of the mirrors thereafter (and, by extension, the 2006 search, which would not have been possible but for that retention) violated the Fourth Amendment. He argues that evidence obtained in executing the 2006 search warrant should therefore have been suppressed. 
We conclude that the Government relied in good faith on the 2006 warrant, and that this reliance was objectively reasonable. Accordingly, we need not decide whether retention of the forensic mirrors violated the Fourth Amendment, and we AFFIRM the judgment of the district court.
Although the issue arose in a tax evasion case, it is an issue that pervades the criminal law given that computers are ubiquitous and can be a mother lode in a criminal investigation.  The opinion is very long and, with respect to computer data, somewhat complex.  So, I will try to summarize, in my own words, the trajectory of reasoning.  In some of my summary, I add some minor spin of my own to connect the reasoning.

First, at the outset, this is an en banc opinion of the Second Circuit.  Two judges concurred with the holding in the case.

Second, the only holding in the case was that any Fourth Amendment violation was irrelevant because the Government agents had acted reasonably in obtaining and executing the search warrants and then in accessing the computer data.

Third, the Court did not decide the Fourth Amendment issue as to whether the computer data had been illegally seized and retained in violation of the Fourth Amendment.  The computer data in question had been seized from the office of Ganias, a CPA, incident to a nontax investigation of two of Ganias' clients.  The data was seized pursuant to search warrant by taking a "mirror image" of Ganias' computers.  That mirror image was an exact copy of the computer hard drives.  As had the hard drives, the mirror image contained information within the scope of the search warrant (related to the two clients being investigated) and information outside the scope of the search warrant (for Ganias personally and other clients).  Since it is generally not practical in seizing such computer data to separate immediately the data within the scope of the search warrant and data outside its scope, all of the data is seized via the mirroring; the separation process occurs later.  In separating out the data outside the scope of the search warrant, a rough index will be prepared stating generally the type of the information separated out.  More detailed review of the data within the scope of the search warrant can then occur as the needs of the investigation require, with such indices and analyses as appropriate.  But the information outside the scope of the search warrant is not supposed to be reviewed beyond the requirement of preparing a broad index.

To use a hard copy document analogy, say that the search warrant authorizes seizure of documents in the CPA's possession related to clients A and B and, because of the impracticality of making the separation of documents upon the initial seizure, the officers executing the search warrant seize too much.  Assume that, under the circumstances, the seizure of too much was reasonable and in good faith simply because the officers did not have time to separate while on the premises.  After the separation occurs, the usual drill is to return the documents outside the scope of the search warrant to the person whose premises were searched.  There will often be some generic description of the documents to show why they are outside the scope of the search warrant -- e.g., documents related to other clients or to the CPA himself -- but review of the documents is not permitted.  Then, if the Government's criminal attention turns to the CPA, it will have the generic description of the documents outside the scope of the search warrant but will not have those documents and will have to obtain those documents through the normal means -- subpoena the CPA or search the premises of the CPA where the documents might be.  This is standard fare for Fourth Amendment analysis of overseizures.

The problem is that the hard copy document and document file analogy is an imperfect analogy for computer data.  From the computer user's standpoint, the data may look like it is separated into directories on computers, often called files, because, to the computer user, they seem to function much like hardcopy files containing documents.  But, as the majority notes at length, the hardcopy file analogy is inexact in the case of computers.  The problem is that computer data may appear to the computer user to be in discrete segments of the hard drive, but that is not how the computer actually stores the data.  (See the excerpt below.)

The Government did ultimately determine which computer data were within the scope of the search warrant and indexed, in the process, the computer data that was outside the scope, much as it would have in a hardcopy seizure as discussed above.  But, it kept the mirrored drives containing both the information within the scope of the search warrant and outside the scope of the search warrant.  Indeed, because of the way computer data are stored (making computer data an inexact analogy to hardcopies) and because of forensic requirements to maintain the integrity of the data within the scope of the search warrant, it may not be practically feasible to do the type of clean separation of data within the scope and outside the scope that can be done with hard copies.  So, if the Government does retain the mirrored drive with the generic description of data outside the scope of the search warrant and the Government's attention then turns to a party not being investigated in the original investigation, it will have the generic description of data outside the scope of the search warrant and may then be able to obtain a search warrant for it, as it did in Ganias.

Of course, if the Government had been able to purge the data outside the scope of the first summons, the CPA in the example would still have the data on the computers (assuming the hard disks had been preserved and the integrity of the data on the hard disks had been maintained).  But the Fourth Amendment question is not solved simply because the Government might have some other way to obtain the data.  Rather, the Fourth Amendment issue is whether the overseizure of data pursuant to a search warrant can permit the Government to hold onto the data outside the scope of the search warrant for an indefinite period.  Generally, Fourth Amendment analysis would require that that data be purged, but as noted that may not be possible for computer data because it might affect the integrity of the data within the scope of the search warrant.

That is basically the analysis presented by the majority.  Two judges concurred only in the good faith holding.  One judge, Judge Chin, wrote a passionate dissent.  (Judge Chin does make a mistake in his factual presentation; he says that the computer data taken upon execution of the search warrant were "subpoenaed;" seizures are not made pursuant to subpoena.)  Other than that, Judge Chin presents his position well.

Ganias' only recourse now is to seek certiorari in the Supreme Court.  On the direct holding as to good faith, I doubt that the Supreme Court would take the case since there is likely nothing exceptional there and the Supreme Court is likely not to change the good faith standard.  And, on the dicta holding about the problems of overseizure of computer data, I doubt that the Supreme Court would want to review dicta.  Of course, the computer data issue is very important, but I would think the Supreme Court would want to let the issue bubble around in the lower courts and then only review a case involving a conflict in the circuits.

Finally, I do present an excerpt from the opinion showing a fairly typical example of seizure of computer data (I do bold-face some of the language to draw readers' attention to it):
On November 19, 2003, Army CID agents executed the search warrants.  Because the warrants authorized the seizure of computer hardware and software, in addition to paper documents, Agent Conner sought the help, in executing the warrants, of agents from the Army CID’s Computer Crimes Investigation Unit (“CCIU”), a unit with specialized expertise in digital forensics and imaging. At Ganias’s office, the CCIU agents — and in particular Special Agent David Shaver — located three computers. Rather than take the physical hard drives, which would have significantly impaired Ganias’s ability to conduct his business, Agent Shaver created mirror images: exact copies of all of the data stored thereon, down to the bit. n5 Ganias was present at his office during the creation of the mirrors, spoke with the agents, and was aware that mirrored copies of his three hard drives had been created and taken off-site. n6 There is no dispute that the forensic mirrors taken from Ganias’s office contained all of the computerized data maintained by Ganias’s business, including not only material related to IPM or AB, but also Ganias’s own personal financial records, and the records of “many other” accounting clients of Ganias: businesses of various sorts having no connection to the Government’s criminal investigation. n7 J.A. 464, ¶ 14.
   n5 Hard drives are storage media comprising numerous bits — units of data that may be expressed as ones or zeros. Mirroring involves using a commercially available digital software (in the present case, though not always, EnCase) to obtain a perfect, forensic replica of the sequence of ones and zeros written onto the original hard drive. During the mirroring, EnCase acquires metadata about the mirroring process, writing an unalterable record of who creates the copy and when the copy is created. It also assigns the mirror a “hash value” — a unique code that can be used to verify whether, upon subsequent examination of the mirror at any later date, even a single one or zero has been altered from the original reproduction.
   n6 Testifying at the suppression hearing, Agent Conner explained that the decision to take mirrors, rather than the hard drives themselves, reflected a desire to mitigate the burden on Ganias and his business. See J.A. 140-41. The district court credited this testimony, concluding that the agents “used a means less intrusive to the individual whose possessions were seized than other means they were authorized to use.” Ganias, 2011 WL 2532396, at *8. The district court, further, explicitly found that the 2003 warrant authorized the Government to take these mirrors, id. at *10, a position Ganias has not challenged on appeal, and that runs directly counter to the dissent’s seeming suggestions that the Government somehow acted improperly when it mirrored Ganias’s hard drives or that this initial seizure went beyond the scope of the 2003 warrant, see, e.g., Dissent at 3 (noting that “although the Government had a warrant for documents relating to only two of defendant-appellant Stavros Ganias’s accounting clients, it seized all the data from three of his computers”); id. at 40 (stating that “the Government . . . entered Ganias’s premises with a warrant to seize certain papers and indiscriminately seized — and retained — all papers instead”).
   n7 Ganias claimed before the district court that when he expressed some concern about the scope of the data being seized, an agent assured him that the agents were only looking for files related to AB and IPM, and that irrelevant files “would be purged once they completed their search” for such files. J.A. 428. The district court made no finding to this effect, however. It is undisputed, moreover, that Ganias became aware in February 2006 that the Government retained the mirrors and sought to search them in connection with Ganias’s own tax reporting. At no time thereafter did Ganias seek return of the mirrors pursuant to Federal Rule of Criminal Procedure 41(g) or otherwise contact a case agent to seek their return or destruction.  
The next day, Agent Shaver consolidated the eleven mirrored hard drives from all three searches (including the three from Ganias’s office) onto a single external hard drive which he provided to Agent Conner. Agent Conner, in turn, provided this hard drive to the evidence custodian of the Army CID, who stored it at Fort Devens, Massachusetts. There the consolidated drive remained, unaltered and untouched, throughout the events relevant to this case. Around the same time, Agent Shaver created two additional copies of the mirrored drives on two sets of nineteen DVDs. After providing these DVD sets to Agent Conner, Agent Shaver then purged the external hard drives onto which he had originally written the mirrors. At this point, a week after the search, three complete copies of the mirrors of Ganias’s hard drives existed: an untouched copy stowed away in an evidence locker and two copies available for forensic analysis.
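
The hash verification that footnote n5 of the excerpt describes, applied to the three copies mentioned at its end, as an added example that is not taken from the opinion, this post, or EnCase. SHA-256, the 4096-byte block size, the function names and the constructed 64 KiB stand-in "drive" are assumptions; the per-block hash list goes beyond the footnote to show where a copy was altered, not only that it was.

```python
import hashlib
from itertools import zip_longest

BLOCK = 4096  # bytes per block hash; an assumption, not a value from the opinion

def image_digest(image: bytes) -> str:
    """SHA-256 over the whole image, fed block by block as an imaging tool would."""
    h = hashlib.sha256()
    for off in range(0, len(image), BLOCK):
        h.update(image[off:off + BLOCK])
    return h.hexdigest()

def block_digests(image: bytes) -> list[str]:
    """Per-block SHA-256 list, used only to localize a mismatch."""
    return [hashlib.sha256(image[off:off + BLOCK]).hexdigest()
            for off in range(0, len(image), BLOCK)]

def verify(copy: bytes, acquisition_hash: str) -> bool:
    """True only if every bit of the copy matches the acquired image."""
    return image_digest(copy) == acquisition_hash

def altered_blocks(copy: bytes, reference: list[str]) -> list[int]:
    """Indexes of blocks that differ, including blocks missing from or extra in the copy."""
    pairs = zip_longest(block_digests(copy), reference)
    return [i for i, (got, want) in enumerate(pairs) if got != want]

# Constructed 64 KiB stand-in for a source drive (not real evidence data).
SOURCE = bytes((i * 31 + 7) % 256 for i in range(64 * 1024))

# Acquisition: the hashes are recorded once, at imaging time.
ACQ_HASH = image_digest(SOURCE)
ACQ_BLOCKS = block_digests(SOURCE)

# Three copies, as in the excerpt: one stored untouched, two for analysis.
locker_copy = bytes(SOURCE)
working_a = bytes(SOURCE)
tampered = bytearray(SOURCE)
tampered[20000] ^= 0x01  # a single altered bit in the second working copy
working_b = bytes(tampered)

if __name__ == "__main__":
    copies = [("locker", locker_copy), ("working A", working_a), ("working B", working_b)]
    for name, copy in copies:
        if verify(copy, ACQ_HASH):
            print(f"{name}: verified against acquisition hash")
        else:
            print(f"{name}: MISMATCH, altered blocks {altered_blocks(copy, ACQ_BLOCKS)}")
```
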
