A federal district court in Texas recently handed down a new case on the scope of computer warrant searches that shows how important and yet uncertain the rules of computer search and seizure are these days: United States v. Kim, — F.Supp.2d —, 2009 WL 5185389 (S.D. Texas 2009). The case was handed down December 23 by District Judge Vanessa Gilmore.
Law enforcement agents were searching a computer with a warrant for evidence of computer hacking when they came across folders containing encrypted files with suggestive titles such as “ForbiddenFruit”, “Illegal_Loli #”, and “Loli#”. The files were encrypted with “CryptaPix,” encryption software that is generally known as a way to encrypt image files. The agents requested a warrant to open the files and search for child pornography, but the magistrate rejected the warrant application on the ground that there was insufficient probable cause. The government decided to try to decrypt the files anyway under the authority of the warrant to search for evidence of computer hacking. It took two months, but eventually the government decrypted the images and found 840 images of child pornography.
The district court suppressed the child pornography images as being beyond the scope of the warrant. However, the court did not follow the subjective approach that several courts have used in the computer search and seizure context to measure the scope of the warrant. (Under the subjective approach, courts look to whether the agent was subjectively trying to stay within the scope of the warrant when he clicked on the file.) Instead, the court concluded that it was objectively unreasonable for the government to decrypt the images based on its alleged interest in searching for evidence of computer hacking:
Looking in the encrypted folders for evidence of Computer Intrusion was unreasonable for several reasons. First, none of the other evidence of Computer Intrusion was located in encrypted folders. Agent Mance signed a sworn affidavit to the court asserting that he believed the encrypted folders to contain evidence of child pornography. He did not mention that the folders could contain evidence of Computer Intrusion. Second, the encrypted folders were created five years before, and last modified approximately three years before, the dates of the alleged computer intrusion.
Third, Cryptapix, the software used to encrypt the folders in question was not the type that could be used to encrypt images. At the hearing McGrody, the Government’s witness, established that the Defendant had version 2.2 of Cryptapix on his computer. Only Cryptapix 3.04, which was created in 2009, had the technology to store data as image files. Cryptapix 2.2, the version that the Defendant had on his computer and the version used to encrypt the files in the folder allegedly containing evidence of child pornography, did not have this feature.
Finally, at the hearing, Agent Symeonidis testified that the Government did not find any evidence of Computer Intrusion on the computer allegedly containing evidence of child pornography. In fact, McGrody testified that the Government did not have any evidence that the IP address of the computer containing the encrypted files attempted to gain access to the GEXA network. In fact, he stated that none of the IP addresses discussed in the search warrant belonged to the computer containing the encrypted files. Accordingly, the Court finds that when the Government agents began looking at the encrypted files, they were acting outside the scope of their warrant.
For the reasons stated above, the Court finds that when the Government agents decided to spend two months decoding the files in the encrypted folders, they did not do so in continuation of a valid search for evidence of Computer Intrusion. Rather, the Court finds that the Government examined the encrypted folders searching for evidence of child pornography, in direct defiance of the magistrate court’s order. The Court finds that the Government’s attempts to claim that they discovered the files while looking for evidence of Computer Intrusion is a clear attempt to justify the government’s warrantless search for evidence of child pornography and to manipulate the Court into authorizing their defiance of the Magistrate’s order.
This decision reminds me of United States v. Payton, the recent Ninth Circuit case in which the Ninth Circuit suppressed evidence found in a computer on the ground that there was no reason to think the evidence in the warrant would be on the computer. Like Payton, Kim reaches that result through a general reasonableness analysis: It seems to have a sense of when it would be objectively reasonable to open a particular file, much like Payton had a sense of when it was objectively reasonable to look inside a computer.
My own view, as I expressed in this 2005 article, is that the eventual answer — the least bad alternative, really — will be for courts to eliminate the plain view exception in the computer search and seizure context. The problem with a general reasonableness analysis is that courts have very little sense ex ante of what kinds of computer forensic searches are reasonable. Judges are not computer forensic specialists: They aren’t very well-positioned to distinguish reasonable from unreasonable computer forensic steps. You can see that in Kim: The reasons why the court concludes it was ex ante unreasonable to decrypt the files end up relying in large part on what the government found ex post, after the files were decrypted.
Imagine the next case. A hacker has read the Kim case, so he takes his hacker files, encrypts them using Cryptapix, and labels the folder “childpornpics.” The government comes across the folder when they’re searching the computer under a warrant for hacking evidence. Under Kim, are they allowed to even try to decrypt the files? You could read Kim as indicating that they can’t, as it would be unreasonable given the file label. Alternatively, you can read Kim as saying that the reasonableness of decrypting the files depends on what evidence they find: It’s reasonable if they end up finding evidence within the scope of the warrant but not if they find evidence outside the scope of the warrant. But if you take the latter interpretation of Kim, that’s just a complicated way of saying that the plain view exception doesn’t apply. Think about it: If the reasonableness of the search depends on whether the evidence discovered is within the scope of the warrant, that’s just an indirect way of saying that the evidence is allowed if it’s within the scope of the warrant and excluded if it’s outside the scope of the warrant.
Anyway, stay tuned: With recent cases like Payton, CDT and Kim, this seems to be an area that is moving fast these days. Thanks to Susan Brenner for the case information; she also has a post on the case at her cyb3rcrim3 blog.