U.S. DOJ Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
March 19, 2010 in Department of Justice
Computer Crime and Intellectual Property Section Criminal Division
- 299 pages
- July 2009
Searching and Seizing Computers Without a Warrant
The Fourth Amendment limits the ability of government agents to search for and seize evidence without a warrant. This chapter explains the constitutional
limits of warrantless searches and seizures in cases involving computers.
The Fourth Amendment states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
According to the Supreme Court, a “‘seizure’ of property occurs when there
is some meaningful interference with an individual’s possessory interests in
that property,” United States v. Jacobsen, 466 U.S. 109, 113 (1984), and the
Court has also characterized the interception of intangible communications as
a seizure. See Berger v. New York, 388 U.S. 41, 59-60 (1967). Furthermore, the
Court has held that a “‘search’ occurs when an expectation of privacy that society
is prepared to consider reasonable is infringed.” Jacobsen, 466 U.S. at 113. If
the government’s conduct does not violate a person’s “reasonable expectation
of privacy,” then formally it does not constitute a Fourth Amendment “search”
and no warrant is required. See Illinois v. Andreas, 463 U.S. 765, 771 (1983).
In addition, a warrantless search that violates a person’s reasonable expectation
of privacy will nonetheless be constitutional if it falls within an established
exception to the warrant requirement. See Illinois v. Rodriguez, 497 U.S. 177,
185-86 (1990). Accordingly, investigators must consider two issues when
asking whether a government search of a computer requires a warrant. First,
does the search violate a reasonable expectation of privacy? And if so, is the
search nonetheless permissible because it falls within an exception to the warrant requirement?
B. The Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers
1. General Principles
A search is constitutional if it does not violate a person’s “reasonable” or
“legitimate” expectation of privacy. Katz v. United States, 389 U.S. 347, 361
(1967) (Harlan, J., concurring). This inquiry embraces two discrete questions:
first, whether the individual’s conduct reflects “an actual (subjective) expectation
of privacy,” and second, whether the individual’s subjective expectation of
privacy is “one that society is prepared to recognize as ‘reasonable.’” Id. at 361.
In most cases, the difficulty of contesting a defendant’s subjective expectation
of privacy focuses the analysis on the objective aspect of the Katz test, i.e.,
whether the individual’s expectation of privacy was reasonable.
No bright line rule indicates whether an expectation of privacy is
constitutionally reasonable. See O’Connor v. Ortega, 480 U.S. 709, 715 (1987).
For example, the Supreme Court has held that a person has a reasonable
expectation of privacy in property located inside a person’s home, see Payton
v. New York, 445 U.S. 573, 589-90 (1980); in “the relative heat of various
rooms in the home” revealed through the use of a thermal imager, see Kyllo v.
United States, 533 U.S. 27, 34-35 (2001); in conversations taking place in an
enclosed phone booth, see Katz, 389 U.S. at 352; and in the contents of opaque
containers, see United States v. Ross, 456 U.S. 798, 822-23 (1982). In contrast, a
person does not have a reasonable expectation of privacy in activities conducted
in open fields, see Oliver v. United States, 466 U.S. 170, 177 (1984); in garbage
deposited at the outskirts of real property, see California v. Greenwood, 486
U.S. 35, 40-41 (1988); or in a stranger’s house that the person has entered
without the owner’s consent in order to commit a theft, see Rakas v. Illinois,
439 U.S. 128, 143 n.12 (1978).
UNITED STATES DISTRICT COURT
FOR THE [DISTRICT]
IN THE MATTER OF THE SEARCH OF
INFORMATION ASSOCIATED WITH
[[EMAIL ADDRESSES]] THAT IS STORED AT PREMISES CONTROLLED BY [[EMAIL PROVIDER]]
Case No. ______
affidavit IN SUPPORT OF
AN APPLICATION FOR A SEARCH WARRANT
256 Searching and Seizing Computers
I, [AGENT NAME], being first duly sworn, hereby depose and state as follows:
INTRODUCTION AND AGENT BACKGROUND
1. I make this affidavit in support of an application for a search warrant
for information associated with certain accounts that is stored at premises
owned, maintained, controlled, or operated by [EMAIL PROVIDER], an
email provider headquartered at [PROVIDER ADDRESS]. The information
to be searched is described in the following paragraphs and in Attachment A.
This affidavit is made in support of an application for a search warrant under
18 U.S.C. §§ 2703(a), 2703(b)(1)(A) and 2703(c)(1)(A) to require [EMAIL
PROVIDER] to disclose to the government records and other information in
its possession pertaining to the subscriber or customer associated with the accounts,
including the contents of communications.
2. I am a Special Agent with the [AGENCY], and have been since
[DATE]. [DESCRIBE TRAINING AND EXPERIENCE TO THE EXTENT
IT SHOWS QUALIFICATION TO SPEAK ABOUT THE INTERNET
AND OTHER TECHNICAL MATTERS].
3. The facts in this affidavit come from my personal observations, my
training and experience, and information obtained from other agents and witnesses.
This affidavit is intended to show merely that there is sufficient probable
cause for the requested warrant and does not set forth all of my knowledge
about this matter.
4. [Give facts establishing probable cause. At a minimum, establish a
connection between the email account and a suspected crime. Also mention
whether a preservation request was sent (or other facts suggesting the email is
still at the provider)]
5. In my training and experience, I have learned that [EMAIL PROVIDER]
provides a variety of on-line services, including electronic mail
(“email”) access, to the general public. Subscribers obtain an account by registering
with [EMAIL PROVIDER]. During the registration process, [EMAIL
PROVIDER] asks subscribers to provide basic personal information. Therefore,
the computers of [EMAIL PROVIDER] are likely to contain stored electron ic communications (including retrieved and unretrieved email for [EMAIL
PROVIDER] subscribers) and information concerning subscribers and their
use of [EMAIL PROVIDER] services, such as account access information,
email transaction information, and account application information.
6. In general, an email that is sent to a [EMAIL PROVIDER] subscriber
is stored in the subscriber’s “mail box” on [EMAIL PROVIDER] servers until
the subscriber deletes the email. If the subscriber does not delete the message,
the message can remain on [EMAIL PROVIDER] servers indefinitely.
7. When the subscriber sends an email, it is initiated at the user’s computer,
transferred via the Internet to [EMAIL PROVIDER]’s servers, and then
transmitted to its end destination. [EMAIL PROVIDER] often saves a copy
of the email sent. Unless the sender of the email specifically deletes the email
from the [EMAIL PROVIDER] server, the email can remain on the system
8. An [EMAIL PROVIDER] subscriber can also store files, including
emails, address books, contact or buddy lists, pictures, and other files, on servers
maintained and/or owned by [EMAIL PROVIDER]. [NOTE: Consider
consulting the provider’s law enforcement guide or contacting the provider to
identify other types of stored records or files that may be relevant to the case
and available from the provider. If there are such records, specifically describe
them in the affidavit and list them in Section I of Attachment B.]
9. Subscribers to [EMAIL PROVIDER] might not store on their home
computers copies of the emails stored in their [EMAIL PROVIDER] account.
This is particularly true when they access their [EMAIL PROVIDER] account
through the web, or if they do not wish to maintain particular emails or files
in their residence.
10. In general, email providers like [EMAIL PROVIDER] ask each
of their subscribers to provide certain personal identifying information when
registering for an email account. This information can include the subscriber’s
full name, physical address, telephone numbers and other identifiers, alternative
email addresses, and, for paying subscribers, means and source of payment
(including any credit or bank account number).
11. Email providers typically retain certain transactional information
about the creation and use of each account on their systems. This information
can include the date on which the account was created, the length of service,
records of log-in (i.e., session) times and durations, the types of service utilized,
258 Searching and Seizing Computers
the status of the account (including whether the account is inactive or closed),
the methods used to connect to the account (such as logging into the account
via [EMAIL PROVIDER]’s website), and other log files that reflect usage of
the account. In addition, email providers often have records of the Internet
Protocol address (“IP address”) used to register the account and the IP addresses
associated with particular logins to the account. Because every device
that connects to the Internet must use an IP address, IP address information
can help to identify which computers or other devices were used to access the
12. In some cases, email account users will communicate directly with
an email service provider about issues relating to the account, such as technical
problems, billing inquiries, or complaints from other users. Email providers
typically retain records about such communications, including records of
contacts between the user and the provider’s support services, as well records of
any actions taken by the provider or user as a result of the communications.
INFORMATION TO BE SEARCHED
AND THINGS TO BE SEIZED
13. I anticipate executing this warrant under the Stored Communications
Act, in particular 18 U.S.C. §§ 2703(a), 2703(b)(1)(A) and 2703(c)(1)(A),
by using the warrant to require [EMAIL PROVIDER] to disclose to the government
copies of the records and other information (including the content of
communications) particularly described in Section I of Attachment B. Upon
receipt of the information described in Section I of Attachment B, governmentauthorized
persons will review that information to locate the items described in
Section II of Attachment B.
14. Based on my training and experience, and the facts as set forth in
this affidavit, there is probable cause to believe that on the computer systems
in the control of [EMAIL PROVIDER] there exists evidence of a crime [and
contraband or fruits of a crime]. Accordingly, a search warrant is requested.
15. This Court has jurisdiction to issue the requested warrant because
it is “a court with jurisdiction over the offense under investigation.” 18 U.S.C.
16. Pursuant to 18 U.S.C. § 2703(g), the presence of a law enforcement
officer is not required for the service or execution of this warrant.
Appendix I 259
REQUEST FOR NONDISCLOSURE AND SEALING
17. [IF APPROPRIATE: The United States requests that pursuant to
the preclusion of notice provisions of 18 U.S.C. § 2705(b), [EMAIL PROVIDER]
be ordered not to notify any person (including the subscriber or customer
to which the materials relate) of the existence of this warrant for such period
as the Court deems appropriate. The United States submits that such an order
is justified because notification of the existence of this Order would seriously
jeopardize the ongoing investigation. Such a disclosure would give the subscriber
an opportunity to destroy evidence, change patterns of behavior, notify
confederates, or flee or continue his flight from prosecution. [Note: if using
this paragraph, include a nondisclosure order with warrant.]]
18. [IF APPROPRIATE: It is respectfully requested that this Court
issue an order sealing, until further order of the Court, all papers submitted
in support of this application, including the application and search warrant.
I believe that sealing this document is necessary because the items and information
to be seized are relevant to an ongoing investigation into the criminal
organizations as not all of the targets of this investigation will be searched at
this time. Based upon my training and experience, I have learned that online
criminals actively search for criminal affidavits and search warrants via the
internet, and disseminate them to other online criminals as they deem appropriate,
e.g., by posting them publicly online through the carding forums.
Premature disclosure of the contents of this affidavit and related documents
may have a significant and negative impact on the continuing investigation
and may severely jeopardize its effectiveness.]
Subscribed and sworn to before me on [date]:
UNITED STATES MAGISTRATE JUDGE
260 Searching and Seizing Computers
Place to Be Searched
This warrant applies to information associated with [EMAIL ACCOUNT]
that is stored at premises owned, maintained, controlled, or operated
by [EMAIL PROVIDER ], a company headquartered at [ADDRESS].
Related Material From the Archive:
- U.S. Secret Service: Best Practices For Seizing Electronic Evidence
- Electronic Evidence Compliance: A Guide for Internet Service Providers
- Microsoft Online Services Global Criminal Compliance Handbook
- 2007 MySpace.com Law Enforcement Guide
- eBay/PayPal Law Enforcement Guide
- Joint Public Health – Law Enforcement Investigations: Model Memorandum of Understanding (MOU)
- eBay/PayPal Responding to Law Enforcement Record Requests
- FBI Electronic Recordkeeping Certification Manual