In Re Warrant To Search A Target Computer At Premises Unknown, Case No. H-13-234M, F. Supp.2d, 2013 WL 1729765

Stephen WM SmithWorld over human rights protection in cyberspace is ignored and there are very few individuals and organisations that are maintaining a balance between civil liberties and national security requirements.

The lawful interception law in India is needed as soon as possible as the laws like Indian Telegraph Act, 1885 and Indian Information Technology Act, 2000 are not strictly in compliance with the Constitutional safeguards and they deserve to be repealed.

The proposed central monitoring system of India is another initiative of Indian government that may have serious constitutional ramifications. Add to this the desire of law enforcement agencies of India to installing key loggers at cyber cafes.

While India has adopted an endemic e-surveillance model yet U.S. Judiciary and law makers are not willing to compromise on the aspect of civil liberties. For instance, while the cyber intelligence sharing and protection act (CISPA) was passed by the House of Representatives yet its would, in all probability, die in Senate. Even otherwise, the White House has threatened to veto the CISPA bill if it remains in its current form.

As far as U.S. Judiciary is concerned, in a landmark judgment pronounced by Stephen WM Smith, United States Magistrate Judge at Southern District of Texas, Civil Liberties of U.S. citizens were respected and protected by him.

In this case, the U.S. Government applied for a Rule 41 search and seizure warrant targeting a computer allegedly used to violate federal bank fraud, identity theft, and computer security laws. Unknown persons were said to have committed these crimes using a particular email account via an unknown computer at an unknown location. The search would have been accomplished by surreptitiously installing software designed not only to extract certain stored electronic records but also to generate user photographs and location information over a 30 day period. In other words, the Government sought a warrant to hack a computer suspected of criminal use.

In early 2013, unidentified persons gained unauthorised access to the personal email account of John Doe, an individual residing within the Southern District of Texas, and used that email address to access his local bank account. The Internet Protocol (IP) address of the computer accessing Doe’s account resolves to a foreign country. After Doe discovered the breach and took steps to secure his email account, another email account nearly identical to Doe’s — the address differed by a single letter — was used to attempt a sizeable wire transfer from Doe’s local bank to a foreign bank account. The FBI commenced an investigation, leading to this search warrant request.

At this point in the investigation, the location of the suspects and their computer was unknown. The Government did not seek a garden-variety search warrant. Its application requested authorisation to surreptitiously install data extraction software on the target computer. Once installed, the software had the capacity to search the computer’s hard drive, random access memory, and other storage media; to activate the computer’s built-in camera; to generate latitude and longitude coordinates for the computer’s location; and to transmit the extracted data to FBI agents within this district.

Using this software, the government sought to obtain the information including records existing on the target computer at the time the software is installed, including records of Internet Protocol addresses used, records of Internet activity, including firewall logs, caches, browser history and cookies, “bookmarked” or “favorite” Web pages, search terms that the user entered into any Internet search engine, and records of user-typed Web addresses. The information also included records evidencing the use of the Internet Protocol addresses to communicate with the [victim’s bank’s] e-mail servers, evidence of who used, owned, or controlled the target computer at the time the things described in this warrant were created, edited, or deleted, such as logs registry entries, configuration file, saved user names and passwords, documents, browsing history, user profiles, e-mail contents, e-mail contacts, “chat,” messaging logs, photographs, and correspondence, evidence of software that would allow others to control the target computer, etc.

Ed: See FinFisher: the new face of global electronic spying, e-surveillance and eavesdropping for use of Spyware and key loggers for obtaining information from targeted systems.

At the Government’s request, the warrant application has been sealed to avoid jeopardising the ongoing investigation. This opinion will not be sealed because it deals with a question of law at a level of generality which could not impair the investigation.

This appears to be a matter of first impression in this (or any other) circuit. The Court has found no published opinion dealing with such an application, although in 2007 a magistrate judge is known to have issued a warrant authorising a similar investigative technique to track the source of e-mailed bomb threats against a Washington state high school.

The Government contended that its novel request was authorised by Rule 41. In the Court’s view, this claim raised a number of questions, including: (1) whether the territorial limits of a Rule 41 search warrant were satisfied; (2) whether the particularity requirements of the Fourth Amendment had been met; and (3) whether the Fourth Amendment requirements for video camera surveillance had been shown. Each issue was discussed in turn.

(1) Rule 41(b) Territorial Limit: Rule 41(b) sets out five alternative territorial limits on a magistrate judge’s authority to issue a warrant. The government’s application does not satisfy any of them. The rule’s first subsection, the only one expressly invoked by the Government’s application, allows a “magistrate judge with authority in the district . . . to issue a warrant to search for and seize a person or property located within the district.”

Even though the Government readily admitted that the current location of the target computer was unknown, it asserted that this subsection authorised the warrant “because information obtained from the target computer will first be examined in this judicial district.”  Under the Government’s theory, because its agents need not leave the district to obtain and view the information gathered from the target computer, the information effectively became “property located within the district.” This rationale does not withstand scrutiny.

It is true that Rule 41(a)(2)(A) defines “property” to include “information,” and the Supreme Court has long held that “property” under Rule 41 includes intangible property such as computer data. See United States v. New York Tel. Co., 434 U.S. 159, 170 (1977).  For purposes of search and seizure law, many courts have analogised computers to large containers filled with information. See United States v. Roberts, 86 F.Supp.2d 678, 688 (S.D.Tex.2000); United States v. Barth, 26 F.Supp.2d. 929, 936–37 (W.D.Tex.1998); United States v. David, 756 F.Supp. 1385, 1390 (D.Nev.2009)(holding that a computer notebook “is indistinguishable from any other closed container” for the purpose of Fourth Amendment analysis). By the Government’s logic, a Rule 41 warrant would permit FBI agents to roam the world in search of a container of contraband, so long as the container is not opened until the agents haul it off to the issuing district. The court has found no case willing to stretch the territorial limits of Rule 41(b)(1) so far.

The “search” for which the Government seeks authorisation is actually two-fold: (1) a search for the Target Computer itself, and (2) a search for digital information stored on (or generated by) that computer. Neither search will take place within this district, so far as the Government’s application shows. Contrary to the current metaphor often used by Internet-based service providers, digital information is not actually stored in clouds; it resides on a computer or some other form of electronic media that has a physical location. Before that digital information can be accessed by the Government’s computers in this district, a search of the Target Computer must be made. That search takes place, not in the airy nothing of cyberspace, but in physical space with a local habitation and a name. Since the current location of the Target Computer is unknown, it necessarily follows that the current location of the information on the Target Computer is also unknown. This means that the Government’s application cannot satisfy the territorial limits of Rule 41(b)(1).

This interpretation of (b)(1) is bolstered by comparison to the territorial limit of subsection (b)(2), which expressly deals with a transient target. This subsection allows an extraterritorial search or seizure of moveable property “if it is located within the district when the warrant is issued but might move or be moved outside the district before the warrant is executed.” Note that (b)(2) does not authorise a warrant in the converse situation—that is, for property outside the district when the warrant is issued, but brought back inside the district before the warrant is executed.

A moment’s reflection reveals why this is so. If such warrants were allowed, there would effectively be no territorial limit for warrants involving personal property, because such property is moveable and can always be transported to the issuing district, regardless of where it might initially be found. The other subsections of Rule 41(b) likewise offer no support for the Government’s application. Subsection (b)(3), dealing with an investigation of domestic or international terrorism, authorises a search by a magistrate judge with authority in “any district in which activities related to the terrorism may have occurred,” whether the property is within or outside that district. This case does not involve a terrorism investigation. Subsection (b)(4) deals with a tracking device warrant, and its provisions echo those of (b)(2), allowing the device to be monitored outside the district, provided the device is installed within the district. There is a plausible argument that the installation of software contemplated here falls within the statutory definition of a tracking device, because the software will activate the computer’s camera over a period of time and capture latitude/longitude coordinates of the computer’s physical location.

But the Government’s application would fail nevertheless, because there is no showing that the installation of the “tracking device” (i.e. the software) would take place within this district. To the contrary, the software would be installed on a computer whose location could be anywhere on the planet.

The only remaining possibility is (b)(5), which authorises a magistrate judge “in any district where activities related to the crime may have occurred” to issue a warrant for property that may be outside the jurisdiction of any state or district, but within a U .S. territory, possession, commonwealth, or premises used by a U.S. diplomatic or consular mission.

The application does indicate that Doe’s local bank account was improperly accessed, thereby satisfying (b)(5)’s initial condition. However, the remaining territorial hurdle of this subsection is not satisfied, because there is no evidence the Target Computer will be found on U.S.-controlled territory or premises.

(2) Fourth Amendment Particularity Requirement: The Fourth Amendment prescribes that “no warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

This particularity requirement arose out of the Founders’ experience with abusive general warrants. As previously noted, the warrant sought here would authorise two different searches: a search for the computer used as an instrumentality of crime, and a search of that computer for evidence of criminal activity. Because the latter search presumes the success of the initial search for the Target Computer, it is appropriate to begin the particularity inquiry with that initial search.

The Government’s application contains little or no explanation of how the Target Computer will be found. Presumably, the Government would contact the Target Computer via the counterfeit email address, on the assumption that only the actual culprits would have access to that email account. Even if this assumption proved correct, it would not necessarily mean that the government has made contact with the end-point Target Computer at which the culprits are sitting.

It is not unusual for those engaged in illegal computer activity to “Spoof Internet Protocol Addresses” as a way of disguising their actual on-line presence; in such a case the Government’s search might be routed through one or more “innocent” computers on its way to the Target Computer.

The Government’s application offers nothing but indirect and conclusory assurance that its search technique will avoid infecting innocent computers or devices. Further, the method in which the software is added to the target computer is designed to ensure that the [persons] committing the illegal activity will be the only individuals subject to said technology. This “method” of software installation is nowhere explained. Nor does the Government explain how it will ensure that only those “committing the illegal activity will be subject to the technology.” What if the Target Computer is located in a public library, an Internet café, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme? What if the counterfeit email address is used for legitimate reasons by others unconnected to the criminal conspiracy? What if the email address is accessed by more than one computer, or by a cell phone and other digital devices? There may well be sufficient answers to these questions, but the Government’s application does not supply them.

Ed: It seems court is referring to the aspect of cross border cyber attacks, authorship attribution and cyber crimes convictions.

The court concludes that the revised supporting affidavit does not satisfy the Fourth Amendment’s particularity requirement for the requested search warrant for the Target Computer.

(3) Constitutional Standards For Video Camera Surveillance: As explained above, the Government’s data extraction software will activate the Target Computer’s built-in-camera and snap photographs sufficient to identify the persons using the computer. The Government couches its description of this technique in terms of “photo monitoring,” as opposed to video surveillance, but this is a distinction without a difference. In between snapping photographs, the Government will have real time access to the camera’s video feed. That access amounts to video surveillance.

The Fifth Circuit has described video surveillance as “a potentially indiscriminate and most intrusive method of surveillance .” United States v. Cuevas–Sanchez, 821 F.2d 248, 250 (5th Cir.1987). In that case the court adopted constitutional standards for such surveillance by borrowing from the statute permitting wiretaps—Title III of the Omnibus

Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510–2520. Id., citing United States v. Biasucci, 786 F.2d 504 (2nd Cir.), cert. denied, 479 U.S. 827 (1986). Under those standards, a search warrant authorizing video surveillance must demonstrate not only probable cause to believe that evidence of a crime will be captured, but also should include:

(i) A factual statement that alternative investigative methods have been tried and failed or reasonably appear to be unlikely to succeed if tried or would be too dangerous;

(ii) A particular description of the type of communication sought to be intercepted, and a statement of the particular offense to which it relates;

(iii) A statement of the duration of the order, which shall not be longer than is necessary to achieve the objective of the authorisation nor, in any event, longer than 30 days, (though extensions are possible); and

(iv) A statement of the steps to be taken to assure that the surveillance will be minimised to effectuate only the purposes for which the order is issued.

The Government’s application fails to meet the first and fourth of these criteria, i.e. inadequate alternatives and minimisation. Regarding the inadequacy of alternative investigative techniques, the Government offers only a conclusory statement:

“Investigative methods that might be alternatives to the use of a camera attached to the target computer reasonably appear to be unlikely to succeed if tried or would be too dangerous”.

The Government makes no attempt to explain why this is so. In fact, contemporaneous with this warrant application, the Government also sought and obtained an order under 18 U.S.C. § 2703 directing the Internet service provider to turn over all records related to the counterfeit email account, including the contents of stored communications. To support that application, an FBI agent swore that the ISP’s records would likely reveal information about the “identities and whereabouts” of the users of this account. Yet the same agent now swears that no other technique is likely to succeed. The Government cannot have it both ways.

As for minimisation, the Government has offered little more than vague assurances:

“Steps will be taken to assure that data gathered through the technique will be minimised to effectuate only the purposes for which the warrant is issued. The software is not designed to search for, capture, relay, or distribute personal information or a broad scope of data. The software is designed to capture limited amounts of data, the minimal necessary information to identify the location of the target computer and the user of target computer”.

The steps taken to minimise over-collection of data are left to the court’s imagination. The statement that the software is designed to capture only limited amounts of data—“the minimal necessary information needed to identify the location of the Target Computer and the user”—does mitigate the risk of a general search somewhat, but that assurance is fatally undermined by the breadth of data authorised for extraction in the proposed warrant.

Software that can retrieve this volume of information—Internet browser history, search terms, e-mail contents and contacts, “chat”, instant messaging logs, photographs, correspondence, and records of applications run, among other things—is not fairly described as capturing “only limited amounts of data.” Finally, given the unsupported assertion that the software will not be installed on “innocent” computers or devices, there remains a non-trivial possibility that the remote camera surveillance may well transmit images of persons not involved in the illegal activity under investigation. For these reasons, the Government has not satisfied the Fourth Amendment warrant standards for video surveillance.

(4) Conclusion: The court finds that the Government’s warrant request is not supported by the application presented. This is not to say that such a potent investigative technique could never be authorised under Rule 41. And there may well be a good reason to update the territorial limits of that rule in light of advancing computer search technology. But the extremely intrusive nature of such a search requires careful adherence to the strictures of Rule 41 as currently written, not to mention the binding Fourth Amendment precedent for video surveillance in this circuit. For these reasons, the requested search and seizure warrant is denied.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we believe that this is a good and well reasoned judgment and we welcome this judgment. In the Indian context we have to cover a long road to reach this level. A public interest litigation is pending before the Supreme Court of India to ensure regulations and guidelines for effective investigation of cyber crimes in India and we hope the Court would do the needful in this regard.

This entry was posted in Uncategorized. Bookmark the permalink.