Introduction – While computers have existed for decades, it has been only since the late 1980s, as computers have proliferated in businesses, homes, and government agencies, that digital evidence has been seized and individuals charged with criminal acts such as the possession of child pornography – in Colorado the charge is Sexual Exploitation of a Child/Children.
For years, evidence in child pornography cases was found in magazines and consisted of traditional photographs. During the mid-1990s, the Internet changed that. Now it is rare to find a child pornography case that involves anything other than digital images and printouts of those images.
The collection of digital evidence in criminal cases is governed at the Federal and State levels by numerous constitutional and statutory provisions, including statutes that regulate the communications and computer industries and that directly govern the gathering and use of digital evidence.
Several Federal statutes govern access to and disclosure of certain types of information deemed deserving of special treatment by Congress:
– the Electronic Communications Privacy Act (which includes the Wiretap Act, the Pen Register and Trap and Trace Statute, and the Stored Wire and Electronic Communications Act), and
– the Privacy Protection Act.
The Wiretap Act (18 U.S.C. § 2510 et seq.) focuses on the interception of the content of communications while they are in transit. Examples of such interceptions include wiretapping a telephone, placing a listening device or “bug” in a room to pick up conversations, and installing “sniffer” software that captures a hacker’s instant messages. The Wiretap Act also governs the disclosure of intercepted communications.
The Wiretap Act generally and broadly prohibits anyone in the United States from intercepting the contents of wire, oral, or electronic communications. As a basic rule, the Wiretap Act prohibits anyone who is not a participating party to a private communication from intercepting the communication between or among the participating parties using an “electronic, mechanical, or other device,” unless one of several statutory exceptions applies.
One exception is the issuance of an order by a court of competent jurisdiction that authorizes interception. The requirements to obtain such an order are substantial.
Violation of the Wiretap Act can lead to criminal and civil liability. In the case of wire and oral communications, a violation by government officials may result in the suppression of evidence.
The Pen Register and Trap and Trace Statute (18 U.S.C. § 3121 et seq.), known as the Pen/Trap statute, governs the real-time acquisition of dialing, routing, addressing, and signaling information relating to communications. Unlike the Wiretap Act, the Pen/Trap statute does not cover acquisition of the content of communications. Rather, it covers the information about communications. The term “pen register” refers to a device that records outgoing connection information. A “trap and trace” device records incoming connection information.
For example, a pen register captures the telephone number dialed by an individual under surveillance, while a trap-and-trace device captures the telephone number of the party who is calling the individual under surveillance.
The Pen/Trap statute applies to telephone and Internet communications. For example, every e-mail communication contains “to” and “from” information. A pen/trap device captures such information in real time.
The statute generally forbids the nonconsensual real-time acquisition of noncontent information by any person about a wire or electronic communication unless a statutory exception applies. When no exception to this prohibition applies, law enforcement must obtain a pen/trap order from the court before acquiring noncontent information covered by the statute.
The stored communications chapter of the Electronic Communications Privacy Act (ECPA) (18 U.S.C. § 2701 et seq.) provides privacy protections to customers of and subscribers to certain communications services providers. This statute protects records held (e.g., billing) as well as files stored (e.g., e-mail, uploaded files) by providers for customers and subscribers. Depending on the type of provider, ECPA may dictate what type of legal process is necessary to compel a provider to disclose specific types of customer and subscriber information to law enforcement.
ECPA also limits what a provider may and may not voluntarily disclose to others, including Federal, State, or local governments.
ECPA applies when law enforcement seeks to obtain records about a customer or subscriber from a communications services provider (e.g., an Internet service provider (ISP) or cellular phone provider). For example, ECPA may apply when law enforcement seeks to obtain copies of a customer’s e-mails from an ISP. ECPA does not apply when law enforcement seeks to obtain the same e-mails from the customer’s computer.
Under ECPA, the production of some information may be compelled by subpoena, some by court order under section 2703(d) (discussed below), and some by search warrant. Generally speaking, the more sensitive the information (from basic subscriber information to transactional information to content of certain kinds of stored communications), the higher the level of legal process required to compel disclosure (from subpoena to court order under 2703(d) to search warrant).
As the level of government process escalates from subpoena to 2703(d) order to search warrant, the information available under the less exacting standard is included at the higher level (e.g., a search warrant grants access to basic subscriber information, transactional information, and content of stored communications).
Law enforcement must obtain a court order under 18 U.S.C. § 2703(d) to compel a provider to disclose more detailed records about a customer’s or subscriber’s use of services, such as the following:
1. Account activity logs that reflect what Internet protocol (IP) addresses the subscriber visited over time.
2. Addresses of others from and to whom the subscriber exchanged e-mail.
3. Buddy lists.
Law enforcement can also use a 2703(d) order to compel a cellular telephone service provider to turn over, in real time, records showing the cell-site location information for calls made from a subscriber’s cellular phone. These records provide more information about a subscriber’s use of the system than those available by subpoena, but they do not include the content of the communications.
A Federal magistrate or district court with jurisdiction over the offense under investigation may issue a 2703(d) order. State court judges authorized by the law of the State to enter orders authorizing the use of a pen/trap device may also issue 2703(d) orders. The application must offer “specific and articulable facts showing that there are reasonable grounds to believe that . . . the records or other information sought are relevant and material to an ongoing criminal investigation.”
ECPA distinguishes between communications in storage that have already been retrieved by the customer or subscriber and those that have not. In addition, the act distinguishes between retrieved communications that are held by a private provider (e.g., an employer who offers e-mail services to employees and contractors only) and those held by a provider that offers its services to the public generally.
1. Subpoena: retrieved communications held by private provider.
ECPA applies only to stored communications that a customer or subscriber has retrieved but left on a public service provider’s server, if the service provider offers those services to the public (see section IV.C.2). If a provider does not offer such services to the public, no constraints are imposed by ECPA on the provider’s right to disclose such information voluntarily.
ECPA does not require any heightened or particular legal process to compel disclosure of such records. For example, ECPA does not apply to a government request to compel an employer to produce the retrieved e-mail of a particular employee if the employer offers e-mail services and accounts to its employees but not to the public generally.
Where ECPA does not apply, such information may be available through traditional legal processes.
2. Subpoena or 2703(d), with notice: retrieved communications, unretrieved communications older than 180 days, and other files stored with a public provider.
ECPA applies to stored communications that a customer or subscriber has retrieved but left on the server of a communications services provider if the provider offers those services to the public. Such communications include text files, pictures, and programs that a customer may have stored on the public provider’s system. Under the statute, such a provider is considered a “remote computing service” and is not permitted to disclose voluntarily such content to the government.
Law enforcement may use either a subpoena or a 2703(d) court order to compel a public service provider to disclose the contents of stored communications retrieved by a customer or subscriber. In either case, however, law enforcement must give prior notice of the request to the customer or subscriber.
Another ECPA provision allows law enforcement to delay giving notice to the customer or subscriber when it would jeopardize a pending investigation or endanger the life or physical safety of an individual. If using a subpoena to compel the disclosure of stored, retrieved communications from a public service provider, law enforcement may seek to delay notice for 90 days “upon the execution of a written certification of a supervisory agent that there is reason to believe that notification of the existence of the subpoena may have an adverse result.” If using a 2703(d) order, law enforcement may seek permission from the court to delay notice as part of the application for the order.
At the end of the delayed notice period, law enforcement must send a copy of the request or process to the customer or subscriber, along with a letter explaining the delay.
Law enforcement may also use a subpoena or a 2703(d) order with prior notice to compel a service provider to disclose communications that are unretrieved but have been on the server more than 180 days. As a practical matter, most providers will not allow unretrieved messages to stay on a server unaccessed for such a long period.
If law enforcement is using a search warrant or seeking noncontent information, no notice is required.
3. Search warrant: unretrieved communications.
Unretrieved communications, including voice mail, held by a provider for up to 180 days have the highest level of protection available under ECPA. ECPA covers such communications whether the service provider is private or public. The service provider is generally not permitted to voluntarily disclose unretrieved communications to the government.
For example, under ECPA an e-mail sent to a customer is considered unretrieved if it resides on the server of the customer’s provider (i.e., an ISP or the customer’s employer), but the customer has not yet logged on and accessed the message. Once the customer accesses the e-mail (but a copy remains on the server of the provider), the e-mail is deemed retrieved. (Refer to chapter 1, section IV.C.1, of this guide for more details about retrieved communications.)
Law enforcement may seek a search warrant, such as a warrant provided by 2703(a), to compel a service provider to produce unretrieved communications in storage. No prior notice to the customer or subscriber is required.
Civil damages are the exclusive remedy for nonconstitutional violations of ECPA.
Evidence seized in violation of ECPA alone should not be suppressed.
The Privacy Protection Act (PPA) (42 U.S.C. § 2000aa et seq.) limits law enforcement’s use of a search warrant to search for or seize certain materials possessed for the purpose of public dissemination. The protected materials may be either “work products” (i.e., materials created by the author or publisher) or “documentary materials” (i.e., any materials that document or support the work product).
For example, a person who is creating an online newsletter may possess interview notes that could be considered “documentary materials”; the text of the newsletter to be published could be considered a “work product.” If the material is covered by PPA, law enforcement cannot use a search warrant to obtain it.
PPA’s prohibition on the use of a search warrant may not apply when:
– Materials searched for or seized are “fruits” or instrumentalities of the crime or are contraband.
– There is reason to believe that the immediate seizure of such materials is necessary to prevent death or serious bodily injury.
– There is probable cause to believe that the person possessing the materials has committed or is committing a criminal offense to which the materials relate. (Except for the possession of child pornography and certain government information, this exception does not apply where the mere possession of the materials constitutes the offense.)
If evidence of a crime is commingled on a computer with PPA-protected materials, issues concerning proper scope and execution of a search warrant will arise. Recent cases indicate that the courts are limiting the scope of PPA protection to people who are not suspected of committing a crime. Evidence seized in violation of PPA alone will not be suppressed.
Searches for digital evidence, like searches for other forms of evidence, are subject to the constraints of Federal and State constitutional search and seizure laws and court rules. Traditional Fourth Amendment principles, such as those governing closed containers, apply to digital evidence. See Part II.