Sean B. Hoar, Assistant United States Attorney
2010 Financial Crimes & Digital Evidence Conference
United States v. Comprehensive Drug Testing, Inc. (“CDT I”, filed August 26, 2009)
- Classic example of bad facts making bad law
- CDT I was an en banc decision which affirmed three district court orders:
  - one quashing subpoenas
  - two ordering return of property seized pursuant to a search warrant
- The subpoenas and search warrants emanated from a criminal investigation, but CDT was not a criminal defendant, merely a repository of digital evidence
The case emanated from an investigation into the use of steroids by professional baseball players – remember Barry Bonds? In 2002, an investigation commenced into the Bay Area Lab Cooperative (BALCO), which was suspected of providing steroids to professional baseball players. That year, the Major League Baseball Players Association (MLBPA) entered into a collective bargaining agreement with MLB owners
The collective bargaining agreement provided for suspicionless drug testing of all players. Urine samples were to be collected during the first year of the agreement and tested for banned substances. Players were assured the results would remain anonymous and confidential...
The sole purpose of the testing was to determine whether more than five percent of players tested positive – which would require additional testing in future seasons.
- CDT administered the program:
  - collected specimens from players
  - maintained the list of players & test results
- Quest Diagnostics performed the actual tests
During the BALCO investigation, ten players were identified as having tested positive in the CDT program. The Northern District of California (NDCA) issued a grand jury subpoena seeking all “drug testing records and specimens” pertaining to MLB in CDT’s possession. CDT and MLBPA attempted to negotiate a more limited subpoena, but negotiations failed.
When negotiations failed, CDT and MLBPA moved to quash the subpoena. After CDT and the players’ union moved to quash the subpoena... a search warrant, limited to the test results of ten named baseball players, was obtained for CDT’s facilities in Long Beach, California.
And - you guessed it - although the CDT warrant was limited to test results of ten named baseball players, drug testing records of hundreds of MLB players – and many more people - were obtained...
A search warrant was also obtained for the urine samples on which the drug tests had been performed which were kept at Quest Diagnostics’ facilities in Las Vegas. New subpoenas were then served on CDT and Quest for the same records which had just been seized.
- CDT and MLBPA then moved for return of the property seized from CDT in the Central District of California (CDCA)
  - Judge Cooper in CDCA found that the government failed to comply with the procedures specified in the warrant and ordered the property returned
- CDT and MLBPA also moved for return of the property seized from Quest in Nevada
  - Judge Mahan in Nevada ordered the property returned, with the exception of the ten identified baseball players
- CDT and MLBPA then moved to quash the latest round of subpoenas in NDCA
  - Judge Illston in NDCA quashed the subpoenas
- All three judges expressed grave dissatisfaction with the government’s handling of the investigation, even going so far as to accuse the government of manipulation and misrepresentation.
The search warrant affidavit
- Contained extensive boilerplate about the risk of destruction of electronically stored information if the search was not done off-site
  - Which supported authorization for an off-site search
- Contained a procedure wherein data would be reviewed and segregated by specially trained computer personnel to restrict access to the data by investigating agents
  - Which supported authorization to examine the data
The search warrant affidavit
- Contained a procedure wherein, if computer personnel determined that data fell outside the warrant, the data would be returned within a reasonable period of time not to exceed 60 days from the date of seizure, absent further authorization
  - Which supported authorization for the seizure
In executing the search warrant at CDT’s facilities in Long Beach...
- the agent copied a file directory (the “Tracey Directory”) off a network server which included, among hundreds of other documents, an Excel spreadsheet that contained the names of many baseball players who tested positive for steroids
- the agents took an electronic copy of the entire directory off-site for later review...
The problem...
- The boilerplate about the risk of destruction of electronically stored information if the search was not done off-site wasn’t accurate...
- The record reflected no forensic lab analysis, no evidence of booby traps, no decryption, no cracking of passwords, and no effort by a dedicated computer specialist to separate the data for which the government had probable cause from other data...
The problem...
- The procedure wherein data would be reviewed and segregated by specially trained computer personnel to restrict access to the data by investigating agents wasn’t followed
  - The “Tracey Directory”, which had the names of all those who tested positive, was immediately provided to the case agent, who examined the entire list
- The procedure for return of data wasn’t followed
Because certain evidence seized was outside the scope of the warrant & because the procedures specified in the warrant were not complied with...
- Two district courts ordered the return of property:
  - District of Nevada (Judge Mahan)
  - Central District of California (Judge Cooper)
- One district court ordered the subpoenas quashed:
  - Northern District of California (Judge Illston)
- All three judges expressed “grave dissatisfaction” with the government’s handling of the investigation, even accusing it of manipulation & misrepresentation
- The government then appealed all three orders
- A divided 9th Circuit panel reversed two orders but found the appeal from the Cooper order untimely
- The case was then taken en banc...
CDT I affirmed three district court orders:
- one quashing subpoenas
- two ordering return of property seized pursuant to a search warrant
Chief Judge Kozinski wrote the opinion, concluding: “This was an obvious case of deliberate overreaching by the government in an effort to seize data as to which it lacked probable cause.” and taking “the opportunity to guide our district and magistrate judges in the proper administration of search warrants and grand jury subpoenas for electronically stored information...”
1. Magistrates should insist that the government waive reliance upon the plain view doctrine in digital evidence cases.
2. Segregation and redaction must be done by specialized personnel or an independent third party.
3. If segregation is done by government computer personnel, the government must agree in the warrant application that computer personnel will not disclose to investigators any information other than that which is the target of the warrant.
4. Warrants and subpoenas must disclose the actual risks of destruction of information and prior efforts to seize the information in other judicial fora.
5. The government’s search protocol must be designed to uncover only information for which it has probable cause, and only that information may be examined by the case agents.
6. The government must destroy or, if the recipient may lawfully possess it, return non-responsive data, keeping the issuing magistrate informed about when it has done so and what it has kept.
- In Oregon, federal digital evidence searches stopped between August and October 2009
- In October 2009, the Oregon USAO negotiated a reasonable application of CDT I:
  - Wall between reviewers (usually computer personnel) & investigators
  - Data reviewed, segregated &/or redacted prior to investigative review
  - Reasonable time for review (120 days)
  - Reasonable warrant return procedure
  - Reasonable device/image retention procedure
United States v. Comprehensive Drug Testing, Inc. (“CDT II”, filed September 13, 2010)
- CDT II is an en banc decision which resulted from a rehearing of the CDT I en banc decision
- CDT II again affirmed three district court orders:
  - one quashing subpoenas
  - two ordering return of property seized pursuant to a search warrant
- But... CDT II eliminated the troubling “guidance” requiring a filter team search protocol
- Per curiam opinion of 11 circuit judges
- Concurrence by Chief Judge Kozinski, joined by four judges (containing the “guidance” from CDT I)
- Partial concurrence and partial dissent by Judge Bea
- Partial concurrence and partial dissent by Judge Callahan, joined by Judge Ikuta
- Dissent by Judge Ikuta
- A wall between computer personnel & investigators is no longer required
Although a wall between computer personnel & investigators is no longer required:
- The search protocol should be as narrow as possible.
- Technological representations in the affidavit will be scrutinized; i.e. actual concerns about data corruption should be specifically articulated.
- There should be disclosure about attempts to obtain evidence in different judicial fora (i.e. grand jury subpoenas for target information).
- Where there may be a heightened privacy interest (third party data repositories), an alternate protocol may be developed.
- Under new Rule 41, the return need not list all “data,” only the hardware seized
- The government is not required to waive the plain view doctrine
- As usual, a second warrant will be sought should the initial review reveal evidence of other crimes