United States v. Ganias and the Case for Selective Seizures of Digital Evidence

Cross-posted at Lawfare.

Recent high-profile cases involving digital searches and seizures have largely focused on government access to data, from the battle over breaking strong encryption to the debates over whether a warrant is required to hack a computer or to obtain private communications from a third-party service provider. But the next big set of questions lurking in the wings revolves around what happens after law enforcement gains access to a cache of personal data: How much can they seize? What can they can search, and how?  What happens to non-responsive data? What if it is evidence of another crime? A handful of courts and commentators have grappled with these questions, but the issues seem to be coming up with increasing frequency, highlighting the lack of clarity and consensus on a difficult suite of problems.

Earlier this year, the Second Circuit waded into these waters when an en banc panel decided United States v. Ganias, a case that many observers expected to resolve a thorny Fourth Amendment question about how long the government can keep seized data that falls outside the scope of a warrant.

Unfortunately, the opinion may do more to muddy the water than clear it. In particular, it operates on mistaken assumptions about the need to copy entire caches of data and search them off-site, suggesting that such an invasive process will often be reasonable for Fourth Amendment purposes. But a few additional facts make clear that such an approach ought to be exceedingly rare.

A bit of background is important here: Ganias was an accountant, and in 2003, the government suspected two of his clients of fraud. During the investigation, agents obtained a warrant to search Ganias’s files, including his computers, for data “relating to the business, financial, and accounting operations” of the two targets. Ganias was not suspected of any wrongdoing at the time.  In executing the warrant, the agents made exact copies (“mirror images”) of three hard drives belonging to Ganias, including “wholly unrelated personal files and files of other clients.” Back at the lab, investigators segregated the responsive data from the unresponsive data but kept the original copies. Two years later, investigators asserted that they had “independent probable cause” to believe that Ganias was engaged in tax-related crimes. And as a result, they obtained a second warrant in 2006 to search the mirror images retained from 2003, uncovering evidence that led to Ganias’s conviction.

On appeal, Ganias argued that retention of the mirror images for more than two years, including their caches of nonresponsive data, violated the Fourth Amendment’s prohibition on unreasonable seizures. A unanimous Second Circuit panel agreed, suppressing the evidence from Ganias’s hard drives and vacating his conviction. In an unusual move, the Second Circuit opted to hear the case en banc despite no request from either party. And in yet another twist, the court declined to rule on whether retention of the forensic mirrors violates the Fourth Amendment, ultimately refusing to suppress any evidence based on the “good faith” exception to the exclusionary rule.  But in the process, the court also issued more than twenty pages of dicta on digital searches and seizures designed to influence lower courts “for future cases.”

The majority began by acknowledging the complex issues that arise in the context of digital searches and seizures, including the possibility of modern-day “general warrants” (a point Judge Chin hammered home in his dissent). But the ‘digital is different’ trope cut both ways, according to the court. It said the reasonableness of a search or seizure will turn on careful consideration of the “technological features unique to digital media … features that simply do not exist in the context of paper files.” For example, the court noted that “files” as we know them are not discrete things, but are “fragmented” with metadata “interspersed throughout the medium.” The majority also observed that “deleted” files may remain on a computer’s unallocated space; that the absence of data may be relevant; that it is difficult to preserve data for authentication at trial; and that retaining a complete copy of all data may be necessary to preserve the rights of criminal defendants.

All of this may be true—sometimes, sort of. But considering the forensic tools now available to investigators, there is good reason to conclude that the ‘seize first, search later’ approach should not be the norm. At least in a case like this, not only is it feasible to identify and seize the relevant data on-site, but it may be constitutionally required.

First, had Ganias challenged the scope of the initial search and seizure in 2003, he could have sought to limit the scope the seizure and search to the target client files. After all, Ganias was a third party, not a target of the investigation, so it is difficult to understand why agents would even want to image his hard drives completely instead of just copying the relevant data on-site. Extending this logic, it would have been more reasonable for investigators to identify the responsive client files on-site and copy that data only.

Using write-blocking software and a process like “selective imaging,” not only is it possible to quickly search through large amounts of data on-site, but it is also possible to preserve any responsive data in an efficient and reliable way that allows it to be used later in court. One prominent approach is the use of “digital evidence bags” that allow investigators to safely search and acquire data on-site, together with any relevant metadata, and package it using digital keys designed to assure the data’s provenance for authentication and use at trial.

Second, it is a persistent myth that criminals frequently delete or “hide” incriminating data by changing filenames or extensions. In fact, a review of published opinions involving digital searches and seizures reveals not one instance of a defendant actually taking steps to “hide” data by renaming a file extension. (Plus, it would not work very well. Information about a file type is embedded in the file’s “header”—a part of the file itself—and recognizable by forensic software.) And while it is true that criminals may delete data—just like everyone else—there are only a handful of reported cases where incriminating evidence had intentionally been deleted. An analysis of police data in Australia provides another reference point, finding that just 6% of crimes that usually involve digital forensics actually require techniques like full disk imaging.

The Ganias court appeared to be unaware of these facts and focused instead on the retention of non-responsive data instead of the initial, all-encompassing seizure of the hard drives. But in the process, it mistakenly assumed no practical alternatives to the seizure and retention would address the government’s need to preserve and authenticate digital evidence.

Of course, the court’s search and seizure analysis was dicta, so it may be better to view Ganias as the beginning of a conversation rather than the final word. Going forward, courts should recognize that advances in technology include, among other things, improvements in forensic search and data preservation techniques.

In this light, judges may want to think twice before issuing warrants that authorize the seizure of all electronic data. At the very least, before such a seizure is permitted, specific facts should support a fair probability that incriminating data has been intentionally hidden or deleted. Such an invasive technique should not be permitted as a matter of mere convenience for law enforcement. It should be a rare occurrence, not standard operating procedure.

(Photo: ThinkStock)