• HJ Brehmer

The Consequences of Ganias on Electronic Searches and Seizures

In 2003, the U.S. Army Criminal Investigative Division (CID) launched an investigation into two American government contractors, Industrial Property Management (IPM) and American Boiler, for alleged improper conduct. Later that year, CID obtained and executed a search warrant on the place of business of Steve Ganias, the accountant for both contractors. The warrant authorized the seizure of “all books, records, documents, materials, computer hardware[,] . . . software, and computer associated data relating to business, financial, and account operations of [IPM] and American Boiler . . . .” During the seizure, mirror images were taken of Ganias’ computers. Two and a half months later, CID agents began reviewing the images, segregating data that was authorized by the search warrant from data that was not. Data from the drives revealed potential tax evasion by another individual, motivating CID to share the full images with the IRS, which then conducted another search of the drives. Data reviewed during the IRS investigation revealed that Ganias himself was under-reporting his income by roughly $35,000 in 2002 and 2003. The IRS then obtained a search warrant permitting a search of the non-responsive data from the 2003 CID warrant, allowing the IRS to review Ganias’ personal financial files. In 2008, five years after the initial search warrant on Ganias’ computers, Ganias was found guilty of tax evasion and sentenced to twenty-four months imprisonment.

On September 31, 2015, the U.S. Court of Appeals for the Second Circuit sat en banc to hear oral arguments in the case of United States v. Ganias. The primary question faced by the court is whether the Fourth Amendment authorizes federal agents, during the execution of a search warrant, to seize every file on an electronic device and retain those files indefinitely. Ganias argues that his Fourth Amendment rights were violated when law enforcement indiscriminately seized and retained data non-responsive to the warrant for an unreasonable amount of time. While Ganias claims that the taking of a mirror image is a general search because it seizes data unauthorized by the warrant, he also recognizes the practical difficulties of banning this practice. Therefore, according to Ganias, the Fourth Amendment requires the prompt completion of the off-site review, including either a return or a purging of the files non-responsive to the search warrant. The court’s ruling in this case, regardless of the winning party, will have an impact on the conduct of electronic searches and seizures. Consequently, it is necessary to understand the issues presented by the technology, review the arguments, and explore several simple changes law enforcement can make in order to reduce infringement of Fourth Amendment rights.

When searching and seizing electronic evidence during a criminal investigation, federal agents are instructed to follow a two-stage search. In the first stage, a forensic “mirror image” of the computer hard drive is taken. In the process of taking the image, all directories, files, and metadata are copied from the original hard drive to an alternate drive, including data both responsive and non-responsive to the warrant. Once the hard drive is copied, the copy is analyzed to segregate responsive and non-responsive data. Courts have allowed for the review of non-responsive data up until the point at which it becomes clear that the information no longer falls within the scope of the warrant. In order for an agent to determine the relevance of a document, he or she must be able to cursorily review the document.

The consequences of this case, however, can be separated into two parts: the permissibility of the full mirror image and the retention of seized data. First, the court must address the permissibility of the full forensic image. While many undoubtedly consider the full mirror image to be a seizure beyond what is warranted, it is likely that the government’s case for practicality will win. In both the petitioner and respondent briefs, the parties note that the taking of a mirror image is a practical approach. Federal courts have generally supported the method of seizure used in the case at hand. The court in United States v. Comprehensive Drug Testing found that, due to the sheer volume of data contained by electronic devices, an on-site search of the devices is unreasonable. While the court in Kremen v. United States found the removal of all the contents from a home for an off-site search to be a Fourth Amendment violation, the analogy does not quite work for the search of electronic devices. Unlike the physical papers or materials that are seized from a home, the amount of data contained in an electronic device is essentially unlimited. Due to the sheer quantity of data that would need to be seized, an on-site search of a hard drive would be impractical for law enforcement and overly invasive upon the user.

While the petitioner’s brief concedes the practicality of mirror imaging, it also argues that the off-site search must be limited to a reasonable time period. By first seizing the data and then searching over a period of time, it is as if the search of the user is never-ending. A never-ending search would very clearly be an expansive violation of the user’s Fourth Amendment right. This is Ganias’ primary constitutional argument. In the case at hand, the review of Ganias’ data by CID was not completed until eight months after the initial seizure, meaning that Ganias was consistently searched for eight months. By December 2004, both government agencies had finished reviewing and segregating potentially responsive data. At no point was any non-responsive data returned or purged. Given the ruling of the lower court and persuasive authorities, it is likely that Ganias will win on this point.

In consequence of this ruling, agents and prosecutors alike will be forced to amend their practices to better protect against an overreach of power. One preliminary method by which this can be achieved is to set a time limit for the search. Any data searched outside of the timeframe of the search warrant would then become inadmissible during trial. This would force law enforcement to conduct the warrant within a reasonable time, as well as give users definite knowledge of when the search actually ended. Some magistrate judges have started doing this. In In Re 1406 N. 2nd Avenue, the court permitted law enforcement to review the seized data and ordered that the court cease its search within days of the order. By doing so, all the parties involved knew the exact terms of the game. The user was put on notice of the seizure and the duration for which the search would last. Law enforcement then became aware of their rights and responsibilities in reviewing the data. The right to take all data, both non-responsive and responsive, still stands; however, they are no longer able to search for as long as they see fit.

The question then becomes how the authoritative body issuing the parameters of the warrant determines what is a reasonable amount of time to permit law enforcement to adequately search the drive without infringing on the user’s Fourth Amendment rights. The extent of time given to law enforcement to search the data should be based upon the amount of data the government expects to seize. The quantity of expected data to be seized is a factor of the duration of the crime, involvement in the criminal activity, and number of known devices. It is reasonable that agents and prosecutors be able to derive an approximation of expected data. When determining the timeframe, the technology used for the mirror image and the manpower of the investigative authority should also be taken into consideration. While time limits should be placed on the searches, it is also reasonable to provide law enforcement with a means to extend time if the search is delayed for a legitimate reason, such as a misappropriation of the data collected. This will then allow the court to make a reasonable determination as to what is an appropriate time for the search, such that the user’s Fourth Amendment rights are not infringed and law enforcement is able to conduct a full investigation.

By placing a time limit on searches of mirrored data, judges can keep agents and prosecutors honest and decrease the possibility of violating a user’s Fourth Amendment rights. Had a time limit been placed on the search of the Ganias data, the impact of the search on Ganias would have been reduced. While time limits would constrain the scope of the search, they do not fully resolve the issue of retention. Further analysis of traditional evidence retention policies and storage capacities must be completed. This analysis should keep in mind the consequences of the U.S. government permanently maintaining all search warrant data.