Brian Chase: Hello, and welcome to Search and Seizure in the Digital Realm. My name is Brian Chase and I am director of digital forensics at ArcherHall. ArcherHall is a digital forensics company that does work nationwide. We collect data from digital sources such as cell phones, computers, external hard drives, email accounts, cloud accounts, social media data. We collect that data, we analyze it, we testify about it at trial. We also offer e-discovery services where we take that data and we put it in a hosted review platform.
My personal background, I am a licensed attorney in Arizona and New York. I practiced law for about 10 years doing mostly plaintiff personal injury and criminal defense. I've tried cases as an attorney. I've been doing digital forensics work for about eight years, and I've testified about 20 times as an expert witness in digital forensics. In addition to my work at ArcherHall, I also teach at the University of Arizona, James E. Rogers College of Law. I teach a trial skills course there at the law school.
Today's presentation really combines both areas of my background, both the criminal defense work and the digital forensics work. We're going to be talking about fourth and fifth amendment law as it relates to digital evidence. Our course today is based entirely on federal law, on US constitution fourth and fifth amendment. Your state constitution, and your state laws might differ somewhat from the federal level. Be sure that you check your local jurisdiction if you're dealing in state court as opposed to federal court.
But let's get started today by discussing the legal framework. We're going to start by talking about fourth amendment law, going to be talking about that search law on the fourth amendment. When do we have a search when we're talking about digital evidence and when is a warrant required for those searches? So we're going to get into it by starting with US v. Jones, a 2012 decision from the US Supreme Court.
You're probably familiar with Jones but as a recap, Jones was a case where the government installed a GPS tracking device on Mr. Jones' vehicle. They then monitored his vehicle for 30 days. They did this without a warrant. The case went up to the US Supreme Court and the Supreme Court held, Justice Scalia writing for the majority, found that this was a trespass. Installing the GPS device on Mr. Jones' vehicle was a trespass without a warrant and therefore, it was unlawful.
Now in order to raise trespass, the defendant must have standing. They must have an interest in the subject that is being searched. In this case, Mr. Jones actually did not own the vehicle. The vehicle was owned by his girlfriend or his wife, but the government knew that he was the primary driver of it, that's why they were installing the GPS device on this vehicle, because they were trying to track him. So he clearly had standing to challenge this trespass.
Now, when we go to the concurring decisions from Alito and Sotomayor, they looked at this not from a trespass standpoint, but from a reasonable expectation of privacy. And they looked at it at long term versus short term. Short term would not violate somebody's reasonable expectation of privacy. Had they only installed that GPS tracking device for a day, that probably would not violate his reasonable expectation of privacy.
Certainly the government could have put an officer in a vehicle and trailed Mr. Jones for a day. His movement in public like that would not violate his expectation of privacy. But once it moved to long term tracking, then it impinges on the expectation of privacy. Now the court didn't tell us when something moves from short term to long term. They just told us that surely it crossed the line before the four week mark.
When did it cross the line before the four week mark? Well, we don't know, although I will suggest to you that it's potentially at the seven day mark. And we'll see that come up again in a little bit when we talk about Carpenter. So just keep that in mind until we get to Carpenter. But for now, with Jones, all we know is that long term monitoring using the GPS device violated that reasonable expectation of privacy and therefore a warrant was required.
Let's then move on now to Riley. You're probably familiar with Riley, a 2014 Supreme Court decision. And Riley ruled a warrant is required to search a cell phone. In Riley, we had a search incident to arrest. Riley belonged to the Lincoln Park gang of San Diego. In 2009, he had opened fire on a rival gang member driving past them. Shooters then got into Riley's car and drove away. About 20 days later, the police pulled over Riley due to expired license tags.
When they pulled him over, they found guns in the car and they arrested him. In his pocket at the time of arrest was his cell phone. So his cell phone was then seized and searched incident to arrest. He challenged that search of his cell phone. That search goes up to the US Supreme Court. And the US Supreme Court says that cell phones differ in both qualitative and quantitative sense from other objects that might be kept on an arrestee's person like their wallet.
They said a warrant is required to search a cell phone. They analogize it to searching somebody's home. And the amount of data contained in a cell phone is similar to that or exceeds that of what might be in a person's home. If you're on the defense side and you're challenging a search without a warrant, look to the language in Riley. Riley has a lot of language about the privacy interests at play when you're searching a cell phone.
For those of you who might be civil practitioners, Riley also has great language for you. If one side is seeking to compel your client to give up their phone in civil litigation, you might look to Riley and the language contained in Riley with the privacy interest at play in a cell phone search. So Riley then ruled you need a warrant to search somebody's cell phone. But what about other devices that could be found incident to arrest? What about digital cameras?
Somebody could have a digital camera in their pocket when they are arrested. Can that be searched incident to arrest? Well, digital cameras have a lot of data in them. Besides just the pictures you take, there is metadata in those pictures. It says when those pictures were taken. If that camera has GPS in it, it says where those pictures were taken.
There can be a lot of data stored within a digital camera. And courts are split whether a warrant is required for that or not. North Carolina ruled that Riley applied to GPS devices. So if you had a handheld GPS device like the TomTom and you had that in your pocket, Riley applies, a warrant is required. On key fobs, courts really haven't come to an agreement yet. So a key fob, you might think, "Well, why would somebody search that? I use it to lock or unlock my car."
Well, there can be a lot of data stored on a key fob. There are law enforcement agencies that have taken those key fobs, brought them over to the dealership and asked that the dealership download the data from the key fob. It can have information about the last trip or trips of the vehicle, fuel levels, all sorts of data can be stored on those key fobs. So is a warrant required for that? Chances are it was going to be in somebody's pocket if they're arrested while driving.
So is that a search incident to arrest or does that differ in quantitative and qualitative sense from other objects and would Riley apply? There is no clear case law on this yet. Certainly if you are a criminal defense attorney and your client has their key fob searched incident to arrest, you might have a good argument for saying that a warrant is required. Now, Riley didn't change anything when it comes to the warrant exceptions, things like exigency, probationer, parolee exceptions or border searches.
In fact, you'll even find language in Riley talking about exigent circumstances and when law enforcement would not need a warrant. Those general exceptions to the warrant requirement still apply when it comes to cell phones. Riley didn't change anything when it comes to the exceptions to the warrant requirement.
Certainly if you've got somebody who's on probation or parole, their phones can be searched while they're on probation or parole. Border searches. If you're crossing the border, those phones and devices can be searched at the border. Now that is an active area of litigation. So at least at the time of this recording, those things can still be searched at the border. But be sure to check updated case law. This is being challenged in many jurisdictions right now.
So keep an eye out for changes in border searches from the appellate courts in the coming years as attorneys continue to challenge this exception as it relates to digital evidence. So if a warrant is required, then what about the particularity requirement? Riley doesn't say anything about the particularity requirement, but you would think if a warrant is required, then they would also have to comply with the particularity requirement. And there are some cases that talk about this.
There are several cases at the district court level that have said, "Look, you can't just search an entire cell phone. That's too broad. You've got to specify what it is you're searching for." Meaning you have to have probable cause for what you're searching for and you can't just go get everything off the cell phone. Now this is again, another area of active litigation.
Many of the warrants out there are for searching the entire cell phone. But some district courts are saying that's too broad, it doesn't comply with the particularity requirement. However, the sixth circuit has said, "Look, the warrants have to be broad." Because law enforcement doesn't necessarily know what they're looking for at the time of the search or really where it's going to be, or in what format. Is it going to be text messages or could there be screenshots of text messages?
And therefore, what they're looking for is actually in the images section of the phone and not within the text messages. So US v. Bass says a warrant that's for the entire cell phone is fine, that there are a number of things law enforcement's going to need to look for when searching the entire phone. And so if you're in the sixth circuit, US v. Bass says law enforcement can search the entire phone. If you're not in the sixth circuit, well then there's no appellate case law yet on whether or not that particularity requirement is going to apply for cell phones.
There was one case that I was part of here in Arizona where the defense attorney was challenging the search of his client's phone. The government had probable cause to believe that there were text messages from after the incident. Because the person he was texting told law enforcement that he had received text messages from the defendant but that he had deleted them. So law enforcement got a warrant for the defendant's entire phone.
They searched his entire phone and found relevant text messages from before the incident and the government wanted to use those at trial. The defense attorney challenged it saying, "Look, there was only probable cause to believe that there were text messages after the incident. And the particularity requirement would say that then you only get to search for those text messages."
So the government argued, "Well, one, US v. Bass, but we're not in the sixth circuit, we're in the ninth circuit." But they also argued the plain view. They said, "Look, law enforcement, when they're downloading a cell phone, has to download the entire contents of the cell phone," which is true. Forensic tools like Cellebrite don't provide a way to limit the download by a date range, also true. But what they left out was that there are ways to limit the reporting of the data.
While the forensic tools will download all of the data or at least all of the data that they can download, they can limit the reporting of that data. And this is what the defense argued. So when we download the data, we get it in a view like this. This is Cellebrite, a program called Physical Analyzer. It's how we, as forensic examiners, see the data. We can also produce the data in this same format in what we call the UFED reader format.
You might have seen them if you've worked on cell phone forensics cases before. When you're looking at the screen, what's in plain view? Can you see any content? Do you see any text messages? No. So the argument the defense made was, "Look, when you download the data, this is the view you get it in." Nothing in this view is plain view. It tells you the amounts of data, but it doesn't tell you what data is there or the content of any of the data.
For example, we can see next to SMS messages, there's 2571 on messages, but we don't see the content of them from this screen. And if the government was going to limit the scope of their warrant, they could do that. If you look in the top right corner, you'll see a button that says generate report. And when they click that button, they'll get a screen that allows them to generate a report. And now you can see some of the ways this data can be filtered.
They can do it by a date range so they can set the date range. So in that case, they could have set the range from the date of the incident to present because they knew they had probable cause for text messages after the incident, well basically the date of the incident to the time they seized the phone so they could have limited it there.
They also only knew about text messages so they could have limited the data types. They could have selected just MMS and SMS messages, those are our text messages and they could have excluded the other data and then they can generate the report with just that data. There's many ways to limit the types of data when you're dealing with digital evidence. There can be keyword searches, file types, file size, date ranges.
So the question becomes, does there need to be some sort of search protocol? If you're dealing in state court, you probably haven't come across search protocols very often, more common in federal court. They're not always needed, but it's a way where one examiner can use these protocols, generate a report for the case agent or whoever's going to be using it in the case. That way, the case agent only gets to see the data that they were authorized to see under the warrant.
So as this issue continues to get litigated, you might see search protocols as a possible solution to get the data that you have probable cause for complying with that particularity requirement while also dealing with the limitations of the forensic tools, that when we're collecting data, downloading data from a cell phone, we've got to download the entire phone.
We can't just run those keywords and only collect specific text messages or specific results that are responsive to those keywords. We've got to download everything, then we can filter it and report on just certain types of data. Let's move now to the third party doctrine. When we're talking about digital evidence, a lot of our digital evidence is stored with third parties. And the third party doctrine was established in the 1970s long before any of this digital evidence existed.
The third party doctrine comes from two cases out of the seventies, US v. Miller and Smith v. Maryland. In Miller, it was checks written going back to the bank where law enforcement obtained those without a warrant and in Smith v. Maryland, it was the phone numbers dialed. In both cases, the court said you have no expectation of privacy in data you're giving over to a third party.
These two cases together, Miller and Smith, equal the third party doctrine, where there's no reasonable expectation of privacy in information knowingly and voluntarily revealed to third parties. Now these cases come from the 1970s, but this law, this doctrine still exists today. But think about all of the data we are turning over to third parties. We use so many third party providers nowadays for our digital evidence.
Think about things like Dropbox, Snapchat, Google, Instagram, Facebook, Twitter, all of these, we are giving our data to. Now there's a law, the Electronic Communications Privacy Act, and the subsection of that law called the Stored Communications Act. And this law says that law enforcement is allowed to access this data without a warrant. They do need a court order under this law, but they do not need a warrant.
Those of you who have practiced in federal court have probably seen the 2703(d) order, that's coming from the US code, the citation there. That law says that they can get this data, they just have to go seek that order. But then we had Carpenter come along. And Carpenter was dealing with cell site location information. This is the cell towers or cell sites that your phone communicates with. And in Carpenter, what happened is there was this group of people robbing T-Mobiles and RadioShacks.
The law enforcement arrested some of the people involved, one of them gave up Carpenter's name and phone number. So law enforcement then obtained 127 days worth of his historical cell site location information. That means law enforcement for those 127 days can figure out generally where Carpenter was. They couldn't get a precise location. It's not like GPS where they can pinpoint it within feet. This gives us a general location.
But they were able to track his location for 127 days. And when they did that, they saw that Carpenter's phone was near the locations of all of these robberies of the T-Mobile and RadioShack stores. They obtained this data using that Stored Communications Act, that subsection of the Electronic Communications Privacy Act. So they obtained this data without a warrant. But Carpenter challenged that, challenged them obtaining this data without a warrant.
And so it went up to the Supreme Court and the Supreme Court decided that a warrant is required for this kind of data, at least for more than seven days. When I mentioned earlier we were talking about Jones and that seven day mark between short term tracking and long term tracking, here's where I was getting it from. Now, if you go reading Carpenter and looking for this seven day requirement, it is in a footnote, I believe it's footnote two.
But it says, it suggests that anything more than seven days requires a warrant. It does not say that less than seven days does not require a warrant. It's still going to be a case by case determination. But what's critical in Carpenter is that they declined to apply the third party doctrine saying CSLI, cell site location information, is an entirely different species of business record. It is not like the phone numbers dialed or our checks written, it's an entirely different species.
And in Carpenter, the court says, "Look, you don't have to opt out of modern society in order to be protected by the fourth amendment." So Carpenter really calls into question how much the third party doctrine applies to some of our modern digital evidence. Because if cell site location information, basically just having your cell phone on, making phone calls, generating location data, if that, if the third party doctrine doesn't apply to that data, then what else doesn't it apply to?
So some of the challenges after Carpenter become there are various types of location tracking cases, things like using historical tower dumps, E911 tracking or stingray tracking. So historical tower dumps. This is where law enforcement goes to a carrier, Verizon, T-Mobile, AT&T and they say, "We want you to tell us all of the phones that were connected to this cell tower at this date and time."
And so Verizon or AT&T, whoever it is, they produce a list and say, "Here you go, law enforcement. Here's all of the phones connected to this tower." Now that's less than seven days of data. It's only for one tower, maybe they use a few towers in that application. But do they need a warrant for that? The Stored Communications Act would suggest that they do not need a warrant for that. But what about Carpenter? Is that still an entirely different species of business record? Does that require a warrant?
They know they're going to be getting information about phones who have nothing to do with the crime involved that are merely in the area of that tower and therefore connected to the tower. How about E911 tracking? And E911 tracking, this is where law enforcement goes to Verizon, or T-Mobile, goes to these carriers again and says, "We want you to actively track this phone. We want to know where this phone's moving to." And the carrier activates the E911 system in the phone. That's the system that gets used when you call 911 so law enforcement knows where you are.
And so then they provide that E911 location data to law enforcement. Now does that require a warrant? Well, right now that question might be up in the air. However, I think this is an issue we might not have to deal with because the carriers themselves are normally going to require a warrant or some sort of assertion of exigency saying yeah, we... requiring law enforcement to assert that exigency applies in that case.
Absent those two situations, a warrant or exigency, I have not seen a carrier do this kind of tracking. So if you see that without a warrant and without exigency, certainly Carpenter and Jones might give you some grounds to challenge that data. Now, stingrays are these devices that act like cell towers. They trick your phone into connecting to the device because your phone thinks it's a cell tower. But in reality, it's a device being operated by law enforcement in order to capture the serial numbers of the phones nearby.
Law enforcement might put one of these devices in a vehicle outside an apartment building to see if the phone they're looking for is in that building. Now, does that require a warrant? Well, it's limited, it's short term monitoring. They're probably only doing it for a few hours as they're parked in front of that building. So Carpenter, at least under Carpenter, it's short term, it's less than seven days.
Carpenter doesn't say a warrant's not required so we don't know. Jones, that's certainly short term monitoring. So maybe this requires a warrant, maybe it doesn't. We don't yet have clear case law on that point. Now Carpenter raises a question about what about other kinds of data? What else about all of our other data that we're giving to third parties besides location data, our online accounts like social media?
So lower courts are saying that a warrant is required to obtain a lot of this data. Things like email or social media. What about bank records? We had the case saying, well, those checks, again, we have no expectation of privacy in those. But modern bank records have a lot more data in them. Do you have a bank app on your phone, the Wells Fargo app, the Bank of America, Chase Bank. How much data do you think that app is tracking about you? Is that covered by Carpenter?
Is that going to be an entirely different species of business record and thus not subject to the third party doctrine? Or is it third party doctrine data and law enforcement does not need a warrant? We don't know. These are active areas of litigation after Carpenter. Carpenter's a 2018 decision so there's going to be the effects of Carpenter for many years to come as these issues continue to get litigated. What about smart devices, your Amazon Alexa, your Nest thermostat, your Philips Hue light bulbs?
Well, in one case, a smart water meter that measured water... Or sorry, electric meter, not water meter, electric meter that measured electricity usage in 15 minute intervals. Well, the court here in the seventh circuit said a warrant is required for that. Now that's data that's certainly going to the power company. And in fact, that was probably a device installed by the power company, this electricity meter.
So you would think, "Well, that would be clear third party data." That's data that the electric company is gathering about your electricity usage in order to bill you. You know you're giving that data over to a third party. But the seventh circuit after Carpenter, they in fact cite Carpenter and this 2018 decision says, no, a warrant is required to get this kind of data.
So then the question becomes, if a warrant is required to get this kind of data after Carpenter, what about the particularity requirement? We're right back where we were with Riley. What about that particularity requirement? Well, we have US v. Blake in the 11th circuit. And in this case, the court says you can't just go get an entire account. You've got to be particular about the categories of data. You don't get the whole account.
So you can't go to Facebook and say, "Give me this person's entire Facebook account or entire Google account." Many people have had these services for more than a decade now. Well, just because somebody is suspected of being involved in a crime or there might be data on their Facebook account or their Google account that might relate to that crime, doesn't mean you get a decade worth of data. You've got to eliminate, you've got to apply that particularity requirement, you can only get certain categories or time ranges of data.
So if you start seeing warrants for entire social media accounts or entire email accounts, US v. Blake and Carpenter would suggest that that is too broad. It has to comply with the particularity requirement. So now we have three major cases all moving in the defense field, all pointing towards the need for a warrant, Jones, Riley, Carpenter. It's a pretty significant movement when it comes to digital evidence in favor of privacy and warrant requirements.
Now we're going to continue to see litigation based on these three cases and the cases that have come about in response to those. This area of law is going to keep developing. As we get more and more case law, this can be more and more difficult to figure out what are the warrant requirements. If you're on the law enforcement side, the easy answer is just go get a warrant. Better to be safe than sorry, get that warrant, make sure that that data will not be challenged because you didn't have a warrant.
And if you're on the defense side, this is a great opportunity to challenge the collection of data without a warrant, Jones, Riley, Carpenter, all in the defense favor, all requiring a warrant, all protecting user privacy. So if you're dealing with new types of data, other online data, online accounts, all of these cases suggest a warrant should be required and there's the arguments that not just do you need a warrant, but that warrant has to be particularized to what you have got probable cause for.
You can't just go get an entire account or an entire cell phone. So that warrant should be limited so as not to infringe too far on somebody's privacy. We have more law now pointing towards the privacy protections of the fourth amendment. So now let's switch gears and talk about the fifth amendment. So the fifth amendment, how does that relate to digital evidence? So the fifth amendment generally comes into play when we're talking about unlocking phones or providing passwords.
The fifth amendment provides an individual with protection against being compelled in any criminal case to be a witness against himself. The term witness has then been limited... limits the relevant category of communications to those that are testimonial in nature, I mean you can't be forced to provide testimony against yourself. So the issue when it comes to passwords is, is compelling a password testimonial? What about compelling a fingerprint or face ID? Are these testimonial in nature?
Well, there's case law that deals to some extent with passwords. The expression of the contents of an individual's mind falls squarely within the protections of the fifth amendment, meaning you can't compel somebody to give up something that's in their mind. That's fifth amendment protection. So compelled testimony that communicates information that may lead to incriminating evidence is privileged even if the information itself is not inculpatory.
So courts that have addressed the password issue have found that a passcode cannot be compelled under the fifth amendment because the act of communicating the password is testimonial. So nearly every court that has looked at this issue has said a password is protected by the fifth amendment. You cannot compel somebody to give up their password. So if that phone is locked by a pin or passcode, well, you can't compel them to give up that pin or passcode.
Now what about when it comes to fingerprints? You can unlock phones nowadays using your fingerprint or your face ID. And we know police can compel other things such as blood samples, voice exemplars, handwriting exemplars, standing in the lineup. Police can do all of this without violating the fifth amendment. The eighth circuit has held that fingerprints are non testimonial. However, one court said that producing a fingerprint can communicate possession or control of a device.
So this court said, "Well, look, if you tell the defendant they need to unlock their phone by using their fingerprint, then the defendant must select a finger. And by doing so, they are communicating that they know which finger unlocks that phone and are therefore communicating that they have possession and control of that device because they know which of their fingers unlocks it."
So that court said, "Look, if law enforcement selects which finger to use, instead of making the individual do it, then nothing's communicated." So if law enforcement takes each one of the defendant's five fingers and maybe they do all 10 fingers in both hands, well, that's fine, that's not communicating anything because law enforcement is selecting. But if you make the defendant select which fingerprint, well, then it's communicating something and protected by the fifth amendment.
Now that's kind of an odd way of going about it but to some extent makes sense. One of these methods has some testimonial nature, it's communicating something by selecting the fingerprint. Whereas the other method with law enforcement picking, there's nothing communicated and therefore you're not requiring the defendant to give up something that's in their mind. There's some courts that have looked at this issue and have said that compelling a fingerprint is different than compelling a fingerprint to compare it to somebody's fingerprint found on scene, is materially different to have somebody unlock a cell phone than it would be to have them give up their fingerprint to compare it to fingerprints at a scene.
And one court said, look, it's no different than using a password to unlock the device and therefore it's protected by the fifth amendment. Now this one is a little interesting here, because that court is looking at the end result. The end result being the phone is unlocked. But fifth amendment isn't about protecting the end result, it's about protecting somebody from being compelled to be a witness against themselves.
One judge I've heard talk about this issue said that he has a hard time finding how the fifth amendment could possibly protect in this area. His feeling was, "Look, if law enforcement can get this data, when somebody is unconscious, then how could the fifth amendment possibly apply?" Makes a lot of sense. If you're unconscious, how can the fifth amendment apply? Because the fifth amendment is protecting... is a privilege against you having to communicate something, be a witness against yourself. And if you're unconscious, how could you possibly be protecting the contents of somebody's mind?
So he said, "Look, the fifth amendment can't apply to a fingerprint or face ID because when you're using a fingerprint or face ID, that could be done while the person is unconscious and therefore, it doesn't make any sense." Now how much is this issue going to matter going forward? Well, it's yet to be determined.
However, in order to download data off of a phone, more and more you need the password, not just the fingerprint. Because in order to get the forensic tools to work with the phone, you often have to change settings on the device and those settings require that you enter the phone's pin or passcode. So ultimately is this issue going to continue to matter in the future? Well, we'll see.
Certainly with a fingerprint, they can unlock the phone and view the contents, but they might not be able to get a forensic download without the pin or passcode. And of course, law enforcement also has the ability to bypass the password in some devices, meaning that they'll never need the pin or passcode because they can get past it using some of their forensic tools. So this issue is being actively litigated now, but is it going to continue to matter in the future? Well, we'll have to wait and see.
Now you may have seen news stories where the news has reported that some court has ruled that a defendant has to give up their pin or passcode, seen many states have these kind of decisions and the news article reportings say, "Massachusetts now requires defendants to give up their pin or passcode or the fifth amendment doesn't apply." Every time I see one of these news stories, I go and I look at the case.
And every single time I have done this, the headline got it wrong. That is not what the court was saying. In each one of these cases, the court was applying the foregone conclusion exception. The foregone conclusion exception comes from Fisher in the 1970s. When this applies is when the government knows the existence of the evidence that they're going to get. When the government knows the existence of the evidence, no constitutional rights are touched.
The question is not of testimony but of surrender. So for the foregone conclusion exception to apply, three things must be present. The government must establish its knowledge of the existence of the evidence demanded, possession or control of that evidence by the defendant and the authenticity of the evidence. If law enforcement, the government, the prosecution can establish these three things, then the foregone conclusion exception applies, and the defendant can be ordered to turn over their password.
Every single one of the cases I have seen in the news where the news article says that some state has ordered the fifth amendment doesn't apply, then a defendant or a suspect has to turn over their pin or passcode to a device. It is because the court applied the foregone conclusion exception. So let me give you a modern day example of this. In this case, I believe this came out of the third circuit if I'm remembering correctly.
There was an encrypted external hard drive and a witness testified that there was child pornography on that external hard drive and law enforcement had seized the defendant's computer. And they can tell from looking at the defendant's computer that this encrypted external hard drive had been previously connected to the defendant's computer. And the defendant had provided the password to an iPhone that had also been connected to the computer.
So in this situation, the prosecution sought for the defendant to turn over his password, his third circuit, turn over his password. And the third circuit found that the foregone conclusion exception applied because the witness knew that there was child pornography on this hard drive so they knew what was on the hard drive. They knew the possession and control of the drive by the defendant because it had been plugged into his computer. And the authenticity wasn't an issue because it was the defendant's external hard drive that had been plugged into his computer.
Additionally, when questioned by law enforcement, when he was asked to give up the password, he said, "I'm not going to do that, we both know what you're going to find." So more evidence that we knew what was on the external hard drive and we knew the defendant knew the password to that device. In this case, the defendant was actually held in jail on contempt for refusing to give up his password while this case made its way to the third circuit.
So this is an example of the modern day application of the foregone conclusion rule. So when you have this foregone conclusion, then a court can order a pin, password to be disclosed. Without the foregone conclusion, I've yet to see any case that says a pin or password can be compelled. But fingerprint, face ID still could potentially be compelled. And that might be enough to allow law enforcement to at least look at the data on the device even if they can't get a forensic download of the data.
Now, in some cases, a court has ruled that just powering up the phone and looking at the phone's lock screen constitutes a search. So keep in mind that they first are going to need that warrant for the device to know how the device can even be unlocked. Because if they're going to the court saying, "Well, we want to compel a thing, fingerprint or face ID. How do they know that the phone can be unlocked with a fingerprint or a face ID?"
So keep in mind the steps that have to exist first before going to the court to ask to be able to compel somebody to give up their fingerprint, face ID or password. They're going to need a warrant for that device before they can even look at it. That's what Riley tells us and there's been case law since then further developing the rules and the bounds of Riley. So all of that brings us to good faith in the exclusionary rule. What happens if law enforcement acts without a warrant? Does the evidence get excluded?
So the question becomes whether the officer is acting consistent with precedent and where that precedent is coming from. So if it's within the same courts system, they need to be acting on that precedent. So if they're acting consistent with the existing case law, then their actions are not subject to the exclusionary rule. So meaning if we've got a case where the officer's following the case law, but now in this particular case, the appellate court rules no, we need more.
They need a warrant, they need to comply with particularity requirement. Well, the officer at the time was acting with binding case law and therefore the actions are not subject to the exclusionary rule. Now be careful when you're looking at good faith in the exclusionary rule. Check your local jurisdiction because these can vary quite a lot from jurisdiction to jurisdiction.
So what happens if the officer is in the same jurisdiction, but there's state court precedent. So maybe they're in federal court, but there's state court precedent on point. Well, courts disagree on whether the exclusionary rule should apply or not when dealing with things like that. So this is where things can get pretty tricky. Does the evidence get excluded or not if the officers in maybe federal court were dealing in federal court, but there's a state court jurisdiction or a precedent.
Now generally, if you're in state court and there's federal court precedent and the federal court is applying fourth and fifth amendment law, well, that's probably going to be subject to the exclusionary rule because at a baseline, we have to follow the US constitution. So that's where we get into things like Supreme Court precedent. Courts splinter over whether older Supreme Court cases not directly on point can trigger the good faith exception or whether Davis's on point precedent rule is the only way to trigger the exception.
So if we're dealing with something that's an older case, it's not directly on point but it's analogous, well, does that trigger exclusionary rule or not? Davis says it needs to be on point precedent. But what if it's not directly on point, makes it a little more difficult to tell. In US v. Robinson, the court finds Davis expressly limited binding as opposed to generally accepted authority and to precedent that specifically authorizes a particular police practice.
And in US v. Johnson, they held that suppression is the appropriate remedy when an officer makes a mistake absent a third party directive concerning an unsettled issue of law. So again, check your local jurisdiction when you're dealing in state court, applying the exclusionary rule can be a little difficult when you're not dealing with something that's directly on point.
As we get here towards a wrap up, I want to end a little bit by talking about why some of these rules are in place and particularly for those of you who are in criminal defense, who are there challenging law enforcement gathering of this evidence. I think this particular quote from Tim Cook is of interest. Tim Cook wrote if we accept as normal and unavoidable that everything in our lives can be aggregated, sold, or even leaked in the event of a hack, then we lose so much more than data, we lose the freedom to be human.
Think about what's at stake, everything you write, everything you say, every topic of curiosity, every stray thought, every impulsive purchase, every moment of frustration or weakness, every gripe or complaint, every secret shared in confidence. In a world without digital privacy, even if you have done nothing wrong, other than think differently. You begin to censor yourself, not entirely at first, just a little, bit by bit, to risk less, to hope less, to imagine less, to dare less, to create less, to try less, to talk less, to think less.
The chilling effect of digital surveillance is profound and it touches everything. I think we should keep Tim Cook's words in mind when defense attorneys, we as defense attorneys are challenging this kind of evidence. We're not just dealing with that defendant in front of us. We're creating the rules that govern privacy for all Americans. And if you're on the law enforcement side, I think you should also keep Tim Cook's words in mind as well. The simple answer, just get a warrant. It's going to make everything easier.
So as we kind of look back over the cases we've just talked about over the last hour, think about when the warrants are going to be required. More and more warrants are required when dealing with digital evidence. And Carpenter leaves open a lot of questions about data stored with third parties. And that's a big question because more and more our data is not stored locally on our cell phone or on our computer, but it's stored in the cloud, our emails, things like Dropbox with all of our documents or Office 365.
Many of you might be using cloud hosted case management systems, things like Clio, MyCase, Amicus Cloud, all of these systems have our data up in the cloud. So when thinking about the effects of Carpenter, think about your own data. How much of your data is up in the cloud? And is that data, it's data you knowingly and voluntarily turned over to a third party, is that subject to collection without a warrant by law enforcement?
If we think about the devices in our home, all of the smart devices that you might have, your Amazon Alexa, or your Google Home, or your Apple HomePod, or maybe you're talking about your Philips Hue light bulbs, your smart sprinkler system, your garage door opener, your Ring video cameras, all of these home, IoT, internet of things devices are storing data in the cloud. Is that data subject to collection without a warrant, or does Carpenter require a warrant? What about wearable devices, things like Fitbits, Apple Watches.
These are storing all sorts of data about us, our heart rate, our steps, our sleeping behavior. Is this data subject to collection without a warrant? And if a warrant is required because of something like Carpenter, well then, can they get the entire account or can they only get what they have probable cause for? Does that particularity requirement apply? But then the problems might come if the particularity requirement applies and only a sliver of data is collected, how do we know what that data really means?
Without the context, let's say it's that Fitbit data and they collect the data from the date of the crime and law enforcement says, "Look at this Fitbit data. This heart rate is elevated at the time of the crime." And yet maybe that's because that Fitbit user exercises every day at that time. Without the context of additional data, we don't see that we're only looking at a sliver of the data.
So these rules have really huge implications when dealing with this evidence in our case. There are times where we want to protect the user's privacy, challenge those warrants, challenge the particularity requirement and say, "Look, law enforcement's getting too broad, they're getting too much data." But at the same time, if we narrow it too much, if we bring that scope in and say, "We only get data from this day or these couple of days," then we might lose the context of what that data means, and it might make interpreting that data more difficult, or it might lead us to incorrect conclusions.
These rules have no simple answers. When we're applying the fourth and fifth amendment, we're thinking generally about privacy, a reasonable expectation of privacy about protecting individuals against being a witness against themselves. But on the flip side of that, if we go too far, we make it more difficult to collect data. And when that data is without context, it can lead to improper conclusions.
These are difficult issues. We're going to continue to face these issues over the coming years as we get new types of data, new devices that we're going to carry around with us or install in our homes, our vehicles, our offices. The amount of data that is being generated every day is staggering. And then the questions become how can law enforcement legally obtain that data and how do we protect the privacy of Americans who are generating that data?
Continue to monitor both federal and state court case law as these issues continue to develop. And if you work every day in the criminal justice system, think about these issues. When looking at your cases, if you're advising law enforcement, talk to them about when they might need a warrant and how tailored that warrant needs to be. And on the defense side, think about when you should be challenging a warrant or a lack of a warrant about law enforcement obtaining this data or obtaining too much data without sufficient probable cause.
Thank you for attending this presentation. I certainly hope you learn something from this, you take something away from it. Again, my name is Brian Chase. I'm director of digital forensics at ArcherHall. Always feel free to reach out to us at www.archerhall.com or email me at Bchase, that's B-C-H-A-S-E.archerhall.com. Would be happy to talk to you about your case, or if you want to discuss some of these issues. Feel free to reach out, I'd be happy to talk to you. Thanks for taking the time to attend this presentation and have a great day.
I'd like to wrap up by talking about some of the common questions I get when I deliver this presentation. The first one is what about warrants for imaging or downloading cell phones that also list cloud accounts? One of the features of Cellebrite is that when you download a cell phone, Cellebrite will automatically recognize cloud accounts such as Facebook or Dropbox that are connected to the phone. And if the credentials or access tokens are stored on the phone, Cellebrite can directly access those cloud accounts and download the data.
I think there's nothing particularly wrong with this kind of warrant, so long as it is narrowly tailored and they have probable cause for the things they're searching. So if their warrant says that they get to look for all communications between January 1st and January 15th and they download that cell phone and they see that there's a Facebook Messenger account that they can access, they could download that Facebook Messenger data and also pull out the data from January 1st to January 15th.
If the warrant authorizes it, it should be okay. But there should be probable cause for what they're getting from that cloud account and it should be narrowly tailored to focus on what it is that they have probable cause for. They still can't go get that entire cloud account just because the password or the access token is stored on the phone. Now people who have been doing forensics for a while might ask about warrants for computers.
Warrants for computers are generally for the entire computer. They're not going to be focused in on a particular area, such as communications. There's a few reasons for this. One is essentially technical impossibility. The way that computers store data is very different than the way cell phones store data. And while you could set up search protocols in a computer case so that one person does the examination, they look at just documents or they pull out documents, and then they give those to another person, in general, it's much harder in a computer case to focus in on say a certain date range or a certain category of data than it is on a cell phone.
For computers, you have to image the entire hard drive, you make a forensic duplicate of it. And data can be all over the place. You could be looking for deleted data, you could be looking for system files or log files, operating system files that might give insight as to what a user was doing on the device. You might be looking for communications, but those could be done through the browser, as well as through apps on the computer. They could be saved as PDF files on the computer.
So it's a lot harder to particularize a warrant for a computer and there's case law that suggests that law enforcement does not have to do that. However, most of that case law predates things like Carpenter. So while there might still be areas for challenge, generally speaking, computer warrants are going to function fairly differently than a warrant for a cell phone.
The last question I get a lot from defense attorneys is what to do if they want to get their client's data off of their client's cell phone but the cell phone is in law enforcement's possession and law enforcement has not been able to unlock the phone because there's a password on it and that's protected by the fifth amendment. How can you then get your client's data? Well, I've seen this come up several times.
Usually there's going to be some negotiation here with the prosecutor. In prior cases, what has happened is the prosecutor has released the phone or allowed a forensic examiner from the defense to go image the phone at law enforcement's offices. That examiner's provided with the password from the defendant, they unlock the phone, they conduct their examination, they lock the phone, they hand the phone back to law enforcement.
So now the defense has their client's data, law enforcement still has the phone, and if they're ever able to get the password they can get in. But if you as the defense attorney have this data and you want to use it at trial, you're going to have to disclose it. So usually the agreements that get put in place are in some sort of agreement as to what data will get disclosed to the prosecution if the prosecution's giving the defense access to the phone.
In most of the cases where I've seen this come up, both sides have come to some sort of mutual agreement about the data on the phone and allowing the defense examiner access. In a very small number of cases I've seen defense attorneys go to the judge and file a motion asking that their defense investigator be allowed to image that phone and return it to law enforcement. Law enforcement still can't get around that fifth amendment protection.
There's no fifth amendment issue when it is the defense's own expert getting the data, but of course the defense still has some disclosure obligations. So you work with the prosecutor on that. There are ways to deal with those situations. And once you get an image of that phone, then you can decide what you want to do with that data. Those are the common questions that I see most often from this presentation. I'm always happy to answer more questions. So if you have more, always feel free to reach out to me and I'll be happy to provide any answers that I can to assist you with your matter. Thank you.