Jeff Welty, Associate Professor, University of North Carolina at Chapel Hill
The U.S. Supreme Court recently observed that digital devices “have become important tools [for] ... criminal enterprises, and can provide valuable incriminating information about dangerous criminals.”1 Law enforcement officers need to know how to obtain that information lawfully, so that it may be used in court. But the rules for digital searches sometimes differ from those for physical searches, and the law regarding digital searches is evolving rapidly. This article is a practical guide to obtaining and executing a valid search warrant for a digital device.2
A warrant is normally required to search a digital device. Under most circumstances, individuals have a reasonable expectation of privacy in the contents of their digital devices, such as cellphones, tablets, and personal computers. Therefore, the Fourth Amendment requires a law enforcement officer to obtain a search warrant before searching such a device, unless an exception to the warrant requirement applies. The U.S. Supreme Court recently eliminated one important exception when it held that a digital device may not be searched incident to arrest.3 Thus, a search warrant will often be necessary to search a suspect’s digital devices.
Establishing Probable Cause
A warrant requires probable cause. In general, probable cause to search a digital device is no different from probable cause to search a physical object or location. But there are several probable cause issues that are unique to digital searches.
Probable cause may be based on an IP address.
Investigators sometimes determine that criminal activity has been conducted through a particular Internet Protocol (IP) address and are able to trace the IP address to a residence, only to learn that the residence has an unsecured wireless network. In such a case, investigators may be unable to rule out the possibility that a neighbor or a passerby, rather than a resident, used the network for criminal purposes. Nonetheless, courts have generally ruled that there is probable cause to search the digital devices at the residence, as residents are the most likely users of the network.4
Probable cause in child pornography cases.
Courts have addressed a number of recurrent issues that arise in child pornography investigations. In general, the following guidelines apply:
- When probable cause is based on a witness having seen child pornography on a suspect’s digital device, the officer who applies for the search warrant should provide an explicit and detailed description of the images or videos seen by the witness.5 Describing the material simply as “child pornography” is conclusory and may leave a judicial official unable to make an independent determination about the nature of the material and the existence of probable cause.
- When probable cause is based on information that a suspect had child pornography on his or her digital devices in the past, an officer with experience in child pornography investigations should explain in the search warrant application that individuals who view child pornography tend to retain it. When presented with such a narrative, courts often recognize that information that a suspect has child pornography on his or her digital devices does not easily become too outdated or “stale” to support a search warrant.
- Where there is evidence that a suspect has had sexual contact with children or has visited non-pornographic websites oriented toward pedophiles, these facts may help to support a finding of probable cause to believe that child pornography will be present on the suspect’s digital devices. However, these facts alone may not be sufficient to provide probable cause.6
Drafting Warrant Applications and Proposed Warrants
Several practices should be followed when drafting search warrant applications and proposed search warrants for digital devices.
Include digital-specific language.
The Fourth Amendment requires that a search warrant describe the place to be searched with particularity. If a warrant identifies a physical location, such as a suspect’s home or office, without specifically mentioning digital devices that may be present, there may be some doubt about the sufficiency of the warrant to authorize the search of the devices. Several courts have ruled that such a warrant is adequate, because a warrant authorizing the search of a particular location for a particular item generally authorizes the search of any container at the location that might reasonably contain the evidence sought, and digital devices are containers for information.7 For example, a warrant authorizing the search of a home for records of drug sales, lists of drug customers, and the like would allow the search of any drawer or box within the home in which the records could reasonably be found—and the search of any computer or cellphone that could contain such records.8 However, a few courts have suggested that digital devices are different and normally may be searched only if specifically permitted by the warrant.9 Therefore, a cautious officer who anticipates needing to examine digital devices should note that fact in the application and provide for it in the proposed warrant. Officers should also seek authorization to seize technical manuals, power cables, and passwords associated with digital devices, as not having these items may make a forensic search more difficult.
Describe the items to be seized in as much detail as reasonably possible.
The Fourth Amendment requires that a warrant describe the items to be seized with particularity. In most cases involving digital devices, the devices themselves are incidental to the true object of the search, which is the information contained on the devices. Thus, a warrant application should describe the files or information sought, not merely the devices, and should do so as specifically as reasonably possible. At a minimum, it should link the material sought to a specific offense. A court may view as overbroad a warrant that authorizes the seizure of all digital devices that belong to a suspect, but is likely to approve of a warrant that authorizes the seizure of all digital devices that belong to the suspect and that could contain evidence of the specific crime under investigation.10 In an appropriate case, the description of the items to be seized could be further tailored by limiting the files to be examined to files created or accessed by a specific user or files created or accessed on or after a specific date.
Include authorization for off-site forensic analysis.
In theory, a suspect’s digital devices could be searched at the location where they are seized. In practice, the massive storage capacity of modern digital devices and the need to use specialized forensic tools to examine them make it more practical to search such devices in a laboratory setting. Therefore, the application should explain that officers plan to seize the digital devices and take them offsite for copying and forensic analysis, and the warrant should authorize this procedure.11 It is a good idea to make clear that this process will be time-consuming. If a defendant later argues that the search was not completed within the jurisdiction’s time limit for execution of a warrant, the warrant application will be evidence that the issuing court was aware of and approved the expected time frame for the examination.
Do not include a search protocol.
Because digital files can be camouflaged or disguised through misleading file names or extensions, it may be necessary to examine every file on a digital device when searching for incriminating material. Officers often use keyword searches, hash value searches, and other automated searching techniques to facilitate this process. An influential Ninth Circuit opinion has suggested that the search protocol that officers plan to use should be described in the warrant application, so that a judicial official may assess whether the search protocol is likely to retrieve only relevant material.12 However, most courts have held that a search protocol need not be included.13 As one court stated, “[i]t is unrealistic to expect a warrant to prospectively restrict the scope of a search by directory, filename or extension or to attempt to structure search methods—that process must remain dynamic.”14 The U.S. Department of Justice advises federal officials not to include any “[l]imitations on search methodologies” in the warrant or application.15 In light of this recommendation and the weight of authority, officers should not include a specific search protocol in a warrant application.
Present the application to an appropriate judicial official.
In most jurisdictions, any judicial official empowered to issue search warrants may issue search warrants for digital devices. However, a cautious officer handling a serious case may prefer to submit a search warrant application concerning a digital device to a judge rather than to a magistrate. In particular, if the officer is seeking a warrant for a new type of device or a new type of digitally stored information, a judge may be better suited than a magistrate to identify possible legal problems with the warrant.
Executing the Warrant
Handle digital devices properly.
Many state crime laboratories provide guidelines on handling digital devices properly during a search. The guidelines often address issues such as whether to leave devices on or turn them off, and whether to shut devices down normally or simply unplug them. Officers who are unfamiliar with searching digital devices should review these guidelines or consult with officers experienced in digital forensics.
Comply with timing requirements.
Most jurisdictions require that search warrants be executed within a specific amount of time, such as “within 48 hours from the time of issuance” or “within a specified time no longer than 14 days.”16 It likely is sufficient if the initial seizure of the digital devices is completed within this time period, even if the subsequent off-site forensic analysis takes longer.17 Concerns about the timing of the search may be reduced by obtaining explicit authorization in the warrant for a laboratory forensic analysis. Still, some courts have criticized extremely long delays in examining digital evidence, so any forensic analysis should be completed promptly.18
Obtain a second warrant when evidence of another crime is found.
When an officer obtains a warrant to search for evidence of one crime, but stumbles on evidence of another, the officer should obtain a second warrant authorizing a search of the device for the second crime. Arguably, this is unnecessary; it is impossible to know what a given file contains without examining it and most courts would allow the officer to search every file on the device for evidence of the first crime, rendering all the evidence of the second crime in plain view. However, one U.S. federal court of appeals has ruled that a warrant is necessary when an officer changes the focus of his or her search of a digital device, and another has called into question the use of the plain view doctrine in searches of digital devices.19 Because the law in this area is unsettled, obtaining a second warrant is prudent.
Dealing with password-protected devices.
Digital devices, especially cellphones, may be password protected. In some cases, officers with training in digital forensics may be able to bypass the password. In other cases, the manufacturer of the operating system may be able to extract some information from the device despite the password. This may require obtaining an additional search warrant to be served on the manufacturer. For example, Apple can extract “SMS, photos, videos, contacts, audio recording, and call history” from locked iPhones, but will do so only pursuant to a search warrant containing the specific language contained in Apple’s law enforcement guidelines.20 However, because password protection may make it more difficult, or even impossible, to access the information on a digital device, officers should (1) seize any papers near the devices that may contain passwords, and (2) attempt to prevent active devices from shutting down or “sleeping” such that entry of a password is required to activate the devices.
Expect technical limitations.
Enormous amounts of information may be extracted from digital devices. For example, cellphones may contain GPS location information, and computers may contain recoverable deleted files. But devices vary, and digital evidence technicians warn that some will bear more fruit than others, depending on storage capacity, operating system, security features, and other factors.
Preparing the Return and Inventory
In most jurisdictions, an officer who executes a search warrant must promptly return the warrant to the court. The officer usually must also provide the court and the person whose property was searched or seized a written inventory of the items seized. Searches of digital devices present several issues regarding returns and inventories.
Make the return after the initial seizure.
Should the warrant be returned after the initial seizure of a suspect’s digital devices, or should it wait until the subsequent forensic analysis is complete? There is little authority on point, but the prevailing practice is to return the warrant after the initial seizure of the suspect’s devices, even if the devices have not yet been subjected to an off-site examination. One justification for this practice is that it provides evidence of compliance with the requirement that a warrant be executed within a particular time period after issuance.
List the devices themselves on the inventory, at least initially.
Another question is whether the inventory should list the devices themselves, or the files and data within the devices. Because an officer generally completes an inventory at the same time he or she returns the warrant, the prevailing practice is to list the digital devices as items seized, making no reference to specific data or files, which often have not been extracted at this juncture. This is probably sufficient, though a cautious officer might file a supplemental inventory listing the data or files seized after the off-site search of the devices. In any event, in most jurisdictions, imperfect compliance with the return and inventory requirements is a technical defect that is unlikely to require the suppression of evidence.21
Special problems arise when searching digital devices that belong to third parties not suspected of any crime; when searching digital devices that contain privileged material, such as devices that belong to attorneys or physicians; and when searching digital devices that belong to the news media, broadly defined.
Jeff Welty is an Associate Professor of Public Law and Government at the University of North Carolina at Chapel Hill. He trains judges, prosecutors, and law enforcement officers in criminal law and procedure.
Today, 90 percent of U.S. adults own a cellphone, and digital devices of all kinds are proliferating.22 Although both the technology and the legal landscape are in flux, it is essential that officers become proficient at using search warrants to obtain digital evidence.
1Riley v. California, 573 U.S. __, 134 S. Ct. 2473, 2493 (2014).
2For more details, see Jeffrey B. Welty, Digital Search and Seizure (UNC School of Government, forthcoming 2015).
3Riley, 573 U.S. at __, 134 S. Ct. at 2485. By its terms, Riley applies only to cellular phones, but its reasoning plainly applies to digital devices more broadly.
4See, e.g., United States v. Vosburgh, 602 F.3d 512, 526 (3d Cir. 2010); United States v. Perez, 484 F.3d 735, 740 (5th Cir. 2007); see also United States v. Thomas, 2012 WL 4892850, *4 (D. Vt. Oct. 15, 2012) (unpublished).
5In the alternative, the officer might attach the material under seal, if the officer has access to the material.
6For case citations on these issues, see Welty, Digital Search and Seizure.
7Wayne R. LaFave, Search and Seizure: A Treatise on the Fourth Amendment, § 4.10(b), 5th ed. (St. Paul, MN: West, 2012); cf. United States v. Ross, 456 U.S. 798 (1982) (expressing a similar rule as to warrantless vehicle searches).
8See, e.g., State v. Gurule, 303 P.3d 838 (N.M. 2013); United States v. Giberson, 527 F.3d 882 (9th Cir. 2008).
9United States v. Payton, 573 F.3d 859 (9th Cir. 2009) (suggesting that computer-specific language normally is required before digital devices may be searched pursuant to a warrant).
10Compare United States v. Galpin, 720 F.3d 436, 446 (2d Cir. 2013) (the court stated that the “particularity requirement assumes even greater importance” with digital searches as “advances in technology… have rendered the computer hard drive akin to a residence in terms of the scope and quantity of private information it may contain”), and Mink v. Knox, 613 F.3d 995, 1011 (10th Cir. 2010), with United States v. Christie, 717 F.3d 1156, 1164-65 (10th Cir. 2013) (noting that application of the “Fourth Amendment’s particularity requirement to computer searches [was] still relatively new” but identifying as a “recognizable line” the notion that warrants lacking a “limiting principle” tend to be invalid, while warrants which are limited in their scope to either evidence of a specific crime or evidence of a particular type of material tend to be valid).
11See United States v. Evers, 669 F.3d 645, 652 (6th Cir. 2012); United States v. Mutschelknaus, 592 F.3d 826 (8th Cir. 2010) (warrant allowing officers 60 days to conduct off-site examination of seized computer was reasonable given the complexity of computer searches); United States v. Grimmett, 439 F.3d 1263, 1269 (10th Cir. 2006). In some jurisdictions, further off-site examination of digital devices is presumptively authorized by rule or statute. See, e.g., Fed. R. Crim. P. 41(e)(2)(B) (stating that “[u]nless otherwise specified, [a] warrant [for digital devices] authorizes a later review of the media or information consistent with the warrant”).
12United States v. Comprehensive Drug Testing, Inc., 621 F.3d 1162, 1179 (9th Cir. 2010) (en banc) (per curiam) (Kozinski, C.J., concurring).
13Evers, 669 F.3d at 653-54; United States v. Cartier, 543 F.3d 442, 447 (8th Cir. 2008); United States v. Khanani, 502 F.3d 1281 (11th Cir. 2007); United States v. Brooks, 427 F.3d 1246, 1251 (10th Cir. 2005).
14United States v. Burgess, 576 F.3d 1078, 1093 (10th Cir. 2009).
15United States Department of Justice, Criminal Division, Computer Crime and Intellectual Property Section, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, 3rd ed. (2009), 79, http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf (accessed September 10, 2014).
16N.C. Gen. Stat. § 15A-248; Fed. R. Crim. P. 41(e)(2)(A)(i).
17Some jurisdictions expressly so provide. See, e.g., Fed. R. Crim. P. 41(e)(2)(B). Even where there is no express provision, a court is likely to allow continued forensic analysis outside the designated time period. See, e.g., United States v. Cameron, 652 F.Supp.2d 74 (D. Me. 2009).
18See, e.g., United States v. Ganias, 755 F.3d 125, 137 (2d Cir. 2014); United States v. Cote, 72 M.J. 41 (C.A.A.F. 2013) (“the Government’s violation of the warrant’s time limits for conducting an off-site search of the seized electronic device constituted more than a ‘de minimis’ violation of the warrant and resulted in an unreasonable search”; court suggests in a footnote that even absent the explicit time limit in the warrant, the Fourth Amendment’s reasonableness requirement may be implicated by such a long delay).
19United States v. Carey, 172 F.3d 1268, 1273 (10th Cir. 1999). But see United States v. Brooks, 427 F.3d 1246, 1251 (10th Cir. 2005); Comprehensive Drug Testing, Inc., 621 F.3d at 1178.
20Apple, Inc., “Legal Process Guidelines: U.S. Law Enforcement,” Apple.com (May 7, 2014), https://www.apple.com/legal/more-resources/law-enforcement (accessed September 8, 2014).
21State v. Nadeau, 1 A.3d 445, 463-64 (Me. 2010); State v. Fruitt, 35 N.C. App. 177 (1978).
22Pew Research Internet Project, “Mobile Technology Fact Sheet,” www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet (accessed September 10, 2014).
Please cite as:
Jeff Welty, “Search Warrants for Digital Devices,” The Police Chief 81 (October 2014): 98–100.