One of the most pressing challenges facing the legal world today is the application of constitutional law to rapidly evolving technology — particularly the application of the Fourth Amendment protection from unreasonable search and seizure to the digital frontier.1 The Fourth Amendment was drafted primarily with physical property in mind,2 to protect against general warrants “not limited in scope and application.”3 When executing warrants today, the standard approach in seizing electronic data is the creation of an identical read-only copy of the computer’s contents called a forensic mirror image.4 However, such evidence collection standards have generated a host of constitutional questions, centering on “how to limit the invasiveness of computer searches to avoid creating the digital equivalent of general searches.”5
Recently, in United States v. Ganias,6 the Second Circuit held that the government’s retention of files outside the scope of a warrant from lawfully imaged hard drives for over two and a half years violated the Fourth Amendment.7 While the reasoning behind this decision seems sound and intuitive when viewed against Fourth Amendment requirements regarding physical property, the opinion raises concerns about the evidentiary chain of custody;8 as a result, the opinion risks creating a “right to deletion,”9 which could unnecessarily complicate criminal prosecutions.
In 2003, the Army launched an investigation into alleged “improper conduct” by an Army contractor, Industrial Property Management (IPM).10 As part of the investigation, the Army obtained a warrant to seize materials from Stavros Ganias, IPM’s accountant.11 The warrant authorized the seizure of all “books, records, documents, materials, computer hardware and software and computer associated data relating to . . . [IPM].”12 When the warrant was executed, the Army’s computer specialists made forensic mirror images of all three of Ganias’s computers.13 “[T]he investigators were careful . . . to review only data” within the scope of the warrant.14 However, they did not purge or delete the files that did not pertain to IPM and that were therefore “non-responsive” to the warrant.15
In late 2004, IRS investigators discovered accounting irregularities in the paper documents from Ganias’s office.16 The government then expanded its investigation of Ganias to include possible tax violations and discovered evidence that Ganias had improperly reported income for his clients, and perhaps for himself.17 The IRS case agent sought to review Ganias’s personal financial records, and although she knew they were stored on the government copies of Ganias’s computers, did not believe she could properly review them as they were outside the scope of the 2003 warrant.18 Ganias and his counsel did not respond to a request to access these files, and subsequently, the government obtained a warrant in April 2006 to search the preserved files of Ganias’s personal financial records from 2003.19
In October 2008, Ganias was indicted by a grand jury for conspiracy and tax evasion.20 In February 2010, Ganias sought to suppress the evidence obtained as a result of the 2006 warrant,21 arguing that the data outside the scope of the 2003 warrant were held for an unreasonable amount of time and should have been returned.22 In April 2010, the U.S. District Court for the District of Connecticut denied the motion on the grounds that the data were seized pursuant to a valid warrant by “means less intrusive to the individual . . . than other means . . . authorized.”23 On April 1, 2011, the jury convicted Ganias on both counts of tax evasion.24 Ganias moved for a new trial on the basis of alleged jury misconduct, but the district court denied the motion25 and later sentenced Ganias to twenty-four months’ imprisonment.26
The Second Circuit reversed the denial of the motion to suppress, vacated Ganias’s conviction, and remanded for further proceedings.27 Writing for the panel, Judge Chin28 framed the question before the court as “whether the Fourth Amendment permits officials executing a warrant for the seizure of particular data on a computer to seize and indefinitely retain every file on that computer for use in future criminal investigations.”29 He answered that it did not.30 The decision rejected each of the government’s five arguments that there was legal authority for its indefinite retention of the computer files nonresponsive to the 2003 warrant. First, the claimed practical necessity of creating hard drive mirror images did “not justify the indefinite retention of non-responsive documents,” and without a warrant for Ganias’s personal records, copies of such records could not be regarded as government property without violating the Fourth Amendment.31 Second, obtaining the 2006 warrant did not cure any defect in searching the wrongfully retained files.32 The opinion analogized the breadth of data obtained from an imaged hard drive to a sweeping seizure of paper documents and determined that allowing retention until probable cause was found would essentially transform every warrant into a general warrant.33 Third, the fact that Ganias had since altered the original files did not justify the government’s actions; Fourth Amendment considerations “embod[y] a judgment that some evidence of criminal activity may be lost for the sake of protecting property and privacy rights.”34 Fourth, in response to the government’s argument that returning or deleting the nonresponsive files would leave the remaining data impossible to authenticate, the court wrote that it was “not convinced that there is no other way to preserve the evidentiary chain of custody.”35 Finally, Ganias’s failure to bring a motion for the return of property did not preclude suppression.36 Thus, finding that the police had violated the Fourth Amendment by searching the retained files and further finding that the exclusionary rule applied, the court held that the lower court erred in denying Ganias’s motion to suppress and vacated his conviction accordingly.37
Judge Hall concurred in part and dissented in part. Judge Hall agreed that the government’s retention of nonresponsive files without some independent basis for an extended period of time was an unreasonable seizure.38 However, he dissented from the portion of the opinion holding that the evidence should be suppressed.39 He found that the government had complied with what little case law existed at the time of the search, and therefore did not act in bad faith.40
While copying computer files is generally viewed as a seizure, courts and scholars have debated the proper procedures that the government should use and the extent of the protections that defendants should be afforded.41 The decision in Ganias highlights some of the difficulties in determining these details. Although the court properly found that Ganias’s Fourth Amendment rights had been violated, the decision failed to appreciate the importance of authentication requirements for electronic evidence. As a result, Ganias may unnecessarily complicate prosecutions by potentially creating a perceived “right to deletion” — a prescription that federal prosecutors must delete files nonresponsive to a warrant sooner rather than later.42 The court could have avoided any potentially burdensome effects of this prescription on the evidentiary authentication process had it issued a more narrow ruling merely suppressing the evidence.
The Ganias court’s opinion properly held that Ganias’s Fourth Amendment rights were violated, and it rightly recognized the importance of the particularity requirement43 in the context of electronic evidence. A hard drive contains detailed personal information including correspondence, lists of associates, web history, and financial information. Forensic investigators can also often recover deleted files as well as use “metadata,” a host of associated data detailing when and how a computer was used, to discover a wealth of additional information and reconstruct the development of a file.44 The opinion reflects the fear that the government could retain a defendant’s files indefinitely, and then much later, when probable cause is finally developed, obtain a search warrant, causing every warrant for specific electronic data to “become, in essence, a general warrant.”45 The court expressed very real concerns that allowing the actions of the government in a case like this would essentially “reduce[] the Fourth Amendment to a form of words.”46
But the court may have gone further than necessary in safeguarding this constitutional interest. The decision in Ganias stated that the government is not authorized to “retain all non-responsive documents indefinitely.”47 This has led some commentators to note that the court created an implied “right to deletion” that has potentially broad implications, particularly in relation to the evidentiary chain of custody.48 Such a reading is supported by sweeping language that appears at times throughout the majority opinion indicating that the retention itself, rather than the specific use of the retained data by the government, may have been an issue for the court.49 Although it is unclear from the opinion exactly when such data must be deleted, the court’s opinion could be read to suggest that nonresponsive data must be deleted sooner rather than later.
However, such a prescription threatens the authentication process. Upon execution of a warrant for electronic data, the government copies the entire hard drive before segregating the responsive files.50 The Ganias court acknowledged this practical reality of electronic forensic analysis, stating that it would be both “impractical” and “unnecessary” for the government not to use off-site analysis via mirror imaging.51 After collecting a hard drive image, the data must be authenticated for it to be admissible under current procedural rules.52 “Hash values,” strings of characters described as “digital fingerprints,” are the best method of verifying that the copied files are identical and unaltered.53 Forensic examiners calculate the hash value of the entire original drive and then compare it to the hash value of the entire image, or copy, they have created.54 Hashing also permits vast quantities of data to be verified efficiently: for example, a hard drive containing 200 gigabytes of information — the equivalent of millions of pages — can be reduced to a hash value that can be printed on two lines of a page.55 This method allows the entire hard drive to be authenticated at the highest standard and guarantees protection from evidence tampering, while only minimally intruding on any defendant’s privacy interest.56
Any alteration to an imaged hard drive, no matter how minor, changes the hash value,57 rendering it useless as a means of proving that the drive’s contents, including responsive files, were not altered at any point. Requiring police to delete all nonresponsive files on a copied hard drive would change the hash value, and, in turn, open the government to a host of challenges on the authenticity of its electronic evidence.58 The Department of Justice manual on these issues describes common challenges to the authenticity of electronic evidence, the most common concern being the possibility of alteration.59 Reliability challenges have been a well-documented issue with electronic evidence since the beginning of its use in criminal proceedings, as electronic evidence is susceptible to error at every stage of processing.60 Whereas hash values can efficiently authenticate digital evidence to what is essentially a certainty, all available alternatives are subject to some sort of vulnerability, and thus, challenges to authenticity.61
Ganias’s potentially burdensome effect could have been avoided entirely if the Second Circuit had issued a narrower opinion more in line with previous decisions.62 In addressing authentication concerns, the court indicated it was “not convinced” there was no other way to authenticate digital evidence, but went on to write that “even if we assumed it were necessary to maintain a complete copy of the hard drive solely to authenticate evidence responsive to the original warrant, that does not provide a basis for using the mirror image for any other purpose.”63 It is precisely this limited purpose that the court could have explicitly reserved, allowing the retention of data to be used for authentication, but not in subsequent searches, as the government attempted in Ganias. Under this rule, the government would have been prohibited from searching the nonresponsive files on its imaged hard drive, including the files sought in the 2006 warrant, and in order to access those files would have needed to seize them directly from Ganias again.
Such an alternative holding is consistent with evidentiary rules and other precedent,64 and would have addressed the court’s concerns about general warrants without compromising the data authentication process. If, in fact, the “right to deletion” becomes the status quo, not only will the government’s burden increase in that nonresponsive files will need to be deleted sooner rather than later, but the government will also face more challenges to the authenticity of its evidence in cases involving electronic data — burdens which simply seem unjustifiably imposed by what could have been a narrower ruling.