State Court: Nothing 'Stale' About Evidence Nearly A Quarter-Century Old
from the kind-of-puts-a-new-wrinkle-in-'evidence-preservation'-obligations dept
The digital era has redefined evidence "staleness." The evidence that law enforcement often claims needs to be grabbed quickly (and, often, violently) to save it from destruction is the same evidence that could conceivably live on forever if never subjected to a concerted destruction effort.
Back in 2012, Judge Posner detailed this shift in inadvertent evidence preservation in the US v. Sevier decision:
“Staleness” is highly relevant to the legality of a search for a perishable or consumable object, like cocaine, but rarely relevant when it is a computer file. Computers and computer equipment are “not the type of evidence that rapidly dissipates or degrades.” United States v. Vosburgh, 602 F.3d 512, 529 (3d Cir. 2010). Because of overwriting, it is possible that the deleted file will no longer be recoverable from the computer’s hard drive. And it is also possible that the computer will have been sold or physically destroyed. And the longer the interval between the uploading of the material sought as evidence and the search of the computer, the greater these possibilities. But rarely will they be so probable as to destroy probable cause to believe that a search of the computer will turn up the evidence sought[.]How long is too long? The answer is entirely open-ended. A recent decision from a California appeals court says a 23-year gap between the crime and the search warrant doesn't render the evidence "stale." A reopened "cold case" investigation into the apparent murder of a Los Angeles police officer resulted in the issuance of warrant in 2009 to search the defendant's current possessions, including the computer she didn't own (if she even had one) back in 1986.
The defendant moved to suppress the evidence, but the court said her "staleness" argument didn't apply. (But the "good faith exception" did... [It almost always does.]) Both warrants were extremely broad.
The first permitted authorities to search appellant’s residence and several vehicles registered to her. It sought electronically and digitally stored material, documents, and records related to the homicide, Rasmussen or Ruetten, including “letters, diaries, journals, writings, newspaper articles, books, correspondence, [or] greeting cards”; photographs of Ruetten and Rasmussen; items that may have belonged to Ruetten or Rasmussen; information identifying persons “who may have associated with or [may] have known” Ruetten, Rasmussen or appellant; medical or dental records tending to establish whether appellant received treatment for injuries after February 24, 1986; “bills, receipts, papers, reports or forms” from 1986 generally; and all .38/.357 caliber firearms in appellant’s possession.The lower court had some issues with the breadth of the warrants, but managed to talk itself out of its queasier feelings.
The second warrant, issued by a different magistrate, gave permission to search the “computers, storage media, computer hardware and digital evidence” seized pursuant to the first warrant, including “[email], internet browsing histories, cached information, partially deleted files, records, receipts, screen captures, photographs, logs, [and] printouts.”
The court agreed there was a plausible argument for overbreadth in the requests to search for “bills, receipts, paper or reports or forms from 1986” and for the names of all “people who may have associated with” Rasmussen, Ruetten or appellant. The court was “uncomfortable” with the request to search appellant’s computers because they were unlikely to have been in existence at the time of the crime.It also suggested it had no business telling magistrate judges how to do their jobs.
However, the court concluded that warrants should not be read in a hypertechnical way and that it was up to the issuing magistrates to tell the detective to “‘tighten [the] language’” or “beef it up.”The defendant argued that there was no "nexus" between the original crime and her current residence, not to mention the fact she had no computer back in 1986, so any search of her current computers was predicated on an unsupported assumption that these would contain evidence related to the 1986 murder.
The appeals court didn't find either argument persuasive. It pointed out that, while both warrants were broad, they were supported by probable cause. And, more importantly, the lack of a "bright line" measurement for "staleness" -- along with the common use of computers as "permanent" storage of copies of physical items -- allowed for this sort of search, despite the length of time elapsed since the initial investigation.
With respect to her contention that her move from one residence to another precluded a finding of a nexus between her current home and the evidence sought, the warrants specifically sought photographs, journals and diaries. A person does not normally discard such items, even after several moves.That handles the physical "nexus" argument. Here's the court on the digital end of it:
Appellant claims that the warrant was overbroad in granting permission to search her computers, as there was no evidence she owned any of them at the time of the homicide. The fact that she may not have owned those computers at the time of the crime did not preclude the possibility that she had transferred information or records -- particularly photographs -- to computers owned at the time of the search. (Cf. Arkansas Chronicle v. Easley (E.D. Va. 2004) 321 F.Supp.2d 776, 795 [recognizing that photographs and video preserved in computer format are “easily transferrable”]; U.S. v. Christie (10th Cir. 2013) 717 F.3d 1156, 1164 [observing that personal computers often hold “diaries, calendars, files, and correspondence”].)Now that the near-permanence of digital evidence is ensured by long-lasting storage and even longer-lasting cloud service backups, "staleness" is no longer an issue. But while that may give law enforcement a pass of serve search warrants years after alleged criminal activity occurred, it should also factor into discussions about warrantless searches based on exigent circumstances.
The government argued in the Riley case that the omnipresent "threat" of evidence destruction necessitated instant, warrantless access to arrested suspects' cellphones. (This was presented to the court without any supporting evidence that automated wiping or other uncontrollable evidence destruction had occurred with any frequency). But the opposite actually seems closer to reality: whatever is on a cellphone (or someone's computer) will last almost indefinitely unless a person makes active, time-consuming efforts to thwart evidence recovery.
From Posner's 2012 opinion:
When you delete a file, it goes into a “trash” folder, and when you direct the computer to “empty” the trash folder the contents of the folder, including the deleted file, disappear. But the file hasn’t left the computer. The trash folder is a waste paper basket; it has no drainage pipe to the outside. The file seems to have vanished only because the computer has removed it from the user interface and so the user can’t “see” it any more.Most people never make it past "Empty Recycling." Even though plenty of options exist for common users to ensure deleted files are actually deleted (read: overwritten), Posner points out that "use of such software is surprisingly rare." This coincides with the very low number of incidents where law enforcement has run into the use of automated tools to destroy digital evidence. And yet, the government insisted the possibility of evidence destruction should allow it to warrantlessly search cellphones and other devices at the time of arrest.
But it really shouldn't get to have it both ways. Either there's a good chance the evidence sought is intact -- and will be for possibly decades to come -- or it's all vanishing before it can get its hands on it, in which case the argument for "staleness" must be addressed in more detail.
Fortunately, the Supreme Court has put an end to law enforcement's insistence it must have access right now. That's good news, especially when combined with the unavoidable conclusions courts will reach when dealing with storage options that preserve evidence for years. The government can't be allowed to claim there's no time to get a warrant when it's readily apparent they have all the time in the world.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: evidence, stale, stephanie lazarus
Reader Comments
Subscribe: RSS
View by: Time | Thread
Newspeak...
In the novel "1984", the government saying one thing and its opposite was perfectly normal. Each citizen was supposed to understand that both are true and never think that inconsistency was suspicious.
Out of fiction, copyright monopolists have the same attitude: they say two opposite statements and politicians as well as judges are supposed to take them both as true.
This example today is just one more real life example that some people have only scorn for citizen rights and basic intelligence.
[ link to this | view in chronology ]
No, the low memory, lack of ubiquity in scanning hardware, and the poor quality of image software inherent in computers in 1986 makes it unlikely that she had any photographs on a computer in 1986, much less that she transferred it to a series of newer computers that she might have upgraded to at least every 10 years.
Compuserve didn't introduce the GIF format until 87 and the JPEG standard wasn't introduced until 92. Did someone think this woman was a pioneer in early computer imagery when she wasn't being a cop and that despite her training as a cop, she would have used this rudimentary imaging technology to take photographs of her killing someone?
[ link to this | view in chronology ]
Re:
Scanning photographs in when scanning and storage hardware made this feasible is something a lot of people did.
The court is right about that one. However, I cannot imagine why one would want to preserve any such evidence: I'd not have expected to keep incriminating photographs for a day, let alone scanned them to computer and stored them.
While the Facebook-uncovered crimes one sees these days sport a number of dimwit criminals, it's reasonable to assume that a person of her age would not be just that stupid.
[ link to this | view in chronology ]
Perhaps we need a digital version of "shut up"
[ link to this | view in chronology ]
Perhaps we need a digital version of "shut up"
You can't do yourself any good by talking to the police. As Supreme Court Justice Robert Jackson put it, "any lawyer worth his salt will tell the suspect in no uncertain terms to make no statement to the police under any circumstances".
So, even if you're innocent, consider the advice of running CCleaner or the like every month or so, and run Eraser biannually (no need to use the fancy multipass wipes; 1x random is likely enough).
[ link to this | view in chronology ]
Re: Perhaps we need a digital version of "shut up"
Or better yet, use a modern operating system with an encrypted file system and set the system to overwrite deleted files and slack space by default. Processors and hard disks are really fast, and adding encryption only adds a minimal amount of overhead that I am not sure why people don't do it other than laziness.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Plus, the defendant in this case is an idiot. To argue that she didn't have her current computer at the time of the crime is irrelevant. She could have easily transferred documents, data and whatnot to her current computer. The courts ruled correctly on that. She should really do her own research.
[ link to this | view in chronology ]
Re:
Why isn't one overwrite enough? Or is it just to make sure the first one didn't miss any sectors?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
I'm not saying you're wrong, but if it's possible to write data, and then write other data on top of it and still get at the previous data, why haven't drive manufacturers taken advantage of that to increase storage density?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
1) The error rate is unacceptably high for use as storage
2) It's destructive.
3) In order to do it, you need to use a scanning tunneling microscope. In effect, you're reading the magnetic polarization that is underneath the surface layer's overt polarization.
For practical purposes, this is not a realistic attack vector. However, if a well-funded company or agency was very, very interested in the contents of your drive, then it is possible.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Browsing history
[ link to this | view in chronology ]
Trying to picture this
Wow, Hallmark really does have a card for every occasion.
[ link to this | view in chronology ]