02: Introduction to Legal Concepts
Our study of digital forensics will be largely grounded in criminal investigations. Therefore, we need a basic understanding of US Fourth Amendment law and related legal procedures.
Keep in mind, I am not a lawyer, I am not training you to be or act as a lawyer, my lectures and this course do not constitute any kind of accurate legal advice. If you are in a situation personally or professionally where there are legal implications or interpretations needed, you’ll definitely need the help of a licensed lawyer. Our goal is really a study of government, civics, and legal reasoning.
Preliminaries
Let’s begin with the US Constitution. You could spend a lifetime studying the Constitution, but let’s just examine a few parts that are important for this course and study simplified versions of them.
The constitution gives us the three branches of government: legislative, executive, and judicial. For this course, we are concerned with the idea that
- the legislative branch creates and passes laws;
- the executive enforces those laws and ensures justice; and
- the judiciary’s role is to judge issues of justice.
Where it gets interesting is that the legislature needs to pass laws that do not violate rights guaranteed by the Constitution; if they do, the judiciary can rule the law unconstitutional and overturn it. Further, the legislature often attempts to write laws that apply to a broad set of circumstances, and they let the executive branch figure out the details in practice. But technology advances in a way that makes it hard for everyone (for citizens and the government alike) to figure out how a law written some time ago applies to the world as it works now. The judiciary is there to make decisions about such interpretations. If the legislature doesn’t like the judiciary’s interpretation, then the legislature can pass a new law that clears things up differently.
A very important concept is that the courtroom decisions made by the judiciary are as equally strong as laws passed by the legislative branch. The decisions are often referred to by the case name. For example, we’ll study decisions such as “Katz”, “Smith v Maryland”, and “Carpenter”. These decision are called “case law”.
For this course, the most important part of the constitution is the Fourth Amendment:
- The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
You could study just this amendment for a lifetime! In short, the amendment says that it’s unreasonable for the government to enter your home and search for things unless they have good reason. Over time, the legislature has passed laws that provide a lot more structure than my last sentence and protections that are not spelled out by the Fourth Amendment (but also not prevented by it). And over time, the judiciary has produced case law the further refines the structure and rules.
One of the most interesting aspects of our legal system is that the judiciary can suppress evidence as if it doesn’t exist. For example, let’s assume the government enters your home, and searches and seizes evidence that shows you committed a crime; if the judiciary finds that search was a violation of the Fourth Amendment, the evidence will be thrown out and not considered in a legal decision. Further, maybe that seized evidence was the basis of finding other evidence… it all gets suppressed. This concept is called “fruits of a poisonous tree”.
The Matrix
Our focus is on electronic evidence, and we can use use a 2-by-2 matrix of evidence types to frame legal protections and procedures. Along one dimension is evidence that is stored or real-time; along the second dimension we have content versus non-content. Each cell in our matrix requires the government seek a different kind of mechanism to search/seize that kind of evidence. Each mechanism has different rules.
| Stored data | Real-time data | |||
|---|---|---|---|---|
| Content | Search Warrant | Wiretap | ||
| Non-content | Subpoena or d-order | PRTT |
Let’s talk stored data first. If I send you an email, and then you read it and archive it, then you have decided not to delete it. You had the opportunity to do so, but decided to keep it around. Consider a different scenario: I call you on the phone (or zoom etc) and start to talking to you. In the moment, you don’t have an option to delete what’s being said. The government’s view is that you deserve more privacy protection for these real-time scenarios because you lacked the chance to delete the data. In the law, “stored data” is referred to as the “retrospective” case and the “real-time” scenario is the “prospective” case.
Now let’s talk content versus non-content. Consider a US Postal Service letter (snail mail!) that you send to me. To do that, you store the written letter (the content) inside an envelope, and then you write my address (the non-content) on the outside of an envelope. Typically, maintaining the privacy of the content is more important than maintaining the privacy of the non-content, and the government sees it that way too. What else is non-content? A nice way to remember it is “D.R.A.S.” which stands for dialing, routing, addressing, and signaling.
So we have four basic cases. Here’s an example of each.
- Stored non-content: a history of phone numbers you’ve called
- Stored content: an archived email
- Real-time content: an active zoom call
- Real-time non-content: a list of websites that you are visiting (that is, the list is updated as you visit the websites)
What I mean by “real-time” is that the government is capturing the evidence contemporaneously, as it is happening. In that sense, the authorization must have been sought prospectively ahead of the communication, just as we said above. For stored communication, the authorization occurs retrospectively, after the communication has happened.
Now let’s look at four mechanisms the government uses to search and seize evidence.
Subpoenas
Subpoenas are used to acquire stored non-content.
For example, investigators can subpoena “basic subscriber information”, which means, the account details that your ISP has about you. (A subpoena cannot get the content of your communications!). These details include:
- (A) name;
- (B) address;
- (C) local and long distance telephone connection records, or records of session times and durations;
- (D) length of service (including start date) and types of service utilized;
- (E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
- (F) means and source of payment for such service (including any credit card or bank account number)[.]
The legal threshold for issuing a subpoena is extremely low. To put it one way, it just has to be information related to an on-going investigation (e.g., law enforcement cannot abuse subpoena power to get information about random people they dislike personally). In fact, often the judiciary does not review a subpoena before it is issued and complied with.
As example, as part of an investigation, a victim gave the government an email sent from a google gmail account. The government may subpoena Google for the account information related to that email address. Perhaps google has a phone number on record. The government may then determine that Verizon is the cellular company managing that phone number, and they may have a billing address on file. Verizon may have a home address for someone who may have sent the email of interest, and the government subpoenas Verizon next. (Getting into that home is not possible for the government without a warrant!)
2703-d Order
This mechanism is one that you probably never heard of — I’ve never seen it in a movie or TV show. Often called simply a “d-order”, the name comes from the section of the law that defines it. With a d-order, the government can obtain:
- Anything that can be obtained using a subpoena; and
- All records or other information pertaining to a subscriber to or customer of such service, but not including the contents of communications.
What does that mean in english? If a d-order is issued against a specific account, examples of what can be compelled are
- The account names, numbers, and addresses that the account holder has corresponded with;
- The full headers for email and messages held by the provider for the account (but not including the subject line or other content)
- A list of contact “favorites” or “buddies” that the provider may hold.
The threshold for obtaining a d-order is that the government must offer to a judge “specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”
Search Warrant
Warrants enable the government to search and seize stored content. To obtain a warrant, and therefore authorization to perform a search and seizure, the government appears before a judge or magistrate of the judiciary. An agent will present an application for a warrant that includes the facts that establish probable cause to believe that the search and seizure is needed.
When has probable cause has been established? PC is is fluid and context-dependent concept. It is a decision by a person who is part of an independent judiciary, and it not based on a fixed probability threshold (like “51% or more”) See for example this discussion, which states in part:
Although the Fourth Amendment states that “no warrants shall issue, but upon probable cause”, it does not specify what “probable cause” actually means. The Supreme Court has attempted to clarify the meaning of the term on several occasions, while recognizing that probable cause is a concept that is imprecise, fluid and very dependent on context. In Illinois v. Gates, the Court favored a flexible approach, viewing probable cause as a “practical, non-technical” standard that calls upon the “factual and practical considerations of everyday life on which reasonable and prudent [people] act”. Courts often adopt a broader, more flexible view of probable cause when the alleged offenses are serious.... Probable cause exists when there is a fair probability that a search will result in evidence of a crime being discovered.
With a warrant in hard, then content can be searched for and seized. That can include anything stored: email messages, videos, letters, documents, photos, you name it.
The warrant must be specific about the place to be searched and the things being sought. The agents executing the warrant must stay within those specifications. Most obviously, you can’t get a warrant for a specific home and then search the neighbor’s house. But consider a search for a refrigerator: it doesn’t make sense to open a drawer during the search that couldn’t contain a fridge. But if the search is for a refrigerator including receipts for the purchase, then it makes sense to open a drawer.
Pen-Register/ Trap-and-Trace (PRTT)
Now let’s consider real-time, non-content evidence. In the long, long ago, before the internet, people used telephones. And to use phones, they would dial phone numbers. A pen-register is a device that records the phone numbers of outgoing phone calls. A trap-and-trace is a device that records the phone number of an incoming call. At some point, the telephone system moved from being mechanical to digital and the pen-reg and the trap-and-trace became one mechanism. Sometimes people call that mechanism a “PRTT” or a “pen/trap”. (Sometimes people will just say “pen-reg” but they mean both devices.)
PRTTs apply to internet communications as well. And so with an authorized PRTT in hand, a government investigator can record the incoming and outgoing IP addresses listed in internet packets crossing into your home internet connection. But never the contents of those packets!
There is a low threshold for getting a PRTT authorized. The “applicants must identify themselves, identify the law enforcement agency conducting the investigation, and then certify their belief that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by the agency”. The court will not conduct an “independent judicial inquiry into the veracity of the attested facts.”
Wiretap Order
Wiretap orders are also called “super warrants” or “Title III” warrants. They allow the contemporaneous intercept of wire and electronic communications by the government.
To get wiretap, the application to a judge requires all that a regular warrant requires (such a PC) and more:
- Wiretaps are limited to specific felony offenses.
- The application must show that normal investigative procedures have been tried and failed, or reasonably appear to be unlikely to succeed or to be too dangerous,
- The application must show that the surveillance will be conducted in a way that minimizes the interception of communications that do not provide evidence of a crime.
Note that you don’t need a wiretap if you are party to the communication (at least federally; some states require all parties on the communication to consent to a recording).
When does the Fourth Amendment Apply?
In many scenarios, none of these legal mechanisms are necessary at all! For example, if you are communicating with an undercover law enforcement investigator, then anything you tell them is evidence. They don’t need a warrant to examine the emails you have sent them because they are an intended recipient of the communication. Most generally, these two cases are very important to know.
US v. Katz (1967): In this case, Katz entered a public telephone booth and made calls. The FBI placed a listening device on the outside of the telephone booth (they turned it on only when they saw him entering the booth). The court’s ruling introduced a two-prong test for courts to determine if search warrant is required for obtaining the content of communication.
- Did the person express subjectively a reasonable expectation of privacy?
- Does society objectively recognize their expectation of privacy as reasonable?
For example, if you have conversation about something with a friend in class, where others can overhear it, you may demand that the conversation stay private, but objectively, it’s not reasonable to expect privacy in a public space. But if you were to enter a phone booth (we have these booths again in the CS building but not for phone calls, they are for zoom calls! Conference space is limited in the building.), you are demonstrating a reasonable expectation of privacy that the court recognizes, even if the government could hear you voice outside the booth. The court wrote that the reach of the Fourth Amendment does not “turn upon the presence or absence of a physical intrusion”. Often the test is reduced to the question “was this a reasonable expectation of privacy?”.
Smith V Maryland (1979): In this case, the courts applied the Katz test to the installation of a pen trap on Smith’s phone (which captured the numbers he dialed, but not the content of his communications). The court decided the two-prong Katz test as follows: “First, it is doubtful that telephone users in general have any expectation of privacy regarding the numbers they dial, since they typically know that they must convey phone numbers to the telephone company… Second, even if [Smith] did harbor some subjective expectation of privacy, this expectation was not one that society is prepared to recognize as “reasonable.” When [Smith] voluntarily conveyed numerical information to the phone company and “exposed” that information to its equipment in the normal course of business, he assumed the risk that the company would reveal the information to the police.” There is an earlier, related case US v Miller (1976) on the subpoena of bank records, “The Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities.” The concepts decided in these two cases are sometimes refereed to as the “third-party doctrine”.
Thus, the Fourth Amendment does not protect the numbers you dial from government search and seizure — only the laws passed by Congress do.
Learn More
I can’t express enough times just how simplified the above legal discussion is. If you are interested in the full story, you can read or browse this guide from the government for professionals: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Or you can take CMPSCI 391L and study these concepts and others for a full semester.