Just EnCase It's Not a Search
Mark Rasch, 2008-11-21

Story continued from Page 1

Yet, the precedent set by the case is offset by a 2002 case from Texas, where a defendant’s estranged wife presented the police with her ex-husband’s computer and about 20 floppy disks, CDs and zip disks, some of which she had examined and determined to contain child pornography. The question that faced the court: Could investigators examine the other disks without a warrant because they were part of the same pile, or did this exceed the scope of the private search by the ex-wife? The court concluded that the forensic examination of the other disks could not be justified without a warrant simply because they were in the same pile as disks that had been examined. The court did, however, conclude that, if a disk contained a single examined piece of contraband, the government could look at the entire disk without a warrant.

In Crist’s case, the government made three arguments. First, they argued that Crist abandoned his privacy rights when he failed to pay his rent, a claim rejected by the court. The government next argued that running an MD5 hash on Crist’s computer was not a search because the agents did not exceed the scope of the search that the landlord’s friend conducted. They did not, the government maintained, “look at any files, they simply accessed the computer.”

Accessing a computer without the owner's consent intrudes on their privacy interest — the classic definition of a search. But what is amazing is that, in its legal brief, the United States Department of Justice took the position that running an automated tool designed to examine and categorize the contents of a massive file system for the purposes of determining the contents of files contained in that file system does not constitute a search, apparently because no human sees the contents of the file. The Court noted:

Computers are composed of many compartments, among them a "hard drive," which in turn is composed of many "platters," or disks. To derive the hash values of Crist's computer, the Government physically removed the hard drive from the computer, created a duplicate image of the hard drive without physically invading it, and applied the EnCase program to each compartment, disk, file, folder, and bit. By subjecting the entire computer to a hash value analysis -- every file, internet history, picture, and "buddy list" became available for Government review. Such examination constitutes a search.

How could it not?

A Troubling Precedent

For some reason, the government did not appear to make the argument invited by the Supreme Court by its rulings in the FedEx and dog-sniff cases. The government could have argued that, if the EnCase scan for a particular MD5 hash matches, the search is constitutionally permissible without a warrant because it revealed nothing except the existence of contraband. And, because there is no reasonable expectation of privacy in contraband, the government might argue, a search which only reveals the existence of contraband invades no legitimate privacy right.

In the Crist case, however, the court never addressed that critical issue, because it never had to. The government merely argued that an automated search was no search at all.

This unanswered question -- whether a scan of hash values looking for contraband is a permissible search -- is really the rub.

If the government may conduct warrantless searches as long as those searches only reveal the presence of contraband, then it could lawfully put automated sniffers on any computer, searching for the presence of files for which the MD5 hash matched that of contraband. While the software categorizing the files might be considered to be conducting a search -- and I think it is -- the contents of this search are not revealed unless the program believes it is contraband.

And, of course, such an interpretation would open the floodgates to a warrantless surveillance program that would put the Terrorist Surveillance Program to shame.

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
Copyright 2010, SecurityFocus