Schneier on Security
A blog covering security and security technology.
June 5, 2007
Third Party Consent and Computer Searches
U.S. courts are weighing in with opinions:
When Ray Andrus' 91-year-old father gave federal agents permission to search his son's password-protected computer files and they found child pornography, the case turned a spotlight on how appellate courts grapple with third-party consents to search computers.
The case was a first for the 10th U.S. Circuit Court of Appeals, and only two other circuits have touched on the issue, the 4th and 6th circuits. The 10th Circuit held that although password-protected computers command a high level of privacy, the legitimacy of a search turns on an officer's belief that the third party had authority to consent.
The 10th Circuit's recent 2-1 decision in U.S. v. Andrus, No. 06-3094 (April 25, 2007), recognized for the first time that a password-protected computer is like a locked suitcase or a padlocked footlocker in a bedroom. The digital locks raise the expectation of privacy by the owner. The majority nonetheless refused to suppress the evidence.
Excellent commentary from Jennifer Granick:
The Fourth Amendment generally prohibits warrantless searches of an individual's home or possessions. There is an exception to the warrant requirement when someone consents to the search. Consent can be given by the person under investigation, or by a third party with control over or mutual access to the property being searched. Because the Fourth Amendment only prohibits "unreasonable searches and seizures," permission given by a third party who lacks the authority to consent will nevertheless legitimize a warrantless search if the consenter has "apparent authority," meaning that the police reasonably believed that the person had actual authority to control or use the property.
Under existing case law, only people with a key to a locked closet have apparent authority to consent to a search of that closet. Similarly, only people with the password to a locked computer have apparent authority to consent to a search of that device. In Andrus, the father did not have the password (or know how to use the computer) but the police say they did not have any reason to suspect this because they did not ask and did not turn the computer on. Then, they used forensic software that automatically bypassed any installed password.
The majority held that the police officers not only weren't obliged to ask whether the father used the computer, they had no obligation to check for a password before performing their forensic search. In dissent, Judge Monroe G. McKay criticized the agents' intentional blindness to the existence of password protection, when physical or digital locks are such a fundamental part of ascertaining whether a consenting person has actual or apparent authority to permit a police search. "(T)he unconstrained ability of law enforcement to use forensic software such as the EnCase program to bypass password protection without first determining whether such passwords have been enabled ... dangerously sidestep(s) the Fourth Amendment."
If courts are going to treat computers as containers, and if owners must lock containers in order to keep them private from warrantless searches, then police should be required to look for those locks. Password protected computers and locked containers are an inexact analogy, but if that is how courts are going to do it, then it's inappropriate to diminish protections for computers simply because law enforcement chooses to use software that turns a blind eye to owners' passwords.
Posted on June 5, 2007 at 6:43 AM
Prof. Orin Kerr recently had an interesting posting on "Virtual Analogies, Physical Searches, and the Fourth Amendment" at the Volokh Conspiracy blog.
His postings examine two ways of viewing computer data in searches -- the "virtual" view, what the user sees, and the "physical" view seen by data recovery and forensics tools.
Regarding Jennifer Granick's good comments about locked containers and implications for the searches, are many of the typical "password protections" really obvious locks? If the password "lock" only works when the data is accessed via one particular application, is there an obligation for other people's data recovery or forensic tools to detect the "locks"?
In searches of physical containers, not all means of locking would be obvious locks. A string tied to hold the container shut might not be an obvious lock.
Encryption would offer more obvious locks for data. The locked up data should not be readily comprehensible in a "physical" view of the data that bypasses the password protection.
Besides, looking for a password first might require the police (who are, after all, on site) to actually turn on the computer first.
Which can allow a skilled user to have his/her harddisk erased first.
Presumably the existence of "Bolt Cutter" hardware means law enforcement officials can now ignore the existence of passwords.
Presumably the existence of "Bolt Cutter" hardware means law enforcement officials can now ignore the existence of padlocks.
If I lock the lid to a footlocker, but the contents are exposed and removable from a large hole in the side of the footlocker, is the footlocker a "locked container"? I don't think it is.
Similarly, if the computer lock is only a function of the boot sequence, only the boot sequence is locked. The drive isn't locked.
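The distinction drawn in the two comments above, between the "virtual" view a user sees and the "physical" view a forensic tool sees, and between a locked boot sequence and a locked drive, is the kind of thing that is easier to show than to argue. The following Python is an added example, not code from the original post or from any commenter. It models a login gate that guards one access path but stores bytes in the clear, beside a file that is actually encrypted, and then asks what a raw read of the disk can tell about each. The sample text, key, nonce and SHA-256 counter-mode keystream are constructed for illustration (a real system would use a standard cipher such as AES), and the 7.5 bits-per-byte threshold is an assumption.

```python
"""Is the data locked in the "physical" view, or only in the "virtual" one?

Added example; not code from the original post or from any commenter.
A login or boot password gates one access path (the "virtual" view) but
stores the bytes unchanged, so a raw read of the disk (the "physical" view)
sees the plaintext. Encryption is the only "lock" that survives that raw
read, and it shows up there as high-entropy, structureless data.
Sample text, KEY, NONCE and the keystream construction are constructed for
illustration; the entropy threshold is an assumption.
"""
import hashlib
import math

# Constructed sample: the owner's notes, kept in a "password-protected" account.
SAMPLE_TEXT = (b"Dear diary, the login screen asks for my password every day, "
               b"so I assumed nobody else could read this file.\n") * 16
KEY = bytes(range(32))        # constructed; fixed so results are repeatable
NONCE = b"example-nonce-01"   # constructed


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for constant data, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a hypothetical stand-in for a stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts: XOR with the keystream is its own inverse."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


def login_gate(password: str, supplied: str, stored: bytes) -> bytes:
    """The "virtual" lock: refuses to serve the file unless the password
    matches, but the bytes it guards sit on disk in the clear."""
    if supplied != password:
        raise PermissionError("wrong password")
    return stored


def looks_locked(raw: bytes, threshold: float = 7.5) -> bool:
    """What a tool reading the raw device can tell: does this region look
    like ciphertext (or compressed data) rather than text?"""
    return shannon_entropy(raw) >= threshold


def demo() -> dict:
    stored_plain = SAMPLE_TEXT                          # password-gated only
    stored_cipher = xor_crypt(KEY, NONCE, SAMPLE_TEXT)  # actually encrypted
    return {
        "plain_entropy": round(shannon_entropy(stored_plain), 2),
        "cipher_entropy": round(shannon_entropy(stored_cipher), 2),
        "plain_looks_locked": looks_locked(stored_plain),
        "cipher_looks_locked": looks_locked(stored_cipher),
        "secret_visible_in_plain": b"password" in stored_plain,
        "secret_visible_in_cipher": b"password" in stored_cipher,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The login gate and the raw read never meet: a forensic tool that pulls the drive and reads it block by block never calls `login_gate`, so the password has no effect on what it sees. Only the encrypted copy looks "locked" at that layer, which is why several commenters below treat encryption, not a login password, as the digital equivalent of a padlock.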
For more on U.S. v. Andrus, you could read an amicus brief on behalf of forensic examiners that Professor Paul Ohm of the University of Colorado Law School and I filed in support of the defendant's position. It addresses some of the questions commenters have posed about the visibility of locks and the responsibilities of investigators. You can download the brief here (pdf) or read more on my site.
If I understand this correctly...
By the same definition, couldn't an officer just pick the lock? The lock-picking kit also turns a blind eye to the key (instead of password).
Under the same principle, it sounds as if that would be completely legal as an alternative to getting permission or a warrant.
Very interesting stuff.
In the U.K. things are a little different; the laws of evidence are spread all over various bits of legislation.
However the Association of Chief Police Officers produced a "Good Practice" guide for actually "securing evidence" on PCs and other electronic items.
An (out of date) copy can be found at,
The National Hi-Tech Crime Unit (NHTCU) it refers to has been replaced with SOCA etc, but it is still a very good read.
It's sad that the courts are aiding and abetting the State in gutting the Bill of Rights; but perhaps even sadder that so many people don't seem to care.
Why did the police ask a 91-year-old for permission? Because they really thought he had authority over all his adult son's possessions? Get out!
Or because they knew they could easily bully a very old person into agreeing to whatever they wanted to persuade him to agree to?
In a just world, the police who did this would be disciplined. And the judges who agreed to it would be removed from office.
This is more analogous to brute-forcing a door without checking for it to be locked (i.e. turning the knob). Booting with forensic bypass software is getting access to the contents without checking the container status, but its use implies an understanding on the part of the investigator that the container needs to be bypassed. The question to be asked is, "Why didn't the officer try the knob before breaking down the door?"
If I understand Granick's brief, she says a password is like a lock so the rules of locks apply. However, that does not address either Voss's comment that simply checking for a password could cause the disk to be erased or Doug's comment about an alternative entry being wide open.
The analogy I would use is: if you find a door to a barn wide open, are you expected to circle the barn to see if at least one door has a lock before going in?
If the hard drive was encrypted?
The comment about "child porn". I have a problem with that, since if the girl(s) etc. are 17 and bustier than a Baywatch actor and there is no way you could know that they were under age... it's still child porn in a lot of places. I'm not saying this is the case here, but it often is.
Might I suggest that a better analogy is an X-ray machine?
Imagine Ray Andrus had left a locked cashbox - it is usually easy to break these or to pick the lock, but they are just sufficient to discourage the curious.
If his grandfather had given permission to take away the cashbox, what would the police be obliged to do? I think (but would welcome explanations to the contrary) that they would require a warrant to break the box or pick the lock. Would they require a warrant to X-ray the box? Consistency suggests the answer 'yes', otherwise ...
Does this ruling constitute a precedent? If so my advice to miscreants is to purchase a cashbox and lock your computer inside while you are away. Even the hypothetical X-ray machine won't help the police.
@"Doug at June 5, 2007 07:39 AM"
This is not the case of a hole in the side of a footlocker. I would say this is more of a case of a locked footlocker with exposed hinges. If the hinges can be easily removed with a screwdriver is the footlocker sufficiently secured?
The internal hard drive of a computer is not usually readily available for connecting write blockers or disk duplicators, although most computer cases do usually have a method of locking the case.
I do believe that this police force overstepped their bounds and have created a situation that could lead to a scary precedent. These guys should have been a little more patient or at least cleared their actions prior to accessing the drive.
I do, however, admire their resourcefulness and I am glad that they are making their best efforts to protect our society.
Another instance of "good initiative, bad judgement."
Go forth and do good things,
What about a sticker next to the keyboard: "This computer is the exclusive property of [the son]."
Would the agents have to obey that??
Furthermore, don't use any crappy "password protection", just encrypt the stuff with a decent software.
I submit the analogy that the police unhinged a door without bothering to check if it is locked.
Until the courts decide what "effective" digital protection is, that warrants an expectation of privacy, there's always TrueCrypt. With a long, random password that is kept in Password Safe.
I agree that encryption would fit the "locked box" analogy better.
What if the encryption was ROT13? :-)
(Even with ROT13 "locked box" would still fit, but what about being doubly secure by doing ROT13 twice? :-) :-)
Everyone knows that ROT13 was factored. You should be using ROT17 with perhaps ROT23 for added factoring security!
If US police follow the same principles as in the Association of Chief Police Officers' guide linked by Clive Robinson above, they specifically would *not* even try to boot the computer, because that would change the contents of the hard drive and compromise the evidence (because the defense would say the changes showed that the disk had been tampered with while in police custody). Instead, the cops' routine procedure would be simply to remove the hard drive and connect it to another computer as a secondary drive, so that they could examine it without changing it. So any boot password would indeed be irrelevant. A lock on the case, however, would surely be relevant unless Dad knew where the key was hidden.
The firmware in a modern harddrive can be flashed. I guess it wouldn't be very hard for a decent embedded systems programmer to modify the firmware to detect it has been moved to another computer without a proper disarming sequence, and trash the drive, or to simply withhold the sensitive data.
Of course, encrypting the drive or the sensitive data would probably be easier.
@cutaway -- What if I change my footlocker analogy to a padlock on the hasp, but *NO* hinges on the other side? The point is the same -- the person doing the securing left a wide-open entry path.
Another analogy -- The police enter a house and receive permission from a resident to search the house -- assume the resident has "apparent authority." The police find a room with two doors. One is locked, the other unlocked.
In a forensic examination, the computer is never booted. If the computer is on when found, it's typically unplugged. The hard drive is put into a read only bay and a copy is made. The copy is examined, not the original, so that the original is not tainted by any changes. This allows the investigator to show in court that any evidence found on the drive is genuine, because the original is maintained in the exact state it was found. Think about it - if in court you could show even one file that had been manipulated by the prosecution, you'd be able to put any evidence from that system in doubt.
I think the answer is simple, though you should not have to do it: lock your laptop in a footlocker and don't give anyone else a key.
Just to amplify on derf's comment,
The reason that a Windows machine is never booted up by a forensic examiner is that on startup most versions of the MS Windows kernel write to the hard drive.
Linux on the other hand does not write to the hard drive on boot up unless the RC files (Unix equivalent of autoexec.bat) tell it to do so. Which is why a number of forensic examiners' tools use Linux as the OS of choice.
In fact if you write-protect the boot hard drive some versions of MS Windows will not boot up at all. However Linux will boot quite happily with the same drive.
This is worth knowing as quite often when a Windows machine fails to boot and gives a hard drive error, it is due to the kernel not being able to write to that one particular sector on the hard drive.
So if you boot from Linux you can get the data off of the drive (see the dd command) and write it back to a new drive and effectively "save your bacon" if you do not have a recent backup (which we all do of course 8)
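The acquisition procedure derf and Clive describe above (never boot the suspect machine, read the source through a read-only path, copy it block by block as dd does, and keep hashes so the original can be shown untouched in court) is worth seeing end to end. The following Python is an added example, not code from the original post or from any commenter. A real examination puts a hardware write blocker between the drive and the examiner's machine; here the read-only open flag plus a before-and-after hash of the source stand in for it, which is an assumption of the example. The file paths and the sample "drive" built in `demo()` are constructed for illustration.

```python
"""Acquire a drive image without writing to the source, and prove it faithful.

Added example; not code from the original post or from any commenter.
Follows the procedure described in the comments above: do not boot the
suspect system, read the source read-only, copy block by block (what dd
does), and hash source and copy so that any later change to either can be
demonstrated. The read-only open flag and the before/after source hash are
a software stand-in for a hardware write blocker (an assumption here).
Paths and the sample "drive" in demo() are constructed.
"""
import hashlib
import os
import tempfile

BLOCK = 4096  # like dd bs=4096


def hash_file(path: str, chunk: int = BLOCK) -> str:
    """SHA-256 of a file, streamed so a large image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def image(src: str, dst: str, chunk: int = BLOCK) -> tuple:
    """Block-copy src to dst, hashing the stream as it passes through.
    The source is opened O_RDONLY; nothing in this function can write to it.
    Returns (bytes_copied, sha256_of_stream)."""
    fd = os.open(src, os.O_RDONLY)
    h = hashlib.sha256()
    copied = 0
    try:
        with open(dst, "wb") as out:
            while True:
                buf = os.read(fd, chunk)
                if not buf:
                    break
                out.write(buf)
                h.update(buf)
                copied += len(buf)
            out.flush()
            os.fsync(out.fileno())
    finally:
        os.close(fd)
    return copied, h.hexdigest()


def acquire(src: str, dst: str) -> dict:
    """Full acquisition record. The image is defensible only if the source
    hash before and after, the stream hash and the image hash all agree."""
    before = hash_file(src)
    copied, stream = image(src, dst)
    after = hash_file(src)
    img = hash_file(dst)
    return {
        "bytes": copied,
        "source_before": before,
        "source_after": after,
        "stream": stream,
        "image": img,
        "verified": before == after == stream == img,
    }


def verify_image(path: str, record: dict) -> bool:
    """Re-check an image later (before analysis, or in court) against the
    hash recorded at acquisition time."""
    return hash_file(path) == record["image"]


def demo() -> dict:
    """Constructed run: a fake 10 KiB-and-change drive is imaged and verified,
    then the image is altered to show the check catching it."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect-hdd.raw")    # stand-in for /dev/sdb
    dst = os.path.join(workdir, "evidence-001.dd")
    disk = bytes(range(256)) * 40 + b"unaligned tail"  # not block-aligned on purpose
    with open(src, "wb") as f:
        f.write(disk)
    record = acquire(src, dst)
    intact = verify_image(dst, record)
    with open(dst, "ab") as f:                         # simulate tampering
        f.write(b"\x00")
    tampered = verify_image(dst, record)
    return {
        "record": record,
        "expected_sha256": hashlib.sha256(disk).hexdigest(),
        "disk_len": len(disk),
        "intact_verifies": intact,
        "tampered_verifies": tampered,
    }


if __name__ == "__main__":
    r = demo()
    print("verified:", r["record"]["verified"], "bytes:", r["record"]["bytes"])
    print("after tampering, image still verifies:", r["tampered_verifies"])
```

Note what the record does and does not establish. Matching `source_before` and `source_after` shows the examiner's own copy did not alter the drive; the matching `stream` and `image` hashes show the copy is complete and that later analysis worked on an unchanged duplicate. None of this depends on any password on the original system, which is exactly why a login or boot password is invisible to this procedure and why a lock on the case, or encryption of the drive, is the only obstacle it would actually meet.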
Just a thought,
Take a fairly cheap safe and drill a couple of small holes in the back large enough to take a power cord and a network cable.
Put a small headless server inside running Linux etc. (you might need to include a Peltier device as well for cooling but hey that's just a practical detail ;)
On the outside of the safe use a diskless PC that boots linux off of the server into memory...
Then the police might just have a bit of difficulty with their pestering an old man into giving consent....
Your diskless PC would still require some sort of security to restrict access. Interesting idea, though.
Of course, having a diskless PC would suggest there is more to be found. It would be better to have a regular PC with hard drive and stuff people typically have on their hard drive, with a restricted-access fileserver hidden somewhere. Make sure the server doesn't reveal its presence until the user is authorised, using a UDP packet or something.
I would probably still encrypt the harddrive, just in case.
If you are really paranoid, you could build a (not too obvious) self-destruct system to kill the drive if the safe is breached.
What I was just wondering about: AFAIK, it is perfectly valid to send data in a SYN packet. Why isn't this used for authentication? (i'm unaware of any system that does this)
People are missing the point. The point is not did the Police "break a lock," but did the dad have "access" to the computer and hence the "authority" to grant the police the right to search it.
If the computer was password protected then unless the 93 year-old dad routinely accesses computers with forensics software he most certainly did not have access to the computer and thus did not have authority to grant the search.
Someone earlier noted that this search was like the police routinely searching footlockers by removing the hinges. The problem is not that they bypassed a lock but that the person who grants "permission" for a search must be the owner or have "access." A person who has keys is presumed to have legal access for purposes of authorizing a search. The dad did not have the keys to the computer (the password) or access and thus was clearly not "authorized" to use the computer or to grant access to its contents. The police deliberately ignored this issue because it was expedient to them. They didn't look for or ask the dad if there was a password that would have meant the dad didn't have authorization to access the computer--they didn't want to know. The court decided to endorse this expediency, but by any rational measure it should be overturned.
Perhaps a physical lock that the police could not pretend to ignore would work for purposes of establishing who has authorized access to a computer but that really should not be necessary.
By this new standard anyone can authorize the police to search any unattended computer nearby and the police can presume they have the authority and access to do so, then the police can automatically bypass the login password to gain access. Clearly such position is untenable in the long run--or so we can hope.
This is absurd. It's obvious on the face of it that the intent of the authorities was to get what they wanted by any means. So they bullied an old man into giving consent to something he had no true authority over, and then back-doored the hard drive.
There is (should be) a reasonable expectation of privacy on a password-protected windows pc. Few people know how to perform a read-only forensic analysis of a hdd. For comparison, see how many people know how to pick your front door lock or boost your car radio. The locks (i.e. passwords) are almost purely symbolic, given that a moderately experienced professional can easily circumvent them. But as with most symbols, they should express intent in the legal system.
Contrast the authorities' reasoning in this case with the legal system's protection of DMCA-like intent. When the MPAA uses flawed technology to try to protect their revenue stream, we all have to duck and cover just to make a fair-use backup. But when an individual makes a reasonable effort to protect his/her data, it's just not good enough to meet the legal threshold.
Government of the corporation, by the corporation, and for the corporation. Enjoy the neo-feudalism.
Exposed hinges or unexposed hinges aren't the issue. The key to the legalese isn't "lock" -- it's "expectation of privacy".
From a legal standpoint, one has to assume that all locks can be broken, all doors battered down. But the standard is (supposed to be) different when there are expectations of privacy.
@Govt Skeptic: "Contrast the authorities' reasoning in this case with the legal system's protection of DMCA-like intent."
Very good point. If this ruling stands, then I should be able to use a binary-editor to do whatever I want to "protected" files and software. I'm not "running" the software or "playing" the files, so I "have no idea" that it is protected...
@Govt Skeptic: you (possibly unintentionally) raise an interesting angle to this incident: can this guy now sue the feds for breaking the DMCA? They arguably circumvented a protection (password), copied the data, some of which was written and therefore owned by the owner of the computer. This would be especially true if any of it would qualify as "art", but even if it's just his shopping list, that shouldn't really be relevant.
The point "X the Unknown" raised, which is basically the same reasoning, but the other way around; this sets a precedent that one is allowed to bypass a protection that possibly exists until one confirms that it actually exists.
If the police can actually *not notice* the password as they search the computer, I'm inclined to be sympathetic to the view that setting it doesn't give any reasonable expectation of privacy.
This case raises interesting questions. IANAL, but it seems from the cases cited in the amicus brief that courts have traditionally ruled that a third party cannot consent to a search of material (physical or digital) for which the owner has made an obvious attempt to keep it private from that third party. In other words, the key point is the intent of the owner, not the strength of the precautions they used to keep it private. Courts have further ruled that a password indicates such an intent.
My question is: what else indicates such an intent? For example, if a user deletes a file, that would seem to indicate an intent to keep it private, yet investigators routinely recover deleted files from hard drives. The average user doesn't know that deleting a file does not necessarily permanently erase it. Is a password protected file still private if it happened to be in swap space when the investigator powered off the machine? There is now a copy that's not password protected, but the intent was there. Email? Most people don't even know if their email is stored locally. How about a browser cache of a password protected web site? Data that was stored in a hidden partition on the hard drive?
This goes further - if an investigator guesses wrong about what the courts will consider private, they may be breaking the law themselves, as the ECPA provides criminal penalties for accessing private data without consent or court order.
Any lawyers or LEOs out there who can educate us as to what is sufficient to show intent of privacy? Passwords? Encryption? Or am I misunderstanding the legal basis of Fourth Amendment protections?
"If the police can actually *not notice* the password as they search the computer, I'm inclined to be sympathetic to the view that setting it doesn't give any reasonable expectation of privacy."
Police invading your home and using forensic software attached directly to your hard drive is an extraordinary measure. If the technical capability of the police is your standard of "reasonable expectation of privacy" then virtually nothing can be considered private. Police can also "ignore" padlocks and deadbolts--note that police don't necessarily try the door knob on a suspect's house before breaking it down with a battering ram--yet in order to ignore the door lock in this manner they need a warrant or exigent circumstances.
Hans Voss and Rich expressed concern that "looking for a password first might require the police (who is after all, on site) to actually turn on the computer first.
Which can allow a skilled user to have his/her harddisk erased first."
While this is a risk, it is the same risk that the police take in trying a doorknob to see if it is locked - that a skilled user could set things up to destroy evidence. But how many users a) have the skills to set up a system like that, and b) are willing to lose all their data in the event that someone comes snooping around?
Destroying the data on the hard drive, while a setback to the investigation, is unlikely to completely end it - there is almost always other evidence of the crime (except possibly in the case of child porn, but in that situation, it's pretty likely that the criminal is going to gather himself another stash). And while not making a statement isn't supposed to be taken as an indication of guilt, having a hard drive that erases itself is much more extreme & certainly could be used as probable cause.
It's good to have this clarified. Now it's legal to break into a bank vault without knowing the lock combination. The banking industry will just have to get used to this new age we live in.
"""There is (should be) a reasonable expectation of privacy on a password-protected windows pc. Few people know how to perform a read-only forensic analysis of a hdd."""
What if you know better?
Could Bruce, for example, claim a "reasonable expectation of privacy" just because he set a password?
Never mind what the courts say... If you have to use a screwdriver to open the case, then there's a reasonable expectation of privacy.
OTOH, if the case is secured only by thumbscrews, then, imho, it's obviously open for casual access.
Sure, this might seem like an arbitrary rule. But use of tools makes a fairly clear line. And it's hardly any more arbitrary than a rule saying screwdrivers are ok, but boltcutters aren't.
If you disagree, then please explain to me the difference between a screwdriver and boltcutters. Then use your distinction to argue where a cutting torch fits on either side of your preferred line.
This case reminds me of some of the early computer-crime cases where police would use warrants to seize machines they believed might contain information about a crime under circumstances where paper records could only have been produced under subpoena.
The use of a front (such as the father in this case) to gain physical access to the box seems to me to make the bad faith clear. If the police had had a warrant, they could indeed have used whatever forensic tools they pleased. But absent the warrant, it really does seem they were in the position of deliberately kicking in a door so that they wouldn't have to find out whether the person ostensibly authorizing entry had a key.
If I invite you into my house, and you peek inside the bathroom medicine cabinet, that's one thing. But if you bring in your tools and start disassembling, for example, my microwave oven, then that's something else again.
In the instant case, consider, hypothetically, materials inside the computer's power supply. Suppose that the police suspected there might be a stolen fan inside the power supply (but without probable cause). A normal switching power supply has a label stating: HAZARDOUS VOLTAGE. NO USER SERVICEABLE PARTS INSIDE. Further, the power supply enclosure is normally sealed with a piece of tape. The tape often indicates that breaking the seal will void the warranty. In these circumstances, I don't think it would have been reasonable for the police technician to open up the power supply without further checking the father's actual authority to consent to the search.
Going back to the actual fact pattern, all this password protection argument is largely beside the point. The basic question has to be whether the technician had properly obtained apparent authorization to physically open the case of the computer, and to remove the electrical connections to the hard drive.
Imho, based on the facts presented, the search was unreasonable.
#Doug: "If I lock the lid to a footlocker, but the contents are exposed and removable from a large hole in the side of the footlocker, is the footlocker a "locked container"? I don't think it is."
Well, I disagree, but regardless, that's why full-disk encryption is becoming more widespread.
@Mark: "If his grandfather had given permission to take away the cashbox, what would the police be obliged to do? I think (but would welcome explanations to the contrary) that they would require a warrant to break the box or pick the lock. Would they require a warrant to X-ray the box? Consistency suggest the answer 'yes', otherwise ..."
Well, FWIW, I recall reading an article years ago (not that I can find it now), where the police determined that there was probable cause to search the home of a suspected marijuana dealer through the use of infrared (or temperature -- not sure now) sensors that detected the elevated temperature caused by the intense lighting he had in his basement to help grow his crop...
No physical entry occurred in that instance until the warrant was issued. Still, I have a problem with that. Shall we use infrared to see what sexual positions you might be attempting in your bedroom, or shall we use detectors capable of picking up video and other signal leakage to determine which web sites you go to or which TV shows you like?
I argue that the container in this case was the actual hard disk and the search not unusual but the same as evidence being in plain sight.
The old man gave them the right to search the physical box containing the hard disk.
I say the user secured access to the operating system which did not actually secure access to the file system.
Let's say I have something illegal in my living room. I lock all the doors to my house but leave the shades up. The police look in the window and see my contraband. Using forensic software to view the contents of an unprotected file system is the same and not extreme. We would expect investigators to take care as to not disturb any potential evidence. This would be the same as wearing gloves so not to taint physical evidence.
What if the hard drive did not have an operating system on it. What if it was the defendants data drive and was only mounted by the operating system... would we consider this drive independent of the OS?
This isn't equivalent to looking through a window.
Not only did the police technician have to open the box, and disconnect the hard drive, but the technician connected his own laptop to the hard drive. Signals from the technician's laptop intruded across the interface to the harddrive.
You have to be able to see something with your own eyes for it to be in plain sight. Otherwise, the "plain" in plain sight loses meaning. Plain means ordinary and common. Plain sight has to have its everyday meaning here.
Consider further... we all should know that connecting an IDE cable backwards, with pin 1 swapped with pin 40, will fry a hard drive. And I don't know about you, but I've run into cables where the red stripe was on the wrong side of the cable. A forensic search has to start with photographing and documenting the positions of all connectors. But, otoh, if the technician is just taking a "quick, casual looksee", he may not be so thorough--understandable--but not reasonable when there's doubtful authorization.
Once a technician starts powering someone else's interfaces, he had better make sure that he not only really has authorization, but has the voltages, currents and pin assignments right. And then he'd better double-check the authorization part.
Ok, I agree that the police had no right to access the computer without a warrant, when the only person who was able to grant them permission was someone who didn't know the password and had never even used it.
The problem with your logic photopass is that we (or at least I) don't know what gave the police suspicions about the man in the first place. Having a laptop is not, in and of itself illegal. What is saved on that laptop could MAKE it illegal. But since everyone knows that the laptop was not powered up, where was their probable cause to search it? A laptop sitting on a table is not the same as having, for instance, a full blown meth lab in your living room in plain view of open windows. Now, if they had suspicions about him and had been investigating him for awhile in regard to child pornography and had perhaps even seen some sort of evidence in regard to that particular laptop, then things would be different. And if that's the case, then I'll shut up. :)
I do know something about people back-dooring one's computer, as I have had it happen to me. I have a password on my laptop and while at work one day, my sister and her b/f, along with my other sister came over to visit my mother. Since my laptop is the only way to connect to the internet (seeing as how my mother dropped her laptop), my sister and her b/f wanted to get online, but my password was a bit of a barrier. Not so much for my sister's b/f though. He went in a back door (with no equipment, obviously) and created a user account, which he then deleted when they were done. I was pissed. Not so much at him, even though he was the one who had done it, but at my sister for not stopping him. Anyway, I was really mad at both of them for awhile, but I'm not one who stays mad for long and I got over it pretty quickly.
Well, if you have a lockable computer case, and set a BIOS password, I believe you'd be required to physically unlock the computer to remove storage devices for cracking, thus obviating the computer-illiterate gray zone.
@Bill: "Well, FWIW, I recall reading an article years ago (not that I can find it now), where the police determined that there was probable cause to search the home of a suspected marijuana dealer through the use of infrared..."
Kyllo v. United States (referenced in one of the linked articles):
First, assume, for the sake of argument, that the computer case was typically secured by a metric, combination flanged-hex / Phillips-head screw.
If the police had asked the old man for the screwdriver or nutdriver that he used to open the case, and the old man had produced a suitably-keyed tool, then we'd have one fact pattern. But if the technician just brings in his own tool, then it's like bringing in a set of skeleton keys.
Second, though, even if there was apparent authority to physically open the case, we still have to consider whether there was apparent authority to break the electrical connection to the hard drive.
We presume that the technician observed electro-static discharge (ESD) precautions. That is, a competent technician, following recommended practices, would have grounded himself using a wrist-strap. Further, if he actually removed the hard drive from its mount, then he placed it on a grounded, anti-static pad.
Nevertheless, anyone who routinely handles MOSFET devices has managed to zap their share of them. It's just life--a matter of bad luck--exacerbated by low relative humidity.
Did the technician appear to receive informed consent before potentially destroying components? Typical hard-drive packaging warns users about the risks of ESD, and advises them to take precautions. Those warnings are normally repeated on labels permanently attached to the hard-drive case.
ESD may destroy devices--even when precautions are observed.
Exactly how obvious the password was is open to question - the article doesn't say if it was a Windows password, or a machine boot password, or even just a screensaver password. However, I *do* know that routinely, forensic images aren't taken using the actual hardware of the PC - instead, the case is opened, the drive connector and power connector are disconnected, and a replacement connector is used to connect that hard drive directly to the machine making the forensic copy (either a dedicated hardware copy device, or a laptop equipped with an external-drive adaptor, usually a read-only one).
Implicit in that is the fact that, had the owner removed the power cable and attached a padlock to the power socket, assigned a power-up password, and set all Windows passwords to their most secure, unless he had prevented the case of the computer being opened, none of that would matter in respect of the forensic copy process.
For the boot locker analogy, a better description would be that the officer was faced with an entire row of lockers, and simply removed the rear panel so he could gain access to all the contents at once, carefully not looking to see if the front doors to any or all of them were locked.
That may be true of "grey box" desktop PCs, but increasingly teens have laptops for convenient portability to school or library, and almost no laptops have any way to secure the hard drive compartment.
"... either a dedicated hardware copy device, or a laptop equipped with an external-drive adaptor, usually a read-only one..."
@David Howe 6:58
It's worth noting that so-called "read-only" access to a modern hard drive is not a purely passive affair. Instead, it involves sending commands to the hard drive to move the arm over particular tracks in order to read the data from the magnetic media, and to write that data into the drive's onboard memory buffer. The data written to the memory buffer is then read via the external interface.
Those facts are important in order to gauge the intrusion into the hard-drive's sealed, metal enclosure.
I sincerely hope that everyone would agree that it would have been unreasonable under the circumstances for the technician to physically open up the hard drive. Not only does that void any warranty, but the hard drive most probably would have been rendered permanently inoperable. It takes special tools and a clean room environment to disassemble and reassemble a hard drive.
The only reasonable way for the technician to inspect the magnetic encoding on the platter was via the read head mounted on the drive's arm, and the drive electronics. That is, it would have been unreasonable for the technician to use his own tools to directly search the hard drive's platters--yet no conventional lock protected their immediate enclosure.
There's a somewhat comparable situation provided by a technology commonly found in American homes for somewhat longer than computers: TV sets. Most people know that the chassis of a CRT encloses potentially lethal voltages. Almost every American home contains at least one TV set, yet few--if any--of their cases have conventional padlocks. As a society, we're prepared to accept the fact that the average adult just knows better than to go fucking around inside a TV without specialized knowledge. And toddlers can't manipulate tools well enough to get the case open.
The analogies with locked/unlocked doors and locked doors with visual access via windows are faulty here; in such cases an area owner with a commonly available level of skills has the means to know about the accessibility of the area.
Use of forensic software here is in my opinion more similar to use of thermal cameras. Which, if I remember correctly, was already declared as requiring a warrant.
On a side note, the ATA IV specification allows setting up an access password at the level of the disk controller. While it is likely to be readable by the disk's manufacturer (and conversely the actors of the State), it may be taken as a clear indication of the disk being "locked". Some laptops allow this password to be set in BIOS.
Chella: It'd be easier for them to use a Knoppix CD, boot from it, then access the Net without even touching the laptop's disk. That way they would have the Net access and you'd have your privacy - at least as long as the disk partitions aren't accessed.
nedu: Putting the IDE cable in the wrong way does not necessarily kill the drive. At least Seagate drives tend to be rather resilient. The drivers on both ends of the IDE bus have to be able to withstand getting their outputs shorted to ground to achieve this. Not that difficult. There is also the notch on some cables, allowing insertion of the connector in only one way (at least when there are corresponding mechanical parts on the other connectors, which is the case for all 3.5" disks and the vast majority of recent motherboards).
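The comment above about the ATA disk-controller password, and the earlier one describing how a forensic copy is taken by cabling the bare drive to an imaging box, both turn on one question a technician can answer before imaging: is the drive's ATA security feature set enabled and is the drive currently locked? The following is an added example by the editor, not code from the original thread or from any of the commenters. It parses the "Security:" section that `hdparm -I` prints and maps the flags to the security state names used in the ATA specification. The two `hdparm` transcripts are constructed samples in hdparm's layout, not output from any real disk; the function names are the example's own.

```python
"""Classify the ATA security state of a disk from `hdparm -I` output.

Editor's added example, not from the original post. SAMPLE_LOCKED and
SAMPLE_OPEN are constructed to match the layout hdparm uses for its
"Security:" section; they are not captured from real hardware.
"""
from __future__ import annotations

import re

# Constructed sample: user password set and the drive still locked, which is
# what an imager sees right after pulling a password-protected disk from a
# laptop and powering it on its own adaptor.
SAMPLE_LOCKED = """\
/dev/sdb:

ATA device, with non-removable media
	Model Number:       EXAMPLE-DISK
Security: 
	Master password revision code = 65534
		supported
		enabled
		locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	Security level high
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Constructed sample: security supported but no password ever set.
SAMPLE_OPEN = """\
/dev/sdc:
Security: 
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

FLAGS = ("supported", "enabled", "locked", "frozen")
_FLAG_RE = re.compile(r"\s*(not)?\s*(supported|enabled|locked|frozen)\s*$")


def parse_security(hdparm_output: str) -> dict[str, bool]:
    """Return the four security flags as booleans.

    hdparm prints a set flag as "\tsupported" and a clear one as
    "not\tsupported", one per line, inside the "Security:" block. Lines such
    as "supported: enhanced erase" carry a suffix and are deliberately not
    matched. Parsing stops at the next top-level (unindented) section.
    """
    flags = {name: False for name in FLAGS}
    in_block = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_block = True
            continue
        if not in_block:
            continue
        if line and not line[0].isspace():
            break  # reached the next section, e.g. "Checksum:"
        m = _FLAG_RE.match(line)
        if m:
            flags[m.group(2)] = m.group(1) is None
    return flags


def security_state(flags: dict[str, bool]) -> str:
    """Map the flags to the ATA security state names (SEC0..SEC6).

    SEC3 (password set, drive powered off) cannot be observed by a running host.
    """
    if not flags["supported"]:
        return "SEC0: security feature set not supported"
    if not flags["enabled"]:
        return ("SEC2: no password set, frozen" if flags["frozen"]
                else "SEC1: no password set, unlocked")
    if flags["locked"]:
        return "SEC4: password set, LOCKED (user-area reads abort until SECURITY UNLOCK)"
    return ("SEC6: password set, unlocked, frozen" if flags["frozen"]
            else "SEC5: password set, unlocked, not frozen")


def imaging_check(hdparm_output: str) -> tuple[str, bool]:
    """Return (state description, readable).

    readable is False exactly when the drive is in SEC4: a write-blocked
    imager can still talk to the controller but cannot read the platters.
    """
    flags = parse_security(hdparm_output)
    return security_state(flags), not (flags["enabled"] and flags["locked"])


if __name__ == "__main__":
    for name, sample in (("locked", SAMPLE_LOCKED), ("open", SAMPLE_OPEN)):
        state, readable = imaging_check(sample)
        print(f"{name}: {state}; imageable without unlock: {readable}")
```

On a real system the input would come from `sudo hdparm -I /dev/sdX`, which itself sends an IDENTIFY DEVICE command to the drive; even the status check is not a passive act, as the comment about "read-only" access points out. Two caveats worth reading off the sample: "Master password revision code = 65534" is the value a drive reports when the master password has never been changed from the vendor default, and at "Security level high" the master password is permitted to unlock the drive, which is the sense in which the poster suspects such a lock is readable by the manufacturer.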
It seems like this decision moves us into a two-tiered system for digital security: one for citizens and another for digital media companies. We have seen in recent months the ease with which HD-DVD and Blu-ray "cryptography" can be bypassed by crackers. Yet courts in the US continually hold that it is illegal to bypass DRM no matter how flimsy. Now, when personal privacy is at stake, the government is free to bypass a citizen's privacy protection software.
The great thing about standards is that there are so many to choose from.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.