U.S. Court Rules that Hashing = Searching

Really interesting post by Orin Kerr on whether, by taking hash values of someone's hard drive, the police conducted a "search":

District Court Holds that Running Hash Values on Computer Is A Search: The case is United States v. Crist, 2008 WL 4682806 (M.D.Pa. October 22 2008) (Kane, C.J.). It's a child pornography case involving a warrantless search that raises a very interesting and important question of first impression: Is running a hash a Fourth Amendment search? (For background on what a "hash" is and why it matters, see here).

First, the facts. Crist is behind on his rent payments, and his landlord starts to evict him by hiring Sell to remove Crist's belongings and throw them away. Sell comes across Crist's computer, and he hands over the computer to his friend Hipple who he knows is looking for a computer. Hipple starts to look through the files, and he comes across child pornography: Hipple freaks out and calls the police. The police then conduct a warrantless forensic examination of the computer:

In the forensic examination, Agent Buckwash used the following procedure. First, Agent Buckwash created an "MD5 hash value" of Crist's hard drive. An MD5 hash value is a unique alphanumeric representation of the data, a sort of "fingerprint" or "digital DNA." When creating the hash value, Agent Buckwash used a "software write protect" in order to ensure that "nothing can be written to that hard drive." Supp. Tr. 88. Next, he ran a virus scan, during which he identified three relatively innocuous viruses. After that, he created an "image," or exact copy, of all the data on Crist's hard drive.

Agent Buckwash then opened up the image (not the actual hard drive) in a software program called EnCase, which is the principal tool in the analysis. He explained that EnCase does not access the hard drive in the traditional manner, i.e., through the computer's operating system. Rather, EnCase "reads the hard drive itself." Supp. Tr. 102. In other words, it reads every file - bit by bit, cluster by cluster - and creates an index of the files contained on the hard drive. EnCase can, therefore, bypass user-defined passwords, "break down complex file structures for examination," and recover "deleted" files as long as those files have not been written over. Supp. Tr. 102-03.

Once in EnCase, Agent Buckwash ran a "hash value and signature analysis on all of the files on the hard drive." Supp. Tr. 89. In doing so, he was able to "fingerprint" each file in the computer. Once he generated hash values of the files, he compared those hash values to the hash values of files that are known or suspected to contain child pornography. Agent Buckwash discovered five videos containing known child pornography. Attachment 5. He discovered 171 videos containing suspected child pornography.

One of the interesting questions here is whether the search that resulted was within the scope of Hipple's private search; different courts have approached this question differently. But for now the most interesting question is whether running the hash was a Fourth Amendment search. The Court concluded that it was, and that the evidence of child pornography discovered had to be suppressed:

The Government argues that no search occurred in running the EnCase program because the agents "didn't look at any files, they simply accessed the computer." 2d Supp. Tr. 16. The Court rejects this view and finds that the "running of hash values" is a search protected by the Fourth Amendment.

Computers are composed of many compartments, among them a "hard drive," which in turn is composed of many "platters," or disks. To derive the hash values of Crist's computer, the Government physically removed the hard drive from the computer, created a duplicate image of the hard drive without physically invading it, and applied the EnCase program to each compartment, disk, file, folder, and bit. 2d Supp. Tr. 18-19. By subjecting the entire computer to a hash value analysis - every file, internet history, picture, and "buddy list" became available for Government review. Such examination constitutes a search.

I think this is generally a correct result: See my article Searches and Seizures in a Digital World, 119 Harv. L. Rev. 531 (2005), for the details. Still, given the lack of analysis here it's somewhat hard to know what to make of the decision. Which stage was the search — the creating the duplicate? The running of the hash? It's not really clear. I don't think it matters very much to this case, because the agent who got the positive hit on the hashes didn't then get a warrant. Instead, he immediately switched over to the EnCase "gallery view" function to see the images, which seems to me to be undoubtedly a search. Still, it's a really interesting question.

Posted on November 5, 2008 at 8:28 AM • 82 Comments
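An added example (not from the post, the court record or EnCase): a Python sketch of the two hash steps the opinion describes, the whole-drive MD5 that shows the evidence did not change and the per-file MD5s compared against a reference set. The image, file names, contents and reference set are constructed for illustration, and a directory stands in for the mounted image.

```python
import hashlib
import os
import tempfile


def digest_of(path, algo="md5", chunk_size=1 << 20):
    """Hash a file's raw bytes in chunks, so a large image never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:  # read-only open: analysis never writes
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def per_file_digests(root, algo="md5"):
    """One digest per file under root, keyed by path relative to root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = digest_of(full, algo)
    return out


def match_known(file_digests, known_digests):
    """Return the paths whose content digest appears in the reference set."""
    known = {d.lower() for d in known_digests}
    return sorted(p for p, d in file_digests.items() if d in known)


def run_demo():
    """Build constructed sample data and run both hash steps over it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the raw drive image.
        image = os.path.join(tmp, "drive.img")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed image bytes")

        # Constructed stand-in for the file system inside that image.
        mounted = os.path.join(tmp, "mounted")
        samples = {
            os.path.join("docs", "ledger.txt"): b"constructed rent ledger",
            "holiday.jpg": b"constructed reference item A",  # renamed copy
            "readme.txt": b"constructed readme",
        }
        for rel, data in samples.items():
            full = os.path.join(mounted, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Constructed reference set: digests of content, not of file names.
        known = {
            hashlib.md5(b"constructed reference item A").hexdigest(),
            hashlib.md5(b"constructed item not on this drive").hexdigest(),
        }

        # Step 1: whole-image digest at acquisition. It identifies the image
        # as a whole and says nothing about any individual file.
        acquired = digest_of(image)

        # Step 2: per-file digests compared against the reference set. This
        # is the step that reads every file and reports on its content.
        digests = per_file_digests(mounted)
        hits = match_known(digests, known)

        # Re-hash the image after analysis to show it was not altered.
        verified = digest_of(image)

        return {
            "image_digest": acquired,
            "image_unchanged": acquired == verified,
            "image_digest_in_known": acquired in known,
            "files_hashed": len(digests),
            "hits": hits,
        }


if __name__ == "__main__":
    print(run_demo())
```

The renamed file still matches because the digest covers content only; the whole-image digest matches nothing in the reference set.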

Comments

Calum • November 5, 2008 8:38 AM

I just don't get this story at all. Once the guy has called the cops and cried CP, the cops surely shouldn't have a problem getting a warrant, etc, to examine the hard drive? Why was this elaborate charade necessary?

Carlo Graziani • November 5, 2008 9:05 AM

I have a hard time understanding how running a hash to attach a unique identifier to each file could possibly _not_ be viewed as a search. If that identifier can be compared to hash IDs of known CP files, then the fact that the files were not viewed directly cannot possibly be material. It sounds like a procedure designed to perform an end-run around inconvenient legal evidentiary burdens. My guess is that the court realized the cops were trying to pull a fast one, and was not amused.

paul • November 5, 2008 9:11 AM

I'm wondering about what other activities involving someone's disk or other storage wouldn't be considered a search. Presumably the mere bit-image copying isn't a search, any more than it would be a search to simply take the contents of a file cabinet and remove it to a secure location for storage. But once you start doing things that involve reading the data on the disk and executing conditionals based on that disk, it seems you've entered the "probably a search" territory.

If hash values weren't considered a search, it would be pretty easy to create hashing algorithms for things like "does the following text string appear in the file, either compressed or uncompressed?" and start running against a dictionary-exhausting list of hashes...

Ben • November 5, 2008 9:13 AM

There are a couple things to remember with this case...
1) The computer in question was in dispute, seized by the landlord as compensation for late rent. The landlord turned the machine over to the police, and the police never sought a warrant, even though the machine was effectively stolen. They may have mistakenly believed they were authorized by the landlord to search it without a warrant, but this would not be a correct read on things. I believe there was also a charge of theft filed by the owner.
2) To be clear, the search was a result of comparing individual file hashes against known "bad file" hashes. The search was not a result of taking a hash of the whole disk.
3) The really interesting thing here is that the police did their analysis on a drive image - which itself could have been thrown out as seized inappropriately, again because of a lack of warrant.

JH • November 5, 2008 9:14 AM

I don't really see the relevance of asking 'at what stage was the search'. Would you ask the same question of a physical search - the opening of the door? The stepping through the door? The lifting of the mattress? Moving the eyes in order to look under the mattress?

Who cares? The aggregate activity constitutes a search.

If it does matter though, I would say that running the virus scan constituted a search (albeit a search for a different thing), and the hashing definitely constitutes a search.

Randy • November 5, 2008 9:17 AM

2 items of note here.

1 - a search is a search is a search. It is irrational to think that anyone can find a value for comparison without doing a search. The only way that hash was found was a search. period. I think it is a good sign that the court realizes this basic fact and ruled in this manner.

2 - I hate to see a person engaged in child porn get off. We as a society need to ensure our police forces have the tools and processes to do the work in a legally defensible manner.

denis bider • November 5, 2008 9:23 AM

Agree with Randy. "Interacting with stuff" is how you conduct a search. Any kind of search.

Perhaps the police didn't think to bother with a warrant because Hipple gave them access to the computer, but they didn't consider that they needed a warrant anyway because it was Crist's to begin with?

Carlo Graziani • November 5, 2008 9:24 AM

If I may be forgiven a smug Linux geek moment, the tone of technological awe that suffuses the description of the analysis procedure and the magic of EnCase dissipates a little when translated into what a competent Linux/Unix sysadmin would naturally do if asked to non-invasively analyze that drive.

"Software write protect" is a fancy way of saying "mount read-only". The virus scan is irrelevant to the analysis, and in all likelihood is merely a defensive measure to protect the analyzing Windows machine. "Bit-by-bit copy" :== "Used dd". "Break down complex file structures for examination" :== "Examine the inode table". "Recover deleted files" :== "Run 'strings' on unallocated disk clusters". The operation of making an MD5 hash list of every file requires probably a 20 line shell script to run for a couple of hours.

But wrap that stuff in a shiny GUI that runs on Windows and you can print your own money. Go figure.

Hawke • November 5, 2008 9:29 AM

"A hard drive is not analogous to an individual disk. Rather, a hard drive is comprised of many platters, or magnetic data storage units, mounted together. Each platter, as opposed to the hard drive in its entirety, is analogous to a single disk as discussed in Runyan. As such, the EnCase search implicates Crist’s Fourth Amendment rights."

What?!

Is it just me, or is this bad precedent based on a misunderstanding of technology?

greg • November 5, 2008 9:34 AM

I see a lot of claims of what's rational and irrational.

The Judge is the judge is the judge. Rational thinking has not always been the top of the list of judge traits. In fact when it comes to computers and the internet they seem to try to be uneducated and ignorant about the whole thing.

Colossal Squid • November 5, 2008 9:40 AM

If they're using MD5 for the hashing wouldn't collisions be an issue?
And what is 'suspected child pornography' in this context?

Calum • November 5, 2008 9:41 AM

I'll try to explain myself a little more clearly. When you go to a cop and say, I currently have this guy's computer, and I've just found some child pornography on it, then that cop should have no problem getting a warrant to search that computer.

JP • November 5, 2008 9:43 AM

Carlo:
Actually, I think "break down complex file structures" is examining files contained within, for example, archives. Generally "recover deleted files" does a bit more than strings does, as it includes orphaned entries in the MFT and pattern-matching for file data beyond strings. (As far as free software goes, I think hachoir does both of these operations.)

David Harper • November 5, 2008 9:46 AM

@Carlo Graziani: "The operation of making an MD5 hash list of every file requires probably a 20 line shell script to run for a couple of hours."

Actually, it's a Unix one-liner:

find / -type f -exec md5sum {} \;

... and sit back and wait.

o.s. • November 5, 2008 9:52 AM

Bruce you asked:
"Still, given the lack of analysis here it's somewhat hard to know what to make of the decision. Which stage was the search — the creating the duplicate? The running of the hash? It's not really clear."

However, it's clear that from this statement:
"To derive the hash values of Crist's computer, the Government physically removed the hard drive from the computer, "
that physically removing the hard drive for analysis constitutes a search. I don't defend the pedo though.

Jason • November 5, 2008 9:55 AM

I was under the impression that for child pornography, you are supposed to turn it over to the FBI immediately and let them investigate it.

Also, how can they run a virus scan *before* creating their image and still consider the image representative of the original system?

Also, if they are running the image (using LiveView or something) then they are dumb.
Why would that be any part of your first steps?
Run the hashes as a discovery. You discover they probably have child porn. You go to a judge or hand it to the FBI, right? You certainly don't open the files up and look at them yourself. That's enough to get you arrested.

mckt • November 5, 2008 10:31 AM

The summaries I'd seen of the story made me think that just hashing the hard drive was considered a search. Now that I've read into it, this seems rather obvious- investigators cataloged all the files on the drive, then checked the content of those files to see if it was known to be illegal content.

Yep, that sounds like a search to me.

mckt • November 5, 2008 10:39 AM

@Jason: Also, if they are running the image (using LiveView or something) then they are dumb.
Why would that be any part of your first steps?

I am not a pro forensic investigator, but I imagine it'd be useful to know whether the drive was loaded with malware in court. The accused may claim "My computer was zombied, I didn't download that content" or something to that effect (though I don't know if that would help legally).

Mac • November 5, 2008 10:39 AM

It's unconscionable that the cop didn't get a warrant. It would have been very easy and relatively quick. He ruined a case because of his inattention to common details of investigation. All responsibility rides on his shoulders.

Honest tenant • November 5, 2008 10:43 AM


This evidence was, from the sound of it, illegally obtained from the beginning, though.

Even if the landlord legally seized the computer (which, knowing landlords, I doubt,) he must not be permitted to access the information on the hard drive.

That's ridiculous, what this really comes down to is that landlords need to stop being given special privileges to recover debts. They need to get in line and do things legally like anyone else who is owed money.

Imagine if anyone who owed anyone any money was susceptible to having their computer seized and searched without notice! That'd be a handy bludgeon for the government - Got student debt? Better do as we say, because we seized your computer when you weren't looking, searched it and gave it back. We Know.

Spenny • November 5, 2008 10:51 AM

Carlo, following forensic procedure is crucial when performing e-discovery. The forensic examiner must follow specific steps to ensure the information gathered will be accepted by the courts. By using court-approved commercial software the forensic examiner's steps are recorded in the logs, and all the methods used by Encase are more-or-less pre-approved and better understood by the judge. It's true that most of the tools in Linux can achieve the same end results, but because the software can be manipulated and it hasn't been vetted by the courts then its validity comes into question. Using commercial software assures the courts that the proper technical steps were followed and the data is presented in a pretty report format that they've seen before. I've performed e-discovery using several commercial and open-sourced applications, and the commercial ones have features that help the examiner avoid small-but-disastrous mistakes. I personally wouldn't use open-source software for this case as the stakes are high and I don't want my tools coming into question. Unfortunately no software can force the investigator to follow the proper legal procedure of getting a warrant. What a bonehead!

bitmonger • November 5, 2008 10:53 AM

I don't understand how the computer should be handled in this case.

Who owned it?

If it was stolen by the landlord and given to someone who didn't know it was stolen who told the police it had child porn on it? Is the evidence of the search valid? If the cops thought it was stolen is it valid? If the cops thought it wasn't, but later understood it was?

In this case, the landlord didn't directly provide access, but he gave it to another party who did.

If they needed to break the encryption on files within this computer would it still have been valid even if the current owner didn't have those keys / passwords ?

What if the evidence in question was in plain sight? It sounds like the guy turned in the computer because he saw questionable porn. Did he have to root the box? Or did it just boot up and log in automatically? If he did root the box and it was not the cops, and he was under the impression it was his property? (Does that make the evidence ok?) Was the data ever in plain sight? Does it matter if they used an encase search instead of actually *looking* at what might have been in plain sight?

I think the method of encase hash comparison seems to be completely irrelevant. Yes, this is a search ~duh~. What else would you call it? If courts haven't completely figured that out I hope they do soon.

The hash argument is only a technical detail

(Although md5 is awful for an evidence database. I suppose it works as a first pass, but I could see complex _probably_ unrealistic scenarios where evidence was lost or destroyed and "fake" child porn could have been planted)

My question is was the data in plain sight? If the cops knocked on his door and he answered and had kiddie porn plastered to his wall visible from the threshold. That is plain sight. No warrant needed, right? If they then illegally searched his apartment and found no other porn than that bit plastered to the wall. Well, can they use that bit even if the search was illegal because it was in plain sight, right? _If_ using encase was an illegal search? Do we still need to establish if what they found was in plain sight?

Did the officers see anything _before_ the encase analysis?

Basically...
Was the data in plain sight here?
What is the standard for a computer?
Turning it on?
Logging in?
Moving the mouse to eliminate the screensaver??
Files in one's home directory, a download folder,
Opened/displayed files?

Is this established at all ?

Garick

Mikey • November 5, 2008 11:01 AM

The computer may not have been 'stolen' at all. Many state laws allow the landlord to seize tenant's property if the tenant is being evicted.

If the landlord did, in fact, follow state law when he took the computer, it certainly could have legally been his computer, which he legally gave to his friend, who as the owner could give legal consent to the police to have it searched without a warrant.

Carlo Graziani • November 5, 2008 11:02 AM

Thanks, Spenny. I'm glad I posted a bit of under-informed blowhardism, since the result has been to bring out some actual expertise.

ed • November 5, 2008 11:04 AM

I don't see how this CAN'T have been a search. At some point, the suspect's hard drive was read. That's a verb: to read. If you read something, it's the first step in a search.

The second part of a search is comparing what you read against a pattern of what you're looking for. That's what a hash is: a pattern that represents what you're looking for.

Bits are representations. If they weren't, then digital pictures of naked kids wouldn't be illegal. They'd only become illegal if you printed them on paper. Until they became ink on paper, it's all just electronic representation.

anonymous canuck • November 5, 2008 11:09 AM

@carlo - Encase does a lot more than you explain. It manages the case and custody issues. In court it can mean the difference between the competent unix person's evidence being thrown out and the evidence of the less technical but more procedurally equipped. Most unix people are not trained in chain of evidence (also under current laws making the rounds LE is closing the shop on forensics) so unless you're a PI too you don't even get in the door.

@Ben - they do their work on an image because that's how they can preserve the chain of evidence and ensure that they can repeat the analysis.

@Jason - They did the virus check under write protect. Also the initial checksum was probably to allow them to show that the disk did not change during handling. Stops defence arguments quickly.

Also, I suspect the person using the machine that found the stuff was poking around. If the file names were not blatantly CP why wouldn't he open them. Perhaps he thought he found some legit porn. Hopefully he didn't open all of them and taint the evidence.

@hawke - that bit about platters and disks is just weird. You could have fun trying to counter architect some solution ... but I digress.

@all - Right call but I really hate seeing people get off because a simple procedure was not followed. How hard could this warrant have been? Really? Even if the person in possession was not-legally in possession, the cops take tips from criminals all the time. They were literally handed what should have been close to an open and shut case and fumbled. *censored*!

JustSomeGuy • November 5, 2008 11:21 AM

I think the police/DA did the world a favor. Intentionally or not, they used a bad case to test a court and find out the limits of what does and does not constitute a search.

The PC was contaminated: Seth Hipple had it for days, admitted to using it, deleted files, etc. Seth's possession may or may not have been of stolen property. Either way, that case was a lost cause without a confession.

If the DA had dropped it, this line in the sand would not have been drawn.

Another case, one without tainted evidence, could have been jeopardized because police didn't know to stop before getting and comparing hashes.

DA tried their best to go after child porn. Police are better aware of 4th amendment rights. Yeah, the child porn guy walks, but he was going to anyhow through no fault of the police/DA.

Sounds like the best outcome possible given the circumstances.

bitmonger • November 5, 2008 11:30 AM

I'm reading the ruling. It looks like a good one. I still have some unanswered questions, but it sounds like the decision is the police need a warrant to search significantly more than what others have discovered if it had not been abandoned. They found it was not. They also found the landlord had not done things right (given notice, etc... )

If they had searched to a similar extent the person who discovered the files, which I suppose might be in this case might be to examine files in that folder perhaps that would have been admissible. (I am ignoring tainting issues for the purpose of this discussion) They should have gotten a warrant to do an extensive search. It's not that hard.

gxti • November 5, 2008 11:44 AM

Taking a hash of the entire disk should be legally equivalent to making an image of the disk. Both can be used as a way to prove that the disk has not been tampered with without necessarily inspecting its contents. In fact, I would trust the digest more in that regard since it could be stored somewhere more secure than the contents themselves (it is much smaller and can be printed to hard copy) and revalidated once a warrant is obtained, though the image would become very important if the disk did end up being modified (otherwise the original contents are gone and the police have no evidence).

As for whether hashing and/or imaging a disk constitutes a search, it seems that it would not since no contents are inspected, but it takes a great deal of faith to trust that the individual making a copy of the disk will not then inspect its contents. Perhaps there is equipment used to enforce this, e.g. a machine which is used on disks obtained as evidence that copies them but does not give access to the contents until authorization is given.

Tony • November 5, 2008 12:38 PM

An automated search is still a search.

If the judge had ruled that this wasn't a search, he'd presumably have to rule the same way for the following scenario:

Police drop a small autonomous robot into a house through an open window. The robot has a camera and some image analysis software that identifies objects. When the robot exits the house it signals whether any objects were seen that match a list of suspicious objects.

Stephen • November 5, 2008 12:39 PM

Interestingly, whether Hipple's search was legal or not is irrelevant; all that matters is that the police performed a _more invasive_ search than Hipple did. If he had broken into Crist's house, found the kiddie porn, and reported it, there would have been no legal difference.

While I unfortunately must agree the search was unlawful, the logic that the court uses is deeply flawed. Basically, they argued that each platter in the drive was a closed container and that any searching of platters other than the ones Hipple searched was unreasonable. That's nuts, and should be torn apart on appeal.

However, later arguments seem to support the view that each file is a "container", and Hipple searching five files does not breach the expectation of privacy as to the other files. _That_ makes sense.

The court also made a point to smack down certain exclusions because the police had ample opportunity to obtain a warrant before conducting their search. _Any_ judge would have signed one based on Hipple's statements as to what he found, but they just didn't bother trying.

I wonder; since Crist's admission was _not_ suppressed, can they now use that to get a warrant and reintroduce the computer's contents as "inevitable discovery", or will the computer's contents remain "fruit of the poisoned tree"?

++Don • November 5, 2008 1:07 PM

I've read a longer version of this story somewhere (don't remember the link), and the gist of the government's argument is this: the protections afforded by the Fourth Amendment do not extend to contraband. This has been established in court cases involving drug-sniffing dogs. Since the dogs only alert when contraband is present, if they do alert on your property then you have no Fourth Amendment protection. Therefore law enforcement can search your property without a warrant to find the contraband.

The analogy they're trying to draw here is that hashing the files on the hard drive and comparing those hashes against known child porn is analogous to using drug dogs: it only signals a hit when contraband is found, therefore it does not violate the Fourth Amendment.

I personally disagree with the notion that the Fourth Amendment doesn't apply to contraband. The text certainly doesn't say that. But even if you accept the "drug dog" exception, drug dogs are passive detectors of odors given off by whatever material they're trained to detect. They don't open up and actively search the property under scrutiny. I can accept the notion that you have no right to privacy for odors that your property is emitting into the public air. But that's not what happens when you hash every single file on a hard drive and compare them against a list of contraband hashes.

The author of the article I read was concerned about how technology is giving us this sort of targeted search technology for all sorts of things, and therefore we will be subjected to more and more warrantless searches. I can't say that I disagree.

Pat Cahalan • November 5, 2008 1:13 PM

@ Randy

> I hate to see a person engaged in child porn get off

We don't know that this person was engaged in child porn trafficking... because...

@ Carlo

> The virus scan is irrelevant to the analysis

No, the virus scan (or, more importantly, a real, full-blown analysis of the operating system's integrity) is very relevant to the analysis.

A virus-ridden machine is very likely to be rootkitted, which in turn implies that the user is not necessarily the creator of any of the files on the machine. Since child porn distributors are known to use botnets, this may be a simple case of "somebody's machine wasn't updated and it was hacked".

kangaro • November 5, 2008 1:30 PM

mckt: The accused may claim "My computer was zombied, I didn't download that content" or something to that effect (though I don't know if that would help legally).

IANAL, but I do know that for most crimes, "mens rea" is required -- in English, intent. You can't be guilty of child porn because someone broke into your house and hid photos in your attic.

Devils Advocate • November 5, 2008 1:30 PM

Who's to say that the landlord and his friend didn't conspire to load the tenant's computer with kiddie porn?

kangaro • November 5, 2008 1:34 PM

Stephen: While I unfortunately must agree the search was unlawful, the logic that the court uses is deeply flawed.

But isn't that the "logic" that the courts always use, because of the intellectually deeply flawed concept of "stare decisis" -- that because a historical decision was made (in this case about floppies), it must stand even if it makes no sense at all -- at least until they decide that they can no longer rationalize around it?

"The Law" bites -- its intellectual foundations are centimeters deep.

webbnh • November 5, 2008 1:35 PM

The use of hashing for searching seems like a huge boon to those trying to hide things.

If you are dealing in digital contraband, the first thing you do on receipt is to change some innocuous bit or byte of it and destroy the original. The last thing you do before passing it on to someone is to change it again.

The result is that the file will not be found on your disk (or traced back to you) by a simple hash value comparison.

This approach is limited only by the number of "innocuous" bits in the file (and the ability to change them uniquely). With something like an image or video, nearly every bit is innocuous (who is going to notice if a single pixel (of a single frame) is the "wrong" color?). And, if you run out of innocuous bits, you can presumably just add more to the end of the file.

Shane • November 5, 2008 1:40 PM

@Calum, Stephen (re: warrants)

Whether or not it is legal reality, I find the concept that a man who has unlawfully obtained the property of another (morally sound reasoning or not) can simply cry 'Child Pr0n' and get a cop his search warrant incredibly disturbing.

Clearly, if the cops are using BS tech. loopholes to perform warrantless searches of someone's computer, but need only obtain a single witness statement regarding questionable content on said computer to legitimately (and as people put it, easily) obtain a search warrant, it's fairly obvious that finding someone to cry wolf would be a non-issue for a cop, esp. with a convicted criminal needing a deal.

I find that pretty disturbing I guess, but what can you do?

And, while I'm here, I'll just say that I do sincerely empathize with the bleeding hearts over issues regarding child pornography and sexual predators, but the national media and the FUD administration is really knocking these as far out of the park as they did terrorism. These types of issues, to me, truly emphasize people's collective historical ignorance, obviously not taking any lessons away from the McCarthy years, let alone some of the police-state atrocities committed abroad.

I'm glad the courts have maintained enough integrity to hold onto our checks and balances regarding (heh, at least 'physical' search) warrants even in the face of one of the new boogymen out there. I just hope it lasts... FUD campaigns of late have really seemed to do well at wearing down the masses enough to keep squeezing in the little bits of legislation that continue to dismantle our civil rights, without realizing that they are slowly but surely destroying the foundations and integrity of our country, with as much ignorant denial as the pre-millennium global warming debates. And much like global warming, I worry the administration isn't gonna wake up in time to save us from itself.

Although, with Obama.... I actually have hope. For the first time as an adult US citizen, I actually have some newfound faith in my government. FISA aside, anyhow...

Bernie • November 5, 2008 1:51 PM

Two points of info:

(1) Bruce did not comment on this other than the first sentence at the beginning of the post. The indentation may be hard to follow (or incorrectly rendered). Most of Bruce's post is a quote.

(2) A hash cannot prove that a file/disk was not changed; it can prove that a file/disk was changed. That is, if the before and after hash values agree, the file/disk might or might not have been changed. If the before and after hash values disagree, then the file/disk was definitely changed.

Stephen • November 5, 2008 1:58 PM

@Shane: I find it somewhat disturbing as well, but that is why there is a (supposedly) neutral judge evaluating whether there is probable cause for a warrant. It has long been held, even in physical searches, that a private citizen's unlawful acts or untruthful statements do not invalidate a properly issued warrant. All that is up for debate here are warrantless searches, and IMHO the precedent in this case is a good one: cops cannot expand the scope of a (possibly unlawful) private search without a warrant -- but they can use the results of a limited search to get the warrant they need. If you think the check provided by the judge is insufficient, remember that next time at the polls and get better judges in office.

anonymous canuck • November 5, 2008 2:01 PM

@Shane - unfortunately the counter ploy seems to work very well for abusers.

An acquaintance is currently going through hell because their kid (11-12yrs) finally broke down and fought back over playground bullying.

The bullies got the cops involved. He was arrested at school and cuffed (the event did not happen at school or on school property). Has been charged with theft (we have no idea what of). Has to attend another school. Can't go on his old school property. Can't go near the bullies (yet they it would seem can approach him). The parents who are new to Canada are having a terrible time finding out anything, have hired a lawyer. And the parents of the bullies are nowhere to be seen or heard.

Unless the cops are sitting on something huge that nobody is aware of, then this is absurd. Disgusting. Whatever happened to presumption of innocence?

I just hope there is some serious recompense for false accusations.

Trey • November 5, 2008 2:24 PM

I think that when data is analyzed, it is searched. Obtaining or duplicating data is not a search, generating hashes of data is not a search. Comparing data hash values to known hash values is a search. It is an examination of existing data values against known data values, which clearly requires searching.

With that said, it is unfortunate that this guy will get away with this crime.

Davi Ottenheimer • November 5, 2008 2:44 PM

Yes, an interesting question. If I use digital surveillance to view into your home, am I searching it? What if the digital surveillance system is designed to only identify movement, or a particular color/shape/shade? Is that a search?

Clive Robinson • November 5, 2008 4:09 PM

Ignoring the content of the files in question for now (as it's not actually relevant).

Crist's machine was taken from him by the landlord.

At that point the case effectively ended as the required evidentiary chain was broken.

All Crist should have said is, "the computer has been out of my possession so I can not tell you what is on it".

At that point the case would have been over unless the Police could establish beyond doubt that one or more pieces of contraband had got on Crist's computer whilst it was provably in his possession only.

And with a little bit of thought you will realise that that is an almost impossible thing to prove beyond reasonable doubt.

Further I'm getting very tired of hearing about EnCase and its abilities. The simple fact is that malware has progressed considerably beyond its meager capabilities.

To be blunt there are probably more unknown rootkits and malware out there, than there are known. Therefore a passive scan will not really help you find them (other than to show there are unknown files or files with unknown content).

The only way to say for sure that there is not currently a root kit on a passive scan is to 100% identify every file and its contents which is really only possible for a fresh install of known software, that in turn has been 100% verified as being root kit free...

Then again why bother installing a rootkit... If you have an unknown back door you can quietly use it to your heart's content and clean up behind yourself after each access. If you keep a careful eye on patches and updates you will know ahead of most others if your backdoor has been discovered. And it is then up to you to put a rootkit in before the owner patches (if they ever do).

And importantly do you actually need to install a root kit any way? It is a bit "old hat" installing other software such as P2P software might be just as useful and as most users do not really put good passwords on their computers the chances are you will find out their password and then you can have some fun at the owner's expense...

Finally getting back to the contraband files content, I'm a little puzzled by the extent (or lack of) the contraband files. From what has been reported about others most people of this nature have hundreds if not tens of thousands of images etc stored away.

The whole thing as presented is to put it mildly a little bit fishy.

Stephen • November 5, 2008 5:40 PM

@Clive: Except that Crist admitted during questioning that the files were his, which re-establishes the culpability. Also, the police _did_ find thousands of kiddie porn files on the computer; only five of them might end up being admissible, though, since those are the only ones Hipple saw. Still, one file is enough to put this sicko away for a long, long time.

Peter • November 5, 2008 5:54 PM

Putting aside the very serious nature of the crime and the apparent mistakes in the investigation - I think the legal issue of what constitutes a search in this sort of scenario deserves attention.

If an example can be drawn, in the UK if a police officer wants to search you, then they have to tell you under what legal right the search will be performed (usually requiring the officer to have a legitimate suspicion that you are committing a crime, carrying a weapon or drugs, etc). Without that they cannot look into your bag or coat for example.

Now, if in a generic situation a computer is even accessed by a police officer, should that not in itself constitute a search regardless of the activity performed? They wouldn't be able to get away with looking through your bag and then saying that because they only wrote down a list of the items in your bag it didn't constitute a search.

herndongeezer • November 5, 2008 6:21 PM

It would be instructive to have someone like Orin Kerr comment, but I think there is a serious chain of custody issue. Landlord, or his/her agent turned computer over to friend who turned it over to police. Chain apparently broken. But again, it would take someone like Orin to comment more intelligently.

Hellfire • November 5, 2008 8:30 PM

In my opinion, it seems to me that by hashing data, you are in a way, looking at the data, and discarding it right away. I think that any time a police officer directs a hard drive or computer system to pull a bit off of the platter, that should constitute a search.

I don't like the idea that a search only involves a person actually looking at the data. That could open a can of worms, since then it could be argued that any automated "search" isn't really a search. For example, couldn't you then argue that if the government piped all of our internet traffic through monitoring servers that automatically flagged data for review that that wouldn't be a search since no person is involved?

Clive Robinson • November 5, 2008 10:29 PM

@ Stephen,

"Also, the police _did_ find thousands of kiddie porn files on the computer;"

I do not know what additional information you have but from Orin Kerr's blog post,

"Agent Buckwash discovered five videos containing known child pornography. Attachment 5. He discovered 171 videos containing suspected child pornography."

Which does not sound like the "thousands of kiddie porn files" you say.

If you look at my post I actually made a comment to that effect indicating that the number reported was not in the range expected.

Further having not been privy to additional information I was careful to note,

"The whole thing as presented is to put it mildly a little bit fishy."

Also I am not aware from the blog posting that,

"... Crist admitted during questioning that the files were his, which re-establishes the culpability."

And I would be very cautious of such without it being in the full context.

In the U.K. we currently do not have a plea bargaining system and officers of the law are not supposed to lie to suspects, neither of which is true of the US system.

However not having such freedom has not stopped various UK police officers not only doing both but further presenting false evidence in court on several UK child pornography cases (read background about Operation Ore and the presentation of false evidence in court, that was supposedly supplied by US officials, and the deliberate withholding of evidence about the reliability of the evidence presented).

Operation Ore also appears to have caused a number of false convictions (currently going through the appeals process) as well as causing several others to commit suicide, all on dubious evidence supplied from the US. It has caused a number of experts in the field to remark that far from being a spearhead towards "child protection" in the UK it has probably done considerably more harm than good.

Which is one of the reasons I'm a little cautious when it comes to the very emotive subject of "child pornography" and computers.

Another is that there have been several reported cases of faults in computer software leading to criminals downloading files of a sexual nature onto people's computers and then attempting to blackmail the computer owner/user.

As in this case not knowing the facts or only having limited information leads to people making assumptions based on their emotional reaction to the supposed nature of the crime being investigated which is not likely to result in reasoned argument or justice.

Stephen • November 6, 2008 12:14 AM

@Clive: On page 5 of the ruling, a few paragraphs after the 176 kiddie porn videos, we see "Ultimately, he discovered almost 1600 images of child pornography or suspected child pornography." Perhaps "thousands" for 1600 is a slight exaggeration, but it puts it in the expected range.

Then on page six, it says "Crist admitted that he had put the files on the computer." That's going to seal his fate, because it establishes his guilt, whether all the files end up admissible or just the five that Hipple saw.

Clive Robinson • November 6, 2008 4:52 AM

@ Stephen,

I've yet to read the full text of the ruling due to two annoying facts,

1, my mobile does not support PDFs (or the download / storage of them).
2, The domain "http://volokh.com/" is blocked from the other account I have at my disposal (something to do with content blocking).

Which makes getting at more of the details not possible currently 8(

However I am very curious as to how the admission came about. And if it was a damning admission why on earth the admissibility of evidence is being argued (unless the rules of evidence in the US preclude the sole use of a confession as a determinator of guilt).

Rich B • November 6, 2008 5:10 AM

The police forensics person/crew had a thought-out procedure for accessing the disk. Shouldn't there have been a legal person/crew on hand with a thought-out procedure for getting a warrant in time?

Dennis • November 6, 2008 9:23 AM

If looking at something constitutes a 'search' then why would 'eye-witness' testimony be accepted without a warrant?

I'm sorry for being cynical, but if you don't have anything to hide, then why do you care if the police have a warrant or not?

paul • November 6, 2008 9:46 AM

@++Don:

The drug-sniffing dog principle is kinda difficult to stretch this far, don't you think? If the dog alerted outside someone's door, that could be probable cause for an entry (or maybe not). But the police don't get to break down your door, stand outside and watch the dog chewing open your sofa cushions or pawing open your refrigerator and biting open sealed containers, and then claim they were just following the dog's lead.

Perhaps a better analogy would be the rulings that thermal-infrared "searches" of property can't be conducted without a warrant, even though that information is as much in plain view as you could want, if only you could see it...

Stephen • November 6, 2008 11:15 AM

@Dennis: A warrant is not required for anything in "plain sight" because there is no "reasonable expectation of privacy". And, the reason people care about warrants is that they (or are at least supposed to) act as a check on police harassing the innocent.

fuchikoma • November 6, 2008 11:22 AM

Calum, that's exactly it. Legally this case went exactly as it should. The cops screwed up big-time and SHOULD HAVE got a warrant first!

But that is absolutely a search, far more invasive than any physical search, even if only hashes were compared. You can't just kick down doors and start tearing homes apart because you have a hunch. Then, it's very hard not to get a warrant for this kind of thing when asking for it properly.

If it's any consolation, the guy's name is out there so he's surely ruined anyhow, even if allowed to continue operating.

Clive Robinson • November 6, 2008 12:14 PM

@ ++Don, paul,

"The drug-sniffing dog principle is kinda difficult to stretch this far, don't you think?"

It is and I suspect in this case also not particularly relevant.

It revolves more around Crist's "reasonable expectation of privacy".

The state is assumed to have what are for practical purposes "limitless power" and the reason behind warrants is to provide oversight on the power of the police.

As an individual you are in many ways not restrained from breaching another's expectation of privacy, except by the measures they put in place...

As an example you find a briefcase on the ground you open it up and start looking through the documents inside. Supposedly to see if you can identify the owner, but probably out of "monkey curiosity" as well.

Now have you done anything wrong, well it depends on many things but if it was not in a truly public place or you broke a lock or unzipped a closed section of the briefcase etc etc have you gone too far? And importantly at what point?

Then as you draw documents into plain sight and look at them they are effectively no longer private. But at what point is privacy lost?

And what of any other documents you have not actually read? Does opening the briefcase render them all public? What about those in zipped up sections?

Now what if you have taken the documents out put them on a photo copier and replaced the originals without looking at them? No information has been disclosed from them at this point but they have been duplicated what is the expectation of privacy?

The Judge with her odd phrasing of a computer was trying to bring the computer its hard drive and the files and their contents into the same perspective as the brief case.

That is she was saying the only files that Agent Buckwash should have accessed were those that Hipple had accessed and no more (ie she was working at the individual file level) the state however were trying to argue that once Hipple had accessed the computer then its entire contents had been subject to public gaze and were therefore in "plain sight" for which the agent did not require a warrant.

What makes it more complicated was that Hipple had apparently deleted the files he had viewed...

Oops now it gets worse, did the fact that Hipple had consciously "destroyed" the evidence put it out of "public sight" and by recovering the file did the agent actually perform a process beyond that most people would regard as "simply looking at what was in public".

The whole thing is messy on many many levels and is very likely to get pushed around various courts.

My own personal take is that when the agent copied the hard drive he had made an illegal copy of the drive and had breached not only Crist's expectations of privacy but also copyright law and a few other laws as well. Two wrongs do not make a right especially when there is a known and well understood procedure that should have been followed.

Further I have never bought into the theory that a Government has a "right to indiscriminately spy on people or their proxies for the supposed greater good".

Nor have I bought into the idea that trained agents of the Government make "honest mistakes".

I as an individual have no right of defence due to ignorance so why should a Government argue that it has?

It is because of this well recognised need for oversight and the curbing of power that warrants exist. As such the process should be respected not just in the letter but the spirit of the law.

Andrew • November 6, 2008 1:30 PM

@Tony: Good point re: the autonomous robot "doing" the search...

To get old school for a second, I'd also offer that putting a K9 through the window and having it alert on drugs would be an equivalent search. Just because the cop isn't the one doing the search doesn't mean it's not a search!

BruceA • November 6, 2008 3:06 PM

As Mikey points out above:

>If the landlord did, in fact, follow state law when he took the computer, it certainly could have legally been his computer, which he legally gave to his friend, who as the owner could give legal consent to the police to have it searched without a warrant.

I'm curious, though: If the landlord legally took possession of the computer, doesn't the porn become his too?

ed • November 6, 2008 5:15 PM

@Andrew
"To get old school for a second, I'd also offer that putting a K9 through the window and having it alert on drugs would be an equivalent search. Just because the cop isn't the one doing the search doesn't mean it's not a search!"

Most (maybe even all) K9s are, in fact, police officers. They are deputized or whatever, which is one of the reasons their "testimony" is considered differently than another random dog, however trained.

There are also laws about killing or injuring K9s that are derived from their being considered law officers.

Slarty • November 6, 2008 9:01 PM

The US rules of evidence constantly baffle me: luckily most countries aren't so extreme.

The guy who "owned" the machine at the time gave free access - no warrant was required.

If you sell your car and forget to take the gun out from under the seat, the person you sell it to is quite within their rights to drive it to a police station and ask an officer to remove it (I use this example because it happened to me!).

What this sort of nonsense must do to the people's trust in the justice system...

Stefan W. • November 6, 2008 9:04 PM

Taking a hash of the entire drive isn't a search, but taking it on all the files to compare them with a list is.

Taking a nose full of a white powder to test if it is cocaine is searching for cocaine.
Putting the white powder under a spectrograph, and comparing that graph with the graph of cocaine is a search as well.

I'm not that familiar with US-law. In Germany, we don't have the rule of poisoned fruit, so the search might be illegal, but the result is used anyway.
On the other side, the landlord would not have gained access to private data. Your data privacy protection is - well - absent, missing.

greg • November 7, 2008 3:33 AM

It's an interesting discussion. I have one point to note on the "child pron" problem. Everyone is quick to condemn the accused without any real context even here.

Ask yourself this, what is kiddie porn as per the legal definition. Well it's anyone underage in many countries. In many countries that's 18. So they could be viewing some 17 year old with DD bra etc and they get plastered with kiddie porn label. Clearly this is not so kiddie....

Also different countries have very different definitions. Some countries anyone that looks like a minor -- well that's kinda subjective especially when we consider the differences in race. Others include deliberate depiction of underage aka junior high students even if the actors are of legal age.... Some places ban toons, others do not.

Now add media misrepresentation.

A good example is in NZ where a picture of a man with a pedophile headline and next was a picture of some 5 year old girls going to school. There was no caption for the school girls and was in fact unrelated to the story. It turned out he slept with a girl he met at a pub and at the time you had to be 20 to even get into a pub. But the girl was 15. He was found innocent because there was no reasonable way for him to know that she was underage.

Yet everyone still remembers that front page presentation of the "facts".

Innocent until proven otherwise is not just some simple ideal that judges should do. We must all do it. We must not judge unless we are part of the jury, we should not should about "getting off on a technicality" ever. The idea of improper search etc is about the fact that these people *are* innocent.

There are other countries with alternative guilty until proven innocent system. Almost no one gets found innocent of course. But please go and live there if that's what you want, and let us get back to innocent until proven otherwise.

In this case just about everyone involved was sloppy to say the least. More than 2 different people have accessed the machine, there is no real chain of evidence... It's a long list of botch ups. If this is the quality of evidence that's permissible the idea of *proven* or beyond reasonable doubt is out the door.

Phil M • November 7, 2008 3:49 AM

Consider a couple situations that are effectively very similar to what Bruce described but that avoid all the distracting computer-talk:

What if the police, based on a similar tip, entered someone's home, blindfolded with a camcorder running, and videotaped the contents of the home, then left and took the recording elsewhere and used a machine running some kind of pattern-matching software (or communicating with some remote pattern-matching humans) to determine whether the data on the video tape (which was only a copy of the many containers of things in the home) appeared to match known-criminal scenes? Would that be a search? If so, which stage was the search -- the blind videotaping? The analysis of the tape?

What if they instead used a periscope to get a copy of the house's contents without looking at the copy or modifying the contents and had trained monkeys looking through the periscope and describing, in some kind of one-way monkey summary (sort of a fingerprint of the scene), various things in the home to a second group of monkeys who were trained to remember the monkey-summaries of views of crime scenes and alert on any matches. Would that be a search? If so, which stage was the search -- the monkeys looking through periscopes and relaying what they saw to other monkeys? The other monkeys comparing the scene fingerprints to known-bad scenes?

Clive Robinson • November 7, 2008 7:33 AM

@ greg,

"Innocent until proven otherwise is not just some simple ideal that judges should do. We must all do it. We must not judge unless we are part of the jury"

Nicely put.

@ BruceA,

"I'm curious, though: If the landlord legally took possession of the computer, doesn't the porn become his too?"

More interestingly, if the computer was his and he gave it away, you need to ask another question which is "did he distribute the pornography?"

I don't know about the US but other countries take a much dimmer view on distribution than possession...

Although I suspect it is a moot point, as far as I can tell he did not actually touch the computer let alone power it up. Likewise his paid agents (Sell and his son) didn't power it up they simply put it out or gave it to Hipple (the articles are not clear on which).

Then of course Hipple deleted some or all of the files he looked at is he guilty of wanton and knowing destruction of evidence?

Then of course (as it appears) if the landlord did not comply with the correct eviction and seizure requirements of the law the computer becomes "stolen property" which gives the options of theft, handling and receiving of stolen property.

Further in some countries if something is put out for refuse collection, it instantly becomes the property of the municipality in which it has been put out...

Then of course there is the consideration of "fly tipping" or illegal disposal of refuse or other items...

You could go on all day looking for charges to bring against anyone involved with the case. The whole thing was a mess before the police etc became involved trying to make sense of even one little part of it is bad enough, so have pity on the judge she is probably thinking "why me..."

Chiron • November 7, 2008 9:12 AM

@David Harper, sit back and wait for weird file names to cause shell injections on your analysis machine.

find / -type f -exec md5sum '{}' \;

would be better (per the man pages), but is not immune to apostrophes in the file name.
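
An added example, not part of the thread: hashing every file under a directory so that file names are only ever treated as data, followed by the hash-list comparison the surrounding comments debate. find's -exec starts md5sum directly and hands it each path as a single argument with no shell in between, whereas piping names through xargs without -0 re-parses them. The fixture names, function names and one-entry known list are constructed, and GNU find, xargs and md5sum are assumed.

```shell
#!/bin/sh
# Added example. Fixture names, contents and function names are constructed.
# Assumes GNU findutils and coreutils (find, xargs, md5sum).

# Build a scratch directory whose file names contain characters that
# word-splitting or quote-parsing tools mishandle. Prints the directory path.
make_fixture() {
    d=$(mktemp -d) || return 1
    printf 'ordinary file\n'      > "$d/plain.txt"
    printf 'name with a space\n'  > "$d/with space.txt"
    printf 'name with a quote\n'  > "$d/it's.txt"
    printf 'double quotes\n'      > "$d/\"quoted\".txt"
    printf 'looks like a subst\n' > "$d/\$(touch INJECTED).txt"
    printf 'constructed marker\n' > "$d/a;touch INJECTED;.txt"
    printf '%s\n' "$d"
}

# Robust: find execs md5sum itself and passes each path as one argv
# element, so no shell or quote parser ever sees the name. "--" keeps a
# path from being read as an option.
hash_tree() {
    find "$1" -type f -exec md5sum -- {} +
}

# Fragile: xargs splits its input on blanks and treats quotes specially,
# so some names are split, rewritten or rejected before md5sum runs and
# the resulting hash list silently misses files.
hash_tree_xargs() {
    find "$1" -type f | xargs md5sum 2>/dev/null
}

# count_hashed FUNCTION DIR: number of well-formed hash lines produced.
count_hashed() {
    "$1" "$2" | grep -c '^[0-9a-f]\{32\} ' || true
}

# The comparison step: print paths under DIR whose MD5 appears in
# KNOWN_LIST (one lowercase hex digest per line).
# match_known KNOWN_LIST DIR
match_known() {
    hash_tree "$2" | awk '
        FILENAME == ARGV[1] { known[$1] = 1; next }   # load the known list
        ($1 in known)       { print substr($0, 35) }  # digest is 32 chars + 2
    ' "$1" -
}

demo() {
    dir=$(make_fixture) || return 1
    known=$(mktemp) || return 1
    # Constructed known list: the digest of one fixture file's content.
    printf 'constructed marker\n' | md5sum | cut -d' ' -f1 > "$known"
    echo "find -exec hashed:   $(count_hashed hash_tree "$dir") of 6 files"
    echo "find | xargs hashed: $(count_hashed hash_tree_xargs "$dir") of 6 files"
    echo "paths matching the known list:"
    match_known "$known" "$dir"
    rm -rf "$dir" "$known"
}
demo
```

A hash run that skips files gives an incomplete inventory without reporting an error, so comparing the number of hash lines against the number of files found is a cheap completeness check.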

Maltheos • November 7, 2008 2:22 PM

Honestly the hashing != search. The search happened the moment that the contents of the drive were compared to a list of known items.

Searching is comparing a list of unclassified items to a list of classified items ( aka items of interest), and finding if any match.

Anonymous • November 7, 2008 5:30 PM

I would counter by answering a question with a question: how is a hash and compare different from any other kind of analysis?

Suppose, for example, we have a machine vision breakthrough and some bunch of bright folks at SIGGRAPH write software which first examines an image file for skin tone (a set of skin tones within reason), then uses some kind of well-trained neural network to recognize Naughty Bits, and finally can examine the various proportions of faces and bodies identified within the image to compare ratios against what would be expected for someone who might be under some age limit (you'd probably have to go with post-pubertal vs. not).

Would this magical image analysis software constitute a search? How would this software be different from opening a JPG and saying, "You know, that girl looks awful young."

Legally, I would lean towards interpreting a hash or any kind of data analysis constitutes a search. Imagine it for a more controversial subject -- wire-tapping. Nobody human is listening, but monitoring all lines for various keywords and phrases would constitute a search as far as I'm concerned.

Stormdog • November 10, 2008 12:09 AM

Absolutely, in any sensible way, the search occurred at the point of comparison with other file hashes.
Compare this situation to publicly-held phone companies or postal services, where private information comes into government possession all the time. Neither of those situations in any way constitutes a search; the action of comparing the data so possessed with previously acquired evidence of wrongdoing would constitute such. If simple government possession of privately held information became illegal, so too would their ownership of these services.
Declaring simple duplication of digital information by government-owned services to be illegal would also be problematic, as in an email sent over the network of a publicly held telecommunications company.
The taking of any part of the computer in question, or the extraction of its data in any form, might well constitute illegal seizure, but nobody here seems to care about this difference.

Clive Robinson • November 10, 2008 12:28 PM

@ Stormdog, et al,

"Absolutely, in any sensible way, the search occurred at the point of comparison with other file hashes."

No No NO !!!, the search started when the HD was accessed to make the copy.

In exactly the same way a search of your house starts when the Police enter your house.

It is legally a defining moment, if you have taken precautions to protect your privacy or refuse open access to your house the authorities are duty bound to first find probable cause then obtain either permission from the rightful owner or a warrant.

Or look at it another way, once they have accessed "your HD" and have copied it they no longer need to access "your HD" to make file comparisons for your definition of a search, as they have a copy that "they own" and you cannot dictate what they do with it now or at a later date...

The real issue is, that the judicial view point of what constitutes "plain sight" with digital information is very fluid and ill defined at the best of times.

As far as I am concerned if it's not consciously made publicly available (ie by anonymous FTP or HTTP etc) then it's not in plain sight, and should be treated as such.

As far as the authorities want to argue in all cases so far unless you take steps to protect it like "using mil grade crypto at file level and below, with physically locking the HD in a vault with no external access" then they regard it as being in plain sight and not requiring a warrant or permission to access.

The two view points differ by considerably more than a "country mile".

And judges are not known for their technical abilities, which is why we have expert witnesses who offer "opinion" (or "legally acceptable hearsay" which we mere mortals are not allowed to do...).

David • November 10, 2008 5:52 PM

Indeed, once the computer was confiscated by the landlord and then used, it would be possible to accuse the landlord, et al. of placing the CP on the system, either to frame him or because they downloaded CP for their own interests.

RH • November 10, 2008 7:54 PM

@Canuck: I've always been amused that our 'Court Order of Protection' system gags the person it's placed on, preventing any plausible resolution of the problem which doesn't involve lawyers taking chunks out of each other, and yet there's not a single word written into the order of protection preventing the "victim" from pushing the "aggressor" around by using the COP to deny them access to locations. As an example, a student who has a COP leveraged against them by another student IMMEDIATELY is unable to attend school until the legal system decides they were innocent to begin with.

Pete • November 11, 2008 8:27 AM

So, what if the police installed surveillance cameras in your house, but only ran automated monitoring. If the automated systems hit a (false) positive (feature extraction is basically a very specialized hash), that would be sufficient evidence for the police to get a warrant (to look at the surveillance data). Some people might think that this would reduce crime, but others might be a bit uncomfortable.

Hans • November 15, 2008 5:55 AM

What about the chain of evidence? The computer was handled by other persons, doing heaven knows what, before it was turned over to the police. What if the landlord wanted to "get at" his renter and installed some incriminating files? (If the renter confessed to the police he was stupid. The right to remain silent and all that.) It seems to me one didn't even have to argue whether it was a search or not, although obviously it does help as a backup argument.

Bill • November 15, 2008 7:47 AM

I'm curious as to how this case relates to the rules of the US Customs that allow an agent to seize and search a laptop (or iPod or whatever) at a border crossing for no reason.

Billy • November 16, 2008 8:20 AM

It is utterly IMPERATIVE, to the freedom, liberty, and justice of all Americans, that criminals of all sorts walk free when law enforcement break the law in their investigation. Only the public outrage that summons will place adequate pressure on law enforcement to obey the law themselves.

Now, I want to know if getting a copy of that hash list is as hard as getting a copy of the no-fly list.... Does anyone know where someone might acquire either?

Billy • November 16, 2008 8:29 AM

Also. Perhaps we should consider which people to hate more.

People who touch themselves in the privacy of their own home to impure thoughts.
-OR-
People who violate the 4th amendment, and dilute the power of law, and the law's respect for its citizens.

Something to think about.

Clive Robinson • November 16, 2008 10:06 AM

@ Bill,

"I'm curious as to how this case relates to the rules of the US Customs that allow an agent to seize and search a laptop (or iPod or whatever) at a border crossing for no reason."

As far as I can tell it "does not" affect the TSA in the slightest.

The TSA appear to have the following theory.

1, When you are on an aircraft in flight mode you are covered by international law and the law of the country of departure or "flag" of the carrier.

2, When on airport land side you are covered by US legislation.

3, When on airport air side and not on an aircraft with the doors closed and flight readied, then you belong to them and whatever they think goes...

Hence the answer of it "does not". However it has not been challenged in an independent court in any meaningful way as far as I can see (hopefully 11/5 has started a change on this).

Which is why even as a transit passenger if the TSA say jump don't ask "how high", ask "was that high enough" with a polite smile...

Which is why you will not be seeing me within a 1000 Km of "Continental USA" any time soon (just in case the plane gets diverted).

It would appear that my "quaint attitude" is "not peculiar to just me"; a number of security researchers etc. appear to have come to the same conclusion.

One attitude is "even though I have done nothing wrong" I have to consider "what might they be putting on my PC/Ipod etc and why", so I still have something to fear...

As discussed in previous blog pages on this site, there are fairly easy ways to avoid the TSA hassle but you have to ask if the grief of it is worth it?

And for me the simple answer is currently no.

sell • March 11, 2010 1:11 PM

I'm the one who took the computer out, wasn't the landlord. She hired us, gave the tenant by law the time needed to get his stuff out. He didn't. We put it at the curb, therefore it's free for anyone to take. Besides the point, the sick part of it: he was charged with it once already and lived across from an elementary school. Sick.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..