About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Thursday, March 24, 2011

Digital forensics and search warrants

Laws always lag far behind the pace of technology, and the laws surrounding computer security issues are no exception. It took several major data breaches before we began getting breach notification laws. Now, courts are trying to figure out how search warrants should work in computer crime cases. Ars Technica has a good overview of the current state of things.

NOTE: I am not a lawyer. This is not legal advice or recommendations. If you want legal advice, ask your lawyer.

It's a sticky issue because on one hand modern computers can have vast amounts of highly personal information on them: thousands of emails, journals, legal pornography, address books, etc. It can feel like an unreasonable invasion of privacy for law enforcement officers to go pawing through all of that to look for evidence of a crime, particularly if it's the victim's computer being investigated. Search warrants are supposed to specify what exactly is being looked for (stolen intellectual property, for example), and law enforcement officers are only supposed to look in places where the object of the warrant could reasonably be ... so no searching an office desk if the warrant is for a stolen car.

On the other hand, search warrants allow officers to search anything that could be hiding the object being searched for. There are plenty of videos of drug searches that show how ingeniously things can be hidden and how thorough searches can get in the physical world. The same principles apply in the digital world. Just as a packet of drugs can be hidden in a jar of flour, a contraband file can be hidden inside another file without much difficulty or technical skill.

Furthermore, if evidence of illegal activity is seen on a computer, sometimes the accused will claim that either a hacker or malware is responsible, not the accused. It's perfectly possible for malware or hackers to take control of a computer and use it for illegal activity. That sort of activity can be detected, but digital evidence can be lost if not seized in time. This means that if we restrict our search to only looking for the illegal file mentioned in the search warrant, we could lose the opportunity to determine if someone other than the owner of the computer could be responsible for the illegal activity. A computer search that's too narrow in scope could result in the loss of evidence that could show the suspect's innocence.

Like many legal issues, this is a complex one with multiple legitimate concerns acting at cross purposes. Hopefully, the legislature and courts will come up with a solution that provides reasonable privacy protection, is practical, and does not place too heavy a burden on law enforcement.
