State Court: Nothing 'Stale' About Evidence Nearly A Quarter-Century Old

from the kind-of-puts-a-new-wrinkle-in-'evidence-preservation'-obligations dept

The digital era has redefined evidence "staleness." The evidence that law enforcement often claims needs to be grabbed quickly (and, often, violently) to save it from destruction is the same evidence that could conceivably live on forever if never subjected to a concerted destruction effort.

Back in 2012, Judge Posner detailed this shift in inadvertent evidence preservation in the US v. Sevier decision:

“Staleness” is highly relevant to the legality of a search for a perishable or consumable object, like cocaine, but rarely relevant when it is a computer file. Computers and computer equipment are “not the type of evidence that rapidly dissipates or degrades.” United States v. Vosburgh, 602 F.3d 512, 529 (3d Cir. 2010). Because of overwriting, it is possible that the deleted file will no longer be recoverable from the computer’s hard drive. And it is also possible that the computer will have been sold or physically destroyed. And the longer the interval between the uploading of the material sought as evidence and the search of the computer, the greater these possibilities. But rarely will they be so probable as to destroy probable cause to believe that a search of the computer will turn up the evidence sought[.]
How long is too long? The answer is entirely open-ended. A recent decision from a California appeals court says a 23-year gap between the crime and the search warrant doesn't render the evidence "stale." A reopened "cold case" investigation into the apparent murder of a Los Angeles police officer resulted in the issuance of warrant in 2009 to search the defendant's current possessions, including the computer she didn't own (if she even had one) back in 1986.

The defendant moved to suppress the evidence, but the court said her "staleness" argument didn't apply. (But the "good faith exception" did... [It almost always does.]) Both warrants were extremely broad.
The first permitted authorities to search appellant’s residence and several vehicles registered to her. It sought electronically and digitally stored material, documents, and records related to the homicide, Rasmussen or Ruetten, including “letters, diaries, journals, writings, newspaper articles, books, correspondence, [or] greeting cards”; photographs of Ruetten and Rasmussen; items that may have belonged to Ruetten or Rasmussen; information identifying persons “who may have associated with or [may] have known” Ruetten, Rasmussen or appellant; medical or dental records tending to establish whether appellant received treatment for injuries after February 24, 1986; “bills, receipts, papers, reports or forms” from 1986 generally; and all .38/.357 caliber firearms in appellant’s possession.

The second warrant, issued by a different magistrate, gave permission to search the “computers, storage media, computer hardware and digital evidence” seized pursuant to the first warrant, including “[email], internet browsing histories, cached information, partially deleted files, records, receipts, screen captures, photographs, logs, [and] printouts.
The lower court had some issues with the breadth of the warrants, but managed to talk itself out of its queasier feelings.
The court agreed there was a plausible argument for overbreadth in the requests to search for “bills, receipts, paper or reports or forms from 1986” and for the names of all “people who may have associated with” Rasmussen, Ruetten or appellant. The court was “uncomfortable” with the request to search appellant’s computers because they were unlikely to have been in existence at the time of the crime.
It also suggested it had no business telling magistrate judges how to do their jobs.
However, the court concluded that warrants should not be read in a hypertechnical way and that it was up to the issuing magistrates to tell the detective to “‘tighten [the] language’” or “beef it up.”
The defendant argued that there was no "nexus" between the original crime and her current residence, not to mention the fact she had no computer back in 1986, so any search of her current computers was predicated on an unsupported assumption that these would contain evidence related to the 1986 murder.

The appeals court didn't find either argument persuasive. It pointed out that, while both warrants were broad, they were supported by probable cause. And, more importantly, the lack of a "bright line" measurement for "staleness" -- along with the common use of computers as "permanent" storage of copies of physical items -- allowed for this sort of search, despite the length of time elapsed since the initial investigation.
With respect to her contention that her move from one residence to another precluded a finding of a nexus between her current home and the evidence sought, the warrants specifically sought photographs, journals and diaries. A person does not normally discard such items, even after several moves.
That handles the physical "nexus" argument. Here's the court on the digital end of it:
Appellant claims that the warrant was overbroad in granting permission to search her computers, as there was no evidence she owned any of them at the time of the homicide. The fact that she may not have owned those computers at the time of the crime did not preclude the possibility that she had transferred information or records -- particularly photographs -- to computers owned at the time of the search. (Cf. Arkansas Chronicle v. Easley (E.D. Va. 2004) 321 F.Supp.2d 776, 795 [recognizing that photographs and video preserved in computer format are “easily transferrable”]; U.S. v. Christie (10th Cir. 2013) 717 F.3d 1156, 1164 [observing that personal computers often hold “diaries, calendars, files, and correspondence”].)
Now that the near-permanence of digital evidence is ensured by long-lasting storage and even longer-lasting cloud service backups, "staleness" is no longer an issue. But while that may give law enforcement a pass of serve search warrants years after alleged criminal activity occurred, it should also factor into discussions about warrantless searches based on exigent circumstances.

The government argued in the Riley case that the omnipresent "threat" of evidence destruction necessitated instant, warrantless access to arrested suspects' cellphones. (This was presented to the court without any supporting evidence that automated wiping or other uncontrollable evidence destruction had occurred with any frequency). But the opposite actually seems closer to reality: whatever is on a cellphone (or someone's computer) will last almost indefinitely unless a person makes active, time-consuming efforts to thwart evidence recovery.

From Posner's 2012 opinion:
When you delete a file, it goes into a “trash” folder, and when you direct the computer to “empty” the trash folder the contents of the folder, including the deleted file, disappear. But the file hasn’t left the computer. The trash folder is a waste paper basket; it has no drainage pipe to the outside. The file seems to have vanished only because the computer has removed it from the user interface and so the user can’t “see” it any more.
Most people never make it past "Empty Recycling." Even though plenty of options exist for common users to ensure deleted files are actually deleted (read: overwritten), Posner points out that "use of such software is surprisingly rare." This coincides with the very low number of incidents where law enforcement has run into the use of automated tools to destroy digital evidence. And yet, the government insisted the possibility of evidence destruction should allow it to warrantlessly search cellphones and other devices at the time of arrest.

But it really shouldn't get to have it both ways. Either there's a good chance the evidence sought is intact -- and will be for possibly decades to come -- or it's all vanishing before it can get its hands on it, in which case the argument for "staleness" must be addressed in more detail.

Fortunately, the Supreme Court has put an end to law enforcement's insistence it must have access right now. That's good news, especially when combined with the unavoidable conclusions courts will reach when dealing with storage options that preserve evidence for years. The government can't be allowed to claim there's no time to get a warrant when it's readily apparent they have all the time in the world.

Filed Under: evidence, stale, stephanie lazarus


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Wyrm (profile), 20 Jul 2015 @ 10:33pm

    "The government can't be allowed to claim there's no time to get a warrant when it's readily apparent they have all the time in the world."

    Newspeak...

    In the novel "1984", the government saying one thing and its opposite was perfectly normal. Each citizen was supposed to understand that both are true and never think that inconsistency was suspicious.

    Out of fiction, copyright monopolists have the same attitude: they say two opposite statements and politicians as well as judges are supposed to take them both as true.

    This example today is just one more real life example that some people have only scorn for citizen rights and basic intelligence.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jul 2015 @ 10:46pm

    "The fact that she may not have owned those computers at the time of the crime did not preclude the possibility that she had transferred information or records -- particularly photographs -- to computers owned at the time of the search."

    No, the low memory, lack of ubiquity in scanning hardware, and the poor quality of image software inherent in computers in 1986 makes it unlikely that she had any photographs on a computer in 1986, much less that she transferred it to a series of newer computers that she might have upgraded to at least every 10 years.

    Compuserve didn't introduce the GIF format until 87 and the JPEG standard wasn't introduced until 92. Did someone think this woman was a pioneer in early computer imagery when she wasn't being a cop and that despite her training as a cop, she would have used this rudimentary imaging technology to take photographs of her killing someone?

    reply to this | link to this | view in chronology ]

    • identicon
      David, 21 Jul 2015 @ 12:45am

      Re:

      No, the low memory, lack of ubiquity in scanning hardware, and the poor quality of image software inherent in computers in 1986 makes it unlikely that she had any photographs on a computer in 1986, much less that she transferred it to a series of newer computers that she might have upgraded to at least every 10 years.

      Scanning photographs in when scanning and storage hardware made this feasible is something a lot of people did.

      The court is right about that one. However, I cannot imagine why one would want to preserve any such evidence: I'd not have expected to keep incriminating photographs for a day, let alone scanned them to computer and stored them.

      While the Facebook-uncovered crimes one sees these days sport a number of dimwit criminals, it's reasonable to assume that a person of her age would not be just that stupid.

      reply to this | link to this | view in chronology ]

  • identicon
    JoeT, 21 Jul 2015 @ 12:07am

    Perhaps we need a digital version of "shut up"

    reply to this | link to this | view in chronology ]

  • identicon
    JoeT, 21 Jul 2015 @ 12:15am

    Perhaps we need a digital version of "shut up"

    (sorry for the earlier blank post... tab, enter, they're the same, right?)

    You can't do yourself any good by talking to the police. As Supreme Court Justice Robert Jackson put it, "any lawyer worth his salt will tell the suspect in no uncertain terms to make no statement to the police under any circumstances".

    So, even if you're innocent, consider the advice of running CCleaner or the like every month or so, and run Eraser biannually (no need to use the fancy multipass wipes; 1x random is likely enough).

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jul 2015 @ 11:50am

      Re: Perhaps we need a digital version of "shut up"

      So, even if you're innocent, consider the advice of running CCleaner or the like every month or so, and run Eraser biannually (no need to use the fancy multipass wipes; 1x random is likely enough).

      Or better yet, use a modern operating system with an encrypted file system and set the system to overwrite deleted files and slack space by default. Processors and hard disks are really fast, and adding encryption only adds a minimal amount of overhead that I am not sure why people don't do it other than laziness.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 12:58am

    1 law for us another law for our overlords when the same situation is applied to them.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 7:28am

    This is why everyone should use the tried and true method of data erasure by overwriting the data multiple times. While this is no guarantee that not all deleted data is unrecoverable, it does make it harder for law enforcement or any other entity to recover that deleted data.

    Plus, the defendant in this case is an idiot. To argue that she didn't have her current computer at the time of the crime is irrelevant. She could have easily transferred documents, data and whatnot to her current computer. The courts ruled correctly on that. She should really do her own research.

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 21 Jul 2015 @ 7:44am

      Re:

      This is why everyone should use the tried and true method of data erasure by overwriting the data multiple times.

      Why isn't one overwrite enough? Or is it just to make sure the first one didn't miss any sectors?

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 21 Jul 2015 @ 8:14am

        Re: Re:

        Because the erase head does not travel exactly the same path every time, leaving slivers of the old recording at the margins of the stripe. Those slivers can be read using specialized equipment and techniques.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 21 Jul 2015 @ 9:37am

          Re: Re: Re:

          Nowadays, the margin of one stripe overlaps with the margin of the next stripe (the write heads are wider than the read heads). And that's before going into Shingled Magnetic Recording, where the stripe itself overlaps with the next stripe, like shingles on a roof.

          reply to this | link to this | view in chronology ]

          • icon
            John Fenderson (profile), 21 Jul 2015 @ 9:49am

            Re: Re: Re: Re:

            This is true, but there are still lots of older drives in regular use. If you're concerned enough to be worried about this issue, write multiple passes of random numbers is still a good habit.

            reply to this | link to this | view in chronology ]

            • icon
              John Fenderson (profile), 21 Jul 2015 @ 9:51am

              Re: Re: Re: Re: Re:

              Although, if you're REALLY concerned about this, the better solution is to never write extremely sensitive data to the hard drive in the first place. Even with modern drives, erased data can still be recovered. It's just a lot more difficult.

              reply to this | link to this | view in chronology ]

              • icon
                nasch (profile), 21 Jul 2015 @ 10:16am

                Re: Re: Re: Re: Re: Re:

                Even with modern drives, erased data can still be recovered. It's just a lot more difficult.

                I'm not saying you're wrong, but if it's possible to write data, and then write other data on top of it and still get at the previous data, why haven't drive manufacturers taken advantage of that to increase storage density?

                reply to this | link to this | view in chronology ]

                • icon
                  John Fenderson (profile), 21 Jul 2015 @ 1:56pm

                  Re: Re: Re: Re: Re: Re: Re:

                  Three reasons:

                  1) The error rate is unacceptably high for use as storage
                  2) It's destructive.
                  3) In order to do it, you need to use a scanning tunneling microscope. In effect, you're reading the magnetic polarization that is underneath the surface layer's overt polarization.

                  For practical purposes, this is not a realistic attack vector. However, if a well-funded company or agency was very, very interested in the contents of your drive, then it is possible.

                  reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 Jul 2015 @ 8:19am

        Re: Re:

        One time overwrite is enough. The old 35 pass Gutmann method was intended on performing a complete erasure on hard drives using recording techniques that are long obsolete. If you're really paranoid, then do 2 passes of random data.

        reply to this | link to this | view in chronology ]

  • icon
    nasch (profile), 21 Jul 2015 @ 7:44am

    Browsing history

    Internet browsing history from 1986?

    reply to this | link to this | view in chronology ]

  • identicon
    Chris Brand, 21 Jul 2015 @ 10:14am

    Trying to picture this

    "documents, and records related to the homicide, [...] including greeting cards"

    Wow, Hallmark really does have a card for every occasion.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.