Opinion
Case No. MJ 11-55.
February 11, 2011
MEMORANDUM ORDER DENYING THE GOVERNMENT'S APPLICATION FOR A WARRANT TO SEIZE AND SEARCH ELECTRONIC DEVICES SEALED ORDER
I. INTRODUCTION AND SUMMARY CONCLUSION
This matter comes before the Court on the government's application for a warrant to search the residence of Edward Cunnius, to seize any computers or digital devices (collectively "digital devices") that may be located at the premises, and to search all electronically stored information ("ESI") contained in any digital devices seized from Mr. Cunnius' residence for evidence relating to the crimes of copyright infringement or trafficking in counterfeit goods. Specifically, in addition to the search of the residence and the seizure of digital devices, the application requests the authority for investigative officers to: (1) search all ESI contained in Mr. Cunnius' digital devices and related to the use of the devices; (2) conduct the search without segregation by a filter team; (3) conduct the search without foreswearing the plain view doctrine; and (4) permit investigative agents to obtain a second warrant if, during the search of the ESI, the investigating and searching agents find evidence of crime outside the scope of the instant warrant. On February 7, 2011, the Court advised the Assistant United States Attorney ("AUSA") that the warrant, as presented, would not be granted. The United States has refused to accede to the Court's view that a filter team and forswearing reliance on the plain view doctrine are appropriate, and indeed, required in this specific case. Accordingly, the AUSA requested the Court to file a memorandum opinion, so that the government can appeal. A copy of the requested warrant and affidavit in support is attached as Exhibit 1. That request has led to this opinion.
"Digital devices" is defined in the warrant affidavit to include any electronic device capable of processing or storing data in digital form. Larson Aff. ¶ 37 n. 1; Larson Warrant App., Att. B, ¶ 2.
Because the government, in this application, refuses to conduct its search of the digital devices utilizing a filter team and foreswearing reliance on the plain view doctrine, the Court DENIES the application as seeking an overbroad or general warrant in violation of the Fourth Amendment and the law of this Circuit.
The Court is prepared to authorize the search of the residence. This opinion focuses on the search of digital devices contained in the residence. There are other changes to the warrant regarding hash values that would be required, as discussed in Part II Section E of this opinion. The Court does not understand the government to have objections to these changes, but if this is not the case, the government should address the issue in its appeal.
II. DISCUSSION
A. The Warrant Application to Seize and Search ESI devicesThe affidavit in support of the government's warrant application indicates that agents received information from Microsoft Corporation ("Microsoft") in October 2010 regarding an individual, Mr. Cunnius, whom they believed was advertising counterfeit Microsoft software via the internet classified advertising service Craigslist. Specifically, a Microsoft anti-piracy investigator informed agents that a shipment of counterfeit Microsoft software from China, addressed to "Edward Russell Cunnius" at 2305 Rucker Avenue #5, Everett, Washington, had been seized by Customs and Border Protection ("CBP") on October 18, 2010. In response to the CBP seizure, Microsoft sent a warning letter advising Mr. Cunnius that it had received information that he or someone with his company may have distributed illegal and/or unlicensed Microsoft software. The letter informed Mr. Cunnius of the consequences of illegal distribution.
The Microsoft investigator also informed the agents that Mr. Cunnius was responsible for numerous Craigslist advertisements over the past few months that offered to sell brand new, in-the-box, Microsoft software at prices well below typical retail prices for the same software. After contacting Mr. Cunnius at the phone number listed on the Craigslist advertisements, Microsoft conducted an undercover test purchase of several products from Mr. Cunnius at his home in Everett, Washington. These products were purchased at prices substantially below retail value, and upon further examination, were found to be counterfeit.
Following Microsoft's test purchase, undercover law enforcement agents conducted two test purchases from Mr. Cunnius at his apartment. On each occasion, agents contacted Mr. Cunnius via the telephone number listed in his Craigslist advertisements, and met with Mr. Cunnius at his apartment. The agents purchased several boxes of purportedly genuine, new, in-the-box, Microsoft software from Mr. Cunnius on December 13, 2010, and December 21, 2010, respectively. During each purchase, Mr. Cunnius retrieved the boxes containing the software from a closet in the bedroom of his apartment. According to the affidavit, he was evasive in response to questions regarding the authenticity of the products, and stated that if customers complained to him, he would instruct them to go buy the products for much higher prices at retail establishments. The agents submitted the products purchased from Mr. Cunnius to Microsoft for analysis by their product identification specialists, who determined that the products were counterfeit.
In response to questions regarding Mr. Cunnius' supplier, Mr. Cunnius told the undercover agents that it took him years to make his contact with his supplier and that he receives his product through the mail. He also told the agents that he communicates with his source via electronic mail, and pays him through electronic transfer from his bank.
The government then applied to this Court for a warrant authorizing agents to search Mr. Cunnius' apartment and seize evidence, fruits and instrumentalities of the crimes of (1) copyright infringement and/or (2) trafficking in counterfeit goods. Specifically, the government believes that evidence related to how Mr. Cunnius obtained counterfeit software, paid for it, and how he distributed the counterfeit software is likely to be discovered on digital devices located at his apartment. This evidence may include e-mail correspondence with Mr. Cunnius' source, evidence of internet banking transactions, and evidence of his online advertisements and marketing of counterfeit software. In addition, the government wishes to search for evidence of dominion and control of any digital device located in the apartment in order to determine who else may be responsible for obtaining and trafficking in the counterfeit software purchased from Mr. Cunnius, and who may have been using the computers at the relevant time.
There is no suggestion that the target is using the digital devices to "burn" counterfeit discs, or to transmit counterfeit copies electronically. Instead, the target of the investigation allegedly sells in-the-box counterfeit copies that have been imported.
The Court finds that the warrant affidavit establishes probable cause to search the digital devices located at Mr. Cunnius' residence for evidence of criminal copyright infringement and/or trafficking in counterfeit goods. Probable cause exists if "it would be reasonable to seek the evidence in the place indicated in the affidavit." United States v. Wong, 334 F.3d 831, 836 (9th Cir. 2003) (quoting United States v. Peacock, 761 F.2d 1313, 1315 (9th Cir. 1985)). The two crimes contemplated by the warrant in this case involve the "distribution" or "trafficking" of certain goods. Specifically, criminal copyright infringement includes "willfully infring[ing] a copyright" if that infringement was committed "for purposes of commercial advantage or private financial gain . . . by the reproduction or distribution, including by electronic means . . . of 1 or more copies or phonorecords of 1 or more copyrighted works, which have a total retail value of more than $1,000." 17 U.S.C. § 506(a), (b). Similarly, trafficking in counterfeit goods involves "intentionally traffic[king] or attempt[ing] to traffic in goods or services and knowingly us[ing] a counterfeit mark on or in connection with such goods or services . . . the use of which is likely to cause confusion, to cause mistake, or to deceive. . . ." 18 U.S.C. § 2320(a), (b). In light of the sworn affidavit that Mr. Cunnius advertises the counterfeit goods by posting advertisements containing digital photographs of the products on the website Craigslist, communicates with his source by e-mail, and pays his source using electronic transfers from his bank, the Court can reasonably assume that digital devices contain evidence relating to the crimes alleged.
However, despite the existence of probable cause to search the digital devices, the Court finds the warrant requested by the government overbroad. The affidavit contains no reference to use of a filter team, and no promise to foreswear reliance on the plain view doctrine. With respect to the procedures to be employed by law enforcement personnel to execute the search of digital devices, once they have been seized, the affidavit provides:
In order to examine the ESI in a forensically sound manner, law enforcement personnel with appropriate expertise will produce a complete forensic image, if possible and appropriate, of any digital device that is found to contain data or items that fall within the scope of Attachment B of this Affidavit. In addition, appropriately trained personnel may search for and attempt to recover deleted, hidden, or encrypted data to determine whether the data fall within the list of items to be seized pursuant to the warrant. In order to search fully for the items identified in the warrant, law enforcement personnel may then examine all of the data contained in the forensic image/s and/or on the digital devices to view their precise contents and determine whether the data falls within the list of items to be seized pursuant to the warrant.
The search techniques that will be used will be only those methodologies, techniques and protocols as may reasonably be expected to find, identify, segregate, and/or duplicate the items authorized to be seized pursuant to Attachment B to this affidavit.
If, after conducting its examination, law enforcement personnel determine that any digital device is an instrumentality of the criminal offense referenced above, the government may retain that device during the pendency of the case as necessary to, among other things, preserve the instrumentality evidence for trial, ensure the chain of custody, and litigate the issue of forfeiture. If law enforcement personnel determine that a device was not an instrumentality of the criminal offense referenced above, it shall be returned to the person/entity from whom it was seized within 90 days of the issuance of the warrant, unless the government seeks and obtains authorization from the court for its retention.
Unless the government seeks an additional order of authorization from any Magistrate Judge in the District, the government will return any digital device that has been forensically copied, that is not an instrumentality of the crime, and that may be lawfully possessed by the person/entity from whom it was seized, to the person/entity from whom it was seized within 90 days of seizure.
If, in the course of their efforts to search the subject digital devices, law enforcement agents or analysts discover items outside of the scope of the warrant that are evidence of other crimes, that data/evidence will not be used in any way unless it is first presented to a Magistrate Judge of this District and a new warrant is obtained to seize that data, and/or to search for other evidence related to it. In the event a new warrant is authorized, the government may make use of the data then seized in any lawful manner.
Larson Aff. ¶ 46(c)-(g).
As discussed below, permitting the government to conduct a search along these lines would violate the Fourth Amendment and the law of this Circuit.
B. The Fourth Amendment Prohibits General Searches
The instant warrant application cannot be squared with the Fourth Amendment's prohibition on general searches. The Fourth Amendment states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.U.S. Const. amend. IV. The Warrant Clause of the Fourth Amendment categorically prohibits the issuance of any warrant except one "particularly describing the place to be searched and the persons or things to be seized." Maryland v. Garrison, 480 U.S. 79, 84 (1987) (citing U.S. Const. amend. IV). As the Supreme Court noted:
[t]he manifest purpose of this particularity requirement was to prevent general searches. By limiting the authorization to search to the specific areas and things for which there is probable cause to search, the requirement ensures that the search will be carefully tailored to its justifications, and will not take on the character of the wide-ranging exploratory searches the Framers intended to prohibit.Id. This understanding of the Fourth Amendment's particularity requirement broke no new ground. Indeed, sixty years before Maryland v. Garrison was decided, the Supreme Court recognized general searches were long deemed to violate the Constitution. Marron v. U.S., 275 U.S. 192, 196 (1927).
The Fourth Amendment's particularity provision was enacted to respond to the evils of general warrants and writs of assistance which English judges had employed against the colonists. Virginia v. Moore, 553 U.S. 164, 169 (2008). As the Supreme Court stated:
The practice had obtained in the colonies of issuing writs of assistance to the revenue officers, empowering them, in their discretion, to search suspected places for smuggled goods, which James Otis pronounced "the worst instrument of arbitrary power, the most destructive of English liberty and the fundamental principles of law, that ever was found in an English law book;" since they placed "the liberty of every man in the hands of every petty officer."Boyd v. United States, 116 U.S. 616, 625 (1886) (internal footnotes omitted). The requirement was thus designed to ensure only a specific place is searched and that probable cause to search that place actually exists. See Steele v. United States, 267 U.S. 498, 501-02 (1925).
The Fourth Amendment's prohibition on the issuance of general warrants goes hand in hand with the requirement that each search must be carefully tailored to its justifications. Hence, even if a warrant is not an impermissible general warrant, it still cannot be granted unless it is carefully tailored to its justification.
Here, the government seeks permission to search every bit of data contained in each digital device seized from Mr. Cunnius' residence. Contrary to the Fourth Amendment's particularity requirement limiting searches to only the specific areas and things for which there is probable cause to search, the government seeks to scour everything contained in the digital devices and information outside of the digital devices. This practice is akin to the revenue officers in colonial days who scoured "suspected places" pursuant to a general warrant.
The Court has considered the fact that the search warrant application seeks permission to search and seize evidence of the specified crimes, and a second warrant would be needed to seize evidence of other crimes for which there is no probable cause shown. However, the ability to seek a second warrant after finding evidence as to which there was no probable cause to search only magnifies the danger of the warrant constituting a general warrant. The requirement that a second warrant be obtained provides no meaningful limitation on the scope of the search conducted under the first warrant and no meaningful protection against the government obtaining evidence for which it lacks probable cause. For the first warrant would be nothing more than a "vehicle to gain access to data for which the government has no probable cause to collect." Comprehensive Drug Testing v. United States, 621 F.3d 1162, 1177 (9th Cir. 2010) (en banc) (" CDT III"). Indeed, the warrant the government now seeks would permit it to seize evidence found outside the scope of the first warrant whether that evidence was initially in plain view, or not.
The Ninth Circuit's initial panel decision is found at Comprehensive Drug Testing v. United States, 473 F.3d 913 (9th Cir. 2006). This panel decision was withdrawn and superseded by Comprehensive Drug Testing v. United States, 513 F.3d 1085 (9th Cir. 2008) (" CDT I"). The Ninth Circuit then granted rehearing en banc, Comprehensive Drug Testing v. United States, 545 F.3d 1160 (9th Cir. 2008), and issued its first en banc decision at Comprehensive Drug Testing v. United States, 579 F.3d 989 (9th Cir. 2009) (" CDT II"). The initial en banc decision was then revised and superseded by CDT III, 621 F.3d 1162.
C. What is Involved in a Digital Search?
As noted above, there is no suggestion in the affidavit that the digital devices at issue are being used to burn counterfeit discs or otherwise create or electronically transmit illegal copies of the software at issue. Instead, the affidavit makes it clear that the allegedly counterfeit software at issue is being imported. The search of the digital devices would undoubtedly be helpful to reveal the source(s) of supply, the quantity, customer names of the counterfeit merchandise, financial gains from the activity, and knowledge of the counterfeit nature of the goods. Against these legitimate needs, the Court weighs the vast amount and nature of data that can be stored on or accessed by personal computers, an analysis which illustrates the continued importance of the Fourth Amendment's particularity requirement.
1. A Digital Search Captures Vast Quantities of Data
A government search of even a single, non-networked computer involves searching vast quantities of ESI. As pointed out in the warrant affidavit, a single gigabyte of storage space is the equivalent of 500,000 double-spaced pages of text. Larson Aff. ¶ 45(b). Computer hard drives are now being sold for personal computers capable of storing up to two terabytes, or 2,048 gigabytes of data. Id. If a computer is networked, this exponentially increases the volume of data being searched. Thus, the sheer volume of ESI involved distinguishes a digital search from the search of, for example, a file cabinet.
2. A Digital Search Captures Innocent and Personal Information With No Relevance to the Asserted Crimes
Because it is common practice for people to store innocent and deeply personal information on their personal computers, a digital search of ESI will also frequently involve searching personal information relating to the subject of the search as well as third parties. As Judge Kleinfeld noted:
The importance of this case is considerable because, for most people, their computers are their most private spaces. People commonly talk about the bedroom as a very private space, yet when they have parties, all the guests — including perfect strangers — are invited to toss their coats on the bed. But if one of those guests is caught exploring the host's computer, that will be his last invitation.
There are just too many secrets on people's computers, most legal, some embarrassing, and some potentially tragic in their implications, for loose liberality in allowing search warrants. Emails and history links may show that someone is ordering medication for a disease being kept secret even from family members. Or they may show that someone's child is being counseled by parents for a serious problem that is none of anyone else's business. Or a married mother of three may be carrying on a steamy email correspondence with an old high school boyfriend. Or an otherwise respectable, middle-aged gentleman may be looking at dirty pictures. Just as a conscientious public official may be hounded out of office because a party guest found a homosexual magazine when she went to the bathroom at his house, people's lives may be ruined because of legal but embarrassing materials found on their computers. And, in all but the largest metropolitan areas, it really does not matter whether any formal charges ensue — if the police or other visitors find the material, it will be all over town and hinted at in the newspaper within a few days.
Nor are secrets the only problem. Warrants ordinarily direct seizure, not just search, and computers are often shared by family members. Seizure of a shared family computer may, though unrelated to the law enforcement purpose, effectively confiscate a professor's book, a student's almost completed Ph.D. thesis, or a business's accounts payable and receivable.U.S. v. Gourde, 440 F.3d 1065, 1077 (9th Cir. 2006) (Kleinfeld, J., dissenting).
3. Digital Devices Function as a Portal in the Age of Cloud Computing
"The term `cloud computing' is based on the industry usage of a cloud as a metaphor for the ethereal internet. A cloud platform can either be external or internal. An external cloud platform is storage or software access that is essentially rented from (or outsourced to) a remote public cloud service provider, such as Amazon or Google. This software-as-a-service allows individuals and businesses to collaborate on documents, spreadsheets, and more, even when the collaborators are in remote locations. By contrast, an internal or private cloud is a cluster of servers that is networked behind an individual or company's own firewall." David A. Couillard, Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing, 93 MINN. L. REV. 2205, 2216 (2009) (internal citations omitted).
The language in the instant warrant raises another significant constitutional concern related to the interactive nature of modern digital devices. These digital devices are not just repositories of data, but access points, or portals, to other digital devices and data, typically obtained through the internet or stored on a network. All data on the internet is both separate and one. The requested warrant is, in essence, boundless. This is made evident by the fact that the government seeks authorization, among other things, to obtain "all passwords, password files, test keys, encryption codes or other information necessary to access the computer equipment, storage devices or data." Larson Aff. ¶ 47(g).
This poses a multitude of problems, and it highlights the concerns raised by Judge Kleinfeld. First, once the government has all passwords, it is able to access a defendant's most sensitive information. To the extent the defendant may have medical records on-line, that information is now available to the government. If the defendant's wife, who is not alleged to be involved in any criminal activity, is sending embarrassing, private e-mail messages, that information is now available for use by the government. If the government wants to see what books the defendant is reading, or what movies his wife is viewing, all of this would be fair game under the warrant presented by the government. Moreover, if the defendant has been looking at legal but "dirty" pictures the government will know this as well, even if the defendant had intended to "throw them away." The government candidly acknowledges that its protocols "are exacting scientific procedures designed to protect the integrity of evidence and recover even hidden, erased, compressed, password-protected, or encrypted files." Larson Aff. ¶ 45.
4. A Digital Search Captures ESI of Which the User Is Unaware
In addition to granting the government access to ESI that was consciously downloaded by computer users, this boundless search would reveal ESI that computer users have no way of knowing is stored on their device. A search of a file cabinet, in contrast, would include only items put in the file cabinet by a person. A conscious, even if unknowing, act is required. This act perhaps would be analogous to intentionally downloading a file. However, in contrast to the conscious act of downloading a file or storing something in a file cabinet, cache files are a set of files automatically stored on a user's hard drive by a web browser to speed up future visits to the same websites, without the affirmative action of downloading. See U.S. v. Romm, 455 F.3d 990, 993 n. 1 (9th Cir. 2006). See also U.S. v. Parish, 308 F.3d 1025, 1030-31 (9th Cir. 2002). "Most web browsers keep copies of all the web pages that you view up to a certain limit, so that the images can be redisplayed quickly when you go back to them." Romm, 455 F.3d at 993 n. 1. Thus, a person's entire online viewing history can be retrieved from the cache, without any affirmative act other than visiting a web page.
The Ninth Circuit has defined "downloading" as "the act of manually storing a copy of an image on the hard drive for later retrieval." U.S. v. Romm, 455 F.3d 990, 994 n. 3 (9th Cir. 2006). See also U.S. v. Mohrbacher, 182 F.3d 1041, 1045-46 (9th Cir. 1999) (describing downloading).
5. A Digital Search Captures "Destroyed" Data
Unlike information in a file cabinet that can simply be taken out and destroyed, ESI is present after attempts to destroy it. In addition to data stored in cache files, ESI can be recovered from "unallocated space" on a hard drive, which "contains deleted data, usually emptied from the operating system's trash or recycle bin folder, that cannot be seen or accessed by the user without the use of forensic software." United States v. Flyer, No. 08-10580, slip op. at 2429 (9th Cir. Feb. 8, 2011). The government knows that once ESI is created, it is very difficult to destroy, and indeed, the government highlights this function. In the affidavit, the government states
Once created, electronically stored information ("ESI") can be stored for years in very little space and at little or no cost. A great deal of ESI is created, and stored, moreover, even without a conscious act on the part of the device operator. For example, files that have been viewed via the Internet are sometimes automatically downloaded into a temporary Internet directory or "cache," without the knowledge of the user. The browser often maintains a fixed amount of hard drive space devoted to these files, and files are only overwritten as they are replaced with more recently viewed Internet pages or if a user takes steps to delete them. . . . Even when such action [the affirmative attempts to delete] has been deliberately taken, ESI can often be recovered, months or even years later, using forensic tools.
Larson Aff. ¶ 44(a).
Although the probative evidence stored in any digital device seized in this case would seem to be limited to the supplier(s), possible customers, warnings, and the underlying financial data, the government has indicated that it may "search for and attempt to recover deleted, hidden, or encrypted data `to determine whether the data fall within the list of items to be seized.'" Larson Aff. ¶ 46(c). Such a request sweeps into the search of a single ESI device all sites, all data, and all persons that device accessed via the internet.
6. General Principles of the Fourth Amendment
In opposing the requirement of a filter team and forswearing reliance on the plain view doctrine, the government has taken the position that the characteristics set forth above relating to digital searches do not require heightened Fourth Amendment protection, citing the U.S. Supreme Court's assertion in Katz v. United States that "the Fourth Amendment protects people, not places." 389 U.S. 347, 351 (1967). It contends that a digital search is no more intrusive than a properly authorized search that requires officers to sift through all of an individual's papers, and every possible place where such papers might be found within the home. The government also cites the Ninth Circuit's statement in United States v. Giberson that "[w]hile it is true that computers can store a large amount of material, there is no reason why officers should be permitted to search a room full of filing cabinets or even a person's library for documents listed in a warrant but should not be able to search a computer." 527 F.3d 882, 888 (9th Cir. 2008).
Following Giberson, however, the Ninth Circuit began to refine its analysis. In U.S. v. Payton, the court explained that " Giberson held that computers were not entitled to a special categorical protection of the Fourth Amendment. Instead, they remained subject to the Fourth Amendment's overall requirement that searches be constitutionally `reasonable.'" 573 F.3d 859, 863-64 (9th Cir. 2009). Under Giberson, "[i]f it is reasonable to believe that a computer contains items enumerated in the warrant, officers may search it." Id. at 864 (citing Giberson, 527 F.3d at 888). With respect to the actual search conducted by the agents, however, the Payton court observed that "the nature of computers makes such searches so intrusive that affidavits seeking warrants for the search of computers often include a limiting search protocol, and judges issuing warrants may place conditions on the manner and extent of such searches, to protect privacy and other important constitutional interests . . . We believe that it is important to preserve the option of imposing such conditions when they are deemed warranted by judicial officers authorizing the search of computers." Id. at 864 (emphasis added). The Payton court concluded that "the special considerations of reasonableness involved in the search of computers are reflected by the practice, exemplified in Giberson, of searching officers to stop and seek an explicit warrant when they encounter a computer that they have reason to believe should be searched." Id. As discussed further below, this refinement continued in the CDT line of cases.
D. Comprehensive Drug Testing Inc. v. United States
The unconstitutionality of the instant warrant application, as well as the application presented in CDT III, is revealed by tracing the odyssey of the CDT litigation. Here, the government seeks to search all data contained in digital devices seized from Mr. Cunnius' residence, as well as information outside the devices. The government intends to perform this search without a filter team to separate from the investigative agents information that is outside the scope of the warrant. Additionally, the warrant does not foreswear reliance on the plain view doctrine, and further seeks authorization to obtain and use information found outside the scope of the initial warrant whether or not that information was found in plain view.
With this background, the Court turns to the Ninth Circuit opinion in CDT III. In that case, the government obtained a warrant to search CDT's facilities limited to the records of ten baseball players for whom there was probable cause to suspect of drug use. Included in the warrant was a provision to allow seizure of computer records from CDT facilities for off-site examination and segregation of the evidence. To justify this provision, which the government acknowledged included information beyond that relevant to the investigation, the supporting affidavit contained information about the difficulty and hazards of retrieving only ESI for which the government had probable cause.
Based on these representations, a magistrate judge granted the government permission to engage in a broad seizure. However, the warrant the magistrate judge authorized also contained important restrictions on the handling of seized data, including review and segregation by non-investigating law enforcement personnel rather than the case agents. The purpose of the segregation requirement was to prevent case agents from accessing information outside the scope of the warrant.
Utilizing this warrant, agents found at CDT's facilities the "Tracey Directory," which included, among hundreds of other documents, a spreadsheet containing the names of all the major league baseball players who had tested positive for steroids. The government had probable cause to search and seize records of ten baseball players. After deciding it was impractical to sort through the information on-site, the agents removed the data for off-site review. Although the warrant required segregation and screening, the case agent ignored this requirement and took control of the data.
Some of these baseball players were included in the warrant, some were not.
Based on its search of the Tracey Directory, the government obtained additional warrants to search the facilities of CDT and Quest for information regarding more baseball players who they discovered had tested positive for steroids, and issued subpoenas demanding production of the same records it had just seized. The government claimed it was justified in obtaining this additional incriminating information, based on the plain view doctrine of evidence found outside the scope of the warrant. In response, CDT and the baseball players' association moved for return of the seized property.
The litigation in CDT III involved multiple district courts. Two district courts ordered the government to return the property. The judges expressed grave dissatisfaction with the government's conduct; some accused the government of manipulation and misrepresentations. As one district judge stated in rejecting the government's arguments, "whatever happened to the Fourth Amendment? Was it . . . repealed somehow?" CDT III, 621 F.3d at 1177 (citing CDT I, 513 F.3d at 1117).
One judge allowed the government to retain the materials regarding the ten players identified in the initial warrant. The subpoenas at issue were also quashed.
The government appealed to the Ninth Circuit. In a reissued decision, the panel reversed two of the district courts' orders to return the property, and held the government was bound by the third court's order containing factual determinations including the government's failure to comply with the warrant and that it had displayed a callous disregard for the rights of third parties. CDT I, 513 F.3d 1085. Despite these determinations, the Ninth Circuit initially upheld the seizures. The dissent strenuously argued the decision was unfounded, ignored factual findings of the lower courts, and would have dire ramifications. As Judge Thomas stated, "Today's decision marks the return of the prohibited general warrant through an endorsement of a disguised impermissible general search warrant — a tactic we rejected in United States v. Rettig, 589 F.2d 418 (9th Cir. 1978)." Id. at 1143 (Thomas, J., concurring in part, dissenting in part).
The case was then taken en banc. CDT II, 579 F.3d 989. The en banc panel reversed and ordered the return of all testing results, save the ten athletes named in the first warrant. The majority explored the government's improper conduct and further reflected on the balance between law enforcement's perhaps legitimate need to over-seize in conducting searches of ESI devices, with the Fourth Amendment's prohibition on general or overbroad searches. To strike this balance, the court directed magistrate judges to adhere to the following five guidelines:
1. Magistrate [] [Judges] should insist that the government waive reliance upon the plain view doctrine in digital evidence cases.
2. Segregation and redaction must be either done by specialized personnel or an independent third party. If segregation is to be done by government computer personnel, it must agree in the warrant application that the computer personnel will not disclose to the investigators any information other than that which is the target of the warrant.
3. Warrants and subpoenas must disclose the actual risks of destruction of information as well as prior efforts to seize that information in other judicial fora.
4. The government's search protocol must be designed to uncover only the information for which it has probable cause, and only that information may be examined by the case agents.
5. The government must destroy or, if the recipient may lawfully possess it, return non-responsive data, keeping the issuing magistrate informed about when it has done so and what it has kept.Id. at 1006.
On September 13, 2010, the Ninth Circuit issued a revised en banc opinion. CDT III, 621 F.3d 1162. The new opinion did not change the outcome of the first en banc decision, but the five guidelines that were previously part of the majority decision became part of a concurring opinion authored by Chief Judge Kozinski. In his concurrence, joined by four other judges, Chief Judge Kosinski notes the guidelines are "hardly revolutionary," are "essentially Tamura's solution to the problem of necessary over-seizing of evidence," and also offer "the government a safe harbor, while protecting the people's right to privacy and property in their papers and effects." Id. at 1178, 1180 (Kozinski, C.J., concurring).
In the Court's view, the Ninth Circuit's final en banc opinion does not permit the issuance of the warrant the government seeks in this case for four reasons. First, although the five guidelines are no longer mandatory, the majority did not hold magistrate judges are prohibited from employing them or that they are improper or inappropriate. Rather the Court, exercising its independent judgment, as it must, has arrived at the conclusion that some of the guidelines should be applied based on the specifics of the present case. See id. at 1178 (Kozinski, C.J., concurring). It is also important to note that the Court does not and will not robotically apply the five guidelines. For example, the Court is satisfied, in this particular case, that the fifth guideline's concern is met by the government's representations that it will return the devices unless they are found to be instrumentalities of the criminal offenses named in the warrant.
Parenthetically, the Court notes the distinction between searching a "third party" computer, as was the case in CDT III, and searching a suspect's computer, would be a distinction without a difference. First, the Ninth Circuit stated CDT III was "more generally . . . about the procedures and safeguards that federal courts must observe in issuing and administering search warrants and subpoenas for electronically stored information," not about searches of a third party computer. CDT III, 621 F.3d at 1165-66. Second, in rejecting the government's argument that it could seize items in "plain view," the Court gave several examples including: "Can't find the computer? Seize the Zip disks under the bed in the room where the computer once might have been." Id. at 1171. In giving this example, the Court cited to United States v. Hill, 322 F.Supp.2d 1081 (C.D. Cal 2004), a case involving the search of an individual's computer and residence. Id. And third, in CDT III's "concluding thoughts" section, the Ninth Circuit stated that a broad computer search "calls for greater vigilance on the part of judicial officers in striking the right balance between the government's interest in law enforcement and the right of individuals to be free from unreasonable searches and seizures." Id. at 1177 (emphasis added).
Second, the warrant application in CDT III was drafted in a manner designed to ensure that it would be lawful and comport with the requirements of the Fourth Amendment. The warrant contained a panoply of safeguards absent here. As the Ninth Circuit stated "the magistrate judge . . . wisely made such broad seizure subject to certain procedural safeguards." CDT III, 621 F.3d at 1168. Germane to the present case, these safeguards included: (1) that investigative agents not review and segregate the data; (2) that specialized forensic computer search personnel review and segregate the data and not give it to the investigative agents; and (3) seized evidence outside the scope of the warrant be returned within 60 days.
The CDT III court endorsed these safeguards noting that the government's argument the investigative agents could access all data seized is nothing but "sophistry." Id. at 1172. As the Court stated, "it would make no sense to represent that computer personnel would be used to segregate data if investigative personnel were also going to access all the data seized. What would be the point?" Id. The court found the government's failure to follow this procedural protection to reach information not covered by the warrant was a "callous disregard of the Fourth Amendment," not only because of the binding findings of the district court, but also as matter of "simple common sense." Id.
Hence, there is nothing in CDT III indicating it is unwise for a magistrate judge to require the warrant application contain such safeguards where requests for broad computer searches are made, that such safeguards are inappropriate, or that once such safeguards are ordered, it is permissible for the government to ignore them. These safeguards are particularly appropriate in this case. According to the affidavit, the target of the search is a disabled man who conducts business out of his home. There is no evidence he is using the computer to create illegal copies, but the computer is likely to store information regarding his supplier, customers and financial transactions. There is no suggestion that utilizing a filter team in this investigation would compromise the government's ability to prosecute this case. There is no suggestion that requiring waiver of the plain view doctrine as a quid pro quo for the evident over-seizing will compromise the government's ability to prosecute this case.
In contrast to the warrants issued in CDT III, the government, here, applies for the broadest warrant possible — the authority to search every single thing — but minus any of the procedural safeguards the Ninth Circuit in CDT III deemed to be wise. Perhaps the government believes that its promise to use "only those methodologies, techniques and protocols as may reasonably be expected to find, identify, segregate and/or duplicate the items authorized to be seized" is a sufficient safeguard. Larson Aff. ¶ 46(d). However, such protection is illusory and does not justify the government's request to conduct a search without a filter team and to rely on the plain view doctrine. Once the Court authorizes the government to search all data, the government can, and will.
Third, the CDT III opinion rejected the government's arguments that under United States v. Tamura, 694 F.2d 591 (9th Cir. 1982), it did not have to return any data it found about baseball players outside the scope of the first warrant because that evidence was in "plain view" when agents examined the Tracey Directory. Calling this argument "too clever by half" the Ninth Circuit found the "point of the Tamura procedures is to maintain the privacy of materials that are intermingled with seizable materials, and to avoid turning a limited search . . . into a general search. . . ." CDT III, 621 F.3d at 1170. The government's claim that everything is in "plain view" when it is given permission to search broadly would "make a mockery of Tamura and render the carefully crafted safeguards in the Central District warrant a nullity." Id. at 1171. Hence, while the CDT III majority opinion does not state the government in all cases "must foreswear reliance on the plain view doctrine," the opinion essentially requires as much.
The Court notes a generalized seizure of ESI would be justified where there is probable cause to conclude that the entirety of the contents of the ESI device is evidence of crime. Cf. United States v. Kow, 58 F.3d 423, 427 (9th Cir. 1995) ("A generalized seizure of business documents may be justified if the government establishes probable cause to believe the entire business is merely a scheme to defraud or that all of the business's records are likely to evidence criminal activity."). Here, the government has not presented any evidence that in this case, Mr. Krause's ESI devices contain only evidence of criminal activity.
The instant warrant application goes a step beyond the position it took in CDT III. In this case, not only does the government fail to foreswear reliance on the plain view doctrine, it requests that it be allowed to seek a warrant that permits it to obtain a second warrant to seize additional evidence whether it was found in the initial search in plain view or not.
And fourth, the Ninth Circuit's "concluding thoughts" in CDT III put to rest any notion the warrant sought here is appropriate. Broad searches of ESI devices create "a serious risk that every warrant for electronic information will become, in effect, a general warrant, rendering the Fourth Amendment irrelevant." Id. at 1176. The Ninth Circuit further provided:
Once a file is examined . . . the government may claim (as it did in this case) that its contents are in plain view and, if incriminating, the government can keep it. Authorization to search some computer files therefore automatically becomes authorization to search all files in the same sub-directory, and all files in an enveloping directory, a neighboring hard drive, a nearby computer or nearby storage media.
. . . It is not surprising, then, that all three of the district judges below were severely troubled by the government's conduct in this case. Judge Thomas, too, in his panel dissent, expressed frustration with the government's conduct and position, calling it a "breathtaking expansion of the `plain view' doctrine, which clearly has no application to intermingled private electronic data.
. . .
We recognize the reality that over-seizing is an inherent part of the electronic search process and proceed on the assumption that, when it comes to the seizure of electronic records, this will be far more common than in the days of paper records. This calls for greater vigilance on the part of judicial officers in striking the right balance between the government's interest in law enforcement and the right of individuals to be free from unreasonable searches and seizures. The process of segregating electronic data that is seizable from that which is not must not become a vehicle for the government to gain access to data which it has no probable cause to collect.Id. at 1176-77.
In this case, the Court finds that the requested warrant application impermissibly grants the government a general or overbroad search warrant in violation of the Constitution and the law of the Circuit. The Court also reaches this conclusion while recognizing that quite often, broad searches of digital devices and "over-seizing is an inherent part of the electronic search process." However, a balance must be struck between the government's investigatory interests and the right of individuals to be free from unreasonable searches and seizures. Few computers are dedicated to a single purpose; rather, computers can perform many functions, such as "`postal services, playgrounds, jukeboxes, dating services, movie theaters, daily planners, shopping malls, personal secretaries, virtual diaries, and more.'" United States v. Andrus, 483 F.3d 711, 718 (10th Cir. 2007) (citing Orin S. Kerr, Searches and Seizures in the Digital World, 119 Harv. L. Rev. 531, 569 (2005)). Almost every hard drive encountered by law enforcement will contain records that have nothing to do with the investigation. To maintain the balance between the government's investigatory interests and the Fourth Amendment, the Court is ready to grant the government's instant application on the conditions set forth in this opinion. But the government, much like it did in the CDT line of cases, does not seek to perform the search with constitutional safeguards, i.e., a filter team or foreswearing reliance on the plain view doctrine. The government's warrant application therefore does not pass Constitutional muster, and cannot be squared with the Ninth Circuit's opinion in CDT III.
CDT III, 621 F.3d at 1177.
E. The Fourth Amendment and Use of "Hash Values"
The instant warrant search protocol also purports to authorize the government to use hash values to perform the search. The government's proposed use of hash values does not necessarily narrow the scope of the search requested. Specifically, although "hash values" can be used to exclude files that do not interest the government such as a digital device's operating system, they can also be used to search and find evidence outside the scope of the warrant automatically and systematically. This is because most law-enforcement forensic software can automatically search for evidence of other crimes, such as child pornography, based on known hash values. See United States v. Mann, 592 F.3d 779, 783-84 (7th Cir. 2010) (detective ignored warrant limitations and conducted general search using Forensic Tool Kit (FTK) and its accompanying "KFF alert system" to locate child pornography).
The instant warrant application proposes to use "hash values," but contained no restrictions on that use, allowing the government to search for evidence of crime for which is lacks probable cause, such as child pornography. Moreover, the warrant affidavit does not demonstrate "hash values" exist that can be used to ferret out the evidence for which the government has probable cause in this case. The Court concludes that the following language must be added to the instant warrant application in order to address the problems with using hash values:
However, these methodologies, techniques and protocols will not include the use of "hash value" libraries to search the electronically stored information for items that are not set forth in the items authorized to be seized in Attachment B of this warrant.
As this new language is necessary to address both the scope and reasonableness of the search the conduct seeks to conduct, it must be included in the government's ESI application.
III. CONCLUSION
This Court is required under the U.S. Constitution and the law of the Circuit to deny the instant warrant application. Counterfeiting products is a serious crime and costs American intellectual property owners billions of dollars annually, results in lost jobs, and creates substantial threats to consumers of these products. Probable cause exists to search Mr. Cunnius' digital devices for evidence relating to counterfeit products. But the government asks the Court to do what the law does not permit. The government would have the Court give it the authority to scour all data contained in the seized digital devices, and more, without any of the procedural protections CDT III deemed both wise and necessary, and the authority to obtain a second warrant to seize any other data found outside the scope of the first warrant whether it was found in plain view or not. This request is exactly what CDT III prohibited: "the process of segregating electronic data that is seizable from that which is not must not become a vehicle for the government to gain access to data which it has no probable cause to collect." Id. at 1177. Moreover, if the Court sanctions this action, its decision effectively becomes non-reviewable. See United States v. Leon, 468 U.S. 897 (1984).
CDT III provided strong guidance to this Court regarding ESI searches. While the guidelines are not mandatory, most are appropriately required in this case. The government may disagree with the decision enunciated in CDT III. The government's options, however, are to seek review of CDT III with the U.S. Supreme Court or to comply. Neither the government nor this Court has the option to pretend that CDT III does not exist. Because the Court finds the government's warrant application, without the protections set forth in this Order, fails to comply with the Fourth Amendment and the law of this Circuit, the Court DENIES the government's application for a search warrant.
As this matter involves an on-going criminal investigation, the Clerk of Court is directed to file this Order under seal. This Order will be unsealed at the earlier of when any warrant relating to this matter is executed, or when a decision is made not to proceed with the prosecution of the matter, or otherwise by written order. A copy of this Order shall also be provided to the United States and the assigned United States District Judge.
Exhibit 1
(Briefly describe the property to be searched or identify the person by name and address
UNITED STATES DISTRICT COURT for the Western District of Washington In the Matter of the Search of ) ) ) ) ) Case No. The residence located at 2305 Rucker Avenue, ) Apt. 5, Everett, Washington 98201 ) )APPLICATION FOR A SEARCH WARRANT
I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property ( identify the person or describe the property to be searched and give its location):
See Attachment A, which is incorporated herein by reference
located in the Western District of Washington, there is now concealed (identify the person or describe the property to be seized):
See Attachment B, which is incorporated herein by reference
The basis for the search under Fed.R.Crim.P. 41(c) is ( check one or more):
[] evidence of a crime;
[] contraband, fruits of crime, or other items illegally possessed;
[] property designed for use, intended for use, or used in committing a crime;
[] a person to be arrested or a person who is unlawfully restrained.
The search is related to a violation of: Code Section Offense Description 18 U.S.C. § 2319 18 U.S.C. § 2320
Criminal Copyright Infringement Trafficking in Counterfeit Goods The application is based on these facts:
See attached Affidavit of Special Agent Michael J. Larson, attached hereto and incorporated herein.18 U.S.C. § 3103a Applicant's signature SA MICHAEL J. LARSON, Affiant Printed name and title Judge's signature Seattle, Washington JAMES P. DONOHUE, U.S. Magistrate Judge Printed name and title [] Continued on the attached sheet. [] Delayed notice of _____ days (give exact ending date if more than 30 days: ________) is requested under , the basis of which is set forth on the attached sheet. _____________________________________ Sworn to before me and signed in my presence. Date: __________________ _____________________________________ City and state:
ATTACHMENT A SUBJECT PREMISES
The SUBJECT PREMISES at 2305 Rucker Avenue, Apartment 5, Everett, Washington 98201 is more fully described as:a two-story apartment building located near the intersection of Rucker Avenue and 23rd Street. The apartment building is tan or taupe in color; however, the lower level of the west side of the structure has a red brick facade. The west side of the house has a red entry door, and a single-car garage door. The number two thousand three hundred five (2305) is affixed to the brick facade to the left of the red entry door. On the north side of the building, there is a covered external stairway with entry doors on both the upper and lower levels. Apartment number five is located on the upper level of the building and the entry door to the unit is light green in color and marked with the number five.
ATTACHMENT B ITEMS TO BE SEIZED
The items to be seized are the following items that constitute evidence, fruits, and instrumentalities of the crimes of Criminal Copyright Infringement in violation of Title 18, United States Code, Section 2319 and Trafficking in Counterfeit Goods in violation of Title 18, United States Code, Section 2320.
1. The following records, documents, files, or materials, in whatever form, including handmade or mechanical form (such as printed, written, handwritten, or typed); photocopies or other photographic form; and electrical, electronic, digital and magnetic form (in storage on or in media such as tapes, cassettes, hard disks, floppy disks, diskettes, compact disks, CD-ROMs, DVDs, optical disks, printer buffers, smartcards, electronic notebooks, memory cards, USB thumb drives, mobile or cellular phones, personal data assistants, or any other storage medium):
a. Counterfeit software and counterfeit software components including, boxes, labels, packaging, stickers, wrappers, emblems, medallions, documentation, license agreements, manuals, end user license agreements, and/or certificates of authenticity;
b. Records relating to the purchase and/or sale of software including invoices, purchase orders, correspondence with customers and/or suppliers of software, inventory lists, advertisements;
c. Records relating to the exporting or importing of computer software to or from countries other than the United States;
d. Records relating to licensing agreements for the distribution of computer software;
e. Shipping records including U.S. Mail, Federal Express, United Parcel Service, or any other common carrier;
f. Correspondence with Customs and Border Protection regarding any seizures of counterfeit software;
g. Correspondence with Microsoft Corporation or its affiliates regarding the distribution of counterfeit software;
h. Any books, papers, internet history, documents, pamphlets, or other materials regarding counterfeit software;
i. Records related to the posting of advertisements for the sale of software on Internet classified advertising services such as eBid, Craigslist, Amazon.com and/or eBay, including drafts of advertisements, photographs of products advertised, account information, sales history, customer feedback reports, payment records, customer complaints, and correspondence with the classified advertisement service provider;
j. Any and all financial records present at the subject premises, including: checking and savings account bank statements; deposit or withdrawal records; safe deposit box records and keys; investment or brokerage account statements; cashier's check receipts; check books; receipts; wire transfer records; electronic funds transfer records; cancelled checks; credit card account statements and receipts; records of employment and earnings; bank loan or credit applications; business books and records; and telephone records;
k. Any and all evidence of dominion and control of the subject premises and/or any digital devices located at the subject premises;
l. Any and all United States currency, cashier's checks, money orders, travelers checks, and other monetary instruments;
2. Digital devices and/or their components, including:
a. Any digital devices and storage device capable of being used to commit, further, or store evidence of the offense listed above;
b. Any digital devices used to facilitate the transmission, creation, display, encoding or storage of data related to criminal copyright infringement and/or trafficking in counterfeit goods, including modems, docking stations, monitors, cameras, printers, plotters, encryption devices, and optical scanners;
c. Any magnetic, electronic or optical storage device capable of storing data, such as floppy disks, hard disks, tapes, CD-ROMs, CD-R, CD-RWs, DVDs, optical disks, printer or memory buffers, smart cards, PC cards, memory calculators, electronic dialers, electronic notebooks, and personal digital assistants;
d. Any applications, utility programs, compilers, interpreters, and other software used to facilitate direct or indirect communication with the computer hardware, storage devices, or data to be searched;
e. Any physical keys, encryption devices, dongles and similar physical items that are necessary to gain access to the computer equipment, storage devices or data; and
f. Any passwords, password files, test keys, encryption codes or other information necessary to access the computer equipment, storage devices or data.
g. Evidence of who used, owned or controlled any seized digital device/s at the time the things described in this warrant were created, edited, or deleted, such as logs, registry entries, saved user names and passwords, documents, and browsing history;
h. Evidence of the attachment to the digital device/s of other storage devices or similar containers for electronic evidence;
i. Evidence of counter-forensics programs (and associated data) that are designed to eliminate data from a digital device;
j. Evidence of the times the digital device/s was used.
k. Any other ESI from the digital device/s necessary to understand how the digital device was used, the purpose for its use, who used it, and when.
AFFIDAVIT
STATE OF WASHINGTON ) ) ss COUNTY OF KING ) I, Michael J. Larson, being first duly sworn, depose and state as follows:INTRODUCTION AND AGENT BACKGROUND
1. I am a Special Agent with the Department of Homeland Security, United States Immigration and Customs Enforcement (ICE), assigned to the Office of the Special Agent in Charge, Seattle, Washington, and have been so employed since July of 2009. During my tenure with ICE, I have been assigned to the Border Enforcement Security Task Force (BEST) and have participated in investigations and search warrants involving theft, fraud, smuggling, counterfeit goods, and drug trafficking. Prior to my employment with ICE, I worked for the United States District Court for the Western District of Washington for eleven years as a United States Probation Officer and United States Probation Officer Assistant. I am a graduate of the Federal Law Enforcement Training Center's Criminal Investigator Training Program in Brunswick, Georgia, as well as the ICE Special Agent Training Program. I am also a graduate of Michigan State University in East Lansing, Michigan, where I received Bachelors degrees in International Relations and Criminal Justice from James Madison College and the School of Criminal Justice, respectively.
2. I make this affidavit in support of an application under Rule 41 of the Federal Rules of Criminal Procedure for a warrant to search the premises known as 2305 Rucker Avenue, Apartment 5, Everett, Washington, 98201, hereinafter "SUBJECT PREMISES," as more fully described in Attachment A to this Affidavit, for the property and items described in Attachment B to this Affidavit.
3. The facts set forth in this Affidavit are based on my own personal knowledge; knowledge obtained from other individuals during my participation in this investigation, including other law enforcement officers; review of documents and records related to this investigation; communications with others who have personal knowledge of the events and circumstances described herein; and information gained through my training and experience.
4. Because this Affidavit is submitted for the limited purpose of establishing probable cause in support of the application for a search warrant, it does not set forth each and every fact that I or others have learned during the course of this investigation. I have set forth only the facts that I believe are necessary to establish probable cause to believe that evidence, fruits and instrumentalities of violations of Title 18, United States Code, Sections 2319 (Criminal Copyright Infringement) and 2320 (Trafficking in Counterfeit Goods) will be found at the SUBJECT PREMISES and on any digital devices located at the SUBJECT PREMISES.
SUMMARY OF INVESTIGATION
5. In October 2010, I received information from Microsoft Corporation regarding an individual they believed was selling counterfeit Microsoft software via the internet classified advertising service Craigslist. According to Microsoft investigator Steve Studhalter, EDWARD CUNNIUS was responsible for numerous Craigslist advertisements over the past few months that offered to sell brand new, in the box, Microsoft software at prices well below typical retail prices for the same software. In addition, Mr. Studhalter informed me that a shipment of counterfeit Microsoft software from China, addressed to EDWARD CUNNIUS, had been seized by Customs and Border Protection (CBP) on October 18, 2010. Following the October 18, 2010 CBP seizure, Microsoft sent Mr. CUNNIUS a letter warning him of the consequences of distributing counterfeit software and informing him how he might detect counterfeit software to ensure he does not engage in further distribution of counterfeit software. Microsoft subsequently initiated an undercover test purchase of software from Mr. CUNNIUS at his home in Everett, Washington and purchased several products at prices substantially below retail value. An examination of the software products purchased from Mr. CUNNIUS revealed the products were counterfeit.
6. I later initiated two law enforcement undercover test purchases from Mr. CUNNIUS at his residence in Everett, Washington. On each occasion, agents with ICE contacted Mr. CUNNIUS in response to Craigslist advertisements offering the sale of Microsoft software at prices well below retail. Agents met Mr. CUNNIUS at his apartment in Everett, Washington on December 13, and December 21, 2010, and purchased several boxes of purportedly genuine, new, in the box, Microsoft software. During each undercover purchase, Mr. CUNNIUS retrieved the software packages from a closet in the bedroom of his apartment. Mr. CUNNIUS was evasive in response to questions about the authenticity of the product and stated that if customers complained, he would instruct them to go buy the products for much higher prices at retail establishments. All of the products purchased from Mr. CUNNIUS by the undercover agents were submitted to Microsoft for analysis by their product identification specialists who determined that each of the products were counterfeit.
THE INVESTIGATION
7. On October 27, 2010, I spoke to Microsoft anti-piracy investigator Steve Studhalter who told me about a suspect who recently had a shipment of counterfeit Microsoft software seized by Customs and Border Protection. According to Mr. Studhalter, on October 18, 2010, CBP had seized an inbound shipment of counterfeit Microsoft software from China, addressed to EDWARD RUSSELL CUNNIUS at 2305 Rucker Avenue #5, Everett, Washington. Mr. Studhalter also told me that this suspect had been advertising Microsoft software on Craigslist at suspiciously low prices on a regular basis over the past several months. I know based on my training and experience in conducting investigations of counterfeit products and from information I have received from Microsoft anti-piracy investigators, that one indication of potentially counterfeit product is the price at which the product is sold. Products sold for prices far below the typical retail price are often found to be counterfeit. Mr. Studhalter e-mailed screen clips of several recent Craigslist advertisements by Mr. CUNNIUS that offered to sell products such as Microsoft Office Professional 2010 and Microsoft Visio Professional 2010 at prices up 75% off retail value.
8. According to Mr. Studhalter, in response to the CBP seizure, Microsoft had sent a warning letter to Mr. CUNNIUS at his Everett home on October 22, 2010. The letter advised Mr. CUNNIUS that it had received information that Mr. CUNNIUS or someone with his company may have distributed illegal and/or unlicensed Microsoft software and informed Mr. CUNNIUS of the consequences of illegal distribution. The letter also notified Mr. CUNNIUS of the various types of software piracy including counterfeit software distribution. Finally, the letter advised Mr. CUNNIUS how to protect his business by obtaining legitimate Microsoft software from authorized retail distributors and by learning how to differentiate genuine Microsoft software from counterfeit and infringing software.
9. Mr. Studhalter also told me that he planed to initiate a "test purchase" from Mr. CUNNIUS. A test purchase is an undercover operation in which a private investigator employed by Microsoft purchases software from a suspected counterfeit software distributor. Test purchases may be initiated via telephone, over the internet, or in person depending on how the particular suspect conducts business. Product purchased during a test purchase is later examined by Microsoft product identification specialists in order to determine whether the product is genuine or counterfeit.
10. After speaking to Mr. Studhalter on October 27, 2010, I retrieved a copy of a CBP incident report from the Treasury Enforcement Communications System (TECS). The report, dated October 18, 2010, indicated that CBP-San Francisco seized, 10 pieces of Windows Ultimate software on October 18, 2010, at the San Francisco international mail station. CBP reported the shipment was valued at $1,350.00 and was sent via Air Express parcel from China, addressed to "Edward Cunnius" at 2305 Rucker Avenue #5, Everett, WA 98201 (the SUBJECT PREMISES). According to the report, the software inside the parcel was determined to be counterfeit based on the fact that clear labels were adhered to the surface of the disks, whereas a genuine Microsoft product does not have this feature. In addition, when the labels were lifted up, the portions of the hologram on the disc came up with the label. A genuine Microsoft disk has the hologram embedded in the disk and, therefore, the hologram would not come up with the label. Following the seizure, CBP sent a notice of seizure to Mr. CUNNIUS addressed to "2305 Rocker [sic] Ave. #5, Everett, Washington 98201." The notice informed Mr. CUNNIUS that the software was counterfeit and violated a trademark registered by the Microsoft Corporation. The notice further informed Mr. CUNNIUS that the software was subject to forfeiture.
11. I reviewed records from the Washington State Department of Licensing that indicate EDWARD RUSSELL CUNNIUS and Judith Ann CUNNIUS are the only registered drivers at 2305 Rucker Avenue #5, Everett, Washington 98201. I also obtained a copy of Mr. and Ms. CUNNIUS' driver's license photographs.
12. I have reviewed a report prepared by Randy Mullinax of R.E. Mullinax Investigations, LLC that indicates Mr. Mullinax conducted a test purchase from Mr. CUNNIUS on October 28, 2010. According to Mr. Mullinax, he contacted Mr. CUNNIUS on October 27, 2010, at a telephone number listed in a Craigslist advertisement for the sale of Microsoft Office Professional 2010. The man who answered the telephone identified himself as "Ed" and stated that he had two copies of Office Professional 2010 left. Mr. Mullinax reported that "Ed" told him to come to his apartment at 2305 Rucker Street, #5, Everett, Washington the following day to purchase the software. On October 28, 2010, Mr. Mullinax drove to the SUBJECT PREMISES and met with Mr. CUNNIUS. Mr. CUNNIUS sold Mr. Mullinax one copy each of Microsoft Windows 7 Ultimate, Microsoft Visio Professional 2010, and Microsoft Office Professional 2010. The total price for all three products was $350.00. According to Mr. Studhalter, the estimated retail price of these three products combined is $1,377.00. Mr. Mullinax reported that Mr. CUNNIUS stated that the product was "not counterfeit" and he claimed he obtained the software from someone he knew who bought it from Microsoft in Redmond, Washington. However, Mr. CUNNIUS also stated that if there was a problem with the software registering correctly, Microsoft might tell Mr. Mullinax that the software is counterfeit.
13. I have reviewed three sample analysis reports prepared by Microsoft product identification specialist Lisa Blinzler. Ms. Blinzler examined each of the products purchased by Mr. Mullinax on October 28, 2010, and determined that all three products were counterfeit. She reported that each of the items contained counterfeit certificates of authenticity labels, ultra-violet ink was missing from the product key labels, and there were typographical errors on the product boxes among other indications that the product and packaging were counterfeit.
14. On December 13, 2010, at approximately 9: 40 a.m., Special Agent Shawn Galetti, initiated telephonic contact with Mr. CUNNIUS for the purpose of purchasing the following Microsoft software: Visio Professional 2010 and Project Professional 2010. In the days and weeks leading up to this contact, Mr. CUNNIUS frequently advertised Microsoft software on Craigslist and directed interested parties to contact him at 425-339-2555. Agent Galetti contacted Mr. CUNNIUS at this telephone number. During the contact, Mr. CUNNIUS identified himself as "Ed" and stated that he could meet with Agent Galetti anytime before 6:00 p.m. Mr. CUNNIUS refused Agent Galetti's request to meet at neutral site stating that he was on disability and did not drive. Mr. CUNNIUS said his address was 2305 Rucker Avenue, Apartment 5, Everett, Washington 98201, and arranged to meet with Agent Galetti between 12:30 p.m. and 1:30 p.m. Agent Galetti's conversation with Mr. CUNNIUS was audio recorded, and I was present during the contact.
15. At approximately 12:42 p.m. on December 13, 2010, Agent Galetti and Agent Marcus Browne, acting in an undercover capacity, contacted Mr. CUNNIUS at the SUBJECT PREMISES. During their contact with Mr. CUNNIUS, one of the agents was wired for video and audio with an undercover recording device. The entire contact was taped and I have reviewed the tape. Shortly after the agents arrived, Mr. CUNNIUS went to a back room of his apartment and returned a short time later with one copy of Microsoft Visio Professional 2010 and one copy of Microsoft Project Professional 2010. Agent Galetti asked Mr. CUNNIUS if there were any problems with the software. Mr. CUNNIUS advised Agent Galetti to remove any "trial versions" from his computer before running the new software. Mr. CUNNIUS also stated that he had received the software about four months ago and that it cost as much as "a thousand dollars a piece" at Best Buy. He claimed he bought the product from a "third party." When Agent Galetti asked if Mr. CUNNIUS had received any complaints related to the software, Mr. CUNNIUS assured Agent Galetti that he had not received any customer complaints. Agent Galetti paid Mr. CUNNIUS with $225.00 in U.S. currency for the software and asked whether Mr. CUNNIUS had any other software for sale. Mr. CUNNIUS responded that he also had copies of Windows 7 Ultimate for $125.00, and Office Professional 2010 for $100.00.
16. While speaking to Agents Galetti and Browne, Mr. CUNNIUS received a telephone call from an unknown individual. Based on Mr. CUNNIUS' responses to the caller and his comments to Agents Galetti and Browne immediately after the call, it appeared the caller had questioned the authenticity of the software in the Craigslist posting. Mr. CUNNIUS advised the caller he "got it from a third party," and "they are not from the Microsoft store" and that it did not "say `not for resale' on em" Immediately after the call, Mr. CUNNIUS advised Agents Galetti and Browne that there were some people who wanted to "look a gift horse in-the-mouth" or they "just ain't happy what they see" and "they want to make a big deal about it." Mr. CUNNIUS said he would direct those people to the "door" and tell them "Best Buy is down the street about three miles — make sure you have a deep pocket."
17. On December 14, 2010, I provided the boxes of software that Agents Galetti and Browne purchased from Mr. CUNNIUS to Microsoft product identification specialist Brittany Carmichael who inspected the software and determined it was counterfeit. Ms. Carmichael completed a sample analysis report for each of the two pieces of software and reported that each of the items contained counterfeit certificates of authenticity labels, the ultra-violet ink was missing from the product key labels, and there were typographical errors on the product boxes among other indications that the product and packaging were counterfeit. These were the same counterfeit features discovered earlier on the counterfeit software that Mr. Mullinax purchased from Mr. CUNNIUS on October 28, 2010. According to Microsoft the software that Agents Galetti and Browne purchased for $225.00 had an estimated retail price of approximately $1,560.00.
18. On December 21, 2010, at approximately 9:40 a.m., Agent Galetti called Mr. CUNNIUS again and asked about Craigslist advertisements Mr. CUNNIUS had posted for the sale of Microsoft Office Professional 2010, Windows 7 Home Premium, Windows 7 Professional, and Windows 7 Ultimate. Mr. CUNNIUS agreed to meet Agent Galetti during the lunch hour at the SUBJECT PREMISES.
19. At approximately 11:45 a.m. on December 21, 2010, Agents Galetti and Browne, again acting in undercover capacity, contacted Mr. CUNNIUS at the SUBJECT PREMISES. During their contact with Mr. CUNNIUS, one of the agents was wired for video and audio with an undercover recording device. The entire contact was taped and I have reviewed the tape. Agent Galetti told Mr. CUNNIUS that he resold the software he bought from him on December 13, 2010, and made a good profit. Agent Galetti said there was demand for additional product and asked if Mr. CUNNIUS could contact his supplier to see if he or she would work with Agent Galetti. Mr. CUNNIUS said it took him years to make his contact and that he gets his product through the mail. He told Agent Galetti that he communicated with his source via electronic mail and paid him through electronic transfer from his bank. Agent Galetti told Mr. CUNNIUS that he was interested in making money and asked if Mr. CUNNIUS would introduce him to his source. Mr. CUNNIUS said he did not believe his source would talk to Agent Galetti. Mr. CUNNIUS also claimed the product was genuine and he had not experienced any trouble with the product. However, he said some people said they did not think the product was "legit" and he would tell them to "go to the store and pay $500.00."
20. After speaking to Agents Galetti and Browne about his source, Mr. CUNNIUS walked to a back bedroom where he opened a closet and produced the requested software. Agent Galetti accepted the software and again asked Mr. CUNNIUS if he could be introduced to his source. Mr. CUNNIUS advised he would speak to his source. Mr. CUNNIUS provided Agent Galetti with one copy each of Microsoft Office Professional 2010, Windows 7 Home Premium, Windows 7 Professional, and Windows 7 Ultimate. Agent Galetti paid Mr. CUNNIUS a total of $450.00.
21. On December 22, 2010, I provided the boxes of software that Agents Galetti and Browne purchased from Mr. CUNNIUS on December 21, 2010, to Microsoft product identification specialist Brittany Carmichael. Ms. Carmichael inspected the software and determined it was counterfeit based on many of the same counterfeit features discovered on the products purchased on December 13, 2010, and October 28, 2010. According to Microsoft the software that Agents Galetti and Browne purchased on December 21, 2010, for $450.00 had an estimated retail price of approximately $1,320.00.
22. I know based on my conversations with Mr. Studhalter and others at Microsoft Corporation that the word Microsoft is a registered trademark on the principal register of the United States Patent and Trade Office. I also know that the word Microsoft is registered as a trademark for the sale of software (among many other uses for which the word Microsoft is a registered trademark).
RELEVANT STATUTES
A. Criminal Copyright Infringement
23. Title 17, United States Code, Sections 506(a) and (b) provide in relevant part:
(a) Criminal infringement. —
(1) In general. — Any person who willfully infringes a copyright shall be punished as provided under section 2319 of title 18, if the infringement was committed —
(A) for purposes of commercial advantage or private financial gain;
(B) by the reproduction or distribution, including by electronic means, during any 180-day period, of 1 or more copies or phonorecords of 1 or more copyrighted works, which have a total retail value of more than $1,000.
B. Trafficking in Counterfeit Goods
24. Title 18, United States Code, Section 2320(a) and (b) provide in relevant part:
(a) Whoever; intentionally traffics or attempts to traffic in goods or services and knowingly uses a counterfeit mark on or in connection with such goods or services, or intentionally traffics or attempts to traffic in labels, patches, stickers, wrappers, badges, emblems, medallions, charms, boxes, containers, cans, cases, hangtags, documentation, or packaging of any type or nature, knowing that a counterfeit mark has been applied thereto, the use of which is likely to cause confusion, to cause mistake, or to deceive, shall, if an individual, be fined not more than $2,000,000 or imprisoned not more than 10 years, or both.
BACKGROUND REGARDING COPYRIGHTS
25. Based on my training and experience, I know the United States Copyright Office is an agency of the United States which promotes the progress of the arts and protection for the works of authors. The United States Copyright Office is also the office of record where claims to copyright are registered and where documents relating to copyright may be recorded when the requirements of the copyright law are met.26. In general terms, copyright is a form of protection provided by law for original works of authorship, including literary, dramatic, musical, architectural, cartographic, choreographic, pantomimic, pictorial, graphic, sculptural, and audiovisual creations. "Copyright" literally means the right to copy. The term has come to mean that body of exclusive rights granted by law to authors for protection of their work. The owner of a copyright has the exclusive right to reproduce, distribute, and, in the case of certain works, publicly perform or display the work; to prepare derivative works; in the case of sound recordings, to perform the work publicly by means of a digital audio transmission; or to license others to engage in the same acts under specific terms and conditions. Copyright protection does not extend to any idea, procedure, process, slogan, principle, or discovery.
BACKGROUND REGARDING TRADEMARKS
27. Based on my training and experience, I know the United States Patent and Trademark Office (USPTO) is an agency of the United States which promotes the progress of science and the useful arts by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries ( Article I, Section 8 of the United States Constitution). Among USPTO's major functions are the examination and registration of trademarks and the dissemination of trademark information. Through the registration of trademarks, USPTO assists businesses in protecting their investments, promoting goods and services, and safeguarding consumers against confusion and deception in the marketplace. By disseminating trademark information, USPTO promotes an understanding of intellectual property protection and facilitates the development and sharing of new technologies worldwide. Registration of a producer's trademark on USPTO's principal register gives notice to the world of the producer's exclusive right to use and to protect that trademark.
28. In general terms, a trademark is a word, name, symbol, or device, or any combination thereof, that is intended to distinguish one producer's goods from those of other producers and to indicate the source of the goods. Trademark law helps ensure that a trademark can serve this function of distinguishing a producer's goods, because it prohibits other producers from using a similar mark in a way that is "likely to cause confusion" among consumers (i.e. by making consumers wonder which producers created which products). Trademark law broadly prohibits uses of trademarks, trade names, and trade dress that are likely to cause confusion about the source of a product or service.
COPYRIGHTS AND TRADEMARKS RELEVANT TO THIS INVESTIGATION
29. Based on my training and experience, I know that Microsoft develops, advertises, markets, distributes, and licenses a number of computer software programs. Microsoft's software programs are recorded on certain electronic media, including magnetic diskettes, CD-ROMs, and/or DVD-ROMs, and they are packaged and distributed together with associated proprietary materials such as user guides, user manuals, end-user license agreements (EULAs), Certificates of Authenticity (COA), and other components.30. Microsoft Certificates of Authenticity are special certificates or labeling components that are distributed with Microsoft software programs in order to help end-users verify whether they have genuine Microsoft software. COAs are manufactured with special security features, such as interwoven threads, holograms, and ultra-violet ink, that make unauthorized duplication difficult.
31. Microsoft distributes unique Product Keys to its licensees. Each Product Key consists of a 25-character alphanumeric code arranged in five groups of five characters each. Product Keys are needed to unlock certain software programs and enable their use. Because media containing Microsoft's copyrighted software is capable of being installed on a potentially unlimited number of computers, Microsoft relies on the unique Product Keys, and in some cases activation features within the software, to prevent or at least restrict the installation and use of its software by unauthorized third parties. Product Keys are printed on, among other things, COAs.
32. COAs accompanying Microsoft software provide licensees of genuine Microsoft software with Product Keys that allow such customers to install and run genuine Microsoft software on their computers.
33. There are various restrictions on the distribution of Microsoft software. For example, certain Microsoft Original Equipment Manufacturer (OEM) and System Builder software is licensed for distribution only with a new personal computer (PC). The sale or other distribution of individual copies of OEM or System Builder Microsoft software, not as part of the distribution of a new PC, is not authorized by Microsoft.
34. Based on my knowledge and experience, I know that Microsoft has registered a number of copyrights, and trademarks and/or service marks, with the United States Copyright and United States Patent and Trademark Offices, respectively. Microsoft has been and still is, the sole owner of all rights, title and interest in, and to, its copyrights, trademarks, and/or service marks, and has made continuous use of these copyrights, trademarks, and/or service marks.
COMPUTER SEARCH RELATED DEFINITIONS
35. A "forensic image" is a complete and accurate copy of every bit and byte on the subject drive including hidden, deleted, or encrypted data. A forensic image will include all data, not just the data available and visible to the user utilizing the devices' operating system. Law enforcement typically attempts to create a forensic image of any digital device that may contain data or items within the scope of a search warrant in order to secure the data in a forensically sound manner prior to conducting a search. Because data on a digital device is affected by every action of the user, law enforcement will typically search the forensic image rather than the actual device in order to ensure the integrity of the data or items searched. The creation of a forensic image of the data to be searched is analogous to the process of securing a physical search location. A forensic image may be created of either a physical drive or a logical drive. A physical drive is the actual physical hard drive that may be found in a typical computer. When law enforcement creates a forensic image of a physical drive, the image will contain every bit and byte on the physical drive. A logical drive, also known as a partition, is a dedicated area on a physical drive that may have a drive letter assigned (for example the c: and d: drives on a computer that actually contains only one physical hard drive). Therefore, creating an image of a logical drive does not include every bit and byte on the physical drive.
36. "Email" or electronic mail is a method of exchanging digital messages, which are transmitted over a communications network, such as the Internet, an internal network (ie. Local Area Network), or mobile/cellular telephone service.
PROBABLE CAUSE THAT EVIDENCE WILL BE FOUND ON DIGITAL DEVICES AT THE SUBJECT PREMISES
37. As set forth above and in Attachment B to this Affidavit, I seek permission to search for and seize evidence, fruits and instrumentalities of the above-referenced crimes that might be found on the SUBJECT PREMISES, in whatever form they are found. Based on the information I have learned in this investigation, I believe evidence related to how Mr. CUNNIUS obtained counterfeit software, how Mr. CUNNIUS paid for counterfeit software and how Mr. CUNNIUS distributed counterfeit software is likely to be discovered on digital devices. Therefore, I am requesting permission to search for and seize any computers or digital devices that may be located at the subject premises.
"Digital device" includes any electronic device capable of processing and/or storing data in digital form, including, but not limited to: central processing units, laptop or notebook computers, peripheral input/output devices such as keyboards, printers, scanners, plotters, monitors, and drives intended for removable media, related communications devices such as modems, cables and connections, electronic storage media, electronic/digital security devices, wireless communication devices such as telephone paging devices, beepers, mobile or cellular telephones, personal data assistants ("PDAs"), iPods, blackberries, digital cameras, and digital gaming devices.
38. As outlined above, Mr. CUNNIUS stated that he communicates with his source of software via electronic mail. In addition, Mr. CUNNIUS stated that he paid his source through electronic transfers from his bank. Furthermore, Agents Galetti and Browne observed personal computers in Mr. CUNNIUS' apartment and Mr. CUNNIUS discussed computers extensively with the agents. I also know based on the information set forth above, that Mr. CUNNIUS advertises the sale of software via the internet classified service Craigslist and that many of his advertisements contain digital photographs of the products he advertises for sale. Therefore, I believe digital devices are likely to be found at the subject premises and that they are likely to contain evidence including electronic mail correspondence with Mr. CUNNIUS' source, evidence of internet banking transactions, and evidence of his advertisements and marketing of counterfeit software.
39. I also know based on my training and experience that computers may be utilized by more than one user. In order to determine exactly who else may be responsible for obtaining and trafficking in the counterfeit software purchased from Mr. CUNNIUS, I am asking for permission to search for evidence of dominion and control of any digital device located at the subject premises. In order to determine who may have been using the computers at the relevant time, I am asking for permission to search for things such as: 1) evidence of how the digital devices' logins are maintained; 2) whether the digital devices' are password protected; 3) whether there are multiple accounts on the digital devices; 4) what accounts are on the digital devices; 5) internet history that may reveal the identity of the particular users of the digital devices; 7) evidence of software that would allow remote access to the computer; 8) evidence of malware or viruses (or the lack thereof) that would allow others to control the digital devices; 9) evidence of security software designed to detect and/or defeat malware.
PAST EFFORTS TO OBTAIN EVIDENCE
40. Because of the nature of the evidence that I am attempting to obtain and the nature of the investigation, I have not made any prior efforts to obtain the evidence based on the consent of the SUBJECT. Based on my training and experience, I believe that Mr. CUNNIUS would probably refuse to consent to a search of his residence and any of his computer equipment and/or digital devices. I also believe, based upon the nature of the investigation, that if Mr. CUNNIUS becomes aware of the investigation in advance of the execution of a search warrant, he may attempt to destroy any potential evidence, whether digital or non-digital, thereby hindering law enforcement agents from the furtherance of the criminal investigation. Therefore, I have not attempted to obtain this evidence from Mr. CUNNIUS.
41. I am aware of one e-mail account that Mr. CUNNIUS has used in the past. In January 2011, I interviewed a former customer of Mr. CUNNIUS who stated that Mr. CUNNIUS has an e-mail account with the service provider Comcast. I have not yet attempted to obtain a search warrant for this account. I may request a search warrant for this account in the future, depending on the outcome of this search. I believe a search of Mr. CUNNIUS' computers will yield evidence of his electronic mail communications with his source and may reveal additional e-mail accounts in addition to the account he has with Comcast.
SEARCH AND/OR SEIZURE OF DIGITAL DEVICES
42. Based on my training and experience and my consultation with other agents who have specialized training and experience in searching for electronic evidence, I know that every type and kind of information, data, record, sound or image can exist and be present as electronically stored information on any of a variety of computers, computer systems, digital devices, and other electronic storage media. I also know that electronic evidence can be moved easily from one digital device to another. As a result, I believe that electronic evidence may be stored on any digital device present at the search site.
43. Based on my training and experience, and my consultation with other agents who have specialized training and experience in searching for electronic evidence, I know that in some cases the items set forth in Attachment B may take the form of files, documents, and other data that is user-generated and found on a digital device. In other cases, these items may take the form of other types data — including in some cases data generated automatically by the devices themselves.
44. Based on my training and experience, and my consultation with other agents who have specialized training and experience in searching for electronic evidence, I believe that if digital devices are found on the SUBJECT PREMISES, there is probable cause to believe that the items set forth in Attachment B will be stored in those digital devices for a number of reasons, including but not limited to the following:
a. Once created, electronically stored information ("ESI") can be stored for years in very little space and at little or no cost. A great deal of ESI is created, and stored, moreover, even without a conscious act on the part of the device operator. For example, files that have been viewed via the Internet are sometimes automatically downloaded into a temporary Internet directory or "cache," without the knowledge of the device user. The browser often maintains a fixed amount of hard drive space devoted to these files, and the files are only overwritten as they are replaced with more recently viewed Internet pages or if a user takes steps to delete them. This ESI may include relevant and significant evidence regarding criminal activities, but also, and just as important, may include evidence of the identity of the device user, and when and how the device was used. Most often, some affirmative action is necessary to delete ESI. Even when such action has been deliberately taken, ESI can often be recovered, months or even years later, using forensic tools.
b. Wholly apart from data created directly (or indirectly) by user-generated files, digital devices — in particular, a computer's internal hard drive — contain electronic evidence of how a digital device has been used, what is has been used for, and who has used it. This evidence can take the form of operating system configurations, artifacts from operating systems or application operations, file system data structures, and virtual memory "swap" or paging files. Computer users typically do not erase or delete this evidence, because special software is often required for that task. However, it is technically possible for a user to use such software to delete this type of information — and, the use of such special software may itself result in ESI that is relevant to the criminal investigation.
45. In addition, based on my training and experience and that of other agents who have specialized training and experience in searching for electronic evidence, I know that in most cases it is impossible to successfully conduct a complete, accurate, and reliable search for electronic evidence stored on a digital device during the physical search of a search site for a number of reasons, including but not limited to the following:
a. Technical Requirements: Searching digital devices for criminal evidence is a highly technical process requiring specific expertise and a properly controlled environment. The vast array of digital hardware and software available requires even digital experts to specialize in particular systems and applications, so it is difficult to know before a search which expert is qualified to analyze the particular system(s) and electronic evidence found at a search site. As a result, it is not always possible to bring to the search site all of the necessary personnel, technical manuals, and specialized equipment to conduct a thorough search of every possible digital device/system present. In addition, electronic evidence search protocols are exacting scientific procedures designed to protect the integrity of the evidence and to recover even hidden, erased, compressed, password-protected, or encrypted files. Since ESI is extremely vulnerable to inadvertent or intentional modification or destruction (both from external sources or from destructive code embedded in the system such as a "booby trap"), a controlled environment is often essential to ensure its complete and accurate analysis.
b. Volume of Evidence: The volume of data stored on many digital devices is typically so large that it is impossible to search for criminal evidence in a reasonable period of time during the execution of the physical search of a search site. A single megabyte of storage space is the equivalent of 500 double-spaced pages of text. A single gigabyte of storage space, or 1,024 megabytes, is the equivalent of 500,000 double-spaced pages of text. Computer hard drives are now being sold for personal computers capable of storing up to two terabytes (2,048 gigabytes of data.) And, this data may be stored in a variety of formats or encrypted (several new commercially available operating systems provide for automatic encryption of data upon shutdown of the computer.)
c. Search Techniques: Searching the ESI for the items described in Attachment B may require a range of data analysis techniques. In some cases, it is possible for agents and analysts to conduct carefully targeted searches that can locate evidence without requiring a time-consuming manual search through unrelated materials that may be commingled with criminal evidence. In other cases, however, such techniques may not yield the evidence described in the warrant, and law enforcement personnel with appropriate expertise may need to conduct more extensive searches, such as scanning areas of the disk not allocated to listed files, or peruse every file briefly to determine whether it falls within the scope of the warrant. These methodologies, techniques and protocols may include the use of a "hash value" library to exclude normal operating system files that do not need to be further searched.
46. In accordance with the information in this affidavit, law enforcement personnel will execute the search of digital devices seized pursuant to this warrant as follows:
a. Upon securing the search site, the search team will conduct an initial review of any digital devices/systems to determine whether the ESI contained therein can be searched and/or duplicated on site in a reasonable amount of time and without jeopardizing the ability to accurately preserve the data.
b. If based on their training and experience, and the resources available to them at the search site, the search team determines it is not practical to make an on-site search, or to make an on-site copy of the ESI within a reasonable amount of time and without jeopardizing the ability to accurately preserve the data, then the digital devices will be seized and transported to an appropriate law enforcement laboratory for review and to be forensically copied ("imaged,") as appropriate.
c. In order to examine the ESI in a forensically sound manner, law enforcement personnel with appropriate expertise will produce a complete forensic image, if possible and appropriate, of any digital device that is found to contain data or items that fall within the scope of Attachment B of this Affidavit. In addition, appropriately trained personnel may search for and attempt to recover deleted, hidden, or encrypted data to determine whether the data fall within the list of items to be seized pursuant to the warrant. In order to search fully for the items identified in the warrant, law enforcement personnel may then examine all of the data contained in the forensic image/s and/or on the digital devices to view their precise contents and determine whether the data fall within the list of items to be seized pursuant to the warrant.
d. The search techniques that will be used will be only those methodologies, techniques and protocols as may reasonably be expected to find, identify, segregate and/or duplicate the items authorized to be seized pursuant to Attachment B to this affidavit.
e. If, after conducting its examination, law enforcement personnel determine that any digital device is an instrumentality of the criminal offenses referenced above, the government may retain that device during the pendency of the case as necessary to, among other things, preserve the instrumentality evidence for trial, ensure the chain of custody, and litigate the issue of forfeiture. If law enforcement personnel determine that a device was not an instrumentality of the criminal offenses referenced above, it shall be returned to the person/entity from whom it was seized within 90 days of the issuance of the warrant, unless the government seeks and obtains authorization from the court for its retention.
f. Unless the government seeks an additional order of authorization from any Magistrate Judge in the District, the government will return any digital device that has been forensically copied, that is not an instrumentality of the crime, and that may be lawfully possessed by the person/entity from whom it was seized, to the person/entity from whom it was seized within 90 days of seizure.
g. If, in the course of their efforts to search the subject digital devices, law enforcement agents or analysts discover items outside of the scope of the warrant that are evidence of other crimes, that data/evidence will not be used in any way unless it is first presented to a Magistrate Judge of this District and a new warrant is obtained to seize that data, and/or to search for other evidence related to it. In the event a new warrant is authorized, the government may make use of the data then seized in any lawful manner.
47. In order to search for ESI that falls within the list of items to be seized pursuant to Attachment B to this Affidavit, law enforcement personnel will seize and search the following items (heretofore and hereinafter referred to as "digital devices), subject to the procedures set forth above:
a. Any digital device capable of being used to commit, further, or store evidence of the offense(s) listed above;
b. Any digital device used to facilitate the transmission, creation, display, encoding or storage of data, including word processing equipment, modems, docking stations, monitors, printers, cameras, plotters, encryption devices, and optical scanners;
c. Any magnetic, electronic or optical storage device capable of storing data, such as thumbdrives, memory sticks, CD-ROMs, CD-R, CD-RWs, DVDs, optical disks, printer or memory buffers, smart cards, PC cards, memory calculators, electronic dialers, electronic notebooks, personal digital assistants, floppy disks, hard disks, and tapes;
d. Any documentation, operating logs and reference manuals regarding the operation of the digital device, or software;
e. Any applications, utility programs, compilers, interpreters, and other software used to facilitate direct or indirect communication with the device hardware, or ESI to be searched;
f. Any physical keys, encryption devices, dongles and similar physical items that are necessary to gain access to the digital device, or ESI; and
g. Any passwords, password files, test keys, encryption codes or other information necessary to access the digital device or ESI.
CONCLUSION
48. Based on the information in this Affidavit, I also believe that the digital device/s at the SUBJECT PREMISES are instrumentalities of crime and constitute the means by which violations of Title 18, United States Code, Sections 2319 and 2320 have been committed. Therefore, I believe that in addition to seizing the digital devices/systems to conduct a search of their contents as set forth herein, there is probable cause to seize those digital devices/system as instrumentalities of the criminal activity. _______________________________________ MICHAEL J. LARSON, Affiant Special Agent U.S. Immigration and Customs Enforcement SUBSCRIBED and SWORN to before me this _______________ day of February, 2011. (Briefly describe the property to be searched or identify the person by name and address _________________________________ JAMES P. DONOHUE United States Magistrate Judge UNITED STATES DISTRICT COURT for the Western District of Washington In the Matter of the Search of ) ) ) ) ) Case No. The residence located at 2305 Rucker Avenue, ) Apt. 5, Everett, Washington 98201 ) )SEARCH AND SEIZURE WARRANT
To: Any authorized law enforcement officer An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the Western District of Washington (identify the person or describe the property to be searched and give its location):See Attachment A, attached hereto and incorporated herein
The person or property to be searched, described above, is believed to conceal (identify the person or describe the property to be seized):
See Attachment B, attached hereto and incorporated herein
I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property. YOU ARE COMMANDED not to exceed 10 days
to execute this warrant on or before ______________________________________ () [] in the daytime 6:00 a.m. to 10 p.m. [] at any time in the day or night as I find reasonable cause has been established. Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken.The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory as required by law and promptly return this warrant and inventory to United States Magistrate Judge JAMES P. DONOHUE ( name). 18 U.S.C. § 2705 (check the appropriate box) (not to exceed 30). Judge's signature Seattle, Washington JAMES P. DONOHUE, United States Magistrate Judge Printed name and title Return
[] I find that immediate notification may have an adverse result listed in (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched or seized [] for _____ days [] until, the facts justifying, the later specific date of _____________________. Date and time issued: ___________________________________ _______________________________________ City and state: Case No.: Date and time warrant executed: Copy of warrant and inventory left with: Inventory made in the presence of: Inventory of the property taken and name of any person(s) seized:Certification
I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge. Executing officer's signature Printed name and title Date: _______________ ______________________________________________ _________________________________________ATTACHMENT A SUBJECT PREMISES
The SUBJECT PREMISES at 2305 Rucker Avenue, Apartment 5, Everett, Washington 98201 is more fully described as:a two-story apartment building located near the intersection of Rucker Avenue and 23rd Street. The apartment building is tan or taupe in color; however, the lower level of the west side of the structure has a red brick facade. The west side of the house has a red entry door, and a single-car garage door. The number two thousand three hundred five (2305) is affixed to the brick facade to the left of the red entry door. On the north side of the building, there is a covered external stairway with entry doors on both the upper and lower levels. Apartment number five is located on the upper level of the building and the entry door to the unit is light green in color and marked with the number five.
ATTACHMENT B ITEMS TO BE SEIZED
The items to be seized are the following items that constitute evidence, fruits, and instrumentalities of the crimes of Criminal Copyright Infringement in violation of Title 18, United States Code, Section 2319 and Trafficking in Counterfeit Goods in violation of Title 18, United States Code, Section 2320.
1. The following records, documents, files, or materials, in whatever form, including handmade or mechanical form (such as printed, written, handwritten, or typed); photocopies or other photographic form; and electrical, electronic, digital and magnetic form (in storage on or in media such as tapes, cassettes, hard disks, floppy disks, diskettes, compact disks, CD-ROMs, DVDs, optical disks, printer buffers, smartcards, electronic notebooks, memory cards, USB thumb drives, mobile or cellular phones, personal data assistants, or any other storage medium):
a. Counterfeit software and counterfeit software components including, boxes, labels, packaging, stickers, wrappers, emblems, medallions, documentation, license agreements, manuals, end user license agreements, and/or certificates of authenticity;
b. Records relating to the purchase and/or sale of software including invoices, purchase orders, correspondence with customers and/or suppliers of software, inventory lists, advertisements;
c. Records relating to the exporting or importing of computer software to or from countries other than the United States;
d. Records relating to licensing agreements for the distribution of computer software;
e. Shipping records including U.S. Mail, Federal Express, United Parcel Service, or any other common carrier;
f. Correspondence with Customs and Border Protection regarding any seizures of counterfeit software;
g. Correspondence with Microsoft Corporation or its affiliates regarding the distribution of counterfeit software;
h. Any books, papers, internet history, documents, pamphlets, or other materials regarding counterfeit software;
i. Records related to the posting of advertisements for the sale of software on Internet classified advertising services such as eBid, Craigslist, Amazon.com and/or eBay, including drafts of advertisements, photographs of products advertised, account information, sales history, customer feedback reports, payment records, customer complaints, and correspondence with the classified advertisement service provider;
j. Any and all financial records present at the subject premises, including: checking and savings account bank statements; deposit or withdrawal records; safe deposit box records and keys; investment or brokerage account statements; cashier's check receipts; check books; receipts; wire transfer records; electronic funds transfer records; cancelled checks; credit card account statements and receipts; records of employment and earnings; bank loan or credit applications; business books and records; and telephone records;
k. Any and all evidence of dominion and control of the subject premises and/or any digital devices located at the subject premises;
l. Any and all United States currency, cashier's checks, money orders, travelers checks, and other monetary instruments;
2. Digital devices and/or their components, including:
a. Any digital devices and storage device capable of being used to commit, further, or store evidence of the offense listed above;
b. Any digital devices used to facilitate the transmission, creation, display, encoding or storage of data related to criminal copyright infringement and/or trafficking in counterfeit goods, including modems, docking stations, monitors, cameras, printers, plotters, encryption devices, and optical scanners;
c. Any magnetic, electronic or optical storage device capable of storing data, such as floppy disks, hard disks, tapes, CD-ROMs, CD-R, CD-RWs, DVDs, optical disks, printer or memory buffers, smart cards, PC cards, memory calculators, electronic dialers, electronic notebooks, and personal digital assistants;
d. Any applications, utility programs, compilers, interpreters, and other software used to facilitate direct or indirect communication with the computer hardware, storage devices, or data to be searched;
e. Any physical keys, encryption devices, dongles and similar physical items that are necessary to gain access to the computer equipment, storage devices or data; and
f. Any passwords, password files, test keys, encryption codes or other information necessary to access the computer equipment, storage devices or data.
g. Evidence of who used, owned or controlled any seized digital device/s at the time the things described in this warrant were created, edited, or deleted, such as logs, registry entries, saved user names and passwords, documents, and browsing history;
h. Evidence of the attachment to the digital device/s of other storage devices or similar containers for electronic evidence;
i. Evidence of counter-forensics programs (and associated data) that are designed to eliminate data from a digital device;
j. Evidence of the times the digital device/s was used.
k. Any other ESI from the digital device/s necessary to understand how the digital device was used, the purpose for its use, who used it, and when.