A great deal of media attention has been paid to the contents of Anthony Weiner’s laptop computer, including the existence of emails between or among Hillary Clinton and Huma Abedin. However, questions about the legality of investigative actions taken with respect to the computer have largely been overlooked. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, examines these issues as part of a comprehensive review of the legal issues pertaining to electronic evidence gathered and sought during criminal and civil investigations. A version of this article originally appeared on CybersecurityDocket. I would like to thank John for his willingness to publish his article as a guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.
Amid the exhaustive punditry and analysis concerning FBI Director James Comey’s startling disclosure of a rejuvenated Hillary Clinton criminal investigation, some critical questions seem to have gotten lost in the shuffle. Namely, what are the legalities involved when handling Anthony Weiner’s (or anyone else’s) laptop computer; and could Anthony Weiner’s lawyers have avoided this entire situation had they been more careful?
This article comprehensively analyzes the multiple and complex legal issues relating to the Weiner laptop computer and offers some useful advice for managing these issues thoughtfully, cautiously, prudently and successfully.
The FBI and The Weiner Laptop Computer
FBI Director James Comey’s Oct. 28 bombshell letter to Congress – which even the U.S. Department of Justice has indicated as potentially affecting the presidential election – was apparently triggered by an investigation into the sexting habits of, and a 15-year-old girl’s possible illicit affair with, thrice-disgraced former U.S. Congressman Weiner.
In Director Comey’s letter to Congress, he states that the FBI has recently discovered additional emails between or among Hillary Clinton and Huma Abedin that are pertinent to the previously concluded investigation into whether Hillary Clinton mishandled classified information using a private server from her home in Chappaqua, N.Y.
In an internal email to FBI employees, Comey wrote: “Of course, we don’t ordinarily tell Congress about ongoing investigations, but here I feel an obligation to do so given that I testified repeatedly in recent months that our investigation was completed. I also think it would be misleading to the American people were we not to supplement the record.”
Next, after apparently reviewing the reported 650,000 emails in seven days, Director Comey wrote a second letter to Congress dated November 6, 2016, stating: “ . . . we reviewed all of the communications that were to or from Hillary Clinton while she was Secretary of State . . . Based on our review, we have not changed our conclusions that we expressed in July with respect to Secretary Clinton.”
How did Weiner’s laptop computer come to contain the Clinton/Abedin emails? This is unclear, though the facts surrounding their seizure/collection/recovery are beginning to crystallize. Abedin reportedly asserts that she herself did not even know that the Weiner laptop computer warehoused the Clinton/Abedin emails. Abedin reportedly used the laptop computer to back up her smartphone, and thereby (either intentionally, unknowingly and/or inadvertently) somehow transferred the emails to the Weiner laptop computer. Abedin reportedly testified under oath that she told the FBI of all possible devices that might contain any Clinton or State Department emails but omitted any mention of the Weiner laptop computer during her testimony.
How the FBI obtained the laptop of Weiner also remains unclear and is critical to understanding the many legal issues triggered by its analysis. It appears that the Weiner laptop computer came to be in the FBI’s possession when, on October 3, 2016, New York FBI agents executed a search warrant to obtain Weiner’s iPhone, an iPad and the laptop.
However, given that the Clinton/Abedin emails were not within the scope of the original search warrant (which was likely limited to data pertaining to Weiner’s alleged illicit relationship, sexting and other related conduct), it also appears that the FBI had not read, analyzed or perhaps even seen the actual Clinton/Abedin emails on the Weiner laptop computer.
What predictably ensued was a frantic weekend where the U.S. Department of Justice reportedly applied for a search warrant for the Abedin/Clinton emails, which was apparently authorized by a federal judge, and a review of the reported 650,000 emails has begun. The review will likely entail: 1) de-duping of any identical emails in the batch; 2) an electronic review via key word search or other similar methodology of the remaining emails or other data; and 3) a forensic analysis of the hard drive for any relevant remnants, artifacts, fragments or residue from any deleted or otherwise trashed emails.
It does not appear that law enforcement (e.g. the FBI or NYPD) stormed the Manhattan apartment of Anthony Weiner and seized his laptop. Rather, it looks like Weiner cooperated and his attorneys somehow bargained for Weiner’s consent to voluntarily turn over his laptop as well as any other electronic devices in his possession, custody, or subject to his control — perhaps (or perhaps not) negotiating the terms, scope and breadth of the turnover.
Whether Weiner’s counsel possesses a forensic image of the Weiner laptop computer’s hard drive, which would of course aid them in a competent defense of their client, remains unclear. And whether Weiner’s counsel had any opportunity to review the data on the Weiner laptop computer and other devices beforehand also remains unclear.
What The Weiner Laptop Computer Might Contain
However it got into the hands of law enforcement, the Weiner laptop computer could contain a virtual treasure trove of important evidence relating to the investigation into whether Hillary Clinton mishandled classified information.
The evidentiary possibilities are almost infinite. Not surprisingly, so-called ESDs (“electronic storage devices” such as laptop and desktop computers, company servers, individual smartphones and tablets and any other hard drive, thumb drive or virtual storage contraption or facility) have time and again provided law enforcement with the 21st century equivalent of the proverbial smoking gun.
In Weiner’s case, his alleged illicit sexting and possible unlawful relationship with a minor has accidentally engulfed Hillary Clinton – because his device contained “active data” such as actual emails or perhaps email headers or other related cache pertaining to Clinton’s role as Secretary of State or her role in any other possible criminal undertaking or conspiracy, including obstruction of justice.
But the evidentiary possibilities do not stop there. The “active data” on the Weiner laptop computer will not only contain exculpatory or inculpatory email communications and other relevant data. The Weiner laptop computer likely also includes gigabytes of irrelevant private and personal information of Weiner, Abedin or anyone else who used the device for any purpose, including Weiner and Abedin friends, family, colleagues, etc.
The Weiner laptop computer could also include information protected by domestic or foreign statute or requiring notice of disclosure per contract; personal health information of Weiner, Abedin or other family and friends; or privileged communications with counsel or attorney work product.
Given the likely scenario that the FBI Agents charged with analyzing the laptop did not have authority to review data other than that specified in the search warrant, some semblance of the Clinton/Abedin emails were probably active data “in plain view” during the review of the Weiner laptop computer, which triggered the heightened scrutiny and the need for a new search warrant.
Most users have no idea of the contents of the “inactive data” on their ESDs, such as data within deleted recoverable files, unallocated and slack space or the boot sector, found during a digital forensic deep dive of a hard drive.
This kind of “inactive” evidence, which is rarely “in plain view,” can contain unanticipated inculpatory information – and has ushered in an exciting and extraordinary era of a scientific approach towards identifying, capturing, harvesting, warehousing, perusing and ultimately introducing critical evidence at trial.
To illustrate the extraordinary impact of digital evidence, consider the history of traditional documentary evidence used in trials and prosecutions. For instance, the typical office worker has a trash bin in his or her office and discards written documents into that trash bin throughout the day. At the end of the day or week, the contents of this trash bin are then emptied and transferred into a dumpster in the basement of the office building. At the end of the week, the trash dumpster is emptied and its contents are transported to a landfill or other trash facility. Historically, once emptied into a trash bin, discharged into a dumpster and/or transported to a landfill, any evidence contained in those places was very difficult, costly and challenging for law enforcement to recover.
But in today’s virtual world of ESDs and universal digital communications, not only are the virtual trash bins, dumpsters and landfills immediately accessible to the government – even a sledgehammer or a blow torch might not fully destroy the evidence contained therein.
Why is data so hard to destroy? Of course, with respect to an email, once sent, the sender typically loses any control over its contents and thereby has little chance of securing its deletion. With respect to documentary data, such as a letter, memorandum, presentation, notes from a meeting, etc., when that data file is deleted, its address is merely changed to unallocated space, but the text remains in free space unless it is overwritten, either intentionally or in the course of a device’s normal operating processes.
Similarly, at the end of every saved file is “slack space”, which contains various unexpected remnants, fragments and artifacts, including text from other files that were deleted then overwritten by shorter files and text that was never intentionally saved (perhaps forgotten, hidden on the device or otherwise in ‘‘not-so-plain’’ view).
These hidden files on laptops and other so-called ESDs can include an almost infinite hoard of evidence, which a user perhaps believed had already been intentionally deleted or, even worse, simply never knew existed. This is probably why Hillary Clinton or her advisers instructed her IT team to delete her files using BleachBit, a data wiping tool that purports to wipe disks so clean of data that “even God can’t read them.”
Whether active data or inactive data, electronic evidence can also present challenges relating to its authenticity and relevance, when seeking its admissibility in a civil or criminal proceeding. For instance, a teenage child, a family friend, or even a visiting contractor could be using the Weiner/Abedin computer for unlawful purposes and could have, for instance, left evidence along those lines in unallocated or slack space – wrongly implicating Weiner or Abedin.
The Law Regarding the Weiner Laptop Computer
There are grave consequences when the government obtains a laptop from a witness, object, target, defendant or any other investigatory classification — and the risks of turning over a device to the government, without defense counsel’s proper review of that device, are considerable.
Defense counsel must not only understand the technological results of the review, examination, analysis or forensic deep dive of an ESD but must also understand the legal issues triggered when the government requests; subpoenas; seizes via search warrant; or otherwise obtains or recovers the ESD of an American citizen.
Search Warrants and ESDs
First and foremost, the Fourth Amendment to the Constitution states that no search warrant can be issued unless it “particularly describes the place to be searched and the things to be seized.”
Thus the law has developed that with respect to federal criminal search warrants for ESDs, the government must limit its searches of ESDs with the same particularity required of any search, and the government must: (1) explain how relevant data will be distinguished from irrelevant data; (2) note how the information will relate specifically to the underlying allegations; and (3) follow detailed protocols to avoid revealing non-responsive information, privileged information and other protected information. These search warrants of federal criminal authorities are subject to judicial oversight, when the prosecutor applies for the search warrant from a federal judge before their issuance.
Along these lines, an affidavit and application for a warrant to search a computer are in most respects the same as any other search warrant affidavit and application:
- The affiant swears to facts that establish that there is probable cause to believe that evidence of crime (such as records), contraband, fruits of crime, or instrumentalities of crime is present in a private space (such as a computer’s hard drive, or other media, which in turn may be in another private space, such as a home or office); and
- The warrant describes with particularity the things (records and other data, or perhaps the computer itself) to be searched and seized.
By the same token, like any other warrant describing with particularity the “things to be seized,” a search warrant for an ESD has two distinct elements. First, the warrant must describe the things to be seized with sufficiently precise language so that it tells the officers how to separate the items properly subject to seizure from irrelevant items. Second, the description of the things to be seized should be limited to the scope of the probable cause established in the warrant. Considered together, the elements forbid government investigators from obtaining “general warrants” and instead require them to conduct narrow seizures that attempt to “minimize” unwarranted intrusions upon privacy.
For ESDs, if computer hardware is contraband, evidence, fruits, or instrumentalities of crime, the warrant must describe the hardware itself. If the probable cause relates only to information, however, the warrant must describe the information to be seized, and then request the authority to seize the information in whatever form it may be stored (whether electronic or not).
The most critical distinction between a traditional search warrant and a search warrant of an ESD is the heightened level of particularity expected. When probable cause to search relates in whole or in part to information stored on the computer, the warrant must identify that information with particularity, focusing on the content of the relevant files rather than on the storage devices which may happen to contain them. In cases where the computer is merely a storage device for evidence, failure to focus on the relevant files may lead to a Fourth Amendment violation.
For instance, FBI agents cannot simply request permission to seize “all records” from an operating business unless agents have probable cause to believe that the criminal activity under investigation pervades the entire business. Likewise, seeking in a warrant “any and all data, including but not limited to” a list of items, a similarly dangerous phrase, also lacks particularity and has also been held to turn a computer search warrant into an unconstitutional general warrant.
Along these lines, search warrants for ESDs should also include some sort of temporal particularity with respect to the relevant time period of any potential criminal violation; otherwise, they are subject to a successful challenge.
This notion of particularity is critical. Even in its own guidelines pertaining to the search and seizure of computers, the Department of Justice itself acknowledges that the law prefers searches of all things, including computer data, to be as “discrete and specific possible,” and advises federal prosecutors and agents to describe with particularity the specific set of techniques they will use to distinguish incriminating documents intermingled with innocuous ones.
If possible, Weiner’s counsel should have bargained for keeping a forensic copy of the hard drive of the Weiner laptop computer, rather than the laptop itself; this way, counsel could have an opportunity to review the same evidence that the government is reviewing.
In many cases, rather than seize an entire computer for on-site review, FBI agents can instead create a digital copy of the hard drive that is identical to the original in every relevant respect. This copy is called a “forensic image copy” — a copy that identically duplicates every bit and byte on the ESD, including the unallocated space, the slack space, the boot sector, master file table, and metadata in exactly the order they appear on the original. The forensic image copying also uses a process that does not disrupt the data contained on the ESD such as the “creation date” of a Word document; the “read date” of an email; or the “last accessed date” of a presentation.
Making a forensic image of an ESD is a professional and meticulous exercise. An image cannot be created by simply dragging and dropping icons or running conventional backup programs; the process of imaging usually involves opening the computer case and connecting the investigator’s own hardware directly to the hard drive.
In occasional cases, investigators will make the image copy on-site; however, with limited exceptions, courts will accept that the imaging and search of a hard drive or other media requires too much time to conduct on-site during the execution of a warrant.
In fact, examining an ESD for evidence of crime is nearly always a time consuming process. Even if the investigators know specific information about the files they seek, the data may be mislabeled, encrypted, stored in hidden directories, or embedded in slack space that a simple file listing will ignore. Thus the typical search warrant will explain why it is necessary to image an entire hard drive (or physically seize it) and later examine it for responsive records.
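The following Python sketch is an added example, not part of the original article or any tool it mentions. It uses a constructed toy disk (a hypothetical `ToyDisk` class with 32-byte clusters and made-up file contents) to show the two points made above: deleted text survives in unallocated and slack space, and a file-by-file copy misses what a bit-for-bit forensic image preserves.

```python
"""Toy cluster-based disk, constructed for illustration (not a real file system)."""

CLUSTER = 32  # bytes per cluster; real file systems commonly use 4096


class ToyDisk:
    def __init__(self, clusters=8):
        self.raw = bytearray(CLUSTER * clusters)  # every byte on the "drive"
        self.table = {}                           # name -> (cluster list, length)
        self.free = list(range(clusters))         # unallocated clusters, lowest first

    def save(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))   # ceiling division
        if need > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(used):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the rest of the cluster
            # keeps whatever an earlier file left there (slack space).
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = (used, len(data))

    def delete(self, name):
        # Deletion only drops the table entry and marks clusters free.
        used, _ = self.table.pop(name)
        self.free = sorted(self.free + used)

    def read(self, name):
        used, length = self.table[name]
        data = b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in used)
        return data[:length]

    def logical_copy(self):
        """What drag-and-drop or a conventional backup sees: active files only."""
        return {name: self.read(name) for name in self.table}

    def forensic_image(self):
        """Bit-for-bit copy of the whole device, in on-disk order."""
        return bytes(self.raw)

    def slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        used, length = self.table[name]
        last = used[-1]
        start = last * CLUSTER + (length - (len(used) - 1) * CLUSTER)
        return bytes(self.raw[start:(last + 1) * CLUSTER])

    def unallocated(self):
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)


def find_hits(blob, keywords):
    """Keyword search over raw bytes; returns {keyword: [byte offsets]}."""
    hits = {}
    for kw in keywords:
        offsets, pos = [], blob.find(kw)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(kw, pos + 1)
        if offsets:
            hits[kw.decode()] = offsets
    return hits


def demo():
    disk = ToyDisk()
    # Constructed sample content: exactly two clusters long.
    memo = b"MEMO: wire the funds to account 7731 before the audit on Friday."
    disk.save("memo.txt", memo)
    disk.delete("memo.txt")                  # user believes the memo is gone
    disk.save("list.txt", b"milk, eggs")     # shorter file reuses cluster 0

    keywords = [b"funds", b"7731"]
    logical = disk.logical_copy()
    return {
        "logical": logical,
        "logical_hits": find_hits(b"\n".join(logical.values()), keywords),
        "image_hits": find_hits(disk.forensic_image(), keywords),
        "slack": disk.slack("list.txt"),
        "unallocated": disk.unallocated(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The file-level copy contains only the shopping list, while the image still holds the tail of the deleted memo in the slack of `list.txt` and its second half in an unallocated cluster.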
Federal Criminal Grand Jury Subpoenas for ESDs
Aside from the legal standards involved, the two most significant practical differences between a grand jury subpoena seeking an ESD and a search warrant allowing for the seizure of an ESD are: 1) the opportunity for counsel to object, and negotiate a response to the subpoena’s specific demands; and 2) the opportunity to create a forensic image of the ESD that the government has subpoenaed.
When subpoena recipients do not want to comply with a grand jury subpoena, they can challenge it by filing a motion to quash with the court that supervises the grand jury. The motion to quash says, essentially, that the subpoena should not be enforced for specific reasons, such as that the subpoena would violate the attorney-client privilege; that the subpoena lacks sufficient particularity; or that the subpoena is overbroad.
By moving to quash a grand jury subpoena, defense counsel in effect raises the bar for the government because, unlike a search warrant, the government issues grand jury subpoenas without any showing of probable cause; with only limited constitutional restrictions; or without any other reason to believe relevant evidence will be produced. In fact, a grand jury “can investigate merely on suspicion the law is being violated, or even just because it wants to assure that it is not.” This power to investigate, based on mere suspicion, makes defending against grand jury subpoenas extremely difficult.
Thus, with respect to federal criminal grand jury subpoenas for ESDs, the government does not necessarily avoid the probable cause and particularity requirements of a search warrant. Criminal subpoenas for devices capable of being used for data storage with no express safeguard against a subsequent rummaging through, and seizure of, irrelevant as well as relevant data (such as a judicially sanctioned search methodology), do not withstand Fourth Amendment reasonableness scrutiny.
A Mixed Batch of Federal Cases
With respect to grand jury subpoenas for actual ESDs, there is only a small amount of emerging case law and precedent. The few cases addressing this issue have recognized the centrality of relevance and particularity, in the ways in which they balance the two.
The especially important issue arising in the few reported ESD subpoena cases is whether the government: 1) can require a person or a business to produce ESDs; or 2) must instead focus the subpoena’s demands on producing particular information that is relevant to the grand jury’s inquiry.
In an early 1994 New York computer evidence case, a federal court held that requiring someone to produce hard drives and other computer hardware, simply to give the government access to some of the data stored in those devices, was unreasonable because it was analogous to requiring a business to produce all its file cabinets. The New York court granted the subpoena recipient’s motion to quash and told the grand jury to try again, this time with a subpoena that only required the production of information relevant to its investigation.
In a similar 2006 Pennsylvania case, the court found that a grand jury subpoena for an ESD was overbroad and vacated the lower court’s order enforcing it, without prejudice . . . which means the state attorney general’s office could try again with another more carefully drafted subpoena. The court noted that one way to resolve the problem would be for the lower court to appoint a neutral expert who would review the data on the hard drives and decide what should, and what should not, be produced to the attorney general.
The Pennsylvania court explained, however, that “any direct and compelled transfer to the executive branch of general-use media computer hardware should be pursuant to a due and proper warrant, issued upon probable cause.”
Several years later, in a 2007 New York case, a federal judge downplayed the dangers of insufficiently particular subpoenas. The grand jury subpoena in that case sought:
“Computers, hard drives, and any other devices or equipments [sic] capable of storing data or text in any format, including but not limited to cellular telephones, personal digital assistants, and any other storage media capable of containing data or text in magnetic, electronic, optical, digital, analog, or any other format, used to store information described above . . .”
The New York court found that, “the subpoena here specifies, albeit broadly, the information that is sought . . .. [I]n the less stringent context of a subpoena [as compared to a warrant], it adequately restricts the production to relevant documents.” The court thus implicitly questioned the analogy of data stores to file cabinets: as long as a digital store contains some piece of relevant information, the prosecution can demand the production of the entire store.
However, in a 2006 Maine case, the court took an opposite position, emphasizing the importance of particularity. The subpoena at issue requested, among other things, “[a]ny computer equipment and storage device capable of being used to commit, further, or store documents or data described [in the subpoena].”
The Maine court found that requesting all devices “capable of being used” for data storage was, by definition, overbroad under the Fourth Amendment, citing to a number of search warrant cases. Ultimately, the Maine court concluded that a subpoena that “requests the turnover of all computers (and related objects) . . . with no express safeguard against a subsequent rummaging through, and seizure of, irrelevant as well as relevant data . . . cannot withstand Fourth Amendment reasonableness scrutiny,” suggesting that the reasonableness standard is met only by subpoenas that explain how relevant data will be distinguished from irrelevant data.
Most recently, the Ninth Circuit chimed in to “take the opportunity to guide our district and magistrate judges in the proper administration of search warrants and grand jury subpoenas for electronically stored information.” Specifically, the Ninth Circuit emphasized the reality that “over-seizing is an inherent part of the electronic search process” and called “for greater vigilance on the part of judicial officers in striking the right balance between the government’s interest in law enforcement and the right of individuals to be free from unreasonable searches and seizures.”
The FBI Discovery of Abedin/Clinton Emails on the Weiner Laptop Computer
Finding commingled data on one single laptop like the Weiner laptop computer, e.g. belonging to Abedin and pertaining to irrelevant activities, is not unusual and will trigger certain law enforcement protocols.
Few computers are dedicated to a single purpose; rather, computers can perform many functions, such as “postal services, playgrounds, jukeboxes, dating services, movie theaters, daily planners, shopping malls, personal secretaries, virtual diaries, and more.” Thus, almost every hard drive encountered by law enforcement will contain records that have nothing to do with the investigation. The Fourth Amendment governs how investigators may search among the commingled records to isolate those records that are called for by the warrant.
The Supreme Court has noted that in a search of commingled records, “it is certain that some innocuous documents will be examined, at least cursorily, in order to determine whether they are, in fact, among those papers authorized to be seized.” Therefore, responsible officials, including judicial officials, must take care to assure that searches are conducted “in a manner that minimizes unwarranted intrusions upon privacy.”
For instance, when an FBI Agent encounters data on a laptop outside the scope of a search warrant, such as with the Abedin/Clinton emails found during its ostensibly unrelated search of the Weiner laptop computer, courts have set forth guidelines for an agent’s review of commingled records to identify data (such as emails) that fall within the scope of a warrant.
Some older cases appear to suggest that when agents executing a search encounter commingled records, they should seize the records, and then seek additional approval from the magistrate before proceeding – which appears to be the situation with the Weiner laptop computer.
For example, the Ninth Circuit, writing about a search of paper files in an age before computer searches were common, suggested that in the “comparatively rare instances” where “documents are so intermingled that they cannot feasibly be sorted on site,” law enforcement “can avoid violating fourth amendment rights by sealing and holding the documents pending approval by a magistrate of a further search.”
One leading case allows a “brief perusal” of each document, and requires that “the perusal must cease at the point of which the warrant’s inapplicability to each document is clear,” just like, “the police may look through . . . file cabinets, files and similar items and briefly peruse their contents to determine whether they are among the documentary items to be seized.”
The Second Weiner Search Warrant
If a document falls outside the scope of the warrant but nonetheless is incriminating, that document’s “seizure” is permissible only if during that brief perusal the document’s “otherwise incriminating character becomes obvious.” This was probably the situation with the Weiner laptop computer: while the existence of the Clinton/Abedin emails was clear, their relevance and inculpatory value were probably not.
It appears that Director Comey’s team was following DOJ guidelines, which state that when it becomes necessary for an investigator to personally examine a computer file to determine whether it falls within the scope of the warrant, the investigator must take all necessary steps to analyze the file thoroughly, but the investigator should cease the examination of that file as soon as it becomes clear that the warrant does not apply to that file. This is perhaps why Director Comey appeared to have little idea of the content of the actual Clinton/Abedin emails – and only knew of their existence.
Obtaining the second warrant can be critical. In a 1999 federal case, detectives obtained a warrant to search the defendant’s computer for records of narcotics sales. Searching the computer back at the police station, a detective discovered images of child pornography. At that point, the detective “abandoned the search for drug-related evidence” and instead searched the entire hard drive for evidence of child pornography. The Tenth Circuit suppressed the child pornography, holding that the subsequent search for child pornography exceeded the scope of the original warrant because law enforcement may not expand the scope of a search beyond its original justification.
Weiner’s Consent to Search His Laptop
The issue of consenting to a search, whether of a computer, a premises or even of a person, can be a confusing one. In computer crime cases, where devices such as a laptop are at issue, two consent issues arise particularly often.
First, when does a search exceed the scope of consent? For example, when someone consents to the search of a location, to what extent does the consent authorize the retrieval of information stored in computers at the location?
Second, who is the proper party to consent to a search? Do spouses (or estranged spouses like Weiner), roommates, friends, and parents have the authority to consent to a search of another person’s computer files?
With respect to the search of Weiner’s laptop, the nature and scope of Weiner’s consent was probably an issue – which is another reason why the FBI had to request that DOJ apply for a second search warrant.
Computer cases often raise the question of whether general consent to search a location or item implicitly includes consent to access the memory of electronic storage devices encountered during the search. In such cases, courts look to whether the particular circumstances of the investigator’s request for consent implicitly or explicitly limited the scope of the search to a particular type, scope, or duration. Because this approach ultimately relies on fact-driven notions of common sense, results reached in published judicial decisions have hinged upon subtle (if not entirely inscrutable) distinctions.
In matters like those involving the Weiner laptop computer, when FBI agents obtain consent for one reason (a possible illicit relationship with a 15-year-old girl) but then conduct a search for another reason (misuse of classified information), the FBI agents must be careful to make sure that the scope of consent encompasses their actual search.
Whatever method the FBI is using to review the Weiner laptop computer is probably permissible, even if Weiner’s counsel negotiated a specific method for the electronic review of the Weiner laptop computer. The scope of consent usually relates to the target item, location, and purpose of the search, rather than the search methodology used.
For example, in a 2005 federal case, an FBI agent received permission to conduct a “complete search” of the defendant’s computer for child pornography. The agent explained that he would use a “pre-search” disk to find and display image files, allowing the agent to easily ascertain whether any images contained child pornography. When the disk, for unexplained reasons, failed to function, the agent conducted a manual search for images, eventually discovering several pieces of child pornography. Although the agent ultimately used a different search methodology than the one he described to the defendant, the court approved the manual search because it did not exceed the scope of the described disk search.
Consent and Search Methodology
Even though both he and Abedin use it, Weiner can likely give consent to search the laptop. Absent an affirmative showing that the consenting spouse has no access to the computer searched (physical access, as in a separate locked room, or technological access, as in password protection), the courts generally hold that either spouse may consent to a search of all of the couple’s property. Even a wife who had left her husband could consent to a search of a jointly owned home even though the husband had changed the locks.
Most spousal consent searches are valid, sometimes even when estranged, as is the case between Weiner and Abedin. For example, in one 1998 Illinois case, a man named Smith was living with a woman named Ushman and her two daughters. When allegations of child molestation were raised against Smith, Ushman consented to the search of his computer, which was located in the house in an alcove connected to the master bedroom.
Although Ushman used Smith’s computer only rarely, the district court held that she could consent to the search of Smith’s computer. Because Ushman was not prohibited from entering the alcove and Smith had not password-protected the computer, the court reasoned, she had authority to consent to the search. Even if she lacked actual authority to consent, the court added, she had apparent authority to consent.
ESDs and Privileged Communications
With respect to any communications on the Weiner laptop computer with specially protected relationships such as with their counsel or their doctor, FBI agents must exercise special care when orchestrating their computer search, which could result in the seizure of legally privileged documents such as medical records or attorney-client communications.
Two issues must be considered. First, agents must make sure that the search will not violate the attorney general’s regulations relating to obtaining confidential information from disinterested third parties. Second, agents should devise a strategy for reviewing the seized computer files following the search so that no breach of a privilege occurs.
Along those lines, the FBI agents performing the search of the Weiner laptop computer will have likely devised a post-seizure strategy for screening out the privileged files and will have likely described that strategy in their search warrant affidavit.
If The FBI Did Not Obtain a Second Search Warrant for the Weiner Laptop Computer
According to DOJ guidelines, in situations like the Weiner laptop computer email discoveries, if the FBI decides against obtaining a second search warrant, there are other options for reviewing the newly discovered data — though the preferred practices for determining who precisely will comb through potentially unrelated files vary widely among different courts. In general, however, there are three options.
First, the court itself may review the files in camera. Second, the presiding judge may appoint a neutral third party known as a “special master” to the task of reviewing the files. Third, a team of prosecutors or agents who are not working on the case may form a “filter team” or “taint team” to help execute the search and review the files afterwards. The filter team sets up a so-called “ethical wall” between the evidence and the prosecution team, permitting only unprivileged files to pass over the wall – and ensuring that its procedures adequately protect the defendants’ rights and that no prejudice occurs.
Thus, with respect to the Weiner laptop computer, DOJ could, for example, have asked the chief judge of the federal district handling the Weiner investigation to appoint a court-supervised special master to take charge of the Clinton/Abedin emails.
Using procedures fair to both law enforcement and to Weiner and Abedin, a special master could determine if the emails reveal evidence of a crime. The drawback of this scenario is that the FBI would be ceding control of the investigation to a third party (almost like when DOJ appoints an independent prosecutor), an option which can have dramatic and unanticipated consequences.
Governmental Regulatory Investigations and ESD
Civil investigations, and the demand or subpoena of ESDs by civil regulatory agencies as opposed to criminal law enforcement agencies, present an entirely different paradigm, one that is unfortunately too often wholly misunderstood.
Consider the SEC’s current practice of issuing administrative subpoenas for ESDs in their civil litigation and administrative proceedings involving securities schemes, such as insider trading, market manipulation and financial reporting fraud.
The SEC is an exceptional federal government agency — staffed with a dedicated corps of highly-credentialed professionals, inspired by a noble sense of mission, and rich with an 80+ year history of investor advocacy. But sometimes the SEC gets carried away and exceeds its statutory authority. This is the case with the SEC’s recent use of subpoenas demanding that witnesses provide their ESDs to the SEC staff.
SEC ESD Subpoenas: De Facto Search Warrants
The SEC’s authority for subpoenas is derived from Section 21 of the Securities Exchange Act of 1934, the same act that established the SEC on June 6th of that year. The Act specifically states:
“For the purpose of any such investigation, or any other proceeding under this title, any member of the Commission or any officer designated by it, is empowered to administer oaths and affirmations, subpoena witnesses, compel their attendance, take evidence, and require the production of any books, papers, correspondence, memoranda, or other records which the Commission deems relevant or material to the inquiry…” (emphasis added)
The SEC’s right to access “records” clearly contemplates something akin to a document (or other form of data), and nowhere in any statute, rule or regulation is the staff granted authority to access physical equipment such as a file cabinet containing documents, whether that file cabinet is made of metal, wood or circuitry. This means that the SEC’s subpoena for ESD is more akin to an unlawful seizure than a rightful document demand.
In addition to the questionable legality of the practice of subpoenaing devices, as mentioned earlier, the risks of turning over a device to the SEC without defense counsel’s proper review of that device are considerable.
- First, the “active data” on these devices could include irrelevant private and personal information of the user, as well as the user’s friends, family, colleagues, clients, customers, etc. The devices could also include information protected by domestic or foreign statute or requiring notice of disclosure per contract. Information loaded onto the machine by another user, or privileged communications with counsel or attorney work product could also be on the machine.
- Second, most users have no idea of the contents of the so-called “inactive data” on their ESDs, such as deleted recoverable files, or data located in the hard drive’s unallocated space or slack space, found during a digital forensic deep dive of a hard drive.
Given the SEC’s lengthy list of its Routine Uses of Information (contained in its Forms 1662 and 1661, and given to all witnesses), the SEC staff can refer any information it discovers (whether active data or inactive data) to any other investigative, prosecutorial or regulatory authority and a slew of other agencies and organizations. Thus, the ramifications of the SEC’s misguided ESD subpoenas are quite serious and could result in a witness, who is merely being investigated in a civil regulatory investigation, being carted off in handcuffs for a wholly unrelated criminal violation relating to information found on his or her laptop computer.
The SEC’s “Neutral” Solution
When analyzing ESDs, the SEC digital forensics lab theoretically operates as an in-house neutral examiner, in order to advise the SEC investigatory staff with candor, veracity and transparency.
Along those lines, the SEC typically offers a compromise to witnesses who object to producing their ESDs. Specifically, the SEC offers the witness the alternative of producing their ESDs to the SEC digital forensics lab, rather than to the SEC’s investigators. The lab team will then search the ESDs, and, in turn, only provide relevant, non-privileged and otherwise relevant data to the SEC investigatory team.
This is a potentially foolish and dangerous arrangement for SEC witnesses.
First off, the SEC forensics team is not adequately positioned (or trained) to advocate on behalf of a witness and parse the data appropriately. Moreover, just like the SEC investigatory staff, the SEC forensic staff cannot waive the SEC’s Routine Uses of Information cited above. In fact, the SEC forensics team may be lawfully required to share the witnesses’ data with other law enforcement authorities, such as possible top secret or otherwise classified data; possible child pornography; or data that might relate to a crime. Once a witness produces an ESD to the government, that ESD is no longer in the witness’s possession, custody or control; instead, every byte of that ESD now belongs to the government.
SEC Subpoena Enforcement
SEC subpoenas are administrative subpoenas that are not self-enforcing — i.e., unlike grand jury subpoenas, there is no formal avenue of objection other than to refuse to comply. Once the SEC can establish a witness’s non-compliance with a subpoena, the SEC must then file a federal court case, asking a judge to order a witness to comply with that subpoena.
Yet defense counsel are loath to refuse to comply with SEC subpoenas; thus, like grand jury objections, there is a paucity of case law on the subject. Why? Because refusing to comply with an SEC subpoena can:
- Strike a perceivably uncooperative tone with the SEC staff, which can reduce the likelihood of receiving any form of cooperation credit later on;
- Trigger a costly and injurious SEC subpoena enforcement action. Defending an SEC federal action is not only expensive; the SEC subpoena enforcement action also provides the SEC the chance to air any of its preliminary investigative findings in a public filing—which are normally kept confidential until the filing of an actual enforcement action;
- Prompt the SEC staff to seek a broad and sweeping asset freeze; and
- Rile the SEC staff inadvertently, escalating the SEC’s interest in a witness or creating other unintended consequences that increase unwanted, unnecessary and costly investigative scrutiny.
The Future of Federal Civil Subpoenas for ESDs
Historically, logistical concerns, rather than legal constraints, hindered a civil agency’s use of overbroad subpoenas. An overbroad subpoena could result in a witness’ “backing up the truck” to that agency’s headquarters and dumping hundreds or even thousands of boxes of documents in response, creating a logistical nightmare, not just to review, but even to inventory, causing lengthy investigation delays.
But those days are long gone. Document productions that filled warehouses and required months for legions of government regulators and analysts to review now merely require a silicon microchip for their storage, and a few hours (or even minutes) for one reviewer to scrutinize.
Technology has transformed the investigative playing field, empowering civil federal agencies in pioneering ways to examine, segregate and peruse data. To their credit, when it comes to electronic evidence in particular, the SEC and other civil agencies have become more creative, more resourceful and more effective than ever.
However, the fact that technology facilitates searches and seizures does not mean the SEC or any other civil regulatory agency has the authority to conduct them. Unlike the FBI and the U.S. Department of Justice, the SEC and other civil regulators are not criminal agencies and operate under their own unique, and far less limiting, civil legal framework.
For instance, unlike criminal agencies, the SEC makes no distinction among targets, subjects or witnesses, which means that throughout an SEC investigation innocent bystanders are treated exactly the same as suspected perpetrators. Also, unlike grand jury subpoenas and search warrants, SEC administrative subpoenas rarely (if ever) are even seen by a judge, let alone approved by one.
It was quite a shock when the imbroglio resulting from Anthony Weiner’s sexting scandal and possible criminal behavior suddenly spilled over into the 2016 presidential race. But beyond the sordid allegations and endless cable news and social media chatter, it is clear that unique and crucial issues arise when searching ESDs, like a laptop computer, for evidence.
While the availability of ESDs is a boon for government investigators, it also raises the danger that a grand jury or governmental investigatory agency can too easily engage in arbitrary fishing expeditions that can easily trample upon fundamental statutory and constitutional rights.
Given in particular the CSI-like high-tech wizardry now routinely used by the government to collect, warehouse and review digital evidence, there has emerged a new field of legal expertise, where a mastery of precedent and criminal procedure is no longer enough to safeguard individual rights. Nowadays, much more is required, including a comprehensive understanding of terabyte-storing devices and cloud servers; digital forensics and data analytics; electronic search protocols; and a host of other emerging evidentiary-related technological hardware and virtual procedures.
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other booksellers.