
Plain View Doctrine in Digital Evidence Cases — A Common Sense Approach

October 19, 2009

By Larry E. Daniel

For some time now, various authors have suggested eliminating plain view from searches of computer hard drives and other digital evidence.

The issue with plain view in computer searches is a misunderstanding of what a computer search is versus a forensic examination of a computer hard drive. In his article, “Why the Plain View Doctrine Should Not Apply to Digital Evidence” in the Suffolk Journal of Trial and Appellate Advocacy, RayMing Chang writes:

    “Searches pursuant to warrants for digital property are easily transformed into general searches of a suspect's digital property because police, by necessity, must perform a comprehensive search of a suspect's digital property in order to properly execute a digital property warrant. Courts have already begun to apply the plain view doctrine in a manner that allows police to use anything found during a search of digital property (e.g., computers) as evidence of crimes beyond the scope of the warrant. General searches are proscribed by the Fourth Amendment. Therefore, courts should stop applying the plain view doctrine to digital evidence.” 1

More recently, the 9th Circuit Court of Appeals of the Western District advocated eliminating the plain view doctrine from digital evidence altogether, citing the apparent impossibility of applying the rules in precedent cases to this new form of evidence. (United States v. Tamura, 694 F.2d 591 (9th Cir. 1982))2

The problem with the current approach to the plain view doctrine, as it has been addressed by the courts and by various legal authors like Orin Kerr in his 2006 article in the Harvard Law Review, “Searches and Seizures in a Digital World,” is that they are making excellent legal arguments but are confusing a search of a computer with a forensic examination of a computer hard drive.

Kerr writes about the need to map the physical world to the virtual world of digital storage, because the laws are constructed based upon what happens in the physical world of a law enforcement officer examining a scene.3

While this is the correct approach, he falls into the trap of mistaking a forensic examination of a computer hard drive for a search of a computer. This is the fundamental disconnect in understanding how the plain view doctrine should be applied in digital evidence cases: what constitutes a search versus what is a forensic examination.

In this article I will attempt to define the difference between the two, with the proposal that a computer search should be defined much in the same way as the physical search of a room, where the plain view doctrine can be applied.

Alternatively, I will define what a forensic examination of a computer hard drive is and why the plain view doctrine cannot be applied to the results of a forensic examination.

In an article on plain view doctrine published at Police Link, John Ryan gave a good summation of the law and its interpretation in the physical arena. Citing Horton v. California and Arizona v. Hicks, Ryan writes:

“In its conclusion the Court held that a plain view doctrine seizure has three elements. First, the officer must already be lawfully present in an area protected by the 4th Amendment, second, the item must be out in plain view, and third, the officer must immediately recognize the item as evidence or contraband without making a further intrusion.”4

While some issues with digital evidence appear difficult, such as the over-seizing of evidence due to the massive storage capacity of digital media, applying the plain view doctrine is really a simple process.

However, it is only a simple process if you truly understand the difference between a forensic examination and a computer search as it would happen if the evidence were in the physical world. And to do that, the best method is to apply the current plain view doctrine to digital evidence in a common sense manner.

First, let’s review the three elements that govern the plain view doctrine:

  1. The officer must already be lawfully present in an area protected by the 4th Amendment.
  2. The item must be out in plain view.
  3. The officer must immediately recognize the item as evidence or contraband without making a further intrusion.

Taken at face value, it appears that there is no possibility of satisfying those requirements when searching digital evidence. And that would be the correct interpretation if one is attempting to apply those tests to digital evidence being forensically examined by an expert using forensic tools.

Rule number two is unenforceable if the tool being used forces items into plain view that could not be in plain view under “normal” circumstances.

By design, forensic tools violate rule number three by intrusively examining evidence that normally could not come into plain view.

In order for the plain view doctrine to be updated to work in the digital world, some common sense rules need to be applied.

For example, in the physical world going through files in a filing cabinet would allow an item to come into plain view in the normal process of opening those files. However, if a document in a foreign language was present and the investigator did not read that language, it could not come into plain view since it would not meet the requirement of being immediately recognized by the officer as illegal or contraband material, even though the officer can plainly see the document.

If you imagine that the hard drive is a room and in that room are filing cabinets (partitions, i.e., C:, D:), and in those filing cabinets are both folders containing files and files themselves, you have a good mapping of the virtual file structure of a hard drive to the physical equivalent of a room containing filing cabinets.

In searching through a physical filing cabinet, no special tools or skills are employed beyond the ability to open and look in folders and to read documents or peruse pictures.

If you equate that to a non-expert computer user sitting at the keyboard opening folders and looking at files while using no special skills or tools, you have basically the same operation. For any file the user can open and view without adding a tool or using special expert knowledge or forensic tools, the user should be able to regard the evidence they see as part of the search as being in plain view. This is the essence of a computer search.

Another example of equating a search in the physical world to a computer search would be the recycle bin on the computer. It is the same as an officer looking through the trash can at a scene. If there is trash in the bin, he can search it and see things in plain view. However, if the trash was picked up (the recycle bin was emptied, in computer parlance), then nothing that was previously in the trash could come into plain view. To find items that have been put in the computer trash bin and subsequently emptied requires a special forensic examination or recovery tool. That would be the same as having an officer on scene go to the county dump and recover the trash from the suspect’s home.

What I am advocating is that for the plain view doctrine to work in digital evidence cases, there must be the possibility of the evidence coming into plain view without the use of special computer skills, tools, or software.

There are hundreds to thousands of files on a computer hard drive. Many of them are not available to the user of the computer. Deleted files, files resident in unallocated space, and files in the internet cache are all in places that the computer operating system itself gives the user no method of getting to.

In order for any of these items to come into plain view, it would require a further intrusion beyond what is possible using the computer itself or non-special skills.

The underlying problem is that law enforcement uses boilerplate affidavit language for search warrants for computers and digital evidence that outlines all the ways that digital evidence can be hidden or protected by a person suspected of a crime. That language indicates clearly that such a search cannot satisfy the plain view doctrine, since it insists that there is a need to expose evidence that would not be available without special forensic tools and skills. This is a forensic examination of digital evidence; it is not a computer search.

The table below illustrates the difference between a computer search and a forensic examination of digital evidence. While this is not an exhaustive listing, it provides a foundation for understanding the difference in the two types of searches for digital evidence.

Computer Search v. Forensic Examination of Digital Evidence

| Evidence Type | Computer Search | Forensic Examination |
|---|---|---|
| Normal File | Yes | Yes |
| Deleted File in the Recycle Bin | Yes | Yes |
| Other Deleted Files | No | Yes |
| Misnamed File Extensions | No | Yes |
| Internet Cache Files | Limited | Yes |
| Internet History Files | Limited | Yes |
| Deleted Folders | No | Yes |
| Files in Unallocated Space | No | Yes |
| Password Protected Files | No | Yes |
| Password Protected Folders | No | Some |
| Hidden Files | No | Yes |
| Encrypted Files | No | Limited |
| Password Protected Data Files | No | Yes |
| Obscured Files | No | Yes |
| File Fragments | No | Yes |
| Outlook Email | Some | Yes |
| Internet Email Artifacts | No | Yes |
| Chat Artifacts | Some | Some |

A targeted forensic examination should be completely excluded from the plain view doctrine as it is an intrusive search and allows the examiner to see everything on the computer, regardless of its location or origin. That is a general statement, not a specific statement as it is well known in the digital forensics community that not everything can be found or viewed even with forensic software. However, it is also well known in the digital forensics community that evidence will be revealed that cannot be viewed by any other process.

Any item that can come into plain view in the area of digital evidence must be located in a manner in which it is reasonably possible for it to enter plain view, and then used to secure a subsequent warrant for an intrusive forensic examination of the digital evidence, not the other way around. And that is what is happening: the search cart is before the horse, with law enforcement beginning with a forensic examination and claiming plain view, instead of a computer search that would actually support plain view in the classical sense.

When the plain view doctrine is applied to the forensic examination of a computer, it is the equivalent of completely dismantling a house and its grounds to bring items into plain view: turning a specific search into a general search.

For specific searches of computer evidence that require the use of special skills or software such as database programs requiring a trained operator to retrieve information, the evidence provided to the government must exclude the doctrine of plain view and rely on the production and redaction of the evidence prior to its coming into possession of the government. In this regard, the 9th Circuit Court of Appeals of the Western District was dead right in its opinion.2

This would require the use of digital forensics or other appropriate expertise to determine if the source of the evidence in question could have come into plain view based on the possibility of the law enforcement officer viewing the evidence without the assistance of an expert or special tools or software programs.

To say that browsing through thousands of database records meets the restrictions of a specific warrant would be both illogical and unreasonable.

Going forward, basing the plain view doctrine in digital evidence upon the standard of conducting a computer search prior to a forensic examination, using non-specific skills and software, is the only way for digital evidence to meet the plain view doctrine in a way that satisfies all of the rules set up by the courts to govern plain view.

Excluding the forensic examination of digital evidence from the plain view doctrine would clear up much of the confusion regarding the application of the plain view doctrine in digital evidence cases and provide a common sense approach that is favorable to judicial interpretation and simple for law enforcement to implement, while protecting the rights of individuals as required by the 4th Amendment.

While the most common argument is that law enforcement must open all the files on a hard drive or other medium to determine if the file is evidence as described in the affidavit for the search warrant, it is simple to determine what would constitute an invasive search requiring a subsequent search warrant versus something that could be considered in plain view.

A good example would be a computer that contains the program QuickBooks. If there is suspicion that the financial records in the QuickBooks company data contain evidence of the crime specified in the search warrant, opening the files would make sense. However, if upon attempting to open the QuickBooks company file, a password were needed to view the data, then the data could not come into plain view.

The company file password could be easily cracked using special tools for that purpose; however, that should require a separate warrant to open a locked container and would be an invasive intrusion, precluding it from the plain view doctrine.

For the plain view doctrine to work in the digital world as it does in the physical, a distinction must be made between a computer search and digital forensic examination.

If you liken digital evidence to a DNA sample, DNA results cannot come into plain view simply because it requires a special test to determine the source of the DNA. It is not possible for the criminality of the DNA to be immediately apparent. The same is true for digital evidence that cannot be viewed outside of a forensic examination or via the use of special tools or skills.

That is the problem with the plain view doctrine as it has been interpreted for digital evidence to date: confusing a computer search with a forensic examination of digital evidence.

References:

  1. Chang, RayMing, Why the Plain View Doctrine Should Not Apply to Digital Evidence. Suffolk Journal of Trial and Appellate Advocacy, Vol. 12, pp. 31-67, Spring 2007. Available at SSRN: http://ssrn.com/abstract=949575
  2. United States v. Comprehensive Drug Testing, Inc. Available at: http://www.ca9.uscourts.gov/datastore/opinions/2009/08/26/05-10067eb.pdf
  3. Kerr, Orin S., Searches and Seizures in a Digital World. Harvard Law Review, Vol. 119, 2006; GWU Law School Public Law Research Paper No. 135. Available at SSRN: http://ssrn.com/abstract=697541
  4. Ryan, Jack, Plain View Doctrine. Police Link. Available at: http://policelink.monster.com/training/articles/2043-plain-view-doctrine-

Larry E. Daniel is CEO and the principal digital forensic consultant at Guardian Digital Forensics. Larry has over eight years of experience in digital forensics and twenty five years of experience in management, IT security, programming, and data recovery. Larry is the author of the blog Ex Forensis at www.exforensis.com and is the host of the popular internet radio show, Talk Forensics on BlogTalkRadio. Larry is a member of the American Society of Digital Forensics and E-Discovery, American College of Forensics Institute, and is an associate member of the National Association of Criminal Defense Lawyers.


Comments

Monday November 16 2009
Mr. Daniel, while your article is well written and comes from a knowledgeable background, I feel that you have failed to take this analysis to the next logical step. The forensic data recovery that takes place on a computer as a result of a search warrant is the prequel to the actual search and should be analyzed as such. The forensic data recovery makes the material searchable in the context of the 4th Amendment. The plain view doctrine must be applied at the search level, not at the prequel level. Thomas Sadaka
Wednesday November 11 2009
I've never been wholly convinced that plain sight can exist when reading anything from a hard drive or an SSD or a USB memory stick or a memory card requires a very, very complicated tool known as a computer.
I think plain sight works if a suspect leaves suspicious information displayed on the monitor when the police enter a room or printed to the chassis of the physical machine but how is something which is encoded in the magnetic surface of a hard drive easily accessible without further intrusion? I can see why people would want to stretch plain sight to apply but why should it be stretched if it doesn't fit? There is a genuine option for reformers to say that the right way to alter the law in this area is to say it doesn't really apply to computers because they're different.
Wednesday November 11 2009
This is interesting and I had not thought of the problem in this way before. However, after researching the 9th Circuit Decision, I wonder how you would apply this framework to the facts there. The main problem there was that the government had 10 names on a warrant, and those 10 names were in an Excel-like file that contained the names and drug testing results of hundreds of other athletes and regular folks. When the agents opened the file, hundreds of other names not associated with the investigation were all of a sudden in 'plain view' as your framework would suggest. The government wanted to keep ALL the info, presumably to pursue further investigation on all the listed players. Is this correct? How would CDT (the testing co.) get around this problem and keep such private information away from the government's prying eyes? Create a single Excel file with each customer's name as the title, and put a password on each one?
