APPENDIX A: Sample Network Banner Language

Network banners are electronic messages that provide notice of legal rights to users of computer networks.  From a legal standpoint, banners have four primary functions.  First, banners may be used to generate consent to real-time monitoring under Title III.  Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA.  Third, in the case of government networks, banners may eliminate any Fourth Amendment "reasonable expectation of privacy" that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).  Fourth, in the case of a non-government network, banners may establish a system administrator's "common authority" to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).



CCIPS does not take any position on whether providers of network services should use network banners, and, if so, what types of banners they should use.  Further, there is no formal "magic language" that is necessary.  However, it is important to realize that banners may be worded narrowly or broadly, and the scope of consent and waiver triggered by a particular banner will in general depend on the scope of its language.  Here is a checklist of issues that may be considered when drafting a banner:

Network providers who decide to banner all or part of their network should consider their needs and the needs of their users carefully before selecting particular language.  For example, a sensitive government computer network may require a broadly worded banner that permits access to all types of electronic information.  Here are three examples of broad banners:    

  1. WARNING!  This computer system is the property of the United States Department of Justice and may be accessed only by authorized users.  Unauthorized use of this system is strictly prohibited and may be subject to criminal prosecution.  The Department may monitor any activity or communication on the system and retrieve any information stored within the system.  By accessing and using this computer, you are consenting to such monitoring and information retrieval for law enforcement and other purposes.  Users should have no expectation of privacy as to any communication on or information stored within the system, including information stored locally on the hard drive or other media in use with this unit (e.g., floppy disks, PDAs and other hand-held peripherals, CD-ROMs, etc.).
  2. This is a Department of Defense (DoD) computer system.  DoD computer systems are provided for the processing of Official U.S. Government information only.  All data contained within DoD computer systems is owned by the Department of Defense, and may be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed in any manner, by authorized personnel.  THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM.  System personnel may disclose any potential evidence of crime found on DoD computer systems for any reason.  USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING, or CAPTURING and DISCLOSURE.
  3. You are about to access a United States government computer network that is intended for authorized users only.  You should have no expectation of privacy in your use of this network.  Use of this network constitutes consent to monitoring, retrieval, and disclosure of any information stored within the network for any purpose including criminal prosecution.

In other cases, network providers may wish to establish a more limited monitoring policy.  Here are three examples of relatively narrow banners that will generate consent to monitoring in some situations but not others:

  4. This computer network belongs to the Grommie Corporation and may be used only by Grommie Corporation employees and only for work-related purposes.  The Grommie Corporation reserves the right to monitor use of this network to ensure network security and to respond to specific allegations of employee misuse.  Use of this network shall constitute consent to monitoring for such purposes.  In addition, the Grommie Corporation reserves the right to consent to a valid law enforcement request to search the network for evidence of a crime stored within the network.
  5. Warning: Patrons of the Cyber-Fun Internet Café may not use its computers to access, view, or obtain obscene materials.  To ensure compliance with this policy, the Cyber-Fun Internet Café reserves the right to record the names and addresses of World Wide Web sites that patrons visit using Cyber-Fun Internet Café computers.
  6. It is the policy of the law firm of Rowley & Yzaguirre to monitor the Internet access of its employees to ensure compliance with law firm policies.  Accordingly, your use of the Internet may be monitored.  The firm reserves the right to disclose the fruits of any monitoring to law enforcement if it deems such disclosure to be appropriate.




APPENDIX B: Sample 18 U.S.C. 2703(d) Application and Order

NOTE: Sample information specific to a particular case is enclosed in brackets; this sample information should be replaced on a case-by-case basis. Language required only if the application seeks to obtain the contents of communications (and therefore requires customer notification) is in bold.



UNITED STATES DISTRICT COURT

FOR THE ______ DISTRICT OF _______

IN RE APPLICATION OF THE UNITED STATES OF AMERICA   )   MISC. NO. ____
FOR AN ORDER PURSUANT TO 18 U.S.C. § 2703(d)        )   Filed Under Seal

APPLICATION OF THE UNITED STATES

FOR AN ORDER PURSUANT TO 18 U.S.C. § 2703(d)



________, an Assistant United States Attorney for the ______ District of ______, hereby files under seal this ex parte application for an order pursuant to 18 U.S.C. § 2703(d) to require [name of provider or service], an [description of provider or service, e.g. an educational institution] located in the ______ District of _______ at _______________, which functions as [an electronic communications service provider AND/OR a remote computing service] for its [description of users, e.g. students, faculty and others] to provide records and other information [add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] and contents of a wire or electronic communication pertaining to [subscriber], one of its customers or subscribers.  The records and other information requested are set forth as an Attachment to the Application and to the proposed Order.  In support of this Application, the United States asserts:

LEGAL AND FACTUAL BACKGROUND

  1. The United States Government, including the Federal Bureau of Investigation and the Department of Justice, is investigating intrusions into a number of computers in the United States and abroad that occurred on [dates of intrusion], and which may be continuing.  The computers that have been attacked include [name(s) of intruded computer systems].
  2. These intrusions are being investigated as possible violations of, inter alia, [list possible charges, e.g. 18 U.S.C. 1030 (fraud and related activities in connection with computers) and 18 U.S.C. 2511 (interception and disclosure of wire, oral and electronic communications).]
  3. Investigation to date of these incidents provides reasonable grounds to believe that [provider or service] has records and other information pertaining to certain of its subscribers that are relevant and material to an ongoing criminal investigation.  Because [provider or service] functions as [an electronic communications service provider (provides its subscribers access to electronic communication services, including e-mail and the Internet) AND/OR a remote computing service (provides computer facilities for the storage and processing of electronic communications)], 18 U.S.C. § 2703 sets out particular requirements that the government must meet in order to obtain access to the records and other information it is seeking.
  4. Here, the government seeks to obtain three categories of information: (1) basic subscriber information; (2) records and other information pertaining to certain subscribers of [provider or service]; [Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] and (3) the contents of electronic communications in [provider or service] (but not in electronic storage). (1)
  5. A subpoena allows the government to obtain subscriber name, address, length and type of service, connection and session records, telephone or instrument number including any temporarily assigned network address, and means and source of payment information. 18 U.S.C. 2703(c)(2). The government may also compel such information through an order issued pursuant to 18 U.S.C. 2703(d). 18 U.S.C. 2703(c)(1)(B), (c)(2).
  6. To obtain records and other information pertaining to subscribers of an electronic communications service or remote computing service, the government must comply with 18 U.S.C. 2703(c)(1), which provides, in pertinent part:

A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity- . . .

(B) obtains a court order for such disclosure under subsection (d) of this section.

7. [Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] To obtain the contents of a wire or electronic communication in a remote computing service, or in electronic storage for more than one hundred and eighty days in an electronic communications system, the government must comply with 18 U.S.C. § 2703(b)(1)(B), which provides, in pertinent part:

A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph 2 of this subsection --

. . . .

(B) with prior notice from the government entity to the subscriber or customer if the governmental entity --

. . . .

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

8. [Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] 18 U.S.C. § 2703(b)(2) states that 2703(b) applies with respect to any wire or electronic communication that is held or maintained on a remote computing service --

(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such remote computing service; and

(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing.

9. Section 2703(d), in turn, provides in pertinent part:

A court order for disclosure under subsection (b) or (c) may be issued by any court that is a court of competent jurisdiction (2) and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation. . . . A court issuing an order pursuant to this section, on a motion made promptly by the service provider, may quash or modify such order, if the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on such provider.



Accordingly, this application sets forth the specific and articulable facts showing that there are reasonable grounds to believe that the materials sought are relevant and material to the ongoing criminal investigation into the attacks on [intruded computer systems].

THE RELEVANT FACTS

10. On [date intrusion was discovered], an unauthorized intrusion was discovered into the [intruded computer system]. Investigation into this incident revealed that the intruder had obtained so-called "root" or system administrator level access into the [intruded computer system], effectively giving him complete control of the system.

11. On [successive date(s) of intrusion] the intruder(s) again connected to the [intruded computer system]. Based on the identification number (IP number [999.999.999.999]) logged by the [investigating party] as the source of the intrusion, investigators were able to determine that the connection had originated from [provider or service].

12. [FURTHER SPECIFIC AND ARTICULABLE FACTS SHOWING REASONABLE GROUNDS TO BELIEVE MATERIALS SOUGHT ARE RELEVANT AND MATERIAL TO THE CRIMINAL INVESTIGATION]

13. The conduct described above provides reasonable grounds to believe that a number of federal statutes may have been violated, [including 18 U.S.C. , ].

14. Records of customer and subscriber information relating to [target of investigation] that are available from [provider or service], [Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] AND/OR the contents of electronic communications (not in electronic storage) that may be found at [provider or service] will help government investigators identify the individual(s) who are responsible for the unauthorized access of the computer systems described above and to determine the nature and scope of the intruder's activities. Accordingly, the government requests that [provider or service] be directed to produce all records described in Attachment A to this Application, which information is divided into several parts. Part A requests the account name, address, telephone number, e-mail address, billing information, and other identifying information for [target of investigation].

15. Part B consists of [target of investigation]'s "User Connection Logs" from [date] through the date of the court's order, for the computer account assigned to [target of investigation], and for the specific terminal he was found to be operating on [dates of intrusion]. Although the first known intrusion occurred on [earliest date of known intrusion], experience has shown that successful computer intrusions are usually preceded by scanning activity that helps would-be intruders identify potential targets and identify their vulnerabilities. In this case, investigators have determined that many [intruded computer systems] systems were scanned in this manner during [time period of intrusion]. As a result, this information is directly relevant to identifying the individuals responsible. The information should include the date and time of connection and disconnection, the method of connection to [provider or service], the data transfer volume, and information related to successive connections to other systems.

16. [Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] Part C requests the contents of electronic communications (not in electronic storage) that were placed or stored in [provider or service] computer systems in directories or files owned or controlled by the accounts identified in Part A. Investigators anticipate that these files may contain hacker tools, materials similar to those previously left on the [intruded computer system] computer found by the system administrators, and files containing unlawfully obtained passwords to other compromised systems. These stored files, covered by 18 U.S.C. 2703(b)(2), will help ascertain the scope and nature of the possible intrusion activity conducted by [target of investigation] from [provider or service]'s computers.

17. The information requested should be readily accessible to [provider or service] by computer search, and its production should not prove to be burdensome.

18. The United States requests that this Application and Order be sealed by the Court until such time as the court directs otherwise.

19. The United States further requests that pursuant to the preclusion of notice provisions of 18 U.S.C. § 2705(b), that [provider or service] be ordered not to notify any person (including the subscriber or customer to which the materials relate) of the existence of this order for such period as the court deems appropriate.  The United States submits that such an order is justified because notification of the existence of this order could seriously jeopardize the ongoing investigation.  Such a disclosure could give the subscriber an opportunity to destroy evidence, notify confederates, or flee or continue his flight from prosecution.  [Optional Buckley Amendment language for cases where provider is an educational institution receiving federal funding: The Government requests that [provider or service]'s compliance with the delayed notification provisions of this Order should also be deemed authorized under 20 U.S.C. § 1232g(b)(1)(j)(ii).  See 34 CFR § 99.31(a)(9)(i) (exempting requirement of prior notice for disclosures made to comply with a judicial order or lawfully issued subpoena where the disclosure is made pursuant to "any other subpoena issued for a law enforcement purpose and the court or other issuing agency has ordered that the existence or the contents of the subpoena or the information furnished in response to the subpoena not be disclosed")].

20. [Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] The United States further requests, pursuant to the delayed notice provisions of 18 U.S.C. § 2705(a), an order delaying any notification to the subscriber or customer that may be required by § 2703(b) to obtain the contents of communications, for a period of 90 days.  Providing prior notice to the subscriber or customer could seriously jeopardize the ongoing investigation, as such a disclosure would give the subscriber an opportunity to destroy evidence, change patterns of behavior, notify confederates, or flee or continue his flight from prosecution.

WHEREFORE, it is respectfully requested that the Court grant the attached Order, (1) directing [provider or service] to provide the United States with the records and information described in Attachment A; (2) directing that the Application and Order be sealed; (3) directing [provider or service] not to disclose the existence or content of the Order, except to the extent necessary to carry out the Order, and directing that three certified copies of this Order and Application be provided by the Clerk of this Court to the United States Attorney's Office; [Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] (4) directing that the notification by the government otherwise required under 18 U.S.C. 2703(b) be delayed for ninety days.

Executed on __________.



___________________________



Assistant United States Attorney

ATTACHMENT A



You are to provide the following information as printouts and as ASCII data files (or describe media on which you want to receive the information sought), if available:

A. The following customer or subscriber account information for any accounts registered to [subscriber], or associated with [subscriber]. For each such account, the information shall include:

1. name(s) and email address;

2. address(es);

3. local and long distance telephone connection records, or records of session times and durations;

4. length of service (including start date) and types of service utilized;

5. telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and

6. the means and source of payment for such service (including any credit card or bank account number).

B. User connection logs for:

(1) all accounts identified in Part A, above,

(2) the IP address [list IP address, e.g. 999.999.999.999],

for the time period beginning [date] through and including the date of this order, for any connections to or from [provider or service].



User connection logs should contain the following:

1. Connection time and date;

2. Disconnect time and date;

3. Method of connection to system (e.g., SLIP, PPP, Shell);

4. Data transfer volume (e.g., bytes);

5. Connection information for other systems to which user connected via [provider or service], including:

a. Connection destination;

b. Connection time and date;

c. Disconnect time and date;

d. Method of connection to system (e.g., telnet, ftp, http);

e. Data transfer volume (e.g., bytes);

f. Any other relevant routing information.

C. [Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] The contents of electronic communications (not in electronic storage (3)) that were placed or stored in [provider or service]'s computer systems in directories or files owned or controlled by the accounts identified in Part A at any time after [date of earliest intrusion] up through and including the date of this Order.

UNITED STATES DISTRICT COURT

FOR THE __________ DISTRICT OF _________

IN RE APPLICATION OF THE UNITED STATES OF AMERICA   )   MISC. NO. _____
FOR AN ORDER PURSUANT TO 18 U.S.C. § 2703(d)        )   Filed Under Seal


ORDER

This matter having come before the court pursuant to an application under Title 18, United States Code, Section 2703(b) and (c), which application requests the issuance of an order under Title 18, United States Code, Section 2703(d) directing [provider or service], an electronic communications service provider and a remote computing service, located in the ______ District of _______, to disclose certain records and other information, as set forth in Attachment A to the Application, the court finds that the applicant has offered specific and articulable facts showing that there are reasonable grounds to believe that the records or other information [Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] and the contents of a wire or electronic communication sought are relevant and material to an ongoing criminal investigation.

IT APPEARING that the information sought is relevant and material to an ongoing criminal investigation, and that prior notice of this Order to any person of this investigation or this application and order entered in connection therewith would seriously jeopardize the investigation;

IT IS ORDERED pursuant to Title 18, United States Code, Section 2703(d) that [provider or service] will, within three days of the date of this Order, turn over to agents of the Federal Bureau of Investigation the records and other information as set forth in Attachment A to this Order.

IT IS FURTHER ORDERED that the Clerk of the Court shall provide the United States Attorney's Office with three (3) certified copies of this Application and Order.

IT IS FURTHER ORDERED that the application and this Order are sealed until otherwise ordered by the Court, and that [provider or service] shall not disclose the existence of the Application or this Order of the Court, or the existence of the investigation, to the listed subscriber or to any other person, unless and until authorized to do so by the Court.  [Optional Buckley Amendment language: Accordingly, [provider or service]'s compliance with the non-disclosure provision of this Order shall be deemed authorized under 20 U.S.C. § 1232g(b)(1)(j)(ii).]

[Add only if the application seeks to obtain the contents of communications pursuant to 2703(b)] IT IS FURTHER ORDERED that the notification by the government otherwise required under 18 U.S.C. 2703(b)(1)(B) be delayed for a period of [ninety days].





____________________________

United States Magistrate Judge



___________

Date




APPENDIX C: Sample Language for Preservation Request Letters under 18 U.S.C. 2703(f)

[Internet Service Provider]
[Address]

VIA FAX to (xxx) xxx-xxxx

Dear :

          I am writing to [confirm our telephone conversation earlier today and to] make a formal request for the preservation of records and other evidence pursuant to 18 U.S.C. 2703(f) pending further legal process.

You are hereby requested to preserve, for a period of 90 days, the records described below currently in your possession, including records stored on backup media, in a form that includes the complete record. You also are requested not to disclose the existence of this request to the subscriber or any other person, other than as necessary to comply with this request. If compliance with this request may result in a permanent or temporary termination of service to the accounts described below, or otherwise alert the subscriber or user of these accounts as to your actions to preserve the referenced files and records, please contact me before taking such actions.

         This request applies only retrospectively.  It does not in any way obligate you to capture and preserve new information that arises after the date of this request.

 This preservation request applies to the following records and evidence:

 A.  All stored communications and other files reflecting communications to or from [Email Account / User name / IP Address or Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)];

B. All files that have been accessed by [Email Account / User name / IP Address or Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)] or are controlled by user accounts associated with [Email Account / User name / IP Address or Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)];

C. All connection logs and records of user activity for [Email Account / User name / IP Address or Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)], including;

 1.  Connection date and time;

 2.  Disconnect date and time;

 3.  Method of connection (e.g., telnet, ftp, http);

4. Type of connection (e.g., modem, cable / DSL, T1/LAN);

 5.  Data transfer volume;

 6. User name associated with the connection and other connection information, including the Internet Protocol address of the source of the connection;

 7.  Telephone caller identification records;

8. Records of files or system attributes accessed, modified, or added by the user;

9. Connection information for other computers to which the user of the [Email Account / User name / IP Address or Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)] connected, by any means, during the connection period, including the destination IP address, connection time and date, disconnect time and date, method of connection to the destination computer, the identities (account and screen names) and subscriber information, if known, for any person or entity to which such connection information relates, and all other information related to the connection from ISP or its subsidiaries.

D. All records and other evidence relating to the subscriber(s), customer(s), account holder(s), or other entity(ies) associated with [Email Account / User name / IP Address or Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)], including, without limitation, subscriber names, user names, screen names or other identities, mailing addresses, residential addresses, business addresses, e-mail addresses and other contact information, telephone numbers or other subscriber number or identifier number, billing records, information about the length of service and the types of services the subscriber or customer utilized, and any other identifying information, whether such records or other evidence are in electronic or other form.

E. Any other records and other evidence relating to [Email Account / User name / IP Address or Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)].  Such records and other evidence include, without limitation, correspondence and other records of contact by any person or entity about the above-referenced account, the content and connection logs associated with or relating to postings, communications and any other activities to or through [Email Account / User name / IP Address or Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)], whether such records or other evidence are in electronic or other form.
 

Very truly yours,



__________________________
Assistant United States Attorney




APPENDIX D

This appendix contains three separate model forms for pen register/trap and trace orders on the Internet: an IP trap and trace for a web-based email account; a pen register/trap and trace order to collect addresses on email sent to and from a target account; and an IP pen register/trap and trace order for use in investigating a computer network intrusion.

 

1) Model form for IP trap and trace on a web-based email account



The sample application and order below are specifically designed for use to locate and/or identify the person using a specified web-based email account on a service such as Yahoo or Hotmail. The order authorizes the collection of the numeric network address(es) -- i.e., the Internet Protocol (IP) address(es) -- from which the user accesses the account. That information, in turn, can be used to trace the user to the other Internet site (such as an ISP, a cybercafe, or a public library terminal) from which he or she accessed the webmail service. It is primarily useful in cases (such as fugitive investigations) where the objective is to identify and locate the user.

Note that this order is not designed to collect the email addresses to which the user sends email messages from the web-based account, nor to collect the addresses from which the account owner receives email. That type of order -- which might be used, for example, to discover the co-conspirators of a criminal known to use email in his/her conspiratorial activities -- would not ask for (or even discuss) IP addresses, and would normally require discussion of the pen register provisions of the statute as well as trap and trace. (For a sample application and order including such language, see the second model form in this appendix. Note that using the latter will likely slow the process of having the provider implement the order, so it should be used only where the additional information - i.e., To: and From: on email traffic sent from/to the target account - is needed.)

UNITED STATES DISTRICT COURT

_______ DISTRICT OF __________





IN THE MATTER OF THE APPLICATION OF THE UNITED STATES   )   No.
OF AMERICA FOR AN ORDER AUTHORIZING THE INSTALLATION    )
AND USE OF A TRAP AND TRACE DEVICE                      )   FILED UNDER SEAL


APPLICATION



1. ________________, the United States Attorney for the __________ District of __________, by __________, an Assistant United States Attorney for the __________ District of __________, hereby applies to the Court pursuant to 18 U.S.C. § 3122 for an order authorizing the installation and use of a trap and trace device.  In support of this application, he/she states the following:

2. Applicant certifies that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by [investigative agency], in connection with possible violations of Title 18, United States Code, sections __________.

3. [As a result of information obtained through previous orders issued by this Court,] investigators believe that the offense under investigation has been and continues to be accomplished through the user account __________ at __________, an electronic communication service provider located at __________. The listed subscriber for this account is [name], [address], [telephone]. __________, and others yet unknown, are the subjects of the above investigation.

4. A trap and trace device is defined in Title 18, United States Code, Section 3127(4) as "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication." This definition reflects the significant amendments made by the USA PATRIOT Act of 2001, § 216, Pub. L. No. 107-56, 115 Stat. 272, 288-90 (2001).

5. [webmail provider] is a provider of free electronic mail communication services. [provider's] users access its services by means of the Internet's World Wide Web. Using a standard web browser program (such as Netscape or Internet Explorer), [provider's] users may compose, send, and receive electronic mail through the computers in [provider's] network.

6. Whenever an Internet user visits [provider's] web site (or any other web site on the Internet), that user's computer identifies itself to the web site by means of its Internet Protocol address. An Internet Protocol ("IP") address is a unique numeric identifier assigned to every computer attached to the Internet. An Internet service provider (ISP) normally controls a range of several hundred (or even thousands of) IP addresses, which it assigns to its customers for their use.

7. IP numbers for individual user accounts (such as are sold by ISPs to the general public) are usually assigned "dynamically": each time the user dials into the ISP to connect to the Internet, the customer's machine is assigned one of the available IP addresses controlled by the ISP. The customer's computer retains that IP address for the duration of that session (i.e., until the user disconnects), and the IP address cannot be assigned to another user during that period. Once the user disconnects, however, that IP address becomes available to other customers who dial in thereafter. Thus, an individual customer's IP address normally differs each time he dials into the ISP. By contrast, an ISP's business customer will commonly have a permanent, 24-hour Internet connection to which a "static" (i.e., fixed) IP address is assigned.

8. These source IP addresses are, in the computer network context, conceptually identical to the origination phone numbers captured by traditional trap and trace devices installed on telephone lines. Just as traditional telephonic trap and trace devices may be used to determine the source of a telephone call (and thus the identity of the caller), it is feasible to use a combination of hardware and software to ascertain the source addresses of electronic connections to a World Wide Web computer, and thereby to identify and locate the originator of the connection.

9. Accordingly, for the above reasons, the applicant requests that the Court enter an order authorizing the installation and use of a trap and trace device to identify the source IP address (along with the date and time) of all logins to the subscriber account [user account] at [provider]. The applicant is not requesting, and does not seek to obtain, the contents of any communications.

10. The applicant requests that the foregoing installation and use be authorized for a period of 60 days.

11. The applicant further requests that the Order direct that, upon service of the order upon it, [provider] furnish information, facilities, and technical assistance necessary to accomplish the installation of the trap and trace device, including installation and operation of the device unobtrusively and with a minimum of disruption of normal service. [provider] shall be compensated by [investigating agency] for reasonable expenses incurred in providing such facilities and assistance in furtherance of the Order.

12. The applicant further requests that the Order direct that the information collected and recorded pursuant to the Order shall be furnished to [investigating agency] at reasonable intervals during regular business hours for the duration of the Order.

13. The applicant further requests that the Order direct that the tracing operation shall encompass tracing the communications to their true source, if possible, without geographic limit.

14. The applicant further requests that pursuant to Title 18, United States Code, Section 3123(d)(2) the Court's Order direct [provider], and any other person or entity providing wire or electronic communication service in the United States whose assistance is used to facilitate the execution of this Order (pursuant to 18 U.S.C. 3123(a)), and their agents and employees not to disclose to the listed subscriber, or any other person, the existence of this Order, the trap and trace device, or this investigation unless or until otherwise ordered by the court and further, pursuant to Title 18, United States Code, Section 3123(d)(1), that this application and Order be SEALED.

The foregoing is based on information provided to me in my official capacity by agents of [investigative agency].

I declare under penalty of perjury that the foregoing is true and correct.

Dated this ____ day of __________, 2002.







____________________________

Assistant United States Attorney



UNITED STATES DISTRICT COURT

_______ DISTRICT OF __________



IN THE MATTER OF THE APPLICATION ) No.

OF THE UNITED STATES OF AMERICA )

FOR AN ORDER AUTHORIZING THE )

INSTALLATION AND USE OF A TRAP )

AND TRACE DEVICE )

) FILED UNDER SEAL





ORDER



This matter has come before the Court pursuant to an application under Title 18, United States Code, Section 3122 by __________, an attorney for the Government, which application requests an Order under Title 18, United States Code, Section 3123 authorizing the installation and use of a trap and trace device to determine the source Internet Protocol address (along with date and time) of login connections directed to the user account __________ at [provider name], which is located at [address of provider]. The account is registered to [name/address].

The Court finds that the applicant has certified that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation into possible violations of Title 18, United States Code, Section __________, by __________ [and others yet unknown].

IT IS THEREFORE ORDERED, pursuant to Title 18, United States Code, Section 3123, that a trap and trace device be installed and used to determine the source Internet Protocol address (along with date and time) of login connections directed to the user account [user account], but not the contents of such communications;

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(c)(1), that the use and installation of the foregoing occur for a period not to exceed 60 days;

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(b)(2) and in accordance with the provisions of section 3124(b), that [provider], upon service of the order upon it, shall furnish information, facilities, and technical assistance necessary to accomplish the installation of the trap and trace device, including installation and operation of the device unobtrusively and with a minimum of disruption of normal service;

IT IS FURTHER ORDERED, that the results of the trap and trace device shall be furnished to [agency] at reasonable intervals during regular business hours for the duration of the Order;

IT IS FURTHER ORDERED, that the tracing operation shall encompass tracing the communications to their true source, if possible, without geographic limit;

IT IS FURTHER ORDERED that [agency] compensate [provider] for expenses reasonably incurred in complying with this Order; and

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(d), that [provider], and any other person or entity providing wire or electronic communication service in the United States whose assistance is used to facilitate the execution of this Order (pursuant to 18 U.S.C. 3123(a)), and their agents and employees shall not disclose to the listed subscriber, or any other person, the existence of this Order, the trap and trace device, or this investigation unless or until otherwise ordered by the court and further, pursuant to Title 18, United States Code, Section 3123(d)(1), that this application and Order be SEALED.



Dated this ____ day of __________, 2002.



UNITED STATES MAGISTRATE JUDGE

 

2) Model form for pen register/trap and trace order to collect addresses on email sent to/from the target account.

The sample application and order below are specifically to collect the email addresses to which the user sends email messages from an account, and to collect the addresses from which the account owner receives email.
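What the "device or process" in this form would actually record, as an added example that is not part of the DOJ form: a header-only extractor that reads the From: line of mail directed to the account (trap and trace) and the To:/Cc:/Bcc: lines of mail sent from it (pen register), together with the Date: header, and never copies the Subject: or body. Including Bcc: goes one step beyond the form's To:/Cc: wording, on the assumption that an outbound message is captured at submission, where Bcc: is still present. The two sample messages and the address target@provider.example are constructed for the example.

```python
"""Header-only address capture for e-mail, in the shape of the pen register /
trap and trace the model form describes.

Added example, not part of the DOJ form.  Only addressing fields (From:, To:,
Cc:, Bcc:) and the Date: header are read into the record; Subject:, body and
attachments are never copied, so the record contains no communication contents.
"""
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Header fields treated as addressing information (not contents).
SOURCE_FIELDS = ("From",)
DESTINATION_FIELDS = ("To", "Cc", "Bcc")  # Bcc exists only on the sending side


def _addresses(msg, fields):
    """Bare, lower-cased addresses from the named headers, in order, without duplicates."""
    found = []
    for field in fields:
        for _display_name, addr in getaddresses(msg.get_all(field, [])):
            addr = addr.lower()
            if addr and addr not in found:
                found.append(addr)
    return found


def pen_trap_record(raw_message, direction):
    """Build one log record for a message.

    direction == "inbound":  trap and trace -> record the source address(es).
    direction == "outbound": pen register   -> record the destination addresses.
    The Date: header supplies the timestamp; nothing else from the message is kept.
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    msg = message_from_string(raw_message)
    date_header = msg.get("Date")
    record = {
        "direction": direction,
        "timestamp": parsedate_to_datetime(date_header).isoformat() if date_header else None,
    }
    if direction == "inbound":
        record["source"] = _addresses(msg, SOURCE_FIELDS)
    else:
        record["destinations"] = _addresses(msg, DESTINATION_FIELDS)
    return record


# Constructed sample messages (made up for this example; the addresses follow
# the form's own jane@doe.com / richard@roe.com / pat@address.com placeholders).
SAMPLE_INBOUND = """\
From: Jane Doe <jane@doe.com>
To: target@provider.example
Cc: pat@address.com
Date: Tue, 05 Mar 2002 14:22:31 -0500
Subject: meeting
Message-ID: <1@doe.com>

Let's meet at the usual place.
"""

SAMPLE_OUTBOUND = """\
From: target@provider.example
To: Richard Roe <richard@roe.com>, pat@address.com
Cc: richard@roe.com
Bcc: quiet@example.net
Date: Tue, 05 Mar 2002 15:01:02 -0500
Subject: re: meeting

Fine.
"""


def demo():
    """Run both samples and return the two records."""
    return (pen_trap_record(SAMPLE_INBOUND, "inbound"),
            pen_trap_record(SAMPLE_OUTBOUND, "outbound"))


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

One caveat a practitioner would add: the From: header is written by the sender and is trivially forged, so the "true source" of inbound mail is better established from what the provider's mail server itself records, the connecting host's IP address in the topmost Received: header and the envelope sender, both of which are routing information rather than contents.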

UNITED STATES DISTRICT COURT

_______ DISTRICT OF __________





)

IN THE MATTER OF THE APPLICATION )

OF THE UNITED STATES OF AMERICA ) No.

FOR AN ORDER AUTHORIZING THE )

INSTALLATION AND USE OF PEN )

REGISTER AND TRAP AND TRACE DEVICES )

) FILED UNDER SEAL





APPLICATION

_____________, the United States Attorney for the __________ District of __________, by __________, an Assistant United States Attorney for the __________ District of __________, hereby applies to the Court pursuant to 18 U.S.C. 3122 for an order authorizing the installation and use of pen register and trap and trace devices. In support of this application, he/she states the following:

1. Applicant is an "attorney for the Government" as defined in Rule 54(c) of the Federal Rules of Criminal Procedure, and therefore, pursuant to Title 18, United States Code, Section 3122(a), may apply for an order authorizing the installation and use of pen register and trap and trace devices.

2. Applicant certifies that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by [investigative agency], in connection with possible violations of Title 18, United States Code, sections __________.

3. [As a result of information obtained through previous orders issued by this Court,] investigators believe that the offense under investigation has been and continues to be accomplished through the user account __________ at __________, an electronic communication service provider located at __________. The listed subscriber for this account is [name], [address], [telephone]. __________, and others yet unknown, are the subjects of the above investigation.

4. A pen register, as defined in Title 18, United States Code, Section 3127(3), is "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted." A trap and trace device is defined in Title 18, United States Code, Section 3127(4) as "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication." These definitions reflect the significant amendments made by the USA PATRIOT Act of 2001, § 216, Pub. L. No. 107-56, 115 Stat. 272, 288-90 (2001).

5. [provider] is a provider of electronic mail communication services.

6. It is possible to identify the other addresses with which a user of [provider's] service is communicating via email. The "headers" on an electronic mail message contain, among other information, the network addresses of the source and destination(s) of the communication. Internet electronic mail addresses adhere to the standardized format "username@network", where username identifies a specific user mailbox associated with network, the system on which the mailbox is located. Standard headers denoting the source and destination addresses of an electronic mail message are "To:" and "Cc:" (destinations), and "From:" (source). For example, a message containing the headers

From: jane@doe.com

To: richard@roe.com

Cc: pat@address.com



indicates that user "jane" (on the doe.com system) is the sender, and that users "richard" (with a mailbox on roe.com) and "pat" (at address.com) are the intended recipients. Multiple destination addresses may be specified in the To: and Cc: fields.

7. These source and destination addresses, analogous to the origination and destination phone numbers captured by traditional trap and trace devices and pen registers installed on telephone lines, constitute "routing" and "addressing" information within the meaning of the statute, as amended by the USA PATRIOT Act in October 2001. As with traditional telephonic pen registers and trap and trace devices, it is feasible to use a combination of hardware and software to ascertain the source and destination addresses associated with Internet electronic mail.

8. Accordingly, for the above reasons, the applicant requests that the Court:

A. Enter an order authorizing the installation and use of a trap and trace device to identify the source address of electronic mail communications directed to the subscriber account [user account] at [provider].

B. Enter an order authorizing the installation and use of a pen register to determine the destination addresses of electronic mail communications originating from [user account], along with the date and time of such communications.

The applicant is not requesting, and does not seek to obtain, the contents of any communications.

9. The applicant requests that the foregoing installation and use be authorized for a period of 60 days.

10. The applicant further requests that the Order direct that, upon service of the order upon it, [provider] furnish information, facilities, and technical assistance necessary to accomplish the installation of the pen register and trap and trace device, including installation and operation of the device unobtrusively and with a minimum of disruption of normal service. [provider] shall be compensated by [investigating agency] for reasonable expenses incurred in providing such facilities and assistance in furtherance of the Order.

11. The applicant further requests that the Order direct that the information collected and recorded pursuant to the Order shall be furnished to [investigating agency] at reasonable intervals during regular business hours for the duration of the Order.

12. The applicant further requests that the Order direct that the tracing operation shall encompass tracing the communications to their true source, if possible, without geographic limit.

13. The applicant further requests that pursuant to Title 18, United States Code, Section 3123(d)(2) the Court's Order direct [provider], and any other person or entity providing wire or electronic communication service in the United States whose assistance is used to facilitate the execution of this Order, and their agents and employees not to disclose to the listed subscriber, or any other person, the existence of this Order, the pen register and trap and trace devices, or this investigation unless or until otherwise ordered by the court and further, pursuant to Title 18, United States Code, Section 3123(d)(1), that this application and Order be SEALED.

The foregoing is based on information provided to me in my official capacity by agents of [investigative agency].

I declare under penalty of perjury that the foregoing is true and correct.

Dated this ____ day of __________, 2002.







____________________________

Assistant United States Attorney



UNITED STATES DISTRICT COURT

_______ DISTRICT OF __________



IN THE MATTER OF THE APPLICATION ) No.

OF THE UNITED STATES OF AMERICA )

FOR AN ORDER AUTHORIZING THE )

INSTALLATION AND USE OF PEN )

REGISTER AND TRAP AND TRACE DEVICES )

) FILED UNDER SEAL





ORDER



This matter has come before the Court pursuant to an application under Title 18, United States Code, Section 3122 by _____________, an attorney for the Government, which application requests an Order under Title 18, United States Code, Section 3123 authorizing the installation and use of pen register and trap and trace devices to collect the source addresses of electronic mail communications directed to, and destination addresses of electronic mail communications originating from, user account ___________ at [provider name]. [provider name] is located at [address of provider]. The account is registered to [name/address].

The Court finds that the applicant has certified that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation into possible violations of Title 18, United States Code, Section __________, by __________ [and others yet unknown].

IT IS THEREFORE ORDERED, pursuant to Title 18, United States Code, Section 3123, that pen register and trap and trace devices be installed and used to identify the source address of electronic mail communications directed to, and the destination addresses of electronic mail communications originating from, [user account], along with the date and time of such communications, but not the contents of such communications;

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(c)(1), that the use and installation of the foregoing occur for a period not to exceed 60 days;

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(b)(2) and in accordance with the provisions of section 3124(b), that [provider], upon service of the order upon it, shall furnish information, facilities, and technical assistance necessary to accomplish the installation of the pen register and trap and trace devices, including installation and operation of the devices unobtrusively and with a minimum of disruption of normal service;

IT IS FURTHER ORDERED, that the results of the pen register and trap and trace devices shall be furnished to [agency] at reasonable intervals during regular business hours for the duration of the Order;

IT IS FURTHER ORDERED, that the tracing operation shall encompass tracing the communications to their true source, if possible, without geographic limit;

IT IS FURTHER ORDERED that [agency] compensate [provider] for expenses reasonably incurred in complying with this Order; and

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(d), that [provider name], and any other person or entity providing wire or electronic communication service in the United States whose assistance is used to facilitate the execution of this Order, and their agents and employees shall not disclose to the listed subscriber, or any other person, the existence of this Order, the pen register and trap and trace devices, or this investigation unless or until otherwise ordered by the court and further, pursuant to Title 18, United States Code, Section 3123(d)(1), that this application and Order be SEALED.

Dated this ____ day of __________, 2002.



UNITED STATES MAGISTRATE JUDGE

 

3) Model form for IP pen register/trap and trace on a computer network intruder



The sample application and order below are designed for use in investigating a computer network intrusion. The order authorizes the collection of source and destination information (e.g., source and destination IP addresses and ports) for network transmissions to and from a specified network computer. Because the order does not authorize the collection of communications contents, it is not a substitute for an order issued under Title III, 18 U.S.C. § 2510 et seq. The order is primarily useful in situations where the objective is to identify and locate the intruder, or to map the intruder's patterns of behavior (such as the identities of other network hosts used or victimized by the intruder).
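The collection this form authorizes, as an added example that is not part of the DOJ form: a packet-header extractor that keeps only the time, direction, source and destination IP addresses and ports of IPv4/TCP packets to or from the monitored host, discards packets whose victim-side port is one of the ports the form carves out (25, 80, 110, 143), ignores traffic between third parties, and never copies a payload. It goes one step beyond the form's text by grouping the records into connections and computing each one's duration, since the form asks for "date, time, and duration". The monitored address 192.0.2.10, the other addresses and the packet trace are constructed for the example; raw IPv4 packets without link-layer framing are assumed.

```python
"""Source/destination capture for IPv4/TCP traffic to and from one monitored host,
in the shape of the pen register / trap and trace the model form describes.

Added example, not part of the DOJ form.  For every packet it keeps only the
time, direction, source and destination addresses and ports; the TCP payload is
never copied.  Packets whose victim-side port is one of the excluded ports
(25, 80, 110, 143 in the form) are dropped, as are packets not addressed to or
from the monitored host.  Assumes raw IPv4 packets with no link-layer framing.
"""
import ipaddress
import struct

EXCLUDED_VICTIM_PORTS = {25, 80, 110, 143}  # the exclusions in paragraph 7 of the form
IPV4_HEADER = "!BBHHHBBH4s4s"               # 20 bytes, no options
TCP_FIXED = "!HHIIH"                        # ports, seq, ack, data-offset/flags


def parse_ipv4_tcp(packet):
    """Return (src_ip, dst_ip, src_port, dst_port) or None if not IPv4 carrying TCP."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, _total, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_HEADER, packet[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6 or len(packet) < ihl + 20:      # 6 = TCP; need a full TCP header
        return None
    sport, dport, _seq, _ack, _off_flags = struct.unpack(TCP_FIXED, packet[ihl:ihl + 14])
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), sport, dport)


def pen_trap_record(packet, timestamp, victim_ip):
    """One log entry for a packet, or None if the packet is outside the order's scope."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return None
    src_ip, dst_ip, sport, dport = parsed
    if src_ip == victim_ip:
        direction, victim_port = "outbound", sport
    elif dst_ip == victim_ip:
        direction, victim_port = "inbound", dport
    else:
        return None                                # not to/from the monitored host
    if victim_port in EXCLUDED_VICTIM_PORTS:
        return None                                # carved out of the order
    return {"ts": timestamp, "direction": direction,
            "src": src_ip, "sport": sport, "dst": dst_ip, "dport": dport}


def summarize_flows(records):
    """Group records into connections (both directions) and compute each one's duration."""
    flows = {}
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        reverse = (r["dst"], r["dport"], r["src"], r["sport"])
        if reverse in flows:
            key = reverse
        flow = flows.setdefault(key, {"first": r["ts"], "last": r["ts"], "packets": 0})
        flow["first"] = min(flow["first"], r["ts"])
        flow["last"] = max(flow["last"], r["ts"])
        flow["packets"] += 1
    for flow in flows.values():
        flow["duration"] = flow["last"] - flow["first"]
    return flows


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal IPv4+TCP packet for test input (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return ip + tcp


VICTIM = "192.0.2.10"   # made-up monitored host (documentation address range)


def demo():
    """Constructed packet trace of (epoch seconds, packet); returns records and flows."""
    trace = [
        (1000.0, build_ipv4_tcp("198.51.100.7", VICTIM, 40123, 22, b"SSH-2.0-x")),      # inbound, in scope
        (1000.5, build_ipv4_tcp(VICTIM, "198.51.100.7", 22, 40123, b"SSH-2.0-y")),      # reply, same flow
        (1001.0, build_ipv4_tcp("203.0.113.9", VICTIM, 51000, 80, b"GET / HTTP/1.0")),  # port 80: excluded
        (1002.0, build_ipv4_tcp(VICTIM, "203.0.113.44", 35000, 6667, b"NICK x")),      # outbound, in scope
        (1003.0, build_ipv4_tcp("203.0.113.9", "203.0.113.44", 1, 2)),                 # third parties: out of scope
        (1004.0, b"\x60" + b"\x00" * 39),                                              # IPv6: not parsed
        (1010.0, build_ipv4_tcp("198.51.100.7", VICTIM, 40123, 22, b"more")),          # same SSH flow, 10 s later
    ]
    records = [rec for rec in (pen_trap_record(p, ts, VICTIM) for ts, p in trace) if rec]
    return records, summarize_flows(records)


if __name__ == "__main__":
    recs, flows = demo()
    for rec in recs:
        print(rec)
    for key, flow in flows.items():
        print(key, flow)
```

The port carve-out is applied to the monitored host's side of the connection only, which is what paragraph 7 of the form means: an intruder's outbound connection from an ephemeral port to some remote port 80 is still in scope. Source addresses of one-way traffic can be spoofed, and intruders routinely pivot through intermediate hosts, which is why the form asks that tracing reach the "true source" and anticipates "redirected communications" on any port.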

IN THE UNITED STATES DISTRICT COURT

FOR THE _____ DISTRICT OF ______





IN THE MATTER OF THE APPLICATION )

OF THE UNITED STATES OF AMERICA )

FOR AN ORDER AUTHORIZING THE ) MISC. NO.

INSTALLATION AND USE OF A PEN )

REGISTER AND TRAP & TRACE DEVICE )



A P P L I C A T I O N

_____________, an Assistant United States Attorney for the ____ District of _____, applies for an order authorizing the installation and use of pen register and trap and trace devices on an Internet-connected computer operated by [victim institution name and address], in the ______ District of ______. In support of said application, the applicant states:

1. The applicant is an "attorney for the government" as defined in Rule 54(c) of the Federal Rules of Criminal Procedure, and therefore, pursuant to Title 18, United States Code, Section 3122, may apply for an order authorizing the installation and use of trap and trace devices and pen registers.

2. The applicant certifies that the Federal Bureau of Investigation is conducting a criminal investigation of unknown individuals in connection with possible violations of 18 U.S.C. § 1030 (fraud and related activity involving computers, i.e., "computer hacking") and related statutes; that it is believed that the subjects of the investigation are using a computer system operated by the [victim], in the _______ District of _______, in furtherance of the described offenses; and that the information likely to be obtained from the pen register and trap and trace devices is relevant to the ongoing criminal investigation. Specifically, the information derived from such an order would provide evidence of the source of the attacks [and the identity of other systems being used to coordinate the attacks].

3. A pen register, as defined in Title 18, United States Code, Section 3127(3), is "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted." A trap and trace device is defined in Title 18, United States Code, Section 3127(4) as "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication." These definitions reflect the significant amendments made by the USA PATRIOT Act of 2001, § 216, Pub. L. No. 107-56, 115 Stat. 272, 288-90 (2001).

4. Data packets transmitted over the Internet -- the mechanism for all Internet communications -- contain addressing information closely analogous to origination phone numbers captured by traditional trap and trace devices installed on telephone lines and destination phone numbers captured by traditional pen registers. Devices to determine the source and destinations of such communications can be implemented through a combination of hardware and software.

5. To date, the investigation has identified a computer at [victim] which is being used to commit or assist in the commission of the offenses under investigation, a machine identified by the Internet Protocol address (4) __________. Based upon the configuration of the system, any incoming or outgoing port may be used for communication, including redirected communications, involved in the offenses under investigation. (5)

6. The investigation to date indicates that [brief recitation of relevant facts].

[7. It is believed that TCP ports 25, 80, 110, and 143 (relating to email and World Wide Web traffic) (6) are not being used in the commission of these crimes and that traffic on these ports can be excluded from the scope of the order.]

8. Accordingly, for the above reasons, the applicant requests that the Court enter an order authorizing the use of pen register and trap and trace devices to trace the source and destination of all electronic communications directed to or originating from any port (except ports 25, 80, 110, and 143) of the [victim] computer identified by the network address _________ and to record the date, time, and duration of the transmissions of these communications for a period of 60 days. The applicant is not requesting, and does not seek to obtain, the contents of such electronic communications (as defined at 18 U.S.C. 2510(8)).

9. The applicant further requests that the Order direct that [victim], and any other electronic communications provider whose assistance may (pursuant to 18 U.S.C. 3123(a)) facilitate the execution of the order, upon service of the order upon them, furnish information, facilities, and technical assistance necessary to accomplish the installation of the trap and trace devices and pen registers including installation and operation of the devices unobtrusively and with a minimum of disruption of normal service. These entities shall be compensated by the Federal Bureau of Investigation for reasonable expenses incurred in providing such facilities and assistance in furtherance of the Order.

10. The applicant further requests that the Order direct that the information collected and recorded pursuant to the Order be furnished to Special Agents of the Federal Bureau of Investigation at reasonable intervals during regular business hours for the duration of the Order.

11. The applicant further requests that the Order direct that the tracing shall encompass tracing the communications to their true source, if possible, without geographic limit.

12. Further, applicant respectfully requests the Court order that, pursuant to 18 U.S.C. § 3123(d)(2), [victim] and any other person or entity providing wire or electronic communication service in the United States whose assistance is used to facilitate the execution of this Order, and their agents and employees, make no disclosure of the existence of this Application and Order, except as necessary to effectuate it, unless and until authorized by this Court and that, pursuant to 18 U.S.C. § 3123(d)(1), the Clerk of Court seal the Order (and this Application) until further order of this Court. Providing prior notice to the subjects of the investigation could seriously jeopardize the ongoing investigation, as such a disclosure would give the subjects of the investigation an opportunity to destroy evidence, change patterns of behavior to evade detection, notify confederates, or flee from prosecution.

The foregoing is based on information provided to me in my official capacity by agents of the Department of Justice, including the Federal Bureau of Investigation.

Executed on ___, 2002.









__________________________

Assistant United States Attorney



IN THE UNITED STATES DISTRICT COURT

FOR THE _____ DISTRICT OF _________



IN THE MATTER OF THE APPLICATION )

OF THE UNITED STATES OF AMERICA )

FOR AN ORDER AUTHORIZING THE ) MISC. NO.

INSTALLATION AND USE OF A PEN )

REGISTER AND TRAP & TRACE DEVICE )



O R D E R



This matter comes before the Court pursuant to an application under Title 18, United States Code, Section 3122 by ___________________, an attorney for the government, which application requests an order under Title 18, United States Code, Section 3123 authorizing the installation and use of a pen register and trap and trace devices on computers operated by [victim], which computers are located at __________________. The Court finds that the applicant has certified that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation into possible violations of 18 U.S.C. § 1030 by individuals currently unknown.

IT IS ORDERED, pursuant to Title 18, United States Code, Section 3123, that agents of the Federal Bureau of Investigation may install pen register and trap and trace devices to trace the source and destination of all electronic communications directed to or originating from any port (except ports 25, 80, 110, or 143) of the computer on the [victim] computer network with the network address __________ and record the date, time, and duration (but not the contents) of these communications for a period of 60 days.

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(b)(2), that [victim] and any other electronic communications provider whose assistance may (pursuant to 18 U.S.C. 3123(a)) facilitate the execution of the order, upon service of this Order upon them, shall furnish information, facilities, and technical assistance necessary to accomplish the installation of the trap and trace devices and pen registers including installation and operation of the devices unobtrusively and with a minimum of disruption of normal service;

IT IS FURTHER ORDERED, that the Federal Bureau of Investigation compensate [victim] and any other person or entity providing wire or electronic communication service in the United States whose assistance is used to facilitate the execution of this Order for expenses reasonably incurred in complying with this Order;

IT IS FURTHER ORDERED, that the results of the trap and trace devices and the pen registers shall be furnished to the Federal Bureau of Investigation at reasonable intervals during regular business hours for the duration of the Order; and

IT IS FURTHER ORDERED, that the tracing operation shall encompass tracing the communications to their true source, if possible, without geographic limit;

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(d), that this Order and the Application be sealed until otherwise ordered by the Court, and that [victim] and any other person or entity providing wire or electronic communication service in the United States whose assistance is used to facilitate the execution of this Order shall not disclose the existence of the trap and trace devices and pen registers, or the existence of the investigation to any person, except as necessary to effectuate this Order, unless or until otherwise ordered by the Court.

ENTERED: ________, 2002



FOR THE COURT:





_____________________________



United States Magistrate Judge




APPENDIX E: Sample Subpoena Language



Post-PATRIOT Act: The Government is not required to provide notice to a subscriber or customer for the items sought in Part A below. The information requested below can be obtained with use of an administrative subpoena authorized by Federal or State statute or a Federal or State grand jury or trial subpoena or a § 2703(d) order or a search warrant. See 18 U.S.C. § 2703(c)(2). If you request the items in Part B (contents), then you must give prior notice or delay notice pursuant to 18 U.S.C. § 2705(a).



Attachment To Subpoena



You are to provide the following information as [insert specifics on how you want to receive the information, e.g. printouts and as ASCII data files (on 100 megabyte disk for use with a Zip drive, if available, etc.)]:



A. For any accounts registered to [subscriber], or [associated with subscriber], [you should routinely add associated accounts because many ISPs may not provide the associated account information unless specifically requested] the following customer or subscriber account information:



(A) name(s);



(B) address(es);



(C) local and long distance telephone connection records, or records of session times and durations;



(D) length of service (including start date) and types of service utilized;



(E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and



(F) means and source of payment for such service (including any credit card or bank account number)



B. The contents of wire or electronic communications held or maintained in [ISP's] computer systems on behalf of the accounts identified in Part A at any time up through and including the date of this Subpoena, EXCEPT THAT you should NOT produce any unopened incoming communications (i.e., communications in "electronic storage") less than 181 days old.



"Electronic storage" is defined in 18 U.S.C. 2510(17) as "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication." The government does not seek access to any such materials, unless they have been in "electronic storage" for more than 180 days.



[Return to Main Text]

APPENDIX F: Sample Language for Search Warrants and Accompanying Affidavits to Search and Seize Computers

(Appendix F updated December 2006)

         This appendix provides sample language for agents and prosecutors who wish to obtain a warrant authorizing the search and seizure of computers. The discussion focuses first on the proper way to describe the property to be seized in the warrant itself, which in turn requires consideration of the role of the computer in the offense. The discussion then turns to drafting an accompanying affidavit that establishes probable cause, describes the agent's search strategy, and addresses any additional statutory or constitutional concerns.

I. DESCRIBING THE PROPERTY TO BE SEIZED FOR THE WARRANT

         The first step in drafting a warrant to search and seize computers or computer data is to describe the property to be seized for the warrant itself. This requires a particularized description of the evidence, contraband, fruits, or instrumentalities of the crime that the agents hope to obtain by conducting the search.

         Whether the “property to be seized” should contain a description of information (such as computer files) or physical computer hardware depends on the role of the computer in the offense. In some cases, the computer hardware is itself contraband, evidence of a crime, or a fruit or instrumentality of a crime. In these situations, Fed. R. Crim. P. 41 expressly authorizes the seizure of the hardware, and the warrant will ordinarily request its seizure. In other cases, however, the computer hardware is merely a storage device for electronic files that are themselves contraband, evidence, or instrumentalities of crime. In these cases, the warrant should request authority to search for and seize the information itself, not the storage devices that the agents believe they must seize to recover the information. Although the agents may need to seize the storage devices for practical reasons (e.g., the electronic media cannot be imaged without first seizing the hardware), such practical considerations are best addressed in the accompanying affidavit. The “property to be seized” described in the warrant should fall within one or more of the categories listed in Rule 41(b):

         (1) “property that constitutes evidence of the commission of a criminal offense”

         This authorization is a broad one, covering any item that an investigator “reasonably could . . . believe” would reveal information that would aid in a particular apprehension or conviction. Andresen v. Maryland, 427 U.S. 463, 483 (1976). Cf. Warden v. Hayden, 387 U.S. 294, 307 (1967) (noting that restrictions on what evidence may be seized result mostly from the probable cause requirement). The word “property” in Rule 41(b)(1) includes both tangible and intangible property. See United States v. New York Tel. Co., 434 U.S. 159, 169 (1977) (“Rule 41 is not limited to tangible items but is sufficiently flexible to include within its scope electronic intrusions authorized upon a finding of probable cause.”); United States v. Biasucci, 786 F.2d 504, 509-10 (2d Cir. 1986) (holding that the fruits of video surveillance are “property” that may be seized using a Rule 41 search warrant). Accordingly, data stored in electronic form is “property” that may properly be searched and seized using a Rule 41 warrant. See United States v. Hall, 583 F. Supp. 717, 718-19 (E.D. Va. 1984).

         (2) “contraband, the fruits of crime, or things otherwise criminally possessed”

         Property is contraband “when a valid exercise of the police power renders possession of the property by the accused unlawful and provides that it may be taken.” Hayden, 387 U.S. at 302 (quoting Gouled v. United States, 255 U.S. 298, 309 (1921)). Common examples of items that fall within this definition include child pornography, see United States v. Kimbrough, 69 F.3d 723, 731 (5th Cir. 1995), pirated software and other copyrighted materials, see United States v. Vastola, 670 F. Supp. 1244, 1273 (D.N.J. 1987), counterfeit money, narcotics, and illegal weapons. The phrase “fruits of crime” refers to property that criminals have acquired as a result of their criminal activities. Common examples include money obtained from illegal transactions, see United States v. Dornblut, 261 F.2d 949, 951 (2d Cir. 1958) (cash obtained in drug transaction), and stolen goods. See United States v. Burkeen, 350 F.2d 261, 264 (6th Cir. 1965) (currency removed from bank during bank robbery).

         (3) “property designed or intended for use or which is or had been used as a means of committing a criminal offense”

         Rule 41(c)(3) authorizes the search and seizure of “property designed or intended for use or which is or had been used as a means of committing a criminal offense.” This language permits courts to issue warrants to search and seize instrumentalities of crime. See United States v. Farrell, 606 F.2d 1341, 1347 (D.C. Cir. 1979). Computers may serve as instrumentalities of crime in many ways. For example, Rule 41 authorizes the seizure of computer equipment as an instrumentality when a suspect uses a computer to view, acquire, and transmit images of child pornography. See Davis v. Gracey, 111 F.3d 1472, 1480 (10th Cir. 1997) (stating in an obscenity case that “the computer equipment was more than merely a 'container' for the files; it was an instrumentality of the crime.”); United States v. Lamb, 945 F. Supp. 441, 462 (N.D.N.Y. 1996). Similarly, a hacker's computer may be used as an instrumentality of crime, and a computer used to run an illegal Internet gambling business would also be an instrumentality of the crime.

         Here are examples of how to describe property to be seized when the computer hardware is merely a storage container for electronic evidence:

         (A) All records relating to violations of 21 U.S.C. 841(a) (drug trafficking) and/or 21 U.S.C. 846 (conspiracy to traffic drugs) involving [the suspect] since January 1, 2006, including lists of customers and related identifying information; types, amounts, and prices of drugs trafficked as well as dates, places, and amounts of specific transactions; any information related to sources of narcotic drugs (including names, addresses, phone numbers, or any other identifying information); any information recording [the suspect's] schedule or travel from 1995 to the present; all bank records, checks, credit card bills, account information, and other financial records.

         The terms “records” and “information” include all of the foregoing items of evidence in whatever form and by whatever means they may have been created or stored, including any electrical, electronic, or magnetic form (such as any information on an electronic or magnetic storage device, including floppy diskettes, hard disks, ZIP disks, USB drives, memory sticks, CD-ROMs, optical discs, backup tapes, printer buffers, smart cards, memory calculators, pagers, personal digital assistants such as Palm Pilot computers, as well as printouts or readouts from any magnetic storage device); any handmade form (such as writing, drawing, painting); any mechanical form (such as printing or typing); and any photographic form (such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures, photocopies). 

         (B) Any copy of the X Company's confidential May 17, 2005 report, in electronic or other form, including any recognizable portion or summary of the contents of that report. 

         (C) [For a warrant to obtain records stored with an ISP pursuant to 18 U.S.C. Section 2703(a)] All stored electronic mail of any kind sent to, from and through the e-mail address [JDoe@isp.com], or associated with the user name “John Doe,” account holder [suspect], or IP Address [xxx.xxx.xxx.xxx] / Domain name [x.com] between Date A at Time B and Date X at Time Y. Content and connection log files of all activity from January 1, 2006, through March 31, 2006, by the user associated with the e-mail address [JDoe@isp.com], user name “John Doe,” or IP Address [xxx.xxx.xxx.xxx] / Domain name [x.x.com] between Date A at Time B and Date X at Time Y, including dates, times, methods of connecting (e.g., telnet, ftp, http), type of connection (e.g., modem, cable / DSL, T1 / LAN), ports used, telephone dial-up caller identification records, MAC address, and any other connection information or traffic data. All business records, in any form kept, in the possession of [Internet Service Provider], that pertain to the subscriber(s) and account(s) associated with the e-mail address [JDoe@isp.com], user name “John Doe,” or IP Address [xxx.xxx.xxx.xxx] / Domain name [x.x.com] between Date A at Time B and Date X at Time Y, including records showing the subscriber's full name, all screen names associated with that subscriber and account, all account names associated with that subscriber, methods of payment, phone numbers, all residential, business, mailing, and e-mail addresses, detailed billing records, types and lengths of service, and any other identifying information.

         Here are examples of how to describe the property to be seized when the computer hardware itself is evidence, contraband, or an instrumentality of a crime:

         (A) Any computers (including file servers, desktop computers, laptop computers, mainframe computers, and storage devices such as hard drives, CDs, USB drives and floppy disks) that were or may have been used as a means to provide images of child pornography over the Internet in violation of 18 U.S.C. 2252A that were accessible via the Internet address www.[xxxxxxxx].com.

         (B) Dell Inspiron Model 700m laptop computer with a black case.

II. DRAFTING AFFIDAVITS IN SUPPORT OF WARRANTS TO SEARCH AND SEIZE COMPUTERS

        An affidavit to justify the search and seizure of computer hardware and/or files should include, at a minimum, the following sections: (1) definitions of any technical terms used in the affidavit or warrant; (2) a summary of the offense, and, if known, the role that a targeted computer played in the offense; and (3) an explanation of any special computer forensic issues, such as the need to remove the hardware or media for off-site imaging or forensic analysis. In addition, warrants that raise special issues (such as sneak-and-peek warrants, or warrants that may implicate the Privacy Protection Act, 42 U.S.C. 2000aa) require thorough discussion of those issues in the affidavit. Agents and prosecutors with questions about how to tailor an affidavit and warrant for a computer-related search may contact either their local CHIP or the Computer Crime & Intellectual Property Section at (202) 514-1026.

A. Background Technical Information

         It may be helpful to include a section near the beginning of the affidavit explaining any technical terms that the affiant may use. Although many judges are computer literate, judges generally appreciate a clear, jargon-free explanation of technical terms that may help them understand the merits of the warrant application. At the same time, agents and prosecutors should resist the urge to pad affidavits with long, boilerplate descriptions of well-known technical phrases. As a rule, affidavits should only include the definitions of terms that are likely to be unknown by a generalist judge and are used in the remainder of the affidavit. Here are some sample definitions:

Addresses

         Every device on the Internet has an address that allows other devices to locate and communicate with it. An Internet Protocol (IP) address is a unique number that identifies a device on the Internet. Other addresses include Uniform Resource Locator (URL) addresses, such as “http://www.usdoj.gov,” which are typically used to access web sites or other services on remote devices. Domain names, host names, and machine addresses are other types of addresses associated with Internet use.

Cookies

         A cookie is a small text file that a web site asks the user's browser to store when the user on a remote computer accesses the site. The browser saves the cookie in a directory on that computer (on older Windows systems usually labeled “Cookies” or “Temporary Internet Files”) and sends it back to the same web site on subsequent visits. A cookie typically contains a unique identifier that the site uses to recognize the browser, and it may also contain user preferences, session or account information, and records of when the site was last visited. Because cookies persist after the browsing session ends, they can show that a particular computer was used to visit a particular site, and when.

Data Compression

         A process of reducing the number of bits required to represent some information, usually to reduce the time or cost of storing or transmitting it. Some methods can be reversed to reconstruct the original data exactly; these are used for faxes, programs and most computer data. Other methods do not exactly reproduce the original data, but this may be acceptable (for example, for a video conference).

Denial of Service Attack (DoS Attack)

         A hacker attempting a DoS attack floods a particular server or web site with far more requests or messages than it can handle in a short period of time. The server or web site will devote system resources to each transmission; because those resources are finite, the bombardment slows the system down or crashes it altogether. The traffic is often sent from many different computers or source addresses at once (a distributed denial of service, or DDoS, attack), which makes the flood harder to block and its origin harder to trace.

Domain

         A domain is a group of Internet devices that share a common name and are owned, operated, or administered by a specific individual, group, or organization. Devices within a domain are usually administered according to the same set of rules and procedures and often, though not necessarily, have IP addresses within a particular range of numbers.

Domain Name


A domain name identifies a computer or group of computers on the Internet and is translated into one or more IP addresses by the Domain Name System (DNS). Domain names are typically strings of alphanumeric characters in which each “level” of the domain is delimited by a period, read from the most specific label on the left to the top-level domain on the right (e.g., computer.networklevel1.networklevel2.com). A domain name can provide information about the organization or ISP responsible for a network and sometimes about the physical location of a particular network user, but the mapping between a name and its IP addresses can change over time and should be confirmed for the relevant date.

Encryption

         Encryption refers to the practice of mathematically scrambling computer data so that it cannot be read without the proper key. The scrambled information is called “ciphertext.” “Decryption” is the process of converting the ciphertext back into the original, readable information (known as “plaintext”). The word, number or other value used to encrypt or decrypt a message is called the “key.” With a well-designed encryption method the plaintext cannot practically be recovered from the ciphertext without the key, so encrypted evidence may remain unreadable unless the key or the password protecting it is also obtained.

File Transfer Protocol (FTP)

         FTP is a method of communication used to send and receive files such as word-processing documents, spreadsheets, pictures, songs, and video files. FTP sites are online “warehouses” of computer files that are available for copying by users on the Internet. Many sites require users to supply credentials (such as a user name and password) to gain access, but sites that permit “anonymous” logins can be reached with nothing more than the IP address or host name of the site, and users of such sites are often identified only by their IP addresses.

Firewall

         A firewall is a dedicated computer system or piece of software that monitors the connections between one computer or network and another. The firewall acts as a gatekeeper: it applies a set of rules that permit authorized communications, blocks unauthorized or suspect transmissions, and may filter content coming into a network. Hackers can sidestep the protections offered by firewalls by acquiring valid system passwords, by forging (“spoofing”) packets so that they appear to come from an authorized IP address, or by placing malicious code in seemingly innocuous files, such as e-mail attachments, that an authorized user then brings inside the network.

Hacking

         Hacking is the deliberate infiltration or sabotaging of a computer or network of computers. Hackers use loopholes in computer security to gain control of a system, steal passwords and sensitive data, and/or incapacitate a computer or group of computers. Hacking is usually done remotely, by sending harmful commands and programs through the Internet to a target system. When they arrive, these commands and programs instruct the target system to operate outside of the parameters specified by the administrator of the system. This often causes general system instability or the loss of data.

Hash Value

A hash value (or simply “hash”), also called a message digest, is a fixed-length number generated from a string of text or other data by a mathematical algorithm such as MD5, SHA-1, or SHA-256. The hash is substantially smaller than the data itself, and a sound algorithm makes it computationally infeasible to find two different data sets that produce the same hash, so the hash is for practical purposes unique to that data set.  If the original data is altered, even by a single bit, the hash value will change.  Similarly, if the hash values for two data sets match, it is reasonably certain that the two sets are identical.

         Hashes play a role in computer forensics where they are used to ensure that images of electronic media are accurately made by forensic software.  They are also used in child pornography investigations to compare suspected child pornography images against known child pornography images.
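The two forensic uses described above, verifying an acquired image and comparing files against a set of known hashes, as an added example that is not part of the manual. The disk image bytes, the "known" file, and the file names are all constructed for the illustration; the hashing itself is Python's standard hashlib.

```python
"""Added example (not from the manual): how a forensic examiner uses hash values."""
from __future__ import annotations

import hashlib

# Constructed sample data standing in for a small disk image; a real image would be
# read from a file in chunks in exactly the same way.
ORIGINAL_IMAGE = b"\x00" * 512 + b"evidence: ledger.xls" + b"\xff" * 512
ALTERED_IMAGE = ORIGINAL_IMAGE[:512] + b"evidence: ledger.XLS" + ORIGINAL_IMAGE[532:]


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data, computed in 4 KiB chunks so that the same code scales to
    multi-gigabyte images. hashlib provides MD5, SHA-1 and SHA-256 among others."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for offset in range(0, len(view), 4096):
        h.update(view[offset:offset + 4096])
    return h.hexdigest()


def verify_image(source: bytes, copy: bytes, algorithm: str = "sha256") -> bool:
    """Acquisition check: the forensic copy is a faithful image of the source
    if and only if both produce the same digest."""
    return digest(source, algorithm) == digest(copy, algorithm)


def match_known_files(files: dict[str, bytes], known_hashes: set[str]) -> list[str]:
    """Hash-set comparison: names of files whose content matches a hash in the known set.
    The match is on content, so renaming a file or changing its extension does not defeat it."""
    return sorted(name for name, data in files.items() if digest(data) in known_hashes)


if __name__ == "__main__":
    print("image verified:", verify_image(ORIGINAL_IMAGE, ORIGINAL_IMAGE))       # True
    print("altered copy verified:", verify_image(ORIGINAL_IMAGE, ALTERED_IMAGE))  # False
```

A single changed byte (the case of the extension in the altered copy) yields a completely different digest, while a file renamed from .jpg to .txt still matches the known-hash set because only its bytes are hashed.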

Instant Messaging (IM)

         IM is a communications service that allows two users to send messages through the Internet to each other in real-time. Users subscribe to a particular messaging service (e.g., AOL Instant Messenger, MSN Messenger) by supplying personal information and choosing a screen-name to use in connection with the service. When logged in to the IM service, users can search for other users based on the information that other users have supplied, and they can send those users messages or initiate a chat session. Most IM services also allow files to be transferred between users, including music, video files, and computer software. Due to the structure of the Internet, a transmission may be routed through different states and/or countries before it arrives at its final destination, even if the communicating parties are in the same state.

Internet

         The Internet is a global network of computers and other electronic devices that communicate with each other via standard telephone lines, high-speed telecommunications links (e.g., fiber optic cable), and wireless transmissions. Due to the structure of the Internet, connections between devices on the Internet often cross state and international borders, even when the devices communicating with each other are in the same state.

Internet Relay Chat (IRC)

         IRC is a popular Internet service that allows users to communicate with each other in real-time. IRC is organized around the “chat-room” or “channel,” in which users congregate to communicate with each other about a specific topic. A “chat-room” typically connects users from different states and countries, and IRC messages often travel across state and national borders before reaching other users. Within a “chat-room” or “channel,” every user can see the messages typed by other users.

         No user identification is required for IRC, allowing users to log in and participate in IRC communication with virtual anonymity, concealing their identities by using fictitious “screen names.”  Furthermore, participants in IRC communications may enable logging, which will create a transcript of the chat-room communication.

Internet Service Providers (“ISPs”)

         Many individuals and businesses obtain their access to the Internet through businesses known as Internet Service Providers (“ISPs”). ISPs provide their customers with access to the Internet using telephone or other telecommunications lines such as cable TV, DSL or fiber optic service; provide Internet e-mail accounts that allow users to communicate with other Internet users by sending and receiving electronic messages through the ISPs' servers; remotely store electronic files on their customers' behalf; and may provide other services unique to each particular ISP.

         ISPs maintain records pertaining to the individuals or companies that have subscriber accounts with them. Those records could include identifying and billing information, account access information in the form of log files, e-mail transaction information, posting information, account application information, and other information both in computer data format and in written record format. ISPs reserve and/or maintain computer disk storage space on their computer systems for the use of the Internet service subscriber for both temporary and long-term storage of electronic communications with other parties and other types of electronic data and files. E-mail that has not been opened is stored temporarily by an ISP incident to the transmission of the e-mail to the intended recipient, usually within the recipient's mailbox on the ISP's mail server. Such temporary, incidental storage is defined by statute as “electronic storage,” and the provider of such a service is an “electronic communications service” provider. A service provider that is available to the public and provides storage facilities after an electronic communication has been transmitted and opened by the recipient, or provides other long-term storage services to the public for electronic data and files, is providing a “remote computing service.”

IP Address

         The Internet Protocol address (or simply “IP” address) is a unique numeric address used by computers on the Internet. An IP address of the kind in common use (IP version 4) looks like a series of four numbers, each in the range 0-255, separated by periods (e.g., 121.56.97.178). Every computer attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that computer may be directed properly from its source to its destination. Most Internet service providers control a range of IP addresses. Note that several computers on a home or office network may share a single public IP address through a router, so the IP address seen by a remote server identifies, at most, the network connection that was used, not necessarily a particular computer or person.

Dynamic IP address

When an ISP or other provider uses dynamic IP addresses, the ISP assigns one of the available IP addresses in the range of IP addresses it controls each time a user connects to the ISP to reach the Internet. The customer's computer retains that IP address for the duration of that session (i.e., until the user disconnects), and the IP address cannot be assigned to another user during that period. Once the user disconnects, however, that IP address becomes available to other customers who connect at a later time. Thus, an individual customer's IP address normally differs each time he connects to the ISP, and the same IP address may be used by many different customers over the course of a single day. For this reason, a request for records identifying the user of a dynamic IP address must specify the exact date, time, and time zone of the activity in question; an IP address alone is not enough.

Static IP address

         A static IP address is an IP address that is assigned permanently to a given user or computer on a network. A customer of an ISP that assigns static IP addresses will have the same IP address every time.
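The lookup an ISP performs when asked who was using a dynamic IP address at a given moment, as an added example that is not part of the manual. The session log below is constructed in a hypothetical format (no real provider's records), and the subscriber names and addresses are invented; the point it shows is that the same address belongs to different subscribers at different times, so the answer depends on the exact instant and its time zone.

```python
"""Added example (not from the manual): resolving a dynamic IP address to a subscriber."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample ISP session log (hypothetical format, not any real provider's).
# Each line: timestamp with UTC offset, START or STOP, subscriber name, assigned IP.
SESSION_LOG = """\
2006-03-14T02:15:07-0500 START user=alice ip=192.0.2.45
2006-03-14T03:40:51-0500 STOP  user=alice ip=192.0.2.45
2006-03-14T03:41:10-0500 START user=bob   ip=192.0.2.45
2006-03-14T06:02:33-0500 STOP  user=bob   ip=192.0.2.45
2006-03-14T02:00:00-0500 START user=carol ip=192.0.2.46
"""


@dataclass
class Session:
    user: str
    ip: str
    start: datetime          # stored in UTC
    end: Optional[datetime]  # None: still connected when the log was exported


def parse_sessions(log: str) -> list[Session]:
    """Pair START/STOP events into sessions, normalizing every timestamp to UTC."""
    open_sessions: dict[tuple[str, str], Session] = {}
    sessions: list[Session] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, event, user_field, ip_field = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)
        user = user_field.split("=", 1)[1]
        ip = ip_field.split("=", 1)[1]
        if event == "START":
            session = Session(user, ip, when, None)
            open_sessions[(user, ip)] = session
            sessions.append(session)
        elif event == "STOP":
            open_sessions.pop((user, ip)).end = when
        else:
            raise ValueError(f"unknown event in log line: {line!r}")
    return sessions


def subscribers_for(sessions: list[Session], ip: str, at: str) -> list[str]:
    """Subscribers who held `ip` at instant `at` (ISO 8601 with a UTC offset).
    The offset is mandatory: the same wall-clock time in a different zone
    points at a different session, or at nobody."""
    moment = datetime.fromisoformat(at).astimezone(timezone.utc)
    return [s.user for s in sessions
            if s.ip == ip and s.start <= moment and (s.end is None or moment < s.end)]


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_LOG)
    print(subscribers_for(sessions, "192.0.2.45", "2006-03-14T03:00:00-05:00"))  # ['alice']
    print(subscribers_for(sessions, "192.0.2.45", "2006-03-14T03:00:00+00:00"))  # []
```

Asking for 03:00 local time returns one subscriber; asking for 03:00 UTC, five hours earlier, returns nobody, because no session covered that instant. A request that omits the time zone cannot be answered reliably.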

Joint Photographic Experts Group (JPEG)

JPEG is the name of a standard for compressing digitized images so that they can be stored on computers. JPEG is often used to compress photographic images, including pornography. Such files are often identified by the “.jpg” extension (such that a JPEG file might have the title “picture.jpg”), but a file can easily be renamed without the “.jpg” extension. Forensic tools therefore identify JPEG files by the characteristic byte sequence at the beginning of the file rather than by the file name.

Log file

         Log files are computer files that contain records about system events and status, the identity and activities of users, and anomalous or unauthorized computer usage. Names for various log files include, but are not limited to: user logs, access logs, audit logs, transactional logs, and web server logs (e.g., Apache logs).  Logs can also maintain records regarding the identification of users on a network, as well as Internet sites accessed by the computer.

MPEG Audio Layer 3 (MP3)

         MP3 is the name of a standard for compressing audio recordings (e.g., songs, albums, concert recordings) so that they can be stored on a computer, transmitted through the Internet to other computers, or listened to using a computer. Despite the small size of the files, MP3 delivers near CD-quality sound. Such files are often identified by the filename extension “.mp3,” but a file can easily be renamed without the “.mp3” extension.

Packet Sniffing

         On the Internet, information is usually transmitted through many different locations before it reaches its final destination. While in transit, such information is contained within “packets.” Both authorized users, such as system security experts, and unauthorized users, such as hackers, use specialized technology - packet sniffers - to “listen” to the flow of information on a network for interesting packets, such as those containing logins or passwords, sensitive or classified data, or harmful communications such as viruses. After locating such data, a packet sniffer records or copies the communication; a device placed in the path of the traffic can also redirect or block it.

Peer-to-Peer (P2P) Networks

         P2P networks differ from conventional networks in that each computer within the network functions as both a client (using the resources and services of other computers) and a server (providing files and services for use by “peer” computers). There is often no centralized server in such a network. Instead, a search program or database tells users where other computers are located and what files and services they have to offer. Often, P2P networks are used to share and disseminate music, movies, and computer software.

Router

         A router is a device on the Internet that facilitates communication. Each Internet router maintains a table that states the next step a communication must take on its path to its proper destination. When a router receives a transmission, it checks the transmission's destination IP address against the addresses in its table, and directs the communication to another router or to the destination computer. The log file and memory of a router often contain important information that can help reveal the source and network path of communications.  Wireless computer networks utilize wireless routers that maintain information on computers that are connected to the wireless network.

Server

         A server is a centralized computer that provides services for other computers connected to it via a network. The other computers attached to a server are sometimes called “clients.” In a large company, it is common for individual employees to have client computers at their desktops. When the employees access their e-mail, or access files stored on the network itself, those files are pulled electronically from the server, where they are stored, and are sent to the client's computer via the network. Notably, server computers can be physically stored in any location: it is common for a network's server to be located hundreds (and even thousands) of miles away from the client computers.  Servers can serve as a location to store shared files, and can be used to store backup information regarding network activity.

         In larger networks, it is common for servers to be dedicated to a single task. For example, a server that is configured so that its sole task is to support a web site is known simply as a “web server.” Similarly, a server that only stores and processes e-mail is known as a “mail server.”  

Steganography

The art and science of hiding information by embedding messages within other, seemingly harmless messages or graphic images.  Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different information that will not be visible to someone who views the files in the normal manner.  This hidden information could be plain text, encrypted text, images, or any other sort of electronic data.
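The bit-replacement mechanism described above, as an added example that is not part of the manual: a message is hidden in the least significant bit of each sample of a cover file and later recovered. The cover is a constructed grey-scale gradient standing in for raw image samples, and the message and the four-byte length prefix are conventions chosen for this illustration, not any particular steganography tool's format.

```python
"""Added example (not from the manual): least-significant-bit steganography."""
from __future__ import annotations


def _to_bits(data: bytes) -> list[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(bits: list[int]) -> bytes:
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, len(bits), 8))


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in `cover` by overwriting the lowest bit of each cover byte
    (e.g., one pixel sample) with one message bit. A 4-byte length prefix tells the
    extractor where the message ends. Each cover byte changes by at most 1."""
    payload = len(message).to_bytes(4, "big") + message
    bits = _to_bits(payload)
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, message needs {len(payload)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Recover the hidden message: read the length prefix, then that many bytes, from the LSBs."""
    lsbs = [byte & 1 for byte in stego]
    length = int.from_bytes(_from_bits(lsbs[:32]), "big")
    return _from_bits(lsbs[32:32 + 8 * length])


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference; for LSB embedding this is never more than 1,
    which is why the change is invisible to someone viewing the file normally."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a grey-scale gradient standing in for raw image samples.
COVER = bytes(range(256)) * 4

if __name__ == "__main__":
    hidden = embed(COVER, b"meet at 9")
    print(extract(hidden), max_sample_change(COVER, hidden))  # b'meet at 9' 1
```

Viewing the two files as images shows no visible difference, but a byte-by-byte comparison with the original cover, or statistical analysis of the low-order bits, reveals the change; an examiner who has only the suspect file needs the latter.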

Tracing

         Trace programs (such as “traceroute”) are used to determine the path that a communication takes to arrive at its destination. The user specifies a destination IP address or host name; the program then sends a series of probe packets from the user's computer toward that destination, each permitted to travel one “hop” (one device, such as a router) further than the last. Each router along the path that discards an expired probe reports back, and the IP address of that router is displayed on the user's screen or copied to a log file, so that the sequence of devices between source and destination can be reconstructed. Routers configured not to respond appear in the output as gaps.

User name or User ID

         Most services offered on the Internet assign users a name or ID, which is a pseudonym that computer systems use to keep track of users. User names and IDs are typically associated with additional user information or resources, such as a user account protected by a password, personal or financial information about the user, a directory of files, or an email address.

Virus

A virus is a malicious computer program, written by a hacker, that spreads by inserting copies of itself into other programs or files and that may be designed to (1) incapacitate a target computer system, (2) cause a target system to slow down or become unstable, (3) gain unauthorized access to system files, passwords, and other sensitive data such as financial information, and/or (4) gain control of the target system to use its resources in furtherance of the hacker's agenda.

         Once inside the target system, a virus may begin making copies of itself, depleting system memory and causing the system to shut down, or it may begin issuing system commands or altering crucial data within the system.

Other malicious programs used by hackers include, but are not limited to: “worms,” which spawn copies of themselves that travel over a network to other systems without needing a host file; “trojan horses,” which are hidden in seemingly innocuous files such as e-mail attachments and are activated by unsuspecting authorized users; and “mail bombs,” which are programs designed to bombard a target e-mail server or individual user with messages, overloading the target or otherwise preventing the reception of legitimate communications.

B. Background - Staleness Issue

It may be helpful and necessary to include a paragraph explaining how certain computer files can reside indefinitely in free or slack space and thus be subject to recovery with specific forensic tools:

Based on your affiant's knowledge, training, and experience, including the experience of other agents with whom the affiant has spoken, your affiant knows that computer files or remnants of such files can be recovered months or even years after they have been downloaded onto a hard drive, deleted or viewed via the Internet. Electronic files downloaded to a hard drive can be stored for years at little or no cost. Even when such files have been deleted, they can be recovered months or years later using readily-available forensics tools. When a person “deletes” a file on a home computer, the data contained in the file does not actually disappear; rather, that data remains on the hard drive until it is overwritten by new data. Therefore, deleted files, or remnants of deleted files, may reside in free space or slack space - that is, in space on the hard drive that is not allocated to an active file or that is unused after a file has been allocated to a set block of storage space - for long periods of time before they are overwritten. In addition, a computer's operating system may also keep a record of deleted data in a “swap” or “recovery” file. Similarly, files that have been viewed via the Internet are automatically downloaded into a temporary Internet directory or “cache.” The browser typically maintains a fixed amount of hard drive space devoted to these files, and the files are only overwritten as they are replaced with more recently viewed Internet pages. Thus, the ability to retrieve residue of an electronic file from a hard drive depends less on when the file was downloaded or viewed than on a particular user's operating system, storage capacity, and computer habits.
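The recovery described in this paragraph, and the file-signature identification mentioned under JPEG above, as an added example that is not part of the manual. The "disk" is a constructed byte array with a toy directory standing in for a file system: deleting a file removes only its directory entry, and a later write can overwrite part of the old data. A signature carver then scans the raw bytes for the JPEG start and end markers without consulting the directory, so it finds the renamed file, the deleted file, and the header of a partially overwritten file. The marker bytes are the real JPEG ones; the file bodies, sector size and layout are invented for the illustration.

```python
"""Added example (not from the manual): carving deleted files from unallocated space."""
from __future__ import annotations

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker that begins every JPEG file
JPEG_EOI = b"\xff\xd9"       # end-of-image marker that ends it


def make_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: real marker bytes around a fake body."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


def identify(data: bytes) -> str:
    """File-signature identification: the file name is irrelevant, the leading bytes are not."""
    return "jpeg" if data.startswith(JPEG_SOI) else "unknown"


class ToyDisk:
    """Sector-addressed image whose directory is the only record of which sectors are in use."""

    def __init__(self, sectors: int) -> None:
        self.image = bytearray(SECTOR * sectors)
        self.directory: dict[str, tuple[int, int]] = {}   # name -> (first sector, length)

    def write(self, name: str, data: bytes, first_sector: int) -> None:
        offset = first_sector * SECTOR
        self.image[offset:offset + len(data)] = data
        self.directory[name] = (first_sector, len(data))

    def rename(self, old: str, new: str) -> None:
        self.directory[new] = self.directory.pop(old)   # bytes untouched

    def delete(self, name: str) -> None:
        del self.directory[name]   # only the entry goes; the sectors keep their bytes


def carve_jpegs(image: bytes, max_len: int = 4096) -> list[tuple[int, bytes, bool]]:
    """Signature carving over raw bytes, ignoring the directory entirely.
    Returns (offset, data, complete). A header whose trailer was overwritten
    comes back as an incomplete fragment bounded by max_len."""
    found: list[tuple[int, bytes, bool]] = []
    pos = 0
    while (start := image.find(JPEG_SOI, pos)) >= 0:
        window = image[start:start + max_len]
        end = window.find(JPEG_EOI, len(JPEG_SOI))
        if end >= 0:
            found.append((start, bytes(window[:end + len(JPEG_EOI)]), True))
            pos = start + end + len(JPEG_EOI)
        else:
            found.append((start, bytes(window), False))
            pos = start + len(JPEG_SOI)
    return found


def build_scenario() -> ToyDisk:
    """Constructed history of one small disk."""
    disk = ToyDisk(16)
    disk.write("photo.jpg", make_jpeg(b"photo-A"), 2)
    disk.rename("photo.jpg", "notes.txt")                     # extension hides nothing
    disk.write("cache/0001", make_jpeg(b"photo-B"), 4)
    disk.delete("cache/0001")                                 # browser cache file "deleted"
    disk.write("photo-c.jpg", make_jpeg(b"photo-C" * 100), 6)  # spans sectors 6 and 7
    disk.delete("photo-c.jpg")
    disk.write("newfile.dat", b"N" * SECTOR, 7)               # reuses sector 7: tail is gone
    return disk


if __name__ == "__main__":
    disk = build_scenario()
    for offset, data, complete in carve_jpegs(disk.image):
        print(f"offset {offset}: {len(data)} bytes, complete={complete}")
```

Two files come back whole although neither is listed as a JPEG in the directory; the third, partly overwritten by the later write, survives only as a header and the first sector of its body, which is the "remnant" the affidavit language refers to.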

C. Describe the Role of the Computer in the Offense

         The next step is to describe the role of the computer in the offense, to the extent it is known. For example, is the computer hardware itself evidence of a crime or contraband? Is the computer hardware merely a storage device that may or may not contain electronic files that constitute evidence of a crime? To introduce this topic, it may be helpful to explain at the outset why the role of the computer is important for defining the scope of your warrant request.

         Your affiant knows that computer hardware, software, and electronic files may be important to a criminal investigation in two distinct ways: (1) the objects themselves may be contraband, evidence, instrumentalities, or fruits of crime, and/or (2) the objects may be used as storage devices that contain contraband, evidence, instrumentalities, or fruits of crime in the form of electronic data. Rule 41 of the Federal Rules of Criminal Procedure permits the government to search for and seize computer hardware, software, and electronic files that are evidence of crime, contraband, instrumentalities of crime, and/or fruits of crime. In this case, the warrant application requests permission to search and seize [images of child pornography, including those that may be stored on a computer]. These [images] constitute both evidence of crime and contraband. This affidavit also requests permission to seize the computer hardware that may contain [the images of child pornography] if it becomes necessary for reasons of practicality to remove the hardware and conduct a search off-site. Your affiant believes that, in this case, the computer hardware is a container for evidence, a container for contraband, and also itself an instrumentality of the crime under investigation.

1. When the Computer Hardware Is Itself Contraband, Evidence, and/or an Instrumentality or Fruit of Crime

         If applicable, the affidavit should explain why probable cause exists to believe that the tangible computer items are themselves contraband, evidence, instrumentalities, or fruits of the crime, independent of the information they may hold.


Computer Used to Obtain Unauthorized Access to a Computer (“Hacking”)

         Your affiant knows that when an individual uses a computer to obtain unauthorized access to a victim computer over the Internet, the individual's computer will generally serve both as an instrumentality for committing the crime, and also as a storage device for evidence of the crime. The computer is an instrumentality of the crime because it is “used as a means of committing [the] criminal offense” according to Rule 41(b)(3). In particular, the individual's computer is the primary means for accessing the Internet, communicating with the victim computer, and ultimately obtaining the unauthorized access that is prohibited by 18 U.S.C. 1030. The computer is also likely to be a storage device for evidence of crime because computer hackers generally maintain records and evidence relating to their crimes on their computers. Those records and evidence may include files that recorded the unauthorized access, stolen passwords and other information downloaded from the victim computer, the individual's notes as to how the access was achieved, records of Internet chat discussions about the crime, and other records that indicate the scope of the individual's unauthorized access.


Computers Used to Produce Child Pornography

         It is common for child pornographers to use personal computers to produce both still and moving images. For example, a computer can be connected to a video camera, VCR, or DVD player using a device called a video capture board: the device turns the video output into a form that is usable by computer programs. Alternatively, the pornographer can use a digital camera to take photographs or videos and load them directly onto the computer. The output of the camera can be stored, transferred or printed out directly from the computer. The producers of child pornography can also use a device known as a scanner to transfer photographs into a computer-readable format. All of these devices, as well as the computer, constitute instrumentalities of the crime.

2. When the Computer Is Merely a Storage Device for Contraband, Evidence, and/or an Instrumentality or Fruit of Crime

         When the computer is merely a storage device for electronic evidence, the affidavit should explain this clearly. The affidavit should explain why there is probable cause to believe that evidence of a crime may be found in the location to be searched. This does not require the affidavit to establish probable cause that the evidence may be stored specifically within a computer. However, the affidavit should explain why the agents believe that the information may in fact be stored as an electronic file stored in a computer.


Child Pornography

         Your affiant knows that child pornographers generally prefer to store images of child pornography in electronic form as computer files. The computer's ability to store images in digital form makes a computer an ideal repository for pornography. A small portable disk can contain hundreds or thousands of images of child pornography, and a computer hard drive can contain tens of thousands of such images at very high resolution. The images can be easily sent to or received from other computer users over the Internet. Further, both individual files of child pornography and the disks that contain the files can be mislabeled or hidden to evade detection.


Illegal Business Operations

         Based on actual inspection of [spreadsheets, financial records, invoices], your affiant is aware that computer equipment was used to generate, store, and print documents used in [suspect's] [tax evasion, money laundering, drug trafficking, etc.] scheme. There is reason to believe that the computer system currently located on [suspect's] premises is the same system used to produce and store the [spreadsheets, financial records, invoices], and that both the [spreadsheets, financial records, invoices] and other records relating to [suspect's] criminal enterprise will be stored on [suspect's computer].

D. Special Computer Forensics Issues

         The affidavit should also contain a careful explanation of any special computer forensic issues that may impact upon the computer search. Such an explanation is particularly important when practical considerations require that agents seize computer hardware that is merely a storage device for evidence of crime and search it off-site. Similarly, searches for computer evidence in sensitive environments (such as functioning businesses) may require that the agents adopt an incremental approach designed to minimize the intrusiveness of the search. The affidavit should explain the agents' approach in sufficient detail to assure the reviewing court that these issues are present and that the agents have considered them. Here is sample language that can apply in recurring situations:

1. Sample Language to Justify Seizing Hardware and Conducting a Subsequent Off-site Search

         #.  Based upon my training and experience and information related to me by agents and others involved in the forensic examination of computers, I know that computer data can be stored on a variety of systems and storage devices including hard disk drives, floppy disks, compact disks, magnetic tapes and memory chips.  I also know that during the search of the premises it is not always possible to search computer equipment and storage devices for data for a number of reasons, including the following:

          a. Searching computer systems is a highly technical process which requires specific expertise and specialized equipment.  There are so many types of computer hardware and software in use today that it is impossible to bring to the search site all of the necessary technical manuals and specialized equipment necessary to conduct a thorough search.  In addition, it may also be necessary to consult with computer personnel who have specific expertise in the type of computer, software application or operating system that is being searched.

          b.   Searching computer systems requires the use of precise, scientific procedures which are designed to maintain the integrity of the evidence and to recover “hidden,” erased, compressed, encrypted or password-protected data.  Computer hardware and storage devices may contain “booby traps” that destroy or alter data if certain procedures are not scrupulously followed.  Since computer data is particularly vulnerable to inadvertent or intentional modification or destruction, a controlled environment, such as a law enforcement laboratory, is essential to conducting a complete and accurate analysis of the equipment and storage devices from which the data will be extracted.

          c. The volume of data stored on many computer systems and storage devices will typically be so large that it will be highly impractical to search for data during the execution of the physical search of the premises.  A single megabyte of storage space is the equivalent of 500 double-spaced pages of text.  A single gigabyte of storage space, or 1,000 megabytes, is the equivalent of 500,000 double-spaced pages of text.  Storage devices capable of storing 160 gigabytes (GB) of data are now commonplace in desktop computers.  Consequently, each non-networked, desktop computer found during a search can easily contain the equivalent of 80 million pages of data, which, if printed out, would result in a stack of paper over four miles high.  Further, a 160 GB drive could contain as many as approximately 150 full-length movies or 150,000 songs.

         d. Computer users can attempt to conceal data within computer equipment and storage devices through a number of methods, including the use of innocuous or misleading filenames and extensions.  For example, files with the extension “.jpg” often are image files; however, a user can easily change the extension to “.txt” to conceal the image and make it appear that the file contains text.  Computer users can also attempt to conceal data by using encryption, which means that a password or device, such as a “dongle” or “keycard,” is necessary to decrypt the data into readable form.   In addition, computer users can conceal data within another seemingly unrelated and innocuous file in a process called “steganography.” For example, by using steganography a computer user can conceal text in an image file which cannot be viewed when the image file is opened.  Therefore, a substantial amount of time is necessary to extract and sort through data that is concealed or encrypted to determine whether it is evidence, contraband or instrumentalities of a crime.

         In light of these concerns, your affiant hereby requests the Court's permission to seize the computer hardware (and associated peripherals) that are believed to contain some or all of the evidence described in the warrant, and to conduct an off-site search of the hardware for the evidence described, if, upon arriving at the scene, the agents executing the search conclude that it would be impractical to search the computer hardware on-site for this evidence.
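The two forensic situations the sample language above describes, a file whose extension disguises its content (paragraph d) and file remnants that survive in free or slack space after deletion (the discussion of deleted files earlier in this appendix), as an added Python example that is not from the manual or any affidavit; the four-format signature table and all sample bytes are assumptions constructed for the demonstration:

```python
"""Added example, not part of the DOJ manual or any affidavit: two checks a
forensic examiner applies to the situations described above, namely files
whose extension disagrees with their content and image headers that survive
in unallocated (free or slack) space after deletion. All sample bytes below
are constructed for the demonstration; no real disk or file is read."""
from typing import List, Optional

# Leading-byte signatures ("magic numbers") of a few common formats.
# Assumption: these four suffice for the demonstration.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",          # JPEG start-of-image marker
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

JPEG_SOI = b"\xff\xd8\xff"  # start of image
JPEG_EOI = b"\xff\xd9"      # end of image


def identify(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, magic in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return None


def extension_mismatch(name: str, data: bytes) -> Optional[str]:
    """Return the real format when the filename's extension disguises it.

    A JPEG renamed from photo.jpg to notes.txt still begins with FF D8 FF,
    so the content, not the name, decides what the file is."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = identify(data)
    if actual is not None and actual != ext:
        return actual
    return None


def carve_jpegs(unallocated: bytes) -> List[bytes]:
    """Recover JPEG fragments from raw bytes such as unallocated clusters.

    Deleted files are not erased; their bytes remain until overwritten, so
    scanning for the SOI marker and the following EOI marker recovers them.
    Simplification: a JPEG with an embedded thumbnail contains an inner EOI,
    so a real tool validates the structure rather than stopping at the
    first FF D9."""
    found: List[bytes] = []
    pos = 0
    while True:
        start = unallocated.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = unallocated.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:          # truncated remnant: header but no trailer
            break
        found.append(unallocated[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


# Constructed sample: zero filler standing in for free space, with two
# minimal JPEG-like remnants left behind by "deleted" files.
SAMPLE_UNALLOCATED = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0JFIF-one\xff\xd9"
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe1Exif-two\xff\xd9"
    + b"\x00" * 4
)


if __name__ == "__main__":
    # A JPEG header stored under a text-file name is reported as "jpg".
    print(extension_mismatch("notes.txt", b"\xff\xd8\xff\xe0" + b"\x00" * 12))
    print(extension_mismatch("photo.jpg", b"\xff\xd8\xff\xe0"))  # None: consistent
    for fragment in carve_jpegs(SAMPLE_UNALLOCATED):
        print(len(fragment), fragment[:4].hex())
```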

2. Sample Language to Justify an Incremental Search

         Generally, in the absence of a requirement by the magistrate, committing to an incremental search approach is not advised.  However, some magistrates are requiring that applying agents demonstrate a willingness to minimize the impact of a computer seizure in a corporate environment.  In such cases, the following language should be considered:

        Your affiant recognizes that the [Suspect] Corporation is a functioning company with [approximately #]/[numerous] employees, and that a seizure and removal of the [Suspect] Corporation's computer network may have the unintended and undesired effect of limiting the company's ability to provide service to its legitimate customers who are not engaged in [the criminal activity under investigation]. In response to these concerns, the agents who execute the search will take an incremental approach to minimize the inconvenience to [Suspect Corporation's] legitimate customers and to minimize the need to seize equipment and data. This incremental approach, which will be explained to all of the agents on the search team before the search is executed, will proceed as follows:

         A. The computer forensic examiner will attempt to create an electronic “image” of all computers that are likely to store [the computer files described in the warrant]. Generally speaking, imaging is the taking of a complete electronic picture of the computer's data, including all hidden sectors and deleted files. Imaging a computer permits the agents to obtain an exact copy of the computer's stored data without actually seizing the computer hardware. The computer forensic examiner or another technical expert will then conduct an off-site search for [the computer files described in the warrant] from the image copy at a later date.

         B. If “imaging” proves impractical, or even impossible for technical reasons, then the agents will seize those components of the [Suspect Corporation's] computer system that the computer forensic examiner believes must be seized to permit the agents to locate [the computer files described in the warrant] at an off-site location. The components will be seized and taken into the custody of the agent. If employees of [Suspect Corporation] so request, the computer forensic examiner will, to the extent practicable, attempt to provide the employees with copies of any files [not within the scope of the warrant] that may be necessary or important to the continuing function of the [Suspect Corporation's] legitimate business. If, after inspecting the computers, the analyst determines that some or all of this equipment is no longer necessary to retrieve and preserve the evidence, the government will return it within a reasonable time.

3. Sample Language to Justify the Use of Comprehensive Data Analysis Techniques

         Searching [the suspect's] computer system for the evidence described in [Attachment A] will require a range of computer forensic analysis techniques. Criminals can mislabel or hide files and directories; encode communications to avoid using key words; attempt to delete files to evade detection; or take other steps designed to frustrate law enforcement searches for information. In order to properly execute the search authorized by the warrant, specially trained agents or forensic analysts will be required to conduct a thorough forensic analysis of the seized media, such as scanning areas of the disk not allocated to listed files, or opening every file and scanning its contents briefly to determine whether it falls within the scope of the warrant. In light of these difficulties, your affiant requests permission to use whatever computer forensic analysis techniques appear necessary to locate and retrieve the evidence described in [Attachment A].

E. Special Considerations

         The affidavit should also contain discussions of any special legal considerations that may factor into the search or how it will be conducted. These considerations are discussed at length in Chapter 2. Agents can use this checklist to determine whether a particular computer-related search raises such issues:

         1. Is the search likely to result in the seizure of any drafts of publications (such as books, newsletters, Web site postings, etc.) that are unrelated to the search and are stored on the target computer? If so, the search may implicate the Privacy Protection Act, 42 U.S.C. 2000aa.

         2. Is the target of the search an ISP, or will the search result in the seizure of a mail server? If so, the search may implicate the Electronic Communications Privacy Act, 18 U.S.C. 2701-12.

         3. Does the target store electronic files or e-mail on a server maintained in a remote location? If so, the agents may need to obtain more than one warrant.  Agents should be sensitive to the fact that these remote locations may be located in areas out of the jurisdiction of the issuing magistrate, and may be located outside of the United States.

         4. Will the search result in the seizure of privileged files, such as attorney-client communications? If so, special precautions may be in order, and special approval may be required. See the guidance in USAM 9-13.420.

         5. Are the agents requesting authority to execute a “sneak-and-peek” search?  If so, the proposed search must satisfy the standard defined in 18 U.S.C. 3103a(b).

         6. Are the agents requesting authority to dispense with the “knock and announce” rule?




APPENDIX G: Sample Letter for Provider Monitoring



[Note: as discussed in Chapter 4.D.3.c of this manual, agents and prosecutors should adopt a cautious approach to accepting the fruits of future monitoring conducted by providers under the provider exception. Furthermore, law enforcement may be able to avoid this issue by reliance on the computer trespasser exception. However, in cases in which law enforcement chooses to accept the fruits of future monitoring by providers, this letter may reduce the risk that any provider monitoring and disclosure will exceed the acceptable limits of 18 U.S.C. 2511(2)(a)(i).]



         This letter is intended to inform [law enforcement agency] of [Provider's] decision to conduct monitoring of unauthorized activity within its computer network pursuant to 18 U.S.C. 2511(2)(a)(i), and to disclose some or all of the fruits of this monitoring to law enforcement if [Provider] deems it will assist in protecting its rights or property.  On or about [date], [Provider] became aware that it was the victim of unauthorized intrusions into its computer network.  [Provider] understands that 18 U.S.C. 2511(2)(a)(i) authorizes
 

an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service[.]


          This statutory authority permits [Provider] to engage in reasonable monitoring of unauthorized use of its network to protect its rights or property, and also to disclose intercepted communications to [law enforcement] to further the protection of [Provider]'s rights or property. Under 18 U.S.C. 2702(c)(3), [Provider] is also permitted to disclose customer records or other information related to such monitoring if such disclosure protects the [Provider]'s rights and property.

         To protect its rights and property, [Provider] plans to [continue to] conduct reasonable monitoring of the unauthorized use in an effort to evaluate the scope of the unauthorized activity and attempt to discover the identity of the person or persons responsible. [Provider] may then wish to disclose some or all of the fruits of its interception, records, or other information related to such interception, to law enforcement to help support a criminal investigation concerning the unauthorized use and criminal prosecution for the unauthorized activity of the person(s) responsible.

         [Provider] understands that it is under absolutely no obligation to conduct any monitoring whatsoever, or to disclose the fruits of any monitoring, records, or other information related to such monitoring, and that 18 U.S.C. 2511(2)(a)(i) does not permit [law enforcement] to direct or request [Provider] to intercept, disclose, or use monitored communications, associated records, or other information for law enforcement purposes. 

         Accordingly, [law enforcement] will under no circumstances initiate, encourage, order, request, or solicit [Provider] to conduct nonconsensual monitoring absent an appropriate court order or a relevant exception to the Wiretap Act (e.g., 18 U.S.C. 2511(2)(i)), and [Provider] will not engage in monitoring solely or primarily to assist law enforcement absent such circumstances. Any monitoring and/or disclosure will be at [Provider's] initiative.  [Provider] also recognizes that the interception of wire and electronic communications beyond the permissible scope of 18 U.S.C. 2511(2)(a)(i) may potentially subject it to civil and criminal penalties.



Sincerely,






General Counsel




APPENDIX H: Sample Authorization For Monitoring of Computer Trespasser Activity



This letter authorizes [law enforcement agency] to monitor computer trespasser activity on [Owner / Operator]'s computer. [Owner / Operator] maintains a computer [exclusively for the use of X financial institution(s) / the United States Government / that is used in interstate or foreign commerce / and the use of this computer by a financial institution or the United States Government is affected by such unauthorized activity]. Therefore, this computer is a "protected computer" under 18 U.S.C. 1030(e)(2).



An unauthorized user, without a contractual basis for any access, has accessed this computer, and is therefore a computer trespasser as defined by 18 U.S.C. 2510(21). The [Owner / Operator] understands that under 18 U.S.C. 2511(2)(i)(I), [law enforcement agency] may not "intercept [the trespasser's] wire or electronic communications...transmitted to, through, or from" this computer without authorization from [Owner / Operator].



To protect its computer from the adverse effects of computer trespasser activity, the [Owner / Operator] authorizes [law enforcement agency] to monitor the communications of the trespasser to, through, and from this protected computer. The fruits of such monitoring may support a criminal investigation and possible prosecution of the person(s) responsible for such unauthorized use.



This authorization in no way represents consent to the interception, retrieval, or disclosure of communications other than those transmitted to or from the computer trespasser, and [law enforcement agency] may not acquire such communications in the course of its monitoring, pursuant to 18 U.S.C. 2511(3)(i)(IV), except under separate lawful authority.





Sincerely,







[Owner / Operator] General Counsel




ENDNOTES

1. "Electronic storage" is a term of art, specifically defined in 18 U.S.C. 2510(17) as "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication." The government does not seek access to any such materials. Communications not in "electronic storage" include any e-mail communications received by the specified accounts that the owner or user of the account has already accessed, viewed, or downloaded.

2. 18 U.S.C. 2711(3) states "the term 'court of competent jurisdiction' has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation."

3. "Electronic storage" is a term of art, specifically defined in 18 U.S.C. 2510(17) as "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication." The government does not seek access to any such materials. Communications not in "electronic storage" include any e-mail communications received by the specified accounts that the owner or user of the account has already accessed, viewed, or downloaded.

4. An Internet Protocol (IP) address is a unique numerical address identifying each computer on the Internet. IP addresses are conventionally written in the dot-punctuated form num1.num2.num3.num4 (e.g., 192.168.3.47).

5. A "port" in the Transmission Control Protocol used over the Internet is a numeric identifier for a particular type of service being offered by a machine. For example, port 80 is typically reserved for World Wide Web traffic, so that a computer that wishes to retrieve information from a web server would typically connect to port 80. Often, however, hackers run programs which listen at a particular port, but do not provide the typically expected protocol at that port. These are often used as "back doors" into computer systems.

6. TCP port 25 is specifically reserved for the Simple Mail Transfer Protocol (commonly referred to as SMTP), port 80 is reserved for Hypertext Transfer Protocol (HTTP, or web traffic), port 110 is reserved for the Post Office Protocol version 3 (POP3), and port 143 is reserved for the Internet Mail Access Protocol (IMAP). [Modify list of excluded ports as needed.]