Orin Kerr , April 26, 2007 at 1:22pm] Trackbacks Virtual Analogies, Physical Searches, and the Fourth Amendment:



Here's the quick version of the facts. The cops think that Ray Andrus may have downloaded child pornography onto his home computer, so they go to his house to do a "knock and talk." Andrus lives with his elderly parents, and Andrus's elderly father is the only one home. The father consents to the cops searching his home and any computers there. The cops take away a computer, and then search it off-site using computer forensic software. They quickly find child pornography.



Okay, now here's the interesting twist. After the agents discover the child pornography, they learned that the child pornography files were accessible to users only using the son's user profile, which was protected by a password that the father did not know. That is, a user wanting to find the file would need to know the son's password to see it; to another user, the file would be hidden. How could that happen? As I have explained [D]igital evidence searches generally occur at both a "logical" or "virtual" level and a "physical" level. The distinction between physical searches and logical searches is fundamental in computer forensics: while a logical search is based on the file systems found on the hard drive as presented by the operating system, a physical search identifies and recovers data across the entire physical drive without regard to the file system. Most users think of computer searches as occuring at the virtual level, because that's the user experience. But computer forensic software works at the physical level: it treats the hard drive as a physical device that contains millions of zeros and one, not as a virtual "box" of information accessed through an operating system. User profiles and most password protection operate only at a virtual level, so a goverment forensic analyst operating at a physical level wouldn't even notice the difference unless he was specifically looking for it.



Why does it matter? Well, it matters because the answer to the legal question seems to hinge on whether you apply the Fourth Amendment from a virtual perspective or a physical perspective. From a virtual user's perspective, the child pornography was hidden to the father; it was behind a password-protected gate. Under these facts, the father couldn't consent to a search because he would lack common authority over it. From a physical perspective, however, the file was present on the hard drive just like all the other information. Under these facts, the father could consent to the search because he had access rights to the machine generally. It's the classic



The Court divided on which perspective to take. The majority (Judge Murphy, joined by the recently-arrived Judge Gorsuch) did not directly address the question of "common authority," relying instead on the "apparent authority" doctrine. Under the apparent authority doctrine, officers can rely on third-party consent if they reasonably conclude that a person has the right to provide consent even if later turns out that he doesn't. This was a sensible move by the majority, because the apparent authority doctrine focuses more on the physical perspective that the officers have rather than a virtual perspective that a user has. Viewed from the physical perspective, the investigators reasonably did not know about the user profile and reasonably believed that the father had rights to consent to that part of the hard drive.



Judge McKay dissented, and instead adopted a virtual perspective. To Judge McKay, the virtual perspective was the only one that mattered: a computer file was a container, and a password-protected computer file was a locked container. Using forensic software to look at a computer from a physical perspective was therefore avoiding the virtual locks. Judge McKay argued that officers should not be allowed to rely on the apparent authority from the physical perspective without first making an inquiry into whether there might be password protection of some kind from a virtual perspective.



I think the majority is probably right, but it's a tremendously interesting case either way. How do you measure the reasonableness of a belief when understandings of what computers are and how they work are so different among typical users and forensic analysts? Should the law follow the understandings of the experts who understand the techology or the general users who don't?



Thanks to Related Posts (on one page): Another Clash Between Virtual And Physical Perspectives in Internet Law: Virtual Analogies, Physical Searches, and the Fourth Amendment: The Tenth Circuit has handed down an opinion on how the Fourth Amendment applies to computers that raises a fascinating clash between virtual analogies and physical facts. The case involves the effect of user profiles and password protection on third-party consent rights, which turns out to be an issue that has a lot of practical importance for computer forensic searches; it's certainly come up in discussions within the government, and now for the first time a court has suggested the framework for an answer. The case is United States v. Andrus Here's the quick version of the facts. The cops think that Ray Andrus may have downloaded child pornography onto his home computer, so they go to his house to do a "knock and talk." Andrus lives with his elderly parents, and Andrus's elderly father is the only one home. The father consents to the cops searching his home and any computers there. The cops take away a computer, and then search it off-site using computer forensic software. They quickly find child pornography.Okay, now here's the interesting twist. After the agents discover the child pornography, they learned that the child pornography files were accessible to users only using the son's user profile, which was protected by a password that the father did not know. That is, a user wanting to find the file would need to know the son's password to see it; to another user, the file would be hidden. How could that happen? As I have explained in this article , there are two basic ways to search a computer:Most users think of computer searches as occuring at the virtual level, because that's the user experience. But computer forensic software works at the physical level: it treats the hard drive as a physical device that contains millions of zeros and one, not as a virtual "box" of information accessed through an operating system. User profiles and most password protection operate only at a virtual level, so a goverment forensic analyst operating at a physical level wouldn't even notice the difference unless he was specifically looking for it.Why does it matter? Well, it matters because the answer to the legal question seems to hinge on whether you apply the Fourth Amendment from a virtual perspective or a physical perspective. From a virtual user's perspective, the child pornography was hidden to the father; it was behind a password-protected gate. Under these facts, the father couldn't consent to a search because he would lack common authority over it. From a physical perspective, however, the file was present on the hard drive just like all the other information. Under these facts, the father could consent to the search because he had access rights to the machine generally. It's the classic problem of perspective that I wrote about in the Georgetown Law Journal in 2003: the facts hinge on whether you take a physical (external) or virtual (internal) perspective.The Court divided on which perspective to take. The majority (Judge Murphy, joined by the recently-arrived Judge Gorsuch) did not directly address the question of "common authority," relying instead on the "apparent authority" doctrine. Under the apparent authority doctrine, officers can rely on third-party consent if they reasonably conclude that a person has the right to provide consent even if later turns out that he doesn't. This was a sensible move by the majority, because the apparent authority doctrine focuses more on the physical perspective that the officers have rather than a virtual perspective that a user has. Viewed from the physical perspective, the investigators reasonably did not know about the user profile and reasonably believed that the father had rights to consent to that part of the hard drive.Judge McKay dissented, and instead adopted a virtual perspective. To Judge McKay, the virtual perspective was the only one that mattered: a computer file was a container, and a password-protected computer file was a locked container. Using forensic software to look at a computer from a physical perspective was therefore avoiding the virtual locks. Judge McKay argued that officers should not be allowed to rely on the apparent authority from the physical perspective without first making an inquiry into whether there might be password protection of some kind from a virtual perspective.I think the majority is probably right, but it's a tremendously interesting case either way. How do you measure the reasonableness of a belief when understandings of what computers are and how they work are so different among typical users and forensic analysts? Should the law follow the understandings of the experts who understand the techology or the general users who don't?Thanks to Howard for the link.