Some Thoughts (And Questions) About U.S. v. Cotterman – Part 1 of 2

Last week, the Ninth Circuit released its decision in U.S. v. Cotterman, articulating a new and fascinating standard for border searches of electronic devices. An en banc majority held that government agents need “reasonable suspicion” to justify “forensic examination” of electronic devices at the border. The ruling has been characterized as a win for digital privacy rights – as a general rule, no suspicion whatsoever is required to search people and property at the border. This jump from “no suspicion required” to “reasonable suspicion required” limits when the government can do “forensic examinations,” and grants an exceptional level of protection to electronic devices.

The decision raises a lot of questions – myriad law review articles dissecting it are doubtless being drafted as I write this blog post – but I’m especially curious to get the XRDS audience’s perspective on two, which I’ll be tackling in two separate blog posts.

Today’s question: does the court’s distinction between “forensic” and “manual” examinations of electronic devices make sense to you?

The opinion holds that “computer forensic examinations” like the one conducted by the ICE agent in this case require reasonable suspicion, unlike most border searches. So what is (and what isn’t) a computer forensic examination?

The Factual Background of U.S. v. Cotterman

Mr. Cotterman and his wife came back into the U.S. from Mexico with several digital devices, including laptops and digital cameras. At the border, a DHS database returned a hit on Mr. Cotterman’s name, and the border agent noticed password-protected files when he opened and looked at their laptops. The Cottermans’ computers then went to a senior ICE agent for “computer forensic examination.” The examiner used a program called EnCase to copy the hard drives and analyze their contents, and then personally examined both computers. Ultimately, the examiner located a number of images of child pornography “within the unallocated space” on Cotterman’s laptop.

Computer Forensic Examination: What Does That Mean?

The opinion never expressly defines the phrase “forensic examination,” but it distinguishes “application of computer software to analyze a hard drive” from “manual review of files on an electronic device” and says that the former requires suspicion. Following that train of thought, “forensic examination” must be application of computer software to analyze a hard drive. We can further infer that applying computer software to analyze a hard drive is distinct from manual review. So what’s manual review?

I think it’s reasonable to conclude that the initial examination of the laptops was a “manual review”: the agent opened them and clicked around enough to notice some password-protected files. According to the case’s logic, what the first border agent did wasn’t the forensic search. This tells us the majority is concerned about law enforcement using special law enforcement software to analyze a hard drive. After all, the first agent technically did “apply computer software” when he used the operating system, but under the ruling only the EnCase analysis required reasonable suspicion.

The court says the EnCase program “gave the examiner access to far more data, including password-protected, hidden or encrypted, and deleted files, than a manual user could access.” It says that computer forensic examination “is a powerful tool capable of unlocking password-protected files, restoring deleted material, and retrieving images viewed on web sites.” Based on this, the court goes on to conclude that such a search is unusually invasive and therefore warrants extra protection. Part 2 will go into this line of reasoning in a bit more detail; the salient point for this post is that these three things – password-protected/hidden/encrypted files, deleted material, and web history – raise the privacy stakes in the majority’s view. This is why the ruling singles out the application of software to analyze a hard drive: the court assumes the agents couldn’t have cracked the password-protected files or recovered the deleted images from unallocated space without EnCase.

So, Computing Machinery experts: is it reasonable for the court to assume that the images in unallocated space couldn’t have been recovered without special forensic software? Could an especially skilled technician retrieve the same depth of information without special software like EnCase, creating a huge hole in the majority’s reasoning? Does the majority mean what it thinks it means? 


Coming up in part 2: does digital data really need its own special standard?
