In re Three Hotmail Email Accounts: [Redacted]@hotmail.Com [Redacted]@hotmail.Com [Redacted]@hotmail.Com Belonging to

• Decision Date: 28 March 2016
• Docket Number: CASE NUMBER: 16-MJ-8036-DJW
• Parties: In the Matter of the Search of premises known as: Three Hotmail Email accounts: [redacted]@hotmail.com [redacted]@hotmail.com [redacted]@hotmail.com Belonging to and Seized from [redacted]
• Court: U.S. District Court — District of Kansas

In the Matter of the Search of premises known as:

Three Hotmail Email accounts: [redacted]@hotmail.com

[redacted]@hotmail.com [redacted]@hotmail.com

Belonging to and Seized from [redacted]

CASE NUMBER: 16-MJ-8036-DJW

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF KANSAS

March 28, 2016

SEARCH WARRANT

MEMORANDUM AND ORDER DENYING APPLICATION FOR SEARCH WARRANT

The United States has submitted an Application and Affidavit for Search Warrant ("Application") pursuant to 18 U.S.C. §§ 2703(a), 2703(b)(1)(A), and 2703(c)(1)(A) requiring an electronic communication services provider ("Email Provider"), to disclose copies of electronic communications, including the content of email and other account-related information, for the email accounts ("target email accounts") identified in the Application. Here, the Email Provider is Microsoft Corporation. In the affidavit in support of probable cause, the government alleges that the target email accounts were utilized to obtain, crack, and facilitate the distribution of illicit versions of proprietary software, in violation of 18 U.S.C. §§ 371 (conspiracy), 1029 (access device fraud), 1030 (computer intrusion), 1343 (wire fraud), and 2319 (copyright infringement). The Application seeks a search warrant to obtain ESI in each target email account from Microsoft in its search for fruits, evidence and/or instrumentalities of the violation of those laws. For the reasons discussed below, the Application for search warrant is denied without prejudice.

I. PROPOSED SEARCH WARRANT

The proposed search warrant is structured to identify two categories of information: (1) information to be disclosed by an Email Provider to the government under 18 U.S.C. § 2703, and (2) information to be seized by the government. The first section of the warrant orders Microsoft (the Email Provider) to disclose to the government copies of the following records and other information, including the content of the communications, for each account or identifier associated with the target email accounts:

The contents of all emails associated with the account, including stored or preserved copies of emails sent to and from the account, draft emails, archived emails, the source and destination addresses associated with each email, the date and time at which each email was sent, and the size and length of each email, as well as the entirety of header information for each email;

All records or other information regarding the identification of the account, to include full name, physical address, telephone numbers and other identifiers, records of session times and durations, the date on which the account was created, the length of service, the IP address used to register the account, log-in IP addresses associated with session times and dates, account status, alternative email addresses provided during registration, methods of connecting, log files, and means and source of payment (including any credit or bank account number);

The types of service utilized and/or associated with this account to include all identifiers for these services and any connection logs associated with the usage of these services;

All records or other information stored at any time by an individual using the account, including address books, contact and buddy lists, calendar data, pictures, and files; and

All records pertaining to communications between the Provider and any person regarding the account, including contacts with support services and records of actions taken.

The second section of the proposed warrant provides:

Upon receipt of this information from the Provider, government-authorized persons will review that information to locate the items that constitute fruits, contraband,evidence, and instrumentalities of violations of 18 U.S.C. §§ 371 (conspiracy), 1029 (access device fraud), 1030 (computer intrusion), 1343 (wire fraud), and 2319 (copyright infringement), those violations involving [redacted],¹ and others known and unknown, and occurring since September 7, 2008, including, for each account or identifier listed above, information pertaining to the following matters:

a. Evidence of the scanning or theft of intellectual property to include copyright-protected material and those bearing trademarks;

b. Evidence of using access device(s) to fraudulently obtain intellectual property;

c. Evidence of developing, using, or distributing tools or code to circumvent copy controls associated with intellectual property;

d. Evidence of developing, using, or distributing software, code, or script as part of a "man-in-the-middle" computer intrusion;

e. Evidence indicating how and when the email account was accessed or used, to determine the geographic and chronological context of account access, use, and events relating to the crime under investigation and to the email account owner;

f. Evidence indicating the email account owner's state of mind as it relates to the crime under investigation;

g. The identity of the person(s) who created or used the user ID, including records that help reveal the whereabouts of such person(s).

h. The identity of the person(s) who communicated with the user ID about matters relating to the scanning or theft of intellectual property, or the various means to steal the intellectual prope1iy such as access device fraud, computer intrusion, or circumventing copy controls, including records that help reveal their whereabouts.

II. BACKGROUND

For clarity, the Court needs to define or more fully define some terms that will be used throughout this Memorandum Opinion. As this opinion focuses on a warrant for email, the Court will use the term "electronically stored information," or "ESI" for short, to describe the allof the possible information that may be found in an email account. This obviously includes the email communications themselves, but it also includes any other digital data that may reside, or is associated with, the email account, such as contact lists, chat transcripts, calendars, pictures, and files. Basically, anything that can be stored in an email account falls under this umbrella term. The Court will also be using the terms ex ante and ex post, which mean before and after, respectively. Magistrate judges decide ex ante because the facts of the case have not developed—indeed, no case has been filed other than the request for the warrant. District judges decide ex post because the facts of the case have developed already, as the search warrant has been executed. This Court will speak of "ex ante instructions," which simply means a set of instructions—which may contain conditions, limitations, restrictions, or guidelines—given before the warrant is approved but which govern the warrant should it be approved. Similarly, the Court will use the term "search protocol," which is a document submitted by the government explaining to the Court how it will conduct its search of an individual's ESI. A search protocol may set forth how the government will search the ESI, the search software used, the keywords for which the government will search, or what the government will do with ESI that falls outside the scope of the warrant (such as returning or destroying it). Importantly, a search protocol is to inform the Court as to how the government intends to search the ESI. A search protocol may be required as part of a court's ex ante instructions.

Finally, the Court will also be referring to "imaging," which in the technological sense to which the Court is referring means making an exact, duplicate copy—the result of which is an "image." Law enforcement commonly images a seized hard drive in order to perform a search of the data at their forensic lab. This allows the individual to retain the computer or device(assuming they have not been arrested) and allows the government to retain an exact copy of the device as it existed in that particular moment.

III. RELEVANT LAW

A. The Stored Communications Act, 18 U.S.C. §§ 2701 et seq.

The Application seeks authorization to obtain from and search the ESI contained in the email account of a particular customer (suspect) of Microsoft pursuant to the Stored Communications Act of 1986 ("SCA").² In the email context, a government entity may require an Email Provider to disclose the contents of a wire or electronic communication that has been in electronic storage for 180 days or less pursuant to a warrant issued in compliance with the Federal Rules of Criminal Procedure.³ For contents stored for more than 180 days, the statute authorizes a government entity to require an Email Provider to disclose the contents of the communications under the procedures outlined in subsection (b).⁴ Section 2703(b)(1)(A) authorizes a government entity to require a provider of remote computing services to disclose the contents of any wire or electronic communication without notice to the subscriber or customer if the government obtains a warrant issued pursuant to the Federal Rules of Criminal Procedure.

B. Federal Rule of Criminal Procedure 41

Federal Rule of Criminal Procedure 41 governs searches and seizures. In 2009, Rule 41 was amended to address ESI. Rule 41(e)(2)(B) sets forth a two-step procedure ("Two-Step Procedure") for warrants seeking ESI. On Step One, "officers may seize or copy the entire storage medium;" on Step Two, officers can review—i.e. search—that copy later "to determinewhat electronically stored information falls within the scope of the warrant."⁵ This process is necessary because "computers and other electronic storage media commonly contain such large amounts of information that it is often impractical for law enforcement to review all of the information during execution of the warrant at the search location."⁶

Importantly, however, the Advisory Committee notes: "[t]he amended rule does not address the specificity of description that the Fourth Amendment may require in a warrant for electronically stored information, leaving the application of this and other constitutional standards concerning...