U.S. v. Heckenkamp, 05-10322.

• Citation: 482 F.3d 1142
• Decision Date: 05 April 2007
• Docket Number: No. 05-10323.,No. 05-10322.,05-10322.,05-10323.
• Parties: UNITED STATES of America, Plaintiff-Appellee, v. Jerome T. HECKENKAMP, Defendant-Appellant. United States of America, Plaintiff-Appellee, v. Jerome T. Heckenkamp, Defendant-Appellant.
• Court: United States Courts of Appeals. United States Court of Appeals (9th Circuit)

482 F.3d 1142

UNITED STATES of America, Plaintiff-Appellee, v. Jerome T. HECKENKAMP, Defendant-Appellant.

United States of America, Plaintiff-Appellee, v. Jerome T. Heckenkamp, Defendant-Appellant.

No. 05-10322.

No. 05-10323.

United States Court of Appeals, Ninth Circuit.

Argued and Submitted August 17, 2006.

Filed April 5, 2007.

Benjamin Coleman, San Diego, CA, for the appellant.

Hanley Chew, Assistant United States Attorney, San Francisco, CA, for the appellee.

Appeal from the United States District Court for the Northern District of California; James Ware, District Judge, Presiding. D.C. Nos. CR-03-20041-JW, CR-00-20355-JW.

Before CANBY, HAWKINS, and THOMAS, Circuit Judges.

THOMAS, Circuit Judge.

In this case, we consider whether a remote search of computer files on a hard drive by a network administrator was justified under the "special needs" exception to the Fourth Amendment because the administrator reasonably believed the computer had been used to gain unauthorized access to confidential records on a university computer. We conclude that the remote search was justified.

Although we assume that the subsequent search of the suspect's dorm room was not justified under the Fourth Amendment, we conclude that the district court's denial of the suppression motion was proper under the independent source exception to the exclusionary rule.

I

In December 1999, Scott Kennedy, a computer system administrator for Qualcomm Corporation in San Diego, California, discovered that somebody had obtained unauthorized access to (or "hacked into," in popular parlance) the company's computer network. Kennedy contacted Special Agent Terry Rankhorn of the Federal Bureau of Investigation about the intrusion.

Kennedy was able to trace the intrusion to a computer on the University of Wisconsin at Madison network, and he contacted the university's computer help desk, seeking assistance. Jeffrey Savoy, the University of Wisconsin computer network investigator, promptly responded to Kennedy's request and began examining the university's system. Savoy found evidence that someone using a computer on the university network was in fact hacking into the Qualcomm system and that the user had gained unauthorized access to the university's system as well. Savoy was particularly concerned that the user had gained access to the "Mail2" server on the university system, which housed accounts for 60,000 individuals on campus and processed approximately 250,000 emails each day. At that time, students on campus were preparing for final exams, and Savoy testified that "the disruption on campus would be tremendous if e-mail was destroyed." Through his investigation of the Mail2 server, Savoy traced the source of intrusion to a computer located in university housing. The type of access the user had obtained was restricted to specific system administrators, none of whom would be working from the university's dormitories.

Savoy determined that the computer that had gained unauthorized access had a university Internet Protocol ("IP") address¹ that ended in 117. In addition, Savoy determined that Heckencamp, who was a computer science graduate student at the university, had checked his email from that IP address 20 minutes before and 40 minutes after the unauthorized connections between the computer at the IP address ending in 117, the Mail2 server, and the Qualcomm server. Savoy determined that the computer at that IP address had been used regularly to check Heckencamp's email account, but no others. Savoy became extremely concerned because he knew that Heckenkamp had been terminated from his job at the university computer help desk two years earlier for similar unauthorized activity, and Savoy knew that Heckenkamp "had technical expertise to damage [the university's] system."

Although Savoy was confident that the computer that had gained the unauthorized access belonged to Heckenkamp, he checked the housing records to ensure that the IP address was assigned to Heckenkamp's dorm room. The housing department initially stated that the IP address corresponded to a different room down the hall from Heckenkamp's assigned room. The housing department acknowledged that the records could be inaccurate but stated that they would not be able to verify the location of the IP address until the next morning. In order to protect the university's server, Savoy electronically blocked the connection between IP address 117 and the Mail2 server.

After blocking the connection, Savoy contacted Rankhorn. After Savoy informed Rankhorn of the information he had found, Rankhorn told Savoy that he intended to get a warrant for the computer, but he did not ask Savoy to take any action or to commence any investigation.

Later that night, Savoy decided to check the status of the 117 computer from home because he was still concerned about the integrity of the university's system. He logged into the network and determined that the 117 computer was not attached to the network. However, Savoy was still concerned that the same computer could have "changed its identity," so he checked the networking hardware to determine if the computer that was originally logged on at the 117 address was now logged on at a different IP address. His search confirmed that the computer was now logged on at an IP address ending in 120.

Based on this discovery, Savoy became even more concerned that the Mail2 server "security could be compromised at any time," particularly because "the intruder at this point knows that he's being investigated" and might therefore interfere with the system to cover his tracks. Savoy concluded that he needed to act that night.

Before taking action, Savoy wanted to verify that the computer logged on at 120 was the same computer that had been logged on at 117 earlier in the day. He logged into the computer, using a name and password he had discovered in his earlier investigation into the 117 computer. Savoy used a series of commands to confirm that the 120 computer was the same computer that had been logged on at 117 and to determine whether the computer still posed a risk to the university server. After approximately 15 minutes of looking only in the temporary directory, without deleting, modifying, or destroying any files, Savoy logged off of the computer.

Savoy then determined that "[the 120] machine need[ed] to get off line immediately or as soon as possible" based on "a university security need." He contacted both Rankhorn and a Detective Scheller, who worked for the university police. Savoy informed them of his discoveries and concerns. Rank-horn asked Savoy to wait to take action because he was attempting to get a search warrant. However, Savoy felt that he needed to protect the university's system by taking the machine off line immediately. Therefore, he made the decision to coordinate with the university police to take the computer off line and to "let [the] university police coordinate with the FBI."

Together with Scheller and other university police officers, Savoy went to the room assigned to Heckenkamp.² When they arrived at the room, the door was ajar, and nobody was in the room. Savoy and Scheller entered the room and disconnected the network cord attaching the computer to the network. Savoy noted that the computer had a screen saver with a password, which prevented him from accessing the computer. In order to be sure that the computer he had disconnected from the network was the computer that had gained unauthorized access to the Mail2 server, Savoy wanted to run some commands on the computer. Detective Scheller located Heckenkamp, explained the situation and asked for Heckenkamp's password, which Heckenkamp voluntarily provided.

Savoy used the password to run the commands on the computer and verified that it was the computer used to gain the unauthorized access. After Savoy confirmed that he had the right computer, Scheller advised Heckenkamp that he was not under arrest, but Scheller requested that Heckenkamp waive his Miranda rights and give a statement. Heckenkamp waived his rights in writing and answered the investigator's and detectives' questions. In addition, Heckenkamp authorized Savoy to make a copy of his hard drive for later analysis, which Savoy did. At no time did Savoy or Scheller search Heckenkamp's room. Throughout his testimony, Savoy emphasized that his actions were taken to protect the university's server rather than for law enforcement purposes.

The federal agents obtained a search warrant from the Western District of Wisconsin, which was executed the following day. Pursuant to the warrant, the agents seized the computer and searched Heckenkamp's room.

Heckenkamp was indicted in both the Northern and Southern Districts of California on multiple offenses, including counts of recklessly causing damage by intentionally accessing a protected computer without authorization, in violation of 18 U.S.C. § 1030(a)(5)(B). In separate orders, Judge Ware in the Northern District and Judge Jones in the Southern District denied Heckenkamp's motions to suppress the evidence gathered from (1) the remote search of his computer, (2) the image taken of his computer's hard drive, and (3) the search conducted pursuant to the FBI's search warrant.³

The two cases were eventually consolidated before Judge Ware. Heckenkamp entered a conditional guilty plea to two counts of violating 18 U.S.C. § 1030(a)(5)(B), which allowed him to appeal the denials of his motions to suppress. The district court entered its judgment and commitment orders on April 28, 2005, and Heckenkamp filed a timely notice of appeal.

We review de novo both a court's denial of a motion to suppress evidence and a court's determination of whether an individual's expectation of privacy was objectively reasonable. United States v. Bautista, 362 F.3d 584, 588-89 (9th Cir.2004).

II

As a prerequisite to establishing the illegality of a search under the Fourth Amendment, a...