On June 25, 2014, the United States Supreme Court issued a ruling requiring a search warrant to search a cell phone. For some law enforcement agencies, this will constitute a fundamental shift in dealing with searching mobile devices.
In light of the ruling, it is imperative the warrents law enforcement agencies use for searches of mobile devices are as thorough as possible. Law enforcement agencies utilize search warrant templates or ‘boilerplates’ that have been handed down from one investigator to another. Unfortunately, these templates, while tried and true, have failed to keep track of technological advances and are missing critical sources of evidence.
Nearly everyone in the United States has a mobile device such as a cell phone. A 2013 study by the Pew Research Center’s Internet and American Life Project found that 91% of adults own a cell phone. According to the National Center for Health Statistics 39.4% of households are wireless only. These statistics give law enforcement statistical certainty a criminal suspect owns a mobile phone.
Obtaining a search warrant for a mobile device to look for evidence is not as burdensome as some believe. If probable cause exists to arrest a suspect, probable cause exists to search the mobile device. The key is to articulate the likely usage of the device before, during, or after the commission of the crime.
Experience has shown there are certain types of crimes where a mobile device is unlikely to be used, but those crimes are few and far between. The instructors from POLICE TECHNICAL have encountered criminal cases involving mobile devices such as:
- Pedophiles who use their mobile devices to communicate with and recruit victims and to store images, videos, and other mementos of their heinous crimes.
- Drivers who communicate their location, plans, and intoxication level using social media, digital photos and videos, phone calls, and text messages from their mobile devices.
- Burglars who target specific locations and communicating about alarm systems, dogs, street lighting conditions, access points, and egress routes.
- Organized retail theft ‘booster rings’ who focus on specific stores and possess digital ‘shopping lists’ of preferred items to steal and fence.
- Car thieves who look for specific makes and models of vehicles and describe the best way to steal them as well as communicating police pursuit policies in the area.
Some crimes, such as narcotics dealing, require mobile communication devices. Gangs are conspiratorial and often use mobile devices to coordinate the group’s activities. Articulating these facts is essential in an affidavit to support the search of any seized device. When you consider applying for a search warrant, think about the nexus of the device to the crime. Is it probable the suspect(s) used the device?
Before the commission of the crime?
Street level robbers also use cell phones to commit their crimes. While they will commit the crime with little or no preplanning, they might perform surveillance on the target person or location. They will coordinate with lookouts and getaway drivers to ensure there is no immediate police presence and easy escape routes from the scene. Articulating this knowledge is based on the prior training and experience of the office and may be documented in a search warrant example.
Based on your Affiant’s prior training and experience and the experience and training of other veteran law enforcement officers with whom I have discussed patterns, trends, and methods of operation regarding this and other types of crimes, your Affiant is aware [robbery/ narcotics/weapons trafficking] is an inherently conspiratorial crime. The nature of the conspiracy requires participating members to communicate in order to coordinate their planning prior to the commission of the crime as well as during the actual commission of the crime. Such communications are commonly made using mobile devices such as tablet computers, mobile phones, and Wi-Fi capable portable gaming consoles.
During the commission of the crime?
Similarly, suspects may communicate during the commission of a crime. Narcotics, robbery, and other crimes require the suspects to actively communicate while the crime is being committed.
Based on your Affiant’s prior training and experience and the experience and training of other veteran law enforcement officers with whom I have discussed patterns, trends, and methods of operation regarding this and other types of crimes, your Affiant is aware [robbery/burglary] is commonly a conspiratorial crime involving the use of others to assist during the commission of the crime. This assistance comes in the form of other suspects, both known and unknown, who will monitor police radio traffic and alert the perpetrators of the impending arrival of law enforcement, lookouts who will maintain visual surveillance on the approaches to the crime scene to alert their associates of the presence of law enforcement, and getaway drivers who will assist the perpetrators with their escape. Communications between co-conspirators is essential to the successful commission of the crime and the subsequent escape from the area of the crime. Such communications are commonly made using mobile devices such as tablet computers, mobile phones, and Wi-Fi capable gaming consoles.
After the commission of the crime?
Once a crime has been committed, suspects are also likely to use their phones after the fact. Law enforcement officers are aware those who commit crimes will take steps to conceal their activities and, complicating the law enforcement investigation. This is true of almost every crime, including those not traditionally conspiratorial. For example, domestic violence investigators will tell you suspects may contact the victim after the crime to apologize. Others will take steps to create alibis for their whereabouts during the crime, conspire with others to conceal or destroy evidence, or make plans to flee the jurisdiction where the crime occurred.
Based on your Affiant’s prior training and experience and the experience and training of other veteran law enforcement officers with whom I have discussed patterns, trends, and methods of operation regarding this and other types of crimes, your Affiant is aware suspects who commit the crime of [homicide/assault/domestic violence] will often attempt to conceal or destroy physical evidence of the crime, conspire with others to create alibis, boast or brag about the commission of the crime, and/or attempt to flee the jurisdiction where the crime occurred. Communications between the perpetrator and those who knowingly or unknowingly assist them is essential to the concealment of the crime and possible flight from the area of the crime. Such communications are commonly made using mobile devices such as tablet computers, mobile phones, and Wi-Fi capable gaming consoles.
Common Search Warrant and Affidavit Errors
A review of law enforcement search warrants performed by POLICE TECHNICAL instructors revealed common errors and deficits in the standard language used to search a mobile device. Law enforcement investigators should review their search warrants and consider the following common errors and omissions:
Failing to request the corresponding call detail records in addition to a search of the phone
Law enforcement has traditionally treated searching mobile devices and investigating the records cellular service providers maintain as two separate disciplines. In fact, both avenues of investigation should be explored simultaneously. The Supreme Court ruling provides an opportunity to blend the investigation of the mobile device and the corresponding the cell phone company’s records together. If officers have probable cause to search a mobile device’s contents they also have probable cause to search cellular service provider’s records for corresponding evidence that may assist their investigation and/or prove their case. In many cases a search warrant was required to obtain cell site location information (CSLI), GPS data, other historical location data, and the stored content the provider maintained, such as incoming or archived voicemail messages and email messages. With the addition of a few lines to a search warrant affidavit and the face sheet of the warrant, law enforcement officers can now gain access to sources of data that were previously overlooked. The following language was adopted from a search warrant by Santa Clara County Deputy District Attorney Mike Galli.
The following items that may be contained in or at the cellular service provider, [INSERT PROVIDER] who has been determined to have provided service to the listed phone number [INSERT PHONE NUMBER] associated with the seized device.
a. Subscriber information, including by way of example and not limitation:
iii.Identifying information such as date of birth, driver license number, and/or social security number
iv.Subscriber contact information including electronic mail addresses, contact phone numbers also referred to as ‘can be reached numbers’
b.Billing and credit information, including by way of example and not limitation:
iii.Method and source of payment information including credit card numbers, electronic funds transfers, and locations of cash payments.
iv. Credit information including any credit report run by the provider prior to authorizing service
e.Service information, including by way of example and not limitation:
i. Purchase and activation location
ii.Types of service subscribed to
iii. Additional phone numbers associated with the same account
iv. Make, model, and serial numbers of the phone(s) associated with the account
d.Call detail records
v.Incoming/outgoing phone calls, SMS/MMS text message, including the content thereof, data events date, time, and duration of same
vi. Cell site location information including beginning and ending cell sites for any recorded events, per call measurement data (PCMD) and/or timing advance (TA) information alternately known Real Time Data or Round Trip Data.
Failing to investigate applications installed on the device
Increasingly, criminal suspects are using alternate communications methods from their mobile devices. These are applications and services installed on a device that use Wi-Fi for voice, messaging, and email outside of the services the cellular provider offers. Additionally, there are covert applications for storing images, videos, text and multimedia messages, contacts, files, and other data that may be concealed as during a manual or forensic examination. Knowing what applications the suspect downloaded can help identify any other communications channels for follow-up investigations. Both Google and Apple are able to search for applications downloaded and installed on devices associated with their customers’ accounts.
Failing to search associated cloud storage and backup files
There are numerous cloud storage applications that allow a user to store and transfer documents and files. Depending on the case under investigation, cloud storage services such as Dropbox and Google Drive may contain relevant evidence that is not recovered during a forensic examination of the mobile device. Additionally, Apple allows customers to back up their data to the iCloud storage system. There may be evidence located in the backup files that was deleted or inaccessible on the mobile device. Some cellular service providers have additional backup functionality that’s accessible with a search warrant. AT&T’s Mobile Locate service periodically backs up contacts, photos, and videos from its customer’s mobile devices. If this information is not specified in a search warrant, the company will not provide it or even notify law enforcement of its existence.
Using broad language such as “Any and all…”
The phrase “any and all” has been seen as a catch all by law enforcement officers writing search warrants for years. Unfortunately, the phrase has been found unconstitutionally vague, broad, burdensome, and inadequate in meeting the reasonable particularity requirement of the Fourth Amendment by U.S. courts. Depending on the local jurisdiction’s requirements, some law enforcement agencies have begun using the alternate phrase “including by way of example and not limitation…”
Failing to support the items to be searched in the affidavit
Every item to be seized pursuant to the search warrant must be supported in the affidavit. However, some search warrant templates have a long list of items to be seized from the mobile device without supporting language in the affidavit. There are two competing schools of thought with appropriate wording in a search warrant. The first federal law enforcement agencies use is a 40-60 page affidavit describing in painstaking detail all of the locations to be searched including: contact information stored in the electronic phone book, phone call logs with recordation of incoming, outgoing, and missed calls, short message service (SMS) and multimedia message service (MMS) text/media essages, and calendar events. The problem with this type of search warrant is if officers miss anything by not specifying it in the warrant, such as the file system or application data, they risk losing it during a suppression hearing. The second school of thought is to specify evidence of the crime wherever it may be located on the mobile device. The challenge with this warrant is it may be viewed as vague. The solution is a warrant that addresses the potential negatives from either type; specific enough to search for and locate the relevant evidence without requiring the time and obsession with detail.
Not listing external storage media, including by way of example and not limitation, Micro SD cards
Micro SD cards are external storage media inserted into a mobile device to increase the storage capacity. Micro SD cards are an important source of information during mobile device forensic examinations because they have large storage capacity and can retain deleted data, such as images and videos, for a considerable length of time. However, most law enforcement search warrants do not specify Micro SD cards as an item to be searched. While there is no specific case law addressing this issue, an argument could be made the Micro SD card is a separate container within the mobile device and, if not specifically addressed in the search warrant, would fall outside the search warrant’s purview. One needs only to look at current law enforcement practice to find the similarities. A good search warrant for a residence is not limited to a search at 123 Main Street. Most search warrants include language such as, “… and any outbuildings, garages, sheds, basements, and safes.” Even though these buildings and containers are on the property to be searched, they are viewed as separate containers and judicial authorization is sought to include them in the search. Micro SD cards and other external storage media should be treated in the same manner.
Failing to authorize password bypass
When people engage handset security on their mobile devices, they have higher privacy expectations. While there is no specific case law requiring judicial authorization for bypassing a handset security lock, the actual mechanics of the process may make proactively seeking it a convenience. Apple and Google are able to either circumvent handset security features and provide data from the device or remotely reset the security features. These methods require specific judicial authorization to compel the companies to provide assistance. There are also technical methods for retrieving or bypassing the handset security codes from popular models and operating systems. However, these methods are invasive and can be destructive to the evidence. When seeking a search warrant for an Apple or Google device, it may be prudent to include the appropriate language in the original warrant to prevent repeated trips to the magistrate. Examples and guidelines on these procedures can be found at the end of this document.
Failing to specify deleted data
Users who delete data from their mobile device consider the material to be gone. With models of mobile devices and operating systems, modern forensic techniques are able to recover data even after it has been deleted. While no known precedent exists for specific judicial authorization to recover this deleted data, it may be wise to address the issue in the initial search warrant. This limits suppression challenges by criminal defense attorneys.
Failing to list the possible need for assistance from other agencies
Law enforcement agencies may not have the requisite equipment or expertise to examine a mobile device. These agencies usually rely on larger municipal, state, and/or federal law enforcement agencies to assist them with evidence recovery from a device. While not a statutory requirement, some law enforcement agencies need specific judicial authorization to assist with an investigation. This is true of federal law enforcement agencies who assist their municipal, state, county, or tribal partners. For law enforcement officers who routinely send their mobile devices to another agency for examination, it is good practice to build judicial authorization for this practice into the search warrant.
Failing to seek a waiver of statutory timelines for execution of the mobile device search warrant
Every state has a statutory time requirement for the execution of the warrant. However, this time limit may not correspond to a forensic examiner and his agency’s operational capabilities. It is rare to find a mobile device forensic examiner who doesn’t have a backlog of cases. This backlog varies based on the number of devices waiting for examination, the operational or investigative urgency regarding a device, and the time and methods facilitating the examination. Check with the forensic examiner prior to submitting a search warrant for a mobile device. If the forensic examiner won’t be able to begin his examination prior to the statutory time limit, it may be sensible to seek a judicial waiver.
On 6/25/2014 your Affiant spoke with Detective John Smith with the ABC High Tech Crimes Task Force. Detective Smith is a forensic examiner assigned to the task force. Detective Smith told your Affiant there is a 21-day back log of mobile devices submitted for forensic examination. Many of these previously submitted devices are considered a priority based on the crime type or pending court cases. Furthermore, Detective Smith told me a complete forensic examination may take between eight to 40 hours to complete depending on the complexity of the device, any internal and external storage media associated with the device, and whether it is password protected or not. Your Affiant requests 30 days for the execution and return of the search warrant for the listed device and any internal and external storage media.
The Supreme Court’s decision was unanimous and emphatic. Absent exigent circumstances or other warrantless search exception, such as searchable probation or parole, law enforcement officers will need to obtain a warrant to search a suspect’s phone. Law enforcement officers are presented with a choice when considering the new requirement. We can lament the decision and complain about how it made an already difficult job more complicated or we can adapt. As a benefit, investigators can leverage the probable cause requirement to target sources of information that were previously overlooked such as provider records, cell site location data, application data, and backup files.
Obtaining a search warrant has additional benefits. It makes it more difficult for a defense attorney to suppress evidence obtained as a result of the judicially authorized search. It also gives law enforcement officers the opportunity to hone their search warrant writing skills, which can then be applied to other criminal investigations requiring a warrant. Search warrants will no longer be considered the exclusive purview of the experienced investigator, detective, or narcotics officer. Patrol officers and deputies will find themselves writing search warrants for phones to recover evidence related to their arrests.
Nearly everyone has a phone or mobile device and almost every crime can involve those devices. It is difficult to commit a crime without using a mobile device before, during, or after the commission of a crime. The evidence of those crimes rests in the suspect’s mobile device and in the records maintained by the provider. The choice is simple. Either write a warrant to search the phone or don’t and miss critical evidence in a criminal investigation. The search warrant requirement may add some time and effort to complete an investigation, but in the long run, the Supreme Court decision is a benefit for the law enforcement community.
About the Author: Aaron Edens is an Instructor with POLICE TECHNICAL, the Managing Editor of POLICE PUBLISHING, the author of 150 Search Warrants, Court Orders, and Affidavits, and a former police officer in northern California. Edens spent six years as an Intelligence Unit Detective assigned to the FBI-Joint Terrorism Task Force. Edens has been a certified mobile phone examiner since 2005 and has completed over 1,000 forensic examinations. Contacts: POLICE TECHNICAL provides superior quality technical training to law enforcement personnel nationally. firstname.lastname@example.org 812-232-4200.