Go to home page - Ministry of Justice.
 

See Also:

Crime Prevention Unit

Organised Crime


Office of the Minister of Justice
Cabinet Business Committee

LAW COMMISSION REPORT SEARCH AND SURVEILLANCE POWERS

Paper 3: Computer Searches

Proposal

1. The Law Commission report on Search and Surveillance Powers (NZLC R97) was tabled in Parliament on 7 August 2007. This paper is part of a suite of 8 papers in relation to that report and proposes procedures for law enforcement agencies to conduct computer searches.

Executive Summary

2. The current law providing for the issue of a search warrant, in section 198 of the Summary Proceedings Act 1957, was not drafted with computer searches in mind and needs updating to provide clear authority for conducting computer searches.

3. I propose updating and clarifying existing law to make explicit that search powers and requirements following seizure of evidential material apply to intangible data. Distinctions between intangible and tangible material should be made in the proposed legislation only where such modifications are necessary to recognise the unique aspects of searching for and dealing with intangible material.

4. No specific authority exists in statute for searching data that is accessible from a computer at the search location but which is held on a computer system at another location (remote access). I recommend that authority for remote access be provided in carefully circumscribed situations.

Background

5. Information retrieved from computers assists law enforcement agencies in detecting, investigating and prosecuting criminal activity. Computer searches are necessary to investigate computer-related crime – both crime that is facilitated by computer (such as the distribution of child pornography) and crime that is committed against the owners of computer systems (such as hacking and transmitting computer viruses). Computer searches are also necessary to access evidence of non-computer related crime, such as record keeping of illegal drug transactions. In addition computer searches are vital in investigating serious and complex fraud cases and specialist programmes can be used to recover deleted and partly overwritten material.

6. The concepts underpinning search and seizure powers apply equally to searches of computers and other electronic devices, such as mobile phones and electronic organisers. If the item being searched for could be held in documentary form in a filing cabinet, it could also be held in electronic form in a computer or other device. However, the law regulating search and seizure powers has largely been drafted with tangible material in mind and have often been overtaken by developments in technology and search methods. Thus the application of general search and seizure powers to computer searches is uncertain.

Current approach

7. The general search warrant regime under section 198 of the Summary Proceedings Act 1957 was developed before computer searches were contemplated. The legislative framework and terminology is thus directed at tangible rather than intangible data. However, in some cases the courts have interpreted section 198 as extending to the accessing of computer data. Some recent legislative provisions also contemplate that section 198 warrants allow computer data to be accessed. But the extent to which computers and other data storage devices can be operated or accessed and data copied under the present general statutory search regime is unclear. While the courts have recognised the search methods employed by enforcement agencies to access and seize material from computers and have proposed relevant protocols, legislation is largely silent as to the use of such technology for law enforcement purposes.

Proposed approach

Generic regime to apply to computers

8. Often enforcement officers exercising search powers will not know in advance whether material is held in tangible or intangible form. If enforcement officers had to apply for a separate search warrant upon finding computers or other electronic devices upon which evidential material could be stored that would be a more restrictive approach than for tangible material. That approach would create an incentive for criminals to use an electronic medium to conduct or record criminal activity.

9. Adopting a functional equivalence approach, which maintains that no greater costs or stringent standards of security should exist than in a paper-based environment, it is proposed that there should generally be the same powers of search and requirements imposed on enforcement agencies following seizure in respect of both tangible and intangible material.

10. It is therefore recommended that whenever a search power authorises a search for information which may be held in tangible or intangible form, the officer exercising the power may, without any additional authorisation and without meeting any additional threshold or procedural requirements, search a computer or other electronic device that may contain the sought evidential material. This overall approach should be adopted whether the search takes place under warrant or a warrantless power.

11. To address the deficiencies in the current law, a number of recommendations are made to ensure that the framework proposed in this suite of papers allows appropriate access to computers found in the exercise of search powers and that general post seizure procedures apply, with necessary modifications.

Computer search methods

12. Computer searches can be conducted in different ways:

  • by directly accessing data on the target computer and printing out evidential material found or copying it to disk;
  • by use of devices that preview and quarantine data on the target computer and allow evidential material to be copied;
  • by making (cloning) and searching a forensic copy of the hard-drive of the target computer, rather than searching the hard-drive directly.

13. The first method is problematic (although sometimes necessary) as it gives rise to the risk that the computer data will inadvertently be altered and its evidential integrity may therefore be open to challenge. A principal objective in the forensic examination of computer data is to ensure that the examination process does not alter the data being searched. Therefore, the latter two methods are favoured as they both preserve the integrity of the evidential material. However, the use of such methods may give rise to privacy concerns due to the amount of information that may be copied or removed from a computer. These concerns can be minimised by the application of the proposed protections, requirements and post-seizure procedures (discussed below) which are to apply to all searches.

14. The choice of method may depend on the agency searching, the circumstances of the case or the nature of the evidential material being sought. As computer search methods are indispensable forensic tools for law enforcement purposes, each method should be clearly authorised under the proposed search and seizure regime. The general power proposed to remove an item from the search location for examination, where it is not reasonably practicable to determine at that place if it may be seized pursuant to a search power (see Paper 6: Clarification and Codification), should apply to computers or data storage devices.

Plain view seizures

15. Plain view seizures are discussed in Paper 1: Overview. They result when material that is obviously evidence of criminal offending, other than that for which the search power is being exercised, is discovered. Because a great deal of information may come into plain view during forensic analysis of a computer hard-drive, due the large amount of potentially searchable material, consideration has been given to whether the plain view doctrine ought to be more restrictive in the context of computer searches.

16. In my view, the protections afforded by section 21 of the Bill of Rights Act, and the prospect that material seized outside the scope of the search power will be rendered inadmissible, unless falling within the plain view doctrine, provide appropriate limits on law enforcement activities. It is therefore recommended that the plain view doctrine should apply to seizures of intangible material without additional restrictions. It should be noted that application of the plain view doctrine will not authorise enforcement officers to search for evidence of other offences (by trawling through large amounts of data stored on a computer). Separate authority will be required for that purpose.

Requiring assistance

17. Section 198B of the Summary Proceedings Act 1957 allows a constable executing a search warrant to require certain specified people (including those who own or lease a computer or who are in possession or control of a computer) to provide reasonable assistance to a constable in gaining access to data held on or accessible from a computer on premises specified in a warrant. The utility of this provision could be greatly enhanced by clarifying and extending its scope.

18. It is proposed that the section 198B power be clarified and extended in a number of important respects to:

  • apply to the accessing of data held in or accessible from any data storage device (such as internet e-mail accounts and mobile phones) found at the place to be searched;
  • extend the definition of “specified person” to third party service providers (such as internet service providers and telecommunications providers) that hold access information;
  • expressly include in the assistance required to be provided the handing over of access codes, passwords and encryption keys;
  • apply to relevant enforcement agencies, in addition to the police, that are empowered to access computers while exercising search powers;
  • apply to warrantless searches (which are limited to situations of urgency and generally reserved for the more serious offences so that assistance may be even more critical to law enforcement).

19. I recommend that these proposals be adopted and that the maximum term of imprisonment for failure to assist under section 198B of the Summary Proceedings Act be increased from 3 months to 12 months. The penalty should better reflect the adverse consequences that non-compliance can have for an investigation. As it currently stands, the penalty is unlikely to provide an incentive for a person to cooperate, if evidence of a serious crime is being concealed.

Circumventing security

20. It is proposed (in Paper 6: Clarification and Codification) that law enforcement agencies may use reasonable force to gain entry to places or to break open things in exercising a search power. However, “force” is not the apt term to describe what may be needed to access a computer. The legislation should therefore also permit “reasonable measures” to gain access to computer data and to create a forensic copy of a computer hard drive or data storage device. Those measures that are reasonable will depend on the individual case, but may include circumventing manufacturers’ anti-copying mechanisms and reverse engineering of software and systems to access seized data.

Remote access

21. A computer found at the search location may be part of a computer network and may provide access to data held at another location. In some circumstances (where the physical location of the data storage device is unknown or where there is the risk of imminent destruction of the data) remote rather than direct access may be the best or only option to search the data and secure the evidential material contained in that data. Enforcement agencies currently have no power to access data remotely without a search warrant to search the particular location in which the data is stored. The circumstances in which such remote access should be permitted need to be made explicit. Detailed consideration has been given to three of the possible reforms considered by the Commission.

1: A general power to execute search by remote access

22. Under this reform, in any case where a search power exists and where the enforcement agency has sufficient access information, the agency could conduct a computer search remotely, without physically entering the search premises where the data or any part of the relevant network is located. It may be more efficient for the enforcement agency and, because it would not involve a physical search of premises, it may intrude less on the search subject’s privacy. Nevertheless such power may well provoke widespread concern about state hacking into the lives of private citizens and there would likely be a lack of public confidence that privacy interests in relation to computer data could be adequately protected. This reform is not recommended.

2: Remote access to data from a computer found at the search location

23. This reform involves remote access to data from a computer found at the search location when not all the data accessible from that computer is stored at that location. Given that network data may be accessed from multiple locations it would be artificial and unduly restrictive to limit search powers only to data stored at the search site. Such limitation may provide an incentive for servers and data storage devices to be hidden in unlikely places to avoid being searched by enforcement agencies. It is proposed that the New Zealand regime permit remote access within the terms of the search power only if accessing the data would be lawful if conducted by the computer’s authorised user. If the user has been unlawfully accessing a computer system (hacking), it will not provide the enforcement agency with the power to do likewise. The purpose of this proposal is to limit remote access by law enforcement agencies to lawful user access only - i.e. user access not in breach of section 252 of the Crimes Act 1961 (accessing a computer system without authorisation). Where the remote access is lawful, the enforcement agency could then undertake any seizure of data (for example by downloading images, even if so-doing is unlawful for the user) authorised by the search power being exercised.

24. Remote access in those circumstances should also be permitted without warrant, where a warrantless power exists. Given the limited and urgent situations in which warrantless powers are available, there is no basis to limit such search to non-remote data.

3: Access to data in the absence of a specific physical location

25. This reform deals with access to remotely stored data in the absence of a specific physical location to be searched, such as where e-mail accounts are accessed from any computer with internet access capability. A suspect may use an internet data storage facility, accessible by user name and password from any computer providing internet access, to access e-mail communications remotely. There may be no specific physical location that can be searched, as required under the second reform, referred to above.

26. Without a specific power to search internet data storage facilities, enforcement agencies would be unable to access valuable evidential material from sources that criminal enterprises are increasingly using to evade detection. It is recommended that search warrant framework allow search warrants for places such as webmail accounts and other intangible remote storage spaces, provided that the place to be searched is sufficiently identifiable by reference to access information (such as user name and password).

Privacy implications of remote searches

27. A search of a computer or other data storage device may reveal an extensive amount of personal information, portraying a comprehensive picture of a person’s lifestyle, financial position or even medical conditions. When the search occurs from a remote location, issues about covert state hacking inevitably arise. These concerns highlight the need to carefully balance human rights and law enforcement values and to proceed with caution in formulating a remote access framework. The appropriate balance is struck in proposing that remote access be authorised only in narrowly specified circumstances, as recommended above. Further, proposals elsewhere in the Commission’s report will, to some extent, address the concerns. For example a specialist and adequately trained cadre of issuing officers is proposed, and provision made for rules regulating the retention of searched material (see Paper 6: Clarification and Codification). In addition, notification of the search (including where this occurs remotely) will be required unless a judge postpones or authorises dispensation of notification in narrowly defined circumstances (see also Paper 6).

Post seizure provisions

28. Generally the generic provisions relating to notification of the search or dealing with items seized following search (including privileged or confidential communications) can be applied to computer searches and copies made of the computer hard-drive, with necessary modification. In a small number of instances additional requirements need to be imposed.

Notification of the search

29. In addition to the general notification procedures proposed following a search, an additional requirement should be imposed where a computer search involves remotely accessing data from a computer at the search premises (reform 2, paragraph 23, above). Information about the search should be provided to the owner of the data accessed remotely, if the identity of the relevant person is known or is reasonably discoverable by the enforcement agency. However, in accordance with the proposed general search regime this will be subject to a judge authorising postponement or dispensation of notification of the search where so doing would prejudice on-going or subsequent investigations.

Returning and disposing of items removed and copies generated for examination

30. The general proposals for return of items seized (see Paper 6: Clarification and Codification) do not adequately deal with data that has been forensically copied. Therefore, it is proposed that unless there is a lawful basis for the retention of forensic copies (where the examination reveals the presence of evidential material), they should be destroyed (by deleting, erasing or otherwise wiping the data).

Retaining forensic copies

31. Where, following examination of forensically copied data, an enforcement agency discovers evidential material, in order to maintain the evidential integrity of the data, it should be empowered to retain forensic copies in their entirety (and not be required to separate and destroy irrelevant material). Seized items that are copies will not be subject to the general proposal requiring return if prosecution has not been commenced within six months of seizure. Nor will a person be able to apply to the court for a forensic copy to be given to them. After the proceedings have concluded, the enforcement agency should be entitled to retain forensic copies as part of its official record of the investigation, in case it is subject to review, appeal or an application for the prerogative of mercy.

Custody of retained material

32. In addition to the general proposals regarding custody of seized material, specific authority should be given to enforcement agencies to conduct subsequent searches of forensic copies that are retained, as an investigation progresses, so long as the searches are within the parameters of the original search power (relating to the same evidential material permitted by the original power). Any search that exceeds that initial search power will require judicial authorisation.

Recommendations

I recommend that Cabinet Business Committee:

1. Agree that searches of computers generally be regulated by the generic search and seizure regime that applies to tangible items (subject to any necessary modification), in preference to the creation of a different regime carrying more restrictive requirements;

2. Agree that law enforcement agencies exercising a search power have express authority to access and copy intangible material from computers and data storage devices including by means of specialist forensic methods, such as previewing and cloning, either before or after removal for examination;

3. Agree that the plain view doctrine apply to the seizure of intangible material, without any additional restrictions;

4. Agree that the power under section 198B of the Summary Proceedings Act 1957 requiring assistance from specified persons in order to gain access to data:

  • be retained;
  • be extended to apply to access to data held in or accessible from all types of data storage devices found at the place to be searched;
  • expressly include the provision of access codes, passwords and encryption keys and related information as a form of required assistance;
  • be extended to apply to third party service providers that hold such access information;
  • be extended so that assistance can be required by relevant enforcement agencies, in addition to the police, that are empowered to search computers;
  • be extended to warrantless searches;
  • increase the maximum penalty for failing to assist to a term of imprisonment not exceeding 12 months;

5. Agree that enforcement officers have the power to use such measures as are reasonable to gain lawful access to any data storage device located at or accessible from the place or thing to be searched or to create a forensic copy;

6. Agree that remote access to computer data be permitted:

  • where the access is within the terms of the search power and is otherwise lawful, regardless of whether the data is stored at or remotely accessed from the search premises or elsewhere; or
  • under search warrant for places such as internet data storage facilities where there is no specific physical location that can practicably be searched prior to remote access but where a particular search area can be adequately specified by reference to access information;

7. Agree that where a computer search involves remote access to data held at a place other than the search location, the owner of the data be notified of the search, if their identity is known or reasonably discoverable by the enforcement agency, subject to any judicially authorised postponement or dispensation of notice;

8. Agree that once the enforcement agency has carried out an examination of forensically copied data, unless there is a basis for ongoing retention, all such data be deleted, erased or otherwise destroyed;

9. Agree that where a basis for retaining forensically copied data is established, the enforcement agency be empowered to retain the forensic copy in its entirety and should not be required to separate and destroy irrelevant material;

10. Agree that enforcement agencies be authorised to conduct further searches of forensic copies that are retained, provided that such searches remain within the parameters of the initial search power.

Hon Annette King
Minister of Justice

Date signed:

Contact Us | Careers | Site Map | Access Keys | Privacy Statement | Disclaimer | newzealand.govt.nz
Copyright © New Zealand Ministry of Justice, Tāhū o te Ture

skip navigation to content Accesskey information Home Page Site Map Search this site Contact information NZ Government Portal