Friday, April 6, 2007
Court Upholds Remote Search of Computer Used by Hacker
By a MetNews Staff Writer
A remote search of files on the hard drive of a computer suspected of being used to hack into a university network was constitutional, the Ninth U.S. Circuit Court of Appeals ruled yesterday.
U.S. District Judge James Ware of the Northern District of California properly denied a former University of Wisconsin student’s motions to suppress evidence gathered from his dormitory computer in a 1999 investigation, the panel concluded.
Heckenkamp came to the attention of the university network administrator and the FBI in 1999 after an administrator for Qualcomm Corporation in San Diego notified federal authorities that someone had obtained unauthorized access into the company’s network. An FBI agent traced the intrusion to a computer on the university’s network and requested that network investigator Jeffrey Savoy help him locate the intrusion’s source.
Savoy discovered evidence that someone using a computer on the university network was hacking into not only the Qualcomm system but the school’s system as well.
After determining the computer’s IP address, he traced the source of the intrusion to a computer located in university housing and determined that the computer in question had been used regularly by Heckenkamp, who was then a computer science graduate student. The investigator found that the computer had been used to check Heckenkamp’s e-mail 20 minutes before and 40 minutes after its unauthorized connections with the university’s e-mail server and Qualcomm’s server.
Knowing that Heckenkamp had been fired from his job at the university computer help desk two years earlier for similar unauthorized activity and that he had the technical expertise to damage the school’s system, Savoy became concerned and electronically blocked the connection between the computer and the university’s e-mail server.
When he checked on the suspect IP address later that night, he discovered the computer had been detached from that address and was logged on at a different address.
He believed the network’s security could be “compromised at any time,” he testified, because the intruder apparently knew that he was being investigated and might interfere with the system to cover his tracks. Savoy concluded he needed to take action that night in order to protect the university server.
He contacted a university police detective and an FBI agent, who advised him to wait because the agent was attempting to get a search warrant. Savoy, however, felt he needed to take the machine offline immediately and thus coordinated with university police to do so.
He and the officers went to Heckenkamp’s dormitory room, which was not occupied at the time, and disconnected the network cord attaching the computer to the network after verifying that it was in fact the machine used to access the network. The police then located Heckenkamp, whom Savoy consulted to verify that the computer he had disconnected was the correct one.
The student was told he was not under arrest, but was asked to submit to questioning, which he did, along with authorizing Savoy to make a copy of his hard drive for later analysis. No one searched Heckenkamp’s room during the encounter.
Federal agents searched the room the next day pursuant to a warrant, and seized Heckenkamp’s computer.
He was subsequently indicted in both the Northern and Southern Districts of California on numerous charges including violation of 18 U.S.C. Sec. 1030(a)(5)(B)—recklessly causing damage by intentionally accessing a protected computer without authorization.
Ware denied Heckenkamp’s motions to suppress the evidence gathered from Savoy’s warrantless remote search of his computer, the image Savoy took of the hard drive, and the FBI’s search. The defendant conditionally pled guilty and then appealed.
Writing for the Ninth Circuit, Judge Sidney R. Thomas said the remote search was justified under the “special needs” exception to the Fourth Amendment’s warrant requirement. That exception renders a warrant unnecessary when special needs beyond the normal need for law enforcement make the warrant and probable cause requirement impracticable.
While noting Heckenkamp did have a reasonable expectation of privacy in his personal computer because the university’s computer policy provided that all computer files would generally be free from access by unauthorized users, Thomas concluded:
“The integrity and security of the campus e-mail system was in jeopardy. Although Savoy was aware that the FBI was also investigating the use of a computer on the university network to hack into the Qualcomm system, his actions were not taken for law enforcement purposes. Not only is there no evidence that Savoy was acting at the behest of law enforcement, but also the record indicates that Savoy was acting contrary to law enforcement requests that he delay action.”
As for the FBI’s seizure of Heckenkamp’s computer, the judge said, it was based on independent probable cause set forth in the affidavit supporting the search warrant.
Judges William C. Canby Jr. and Michael Daly Hawkins concurred in the opinion.
The case is United States v. Heckenkamp, 05-10322.
Copyright 2007, Metropolitan News Company