United States v. Heckenkam

482 F.3d 1142 (9th Cir 2007)

Facts

Kennedy, a computer system administrator discovered that somebody had 'hacked into,' the company's computer network. Kennedy contacted Special Agent Terry Rankhorn of the FBI. The hack was traced to the University of Wisconsin at Madison. Kennedy contacted the university's computer help desk, seeking assistance. Savoy, Wisconsin's computer network investigator, began examining the university's system. Someone using a computer on the university network was hacking into the Qualcomm system and that the user had gained unauthorized access to the university's system as well. Savoy traced the source of intrusion to a computer located in university housing. The type of access the user had obtained was restricted to specific system administrators, none of whom would be working from the university's dormitories. The IP address ended in 117. Heckencamp (D), was a computer science graduate student at the university. D had checked his email from that IP address 20 minutes before and 40 minutes after the unauthorized connections between the computer at the IP address ending in 117. D had been terminated from his job at the university computer help desk two years earlier for similar unauthorized activity, and Savoy knew that D 'had technical expertise to damage [the university's] system.' Savoy blocked the connection and informed Rankhorn of the information he had found. Later that night, Savoy decided to check the status of the 117 computer. He also checked the networking hardware to determine if the computer that was originally logged on at the 117 address was now logged on at a different IP address. The computer was now logged on at an IP address ending in 120. Savoy concluded that he needed to act that night because of security concerns. Savoy logged into the computer, using a name and password he had discovered in his earlier investigation into the 117 computer. He confirmed that the 120 computer was the same computer that had been logged on at 117 and to determine whether the computer still posed a risk to the university server. He looked only in the temporary directory, without deleting, modifying, or destroying any files. He contacted both Rankhorn and a Detective Scheller, who worked for the university police. Rankhorn asked Savoy to wait to take action because he was attempting to get a search warrant. Savoy felt that he needed to protect the university's system by taking the machine offline immediately. Therefore, he made the decision to coordinate with the university police to take the computer offline and to 'let [the] university police coordinate with the FBI.' They arrived at the room, the door was ajar, and nobody was in the room. Savoy and Scheller entered the room and disconnected the network cord. D was located, and D voluntarily provided his password. Savoy verified that it was the computer used to gain the unauthorized access. Scheller advised D that he was not under arrest, but Scheller requested D waive his Miranda rights and give a statement. D waived his rights in writing and answered the investigator's and detectives' questions. D authorized Savoy to make a copy of his hard drive for later analysis. A search warrant was executed the following day. The agents seized the computer and searched D's room. D was indicted on multiple offenses. D's motions to suppress the evidence gathered from (1) the remote search of his computer, (2) the image taken of his computer's hard drive, and (3) the search conducted pursuant to the FBI's search warrant were denied. D entered a conditional guilty plea to two counts of violating 18 U.S.C. § 1030(a)(5)(B), which allowed him to appeal the denials of his motions to suppress. D filed a timely notice of appeal.