US District Court Says Calculating a Hash Value = Search

bfwebster writes "Orin Kerr over at The Volokh Conspiracy (a great legal blog, BTW) reports on a US District Court ruling issued just last week which finds that doing hash calculations on a hard drive is a form of search and thus subject to 4th Amendment limitations. In this particular case, the US District Court suppressed evidence of child pornography on a hard drive because proper warrants were not obtained before imaging the hard drive and calculating MD5 hash values for the individual files on the drive, some of which ended up matching known MD5 hash values for known child pornography image and video files. More details at Kerr's posting." Update: 10/28 16:23 GMT by T : Headline updated to reflect that this is a Federal District Court located in Pennsylvania, rather than a court of the Commonwealth itself.

Bad way to search for kiddie porn

[betterunixthanunix]

This sounds like the worse possible way to search for kiddie porn, because a suspect who wanted to conceal his activities could just change a single pixel, and the entire hash would change. They would need a signature method that doesn't change dramatically when a single bit changes, like something based on a frequency analysis.

I dont see how the 4th amendment applies here

[Phizzle]

The guy whose computer was searched, abandoned the computer and gave up any rights at that point, the person who found the porn was computers new owner. Just like any trash tossed out becomes public domain, there should have been zero expectation of privacy at that point. I am not a legal scholar, but I do not see how the 4th amendment applies here. It would be no different than if this was a diary in a different language and the person who inherited the diary found a translator, upon finding criminal evidence it would be fully admissible.

Law Enforcement Storage of Naughty Things

[tripdizzle]

"some of which ended up matching known MD5 hash values for known child pornography image and video files." Wait, so law enforcement has a database of kiddie porn and kiddie porn md5's? Some perverted bureaucrat found himself the right job.

Re:MD5 Collisions...

[dhTardis]

Each character is a hex digit, not any alphanumeric, so it's 16^32=2^128 possibilities instead of 36^32. That's 186 billion times smaller, but it's still a lot.

Re:It's good to see.

[xouumalperxe]

You have to set the bar somewhere, and then stick to it. Sure, you can be more lenient on edge cases, but you still need to say "the limit is X", or the whole legal system is a farce made out of "fuzzy rules we're kind of supposed to follow".

In particular, when we get to the 17-yo case, it's as simple as this: did you think, in good faith, that she was of age? If yes, you should be home free. We're talking reasonable doubt here. It's reasonable to think a 17-yo is 18 or 19. If it was publicized as kiddie porn in any way, I don't care if she's 15 or day shy of 18. You had the information available, you're screwed.

Re:It's good to see.

[Alpha830RulZ]

Actually, it looks like a pretty good search technique. It's fast, easy to automate, probably a low percentage of false positives, and can be used to link perps together through shared files. As you note, it would be easy for the pervs to block, by dropping a few bits, but I suspect it would be effective for a while.

It's still a search, with all that goes along with that. But it's probably better than having Officer O'Reilly deciding that your picture of your daughter playing at the beach sans diaper is porn.

Re:It's good to see.

[alta]

Yes, easy, but many of the porn collectors aren't going to be bothered with actually doing the edit...

So, go out and make a program that will automatically change a few bits in each file in a directory. Make it a TSR, and watch for all files in a directory. Sell it, profit.

Then the fbi will be after your list of customers (child porn collectors) because it's more complete than theirs.

Shit, the FBI should write this program and sell it from a fake company.