U.S. v. Heckenkamp

Citation: United States v. Heckenkamp, 482 F.3d 1142 (9th Cir. 2007).

Factual Background
In December of 1999, Scott Kennedy, working as a computer system administrator for Qualcomm Corporation in San Diego, California, determined that someone had gained unauthorized access into the company’s computer network. Kennedy contacted Special Agent Terry Rankhorn of the Federal Bureau of Investigation about the hacking]. Kennedy later traced the [[unauthorized user to the University of Wisconsin at Madison network and contacted the university’s computer network investigator, Jeffrey Savoy.

Savoy determined that the unauthorized user had accessed the “Mail2” server, which held 60,000 individual accounts on campus and processed around 250,000 emails per day. Savoy was very concerned for the security of the “Mail2” server and took steps to trace the unauthorized user. He determined that the IP address used to hack into the Qualcomm server belonged to Jerome T. Heckenkamp. Two years prior, Heckenkamp had been terminated from his job at the university computer help desk for engaging in unauthorized activity. Furthermore, Heckenkamp was a computer science graduate student at the university and Savoy believed that Heckenkamp was fully capable of severely damaging the university server].

Because of the severity of the situation, Savoy blocked Heckenkamp’s connection to the “Mail2” server. Later, Savoy determined that Heckenkamp’s computer had “changed its identity” by switching its IP address and was back on the university network. He determined that this new user was in fact the same unauthorized user by running a series of commands on the computer. Savoy spent no more than 15 minutes on the computer, looking only in the temporary directory without deleting, modifying or destroying any files. Savoy then contacted the Housing Department to confirm Heckenkamp’s dormitory number and informed the university police of the situation. Based on a “university security need” Savoy and Detective Scheller, who worked for the university police, went to Heckenkamp’s room to disconnect his computer from the university network despite FBI agent Rankhorn’s request that they wait for a search warrant to be issued.

Heckenkamp was not in his room when Savoy and Scheller arrived. The door was left ajar so Savoy and Scheller entered the room and disconnected the network cord attaching the computer to the network. After running a series of commands on the computer, Savoy confirmed that Heckenkamp’s computer was the same one used to gain unauthorized access to the “Mail2” server. Scheller then located Heckenkamp, told him of the situation and Heckenkamp waived his Miranda rights in writing and authorized Savoy and Scheller to make a copy of his hard drive. Soon after, the federal agents obtained a search warrant from the Western District of Wisconsin to search Heckencamp’s room and seize the computer.

Trial Court Proceedings
Jerome T. Heckenkamp was indicted in both the Northern and Southern Districts of California for multiple offenses, including recklessly causing damage by intentionally accessing a protected computer without authorization, in violation of 18 U.S.C. §1030(a)(5)(B). The courts denied Heckenkamp’s motions to suppress the evidence gathered from the remote search of his computer, the copy taken of his computer’s hard drive which he authorized and for the search conducted pursuant to the FBI’s search warrant under the independent source exception to the exclusionary rule.

Heckenkamp entered a conditional guilty plea to two counts of violating 18 U.S.C. §1030(a)(5)(B), allowing him to appeal the denial of his motions to suppress.

Appellate Court Proceedings
The appellate court conducted a de novo review of whether Heckenkamp had an objectively reasonable expectation of privacy and if the district court erred by denying Heckenkamp’s motion to suppress evidence found during the remote search of his computer and the search of his dormitory room.

The court ruled that even though Heckenkamp had an undisputed objectively reasonable expectation of privacy in his personal computer and in his dormitory room, the remote search of computer files on his hard drive by the network administrator was justified under the “special needs” exception to the Fourth Amendment because the administrator reasonably believed that the computer had been used to gain unauthorized access to confidential records. Because Heckenkamp had been the subject of a disciplinary action in the past for hacking the University of Wisconsin computer network, the unauthorized user’s IP address was traced to Heckenkamp and he was a computer science graduate student who had the knowledge to severely compromise the university network’s security, Savoy had sufficient justification to conduct a remote search pursuant to the “special needs” exception to the warrant requirement.

After determining that the “special needs” exception applied, the court balanced the need to search against the intrusiveness of the search to determine its constitutionality. The factors weighed were the subject of the search’s privacy interest (Heckenkamp’s computer and dorm room), the government’s interest in performing the search and the scope of the intrusion. Although objectively reasonable expectations of privacy are recognized for personal computers and dwelling areas, the court determined that there was a compelling governmental interest in conducting the search because of the immediate security risk the unauthorized user posed and because the remote search conducted by Savoy was not intrusive, but very limited, the remote search was not unconstitutional.

Furthermore, the court stated that even if the search had violated Heckenkamp’s Fourth Amendment rights, the evidence uncovered during the search was still admissible under the independent source exception to the exclusionary rule. Deciding if the independent source exception applies, courts excise the tainted evidence and determine whether the remaining uncovered evidence is enough to show probable cause to a neutral magistrate. In this case, the fact that the server intrusion was traced to Heckenkamp’s computer and dorm room coupled with the fact that Heckenkamp had been in trouble for similar behavior in the past, there was enough evidence for a neutral magistrate to find probable cause for a search of Heckenkamp’s computer and dorm room even without the information obtained from his computer or dorm room.

The Court concluded that the remote search of Heckenkamp’s computer was justified under the special needs exception to the warrant requirement. The later search of Heckenkamp’s dorm room was also justified, based on information obtained outside of the university search of Heckenkamp’s room. Therefore the district court did not err in denying the suppression motions and the district court’s judgment was affirmed.