United States v. Jerome T. Heckenkamp, United States of America v. Jerome T. Heckenkamp

482 F.3d 1142, 2007 WL 1051579
CourtCourt of Appeals for the Ninth Circuit
DecidedApril 5, 2007
Docket05-10322, 05-10323
StatusPublished
Cited by49 cases

This text of 482 F.3d 1142 (United States v. Jerome T. Heckenkamp, United States of America v. Jerome T. Heckenkamp) is published on Counsel Stack Legal Research, covering Court of Appeals for the Ninth Circuit primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook
United States v. Jerome T. Heckenkamp, United States of America v. Jerome T. Heckenkamp, 482 F.3d 1142, 2007 WL 1051579 (9th Cir. 2007).

Opinion

THOMAS, Circuit Judge.

In this case, we consider whether a remote search of computer files on a hard drive by a network administrator was justified under the “special needs” exception to the Fourth Amendment because the administrator reasonably believed the computer had been used to gain unauthorized access to confidential records on a university computer. We conclude that the remote search was justified.

Although we assume that the subsequent search of the suspect’s dorm room was not justified under the Fourth Amendment, we conclude that the district court’s denial of the suppression motion was proper under the independent source exception to the exclusionary rule.

I

In December 1999, Scott Kennedy, a computer system administrator for Qual-comm Corporation in San Diego, California, discovered that somebody had obtained unauthorized access to (or “hacked into,” in popular parlance) the company’s computer network. Kennedy contacted Special Agent Terry Rankhorn of the Federal Bureau of Investigation about the intrusion.

Kennedy was able to trace the intrusion to a computer on the University of Wisconsin at Madison network, and he contacted the university’s computer help desk, seeking assistance. Jeffrey Savoy, the University of Wisconsin computer network investigator, promptly responded to Kennedy’s request and began examining the university’s system. Savoy found evidence that someone using a computer on the university network was in fact hacking into the Qualcomm system and that the user had gained unauthorized access to the university’s system as well. Savoy was particularly concerned that the user had gained access to the “Mail2” server on the univer *1144 sity system, which housed accounts for 60,000 individuals on campus and processed approximately 250,000 emails each day. At that time, students on campus were preparing for final exams, and Savoy testified that “the disruption on campus would be tremendous if e-mail was destroyed.” Through his investigation of the Mail2 server, Savoy traced the source of intrusion to a computer located in university housing. The type of access the user had obtained was restricted to specific system administrators, none of whom would be working from the university’s dormitories.

Savoy determined that the computer that had gained unauthorized access had a university Internet Protocol (“IP”) address 1 that ended in 117. In addition, Savoy determined that Heckencamp, who was a computer science graduate student at the university, had checked his email from that IP address 20 minutes before and 40 minutes after the unauthorized connections between the computer at the IP address ending in 117, the Mail2 server, and the Qualcomm server. Savoy determined that the computer at that IP address had been used regularly to check Heckencamp’s email account, but no others. Savoy became extremely concerned because he knew that Heckenkamp had been terminated from his job at the university computer help desk two years earlier for similar unauthorized activity, and Savoy knew that Heckenkamp “had technical expertise to damage [the university’s] system.”

Although Savoy was confident that the computer that had gained the unauthorized access belonged to Heckenkamp, he checked the housing records to ensure that the IP address was assigned to Hecken-kamp’s dorm room. The housing department initially stated that the IP address corresponded to a different room down the hall from Heckenkamp’s assigned room. The housing department acknowledged that the records could be inaccurate but stated that they would not be able to verify the location of the IP address until the next morning. In order to protect the university’s server, Savoy electronically blocked the connection between IP address 117 and the Mail2 server.

After blocking the connection, Savoy contacted Rankhorn. After Savoy informed Rankhorn of the information he had found, Rankhorn told Savoy that he intended to get a warrant for the computer, but he did not ask Savoy to take any action or to commence any investigation.

Later that night, Savoy decided to check the status of the 117 computer from home because he was still concerned about the integrity of the university’s system. He logged into the network and determined that the 117 computer was not attached to the network. However, Savoy was still concerned that the same computer could have “changed its identity,” so he checked the networking hardware to determine if the computer that was originally logged on at the 117 address was now logged on at a different IP address. His search confirmed that the computer was now logged on at an IP address ending in 120.

Based on this discovery, Savoy became even more concerned that the Mail2 server “security could be compromised at any time,” particularly because “the intruder at this point knows that he’s being investigated” and might therefore interfere with the system to cover his tracks. Savoy concluded that he needed to act that night.

Before taking action, Savoy wanted to verify that the computer logged on at 120 was the same computer that had been *1145 logged on at 117 earlier in the day. He logged into the computer, using a name and password he had discovered in his earlier investigation into the 117 computer. Savoy used a series of commands to confirm that the 120 computer was the same computer that had been logged on at 117 and to determine whether the computer still posed a risk to the university server. After approximately 15 minutes of looking only in the temporary directory, without deleting, modifying, or destroying any files, Savoy logged off of the computer.

Savoy then determined that “[the 120] machine need[ed] to get off line immediately or as soon as possible” based on “a university security need.” He contacted both Rankhorn and a Detective Scheller, who worked for the university police. Savoy informed them of his discoveries and concerns. Rank-horn asked Savoy to wait to take action because he was attempting to get a search warrant. However, Savoy felt that he needed to protect the university’s system by taking the machine off fine immediately. Therefore, he made the decision to coordinate with the university police to take the computer off line and to “let [the] university police coordinate with the FBI.”

Together with Scheller and other university police officers, Savoy went to the room assigned to Heckenkamp. 2 When they arrived at the room, the door was ajar, and nobody was in the room. Savoy and Scheller entered the room and disconnected the network cord attaching the computer to the network. Savoy noted that the computer had a screen saver with a password, which prevented him from accessing the computer. In order to be sure that the computer he had disconnected from the network was the computer that had gained unauthorized access to the Mail2 server, Savoy wanted to run some commands on the computer. Detective Scheller located Heckenkamp, explained the situation and asked for Heckenkamp’s password, which Heckenkamp voluntarily provided.

Savoy used the password to run the commands on the computer and verified that it was the computer used to gain the unauthorized access.

Free access — add to your briefcase to read the full text and ask questions with AI

Related

VanDyck v. United States
D. Arizona, 2022
United States v. Shane Nault
41 F.4th 1073 (Ninth Circuit, 2022)
People v. McCavitt
2021 IL 125550 (Illinois Supreme Court, 2021)
People v. McCavitt
2019 IL App (3d) 170830 (Appellate Court of Illinois, 2020)
United States v. Patrakis
297 F. Supp. 3d 1123 (D. Hawaii, 2017)
United States v. Hever Guzman-Guerrero
706 F. App'x 374 (Ninth Circuit, 2017)
United States v. Dontavious M. Blake
868 F.3d 960 (Eleventh Circuit, 2017)
United States v. Taylor
250 F. Supp. 3d 1215 (N.D. Alabama, 2017)
United States v. Mohamed Mohamud
843 F.3d 420 (Ninth Circuit, 2016)
United States v. Broy
209 F. Supp. 3d 1045 (C.D. Illinois, 2016)
People v. Aguilar CA6
California Court of Appeal, 2016
United States v. Ammons
207 F. Supp. 3d 732 (W.D. Kentucky, 2016)
United States v. Matish
193 F. Supp. 3d 585 (E.D. Virginia, 2016)
People v. Appleton
245 Cal. App. 4th 717 (California Court of Appeal, 2016)
United States v. Muhtorov
187 F. Supp. 3d 1240 (D. Colorado, 2015)

Cite This Page — Counsel Stack

Bluebook (online)
482 F.3d 1142, 2007 WL 1051579, Counsel Stack Legal Research, https://law.counselstack.com/opinion/united-states-v-jerome-t-heckenkamp-united-states-of-america-v-jerome-ca9-2007.