Great piece by Paul Ohm on the breadth of material taken by authorities when they confiscate modern computers:
In other words, all of the rules that govern police searches of
news offices were created in the age of typewriters, desks, filing
cabinets, and stacks of paper.
Now, flash forward thirty years. The police who searched Jason
Chen’s home seized the following: A MacBook, HP server, two Dell
desktop computers, iPad, ThinkPad, two MacBook Pros, Iomega NAS,
three external hard drives, and three flash drives. They also
seized other storage-containing devices, including two digital
cameras and two smart phones. If Jason Chen’s computing habits are
anything like mine, the police likely seized many terabytes of
disk space, storing hundreds of thousands (millions?) of files,
containing information stretching back years. […]
At the very least, the courts should forbid the police from
looking at any file timestamped before March 18, 2010, and in
addition, they should force the police to comply with the
Comprehensive Drug Testing rules.
The Comprehensive Drug Testing rules (which Ohm describes in his piece) are very fair, and ought to be applied here. But the timestamp idea, however well-intentioned, isn’t practical — timestamps are trivial to change.