Agencies should limit the scope of suspicion-based policing activities to that which is no broader than necessary to acquire the information or evidence that justifies the intrusion in question; and they should take steps to minimize the acquisition of information from third parties who themselves are not properly subject to investigation.
a. Limiting the scope of intrusions. In carrying out suspicion-based policing activities, agencies and officers should take steps to limit the scope of the intrusion to that which is necessary to acquire the information sought. See § 1.04 (on the importance of minimizing the overall intrusiveness of policing). Courts routinely have held under the Fourth Amendment that a search must be limited to the specific persons or places in which the item sought could be found. An officer may not, for example, search for a sawed-off shotgun in a jewelry box. (Police may, of course, under the “plain view” doctrine, seize any contraband or evidence that they happen to come across.) Courts have applied similar principles to limit the scope of searches of computers or other personal devices that typically contain vast stores of information unrelated to the investigation at issue. Similarly, a number of state and federal statutes regulating various surveillance activities—most notably the wiretap provisions of Title III of The Omnibus Crime Control and Safe Streets Act of 1968—require agencies to minimize the acquisition of communications or records that go beyond the scope of the original authorization.
This same general principle should apply to investigative activities that fall short of a Fourth Amendment search. Minimization is particularly important when it comes to technologically enhanced searches, or searches of third-party records, which have the potential to sweep in a great deal of personal information beyond that which is originally sought. Agencies can accomplish this in various ways. For example, some models of drones can be programmed to follow a specific flight path and avoid pointing their cameras at any location that is not covered by the authorization in question. When searching a person’s location history to confirm whether the individual was near a particular crime scene, officers can refrain from looking up information about any other addresses or locations where that person has been.
A bedrock principle of Fourth Amendment law is that searches must be narrowly tailored to ensure that they do not “take on the character of the wide-ranging exploratory searches the Framers intended to prohibit.” Maryland v. Garrison, 480 U.S. 79, 84 (1987); see also Telford Taylor, Two Studies of Constitutional Interpretation 24-41 (1969). The scope of a lawful search under the Fourth Amendment is “defined by the object of the search” and limited to “the places in which there is probable cause to believe that it may be found.” United States v. Ross, 456 U.S. 798, 824 (1982); Arizona v. Hicks, 480 U.S. 321, 325 (1987) (“[T]aking action, unrelated to the objectives of the authorized intrusion, . . . produce[s] a new invasion of respondent’s privacy unjustified by the  circumstance that validated the entry.”). As the Court explained in Ross, “Just as probable cause to believe that a stolen lawnmower may be found in a garage will not support a warrant to search an upstairs bedroom, probable cause to believe that undocumented aliens are being transported in a van will not justify a warrantless search of a suitcase.” 456 U.S. at 824.
This principle takes on still greater importance in the digital world. Riley v. California, 573 U.S. 373, 396-397 (2014) (“[A] cell phone search would typically expose to the government far more than the most exhaustive search of a house.”); Orin S. Kerr, Executing Warrants for Digital Evidence: The Case for Use Restrictions on Nonresponsive Data, 48 Tex. Tech L. Rev. 1, 3 (2015) (noting that “[t]he facts of computer storage . . . create the prospect that computer warrants that are specific on their face will resemble general warrants in execution simply because of the new technological environment”). Likewise, searches of large private databases “have the potential to expose exceedingly sensitive information about countless individuals not implicated in any criminal activity, who might not even know that the information about them has been seized and thus can do nothing to protect their privacy.” United States v. Comprehensive Drug Testing, Inc., 621 F.3d 1162, 1176 (9th Cir. 2010). See also § 2.05 (Acquiring or Accessing Data, Records, or Physical Evidence Held by Third Parties).
For this reason, courts and policymakers have imposed a variety of limitations on the scope of permissible intrusions. In Groh v. Ramirez, 540 U.S. 551 (2004), for example, the Court made clear that for physical searches, the warrant itself must identify not only the particular place to be searched, but also the items sought. Cf. Andresen v. Maryland, 427 U.S. 463 (1976) (upholding a warrant authorizing the seizure of any evidence “showing or tending to show fraudulent intent [in violation of a specified code provision] . . . together with other fruits, instrumentalities and evidence of crime at this [time] unknown”). In the context of cell-phone searches, courts have required agencies to submit search protocols that limit the scope of the search to the specific applications or functions that are likely to contain the information sought. E.g., In re Search of Apple iPhone, IMEI 013888003738427, 31 F. Supp. 3d 159, 169 (D.D.C. 2014) (denying search warrant application for cell phone because it did not explain “how the search will proceed, and thus how the government intend[ed] to limit its search of data outside the scope of the warrant”); United States v. Phua, Nos. 2:14-cr-00249-AGP-PAL, 2015 WL 1281603, at *7 (D. Nev. Mar. 20, 2015) (same). Similarly, courts have required search protocols or prescreening procedures before granting search-warrant applications for e-mail accounts. E.g., In re Search of Info. Associated with [Redacted]@mac.com, 25 F. Supp. 3d 1, 8-9 (D.D.C. 2014) (requiring government to work with online-services provider to prescreen information based on specific search protocol); In re [Redacted]@gmail.com, 62 F. Supp. 3d 1100, 1104 (N.D. Cal. 2014) (denying search warrant application for e-mail account and suggesting that the government must, at minimum, identify a “date restriction” or make a “commitment to return or destroy evidence that is not relevant to its investigation”); see also Orin S. Kerr, Searches and Seizures in a Digital World, 119 Harv. L. Rev. 531, 576-577 (2005) (arguing that the plain-view doctrine should be narrowed or abolished for digital-evidence searches).
Minimization requirements likewise have played an important role in federal statutes governing various forms of government information gathering and surveillance. See, e.g., Title III of The Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. § 2518 (requiring officials to take steps to minimize interception of communications unrelated to wiretap authorization); Foreign Intelligence Surveillance Act of 1978, 50 U.S.C. § 1801(h) (requiring “specific procedures . . . designed . . . to minimize the acquisition and retention . . . of non-publicly available information concerning non-consenting United States persons”).
Importantly, legislatures and agencies have also recognized the importance of these protections in contexts that do not directly implicate the Fourth Amendment. For example, legislatures have imposed various limits on the use of drones. See, e.g., Ky. Rev. Stat. Ann. § 500.130 (providing that law enforcement utilizing an unmanned aircraft system (UAS) “shall minimize data collection on nonsuspects”). Agencies have also issued guidance restricting the use of automated license-plate recognition (ALPR) systems—including restrictions on queries of the dataset or limits on the purposes for which the system may be used. See, e.g., Seattle Police Dep’t Manual § 16.170 (restricting use of ALPR to limited purposes such as locating stolen vehicles, and noting that “ALPR will not be used to intentionally capture images in private area or areas where a reasonable expectation of privacy exists”). And some have imposed procedures for the use of social media—for example, by limiting the duration of social media investigations or prohibiting the retention of information that is unrelated to criminal activity. See, e.g., Georgia Bureau of Investigation Investigative Division Directive 8-6-5 (requiring officers to terminate investigation after 30 days if it does not yield information related to criminal activity); Austin Police Department General Orders, G.O. 455.8, 455.9 (requiring investigations involving online alias to be reviewed every 90 days, and providing for deletion of all information that does not relate to criminal nexus within 14 days).