I think this is generally a correct result: see my article Searches and Seizures in a Digital World, 119 Harv. L. Rev. 531 (2005), for the details. Still, given the lack of analysis here it’s somewhat hard to know what to make of the decision. Which stage was the search: the creation of the duplicate, or the running of the hash? It’s not really clear. I don’t think it matters very much to this case, because the agent who got the positive hit on the hashes didn’t then get a warrant. Instead, he immediately switched over to the EnCase “gallery view” function to see the images, which seems to me to be undoubtedly a search. Still, it’s a really interesting question.
Also, it seems that the Government failed to make the strongest argument that running the hash isn’t a search: If the hash is for a known image of child pornography, then running a hash is a direct analog to a drug-sniffing dog in Illinois v. Caballes, 543 U.S. 405 (2005). Although Caballes is cited in the opinion for other reasons, it seems that the government didn’t make the Caballes argument.
Well, it’s a direct analog to a drug-sniffing dog if the dog is allowed to chew open your luggage, strew it over the tarmac, bite holes in anything that might possibly be impermeable to odor, and then give an alert when it finds a smell it likes.
To calculate a hash value, a piece of software has to read every byte in a file and do fairly complicated math and other operations on it. That is different from checking whether air molecules wafting out from a piece of luggage contain scents you’re interested in. (Why do I believe the hash isn’t just a simple CRC or something like that? Because pornographers aren’t that stupid. If you could get a hash mismatch by making tiny changes to a few pixels, or by padding the file with random data, appending different caption information, compressing the file, changing the color balance, or slightly changing scale, cropping, rotation, and so on, there would be scripts out there that would do exactly that, transparently, every time an image was opened or saved. So the search software isn’t just doing a simple hash: if it’s any good at all, it is opening the files, parsing their contents, effectively recreating any images contained in them, and only then computing a hash.)
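The fragility of simple file hashes is easy to demonstrate. Here is a minimal Python sketch (using SHA-256 as a stand-in; the opinion does not say which hash algorithm the forensic software actually used) showing that flipping a single bit in a file’s bytes produces a completely different digest, which is why naive byte-level hashing would be trivial to defeat:

```python
import hashlib

# Stand-in for a file's raw bytes (hypothetical data, for illustration only).
original = b"example image data" * 1000

# Make a copy that differs by exactly one bit.
modified = bytearray(original)
modified[0] ^= 1  # flip the lowest bit of the first byte

h1 = hashlib.sha256(original).hexdigest()
h2 = hashlib.sha256(bytes(modified)).hexdigest()

print(h1)
print(h2)
print(h1 != h2)  # the digests bear no resemblance to each other
```

Because of this avalanche property, any software matching files against a library of known-image hashes either catches only byte-identical copies, or must first decode and normalize the image data before hashing, as the comment above argues.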
So yeah, I’d agree that it’s hard to think that doing a hash of the kind needed to look for child porn is anything other than a search.