                 FOR PUBLICATION
 UNITED STATES COURT OF APPEALS
      FOR THE NINTH CIRCUIT

UNITED STATES OF AMERICA,
                Plaintiff-Appellee,
               v.
JEROME T. HECKENKAMP,
             Defendant-Appellant.

No. 05-10322
D.C. No. CR-03-20041-JW


UNITED STATES OF AMERICA,
                Plaintiff-Appellee,
               v.
JEROME T. HECKENKAMP,
             Defendant-Appellant.

No. 05-10323
D.C. No. CR-00-20355-JW

                         OPINION

       Appeal from the United States District Court
         for the Northern District of California
         James Ware, District Judge, Presiding

                  Argued and Submitted
        August 17, 2006—San Francisco, California

                    Filed April 5, 2007

 Before: William C. Canby, Jr., Michael Daly Hawkins, and
             Sidney R. Thomas, Circuit Judges.

                 Opinion by Judge Thomas




                 UNITED STATES v. HECKENKAMP              3881


                         COUNSEL

Benjamin Coleman, San Diego, California, for the appellant.

Hanley Crew, Assistant United States Attorney, San Fran-
cisco, California, for the appellee.


                         OPINION

THOMAS, Circuit Judge:

   In this case, we consider whether a remote search of com-
puter files on a hard drive by a network administrator was jus-
tified under the “special needs” exception to the Fourth
Amendment because the administrator reasonably believed
the computer had been used to gain unauthorized access to
confidential records on a university computer. We conclude
that the remote search was justified.

  Although we assume that the subsequent search of the sus-
pect’s dorm room was not justified under the Fourth Amend-
ment, we conclude that the district court’s denial of the
suppression motion was proper under the independent source
exception to the exclusionary rule.

                                    I

   In December 1999, Scott Kennedy, a computer system
administrator for Qualcomm Corporation in San Diego, Cali-
fornia, discovered that somebody had obtained unauthorized
access to (or “hacked into,” in popular parlance) the compa-
ny’s computer network. Kennedy contacted Special Agent
Terry Rankhorn of the Federal Bureau of Investigation about
the intrusion.

   Kennedy was able to trace the intrusion to a computer on
the University of Wisconsin at Madison network, and he con-
tacted the university’s computer help desk, seeking assistance.
Jeffrey Savoy, the University of Wisconsin computer network
investigator, promptly responded to Kennedy’s request and
began examining the university’s system. Savoy found evi-
dence that someone using a computer on the university net-
work was in fact hacking into the Qualcomm system and that
the user had gained unauthorized access to the university’s
system as well. Savoy was particularly concerned that the user
had gained access to the “Mail2” server on the university sys-
tem, which housed accounts for 60,000 individuals on campus
and processed approximately 250,000 emails each day. At
that time, students on campus were preparing for final exams,
and Savoy testified that “the disruption on campus would be
tremendous if e-mail was destroyed.” Through his investiga-
tion of the Mail2 server, Savoy traced the source of intrusion
to a computer located in university housing. The type of
access the user had obtained was restricted to specific system
administrators, none of whom would be working from the
university’s dormitories.

   Savoy determined that the computer that had gained unauthorized
access had a university Internet Protocol (“IP”) address¹ that ended
in 117. In addition, Savoy determined that Heckenkamp, who was a
computer science graduate student at the university, had checked his
email from that IP address 20 minutes before and 40 minutes after the
unauthorized connections between the computer at the IP address ending
in 117, the Mail2 server, and the Qualcomm server. Savoy determined
that the computer at that IP address had been used regularly to check
Heckenkamp’s email account, but no others. Savoy became extremely
concerned because he knew that Heckenkamp had been terminated from his
job at the university computer help desk two years earlier for similar
unauthorized activity, and Savoy knew that Heckenkamp “had technical
expertise to damage [the university’s] system.”

   ¹ An IP address is a standard way of identifying a computer that is
connected to the Internet. An IP address is comprised of four integers
less than 256 separated by periods.

   Although Savoy was confident that the computer that had
gained the unauthorized access belonged to Heckenkamp, he
checked the housing records to ensure that the IP address was
assigned to Heckenkamp’s dorm room. The housing depart-
ment initially stated that the IP address corresponded to a dif-
ferent room down the hall from Heckenkamp’s assigned
room. The housing department acknowledged that the records
could be inaccurate but stated that they would not be able to
verify the location of the IP address until the next morning.
In order to protect the university’s server, Savoy electroni-
cally blocked the connection between IP address 117 and the
Mail2 server.

   After blocking the connection, Savoy contacted Rankhorn.
After Savoy informed Rankhorn of the information he had
found, Rankhorn told Savoy that he intended to get a warrant
for the computer, but he did not ask Savoy to take any action
or to commence any investigation.

   Later that night, Savoy decided to check the status of the
117 computer from home because he was still concerned
about the integrity of the university’s system. He logged into
the network and determined that the 117 computer was not
attached to the network. However, Savoy was still concerned
that the same computer could have “changed its identity,” so
he checked the networking hardware to determine if the com-
puter that was originally logged on at the 117 address was
now logged on at a different IP address. His search confirmed
that the computer was now logged on at an IP address ending
in 120.

   Based on this discovery, Savoy became even more con-
cerned that the Mail2 server “security could be compromised
at any time,” particularly because “the intruder at this point
knows that he’s being investigated” and might therefore inter-
fere with the system to cover his tracks. Savoy concluded that
he needed to act that night.

   Before taking action, Savoy wanted to verify that the com-
puter logged on at 120 was the same computer that had been
logged on at 117 earlier in the day. He logged into the com-
puter, using a name and password he had discovered in his
earlier investigation into the 117 computer. Savoy used a
series of commands to confirm that the 120 computer was the
same computer that had been logged on at 117 and to deter-
mine whether the computer still posed a risk to the university
server. After approximately 15 minutes of looking only in the
temporary directory, without deleting, modifying, or destroy-
ing any files, Savoy logged off of the computer.

   Savoy then determined that “[the 120] machine need[ed] to
get off line immediately or as soon as possible” based on “a
university security need.” He contacted both Rankhorn and a
Detective Scheller, who worked for the university police.
Savoy informed them of his discoveries and concerns. Rank-
horn asked Savoy to wait to take action because he was
attempting to get a search warrant. However, Savoy felt that
he needed to protect the university’s system by taking the
machine off line immediately. Therefore, he made the deci-
sion to coordinate with the university police to take the com-
puter off line and to “let [the] university police coordinate
with the FBI.”
   Together with Scheller and other university police officers,
Savoy went to the room assigned to Heckenkamp.² When they
arrived at the room, the door was ajar, and nobody was in the
room. Savoy and Scheller entered the room and disconnected
the network cord attaching the computer to the network.
Savoy noted that the computer had a screen saver with a pass-
word, which prevented him from accessing the computer. In
order to be sure that the computer he had disconnected from
the network was the computer that had gained unauthorized
access to the Mail2 server, Savoy wanted to run some com-
mands on the computer. Detective Scheller located Heck-
enkamp, explained the situation and asked for Heckenkamp’s
password, which Heckenkamp voluntarily provided.

   Savoy used the password to run the commands on the com-
puter and verified that it was the computer used to gain the
unauthorized access. After Savoy confirmed that he had the
right computer, Scheller advised Heckenkamp that he was not
under arrest, but Scheller requested that Heckenkamp waive
his Miranda rights and give a statement. Heckenkamp waived
his rights in writing and answered the investigator’s and
detectives’ questions. In addition, Heckenkamp authorized
Savoy to make a copy of his hard drive for later analysis,
which Savoy did. At no time did Savoy or Scheller search
Heckenkamp’s room. Throughout his testimony, Savoy
emphasized that his actions were taken to protect the universi-
ty’s server rather than for law enforcement purposes.

  The federal agents obtained a search warrant from the
Western District of Wisconsin, which was executed the fol-
lowing day. Pursuant to the warrant, the agents seized the
computer and searched Heckenkamp’s room.

   Heckenkamp was indicted in both the Northern and Southern Districts
of California on multiple offenses, including counts of recklessly
causing damage by intentionally accessing a protected computer without
authorization, in violation of 18 U.S.C. § 1030(a)(5)(B). In separate
orders, Judge Ware in the Northern District and Judge Jones in the
Southern District denied Heckenkamp’s motions to suppress the evidence
gathered from (1) the remote search of his computer, (2) the image
taken of his computer’s hard drive, and (3) the search conducted
pursuant to the FBI’s search warrant.³

   ² They also went to the room the housing department stated was
connected to the IP address ending in 117 to ensure that those records
were not correct.

   The two cases were eventually consolidated before Judge
Ware. Heckenkamp entered a conditional guilty plea to two
counts of violating 18 U.S.C. § 1030(a)(5)(B), which allowed
him to appeal the denials of his motions to suppress. The dis-
trict court entered its judgment and commitment orders on
April 28, 2005, and Heckenkamp filed a timely notice of
appeal.

  We review de novo both a court’s denial of a motion to
suppress evidence and a court’s determination of whether an
individual’s expectation of privacy was objectively reason-
able. United States v. Bautista, 362 F.3d 584, 588-89 (9th Cir.
2004).

   ³ Judge Ware later reaffirmed his denial of the motion to suppress
when Heckenkamp filed a renewed motion to suppress after the cases were
consolidated.

                                   II

   [1] As a prerequisite to establishing the illegality of a
search under the Fourth Amendment, a defendant must show
that he had a reasonable expectation of privacy in the place
searched. Rakas v. Illinois, 439 U.S. 128, 143 (1978). An
individual has a reasonable expectation of privacy if he can
“ ‘demonstrate a subjective expectation that his activities
would be private, and he [can] show that his expectation was
one that society is prepared to recognize as reasonable.’ ”
Bautista, 362 F.3d at 589 (quoting United States v. Nerber,
222 F.3d 597, 599 (9th Cir. 2000)). No single factor deter-
mines whether an individual legitimately may claim under the
Fourth Amendment that a place should be free of warrantless
government intrusion. Rakas, 439 U.S. at 152-153 (Powell, J.,
concurring). However, we have given weight to such factors
as the defendant’s possessory interest in the property searched
or seized, see United States v. Broadhurst, 805 F.2d 849, 852
n.2 (9th Cir. 1986), the measures taken by the defendant to
insure privacy, see id., whether the materials are in a con-
tainer labeled as being private, see id., and the presence or
absence of a right to exclude others from access, see Bautista,
362 F.3d at 589.

   [2] The government does not dispute that Heckenkamp had
a subjective expectation of privacy in his computer and his
dormitory room, and there is no doubt that Heckenkamp’s
subjective expectation as to the latter was legitimate and
objectively reasonable. Minnesota v. Olson, 495 U.S. 91, 95-
96 (1990). We hold that he also had a legitimate, objectively
reasonable expectation of privacy in his personal computer.
See United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004)
(“Individuals generally possess a reasonable expectation of
privacy in their home computers.”); see also United States v.
Buckner, 473 F.3d 551, 554 n.2 (4th Cir. 2007) (recognizing
a reasonable expectation of privacy in password-protected
computer files); Trulock v. Freeh, 275 F.3d 391, 403 (4th Cir.
2001) (same).

   [3] The salient question is whether the defendant’s objec-
tively reasonable expectation of privacy in his computer was
eliminated when he attached it to the university network. We
conclude under the facts of this case that the act of attaching
his computer to the network did not extinguish his legitimate,
objectively reasonable privacy expectations.

  [4] A person’s reasonable expectation of privacy may be
diminished in “transmissions over the Internet or e-mail that
have already arrived at the recipient.” Lifshitz, 369 F.3d at
190. However, the mere act of accessing a network does not
in itself extinguish privacy expectations, nor does the fact that
others may have occasional access to the computer. Leventhal
v. Knapek, 266 F.3d 64, 74 (2d Cir. 2001). However, privacy
expectations may be reduced if the user is advised that infor-
mation transmitted through the network is not confidential
and that the systems administrators may monitor communica-
tions transmitted by the user. United States v. Angevine, 281
F.3d 1130, 1134 (10th Cir. 2002); United States v. Simons,
206 F.3d 392, 398 (4th Cir. 2000).

   [5] In the instant case, there was no announced monitoring
policy on the network. To the contrary, the university’s com-
puter policy itself provides that “[i]n general, all computer
and electronic files should be free from access by any but the
authorized users of those files. Exceptions to this basic princi-
ple shall be kept to a minimum and made only where essential
to . . . protect the integrity of the University and the rights and
property of the state.” When examined in their entirety, uni-
versity policies do not eliminate Heckenkamp’s expectation
of privacy in his computer. Rather, they establish limited
instances in which university administrators may access his
computer in order to protect the university’s systems. There-
fore, we must reject the government’s contention that Heck-
enkamp had no objectively reasonable expectation of privacy
in his personal computer, which was protected by a screen-
saver password, located in his dormitory room, and subject to
no policy allowing the university actively to monitor or audit
his computer usage.

                                III

   [6] Although we conclude that Heckenkamp had a reason-
able expectation of privacy in his personal computer, we con-
clude that the search of the computer was justified under the
“special needs” exception to the warrant requirement. Under
the special needs exception, a warrant is not required when
“ ‘special needs, beyond the normal need for law enforce-
ment, make the warrant and probable-cause requirement
impracticable.’ ” Griffin v. Wisconsin, 483 U.S. 868, 873
(1987) (quoting New Jersey v. T.L.O., 469 U.S. 325, 351
(1985) (Blackmun, J., concurring in the judgment)). If a court
determines that such conditions exist, it will “assess the con-
stitutionality of the search by balancing the need to search
against the intrusiveness of the search.” Henderson v. City of
Simi Valley, 305 F.3d 1052, 1059 (9th Cir. 2002) (citing Fer-
guson v. City of Charleston, 532 U.S. 67, 78 (2001)).

                               A

   [7] Here, Savoy provided extensive testimony that he was
acting to secure the Mail2 server, and that his actions were not
motivated by a need to collect evidence for law enforcement
purposes or at the request of law enforcement agents. This
undisputed evidence supports Judge Jones’s conclusion that
the special needs exception applied. The integrity and security
of the campus e-mail system was in jeopardy. Although
Savoy was aware that the FBI was also investigating the use
of a computer on the university network to hack into the
Qualcomm system, his actions were not taken for law
enforcement purposes. Not only is there no evidence that
Savoy was acting at the behest of law enforcement, but also
the record indicates that Savoy was acting contrary to law
enforcement requests that he delay action.

   [8] Under these circumstances, a search warrant was not
necessary because Savoy was acting purely within the scope
of his role as a system administrator. Under the university’s
policies, to which Heckenkamp assented when he connected
his computer to the university’s network, Savoy was autho-
rized to “rectif[y] emergency situations that threaten the integ-
rity of campus computer or communication systems[,]
provided that use of accessed files is limited solely to main-
taining or safeguarding the system.” Savoy discovered
through his examination of the network logs, in which Heck-
enkamp had no reasonable expectation of privacy, that the
computer that he had earlier blocked from the network was
now operating from a different IP address, which itself was a
violation of the university’s network policies.

   [9] This discovery, together with Savoy’s earlier discovery
that the computer had gained root access to the university’s
Mail2 server, created a situation in which Savoy needed to act
immediately to protect the system. Although he was aware
that the FBI was already seeking a warrant to search Heck-
enkamp’s computer in order to serve the FBI’s law enforce-
ment needs, Savoy believed that the university’s separate
security interests required immediate action. Just as requiring
a warrant to investigate potential student drug use would dis-
rupt operation of a high school, see T.L.O., 469 U.S. at 352-
53 (Blackmun, J., concurring in the judgment), requiring a
warrant to investigate potential misuse of the university’s
computer network would disrupt the operation of the univer-
sity and the network that it relies upon in order to function.
Moreover, Savoy and the other network administrators gener-
ally do not have the same type of “adversarial relationship”
with the university’s network users as law enforcement offi-
cers generally have with criminal suspects. 469 U.S. at 349-50
(Powell, J., concurring).

   [10] The district court was entirely correct in holding that
the special needs exception applied.

                               B

   Once a court determines that the special needs doctrine
applies to a search, it must “assess the constitutionality of the
search by balancing the need to search against the intrusive-
ness of the search.” Henderson, 305 F.3d at 1059 (citing Fer-
guson, 532 U.S. at 78). The factors considered are the subject
of the search’s privacy interest, the government’s interests in
performing the search, and the scope of the intrusion. See id.
at 1059-60.
   [11] Here, although Heckenkamp had a subjectively real
and objectively reasonable expectation of privacy in his com-
puter, the university’s interest in maintaining the security of
its network provided a compelling government interest in
determining the source of the unauthorized intrusion into sen-
sitive files. The remote search of the computer was remark-
ably limited given the circumstances. Savoy did not view,
delete, or modify any of the actual files on the computer; he
was only logged into the computer for 15 minutes; and he
sought only to verify that the same computer that had been
connected at the 117 IP address was now connected at the 120
IP address. Here, as in Henderson, “the government interest
served[ ] and the relative unobtrusiveness of the search” lead
to a conclusion that the remote search was not unconstitu-
tional. Id. at 1061.

   [12] The district court did not err in denying the motion to
suppress the evidence obtained through the remote search of
the computer.

                               IV

   The district court also did not err in denying the motion to
suppress evidence obtained during the searches of Heck-
enkamp’s room. Assuming, without deciding, that Savoy and
the university police violated Heckenkamp’s Fourth Amend-
ment rights when they entered his dormitory room for non-
law-enforcement purposes, the evidence obtained through the
search was nonetheless admissible under the independent
source exception to the exclusionary rule.

   [13] Under the independent source exception, “ ‘informa-
tion which is received through an illegal source is considered
to be cleanly obtained when it arrives through an independent
source.’ ” Murray v. United States, 487 U.S. 533, 538-39
(1988) (quoting United States v. Silvestri, 787 F.2d 736, 739
(1st Cir. 1986)). Therefore, we have held that “ ‘[t]he mere
inclusion of tainted evidence in an affidavit does not, by itself,
taint the warrant or the evidence seized pursuant to the war-
rant.’ ” United States v. Reed, 15 F.3d 928, 933 (9th Cir.
1994) (quoting United States v. Vasey, 834 F.2d 782, 788 (9th
Cir. 1987)). In order to determine whether evidence obtained
through a tainted warrant is admissible, “[a] reviewing court
should excise the tainted evidence and determine whether the
remaining untainted evidence would provide a neutral magis-
trate with probable cause to issue a warrant.” Id. (quoting
Vasey, 834 F.2d at 788).

   [14] Here, even without the evidence gathered through the
allegedly improper search, there is sufficient information in
the affidavit to establish probable cause. The affidavit recited
evidence that the server intrusion had been tracked “to a cam-
pus dormitory room computer belonging to Jerome T. Heck-
enkamp”; that “[t]he computer is in Room 107, Noyes House,
Adams Hall on the University of Wisconsin-Madison”; and
that “Heckenkamp previously had a disciplinary action in the
past for unauthorized computer access to a University of Wis-
consin system.” This was sufficient evidence to obtain the
warrant to search “Room 107, Noyes House, Adams Hall.”

                               V

   Although Heckenkamp had a reasonable expectation of pri-
vacy in his personal computer, a limited warrantless remote
search of the computer was justified under the special needs
exception to the warrant requirement. The subsequent search
of his dorm room was justified, based on information obtained
by means independent of the university search of the room.
Therefore, the district courts properly denied the suppression
motions.

  The judgment of the district court is AFFIRMED.
