Legal Technology


A couple of weeks ago, Brian Glass posted a very helpful comment, Forensic Toolkit v3 Tips and Tricks — on a Budget.  His comment focused on how to “get close to SSD performance on the cheap” and he discussed the practice of partitioning a large hard drive, but using only the outer sectors of the platter, and frequent defragmentation.  In my comment, today, I want to encourage readers to adopt Glass’ advice, and, if you have the budget, to consider a few other enhancements to improve performance.

In my practice, I spared no expense on equipment, including the latest OCz SSD drives, dual Xeon processors, and 24GB of RAM, yet I still experienced unacceptable performance from FTK v3.3.   For example, an evidence load of a 500GB drive with indexing, entropy test, and hashing enabled (but not OCR of images, or thumbnailing) still took over 20 hours.

Although I lay no claim to the best optimizations, I have found the following helpful:

  • You should have a minimum of 2GB of RAM for every processor core.  If you are running dual six-core processors, you have twelve cores (not counting hyperthreading pseudo-cores) and would, therefore, need 24GB minimum.  Source: February 2011 System Specifications Guide at 3.
  • The FTK machine should have a minimum of two disks: one for the FTK engine, and the other used solely to host the FTK temporary files directory.  According to one FTK technical support rep I corresponded with, the disk hosting that directory experiences the greatest i/o demands, because the FTK engine and the Oracle database read from and write to this directory in passing data off to each other.  The directory is accessible through Tools > Preferences (see FTK Users Guide for v3.3, p. 38 of 396).  If you have the budget, consider hosting the temporary directory on its own SSD drive, apart from the operating system, pagefile, Oracle, or FTK engine.
  • According to bench testing on FTK v. 3 by Digital Intelligence on a single-box configuration, the greatest performance enhancements came not from increasing the CPU speed or system memory, but using the fastest possible hard-drive for the Oracle database.
  • Unlike the system tested by Digital Intelligence, you should have a dual machine system (exclusive of FTK distributed processing engines): one for FTK, and the other for Oracle.  Network speed should be 1Gbit, not 100Mbit.  Source: February 2011 System Specifications Guide at 3.
  • The Oracle machine should be configured with at least two disks: one for Oracle and the operating system; and the other for the Oracle database.  Ideally, I recommend three separate disks: one for Oracle and the O/S, one for the page file, and one for the Oracle database.
  • For all disks requiring intensive i/o (the disk hosting the FTK temp files, and the Oracle database drive), you should use an SSD (such as the OCz Vertex 3 Pro (6 Gbps)), or Serial Attached SCSI (SAS, 10,000 RPM) or, if you’re using 7,200 RPM SATA drives, a RAID 0 configuration.  To use these disk configurations, you’ll need a motherboard that supports the SATA-3 standard and preferably has onboard RAID.  For example, SuperMicro is one manufacturer of boards that support multiple processors, onboard RAID, SAS, and SATA-3.
  • During evidence loading, your machine[s] should be physically disconnected from the Internet (including wireless adapters). Disable any resident antivirus programs and disable the Microsoft Indexer, both of which may compete with Oracle or the FTK engine for resources.
  • I recommend Ghost or the Windows 7 system image/restore to load a fresh image on both of your machines for each new case you work (and to use FTK to archive the case on to an external drive, upon completion).  This way, in the unlikely event your machine were to become infected from the evidence drive (for example, by trying to run an executable on the evidence drive that contains a Trojan), you will not preserve the infection for subsequent work.
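
As an added example (not part of the original post or of the FTK documentation), the read-only PowerShell script below checks an FTK workstation against several of the recommendations above before an evidence load. It assumes Windows PowerShell 3.0 or later and a local temp directory; the path `D:\FTK_Temp` is a placeholder for whatever is set under Tools > Preferences, and "no default gateway" is used only as a heuristic for "not connected to the Internet".

```powershell
# Added example: pre-flight check for an FTK processing workstation.
# Requires Windows PowerShell 3.0+ (CIM cmdlets). Read-only: it changes nothing.
param(
    # Hypothetical path: use the temporary-file directory set under Tools > Preferences.
    [string]$FtkTempDir = 'D:\FTK_Temp'
)

function Get-DiskIndex([string]$Path) {
    # Map a path's drive letter to the physical disk number(s) behind it.
    $letter  = Split-Path -Path $Path -Qualifier
    $logical = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$letter'"
    if (-not $logical) { return }
    Get-CimAssociatedInstance -InputObject $logical -ResultClassName Win32_DiskPartition |
        ForEach-Object { $_.DiskIndex } | Sort-Object -Unique
}

$results = @()

# 1. At least 2 GB of installed RAM per physical core (hyperthreads not counted).
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
$ramGB = (Get-CimInstance Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum / 1GB
$results += [pscustomobject]@{
    Check  = 'RAM: 2 GB per core'
    Pass   = ($ramGB -ge 2 * $cores)
    Detail = '{0:N0} GB installed, {1} cores, {2} GB required' -f $ramGB, $cores, (2 * $cores)
}

# 2. Temp directory on a disk of its own, apart from the OS and the pagefile.
$tempDisks = @(Get-DiskIndex $FtkTempDir)
$busyDisks = @(Get-DiskIndex "$env:SystemDrive\")
foreach ($pf in (Get-CimInstance Win32_PageFileUsage)) {
    $busyDisks += @(Get-DiskIndex $pf.Name)
}
$busyDisks = @($busyDisks | Sort-Object -Unique)
$shared    = @($tempDisks | Where-Object { $busyDisks -contains $_ })
$results += [pscustomobject]@{
    Check  = 'Temp directory on dedicated disk'
    Pass   = ($tempDisks.Count -gt 0 -and $shared.Count -eq 0)
    Detail = 'temp on disk(s) [{0}]; OS/pagefile on disk(s) [{1}]' -f
             ($tempDisks -join ','), ($busyDisks -join ',')
}

# 3. Windows Search indexer not running during the evidence load.
$search = Get-Service -Name WSearch -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'Windows Search (WSearch) stopped'
    Pass   = (-not $search -or $search.Status -ne 'Running')
    Detail = if ($search) { "status: $($search.Status)" } else { 'service not installed' }
}

# 4. No adapter has a default gateway, i.e. no route off the local segment.
#    A two-machine setup keeps its link to the Oracle machine but needs no gateway.
$routed = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Where-Object { $_.DefaultIPGateway })
$results += [pscustomobject]@{
    Check  = 'No default gateway configured'
    Pass   = ($routed.Count -eq 0)
    Detail = if ($routed) { $routed.Description -join '; ' } else { 'none' }
}

# 5. Every physical adapter with a live link (status 2) runs at 1 Gbit or faster.
$linked = @(Get-CimInstance Win32_NetworkAdapter -Filter 'PhysicalAdapter=True AND NetConnectionStatus=2')
$slow   = @($linked | Where-Object { $_.Speed -lt 1e9 })
$results += [pscustomobject]@{
    Check  = 'Connected links are 1 Gbit or faster'
    Pass   = ($slow.Count -eq 0)
    Detail = if ($slow) { $slow.Name -join '; ' } else { "$($linked.Count) connected adapter(s)" }
}

$results | Format-Table -AutoSize -Wrap
```

A hardware RAID array appears to Windows as a single disk, so check 2 treats a RAID 0 set as one dedicated device.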

I will conclude with this anecdote: Recently, I conducted a child pornography investigation at a law enforcement facility, where I was prohibited from using SSD drives in my equipment, because the detective-analyst had read a report that data cannot be completely wiped from SSDs.  He was concerned that I might inadvertently retain contraband even after completing a forensic wipe.  Although, based on the current caselaw, I did not believe the prosecution had a legal right to dictate what equipment I used, I solved the problem by purchasing six 40GB refurbished Western Digital drives from NewEgg for $10 each, and configured them as RAID-0 on the SAS backplane of the motherboard.  I didn’t run any bench tests to determine whether this 240GB array was as fast as a single OCz Vertex 3 drive, but it ran flawlessly and cost only $60.

Whether or not you’re on a tight budget, FTK 3.x with Oracle presents substantial impediments to hardware capacity and processing time.  Nevertheless, these impediments can be mitigated through creativity and resourcefulness.

In my first post several weeks ago, I discussed some of the special obligations that digital forensics investigators may have while in the employ of a lawyer. I elaborated briefly on the duty to zealously guard the attorney-client privilege, to correctly apply the work product doctrine, and to conduct investigations in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party. In this second part of the series, I will explore another important factor for consideration by examiners: the legality of investigative techniques.

Consider, for example, whether an examiner, at the direction of the attorney, may take possession of a computer belonging to a husband, but seized by a wife in preparation for marital dissolution proceedings.  If a court finds that the wife did not have equal dominion over the computer (e.g., if the computer, or some portion thereof, was password-protected by the husband, or belonged to the husband’s employer), the taking of the computer for analysis might constitute a crime. See, e.g., Moore v. Moore, No. 350446/07, 2008 N.Y. Misc. LEXIS 5221, at *1 (N.Y. Sup. Ct. Aug. 4, 2008) (holding that a wife seeking a divorce could use evidence she found on a computer taken from husband’s car just before she petitioned for marital dissolution, because the computer was a family computer (not a work computer as alleged by husband), the taking occurred before the commencement of the dissolution case, and husband’s car was considered the family car).

Many states have statutes criminalizing unauthorized access to computers or protected networks.  Likewise, evidence obtained from a keylogger or spyware deployed by the client or examiner may violate state or federal law (e.g., the Stored Communications Act). See Sean L. Harrington, Why Divorce Lawyers Should Get Up to Speed on CyberCrime Law, Minn. St. B. Ass’n Computer & Tech. L. Sec. (Mar. 24, 2010, 9:40 PM), http://mntech.typepad.com/msba/2010/03/why-divorce-lawyers-should-get-up-to-speed-on-cybercrime-law.html (collecting cases regarding unauthorized computer access).

Also, certain types of “cyber sleuthing” or penetration testing may be unlawful under various state and federal statutes.  For example, the Computer Fraud and Abuse Act, last amended in 2008, criminalizes anyone who commits, attempts to commit, or conspires to commit an offense under the Act. 18 U.S.C. § 1030 (2006). Offenses include knowingly accessing without authorization a protected computer (for delineated purposes) or intentionally accessing a computer without authorization (for separately delineated purposes).  Various statutory phrases, such as “without authorization” and “access,” have been the continuing subject of appellate review.  See, e.g., State v. Allen, 917 P.2d 848 (Kan. 1996) (affirming trial court’s holding that the State did not prove the defendant committed a crime); see also Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1624–42 (2003) (showing how and why courts have construed unauthorized access statutes in an overly broad manner that threatens to criminalize a surprising range of innocuous conduct involving computers).

Yet another area of legality concerns recently enacted laws in some states requiring digital forensics examiners to be licensed as private investigators.  Texas passed such a law that provides for up to one year imprisonment and a $14,000 fine for persons conducting unlicensed computer investigations. Tex. Occ. Code Ann. § 1702.104 (2011); see also Private Security Bureau Opinion Summaries: Computer Forensics, Tex. Dep’t Pub. Safety, 4–5 (Aug. 21, 2007).  The Opinion clarifies that the Act applies to computer forensics, defined as:

[T]he analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons.  We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.

Id., at 4.

And Michigan’s new law makes unlicensed digital forensics work a felony punishable by up to four years imprisonment, damages, and a $5,000 fine. 2008 Mich. Pub. Acts 67.

In 2008, North Carolina’s Private Protective Services Board proposed to amend General Statute Section 74C-3 to include “Digital Forensic Examiner” as among the roles that must be licensed by the state. See Mack Sperling, North Carolina May Require Licensing for Computer Forensic Consultants, but Do We Need It?, N.C. Bus. Litig. Rep. (Sept. 24, 2008). The measure was defeated. S. 584, 2009 Gen. Assemb., Reg. Sess. (N.C. 2009) (amending GS 74C–3(b) to exempt from the definition of private protective services a person engaged in (1) computer or digital forensic services or the acquisition, review, or analysis of digital or computer-based information, whether for the purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court, or (2) network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network).

Meanwhile, the American Bar Association has discouraged such legislation, concluding, “[c]omputer forensic assignments often require handling data in multiple jurisdictions.  For example, data may need to [be] imaged from hard drives in New York, Texas and Michigan.  Does the person performing that work need to have licenses in all three states?” Gilbert Whittemore, Report to the House of Delegates, 2008 A.B.A. Sec. Sci. & Tech. L. 2.  The ABA Report opined:

The public and courts will be negatively impacted if e-discovery, forensic investigations, network testing, and other computer services can be performed only by licensed private investigators because not all licensed private investigators are qualified to perform computer forensic services and many qualified computer forensic professionals would be excluded because they are not licensed.

Indeed, very few licensed private investigators are qualified to perform computer forensics services.  Nevertheless, the trend seems to be leading away from state licensing requirements.

Undoubtedly, one of the thorniest legal problems facing unwary examiners is that of child pornography (“contraband”) encountered in digital forensics investigations. See generally Beryl Howell, Digital Contraband: Finding Child Porn in the Workplace, reprinted in White Collar Crimes 2008, ABA-CLE (2008).

Federal law prohibits the knowing production, receipt, shipment, distribution, reproduction, sale, or possession of “any . . . visual depiction involv[ing] the use of a minor engaging in sexually explicit conduct,” or of “any material that contains an image of child pornography . . . .” 18 U.S.C. §§ 2251(a), 2252(a), 2252A(a) (2006). Violations are punishable by a mandatory minimum term of imprisonment for five years and up to twenty years (18 U.S.C. §§ 1466A(a)(2)(B), 2252(b)(1), 2252A(b)(1) (2006)), except for mere possession, which is punishable by up to ten years. 18 U.S.C. §§ 1466A(b)(2)(B), 2252(b)(2), 2252A(b)(2) (2006).

Congress, in enacting the Adam Walsh Act of 2006, reasoned that child pornography as prima facie contraband should not be distributed to or copied by defendants, their attorneys, or experts. Adam Walsh Child Protection and Safety Act, H.R. 4472, 109th Cong. § 501(2)(E) (2006).  Therefore, an examiner who encounters contraband during an investigation outside of a law enforcement facility must cease work, and contact law enforcement to come to the place of the investigation to seize the contraband.  See Larry Daniel, Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom (Kindle Edition, 2011) at 3602-3603 (“[I]f a non-law-enforcement examiner is analyzing evidence in any kind of case and finds child pornography, he or she is required to stop the examination and notify law enforcement so the evidence can be turned over to authorities”); Bill Nelson, et al., Guide to Computer Forensics and Investigations 508 (4th ed. 2010) at 176 (“The evidence must be turned over to law enforcement. This material is contraband and must not be stored by any person or organization other than a law enforcement agency”).  An expert or attorney who e-mails or delivers the contraband may be prosecuted for copying or distribution. See, e.g., United States v. Flynn, 709 F. Supp. 2d 737, 739 (D. S.D. 2010) (indicting an attorney, who claimed he was doing research for a potential client by investigating the existence of child pornography on a P2P network, for possession and distribution of child pornography); see also State v. Brady, No. 2005–A–0085, 2007 WL 1113969, *2 (Ohio Ct. App. Apr. 13, 2007) (recounting that notwithstanding a state court protective order, the Federal Bureau of Investigation executed a search warrant on court-appointed defense expert’s residence, seized his computer and media, and the Government threatened an indictment for violation of 18 U.S.C. § 2252A), rev’d on other grounds, 894 N.E.2d 671 (Ohio 2008).

It should be noted that Section 3509(m) of the Adam Walsh Act technically does not apply to state criminal proceedings; it expressly governs the Federal Rules of Criminal Procedure. Allen v. Tennessee, 2009 WL 348555, at *6 (U.S. Jan. 11, 2010); State ex rel. Tuller v. Crawford, 211 S.W.3d 676, 679 (Mo. Ct. App. 2007); Commonwealth v. Ruddock, No. 08–1439, 2009 WL 3400927, at *1 (Mass. Supp. Oct. 16, 2009); State v. Blount, No. 81-CR-09-1180, slip op. at 6 (Minn. Dist. Ct., Apr. 7, 2010).  Accordingly, state courts sometimes order a forensic copy be provided to the defense expert under a protective order, which the court found would adequately serve the purpose of the Adam Walsh Act “to protect children from sexual exploitation and to prevent child abuse and child pornography.” Id.; see also Ruddock, supra, 2009 WL 3400927, at *3 (issuing protective order to prevent “unnecessary disclosure”).  As I will explain below, the expert who takes custody of such contraband is playing with fire, unless he or she has some standing agreement with the local office of the U.S. Attorney for that district.

Notwithstanding the non-applicability of the Act to state court criminal proceedings, and notwithstanding state court protective orders, the Government has prosecuted defense attorneys and experts for contraband acquired in the performance of their official duties. United States v. Flynn, 709 F. Supp. 2d 737, 743 (D. S.D. 2010); State v. Brady, 894 N.E.2d 671, 673 (Ohio 2008).

Arguably, there is a rational basis for why an expert should have access to the evidence in his or her own lab, because of the increased costs and inefficiencies of conducting the analysis at law enforcement facilities. See Sharon Nelson et al., “In Defense of the Defense: The Use of Computer Forensics in Child Pornography Cases,” Sensei Enterprises, Inc. (2009) (“The beleaguered defense expert is forced, often by economics, to do whatever it is possible to do in one or two eight hour days. Frequently, the expert has to fight to use his/her own equipment and to work in privacy”); Larry Daniel, Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom (Kindle Edition, 2011) at 2127-2130 (“If the case involves child pornography images, the examiner must travel to and perform all of the work at a law enforcement agency. This will add to the expense as the examiner must charge for all the time spent at the agency, including computer processing time that might not be charged for if the case were analyzed in the examiner’s lab”); see also Blount, supra, note 149 (crediting expert’s testimony that conducting the examination at law enforcement facilities would approximately double the cost); Knellinger, supra, note 101 471 F.Supp.2d at 647-48 (crediting testimony that conducting examination at law enforcement facilities would exacerbate costs).  A useful analogy when considering whether a defense attorney should take possession of child pornography is that, in a drug possession case, the prosecutor does not keep samples of a controlled substance in the case files, and instead must inspect the evidence under controlled conditions where it is kept at the law enforcement facility.

In conclusion, the maxim that ignorance of the law is no excuse is sound, and another compelling reason why a capable digital forensics expert ideally should have a solid legal background.  Indeed, an unwary examiner may be asked by a well-intentioned, but uninformed or negligent attorney to engage in conduct that is unlawful.  Alternatively, the examiner’s work, unbeknownst to the attorney, may lead him or her into a briar bush fraught with peril.  Because the examiner will not have an attorney-client relationship with the retaining attorney, and notwithstanding that the attorney is obligated to diligently supervise non-lawyers, the ultimate personal responsibility for the legality of the examiner’s work belongs to the examiner.

Next week, October 20, is the 2011 Computer & Technology Law Institute!
The conference includes sessions with the latest news, thoughtful analysis and practice tips about today’s key computer and tech law issues.

Featuring:

  • Erica Newland, Center for Democracy & Technology, Washington DC, and Jerry Cerasale, Direct Marketing Association, Washington DC, on “On-Line Behavioral Advertising”
  • Jon M. Garon on “Navigating through the Cloud – Legal and Regulatory Management for Software as a Service”
  • Outstanding faculty including in-house perspectives from 3M, Best Buy, Medtronic, SunGard and Wells Fargo
  • Nine information-packed, practical sessions including focus on cloud computing questions and answers; mobile data security; insurance coverage for data breaches; Internet power-houses’ policies and practices “as law” – plus your critical year in review
  • 6.75 credits including 1.0 ethics credit (applied for)
  • And more!


Significant legal and ethical challenges confront digital forensics investigators, for which some may not be well prepared. Just as many lawyers may be confounded by technology in dealing with digital forensics matters, many digital forensics experts lack formal legal training, and are uninformed about their special obligations in the employ of a lawyer. These obligations include zealously guarding the attorney-client privilege, applying the work product doctrine, developing reports, exhibits, and testimony (that are both admissible and understandable to a lay jury or judge), and conducting their work in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party.

In certain situations, such as where digital forensics examiners serve as special masters (see Fed.R.Civ.P. 53) or third-party neutrals (see Model Rules of Prof’l Conduct R. 2.4 cmt. 1), they are regarded as officers of the court.

The use of a third-party neutral has significant advantages. See, e.g., Craig Ball, Neutral Examiners, Forensic Focus, http://www.forensicfocus.com/index.php?name=Content&pid=346.  First, as an officer of the court, the expert is subject to the court’s inherent powers, thereby providing an extra measure of accountability for misconduct (e.g., confidentiality breaches).  Second, a third-party neutral is ostensibly impartial, which impartiality presumptively aids in the fact-finding process and administration of justice. Third, the third-party neutral is aptly situated to resolve discovery disputes, including issues of confidentiality, relevance, and privilege, and, if necessary, obtain court intervention or in camera review to resolve such disputes.

But if the examiner is not appointed by the court, but rather is retained by a party to an adversarial proceeding, he or she is nevertheless obliged to ferret out the truth.  See, e.g., Ferron v. Search Cactus, L.L.C., No. 2:06-CV-327, 2008 WL 1902499, at *4 (S.D. Ohio Apr. 28, 2008) (court deemed both plaintiff’s and defendant’s computer experts as officers of the court in order to protect the confidentiality of certain ESI found on plaintiff’s computer that was unrelated to the suit).

1. Work Product Doctrine

The work product doctrine enhances a lawyer’s ability to render competent counsel, as the United States Supreme Court observed in Hickman v. Taylor:

[I]t is essential that a lawyer work with a certain degree of privacy, free from unnecessary intrusion by opposing parties and their counsel. Proper preparation of a client’s case demands that he assemble information, sift what he considers to be the relevant from the irrelevant facts, prepare his legal theories and plan his strategy without undue and needless interference.

329 U.S. 495, 510–11 (1947).  It is therefore imperative that both attorneys and examiners understand the doctrine and how it applies to digital forensics examinations. Enjoying the privilege of work product immunity is one of several reasons the expert should be directly retained by the attorney (rather than the attorney’s client).

Some lawyers conflate the work product doctrine with the attorney-client privilege (discussed below). Although the work product doctrine is broader than the attorney-client privilege, it is not a privilege, but rather a limited immunity from production, and can be overcome in certain situations. See Fed. R. Civ. P. 26(b)(3)(A). The doctrine applies in both civil and criminal cases, and protects not only documents and tangible things prepared by attorneys, but also those prepared by an attorney’s consultants, sureties, indemnitors, insurers, or agents. Id.  In the context of such examinations, the work product doctrine also covers the “mental impressions, conclusions, opinions, or legal theories of a party’s attorney or other representative concerning the litigation.” Fed. R. Civ. P. 26(b)(3)(B).

The prudent digital forensics expert should, therefore, take affirmative steps to keep confidential the software and hardware used during the examination, as well as his or her theories, algorithms, cryptology, notes, tools, processes, methods, search queries, resource materials, mental impressions, and techniques. And, because the doctrine may be overcome in limited circumstances, attorneys should give careful consideration to whether they instruct their experts to memorialize preliminary findings in writing.  For example, in the popular textbook, Guide to Computer Forensics and Investigations, (Bill Nelson, et al., 4th ed. 2010), the authors explain:

[The forensic tool] also produces a case log file, where you can maintain a detailed record of all activities during your examination, such as keyword searches and data extractions . . . . At times, however, you might not want the log feature turned on. If you’re following a hunch, for example, but aren’t sure the evidence you recover is applicable to the investigation, you might not want opposing counsel to see a record of this information because he or she could use it to question your methods and perhaps discredit your testimony. Look through the evidence first before enabling the log feature to record searches. This approach isn’t meant to conceal evidence; it’s a precaution to ensure that your testimony can be used in court.

But see Univ. of Pittsburgh v. Townsend, No. 3:04-CV-291, 2007 U.S. Dist. LEXIS 24620 (E.D. Tenn. Mar. 30, 2007) (holding that it was improper for the counsel to have instructed or otherwise suggested to the experts that all e-mails be destroyed, as they became the subject of multiple discovery requests).

In 2010, Fed. R. Civ. P. Rule 26 was amended to give experts’ draft reports the protection of the work product doctrine, exempting them from mandatory disclosure. Fed. R. Civ. P. 26(b)(4)(B). The rule expressly provides that the doctrine applies to “protect drafts of any report or disclosure required under Rule 26(a)[(2)], regardless of the form in which the draft is recorded.” The amended rule also applies work product protection to communications between experts and the counsel who retain them, with three exceptions: (1) communications pertaining to the expert’s compensation; (2) facts or data that the attorney provided and the expert considered in forming opinions; and (3) assumptions that the attorney provided and that the expert relied on. Fed. R. Civ. P. 26(b)(4)(C).  Critics contend the amendment affords attorneys too much latitude in drafting experts’ reports or influencing their opinions. See, e.g., Robert Ambrogi, Changes to Rule 26 Bring Praise — Albeit Faint, Bullseye Legal Blog (June 1, 2011).  The counter argument is that “[t]he risk of an attorney influencing an expert witness does not go unchecked in the adversarial system, for the reasonableness of an expert opinion can be judged against the knowledge of the expert’s field and is always subject to the scrutiny of other experts.” Haworth, Inc. v. Herman Miller, Inc., 162 F.R.D. 289, 295–96 (W.D. Mich. 1995).

One area of particular concern relating to the work product doctrine and digital forensics investigations is the applicability of the 2006 Adam Walsh Act and similar state statutes. Under 18 U.S.C. § 3509(m), added by Section 504 of Title V of the Adam Walsh Act, “any property or material that constitutes child pornography . . . shall remain in the care, custody or control of either the government or the court.” Title V of the Act contains congressional findings that: “[e]very instance of viewing images of child pornography represents a renewed violation of the privacy of the victims and a repetition of their abuse;” that “[c]hild pornography constitutes prima facie contraband, and as such should not be distributed to, or copied by, child pornography defendants or their attorneys;” and that “[i]t is imperative to prohibit the reproduction of child pornography in criminal cases so as to avoid repeated violation and abuse of victims, so long as the government makes reasonable accommodations for the inspection, viewing, and examination of such material for the purposes of mounting a criminal defense.” Adam Walsh Child Protection and Safety Act of 2006, Pub. L. 109-248, §§ 501(2)(D)–(F), 120 Stat. 587, 624 (2006).

“Ample opportunity” and “reasonable access” under the Act requires: (1) “the government [to] supply reasonably up-to-date tools (hardware and software) and facilities [in order to] construct a reasonable, available forensic defense,” (2) “[ability of] a defense expert to utilize his or her hardware or software,” and (3) “that the analysis be performed in a situation where attorney-client privilege and work product will not be easily, accidentally exposed to the government, and in a facility which is open to the defense at its request during normal working hours, and to the extent feasible, during non-working hours.” United States v. Flinn, 521 F. Supp. 2d 1097, 1101 (E.D. Cal. 2007). In State v. Boyd, the Supreme Court of Washington held that preparation for trial would “likely require revisiting the evidence many times before and during trial” and, therefore, where the evidence consists of a computer hard drive, “adequate representation requires providing a ‘mirror image’ of that hard drive; enabling the defense attorney to consult with computer experts who can tell how the evidence made its way onto the computer,” and that anything less could place an undue burden on defense counsel or a defense expert, interfering with a defendant’s constitutional rights. 160 Wash.2d 424, 433–37, 158 P.3d 54 (2007).

In my experience, most government agencies endeavor to provide reasonable access, but others, perhaps well-meaning, have sought to dictate what equipment the defense expert may use (including the number of computers, and a restriction of both optical read/write drives and solid state drives), or have proposed the examiner work in a small room alongside state staff, or have required the examiner to use state equipment to conduct Internet research during the examination, or have proposed limiting the examiner to a black-and-white printout of the forensic report or to an electronic copy on a read/write optical device supplied by the state, and insisting that the work product be inspected by a state employee prior to removal from the facility. These limitations not only violate the work product doctrine, but also implicate a defendant’s right to effective counsel and due process, and are likely to result in relinquishment of the media containing the contraband to the defense expert under the Act’s so-called “safety valve.” 18 U.S.C. § 3509(m)(2)(B).  This has already happened in several cases. See, e.g., State v. Allen, No. E2007-01018-CCA-R3-CD, 2009 Tenn. Crim. App. Lexis 114 (Tenn. Crim. App. Feb. 12, 2009); United States v. Knellinger, 471 F. Supp. 2d 640, 650 (E.D. Va. 2007); State v. Johnson, No. 1 CA-CR 09-0300, 2010 WL 1424369 (Ariz. Ct. App. Apr. 8, 2010).

2. Attorney-Client Privilege and Confidentiality

The attorney-client privilege is one of the most hallowed tenets of American common law. The primary function of the privilege “is to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice.” Upjohn Co. v. United States, 449 U.S. 383, 389 (1981). Without the privilege, which withholds otherwise relevant evidence, “the client would be reluctant to confide in his lawyer and it would be difficult to obtain fully informed legal advice.” Fisher v. United States, 425 U.S. 391, 403 (1976). In general, communications are protected under the attorney-client privilege if (1) a person is seeking legal advice from a lawyer acting in his legal capacity, (2) the communication is made for the purpose of obtaining legal advice, (3) the communication is made in confidence, and (4) the communication is made by the client. Restatement (Third) of the Law Governing Lawyers § 68 (2000).

So, you might ask, how might this apply to digital forensics examinations?

I respectfully propose that the following statement by the Colorado Supreme Court is incorrect:

[A]s both a legal and practical matter, the defense expert’s relationship with the defendant and counsel has been protected from intrusions by the state. The law has recognized several doctrines that afford a degree of confidentiality to the expert-defense relationship. Thus, statements made to the expert by the defendant and counsel may be protected by the attorney-client privilege.

Hutchinson v. People, 742 P.2d 875, 881 (Colo. 1987) (underline emphasis added).

Specifically, statements made to the expert by the defendant and counsel are probably not protected by the attorney-client privilege. First, only the client’s statements enjoy the privilege (or the attorney’s statements to the client that contain the substance of the client’s statements, such as an answer by the attorney giving some indication of the client’s question).  See, e.g., Kennedy v. Yamaha Motor Corp., 2010 Phila. Ct. Com. Pl. Lexis 24 at *4 (Pa. C.P., Feb. 2, 2010) (“Attorney-client privilege is perhaps a misnomer, since only the client’s statements enjoy a privilege.  Communications of the attorney, on the other hand, are not privileged, except to the narrow extent to which they reveal communications made by the client”).

Courts may, indeed, construe a client’s direct communications to the digital forensics expert as privileged, if the expert is regarded as an agent of the attorney. Fin. Techs. Int’l, Inc. v. Smith, 49 Fed. R. Serv. 3d 961, 967 (S.D.N.Y. 2000).  And it is true that an expert is not considered a third party whose presence destroys the privilege if the expert’s presence is deemed necessary to secure and facilitate communication between the client and the attorney (not unlike an interpreter). See United States v. Kovel, 296 F.2d 918, 921–922 (2d Cir. 1961); In re Grand Jury Proceedings, 220 F.3d 568, 571 (7th Cir. 2000); United States v. Cote, 456 F.2d 142, 143 (8th Cir. 1972).  But I do not believe that communications between an attorney and an expert are automatically afforded attorney-client privilege, because these are not communications made in confidence to an attorney while seeking legal advice. See Matthew P. Matiasevich, I (Might) Get By With a Little Help from my Expert (May, 2010), 21st Annual Spring Symposia of the ABA Section of Real Property, Trust, and Estate Law (“The attorney-client privilege rarely applies to experts for the simple reason that the expert is almost never the client and hence communications are not confidential”).  For this reason, and although it may hinder the expert’s efficacy, the expert should probably avoid asking questions of the attorney like, “So, did your client admit to knowingly downloading those images?”

My opinion notwithstanding, both the expert and the attorney would owe a duty to the client—the holder of the privilege—to maintain confidentiality. The attorney’s obligation is detailed in the Model Rules of Professional Conduct in Rules 1.6 (governing disclosure by a lawyer of information relating to the representation of a client during the lawyer’s representation of the client), 1.18 (the lawyer’s duties regarding information provided to the lawyer by a prospective client), and 1.9 (the lawyer’s duty not to reveal information relating to the lawyer’s prior representation of a former client).

But, the expert, who usually isn’t present at the time of the communication, is also obliged to zealously protect any information the expert discovers that implicates communications made by the client to his or her attorney.  And this obligation is another reason why digital forensics experts working in litigation support roles really need some legal acumen: He or she needs to correctly recognize and, as necessary, segregate attorney-client privileged data. For example, if the expert encounters e-mails between a client and her attorney, which the client subsequently forwarded to a friend, will the expert recognize a privilege? See generally Jonathan Feld & Blake Mills, The Selective-Waiver Doctrine: Is it Still Alive?, 16 Business Crimes Bulletin 4, 4, (Dec. 2008). When in doubt, the expert should consider the communication privileged and consult with the attorney. Note this exhortation reveals that the integrity of the privilege itself could depend upon the integrity of the communication channel between the expert and the attorney.

3. Information Security

Attorney-client privilege aside, a competent digital forensics expert should also have background and training in information security protocols and be able to observe strict confidentiality of all data entrusted to him or her, as my colleagues Sharon Nelson and John Simek eloquently argue:

Not all cases are shrouded in secrecy, but a fair proportion of them are. There are well known figures getting divorced, major companies with proprietary information at issue, public figures in the headlines and people charged with felonies. . . . During the course of a major case where the expert has been identified, the press will undoubtedly come sniffing around the expert probing for information. A good expert knows the standard answer, “I’m sorry, I have no comment” and is as immoveable as the Great Wall of China.

Sharon D. Nelson & John W. Simek, Finding Wyatt Earp: Your Computer Forensics Expert, Sensei Enterprises, Inc. (2005). A recent Associated Press article, Anthony Computer Expert Backs Off Reported Claims, seems to demonstrate the foregoing point well. But, because the Rules of Professional Conduct do not apply to digital forensics examiners, the only enforcement mechanisms are contractual provisions—i.e., a confidentiality clause in the retainer agreement—and loss of reputation and business. The prudent attorney should, therefore, include a confidentiality provision in the engagement agreement, which may give rise to a breach of contract action if damages are sustained. Also, if the expert is retained while a case is active, either or both parties may move the court for a protective order regarding the expert’s handling of confidential data, under which the expert would be subject to the court’s inherent supervisory powers, including sanctions and contempt authority.

This op-ed post by Sean L. Harrington provides opinions that do not necessarily reflect the positions of the Minnesota State Bar Association or its other constituents.

————————————————

The media and blogosphere are abuzz with news of Barry Ardolf, the disgruntled neighbor who “hacked” into the WEP-secured wireless network of his neighbor, Minnesota lawyer Matt Kostolnik. Last week, Ardolf was sentenced to eighteen years. See, e.g., Martha Neil, “Neighbor Gets 18 Years for Hacking Lawyer’s Wi-Fi Account, Using His ID to Harass Others,” ABA Journal, July 13, 2011.

There are at least a few lessons to learn from this case: (1) Don’t use WEP to secure your wireless network (it can be hacked in as little as four to ten minutes), (2) law firms benefit from having good working relationships with competent digital forensics investigators, and the most obvious: (3) check with your local police department or lawyer before you act on any brainy ideas about hacking into your neighbor’s computer network in an effort to frame him for possessing child pornography and threatening the Vice President (or any other purpose).

But that’s not really what this comment is about. Rather, the comment focuses, in part, on whether Internet users could bear defamation liability for statements (in blogs and comments) based upon uncharged conduct contained in a Government court filing, and whether the Government should use more restraint in discussing uncharged conduct that may give rise to various unintended consequences.

Almost as interesting as the underlying facts is the story behind how those facts were uncovered. The Anoka County Sheriff’s deputy who worked on the case recently provided a case study for the Minnesota chapter of the HTCIA (http://mn-htcia.org).  He was joined by cybersleuth Scott Johnson, whose methodical investigation ultimately produced the probable cause evidence needed to obtain a search warrant for Ardolf’s residence. In addition, one of the Minnesota FBI cybercrime unit’s special agents, who participated in the Government’s investigation, provided a separate case study. Attending those case studies and conversing with the presenters has provided more insight into the case than has been publicly reported.

The short version of the facts is this: On August 2, 2008, just one day after Kostolnik and his family moved into their Blaine, Minnesota, neighborhood, their then 4–year-old son wandered on or near Ardolf’s property. Ardolf returned the boy, but not before allegedly kissing him on the lips.1 The father confronted Ardolf about the incident. According to Ardolf:

He was upset and demanded that I never go on his property, never to talk to him, his wife, or any of his children under any circumstances. I felt powerless, humiliated, and victimized. That summer, neighbors who had previously invited me to dinner shunned me.2

The boy’s parents reported the incident to police. According to the police report, the mother’s perceptions regarding the manner of Ardolf’s contact with her son caused her great distress.

In response to the Kostolniks’ reporting of the incident to police, Ardolf engaged in conduct that the Government described as “a calculated campaign to terrorize his neighbors, doing whatever he could to destroy the careers and professional reputations of Matt and Bethany Kostolnik, to damage the Kostolniks’ marriage, and to generally wreak havoc on their lives.” 3  Among other things, Ardolf intruded into the Kostolniks’ wireless account; intercepted their mail; sent fraudulent e-mails to Kostolnik’s colleagues; and in one e-mail (in Kostolnik’s name), threatened the Vice President, Governor Pawlenty, and other officials. In addition, Ardolf planted an image of child pornography into an e-mail and a MySpace page, both in Kostolnik’s name.

Eventually, through the efforts of the private investigator (Johnson, retained privately) and the Anoka County Sheriff, Ardolf was identified as the culprit. The subsequent search of his home yielded the Kostolniks’ intercepted mail, numerous computer-hacking books, and compact disks containing hacking software. Several computers were seized, which contained voluminous inculpatory evidence, including evidence of the network intrusion, identity theft, and eight child pornography files (all derivatives of the same image), which Ardolf had used in his campaign, and which files formed the basis of those counts against him.4

It has been reported that Ardolf has no prior criminal record, although the police report (mentioned above) states Ardolf had, at that time, a “Suspense File for domestic assault.” According to both the indictment and the Government’s Presentencing Memorandum, Ardolf’s actions in this case continued a pattern of previous conduct  involving another victim.5  The prior criminal conduct would not have been discovered but for the search warrant executed in this case.6

During the trial, Ardolf fired two lawyers in succession, and proceeded pro se. The trial court nevertheless appointed stand-by counsel. Ardolf reportedly withdrew from a plea deal that would have resulted in only two years’ imprisonment, and proceeded to trial. In December 2010, only three days into the jury trial, Ardolf threw in the towel and inexplicably pleaded guilty to all counts and, as a result, the charges were not put to a jury. Subsequently, he contended in a hand-written memorandum to the judge that his attorney coerced him into doing so.7  Finally, Ardolf coached his children to appeal to the judge’s emotions in granting Ardolf leniency and to conform to Ardolf’s version of events regarding the Kostolniks’ 4-year-old boy.8

The result: Ardolf was sentenced to 18 years’ imprisonment (followed by 20 years’ probation), a $10,600 fine, and forfeiture to the Government under 18 U.S.C. § 2253(a) of the computer equipment and of the Blaine home (which, upon information and belief, has no mortgage and is worth $290,000). The court recommended defendant be excluded from any computer-based activities or technical training during the term of his incarceration.  Further, during the 20 years of supervised release, Ardolf must register as a sex offender, may have no contact with persons under the age of 18 (except in limited circumstances), may not be engaged in any computer-related employment, may not “possess or use a computer or have access to any on-line service without the prior approval of the U.S. Probation Office,”  and must obtain gainful employment if possible or, alternatively, work twenty hours of community service.

The extraordinary facts of this case (including both defendant’s conduct and the case outcome), coupled with incomplete media coverage, warrant further discussion.

Ardolf’s presentencing memorandum discloses that his wife died unexpectedly in 2000, and he has been a widower and single parent to three children for the past 11 years.9   As a result of Ardolf’s incarceration, the children will be deprived of any meaningful contact with their only surviving parent (as Ardolf himself noted in his Acceptance of Responsibility Statement (“I am leaving my children with no parent”)).10

Moreover, because Minnesota is not a community property state, the decedent-wife’s property (including any contributions toward the paid-for home) may have gone entirely to Ardolf, and all of Ardolf’s assets (which defendant’s memorandum suggests were tied up in the value of the home) now go to the Government.  This may mean that the three children will be deprived not only of their mother’s estate (which they presumably had been receiving by way of a continuing measure of support from the father, or would eventually receive from their father in the future), but also of their father’s income for food, shelter, school books, clothes, and college tuition.

The Government, however, did propose an alternative to forfeiture of the Blaine home:  Because “the Government’s overriding goal is the removal of defendant from the Alamo Circle neighborhood in Blaine, Minnesota, to provide for the safety of the victims . . . the Government had offered to allow defendant to sell the house and to put the money in a trust to benefit his three children.”11   The offer was conveyed both to defendant’s current counsel, as well as to his previous counsel immediately after he entered his guilty plea. Upon information and belief, Ardolf declined the Government’s offer both times yet, had he agreed, the Government would not have sought an Order of Forfeiture.

Notwithstanding that defendant inexplicably rejected the offer, the Government contended that it would not act on the Order of Forfeiture if the defendant, through counsel, arranged to have the proceeds placed in a trust administered by a neutral trustee to provide for the three children.  The trial judge noted, during the six-hour sentencing hearing, that the Government’s offer in this regard was unprecedented in his experience.  Upon information and belief, Ardolf might now be taking steps to accept the Government’s offer, although his standby counsel was unable to corroborate this for lack of authorization to comment on this or other facts of the case.

Additionally, although Ardolf’s presentencing memorandum contains the obligatory apologies to the court and the victims, it also maintains Ardolf’s continuing objection to assertions contained in the Presentence Investigation Report (referenced in Defendant’s Position Paper as to Sentencing Factors)12 that his contact with the neighbors’ boy was inappropriate, which incident gave rise to the dispute.  Although the police report was closed with the notation that no criminal sexual conduct was found (and Ardolf was therefore not charged in connection with the same), news outlets worldwide13 have reproduced a quoted statement contained in the Government’s pre-sentencing memorandum referring to Ardolf as a pedophile.14

As a result of the widely-published but uncharged conduct, several Web sites and forum posts (e.g., http://www.sodahead.com/united-states/man-gets-18–years-in-prison-for-hacking-neighbors-wifi-fair-or-foul/question-1970305/) now freely characterize Ardolf as a “pedophile,” and “child molester.”  Many anonymous posters have expressed satisfaction about what other prisoners will likely do to Ardolf as a putative pedophile. Id. Indeed, “Such offenders . . . often are placed into protective custody with other prisoners seen to be under a threat. ‘Once their crime has become known, they usually don’t make it’ without protective custody.” 15

Aside from the collateral consequence, this raises the academic question of whether repeating a statement that is defamatory per se relating to uncharged conduct, which statement and uncharged conduct is memorialized in the Government’s presentence memorandum, may give rise to liability. The Minnesota Court of Appeals has held that, “[I]n almost every circumstance a reasonable listener would believe that calling a person a pedophile imputes serious sexual misconduct or criminal activity to that person. It is, therefore, defamatory per se.” 16 

To begin this analysis, one must assume that Ardolf’s conduct does not fit within the meaning of “pedophile,” since a defense of “truthfulness” is dispositive.  And it is well-settled that one spouse’s statement to the other —even a statement that is defamatory per se— is absolutely privileged.17   Further, unless it falls within the so-called “sham exception,” such a statement contained in any petitioning (such as statement filed with the police) would be entitled to SLAPP immunity.18 Likewise, most states recognize an absolute privilege for defamatory communications preliminary to, or in the course of a judicial proceeding if the communication has “some relation” to the proceeding.19 But a republication of that statement could only qualify for the narrow Fair Report privilege if the republisher relied upon an official public document for the allegedly defamatory information, made clear that the document or statement was the source, and fairly and accurately used the source.

Few (if any) of the news stories, blog posts, or comments have clearly attributed the “pedophile” statement to the Government’s court filing.  Nevertheless, there is still the constitutional limitation for matters of public concern, which requires a libel plaintiff to prove that the publisher or broadcaster either knew that the allegedly-defamatory statement was false, was reckless as to truth, or was negligent as to its falsity.20

Significantly, some courts have held that there can be no defamation where plaintiff had no reputation to injure (as may appear to be the case with Ardolf, at the time of this writing).21 But even if so, should Ardolf’s reputation be measured at the time the statement was uttered (when his reputation was not yet lowered by his own conduct)? At the time it was published to a third party (presumably, when the victims were interviewed by the Government)?  At the time of the republication?  Or at the time of the libel suit?  If Ardolf’s reputation is properly measured as of today (lowered by reason of his conviction), would Ardolf nevertheless have a viable cause of action because his current reputation is lowered not by reason of charges and/or convictions relating to the alleged inappropriate contact?

If so, would anonymous posters on Sodahead.com and other sites have reason for concern?  In some other countries, the answer seems to be yes: Recently, Google was held by a Brazilian court to have defamed a priest by allowing an anonymous Internet user’s post on Orkut (a Google-owned social networking site), which called the priest a “pedophile.” And a U.S. state court recently ordered the Indianapolis Star to turn over the identities of anonymous posters who made defamatory comments.22  An amicus brief filed by PublicCitizen.org on appeal contends such an outcome is permissible if five standards are satisfied: (1) Give Notice: Courts require the plaintiff (and sometimes the Internet Service Provider) to provide reasonable notice to the potential defendants and an opportunity for them to defend their anonymity before issuance of any subpoena. (2) Require Specificity: Courts require the plaintiff to allege with specificity the speech or conduct that has allegedly violated its rights. (3) Ensure Facial Validity: Courts review each claim in the complaint to ensure that it states a cause of action upon which relief may be granted based on each statement and against each defendant. (4) Require an Evidentiary Showing: Courts require the plaintiff to produce evidence supporting each element of its claims. (5) Balance the Equities: Weigh the potential harm (if any) to the plaintiff from being unable to proceed against the harm to the defendant from losing the First Amendment right to anonymity.23

The issue, therefore, is whether the legitimate purposes to be served by the Government’s inclusion of this scandalous matter outweighed the risk of prejudicial effects or unintended consequences, such as those mentioned above.

Ordinarily, a sentencing judge may conduct a broad inquiry, largely unlimited either as to the kind of information he may consider, or the source from which it may come.24 The commentary in the U.S. Sentencing Guidelines Manual expressly permits “reliable” hearsay evidence at sentencing, and courts have concluded hearsay is admissible in sentencing as long as it bears some indicia of reliability.25  On the other hand, in United States v. Booker, 26 the Supreme Court held that insofar as the federal Sentencing Guidelines required a judge to increase a sentence based on facts found by the judge using a preponderance of the evidence standard, they violated the Sixth Amendment right of a criminal defendant to be tried by a jury and to have every element of an offense proved by the Government beyond a reasonable doubt.27 It is this author’s understanding that the trial court made a thorough and contemplative assessment of the sentencing guidelines and the statutory sentencing factors, and explicated its decision therefor in detail, which can be confirmed when the sentencing transcript is made available to the public.

Nevertheless, because the defendant in this case was neither charged with, nor convicted of, any crimes relating to the August 2, 2008 incident, there was little utility in its inclusion in presentencing filings.  In addition to the prejudicial effect on the judicial process,28 the inclusion of these statements has brought the victims further unwanted publicity.  And, although the Government’s presentment is afforded prosecutorial immunity, it has now become the basis for defendant to be (arguably, perhaps) libeled, subjecting the defendant to public scorn and ridicule beyond the moral disapprobation that members of society expect Ardolf’s convictions to express.29 Not only may this endanger defendant in the prison population (thereby exacerbating the Government’s obligations and expense in incarcerating defendant for years to come), but it also risks eroding the public’s confidence in the justice system.

______________________________

1 Government’s pre-sentencing memorandum (Dist. Minn., No. 10–cr-00159, Document 109 at 4) (“With her back to Ardolf, [the mother] heard him plant a wet kiss on [the child]”).

2 Defendant’s Position Paper as to Sentencing Factors, (Document 108) at 25-25.

3 Document 109 at 5.

4 Defendant’s Position Paper as to Sentencing Factors, Document 108 (“[T]he preliminary pre-sentence report at #25 states: ‘Eight files depicting the complete image or the altered image, which was posted on the Myspace.com page, were found during the search warrant on various computer equipment and hard drives’”).

5 Document 109 at 2.

6 Id.

7 Document 80.

8 Document 109 at 25–27.  This author has been informed that, at sentencing, the Court noted that it did not take into consideration the Government’s assertions regarding the August 2, 2008 catalyst incident, but the author has not yet been able to confirm this because the sentencing transcript has not yet been released.

9 Document 108 at 19.

10 Id. at 24.

11 Document 110 at 22-23.

12 Id. at 20

13 See, e.g., http://slashdot.org/story/11/07/13/0445224/The-Wi-Fi-Hacking-Neighbor-From-Hell; http://www.twincities.com/north/ci_18458202?nclick_check=1; http://www.wired.com/threatlevel/2011/07/hacking-neighbor-from-hell/; http://www.msnbc.msn.com/id/43744533/ns/technology_and_science-security/t/wi-fi-hacker-sentenced-after-cyberattacks-neighbors/.

14 Government’s pre-sentencing memorandum (Dist. Minn., No. 10–cr-00159, Document 109 at 4-5).

15 Michael S. James, “Prison is ‘Living Hell’ for Pedophiles,” ABC News (Aug. 26, 2003). http://abcnews.go.com/US/story?id=90004 (last visited July 17, 2011).

16 Longbehn v. Schoenrock, 727 N.W.2d 153, 159 (Minn. Ct. App. 2007).

17 Restatement of Torts, 2d, § 592 (A husband or a wife is absolutely privileged to publish to the other spouse defamatory matter concerning a third person. The confidential character of the relationship of husband and wife is the basis for the privilege stated in this Section. Communications between spouses are so completely protected that under no circumstances can they be made the basis of an action for defamation. This is true although the matter communicated is known to be false and the purpose of the communication is altogether improper).

18 See City of Columbia v. Omni Outdoor Adver., Inc., 499 U.S. 365, 380 (1991).

19 See Restatement (Second) of Torts 587 (1977) (parties); id. 588 (witnesses); id. 589 (attorneys).

20 Gertz v. Robert Welch, Inc., 680 F.2d 527 (7th Cir. 1982), cert. denied, 459 U.S. 1226 (1983).

21 See, e.g., Kevorkian v. AMA, 237 Mich. App. 1, 12 (Mich. Ct. App. 1999) (“In those instances where an allegedly libelous statement cannot realistically cause impairment of reputation because the person’s reputation is already so low . . . the claim should be dismissed so that the costs of defending against the claim of libel, which can themselves impair vigorous freedom of expression, will be avoided.”), quoting Brooks v Am. Broad. Co Inc., 932 F.2d 495, 501 (CA 6, 1991).

22 Jeffrey M. Miller v. Junior Achievement of Central Indiana, Inc., (In re Indiana Newspaper, Inc.) No. 49D14–1003–PL-014761.

23 Dendrite v. Doe,775 A.2d 756, 760-61.

24 United States v. Wallace, 408 F.3d 1046, 1047-48 (8th Cir., May 23, 2005) (quoting Nichols v. United States, 511 U.S. 738, 747, 128 L. Ed. 2d 745, 114 S. Ct. 1921 (1994)).

25 Id.

26 543 U.S. 220 (2005).

27 Id. at 243-44. 

28 See Note, A Proposal to Ensure Accuracy in Presentence Investigation Reports, 91 Yale L.J. 1225, 1228 (1982) (recommending rule amendments to allow challenges to presentence reports for both sentencing and parole); Timothy Bakken, The Continued Failure of Modern Law to Create Fairness and Efficiency: The Presentence Investigation Report and Its Effect on Justice, 40 N.Y.L. Sch. L. Rev. 363, 366 (1996) (“‘[A]vailable data on the federal probation officer’s workload indicates that little, if any, verification of information is possible.’”); Robert Hanlon, Hard Time Lightly Given: The Standard of Persuasion at Sentencing, 54 Brooklyn L. Rev. 465, 493–494 (1988) (“the scope of the information allowed — hearsay testimony, uncorroborated evidence, including that from accomplices, allegations of unproven or even uncharged crimes — is so broad as to create the substantial possibility of inaccurate information being considered. The possibility of prejudicial error is exacerbated when much of the information is derived from sources likely to view the defendant in the most negative light — law enforcement officials and criminal prosecutors. In addition, information obtained from codefendants is more likely to be affected by self-serving interests, such as an attempt to transfer blame or placate prosecutors to obtain favored treatment”).

29 Dan M. Kahan, What’s Really Wrong with Shaming Sanctions, 84 TEX. L. REV. 2075, 2077 (2006).

That’s the title –without the question mark– of a report appearing in the Journal of Digital Forensics, Security, and Law (JDFSL).  If there was a question, I think the answer is an emphatic Yes, and it affects both technologists and attorneys alike.

SSDs changing the technical and legal landscape

The report posits –and I agree– that the fact we computer forensics analysts have had access to a treasure trove of evidence found as deleted files and slack file space was just good fortune taken for granted, because the natural state of modern digital storage is not to ‘preserve deleted data’ as magnetic drives have done for the past few decades, but rather to purge deleted files to improve read and write speeds.

According to the article, we should be aware that a “paradigm shift” is taking place in technology storage from magnetic hard drives to solid-state drives (SSDs); that solid-state drives have the “capacity to destroy evidence catastrophically under their own volition;” that it is “imprudent and potentially reckless to rely on existing evidence collection processes and procedures;” and that conventional assumptions about the behaviour of storage media are no longer valid. Id.

Why computer forensics analysts should care about SSDs:

In summation, report authors Bell & Boddington note that the latest generation of SSDs on the market (of which I own three) use firmware controllers to distribute data evenly across the drive’s blocks, so that the blocks are accessed and used equally over time; and they use a “garbage collection” process to identify deleted or slack file data so as to make these blocks available for reuse subject to the aforesaid equal allocation. The authors further posit that, because the garbage collection runs within the SSD (just by turning it on), using a write-blocker on the SSD during an investigation will have no effect, i.e., evidence spoliation will resume as soon as the SSD is energized (which it must be to retrieve data from it). The end result is that deleted data and slack-file evidence, which historically has yielded an abundance of fruit in digital forensics investigations, is no longer persistent.

 

Why litigators should care about SSDs:

The following may be welcome news to defense attorneys, as authors Bell & Boddington warn:

  • that data stored on all types of solid-state drives “should be immediately and henceforth considered to be a ‘grey area’ as far as forensic recovery and legal validation are concerned until extensive studies have been made of drive and data behavior;”
  • that evidence spoliation may take place extremely suddenly, extremely quickly and automatically without human awareness or control;
  • that present-day evidence indicating ‘no data’ does not authoritatively prove that data did not exist at the time of capture;
  • that evidence of deleted data being permanently erased or partially corrupted is not evidence of intentional permanent erasure or corruption;
  • that hashes not matching at the end of a forensic analysis should be evaluated to establish if the original or subsequent images could have been taken during or after a garbage collection;
  • that past metadata and data blocks may be deleted without warning and without the opportunity to realise that they had existed at time of capture;
  • that quick-formatting of disks is a reasonable activity that an innocent person might choose to do to improve performance, tidy up a disk, etc., yet may completely eradicate evidence from a disk within minutes;
  • that there are no longer any guarantees for previously deleted file data to be preserved on an SSD, regardless of whether the drive image was taken during a ‘live’ capture of evidence or following a ‘dead’ capture of evidence;
  • that drives can clearly self-modify their data after physical evidence has been gathered, despite best practice efforts by forensic analysts to prevent such behavior using traditionally effective write-blockers;
  • that it would be an unwise investment of time for analysts to try to develop workaround procedures that operate against the drive controller behavior specifically identified, because new firmware & models are regularly released;
  • that it would be imprudent to develop procedures for physical asset capture whereby operators attempt to distinguish SSDs from HDDs, because of the similar physical appearance of the drives and the need to gain access to the computer’s internals, and because hybrid disks incorporate both HDD and SSD technologies;
  • that it is unwise to assume that irreversible file erasure suggests intent to destroy evidence in cases where a defendant has quick-formatted a SSD drive prior to police seizure; and
  • that the issues identified in the Bell & Boddington report will later come to affect large USB flash drives as well.
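The evaluation called for in the conclusion above about non-matching hashes can be sketched as follows. This is an added example, not code from the Bell & Boddington report or from this page: when two acquisitions of the same drive hash differently, it compares them block by block and separates blocks that now read back as zeros from blocks whose content changed to other data. The 4096-byte block size, the function names, the sample images, and the premise that erased blocks read back as all zeros are assumptions.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # assumed comparison granularity, not a value from the report


def image_digest(stream, block_size=BLOCK_SIZE):
    """SHA-256 of a whole image, read block by block so large files fit in memory."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(block_size), b""):
        digest.update(block)
    return digest.hexdigest()


def diff_blocks(earlier, later, block_size=BLOCK_SIZE):
    """Yield (block_index, kind) for every block that differs between two images."""
    earlier.seek(0)
    later.seek(0)
    index = 0
    while True:
        a = earlier.read(block_size)
        b = later.read(block_size)
        if not a and not b:
            return
        if a != b:
            if len(a) != len(b):
                kind = "length-mismatch"   # images are not the same size
            elif b.count(0) == len(b):
                kind = "zeroed-in-later"   # data present earlier, all zeros later
            else:
                kind = "altered"           # replaced by other, non-zero data
            yield index, kind
        index += 1


def evaluate_mismatch(earlier, later, block_size=BLOCK_SIZE):
    """Summarise how two acquisitions of the same drive differ."""
    report = {"zeroed-in-later": [], "altered": [], "length-mismatch": []}
    for index, kind in diff_blocks(earlier, later, block_size):
        report[kind].append(index)
    report["hashes_match"] = (
        image_digest(earlier, block_size) == image_digest(later, block_size)
    )
    # True only when every difference is a block that went to zeros, which is
    # consistent with (not proof of) erasure by the drive between acquisitions.
    report["only_zeroing"] = bool(report["zeroed-in-later"]) and not (
        report["altered"] or report["length-mismatch"]
    )
    return report


def _sample_block(n):
    """Constructed, deterministic 4096-byte block of non-zero sample data."""
    return hashlib.sha256(b"constructed-%d" % n).digest() * (BLOCK_SIZE // 32)


# Constructed sample images (not real evidence): eight blocks of data, a second
# acquisition in which blocks 5 and 6 read back as zeros, and a third in which
# block 2 additionally holds different data.
FIRST = b"".join(_sample_block(n) for n in range(8))
SECOND = FIRST[:5 * BLOCK_SIZE] + bytes(2 * BLOCK_SIZE) + FIRST[7 * BLOCK_SIZE:]
THIRD = SECOND[:2 * BLOCK_SIZE] + _sample_block(99) + SECOND[3 * BLOCK_SIZE:]

if __name__ == "__main__":
    print(evaluate_mismatch(io.BytesIO(FIRST), io.BytesIO(SECOND)))
    print(evaluate_mismatch(io.BytesIO(FIRST), io.BytesIO(THIRD)))
```

For real acquisitions, pass the two image files opened in binary mode in place of the `io.BytesIO` objects.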

Mobile Devices Changing the Technical and Legal Landscape

Perhaps needless to say, mobile devices are pervasive and, to a growing extent, replacing traditional PCs in the home. Some PC users, who have been besieged with and befuddled by malware, spyware, computer viruses, and maintaining a complex operating system (viz. Microsoft Windows), have replaced their computers with tablets and other devices, including Apple’s iPad, Sony WebTV, Samsung Galaxy, inter alia. Some people I know have even substituted their trouble-prone PCs with ordinary smart-phones (iPhone, Android, inter alia).

Because mobile devices use a variety of operating systems, file systems, and data storage models; and because some are proprietary and, perhaps, not subject to standards (or, at best, subject to rapidly evolving standards); and because some use proprietary hardware connections and protocols, an ordinary computer forensics analyst with expertise in Windows, Macintosh, or Linux has not the skills, software, or hardware to conduct a competent analysis.  Further, the technology is evolving and being released with blinding speed.

Cloud Computing Changing the Technical and Legal Landscape

Cloud computing is defined by the National Institute of Standards and Technology (NIST) as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

For companies, this may mean entrusting either data or computing resources or both to other companies’ data centers, like Microsoft (NASDAQ:MSFT), Salesforce (NYSE:CRM), or EMC (NYSE:EMC).  For private individuals, it may mean entrusting personal data from their computer or mobile devices to, for example, Apple’s MobileMe, or Motorola’s Motoblur.

Cloud computing raises digital evidence challenges regarding the location of potential responsive data, preservation, and analysis. Because data can be stored anywhere in the world, it may reside in a jurisdiction where subpoena power or privacy laws are non-existent or not enforced, and establishing a chain of custody might prove difficult or impossible, where data integrity and authenticity (where was it stored, who had access to it, was data leaked, was the data commingled, etc.) cannot be fully ascertained.  Moreover, data entrusted to the cloud may be logically  (and certainly physically) disassociated from the local metadata usually accompanying it (e.g., registry entries, temp files, etc.) and which may not exist in the virtual/cloud environment.  For example, modifying data in a cloud environment, rather than locally, might be less likely to result in metadata written to a client device’s hard-drive (if it has one), and more likely to reside in the packets and client or host server logs, if applicable.

Conclusion

The foregoing is a summary, not an exhaustive discussion, of three challenges facing the discipline and profession of digital forensics examinations and electronic discovery.  Computer forensics examiners will be hard-pressed to stay current, to diversify, and to rely on a network of referral partners in order to understand and meet their clients’ needs.  Lawyers will need to understand how these developments may hurt or help their clients’ causes, and to become even more vigilant in selecting a digital forensics consultant to identify what expertise is needed in a particular case.  Finally, it will be the lawyers’ responsibility, and not the experts’ or the courts’, to understand these developments and to educate the judiciary on their import, lest the outcome of justice be the result of ignorance.

Perhaps it’s safe to assume that many employees of any company might have been inconvenienced, if not annoyed, if an automated, compulsory e-mail deletion policy went into effect.

Such a policy, implemented in many corporations across America in contemplation of the December, 2009 federal rules amendments affecting e-discovery practice, was effectuated throughout U.S. Bank’s Lotus Notes e-mail system in 2009, permanently deleting electronic mail aged 90 days thereafter.  The policy complemented a mature litigation hold procedure, about which all bank employees receive mandatory training.

So, when a 21-year old veteran of the bank filed an employment discrimination suit against the bank following termination of her employment, the issue arose as to the whereabouts of certain erstwhile e-mails.  This in turn required a determination as to when the bank’s duty to preserve evidence attached.

Plaintiff contended that a letter she wrote to the human resources dep’t triggered the duty-to-preserve. Although the court in this case (Viramontes v. U.S. Bancorp et al., 2011 U.S. Dist. Lexis 7850 (N.D.Ill. January 27, 2011)) did not explicate in detail when the duty to preserve attaches, it ordinarily does whenever a reasonably credible threat of litigation is received or, based upon the totality of the circumstances, it would appear to a reasonable person that litigation concerning a dispute is more likely than not. See, generally, Zubulake v. UBS Warburg, 220 F.R.D. 212 (S.D.N.Y., 2003) (“Zubulake IV”).

Here, the court found that a complaint letter to human resources, which did not so much as hint at litigation, did not trigger the duty to preserve and, therefore, the filing of the EEOC complaint was the effective date.

In light of the effective date when the bank’s duty to preserve was triggered, the court found that the safe harbor provision of Fed.R.Civ.P. 37(e) insulated the bank from spoliation sanctions. The so-called safe harbor provision provides insulation from sanctions where evidence has been spoliated as a result of routine, good-faith operation of an electronic information system, rather than spoliation from bad faith or recklessness.

When’s the last time –in an intellectual property case or any case– you’ve heard of counterclaims of champerty (an improper arrangement where a party with no interest in a lawsuit agrees to finance and bear the expense of litigation in exchange for a portion of the proceeds) or barratry (creating legal business by stirring up disputes and quarrels, generally for the benefit of the lawyer who sees fees in the matter)?

Perhaps it’s long overdue.  These are the counterclaims now being levied against the specious litigation mill, Righthaven, LLC.  Righthaven, which is co-owned by Vegas attorney Steven Gibson and Stephens Media, LLC, has an interesting [alleged] lawsuit business model:  First, it scours the Internet for copyrighted content owned by its newspaper clients, including Fair Use multi-line excerpts of articles (not entire works). Next, the newspaper-client licenses the work to Righthaven.  Righthaven then sues –without any takedown request– the party alleged to have infringed the work.  Many, if not most, of the 215 suits filed so far in the U.S. Court for the District of Nevada are against mom & pop bloggers. As part of its business model, Righthaven claims damages of up to $150,000 under the Copyright Act’s statutory damages provisions and demands transfer of the Web site domain to Righthaven. These threats have been successfully used, thus far, to intimidate some defendants into a quick settlement.

Righthaven has already lost one or two suits under Fair Use. In Righthaven v. Realty One Group, Inc., the court granted a Motion to Dismiss on Fair Use grounds. As aptly argued, by counsel for Realty One:

Plaintiff brings these claims with unclean hands, which mandates dismissal of this action. The defense of unclean hands can be invoked as a defense in a copyright infringement action. See 4 Nimmer on Copyright § 13.09[B]. The actions of Plaintiff Righthaven in pursuing the instant action for copyright infringement smack of barratry. Righthaven was created by its counsel, Steven Gibson, apparently to pursue violations of the copyrights it purchased from the Review Journal. Righthaven is not the author of the work that was alleged to have been copied. In fact, Righthaven purchased the copyright in the Program Article sometime after the alleged infringement occurred, and likely purchased the copyright with the specific intention of pursuing this action against Mr. Nelson.

The barratry claim was not reached in Realty One, because the case settled one day before the Order granting the Motion to Dismiss issued. But, separately, a judge in Righthaven LLC v. Center For Intercultural Organizing sua sponte ordered Righthaven to show cause why the case should not be dismissed under the 17 U.S.C. § 107 Fair Use exception.  The show cause hearing is set for February 10, 2011.

And most recently, counsel for Choudhry and Pak.org –in addition to filing a Motion to Dismiss– filed separately an Answer and counterclaim for, inter alia, “barratry, champerty, and maintenance.”

Technologically, Righthaven v. Choudhry may be interesting, because Righthaven is suing for an allegedly protected work that appeared to exist on Choudhry’s site, but which Choudhry alleges actually was not hosted by his site. In the Motion to Dismiss, Choudhry’s counsel explains that the image was substituted in by the client’s browser by means of an “inline link . . . by virtue of an automated RSS feed published by a third party.” Choudhry defined inline link as, “a line of computer code used in internet web pages to direct a user’s browser program to a third-party site to retrieve an image directly from that third-party site.” Relying on Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146, 1160-1161 (9th Cir. 2007), Choudhry argued that inline linking does not reproduce, distribute, or display copyrighted material. Rather than providing an image directly to an end user, inline linking directs the web browsers of its users to load content from a third party source. Thus, it is the third party that is reproducing, distributing, or displaying any allegedly infringing image, not the provider of the inline link.

More importantly, the Choudhry case and others appear to demonstrate a lack of a good faith inquiry into the facts, as required by Fed.R.Civ.P. 11.  The pro se defendant in Righthaven v. Eiser argued as much when she alleged in her response that she did not post the newspaper column at issue, and that Righthaven’s suit “was undertaken without any diligence in determining the facts or party allegedly responsible for placing the allegedly owned and copyrighted article on the Internet weblog.”

This is a brief mention about yet another case, Holmes v. Petrovich, LLC, announced last week, concerning whether an employee enjoys a reasonable expectation of privacy when sending and receiving personal e-mails while using corporate resources.  I last wrote about this topic in March of last year, concerning Stengart v. Loving Care Agency, 990 A.2d 650 (N.J. 2010), and in June, 2008, I discussed Quon v. Arch Wireless, a Ninth Circuit decision that established, among other things, that employers could not obtain the contents of employee emails or text messages from a service provider without employee consent, pursuant to the Stored Communications Act. And, in December, 2007, I discussed  Long v. Marubeni America Corporation,  2006 WL 2998671 (S.D.N.Y., October 19, 2006), where that court held that both the attorney client and work product privileges were waived by employees using a company computer system to transmit otherwise privileged communications to private counsel, which communications were sent from private password-protected accounts (not from the employer’s email system).

In Marubeni America Corp., a cache of the emails was retained by the company’s system as “temporary internet files.” Because the company could and did obtain these emails by reviewing its own system, the court held that the waiver was created through employees’ failure to maintain the confidentiality of these communications with regard to the company’s electronic communications policy, which policy advised employees not to use the company system for personal purposes and warned that they had no right of privacy in any materials sent over the system. The court reached this result notwithstanding its factual finding that employees were without knowledge that a cache of their email communications had been retained.

In Stengart, supra, plaintiff was provided with a laptop computer to conduct company business. From the laptop, she had access to the Internet through the employer’s server, and she used her laptop to access a personal, password-protected Yahoo! e-mail account, through which she communicated with her attorney about her situation at work.  She never saved her Yahoo ID or password on the company laptop.  Because plaintiff, “plainly took steps to protect the privacy of those e-mails and shield them from her employer . . . us[ing] a personal, password-protected e-mail account instead of her company e-mail address and . . . not sav[ing] the account’s password on her computer,” the court ruled she had a subjective expectation of privacy in messages to and from her lawyer discussing the subject of a future lawsuit, and that defendant’s lawyers violated RPC 4.4(b) in reading those e-mails.1

Although I am a privacy advocate, I don’t mind mentioning that –in my opinion– the New Jersey Supreme Court used reasoning of dubious provenance to preserve the sanctity of the attorney-client privilege.  That may be laudable (in our profession), but doubtful reasoning does not provide clarity or certainty about what doctrines and principles truly govern the outcome of these cases from one jurisdiction to the next, and –as the Stengart case demonstrated– attorneys can be subject to discipline based on how a particular court chooses to view the issue.

An example of such reasoning is where the Stengart court explained:

Unbeknownst to [plaintiff], certain browser software in place automatically made a copy of each web page she viewed, which was then saved on the computer’s hard drive in a “cache” folder of temporary Internet files. Unless deleted and overwritten with new data, those temporary Internet files remained on the hard drive.

Whether plaintiff knew that the browser created a cache of the Web pages she visited is irrelevant.  In child pornography cases, for example, the trend has been for courts to disregard defendants’ knowledge of browser software caching, because liability should attach to defendant’s act of “reach[ing] out to the Internet through use of a web browser” to obtain the content.  Ty E. Howard, Don’t Cache out your Case, 19 Berkeley Tech. L.J. 1227 (2004).  Likewise, an employee has relinquished dominion over information (and assumed risk) by using a company-owned computer, and volitionally placing the unencrypted information into the company’s information stream.

Moreover, plaintiff had been advised, “The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company’s media systems and services at any time, with or without notice. . . . . E-mail and voice mail messages, internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.”

 

 

Yet the court ruled that “The scope of the written Policy . . . is not entirely clear.”  Why?  Because, said the court, the policy did not specify whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. Id.  Because the Policy used “general language” to refer to its “media systems and services” but didn’t define those terms. Id. Because the policy did not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by the employer. Id.

So, let’s get this straight:  To have an effective policy, and to purge an employee’s “reasonable expectation of privacy,” an employer must explicate in detail every fact scenario that is in-scope for the policy, what is meant by network media systems and services, and, further, the policy must disclose: the nature and character of the monitoring software that is in use by the company, the inherent caching functionality of the browser software that is installed on the workstations throughout the enterprise; and an explanation of how the operating system stores files and [fails to] delete files?

Yet, just one year earlier, a lower New Jersey appellate court, citing several federal cases, ruled “we conclude that defendant had no reasonable expectation of privacy in the personal information stored in his workplace computer.”  State v. M.A., 402 N.J. Super. 353 (App. Div. 2008) (which has not been overruled).  If you read that decision, much emphasis is placed upon the fact that the computer was owned by the company, and that employees were warned that the company reserved the right to monitor communications –facts no different than Stengart. Indeed, the only difference is that in State v. M.A., the court found that, even if defendant had a subjective reasonable expectation of privacy [as later was conferred to plaintiff in Stengart], he lost that expectation because he was using the computer for criminal activity (“A burglar plying his trade in a summer cabin during the off season may have a thoroughly justified subjective expectation of privacy, but it is not one which the law recognizes as ‘legitimate’”).

Last week, the California court in Petrovich, supra, which considered Stengart, and distinguished Stengart as a dissimilar fact situation, ruled that an employee who used the employer’s computer and corporate e-mail account (in violation of corporate policy) to communicate with her lawyer, and having been advised that the employer randomly monitors e-mail usage, was analogous to the employee consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard.

____________________

1 Curiously, even though the court did not formally refer the matter to attorney regulation counsel, and even though a violation of the Rules of Professional Conduct does not give rise to a private cause of action, the court remanded the case back to the trial court to fashion an “appropriate remedy,” on the basis of the violation.

Hat tip to The Legal Profession Blog:

From Stengart v. Loving Care Agency, Inc. (NJ, en banc) (March 30, 2010):

This case presents novel questions about the extent to which an employee can expect privacy and confidentiality in e-mails with her attorney, which she sent and received through her personal, password-protected, web-based e-mail account using an employer-issued computer.

The Court held that an employee “could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.” Employer’s counsel violated Rule 4.4(b) by reading those e-mails and failing to promptly notify the employee. The court noted that no reported New Jersey decision offered direct guidance on the issue.
