Legal Techology

One of my clients, a Texas divorce law firm, recently presented the following fact situation to me, which prompted me to write this article:

Lawyer accepted a case where client (hereinafter “wife”) surreptitiously took husband’s laptop three or four months ago while the parties were still residing together, and had it forensically imaged by a private investigator.1 Wife intends to present evidence obtained from the laptop in support of her petition for marital dissolution.2

Issue: Is the lawyer precluded from introducing evidence and does the lawyer incur any malpractice, tort, or attorney disciplinary liability in possessing, viewing, or proffering evidence obtained from the laptop?

My conclusions —based on somewhat cursory research— appear immediately below. I’ve provided some annotations as footnotes for application in Minnesota (for academic discussion purposes only, not as legal advice). I found very little in the way of Minnesota published cases regarding unauthorized computer access. See, e.g., In re Trudeau, 705 N.W.2d 409 (Minn. 2005) (attorney discipline conditional admission based, in part, on respondent’s unauthorized computer access by installing and using an email spyware program).

(1) If husband’s laptop was not an employer’s computer, and if husband’s laptop was not password protected by him (requiring wife or wife’s private investigator to circumvent any security measure that would create a reasonable expectation of privacy), then wife probably had equal dominion over laptop, as a matter of law (see Texas statute re: “effective consent,” infra). However, to whatever extent the court’s evidentiary ruling is discretionary, the court might well frown on procurement of evidence through such means, and husband might attempt to invoke the Unclean Hands doctrine. This is even more likely so if that area of the hard-drive was password-protected (from wife), or if the laptop belonged to an employer.

(2) Unless some Texas Rule of Evidence and/or rule of Civil Procure (unknown to me) bars admissibility of evidence based upon “unlawful interception of communications,” in a civil case (compare Tex. Code Crim. Proc. Ann. art. 38.23(a)) or based upon any violation of criminal or administrative law, and if wife’s conduct in surreptitiously taking laptop for forensic imaging would not constitute an act of “interception” in violation of Tex. Penal Code Ann. § 16.02(b)(1) or unauthorized access under § 33.02, the evidence recovered from the hard-drive probably is admissible, subject to the court’s broad discretion.

My conclusions are based on cases from around the country. Although, this fact situation does not appear to have been yet addressed Texas’ appellate courts, I did find the following authorities and analysis helpful:

• Tex.Penal Code Ann. § 33.02 (“A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner”).3

• Tex.Penal Code Ann. § 33.01(12) (“‘Effective consent’ includes consent by a person legally authorized to act for the owner. Consent is not effective if: (A) induced by deception, as defined by Section 31.01, or induced by coercion . . . (E) used for a purpose other than that for which the consent was given”).4

• Tex.Penal Code Ann. § 16.02(c)(4)(B). (It is an affirmative defense to prosecution a person not acting under color of law intercepts a wire, oral, or electronic communication and is one of the parties to the communication has given prior consent to the interception, unless the communication is intercepted for the purpose of committing an unlawful act).

• Vaughn v. Drennon, 202 S.W.3d 308, 320 ( Tex.App., 2006) (tort case, noting that the intrusion-upon-seclusion type of invasion of privacy is “generally associated with either a physical invasion of a person’s property or eavesdropping on another’s conversation with the aid of wiretaps, microphones, or spying”)

• Signorelli v. State, 2008-TX-V0117.004 (In a criminal context, “Generally, when a third party has equal control over the thing to be searched, the third party may properly consent to the search.”)

• Lasater v. State, 2007-TX-V0829.002 (discussing reasonable expectation of privacy and scope of consent, where defendant granted victim limited consent to enter his home, and victim searched for and found evidence she provided to law enforcement)

But see Tave v. Alanis, 109 S.W.3d 890 (Tex.App., Dallas, 2003) (School district employee’s termination affirmed, where employee accessed and subsequently disseminated confidential information (inadvertently left on a computer assigned to him for classroom use) violated the District’s policy and constituted conduct could cause the public, students, or employees to lose confidence in the administration and integrity of the District).

So, whereas I found no Texas appellate cases that directly address the fact situation, the cases below from around the country do. In reading through these cases, the advocate should pay particular attention to “effective consent,” (in Minnesota “without authorization,” which phrase is defined under Minn. Stat. § 609.87(b)) and the meaning of the phrase “interception of electronic communications.” Although some courts, have held that recorded screen-shots constitute “interception of electronic communications,” (e.g., O’Brien v. O’brien, infra), under the narrow reading of the Wiretap Act adopted by the Fifth, Ninth and Eleventh Circuits, very few seizures of electronic communications from computers will constitute “interceptions.” Larue, Wiechman, Terry, & Turner, Trails from the Aether: Cyber-Evidence, (State Bar of Texas CLE, 2007). The advocate should also consider whether a violation of criminal law by wife (or wife’s PI) could translate to liability to the firm as an “accessory after the fact,” and that some judges in similar cases from other states based their discretionary decisions on whether the conduct in obtaining the hard-drive was an unlawful act.

(1) Bailey v. Bailey, 2008 WL 324156 (E.D. Mich)). In this recent case from the US District Court for the Eastern District of Michigan, the parties were married for nearly 30 years and had three children. Husband became suspicious of his wife’s activities and installed keystroke logging software on both home computers, with which he was obtained wife’s e-mail and instant-messaging passwords. Husband used these passwords to access her e-mail and messages and learned of her extra-marital activities. Husband fled the marital home with the parties’ three children. He provided the e-mails and messages to his divorce attorney and petitioned for divorce. A custody dispute ensued and husband’s attorney used the wife’s e-mails to impeach her. Wife lost custody and was granted only supervised visitation. After the divorce action concluded, wife sued ex-husband, his attorney and her attorney. Husband and his attorney were sued for violation of (1) 18 U.S.C. §2511 (the Wiretap Act); (2) 18 U.S.C. §2701 (the Stored Communications Act) against husband; (3) 18 U.S.C. §2512 (Wiretap Act) against the husband, his attorney and a John Doe who supplied the keystroke logging software; (4) MCL § 750.539a et seq. and MCL §750.540 (Michigan’s Eavesdropping statutes) against the husband, his attorney and John Doe; (5) invasion of privacy against the husband and his attorney; (6) intentional infliction of emotional distress against all defendants; and (7) malpractice against the wife’s own attorney.

The Wiretap Act. Wife claim against husband and his attorney was based on their obtaining her e-mails and messages using the password retrieved from the key logger software. Under § 2511 (1)(a), a person violates this Act if he or she “intentionally intercepts…any…electronic communication” (c) “intentionally discloses…any…electronic communication…knowing…the information was obtained through the interception of a …electronic communication in violation of [the Act]” and (d) intentionally uses…any…electronic communication” (c) “intentionally discloses…any…electronic communication…knowing…the information was obtained through the interception of a …electronic communication in violation of [the Act]” Defendants successfully argued that there was no “interception” as defined in the Wiretap Act. The court agreed and reasoned that the key logging software only allowed the husband to learn his wife’s passwords, which he then used to access her e-mail. Since the husband did not obtain the e-mails and messages contemporaneously with the transmission, the court ruled the Wiretap Act was inapplicable. The court also ruled that that § 2512 of the Act does not provide for a private right of action and the court dismissed wife’s claim based regarding husband, his attorney and a John Doe who supplied the key logger software.

Stored Communications Act. Wife contended her husband violated the Stored Communications Act by accessing her e-mails. The Act provided that a person was in violation if that person (a)(1) “intentionally accesses without authorization a facility through which an electronic communication service is provided…and thereby obtains…a…electronic communications while it is in electronic storage in such system…” Although husband accessed the wife’s e-mail on her Internet service provider’s (ISP) server and not from the messages stored on her home computer, he argued, because wife had already accessed her e-mails, the Act was inapplicable. But, the court found that the messages on the ISP’s server were stored for purposes of backup protection (since the wife had already accessed those messages) but that does not take it out of the provisions of the Stored Communications Act and therefore the husband’s motion for summary judgment on this count was denied.

Invasion of Privacy tort claim: The court granted husband’s attorney’s motion for summary judgment because there was no evidence the attorney participated in the “intrusion of another’s seclusion,” as alleged by wife. But, the court stated that the wife had a right to privacy in her private e-mail account. Husband’s defense was that wife could not establish her claim because his actions were not objectionable to a reasonable man, because they were subsequent and based upon his inadvertently discovery of wife’s extra-marital activities, and because they were necessary and prudent to protect his family and children. The court found that an issue of fact existed as to whether or not use of keystroke logging to gain access to the wife’s e-mail was objectionable to a reasonable man. Intentional Infliction of Emotional Distress tort claim: The court dismissed wife’s IIED cause-of-action because the use of the key logger did not constitute “extreme and outrageous conduct.”

(2) In Moore v. Moore, (NYLJ, August 14, 2008, at 26, col 1 [Sup Ct, New York County]), a New York County trial court recently ruled that a wife seeking a divorce can use evidence of her husband’s internet activities with another woman which she found on a computer she took from her husband’s car.

The Moore’s were married in 1963. Wife took a laptop computer from husband’s car just before she petitioned for marital dissolution. According to wife’s attorney, she was searching the computer for financial information when she came upon a large number of salacious instant messages which the husband exchanged with a woman in Texas.

Wife’s counsel informed husband’s counsel she had the computer, and the parties agreed to make forensic images from of the computer’s hard drive. The materials found on the hard drive were repeatedly referred to by the wife in affidavits submitted to the Court without objection by husband.

Subsequently, husband moved to suppress the contents of the hard drive. The Court denied the motion, finding that the wife did not commit a crime or otherwise violate the husband’s rights in taking the computer and copying its contents.

The Court noted that the attorneys for the parties specifically agreed to image the hard drive, and husband waived his objection by not timely moving to suppress the evidence. The Court determined that the computer was a family computer and not a work computer as alleged by the husband. The Court also found that the taking of the computer was appropriate since it was done before the commencement of the dissolution case and was taken from the family car.

(3) In O’Brien v. O’Brien, 899 So.2d 1133 (Fla.App. 5 Dist. 2005), a Florida appeals court ruled that wife “illegally obtained” records of husband’s Internet conversations with another woman as the two played Yahoo Dominoes online. “It is illegal and punishable as a crime under (state law) to intercept electronic communications,” wrote the panel.

The court barred wife from revealing the contents of the intercepted conversations, and said the chat records could not be introduced as evidence in the divorce proceedings. At issue in a civil case arising out of the divorce proceedings was whether the use of the spyware, called Spector, violated Florida’s wiretapping law, which provides that a person who “intentionally intercepts” any “electronic communication” commits a criminal act.

Wife’s lawyers argued that the monitoring didn’t fall under the law’s prohibitions and was kin to reading a stored file on her husband’s computer–which would not be treated as wiretapping. But the court concluded, “because the spyware installed by the wife intercepted the electronic communication contemporaneously with transmission, copied it and routed the copy to a file in the computer’s hard drive, the electronic communications were intercepted in violation of the Florida Act.”

(4) In Gurevich v Gurevich (2009 NY Slip Op 29191) the Supreme Court considered CPLR 4506 5 in the context of matrimonial proceedings in which the wife sought to lead email communications obtained from her husband’s email account after the service of the divorce action.

The parties had been married for 16 years prior to separation, during which husband had provided wife with the password to his email account, and during which both parties had access to each others email accounts. After separation, wife changed her email password, but the husband neither changed his, nor told or gave notice to the wife that she was not permitted to access his account.

Husband argued that wife was aware he used one password for all his computer accounts, and that she was unreasonable in her belief that, despite his not changing his password until some two years after separation, she was allowed to access his accounts. Husband argued that the content of his emails were inadmissible under CPLR 4506 by reason that the wife had acted unlawfully under Penal Law 250.05 (hereinafter “eavesdropping statute”). Further, husband argued that the initiation of the divorce proceedings was an implied revocation of any authority previously given to her to access his account. The Supreme Court rejected husband’s contention, holding “there is no statute that would recognize an ‘implied revocation upon service of a divorce action’ and bar the use of the email ‘stored.’”

The court examined the eavesdropping statute and CPLR 4506, and rejected wife’s contention that CPLR 4506 did not apply to electronic communications:

She relies on dicta in the case of Pure Power Boot Camp v. Warrior Fitness Boot Camp (587 F.Supp.2d 548 [SD NY 2008]) for the proposition that “[t]he plain language of the statute [CPLR 4506] seems to limit its application to the contents of the overheard or recorded communication[s]'” not electronic communication. However, the U.S. District Court further stated that “[u]ltimately, a determination of the meaning of CPLR § 4506 is unnecessary, and better left to the New York state courts.” Furthermore, the court in Power Boot Camp v. Warrior Fitness Boot Camp in a footnote stated “Penal Law section 250.05 explicitly includes “electronic communication . . . .”

Husband argued that CPLR 4506 and the eavesdropping statute were not limited to communication or transmission, but also applied to “the intentional acquiring, receiving, collecting, . . . of an electronic communication, without the consent of the sender or intended receiver thereof . . .”

The Supreme Court considered cases cited by wife and the legislative intent behind the eavesdropping statute (to prohibit the interception of communications, not the access of stored communications) and found that she was entitled to rely on the content of the email transmission:

It is this court’s understanding from the reading of the statute, legislative history and case law that the purpose of Penal Law section 250.00 is to prohibit individuals from intercepting communication going from one person to another, and in this case an email from one person to another. In the case at bar the email was not “in transit,” but stored in the email account. Even assuming the husband’s facts, as stated, to be true, the wife may have unlawfully retrieved information from a computer; in violation of Penal Law 153.10 but there was no interception and accordingly fails to fall within scope of CPLR 4506 as presently written.

(5) 6 In White v. White, 781 A.2d at 87-88, the family computer and entertainment center were located in the sun room, where the husband slept; the wife and the parties’ children often used the sun room to utilize the computer, watch television, and adjust the stereo volume. It was in the sun room that the wife discovered, fatefully, a letter from the husband to his girlfriend.

Shortly after the wife discovered the letter, she hired a private investigative firm, and unbeknownst to the husband–and without using the husband’s password–the PI firm copied the husband’s files from the computer’s hard drive. Such files contained e-mail sent between the husband and his girlfriend, as well as images [uh-oh] that he viewed on [and apparently downloaded from] Netscape. It was only while being deposed during the divorce proceedings that the husband learned that the wife had accessed his e-mail; he had thought–incorrectly as it turned out–that his e-mail and attachments could not be read without his AOL password. Understandably concerned about his e-mails, the husband sought to suppress the electronic evidence, based on violations of the New Jersey Wiretap Act. The New Jersey court opined that, in order to understand the error of the husband’s thinking, it was necessary to understand the technical workings of America Online Service [“AOL”], the husband’s Internet Service Provider [“ISP], explaining as follows:

[i]ncoming e-mails are received on the AOL e-mail server and are accessible to an AOL user only after dialing in and authenticating with the user’s screen name and password. Also, a user cannot send an e-mail via the AOL server until he has similarly dialed in….AOL’s server receives and maintains the e-mail until the recipient dials into AOL and accesses (seeks to read) his mail. In addition, an AOL user can save his e-mails and attachments on his computer’s hard drive. AOL offers the Personal Filing Cabinet [“PFC”] feature, which is created automatically on the hard drive during the installation of AOL on the user’s computer. The PFC is named for user’s screen name…[A]n AOL user must voluntarily choose to save the e-mail, attachment or address to his PFC or address book. The AOL user can save e-mail, attachments, or addresses either by using the automatic AOL feature or manually. To save automatically to the PFC on the hard drive, the user must select that option in “Mail Preferences.”

Specifically, in the main tool bar, the user chooses “Mail Center,” “Preferences” and then checks “Retain All Mail I Send in My Personal Filing Cabinet” and/or “Retain All Mail I Read in My Personal  Filing Cabinet”….Additionally, in the “Notes” section of [the Help screens], AOL informs the user that he can read mail stored in the PFC when he is not signed onto AOL, i.e. the PFC is on the hard drive. Similarly… AOL informs the user that e-mail saved in the PFC will remain on the hard drive until the user deletes it.

Id. at 87-88.

Thus, the only way for the husband to be sure that his e-mail would be saved permanently was to use the PFC file on the his hard drive, because his e-mail could not be saved permanently on AOL’s server. Id. at 88. Not knowing his e-mails were being saved, he took no steps to delete them, nor any steps to protect them with a password, which meant that any computer user could view his PFC and e-mails by simply opening the AOL software on the hard drive, and that was exactly what happened: the wife’ s expert simply opened the AOL software and viewed and copied the husband’s emails.

Turning to the legal issues in the case, the New Jersey court first held that the doctrine of interspousal immunity was inapplicable, and that the New Jersey Wiretap Act applied to unauthorized access of electronic communications of one’s spouse. Id. at 88.

Next, the court noted that the New Jersey act [identical to the federal act] prohibited “access” to electronic information in “temporary, immediate storage,” in backup protection, or in transmission. Id. at 89. The court observed that the e-mail in the hard-drive of the computer was in “post-transmission storage.” Id. Pursuant to the statutory language, the court held that the New Jersey act was not meant to extend to e-mail retrieved by the recipient and then stored, but rather protected only those electronic communications which were in the course of transmission, or were backup to that course of transmission. Id. at 90.

The Court then rejected the husband’s argument that the wife accessed his e-mail “without authorization.” Id. Since other courts had held that “without authorization” meant using a computer from which one has been prohibited, or using another’s password or code use the family computer, the court stated that nonetheless she had the authority to do so. Id. (citations omitted). Additionally, according to the court, the wife did not use the husband’s password or code without authorization, but instead accessed the information in question by roaming in and out of different directories on the hard drive. Id.

Finally, the New Jersey court held that the wife did not “intercept” the husband’s e-mails, since the concept of “interception” did not apply to “electronic storage.” Id. at 91. The husband’s electronic communications had already ceased being in “electronic storage,” i.e., they were in post-transmission storage, and therefore the court held that the wife did not “intercept” them. Id.

1 Under Texas law, a person performing computer forensics analysis must be licensed as a private investigator in that state.
Texas is not a no-fault divorce state, and divorces may be tried to a jury.
See Minn. Stat. §§ 609.89 (Computer theft) & 609.891 (Unauthorized Computer Access, amended 2006).
Minn. Stat. § 609.891 uses the phrase, “without authorization”
Under CPLR 4506, (Eavesdropping evidence; admissibility; motion to suppress in certain cases), “The contents of any overheard or recorded communication, conversation or discussion, or evidence derived therefrom, which has been obtained by conduct constituting the crime of eavesdropping, as defined by section 250.05 of the penal law, may not be received in evidence any trial, hearing or proceeding before any court or grand jury, or before any legislative committee, department, officer, agency, regulatory body, or other authority of the state, or a political subdivision thereof; provided, however, that such communication, conversation, discussion or evidence, shall be admissible in any civil or criminal trial, hearing or proceeding against a person who has, or is alleged to have, committed such crime of eavesdropping.”
The White v. White case digest is excerpted in its entirety from Larue, Wiechman, Terry, & Turner, Trails from the Aether: Cyber-Evidence, (State Bar of Texas CLE, 2007).

I’ve been negligent in posting here since the end of April because of competing priorities.  Nevertheless, I’ve been scanning for news items with you in mind:
Sam Glover informs us at his Lawyerist blog (here) of a fantastic new Firefox plug-in called RECAP that, while a user is browsing documents in PACER, provides the option to download a free copy from (if the document exists there) by placing an icon next to the regular download link. Alternatively, if you download a document that isn’t on, RECAP will upload the document thereto.  More info. is at

Judges and journalists have more in common than they probably realize: They search for the truth every day, they’re never entirely sure who’s lying to them and they routinely publish writings that live forever in the public record.“\

So begins an article published by The First Amendment Center discussing the difficulty in determining who is a journalist, including “online contributors, bloggers and tweeters,” and citing the recent Texas Court of Appeals decision in Kaufman v. Islamic Society of Arlington, where the court held that a contributor to a Web site was entitled to a statutory right of interlucutory appeal available to members of “the electronic or print media.”

The court, finding support from other jurisdictions, extended the First Amendment and other protections to Internet publications as “a type of nontraditional electronic media.” Although the court did hold that not everyone who publishes to the Internet qualifies under Texas’ interlocutory appeal statute, the court rejected the argument that an Internet author never is a member of the media.

Here are some other news stories from the last few months that I thought you’d find interesting:

A New Jersey Superior Court will decide in a defamation case whether a Shellee Hale, a woman who posted comments online about the pornography industry, should have the same protections as working journalists.  Hale, who writes four blogs and has contributed to The Wall Street Journal and Business Week, is seeking protection from disclosing her sources.

Tom Cafferty, counsel to the New Jersey Press Association, suggested in an interview with The Star-Ledger that her claim to privilege may be dubious and contends that judges realize they must be careful who gets the protection, because If the newsperson’s shield is extended to everyone who posts items on the internet, “then everyone is a journalist and the privilege becomes meaningless,” he said.

This is a recurring theme that I have written about previously, and –doubtless– will be revisited again.  For one view on this topic, see Randall Eliason, Leakers, Bloggers, and Fourth Estate Inmates: The Misguided Pursuit of a Reporter’s Privilege, 24 Cardozo Arts & Ent. L.J. 385 (2006).

Another view is that bloggers –many of them working anonymously– have taken on an increasing role as vanguards of accountability and accuracy in public discourse. See, e.g., Walaika Haskins, Bloggers Greatest Hits, Volume I & Volume II, TechNewsWorld (June 27 & July 11, 2007).

In a concurring opinion released earlier this month in Andrew v. Clark (4th Cir.), Judge J. Harvey Wilkinson, III, wrote:

It is well known that the advent of the Internet and the economic downturn have caused traditional news organizations throughout the country to lose circulation and advertising revenue to an unforeseen extent. As a result, the staffs and bureaus of newsgathering organizations—newspapers and television stations alike— have been shuttered or shrunk. Municipal and statehouse coverage in particular has too often been reduced to low-hanging fruit. The in-depth investigative report, so essential to exposure of public malfeasance, may seem a luxury even in the best of economic times, because such reports take time to develop and involve many dry (and commercially unproductive) runs. And in these most difficult of times, not only investigative coverage, but substantive reports on matters of critical public policy are increasingly shortchanged.

. . .

The verdict is still out on whether the Internet and the online ventures of traditional journalistic enterprises can help fill the void left by less comprehensive print and network coverage of public business. While the Internet has produced information in vast quantities, speedy access to breaking news, more interactive discussion of public affairs and a healthy surfeit of unabashed opinion, much of its content remains derivative and dependent on mainstream media reportage. It likewise remains to be seen whether the web—or other forms of modern media—can replicate the deep sourcing and accumulated insights of the seasoned beat reporter and whether niche publications and proliferating sites and outlets can provide the community focus on governmental shortcomings that professional and independent metropolitan dailies have historically brought to bear.

A Wall Street Journal article of the same caption (above) was published April 23, 2009, regarding a case in New Jersey, where an employer obtained access to a private Internet forum where employees were disparaging the company’s managements.  The company then fired the employees involved.

It’s generally well-settled that an employee has no reasonable expectation of privacy when the employer has disseminated a notice that use of company equipment is a waiver of that right.  However, in this case, no such notice was given.  Nevertheless, it’s not clear (to me) whether a claim could be made out, if plaintiffs asserted that the injury-in-fact was employment termination.

The plaintiffs allege common-law invasion of privacy and “accessing without permission the electronic communications being stored on the plaintiff’s private group,” in violation of the Stored Communications Act, 18 U.S.C. 2701 et seq., and a parallel state statute, N.J.S.A. 156A-27. Among other counts, they allege that management “used the improperly accessed and monitored electronic communications to wrongfully discharge the plaintiffs.”

The case is Pietrylo, et al v. Hillstone Restaurant Group, No. 06-cv-05754 (D. N.J.).

Over a year ago, I discussed a magistrate’s opinion in a case captioned in re Boucher, which held that providing a PGP passphrase or otherwise decrypting an encrypted PGP volume to aid in a law enforcement investigation against one’s self violated the Fifth Amendment.  I’m amazed to discover that there is even a Wikipedia page for this case (here).

The magistrate’s decision has been reversed by the U.S. Judge for the District of Vermont, directing defendant to produce the drive in an unencrypted form.

Because I need not attempt to duplicate Professor Orin Kerr’s apt coverage of this latest development, allow me to point you to his commentary here.

Defendant’s attorney, Jim Budreau, filed an interlocutory appeal to the Second Circuit.

Under the Electronic Communications Privacy Act of 1986, ISPs based in the United States are already required to retain data affixed to an IP address for at least 90 days — upon the request of law enforcement.

However, the so-called  SAFETY Act of 2009 would, inter alia, require any, “provider of an electronic communication service or remote computing service” to “retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”

If enacted, Internet cafes, ISPs, hotels, universities, and employers would be required to keep logs of all data associated with IP addresses assigned individual users – from e-mail logins to search queries to visited Web sites.

Further reading:

In recent research presented at the Black Hat 2008 conference in Las Vegas, Greg Conti and Erik Dean from the United States Military Academy have adapted a new concept to computer forensics: visualization. The researchers demonstrated how visual computer forensic methods can dramatically reduce the time it takes to review files by substituting visual heuristics for traditional modes of file signature identification, file extension selection or hexadecimal searching.

By placing more data in front of the examiner in a smaller amount of screen space, the review speed of many file types is claimed to dramatically increase. In short, visual forensic tools have the potential to save an examiner a significant amount of analysis time.

“Visualization has the potential to dramatically change the field of computer forensics,” urge Conti and Dean.  “Each time we created a new visualization tool there were always surprising insights. Visualizations create windows on data that hasn’t ever been readily visible, much to the dismay of people trying to hide information in the dark corners of a computer.”

Full story at:

The tools are available for free download.  I will experiment with them on data from an actual case and may report my findings here in a future post.

A litigant, who was subject to an order to produce his hard drive, argued in mitigation of spoliation of evidence by reason that he was a novice computer user who was having problems with his computer because it was severely infected with viruses, spyware and adware and that he sought professional help in correcting those problems.  The Oklahoma Supreme Court reversed an order declining to impose sanctions. The following is adapted from that court’s November 10, 2008 opinion.

The litigant first sought help from a friend, who was not successful in resolving the problems. He then hired a professional to repair the computer. Although he maintained that at no time were evidentiary materials intentionally deleted from the computer, the record reflected that at least three kinds of “wiping” software were downloaded onto the computer during the period that the parties were actively negotiating to obtain the information contained on the computer’s hard drive.

Specifically, AbsoluteShield File Shredder was used and a file named “cable.doc” was removed; later the programs CyberScrub 3.5 and Window Washer were installed and the Window Washer program ran several times thereafter. The record reflects that the CyberScrub 3.5 program was last accessed on the same date that a motion to compel was granted by the trial judge.

The record further reveals that, after the motion to compel was granted, the litigant contacted a computer security company, Jarvis Incorporated, and asked about hiring a computer expert to work on his computer. On Jarvis’s recommendation, the plaintiff hired another technician to work on his computer. The litigant told neither Jarvis nor the technician that the computer was the subject of a court order and/or that certain files needed to be preserved before it was worked on. The technician testified that he could have preserved the hard drive before working on it by making a “clone” of it if he had known it was needed. Indeed, the technician had removed the hard drive and worked on it for approximately one week and used a “drive wiper” program called Terminus 6 on the hard drive.

The litigant admitted that the technician used the Terminus program and admitted targeted destruction of specific files by the technician due to the desire to retain settings on his computer. Barnett says that it was the technician’s decision to use the wiping software.

A neutral court-appointed expert found no evidence that files associated with viruses had been destroyed with the Terminus program and further noted that a log identifying the files deleted by the Terminus program had itself been deleted. The expert’s report stated that there were six documents with links in the Recent Documents folder of plaintiff’s computer that had no matching document on the hard drive, indicating that those files had been deleted.

A concern that I have is that wiping utilities are becoming more and more commonplace, even being packaged with ordinary utilities that ship with new computers or come with ISP services (e.g., MSN, which makes SpySweeper, McAffee and a number of wiping & anti-forensic utilities available).  The popularity of these utilities, as well as encryption, has increased because of the growing awareness of identity theft, among other reasons.  Even disk defragmenting tools, such as DiskKeeper, create a nightmare for forensic analysists attempting to located deleted files on a target system.

Whereas, in the past, such utilities required a knowing use (mens rea), the use of such utilities today may not be an indication of intent to spoliate.  This means that the standard may shift more and more –as the case above illustrates– from scienter to negligence.  Therefore, counsel will increasingly need to observe strict data preservation protocols when litigation becomes reasonably forseeable and to communicate these obligations to clients promptly.

Some obvious questions that are often raised include:

  • Must clients be instructed to immediately cease using a computer –at the first hint of reasonably forseeable litigation– until the hard-drive can be forensically imaged?  If so, what about the accumulating data that is created after the imaging date?
  • If a client takes reasonable steps to preserve extant potentially-responsive data, must the client disable the use defragmenting utilities and other anti-forensic utilities that arguably are necessary for maintaining the optimum efficiency of a computer (especially considering that litigation may last several years)?
  • Assuming the h.d.d. wasn’t imaged, If a client has taken reasonable steps to preserve the obvious potentially-responsive data, should the client also have been expected to identify and preserve files that have been deleted but are still recoverable (given that further use of the computer will overwrite these files)?

For counsel seeking to discover ESI, the availability of that evidence may decrease as a result of the widespread use of anti-forensic utilities, but the shifting jurisprudence may allow for adverse jury instructions based on the missing evidence, which instructions possibly could be more damaging than the destroyed evidence, itself.

The Massachusetts Supreme Judicial Court granted permission to a valedictorian graduate of Concord Law School, waiving the requirement of graduation from an ABA accredited school.  A digest of the case, Mitchell v. Board of Bar Examiners, is reported at the Legal Profession Blog (here).

Previously, I had written about four grads from this same school, who’ve been admitted to SCotUS.  In fact, I recall meeting a local judge –can’t recall whether district or county– at the 2006 Bar Convention in Brainard who was an adjunct professor for Concord.

In re Bilski, __ F.3d __ (Fed. Cir. 2008)(en banc): The Federal Circuit affirmed the decision of the Board of Patent Appeals (BPAI) that Bilski’s claimed invention for a method of hedging risks in commodities trading does not satisfy the patentable subject matter requirements of 35 U.S.C. § 101.

Here’s the test for patentable subject matter: “A claimed process is surely patent-eligible under § 101 if: (1) it is tied to a particular machine or apparatus, or (2) it transforms a particular article into a different state or thing.” The Federal Circuit’s standard is different than the one articulated in State Street, which stated that the proper inquiry is whether the invention yielded a “useful, concrete, and tangible result”.  However, the Federal Circuit clearly took great pains to adhere to Supreme Court precedent.

Much has been written about In re Bilski, but go get the best analysis that money can’t buy: read if for yourself and see what you think (

« Previous PageNext Page »