In the last few years, an number of ethics opinions concerning information technology are aimed at the increasing entrustment of client data to third partis (viz. so-called “cloud computing”), and are trending along with proposed or enacted data privacy litigation across the country. For example, California’s proposed Formal Opinion 08–0002 requires a lawyer to evaluate information security and finds that “attorneys are faced with an ongoing responsibility of evaluating the level of security of technology that has increasingly become an indispensable tool in the practice of law.” State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. Interim No. 08-0002 (2010)   Alabama’s Ethics Committee Opinion 2010–02 requires attorneys to exercise reasonable care against unauthorized access, which includes becoming knowledgeable about a cloud provider’s storage and security. Arizona’s Ethics Opinion 09–04 provides, in pertinent part, that:

[W]hether a particular system provides reasonable protective measures must be informed by the technology reasonably available at the time to secure data against unintentional disclosure. As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.

It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult experts in the field.

State Bar of Ariz., Ethics Op. 09-04, Confidentiality: Maintaining Client Files; Electronic Storage; Internet (12/2009) (citations and quotations omitted) (citing N.J. Ethics Op. 701).

Likewise, Opinion 842 of the New York State Bar Association requires lawyers to “stay abreast of technological advances,” (New York State Bar, Ass’n Comm. on Prof’l Ethics, Op. 842 (2010) (quoting N.Y. State 782 (2004))), and Minnesota’s Rule 1.6 requires that “[a] lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” Minn. R. Prof’l. Conduct 1.6 cmt. 15 (emphasis added). See also Minn. Lawyers Prof’l Responsibility Bd., Op. No. 22, A Lawyer’s Ethical Obligations Regarding Metadata (2010).

And, earlier this year, the ABA Commission on Ethics 20/20 released it’s a proposal for comment regarding “lawyers’ growing use of technology, especially technology that stores or transmits confidential information.”  The commission recommended amendments to Model Rules 1.6 and 5.3, adding a paragraph to the former requiring attorneys to “make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, confidential information, including information in electronic form.” The Commission also is concerned with the inadvertent transmission of information and recommend that lawyers have a duty to notify the sender of both physical and electronic information under certain circumstances.

The Arkansas Supreme Court reversed and remanded a death row inmate’s murder conviction, ordering a new trial because one juror slept and another used the Twitter service during court proceedings.

Significantly, the trial court instructed the jurors prior to opening arguments, as follows:

When you’re back in the jury room, it’s fine with me to use your cell phone if you need to call home or call business. Just remember, never discuss this case over your cell phone. And don’t Twitter anybody about this case. That did happen down in Washington County and almost had a, a $15 million law verdict overthrown. So don’t Twitter. Don’t use your cell phone to talk to anybody about this case other than perhaps the length of the case or something like that.

In one message, the Juror 2 wrote: “Choices to be made. Hearts to be broken…We each define the great line.” Less than an hour before the jury announced its verdict, he tweeted: “It’s over.”  Others including references to the trial, such as, “the coffee sucks here” and “Court. Day 5. Here we go again.”

The supreme court observed:

Because of the very nature of Twitter as an … online social media site, Juror 2’s tweets about the trial were very much public discussions. Even if such discussions were one-sided, it is in no way appropriate for a juror to state musings, thoughts, or other information about a case in such a public fashion . . . More troubling is the fact that after being questioned about whether he had tweeted during the trial, Juror 2 continued to tweet during the trial.

A couple of weeks ago, Brian Glass posted a very helpful comment, Forensic Toolkit v3 Tips and Tricks — on a Budget.  His comment focused on how to “get close to SSD performance on the cheap” and he discussed the practice of partitioning a large hard drive, but using only the outer sectors of the platter, and frequent defragmentation.  In my comment, today, I want to encourage readers to adopt Glass’ advice, and, if you have the budget, to consider a few other enhancements to improve performance.

In my practice, I spared no expense on equipment, including the latest OCz SSD drives, dual Xeon processors, and 24GB of RAM, yet I still experienced unacceptable performance from FTK v3.3.   For example, an evidence load of a 500GB drive with indexing, entropy test, and hashing enabled (but not OCR of images, or thumbnailing) still took over 20 hours.

Although I lay no claim to the best optimizations, I have found the following helpful:

  • You should have a minimum of 2GB of RAM for every processor core.  If you are running dual six-core processors, you have twelve cores (not counting hyperthreading psuedo-cores) and would, therefore, need 24GB minimum.  Source: February 2011 System Specifications Guide at 3.
  • The FTK machine should have a minimum of two disks: one for the FTK engine, and the other used solely to host the FTK temporary files directory.  This is because, according to one FTK technical support rep I corresponded with, the disk hosting that directory experiences the greatest i/o demands, because it is to this directory that the FTK engine and Oracle database read and write from in passing data off to each other. It is accessible through Tools > Preferences (see FTK Users Guide for v3.3, p. 38 of 396)  If you have the budget, consider hosting the temporary directory on its own SSD drive, apart from the operating system, pagefile, Oracle, or FTK engine.
  • According to bench testing on FTK v. 3 by Digital Intelligence on a single-box configuration, the greatest performance enhancements came not from increasing the CPU speed or system memory, but using the fastest possible hard-drive for the Oracle database.
  • Unlike the system tested by Digital Intelligence, you should have a dual machine system (exclusive of FTK distributed processing engines): one for FTK, and the other for Oracle.  Network speed should be 1Gbit, not 100Mbit.  Source: February 2011 System Specifications Guide at 3.
  • The Oracle machine should be configured with at least two disks: one for Oracle and the operating system; and the other for the Oracle database.  Ideally, I recommend three separate disks: one for Oracle and the O/S, one for the page file, and one for the Oracle database.
  • For all disks requiring intensive i/o (that hosting the FTK temp files, and the Oracle database drive), you should use a SSD (such as the OCz Vertex 3 Pro (6 GBPs)), or Serial Attached SCSI (SAS, 10,000 RPM) or, if you’re using 7,200 RMP SATA drives, a RAID 0 configuration.    To use these disk configurations, you’ll need a motherboard that supports the SATA-3 standard and  preferably has onboard RAID.   For example, SuperMicro is one manufacturer of boards that support multiple processors, onboard RAID, SAS, and SATA-3.
  • During evidence loading, your machine[s] should be physically disconnected from the Internet (including wireless adapters). Disable any resident antivirus programs and disable the Microsoft Indexer, both of which may compete with Oracle or the FTK engine for resources.
  • I recommend Ghost or the Windows 7 system image/restore to load a fresh image on both of your machines for each new case you work (and to use FTK to archive the case on to an external drive, upon completion).  This way, in the unlikely event your machine was to become infected from the evidence drive (for example, by trying to run an executable on the evidence drive that contains a Trojan), you will not preserve the infection for subsequent work.

I will conclude with this anecdote: Recently, I conducted a child pornography investigation at a law enforcement facility, where I was prohibited from using SSD drives in my equipment, because the detective-analyst had read a report that data cannot be complete wiped from SSDs.  He was concerned that I might inadvertently retain contraband even after completing a forensic wipe.   Although, based on the current caselaw, I did not believe the prosecution had a legal right to dictate what equipment I used, I solved the problem by purchasing six 40GB refurbished Western Digital drives from NewEgg for $10 each, and configured them as RAID-0 on the SAS backplane of the motherboard.  I didn’t run any bench tests to determine whether this 240GB array was as fast as a single OCz Vertex 3 drive, but it ran flawlessly and cost only $60.

Whether or not you’re on a tight budget, FTK 3.x with Oracle presents substantial impediments to hardware capacity and processing time.  Nevertheless, these impediments can be mitigated through creativity and resourcefulness.

In my first post several weeks ago, I discussed some of the special obligations that digital forensics investigators may have while in the employ of a lawyer. I elaborated briefly on the duty to zealously guard the attorney-client privilege, to correctly apply the work product doctrine, and to conduct investigations in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party. In this second part of the series, I will explore another important factor for consideration by examiners: the legality of investigative techniques.

Consider, for example, whether an examiner, at the direction of the attorney, may take possession of a computer belonging to a husband, but seized by a wife in preparation for marital dissolution proceedings.  If a court finds that the wife did not have equal dominion over the computer (e.g., if the computer, or some portion thereof, was password-protected by the husband, or belonged to the husband’s employer), the taking of the computer for analysis might constitute a crime. See, e.g., Moore v. Moore, No. 350446/07, 2008 N.Y. Misc. LEXIS 5221, at *1 (N.Y. Sup. Ct. Aug. 4, 2008) (holding that a wife seeking a divorce could use evidence she found on a computer taken from husband’s car just before she petitioned for marital dissolution, because the computer was a family computer (not a work computer as alleged by husband), the taking occurred before the commencement of the dissolution case, and husband’s car was considered the family car).

Many states have statutes criminalizing unauthorized access to computers or protected networks.  Likewise, evidence obtained from a keylogger or spyware deployed by the client or examiner may violate state or federal law (e.g., the Stored Communications Act). See Sean L. Harrington, Why Divorce Lawyers Should Get Up to Speed on CyberCrime Law, Minn. St. B. Ass’n Computer & Tech. L. Sec. (Mar. 24, 2010, 9:40 PM), (collecting cases regarding unauthorized computer access).

Also, certain types of “cyber sleuthing” or penetration testing may be unlawful under various state and federal statutes.  For example, the Computer Fraud and Abuse Act, last amended in 2008, criminalizes anyone who commits, attempts to commit, or conspires to commit an offense under the Act. 18 U.S.C. § 1030 (2006). Offenses include knowingly accessing without authorization a protected computer (for delineated purposes) or intentionally accessing a computer without authorization (for separately delineated purposes).  Various statutory phrases, such as “without authorization” and “access,” have been the continuing subject of appellate review.  See, e.g., State v. Allen, 917 P.2d 848 (Kan. 1996) (affirming trial court’s holding that the State did not prove the defendant committed a crime); see also Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1624–42 (2003) (showing how and why courts have construed unauthorized access statutes in an overly broad manner that threatens to criminalize a surprising range of innocuous conduct involving computers).

Yet another area of legality concerns recently enacted laws in some states requiring digital forensics examiners to be licensed as private investigators.  Texas passed such a law that provides for up to one year imprisonment and a $14,000 fine for persons conducting unlicensed computer investigations. Tex. Occ. Code Ann. § 1702.104 (2011); see also Private Security Bureau Opinion Summaries: Computer Forensics, Tex. Dep’t Pub. Safety, 4–5 (Aug. 21, 2007).  The Opinion clarifies that the Act applies to computer forensics, defined as:

[T]he analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons.  We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.

Id., at 4.

And Michigan’s new law makes unlicensed digital forensics work a felony punishable by up to four years imprisonment, damages, and a $5,000 fine. 2008 Mich. Pub. Acts 67.

In 2008, North Carolina’s Private Protective Services Board proposed to amend General Statute Section 74C-3 to include “Digital Forensic Examiner” as among the roles that must be licensed by the state. See Mack Sperling, North Carolina May Require Licensing for Computer Forensic Consultants, but Do We Need It?, N.C. Bus. Litig. Rep. (Sept. 24, 2008). The measure was defeated. S. 584, 2009 Gen. Assemb., Reg. Sess. (N.C. 2009) (amending GS 74C–3(b) to exempt from the definition of private protective services a person engaged in (1) computer or digital forensic services or the acquisition, review, or analysis of digital or computer-based information, whether for the purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court, or (2) network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network).

Meanwhile, the American Bar Association has discouraged such legislation, concluding, “[c]omputer forensic assignments often require handling data in multiple jurisdictions.  For example, data may need to [be] imaged from hard drives in New York, Texas and Michigan.  Does the person performing that work need to have licenses in all three states?” Gilbert Whittemore, Report to the House of Delegates, 2008 A.B.A. Sec. Sci. & Tech. L. 2 .  The ABA Report opined:

The public and courts will be negatively impacted if e-discovery, forensic investigations, network testing, and other computer services can be performed only by licensed private investigators because not all licensed private investigators are qualified to perform computer forensic services and many qualified computer forensic professionals would be excluded because they are not licensed.

Indeed, very few licensed private investigators are qualified to perform computer forensics services.  Nevertheless, the trend seems to be leading away from state licensing requirements.

Undoubtedly, one of the thorniest legal problems facing unwary examiners is that of child pornography (“contraband”) encountered in digital forensics investigations. See generally Beryl Howell, Digital Contraband: Finding Child Porn in the Workplace, reprinted in White Collar Crimes 2008, ABA-CLE (2008).

Federal law prohibits the knowing production, receipt, shipment, distribution, reproduction, sale, or possession of “any . . . visual depiction involv[ing] the use of a minor engaging in sexually explicit conduct,” or of “any material that contains an image of child pornography . . . .” 18 U.S.C. §§ 2251(a), 2252(a), 2252A (a) (2006). Violations are punishable by a mandatory minimum term of imprisonment for five years and up to twenty years, (18 U.S.C. §§ 1466A(a)(2)(B), 2252(b)(1), 2252A(b)(1) (2006)) except for mere possession, which is punishable for up to ten years. 18 U.S.C. §§ 1466A(b)(2)(B), 2252(b)(2), 2252A(b)(2) (2006).

Congress, in enacting the Adam Walsh Act of 2006, reasoned that child pornography as prima facie contraband should not be distributed to or copied by defendants, their attorneys, or experts. Adam Walsh Child Protection and Safety Act, H.R. 4472, 109th Cong. § 501(2)(E) (2006).  Therefore, an examiner who encounters contraband during an investigation outside of a law enforcement facility must cease work, and contact law enforcement to come to the place of the investigation to seize the contraband.  See Larry Daniel, Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom (Kindle Edition, 2011) at 3602-3603 (“[I]f a non-law-enforcement examiner is analyzing evidence in any kind of case and finds child pornography, he or she is required to stop the examination and notify law enforcement so the evidence can be turned over to authorities”); Bill Nelson, et al., Guide to Computer Forensics and Investigations 508 (4th ed. 2010) at 176 (“The evidence must be turned over to law enforcement. This material is contraband and must not be stored by any person or organization other than a law enforcement agency”).  An expert or attorney who e-mails or delivers the contraband may be prosecuted for copying or distribution. See, e.g., United States v. Flynn, 709 F. Supp. 2d 737, 739 (D. S.D. 2010) (indicting an attorney, who claimed he was doing research for a potential client by investigating the existence of child pornography on a P2P network, for possession and distribution of child pornography); see also State v. Brady, No. 2005–A–0085, 2007 WL 1113969, *2 (Ohio Ct. App. Apr. 13, 2007) (recounting that notwithstanding a state court protective order, the Federal Bureau of Investigation executed a search warrant on court-appointed defense expert’s residence, seized his computer and media, and the Government threatened an indictment for violation of 18 U.S.C. § 2252A), rev’d on other grounds, 894 N.E.2d 671 (Ohio 2008).

It should be noted that Section 3509(m) of the Adam Walsh Act technically does not apply to state criminal proceedings; it expressly governs the Federal Rules of Criminal Procedure. Allen v. Tennessee, 2009 WL 348555, at *6 (U.S. Jan. 11, 2010); State ex rel. Tuller v. Crawford, 211 S.W.3d 676, 679 (Mo. Ct. App. 2007); Commonwealth v. Ruddock, No. 08–1439, 2009 WL 3400927, at *1 (Mass. Supp. Oct. 16, 2009); State v. Blount, No. 81-CR-09-1180, slip op. at 6 (Minn. Dist. Ct., Apr. 7, 2010).  Accordingly, state courts sometimes order a forensic copy be provided to the defense expert under a protective order, which the court found would adequately serve the purpose of the Adam Walsh Act “to protect children from sexual exploitation and to prevent child abuse and child pornography.” Id. ; see also Ruddock, supra, 2009 WL 3400927, at *3 (issuing protective order to prevent “unnecessary disclosure”).  As I will explain below, the expert who takes custody of such contraband is playing with fire, unless he or she has some standing agreement with the local office of the U.S. Attorney for that district.

Notwithstanding the non-applicability of the Act to state court criminal proceedings, and notwithstanding state court protective orders, the Government has prosecuted defense attorneys and experts for contraband acquired in the performance of their official duties. United States v. Flynn, 709 F. Supp. 2d 737, 743 (D. S.D 2010); State v. Brady, 894 N.E.2d 671, 673 (Ohio 2008).

Arguably, there is a rational basis for why an expert should have access to the evidence in his or her own lab, because of the increased costs and inefficiencies of conducting the analysis at law enforcement facilities. See Sharon Nelson et al., “In Defense of the Defense: The Use of Computer Forensics in Child Pornography Cases,” Sensei Enterprises, Inc. (2009)  (“The beleaguered defense expert is forced, often by economics, to do whatever it is possible to do in one or two eight hour days. Frequently, the expert has to fight to use hi/her own equipment and to work in privacy”); Larry Daniel, Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom (Kindle Edition, 2011) at 2127-2130 (“If the case involves child pornography images, the examiner must travel to and perform all of the work at a law enforcement agency. This will add to the expense as the examiner must charge for all the time spent at the agency, including computer processing time that might not be charged for if the case were analyzed in the examiner’s lab”).see also Blount, supra, note 149 (crediting expert’s testimony that conducting the examination at law enforcement facilities would approximately double the cost); Knellinger, supra, note 101 471 F.Supp.2d at 647-48 (crediting testimony that conducting examination at law enforcement facilities would exacerbate costs).   A useful analogy when considering whether a defense attorney should take possession of child pornography is that, in a drug possession case, the prosecutor does not keep samples of a controlled substance in the case files, and instead must inspect the evidence under controlled conditions where it is kept at the law enforcement facility.

In conclusion, the maxim that ignorance of the law is no excuse is sound, and another compelling reason why a capable digital forensics expert ideally should have a solid legal background.  Indeed, an unwary examiner may be asked by a well-intentioned, but uninformed or negligent attorney to engage in conduct that is unlawful.  Alternatively, the examiner’s work, unbeknownst to the attorney, may lead him or her into a briar bush frought with peril.  Because the examiner will not have an attorney client relationship with the retaining attorney, and notwithstanding that the attorney is obligated to diligently supervise non-lawyers, the ultimate personal responsibility for the legality of the examiner’s work belongs to the examiner.

Next week is, October 20, is the 2011 Computer & Technology Law Institute!
The conference includes sessions with the latest news, thoughtful analysis and practice tips about today’s key computer and tech law issues.


  • Erica Newland, Center for Democracy & Technology, Washington DC, and Jerry Cerasale, Direct Marketing Association, Washington DC, on “On-Line Behavioral Advertising”
  • Jon M. Garon on “Navigating through the Cloud – Legal and Regulatory Management for Software as a Service”
  • Outstanding faculty including in-house perspectives from 3M, Best Buy, Medtronic, SunGard and Wells Fargo
  • Nine information-packed, practical sessions including focus on cloud computing questions and answers; mobile data security; insurance coverage for data breaches; Internet power-houses’ policies and practices “as law” – plus your critical year in review
  • 6.75 credits including 1.0 ethics credit (applied for)
  • And more!

More details are available here (opens in a new window).

Significant legal and ethical challenges confront digital forensics investigators, for which some may not be well prepared. Just as many lawyers may be confounded by technology in dealing with digital forensics matters, many digital forensics experts lack formal legal training, and are uninformed about their special obligations in the employ of a lawyer. These obligations include zealously guarding the attorney-client privilege, applying the work product doctrine, developing reports, exhibits, and testimony (that are both admissible and understandable to a lay jury or judge), and conducting their work in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party.

In certain situations, such as where digital forensics examiners serve as special masters (see Fed.R.Civ.P. 53) or third-party neutrals (see Model Rules of Prof’l Conduct R. 2.4 cmt. 1), they are regarded as officers of the court.

The use of a third-party neutral has significant advantages. See, e.g., Craig Ball, Neutral Examiners, Forensic Focus,  First, as an officer of the court, the expert is subject to the court’s inherent powers, thereby providing an extra measure of accountability for misconduct (e.g., confidentiality breaches).  Second, a third-party neutral is ostensibly impartial, which impartiality presumptively aids in the fact-finding process and administration of justice. Third, the third-party neutral is aptly situated to resolve discovery disputes, including issues of confidentiality, relevance, and privilege, and, if necessary, obtain court intervention or in camera review to resolve such disputes.

But if the examiner is not appointed by the court, but rather is retained by a party to an adversarial proceeding, he or she is nevertheless obliged to ferret out the truth.  See, e.g., Ferron v. Search Cactus, L.L.C., No. 2:06-CV-327, 2008 WL 1902499, at *4 (S.D. Ohio Apr. 28, 2008) (court deemed both plaintiff’s and defendant’s computer experts as officers of the court in order to protect the confidentiality of certain ESI found on plaintiff’s computer that was unrelated to the suit).

1. Work Product Doctrine

The work product doctrine enhances a lawyer’s ability to render competent counsel, as the United States Supreme Court observed in Hickman v. Taylor:

[I]t is essential that a lawyer work with a certain degree of privacy, free from unnecessary intrusion by opposing parties and their counsel. Proper preparation of a client’s case demands that he assemble information, sift what he considers to be the relevant from the irrelevant facts, prepare his legal theories and plan his strategy without undue and needless interference.

329 U.S. 495, 510–11 (1947).  It is therefore imperative that both attorneys and examiners understand the doctrine and how it applies to digital forensics examinations. Enjoying the privilege of work product immunity is one of several reasons the expert should be directly retained by the attorney (rather than the attorney’s client).

Some lawyers conflate the work product doctrine with the attorney-client privilege (discussed below). Although the work product doctrine is broader than the attorney-client privilege, it is not a privilege, but rather a limited immunity from production, and can be overcome in certain situations. See Fed. R. Civ. P. 26(b)(3)(A). The doctrine applies in both civil and criminal cases, and protects not only documents and tangible things prepared by attorneys, but also those prepared by an attorney’s consultants, sureties, indemnitors, insurers, or agents.” Id.  In the context of such examinations, the work product doctrine also covers the “mental impressions, conclusions, opinions, or legal theories of a party’s attorney or other representative concerning the litigation.” Fed. R. Civ. P. 26 (b)(3)(B).

The prudent digital forensics expert should, therefore, take affirmative steps to keep confidential the software and hardware used during the examination, as well as his or her theories, algorithms, cryptology, notes, tools, processes, methods, search queries, resource materials, mental impressions, and techniques. And, because the doctrine may be overcome in limited circumstances, attorneys should give careful consideration to whether they instruct their experts to memorialize preliminary findings in writing.  For example, in the popular textbook, Guide to Computer Forensics and Investigations, (Bill Nelson, et al., 4th ed. 2010), the authors explain:

[The forensic tool] also produces a case log file, where you can maintain a detailed record of all activities during your examination, such as keyword searches and data extractions . . . . At times, however, you might not want the log feature turned on. If you’re following a hunch, for example, but aren’t sure the evidence you recover is applicable to the investigation, you might not want opposing counsel to see a record of this information because he or she could use it to question your methods and perhaps discredit your testimony. Look through the evidence first before enabling the log feature to record searches. This approach isn’t meant to conceal evidence; it’s a precaution to ensure that your testimony can be used in court”).

But see Univ. of Pittsburgh v. Townsend, No. 3:04-CV-291, 2007 U.S. Dist. LEXIS 24620 (E.D. Tenn. Mar. 30, 2007) (holding that it was improper for the counsel to have instructed or otherwise suggested to the experts that all e-mails be destroyed, as they became the subject of multiple discovery requests).

In 2010, Fed. R. Civ. P. Rule 26 was amended to give experts’ draft reports the protection of the work product doctrine, exempting them from mandatory disclosure. Fed. R. Civ. P. 26(b)(4)(B). The rule expressly provides that the doctrine applies to “protect drafts of any report or disclosure required under Rule 26(a)[(2)], regardless of the form in which the draft is recorded.” The amended rule also applies work product protection to communications between experts and the counsel who retain them, with three exceptions: (1) communications pertaining to the expert’s compensation; (2) facts or data that the attorney provided and the expert considered in forming opinions; and (3) assumptions that the attorney provided and that the expert relied on. Fed. R. Civ. P. 26(b)(4)(C).  Critics contend the amendment affords attorneys too much latitude in drafting experts’ reports or influencing their opinions. See, e.g., Robert Ambrogi, Changes to Rule 26 Bring Praise — Albeit Faint, Bullseye Legal Blog (June 1, 2011).  The counter argument is that “[t]he risk of an attorney influencing an expert witness does not go unchecked in the adversarial system, for the reasonableness of an expert opinion can be judged against the knowledge of the expert’s field and is always subject to the scrutiny of other experts.” Haworth, Inc. v. Herman Miller, Inc., 162 F.R.D. 289, 295–96 (W.D. Mich. 1995).

One area of particular concern relating to the work product doctrine and digital forensics investigations is the applicability of the 2006 Adam Walsh Act and similar state statutes. Under 18 U.S.C. § 3509 (m), added by Section 504 of Title V of the Adam Walsh Act, “any property or material that constitutes child pornography . . . shall remain in the care, custody or control of either the government or the court.” Title V of the Act contains congressional findings that: “[e]very instance of viewing images of child pornography represents a renewed violation of the privacy of the victims and a repetition of their abuse;” that “[c]hild pornography constitutes prima facie contraband, and as such should not be distributed to, or copied by, child pornography defendants or their attorneys;” and that “[i]t is imperative to prohibit the reproduction of child pornography in criminal cases so as to avoid repeated violation and abuse of victims, so long as the government makes reasonable accommodations for the inspection, viewing, and examination of such material for the purposes of mounting a criminal defense.” Adam Walsh Child Protection and Safety Act of 2006, Pub. L. 109-248, §§. 501(2)(D)–(F), 120 Stat. 587, 624 (2006).

“Ample opportunity” and “reasonable access” under the Act requires: (1) “the government [to] supply reasonably up-to-date tools (hardware and software) and facilities [in order to] construct a reasonable, available forensic defense,” (2) “[ability of] a defense expert to utilize his or her hardware or software,” and (3) “that the analysis be performed in a situation where attorney-client privilege and work product will not be easily, accidentally exposed to the government, and in a facility which is open to the defense at its request during normal working hours, and to the extent feasible, during non-working hours.” United States v. Flinn, 521 F. Supp. 2d 1097, 1101 (E.D. Cal. 2007). In State v. Boyd, the Supreme Court of Washington held that preparation for trial would “likely require revisiting the evidence many times before and during trial” and, therefore, where the evidence consists of a computer hard drive, “adequate representation requires providing a ‘mirror image’ of that hard drive; enabling the defense attorney to consult with computer experts who can tell how the evidence made its way onto the computer,” and that anything less could place an undue burden on defense counsel or a defense expert, interfering with a defendant’s constitutional rights. 160 Wash.2d 424, 433–37, 158 P.3d 54 (2007).

In my experience, most government agencies endeavor to provide reasonable access, but others, perhaps well-meaning, have sought to dictate what equipment the defense expert may use (including the number of computers, and a restriction of both optical read/write drives and solid state drives), or have proposed the examiner work in a small room alongside state staff, or have required the examiner to use state equipment to conduct Internet research during the examination, or have proposed limiting the examiner to a black-and-white printout of the forensic report or to an electronic copy on a read/write optical device supplied by the state, and insisting that the work product be inspected by a state employee prior to removal from the facility. These limitations not only violate the work product doctrine, but also implicate a defendant’s right to effective counsel and due process, and are likely to result in relinquishment of the media containing the contraband to the defense expert under the Act’s so-called “safety valve.” 18 U.S.C. § 3509(m)(2)(B).  This has already happened in several cases. See, e.g., State v. Allen, No. E2007-01018-CCA-R3-CD, 2009 Tenn. Crim. App. Lexis 114 (Tenn. Crim. App. Feb. 12, 2009); United States v. Knellinger, 471 F. Supp. 2d 640, 650 (E.D. Va. 2007); State v. Johnson, No. 1 CA-CR 09-0300, 2010 WL 1424369 (Ariz. Ct. App. Apr. 8, 2010).

2. Attorney-Client Privilege and Confidentiality

The attorney-client privilege is one of the most hallowed tenets of American common law. The primary function of the privilege “is to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice.” Upjohn Co. v. United States, 449 U.S. 383, 389 (1981). Without the privilege, which withholds otherwise relevant evidence, “the client would be reluctant to confide in his lawyer and it would be difficult to obtain fully informed legal advice.” Fisher v. United States, 425 U.S. 391, 403 (1976). In general, communications are protected under the attorney-client privilege if (1) a person is seeking legal advice from a lawyer acting in his legal capacity, (2) the communication is made for the purpose of obtaining legal advice, (3) the communication is made in confidence, and (4) the communication is made by the client. Restatement (Third) of the Law Governing Lawyers § 68 (2000).

So, you might ask, how might this apply to digital forensics examinations?

I respectfully propose that the following statement by the Colorado supreme court is incorrect:

[A]s both a legal and practical matter, the defense expert’s relationship with the defendant and counsel has been protected from intrusions by the state. The law has recognized several doctrines that afford a degree of confidentiality to the expert-defense relationship. Thus, statements made to the expert by the defendant and counsel may be protected by the attorney-client privilege.

Hutchinson v. People, 742 P.2d 875, 881 (Colo. 1987) (underline emphasis added).

Specifically, statements made to the expert by the defendant and counsel are probably not protected by the attorney client privilege. First, only the client’s statements enjoy the privilege (or the attorney’s statements to the client that contain the substance of the client’s statements, such as an answer by the attorney giving some indication of the client’s question).  See. e.g., Kennedy v. Yamaha Motor Corp., 2010 Phila. Ct. Com. Pl. Lexis 24 at *4 (Pa. C.P., Feb. 2, 2010). (“Attorney-client privilege is perhaps a misnomer, since only the client’s statements enjoy a privilege.  Communications of the attorney, on the other hand, are not privileged, except to the narrow extent to which they reveal communications made by the client”).

Courts may, indeed, construe a client’s direct communications to the digital forensics expert as privileged, if the expert is regarded an agent of the attorney. Fin. Techs. Int’l, Inc. v. Smith, 49 Fed. R. Serv. 3d 961, 967 (S.D.N.Y. 2000).  And it is true that an expert is not considered a third-party whose presence destroys the privilege if the expert’s presence is deemed necessary to secure and facilitate communication between the client and the attorney (not unlike an interpreter). See United States v. Kovel, 296 F.2d 918, 921–922 (2d Cir. 1961); In re Grand Jury Proceedings, 220 F.3d 568, 571 (7th Cir. 2000); United States v. Cote, 456 F.2d 142, 143 (8th Cir. 1972).  But I do not believe that communications between an attorney and an expert are automatically afforded attorney-client privilege, because these are not communications made in confidence to an attorney while seeking legal advice. See Matthew P. Matiasevich, I (Might) Get By With a Little Help from my Expert (May, 2010), 21st Annual Spring Symposia of the ABA Section of Real Property, Trust, and Estate Law (“The attorney-client privilege rarely applies to experts for the simple reason that the expert is almost never the client and hence communications are not confidential”).  For this reason, and although it may hinder the expert’s efficacy, the expert should probably avoid asking questions of the attorney like, “So, did your client admit to knowingly downloading those images?”

My opinion notwithstanding, both the expert and the attorney would owe a duty to the client—the holder of the privilege—to maintain confidentiality. The attorney’s obligation is detailed in the Model Rules of Professional Conduct in Rules 1.6 (governing disclosure by a lawyer of information relating to the representation of a client during the lawyer’s representation of the client), 1.18 (the lawyer’s duties regarding information provided to the lawyer by a prospective client), and 1.9 (the lawyer’s duty not to reveal information relating to the lawyer’s prior representation of a former client).

But, the expert, who usually isn’t present at the time of the communication, is also obliged to zealously protect any information the expert discovers that implicates communications made by the client to his or her attorney.  And this obligation is another reason why digital forensics experts working in litigation support roles really need some legal acumen: He or she needs to correctly recognize and, as necessary, segregate attorney-client privileged data. For example, if the expert encounters e-mails between a client and her attorney, which the client subsequently forwarded to a friend, will the expert recognize a privilege? See generally Jonathan Feld & Blake Mills, The Selective-Waiver Doctrine: Is it Still Alive?, 16 Business Crimes Bulletin 4, 4, (Dec. 2008). When in doubt, the expert should consider the communication privileged and consult with the attorney. Note this exhortation reveals that the integrity of the privilege itself could depend upon the integrity of the communication channel between the expert and the attorney.

3. Information Security

Attorney-client privilege aside, a competent digital forensics expert should also have background and training in information security protocols and be able to observe strict confidentiality of all data entrusted to him or her, as my colleagues Sharon Nelson and John Simek eloquently argue:

Not all cases are shrouded in secrecy, but a fair proportion of them are. There are well known figures getting divorced, major companies with proprietary information at issue, public figures in the headlines and people charged with felonies. . . . During the course of a major case where the expert has been identified, the press will undoubtedly come sniffing around the expert probing for information. A good expert knows the standard answer, “I’m sorry, I have no comment” and is as immoveable as the Great Wall of China.

Sharon D. Nelson & John W. Simek, Finding Wyatt Earp: Your Computer Forensics Expert, Sensei Enterprises, Inc. (2005). A recent Associated Press article, Anthony Computer Expert Backs Off Reported Claims, seems to demonstrate the foregoing point well. But, because the Rules of Professional Conduct do not apply to digital forensics examiners, the only enforcement mechanisms are contractual provisions—i.e., a confidentiality clause in the retainer agreement—and loss of reputation and business. The prudent attorney should, therefore, include a confidentiality provision in the engagement agreement, which may give rise to a breach of contract action if damages are sustained. Also, if the expert is retained while a case is active, either or both parties may move the court for a protective order regarding the expert’s handling of confidential data, under which the expert would be subject to the court’s inherent supervisory powers, including sanctions and contempt authority.

This op-ed post by Sean L. Harrington provides opinions that do not necessarily reflect the positions of the Minnesota State Bar Association or its other constituents.


The media and blogosphere is abuzz with news that Barry Ardolf, the disgruntled neighbor who “hacked” in the WEP-secured wireless network of his neighbor and Minnesota lawyer, Matt Kostolnik. Last week, Ardolf was sentenced to eighteen years. See, e.g., Martha Neil, “Neighbor Gets 18 Years for Hacking Lawyer’s Wi-Fi Account, Using His ID to Harass Others,” ABA Journal, July 13, 2011.

There are at least a few lessons to learn from this case: (1) Don’t use WEP to secure your wireless network (it can be hacked in as little as four to ten minutes), (2) law firms benefit from having good working relationships with competent digital forensics investigators, and the most obvious: (3) check with your local police department or lawyer before you act ib any brainy ideas about hacking into your neighbor’s computer network in an effort to frame him for possessing child pornography and threatening the Vice President (or any other purpose).

But that’s not really what this comment is about. Rather, the comment focuses, in part, on whether Internet users could bear defamation liability for statements (in blogs and comments) based upon uncharged conduct contained in a Government court filing, and whether the Government should use more restraint in discussing uncharged conduct that may give rise to various unintended consequences.

Almost as interesting as the underlying facts is the story behind how those facts were uncovered. The Anoka County Sherriff deputy who worked on the case recently provided a case study for the Minnesota chapter of the HTCIA (  He was joined by cybersleuth Scott Johnson, whose methodical investigation ultimately produced the probable cause evidence needed to obtain a search warrant for Ardolf’s residence. In addition, one of the Minnesota FBI cybercrime unit’s special agents, who participated in the Government’s investigation, provided a separate case study. Attending those case studies and conversing with the presenters has provided additional insight into the case than what has been publicly reported.

The short version of the facts is this: On August 2, 2008, just one day after Kostolnik and his family moved into their Blaine, Minnesota, neighborhood, their then 4–year-old son wandered on or near Ardolf’s property. Ardolf returned the boy, but not before allegedly kissing him on the lips.1 The father confronted Ardolf about the incident. According to Ardolf:

He was upset and demanded that I never go on his property, never to talk to him, his wife, or any of his children under any circumstances. I felt powerless, humiliated, and victimized. That summer, neighbors who had previously invited me to dinner shunned me.2

The boy’s parents reported the incident to police. According to the police report, the mother’s perceptions regarding the manner of Ardolf’s contact with her son caused her great distress.

In response to the Kostolnik’s reporting of the incident to police, Ardolf engaged in conduct that the Government described as “a calculated campaign to terrorize his neighbors, doing whatever he could to destroy the careers and professional reputations of Matt and Bethany Kostolnik, to damage the Kostolniks’ marriage, and to generally wreak havoc on their lives.” 3  Among other things, Ardolf intruded into the Kostolniks’ wireless account; intercepted their mail; sent fraudulent e-mails to Kostolnik’s colleagues; and in one e-mail (in Kostolnik’s name), threatened the Vice President, Governor Pawlenty, and other officials. In addition, Ardolf planted an image of child pornography into an e-mail and a MySpace page — both in Kostolnik’s name.

Eventually, through the efforts of the private investigator (Johnson, retained privately) and the Anoka County Sheriff, Ardolf was identified as the culprit. The subsequent search of his home yielded the Kostolniks’ intercepted mail, numerous computer-hacking books, and compact disks containing hacking software. Several computers were seized, which contained voluminous inculpatory evidence, including evidence of the network intrusion, identity theft, and eight child pornography files (all derivatives of the same image), which Ardolf has used in his campaign, and which files formed the basis of those counts against him.4

It has been reported that Ardolf has no prior criminal record, although the police report (mentioned above) states Ardolf had, at that time, a “Suspense File for domestic assault.” According to both the indictment and the Government’s Presentencing Memorandum, Ardolf’s actions in this case continued a pattern of previous conduct  involving another victim.5  The prior criminal conduct would not have been discovered but for the search warrant executed in this case.6

During the trial, Ardolf fired two lawyers in succession, and proceeded pro se. The trial court nevertheless appointed stand-by counsel. Ardolf reportedly withdrew from a plea deal that would have resulted in only two years’ imprisonment, and proceeded to trial. In December 2010 — only three days into the jury trial — Ardolf threw in the towel and inexplicably pleaded guilty to all counts and, as a result, the charges were not put to a jury. Subsequently, he contended in a hand-written memorandum to the judge that his attorney coerced him into doing so.7  Finally, Ardolf coached his children to appeal to the judge’s emotions in granting Ardolf leniency and to conform to Ardolf’s version of events regarding the Kostolnik’s 4–year old boy.8

The result: Ardolf was sentenced to 18 years imprisonment (followed by 20 years’ probation), a $10,600 fine, and forfeiture to the Government under 18 U.S.C. § 2253(a) of the computer equipment and of the Blaine home (which, upon information and belief, has no mortgage and is worth $290,000). The court recommended defendant be excluded from any computer-based activities or technical training during the term of his incarceration.  Further, during the 20 years of supervised release, Ardolf must register as a sex offender, may have no contact with persons under the age of 18 (except in limited circumstances), may not be engaged in any computer-related employment, may not “possess or use a computer or have access to any on-line service without the prior approval ofthe U.S. Probation Office,”  and must obtain gainful employment if possible or, alternatively, work twenty hours of community service.

The extraordinary facts of this case (including both defendant’s conduct and the case outcome), coupled with incomplete media coverage, warrant further discussion.

Ardolf’s presentencing memorandum discloses that his wife died unexpectedly in 2000, and he has been a widower and single parent to three children for the past 11 years.9   As a result of Ardolf’s incarceration, the children will be deprived of any meaningful contact with their only surviving parent (as Ardolf himself noted in his Acceptance of Responsibility Statement (“I am leaving my children with no parent”)).10

Moreover, because Minnesota is not a community property state, the decedent-wife’s property (including any contributions toward the paid-for home) may have gone entirely to Ardolf, and all of Ardolf’s assets (which defendant’s memorandum suggest were tied up in the value of the home) now go to the Government.  This may mean that the three children will also be deprived not only of their mother’s estate (which they presumably had been receiving by way of a continuing measure of support from the father, or would eventually receive from their father in the future), but also of their father’s income for food, shelter, school books, clothes, and college tuition.

The Government, however, did propose an alternative to forfeiture of the Blaine home:  Because “the Government’s overriding goal is the removal of defendant from the Alamo Circle neighborhood in Blaine, Minnesota, to provide for the safety of the victims . . . the Government had offered to allow defendant to sell the house and to put the money in a trust to benefit his three children.”11   The offer was conveyed both to defendant’s current counsel, as well as to his previous counsel immediately after entered his guilty plea. Upon information and belief, Ardolf declined the Government’s offer both times yet, had he agreed, the Government would not have sought an Order of Forfeiture.

Notwithstanding that defendant inexplicibly rejected the offer, the Government contended that it would not act on the Order of Forfeiture if the defendant, through counsel, arranged to have the proceeds placed in a trust administered by a neutral trustee to provide for the three children.  The trial judge noted, during the six-hour sentencing hearing, that the Government’s offer in this regard was unprecedented in his experience.  Upon information and belief, Ardolf might now be taking steps to  accept the Government’s offer, although his standyby counsel was unable to corroborate this for lack of authorization to comment on this or other facts of the case.

Additionally, although Ardolf’s presentencing memorandum contains the obligatory apologies to the court and the victims, it also maintains Ardolf’s continuing objection to assertions contained in the Presentence Investigation Report (referenced in Defendant’s Position Paper as to Sentencing Factors)12 that his contact with the neighbors’ boy was inappropriate, which incident gave rise to the dispute.  Although the police report was closed with the notation that no criminal sexual conduct was found (and Ardolf was therefore not charged in connection with the same), News outlets worldwide13 have reproduced a quoted statement contained in the Government’s pre-sentencing memorandum referring to Ardolf as a pedophile.14

As a result of the widely-published but uncharged conduct, several Web sites and forum posts (e.g.,–years-in-prison-for-hacking-neighbors-wifi-fair-or-foul/question-1970305/) now freely characterize Ardolf as a “pedophile,” and “child molester.”  Many anonymous posters have expressed satisfaction about what other prisoners will likely do to Ardolf as a putative pedophile. Id. Indeed, Such offenders . . . often are placed into protective custody with other prisoners seen to be under a threat. ‘Once their crime has become known, they usually don’t make it’ without protective custody.” 15

Aside from the collateral consequence, this raises the academic question of whether repeating a statement that is defamatory per se relating to uncharged conduct, which statement and uncharged conduct is memorialized in the Government’s presentence memorandum, may give rise to liability. The Minnesota Court of Appeals has held that, “[I]n almost every circumstance a reasonable listener would believe that calling a person a pedophile imputes serious sexual misconduct or criminal activity to that person. It is, therefore, defamatory per se.” 16 

To begin this analysis, one must assume that Ardolf’s conduct does not fit within the meaning of “pedophile,” since a defense of “truthfulness” is dispositive.  And it is well-settled that one spouse’s statement to the other —even a statement that is defamatory per se— is absolutely privileged.17   Further, unless it falls within the so-called “sham exception,” such a statement contained in any petitioning (such as statement filed with the police) would be entitled to SLAPP immunity.18 Likewise, most states recognize an absolute privilege for defamatory communications preliminary to, or in the course of a judicial proceeding if the communication has “some relation” to the proceeding.19 But a republication of that statement could only qualify for the narrow Fair Report privilege if the republisher relied upon an official public document for the allegedly defamatory information, made clear that the document or statement was the source, and fairly and accurately used the source.

Few (if any) of the news stories, blog posts, or comments have clearly attributed the “pedophile” statement to the Government’s court filing.  Nevertheless, there is still the constitutional limitation for matters of public concern, which requires a libel plaintiff to prove that the publisher or broadcaster either knew that the allegedly-defamatory statement was false, was reckless as to truth, or was negligent as to its falsity.20

Significantly, some courts have held that there can be no defamation where plaintiff had no reputation to injure (as may appear to be the case with Ardolf, at the time of this writing).21 But even if so, should Ardolf’s reputation be measured at the time the statement was uttered (when his reputation was not yet lowered by his own conduct)? At the time it was published to a third party (presumably, when the victims were interviewed by the Government)?  At the time of the republication?  Or at the time of the libel suit?  If Ardolf’s reputation is properly measured as of today (lowered by reason of his conviction), would Ardolf nevertheless have a viable cause of action because his current reputation is lowered not by reason of charges and/or convictions relating to the alleged inappropriate contact?

If so, would anonymous posters on and other sites have reason for concern?  In some other countries, the answer seems to be yes: Recently, Google was held by a Brazilian court to have defamed a priest by allowing an anonymous Internet user’s post on Orkut (a Google-owned social networking site), which called the priest a “pedophile.” And a U.S. state court recently ordered the Indianapolis Star to turn over the identities of anonymous posters who made defamatory comments.22  An amicus brief filed by on appeal contends such an outcome is permissible if five standards are satisfied: (1) Give Notice: Courts require the plaintiff (and sometimes the Internet Service Provider) to provide reasonable notice to the potential defendants and an opportunity for them to defend their anonymity before issuance of any subpoena. (2) Require Specificity: Courts require the plaintiff to allege with specificity the speech or conduct that has allegedly violated its rights. (3) Ensure Facial Validity: Courts review each claim in the complaint to ensure that it states a cause of action upon which relief may be granted based on each statement and against each defendant. (4) Require an Evidentiary Showing: Courts require the plaintiff to produce evidence supporting each element of its claims. (5) Balance the Equities: Weigh the potential harm (if any) to the plaintiff from being unable to proceed against the harm to the defendant from losing the First Amendment right to anonymity.23

The issue, therefore, is whether the legitimate purposes to be served by the Government’s inclusion of this scandalous matter outweighed the risk of prejudicial effects or unintended consequences, such as those mentioned above.

Ordinarily, a sentencing judge may conduct a broad inquiry, largely unlimited either as to the kind of information he may consider, or the source from which it may come.24 The commentary in the U.S. Sentencing Guidelines Manual expressly permits “reliable” hearsay evidence at sentencing, and courts have concluded hearsay is admissible in sentencing as long as it bears some indicia of reliability.25  On the other hand, in United States v. Booker, 26 the Supreme Court held that insofar as the federal Sentencing Guidelines required a judge to increase a sentence based on facts found by the judge using a preponderance of the evidence standard, they violated the Sixth Amendment right of a criminal defendant to be tried by a jury and to have every element of an offense proved by the Government beyond a reasonable doubt.27 It is this author’s understanding that the trial court made a thorough and contemplative assessment of the sentencing guidelines and the statutory sentencing factors, and explicated its decision therefor in detail, which can be confirmed when the sentencing transcript is made available to the public.

Nevertheless, because the defendant in this case was neither charged with, nor convicted of, any crimes relating to the August 2, 2008 incident, there was little utility in its inclusion in presentencing filings.  In addition to the prejudicial effect on the judicial process,28 the inclusion of these statements has brought the victims further unwanted publicity.  And, although the Government’s presentment is afforded prosecutorial immunity, it has now become the basis for defendant to be (arguably, perhaps) libeled, subjecting the defendant to public scorn and ridicule beyond the moral disapprobation that members of society expect Ardolf’s convictions to express.29 Not only may this endanger defendant in the prison population (thereby exacerbating the Government’s obligations and expense in incarcerating defendant for years to come), but it also risks eroding the public’s confidence in the justice system.


1 Government’s pre-sentencing memorandum (Dist. Minn., No. 10–cr-00159, Document 109 at 4 (“With her back to Ardolf, [the mother] heard him plant a wet kiss on [the child]”).

2 Defendant’s Position Paper as to Sentencing Factors, (Document 108) at 25-25.

3 Document 109 at 5.

4 Defendant’s Position Paper as to Sentencing Factors, Document 108 (“[T]he preliminary pre-sentence report at #25 states: ‘Eight files depicting the complete image or the altered image, which was posted on the page, were found during the search warrant on various computer equipment and hard drives’”).

5 Document 109 at 2.

6 Id.

7 Document 80.

8 Document 109 at 25–27.  This author has been informed that, at sentencing, the Court noted that it did not take that event into consideration the Government’s assertions regarding the August 2, 2008 catalyst incident, but the author has not yet been able to confirm this because the sentencing transcript has not yet been released.

9 Document 108 at 19.

10 Id. at 24.

11 Document 110 at 22-23.

12 Id. at 20

13 See, e.g.,;;

14 Government’s pre-sentencing memorandum (Dist. Minn., No. 10–cr-00159, Document 109 at 4-5

15 Michael S. James, “Prison is ‘Living Hell’ for Pedophiles, ABC News (Aug. 26, 2003). (last visited July 17, 2011).

16 Longbehn v. Schoenrock, 727 N.W.2d 153, 159 (Minn. Ct. App. 2007).

17 Restatement of Torts, 2d, § 592 (A husband or a wife is absolutely privileged to publish to the other spouse defamatory matter concerning a third person. The confidential character of the relationship of husband and wife is the basis for the privilege stated in this Section. Communications between spouses are so completely protected that under no circumstances can they be made the basis of an action for defamation. This is true although the matter communicated is known to be false and the purpose of the communication is altogether improper).

18 See City of Columbia v. Omni Outdoor Adver., Inc., 499 U.S. 365, 380 (1991).

19 See Restatement (Second) of Torts 587 (1977) (parties); id. 588 (witnesses); id. 589 (attorneys).

20 Gertz v. Robert Welch, Inc., 680 F.2d 527 (7th Cir. 1982), cert. denied, 459 U.S. 1226 (1983).

21 See, e.g., Kevorkian v. AMA, 237 Mich. App. 1, 12 (Mich. Ct. App. 1999) (“In those instances where an allegedly libelous statement cannot realistically cause impairment of reputation because the person’s reputation is already so low . . . the claim should be dismissed so that the costs of defending against the claim of libel, which can themselves impair vigorous freedom of expression, will be avoided.”), quoting Brooks v Am. Broad. Co Inc., 932 F.2d 495, 501 (CA 6, 1991).

22 Jeffrey M. Miller v. Junior Achievement of Central Indiana, Inc., (In re Indiana Newspaper, Inc.) No. 49D14–1003–PL-014761.

23 Dendrite v. Doe,775 A.2d 756, 760-61.

24 United States v. Wallace, 408 F.3d 1046, 1047-48 (8th Cir., May 23, 2005) (quoting Nichols v. United States, 511 U.S. 738, 747, 128 L. Ed. 2d 745, 114 S. Ct. 1921 (1994)).

25 Id.

26 543 U.S. 220 (2005).

27 Id. at 243-44. 

28 See Note, A Proposal to Ensure Accuracy in Presentence Investigation Reports, 91 Yale L.J. 1225, 1228 (1982) (recommending rule amendments to allow challenges to presentence reports for both sentencing and parole); Timothy Bakken, The Continued Failure of Modern Law to Create Fairness and Efficiency: The Presentence Investigation Report and Its Effect on Justice, 40 N.Y.L. Sch. L. Rev. 363, 366 (1996) (“‘[A]vailable data on the federal probation officer’s workload indicates that little, if any, verification of information is possible.’”); Robert Hanlon, Hard Time Lightly Given: The Standard of Persuasion at Sentencing, 54 Brooklyn L. Rev. 465, 493–494 (1988) (“the scope of the information allowed — hearsay testimony, uncorroborated evidence, including that from accomplices, allegations of unproven or even uncharged crimes — is so broad as to create the substantial possibility of inaccurate information being considered. The possibility of prejudicial error is exacerbated when much of the information is derived from sources likely to view the defendant in the most negative light — law enforcement officials and criminal prosecutors. In addition, information obtained from codefendants is more likely to be affected by self-serving interests, such as an attempt to transfer blame or placate prosecutors to obtain favored treatment”).

28 Dan M. Kahan, What’s Really Wrong with Shaming Sanctions, 84 TEX. L. REV. 2075, 2077 (2006).

That’s the title –without the question mark– of a report appearing in the Journal of Digital Forensics, Security, and Law (JDFSL).  If there was a question, I think the answer is an emphatic Yes, and it affects both technologists and attorneys alike.

SSDs changing the technical and legal landscape

The report posits –and I agree– that the fact we computer forensics analysts have had access to a treasure trove of evidence found as deleted files and slack file space was just good fortune taken for granted, because the natural state of modern digital storage is not to ‘preserve deleted data’ as magnetic drives have done for the past few decades, but rather to purge deleted files to improve read and write speeds.

According to the article, we should be aware that a “paradigm shift” is taking place in technology storage from magnetic hard drives to solid-state drives (SSDs); that solid-state drives have the “capacity to destroy evidence catastrophically under their own volition;” that it is “imprudent and potentially reckless to rely on existing evidence collection processes and procedures;” and that conventional assumptions about the behaviour of storage media are no longer valid. Id.

Why computer forenscis analysts should care about SSDs:

In summation, report authors Bell & Boddington note that the latest generation of SSDs on the market (of which I own three) use firmware controllers to equally distribute data across the drive’s blocks, so that they’re being accessed and used with equally over time; and they use a “garbage collection” process to identify deleted or slack file data so as to make these blocks available for reuse subject to the aforesaid equal allocation. The authors further posit that, because the garbage collection runs within the SSD (just by turning it on), using a write-blocker on the SSD during an investigation will have no effect  — i.e., evidence spoliation will resume as soon as the SSD is energized (which it must be to retrieve data from). The end-result is that deleted data and slack-file evidence, which historically has yielded an abundance for fruit in digital forensics investigations, is no longer persistent.


Why litigators should care about SSDs:

The following may be welcome news to defense attorneys, as authors Bell & Boddington warn:

  • that data stored on all types of solid-state drives “should be immediately and henceforth considered to be a ‘grey area’ as far as forensic recovery and legal validation are concerned until extensive studies have been made of drive and data behavior;”
  • that evidence spoliation may take place extremely suddenly, extremely quickly and automatically without human awareness or control;
  • that present-day evidence indicating ‘no data’ does not authoritatively prove that data did not exist at the time of capture;
  • that evidence of deleted data being permanently erased or partially corrupted is not evidence of intentional permanent erasure or corruption;
  • that hashes not matching at the end of a forensic analysis should be evaluated to establish if the original or subsequent images could have been taken during or after a garbage collection;
  • that past metadata and data blocks may be deleted without warning and without the opportunity to realise that they had existed at time of capture;
  • that quick-formatting of disks is a reasonable activity that an innocent person might choose to do to improve performance, tidy up a disk, etc., yet may completely eradicate evidence from a disk within minutes;
  • that there are no longer any guarantees for previously deleted file data to be preserved on an SSD, regardless of whether the drive image was taken during a ‘live’ capture of evidence or following a ‘dead’ capture of evidence;
  • that drives can clearly self-modify their data after physical evidence has been gathered, despite best practice efforts by forensic analysts to prevent such behavior using traditionally effective write-blockers;
  • that it would be an unwise investment of time for analysts to try to develop workaround procedures that operate against the drive controller behavior specifically identified, because new firmware & models are regularly released;
  • that it would be imprudent to develop procedures for physical asset capture whereby operators attempt to distinguish SSDs from HDDs, because of the similar physical appearance of the drives and the need to gain access to the computer’s internals, and because hybrid disks incorporate both HDD and SSD technologies;
  • that it is unwise to assume that irreversible file erasure suggests intent to destroy evidence in cases where a defendant has quick-formatted a SSD drive prior to police seizure; and
  • that the issues identified in the Bell & Boddington report will later come to affect large USB flash drives as well.

Mobile Devices Changing the technical and legal Landscape

Perhaps needless to say, mobile devices are pervasive and, to a growing extent, replacing traditional PCs in the home. Some PC users, who have been besieged with and befuddled by malware, spyware, computer viruses, and maintaining a complex operation system (viz. Microsoft Windows), have replaced their computers with tablets and other devices, including Apple’s iPad, Sony WebTV, Samsung Galaxy, inter alia. Some people I know have even substituted their trouble-prone PCs with ordinary smart-phones (iPhone, Android, inter alia).

Because mobile devices use a variety of operating systems, file systems, and data storage models; and because some are proprietary and, perhaps, not subject to standards (or, at best, subject to rapidly evolving standards); and because some use proprietary hardware connections and protocols, an ordinary computer forensics analyst with expertise in Windows, Macintosh, or Linux has not the skills, software, or hardware to conduct a competent analysis.  Further, the technology is evolving and being released with blinding speed.

Cloud Computing Changing the technical and legal Landscape

Cloud computing is defined by the National Institute of Standards and Technology (NIST) as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

For companies, this may mean entrusting either data or computing resources or both to other companies’ data centers, like Microsoft (NASDAQ:MSFT), Salesforce (NYSE:CRM), or EMC (NYSE:EMC).   For private individuals, it may mean entrusting personal data from their computer or mobile devices to, for example, Apple’s MobileMe, or Motorolla’s Motoblur.

Cloud computing raises digital evidence challenges regarding the location of potential responsive data, preservation, and analysis. Because data can be stored anywhere in the world, it may reside in a jurisdiction where subpoena power or privacy laws are non-existent or not enforced, and establishing a chain of custody might prove difficult or impossible, where data integrity and authenticity (where was it stored, who had access to it, was data leaked, was the data commingled, etc.) cannot be fully ascertained.  Moreover, data entrusted to the cloud may be logically  (and certainly physically) disassociated from the local metadata usually accompanying it (e.g., registry entries, temp files, etc.) and which may not exist in the virtual/cloud environment.  For example, modifying data in a cloud environment, rather than locally, might be less likely to result in metadata written to a client device’s hard-drive (if it has one), and more likely to reside in the packets and client or host server logs, if applicable.


The foregoing is a summary, not an exhaustive discussion, of three challenges facing the discipline and profession of digital forensics examinations and electronic discovery.  Computer forensics examiners will be hard-pressed to stay current, to diversify, and to rely on a network referral partners in order to understand and meet their clients’ needs.  Lawyers will need to understand how these developments may hurt or help their clients’ causes, and to become even more vigilant in selecting a digital forensics consultant to identify what expertise is needed in a particular case.  finally, it will be the lawyers’ responsibility, and not the experts or the courts, to understand these developments and the judiciary on its import, lest the outcome of justice be the result of ignorance.

Perhaps it’s safe to assume that many employees of any company might have have been inconvenienced, if not annoyed, if an automated, compulsory e-mail deletion policy went into effect.

Such a policy, implemented in many corporations across America in contemplation of the December, 2009 federal rules amendments affecting e-discovery practice, was effectuated throughout U.S. Bank’s Lotus Notes e-mail system in 2009, permanently deleting electronic mail aged 90 days thereafter.  The policy complimented a mature litigation hold procedure, about which all bank employees receive mandatory training.

So, when a 21-year old veteran of the bank filed an employment discrimination suit against the bank following termination of her employment, the issue arose as to the whereabouts of certain erstwhile e-mails.  This in turn required a determination as to when the bank’s duty to preserve evidence attached.

Plaintiff contended that a letter she wrote to the human resources dep’t triggered the duty-to-preserve. Although the court in this case (Viramontes v. U.S. Bancorp et al., 2011 U.S. Dist. Lexis 7850 (N.D.Ill. January 27, 2011)) did not explicate in detail when the duty to preserve attaches, it ordinarily does whenever a reasonably credible threat of litigation is received or, based upon the totality of the circumstances, it would appear to a reasonable person that litigation concerning a dispute is more likely than not. See, generally, Zubulake v. UBS Warburg, 220 F.R.D. 212 (S.D.N.Y., 2003) (“Zubulake IV”).

Here, the court found that a complaint letter to human resources, which did not so much as hint as litigation, did not trigger the duty to preserve and, therefore, the filing of the EEOC complaint was the effective date.

In light of the effective date when the bank’s duty to preserve was triggered, the court found that the safe harbor provision of Fed.R.Civ.P. 37(e) insulated the bank from spoliation sanctions. The so-called safe harbor provision provides insulation from sanctions where evidence has been spoliated as a result of routine, good-faith operation of an electronic information system, rather than spoliation from bad faith or recklessness.

When’s the last time –in an intellectual property case or any case– you’ve heard of counterclaims of champerty (an improper arrangement where a party with no interest in a lawsuit agrees to finance and bear the expense of litigation in exchange for a portion of the proceeds) or barratry (creating legal business by stirring up disputes and quarrels, generally for the benefit of the lawyer who sees fees in the matter)?

Perhaps it’s long overdue.  These are the counterclaims now being levied against the specious litigation mill, Righthaven, LLC.   Righthaven, which is co-owned by Vegas attorney Steven Gibson and Stephens Medial, LLC, has an interesting [alleged] lawsuit business model:  First, it scours the Internet for copyrighted content owned by its newspaper clients, including Fair Use multi-line excerpts of articles (not entire works). Next, the newspaper-client licenses the work to Righthaven.  Righthaven then sues –without any takedown request– the party alleged to have infringed the work.  Many, if not most, of the 215 suits filed so far in the U.S. Court for the District of Nevada are mom & pop bloggers. As part of its business model, Righthaven claims damages of up to $150,000 under the Copyright Act’s statutory damages provisions and demands transfer of the Web site domain to Righthaven. These threats have been successfully used, thus far, to intimidate some defendants into a quick settlement.

Righthaven has already lost one or two suits under Fair Use. In Righthaven v. Realty One Group, Inc., the court granted a Motion to Dismiss on Fair Use grounds. As aptly argued, by counsel for Realty One:

Plaintiff brings these claims with unclean hands, which mandates dismissal of this action. The defense of unclean hands can be invoked as a defense in a copyright infringement action. See 4 Nimmer on Copyright § 13.09[B]. The actions of Plaintiff Righthaven in pursuing the instant action for copyright infringement smack of barratry. Righthaven was created by its counsel, Steven Gibson, apparently to pursue violations of the copyrights it purchased from the Review Journal. Righthaven is not the author of the work that was alleged to have been copied. In fact, Righthaven purchased the copyright in the Program Article sometime after the alleged infringement occurred, and likely purchased the copyright with the specific intention of pursuing this action against Mr. Nelson.

The barratry claim was not reached in Realty One, because the case settled one day before the Order granting the Motion to Dismiss issued. But, separately, a judge in Righthaven LLC v. Center For Intercultural Organizing sua sponte ordered Righthaven to show cause why the case should not be dismissed under the 17 U.S.C. § 107 Fair Use exception.  The show cause hearing is set for February 10, 2011.

And most recently, counsel for Choudhry and –in addition to filing a Motion to Dismiss– filed separately an Answer and counterclaim for, inter alia, “barratry, champerty, and maintenance.”

Technologically, Righthaven v. Choudhry may be interesting, because Righthaven is suing for an allegedly protected work that appeared to exist on Choudhry’s site, but which Choudhry alleges actually was not hosted by his site. In the Motion to Dismiss, Choudhry’s counsel explains that the image was substituted in by the client’s browser by means of an “inline link . . . by virtue of an automated RSS feed published by a third party.” Choudhry defined inline link as, “a line of computer code used in internet web pages to direct a user’s browser program to a third-party site to retrieve an image directly from that thirdparty site.” Relying on Perfect 10, Inc. v., Inc., 508 F.3d 1146, 1160-1161 (9th Cir. 2007), Choudhry argued that inline linking does not reproduce, distribute, or display copyrighted material. Rather than providing an image directly to an end user, inline linking directs the web browsers of its users to load content from a third party source. Thus, it is the third party that is reproducing, distributing, or displaying any allegedly infringing image, not the provider of the inline link.

More importantly, the Choudhry case, and others appear to demonstrate a lack of a good faith inquiry into the facts, as required by Fed.R.Civ.P. Rule 11.   The pro se defendant in Righthaven v. Eiser, argued as much, when she alleged in her response that she did not post the newspaper column at issue, and that Righthaven’s suit “was undertaken without any diligence in determining the facts or party allegedly responsible for placing the allegedly owned and copyrighted article on the Internet weblog.”

« Previous PageNext Page »