Computer Forensics and Legal Technology Blog

This is a brief mention about yet another case, Holmes v. Petrovich, LLC, announced last week, concerning whether an employee enjoys a reasonable expectation of privacy when sending and receiving personal e-mails while using corporate resources.  I last wrote about this topic in March of last year, concerning Stengart v. Loving Care Agency, 990 A.2d 650 (N.J. 2010), and in June, 2008, I discussed Quon v. Arch Wireless, a Ninth Circuit decision that established, among other things, that employers could not obtain the contents of employee emails or text messages from a service provider without employee consent, pursuant to the Stored Communications Act. And, in December, 2007, I discussed  Long v. Marubeni America Corporation,  2006 WL 2998671 (S.D.N.Y., October 19, 2006), where that court held that both the attorney client and work product privileges were waived by employees using a company computer system to transmit otherwise privileged communications to private counsel, which communications were sent from private password-protected accounts (not from the employer’s email system).

In Marubeni America Corp., a cache of the emails were retained by the company’s system as “temporary internet files.” Because the company could and did obtain these emails by reviewing its own system, the court held that the waiver was created through employees’ failure to maintain the confidentiality of these communications with regard to the company’s electronic communications policy, which policy advised employees not to use the company system for personal purposes and warned that they had no right of privacy in any materials sent over the system. The court reached this result notwithstanding its factual finding that employees were without knowledge that a cache of their email communications had been retained.

In Stengart, supra, plaintiff was provided with a laptop computer to conduct company business. From the laptop, she had access to the Internet through the employer’s server, and she used her laptop to access a personal, password-protected Yahoo! e-mail account, through which she communicated with her attorney about her situation at work.  She never saved her Yahoo ID or password on the company laptop.  Because plaintiff, “plainly took steps to protect the privacy of those e-mails and shield them from her employer . . . us[ing] a personal, password-protected e-mail account instead of her company e-mail address and . . . not sav[ing] the account’s password on her computer,” the court ruled she had a subjective expectation of privacy in messages to and from her lawyer discussing the subject of a future lawsuit, and that defendant’s lawyers violated RPC 4.4(b) in reading those e-mails.¹

Although I am a privacy advocate, I don’t mind mentioning that –in my opinion– the New Jersey Supreme Court used reasoning of dubious providence to preserve the sanctity of the attorney-client privilege.  That may be laudable (in our profession), but doubtful reasoning does not provide clarity or certainty about what doctrines and principles truly govern the outcome of these cases from one jurisdiction to the next, and –as the Stengart case demonstrated– attorneys can be subject to discipline based on how a particular court chooses to view the issue.

An example of such reasoning is where the Stengart court explained:

Unbeknownst to [plaintiff], certain browser software in place automatically made a copy of each web page she viewed, which was then saved on the computer’s hard drive in a “cache” folder of temporary Internet files. Unless deleted and overwritten with new data, those temporary Internet files remained on the hard drive.

Whether plaintiff knew that the browser created a cache of the Web pages she visited is irrelevant.  In child pornography cases, for example, the trend has been for courts to disregard defendants’ knowledge of browser software caching, because liability should attach to defendant’s act of “reach[ing] out to the Internet through use of a web browser” to obtain the content.  Ty E. Howard, Don’t Cache out your Case, 19 Berkely Tech. L.J. 1227 (2004).  Likewise, an employee has relinquished dominion over information (and assumed risk) by using a company-owned computer, and volitionally placing the unencrypted information into the company’s information stream.

Moreover, plaintiff had been advised, “The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company’s media systems and services at any time, with or without notice. . . . . E-mail and voice mail messages, internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.”

Hat tip to The Legal Profession Blog:

From Stengart v. Loving Care Agency, Inc. (NJ, en banc) (March 30, 2010):

This case presents novel questions about the extent to which an employee can expect privacy and confidentiality in e-mails with her attorney, which she sent and received through her personal, password-protected, web-based e-mail account using an employer-issued computer.

The Court held that an employee “could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.” Employer’s counsel violated Rule 4.4(b) by reading those e-mails and failing to promptly notify the employee. The court noted that no reported New Jersey decision offered direct guidance on the issue.

One of my clients, a Texas divorce law firm, recently presented the following fact situation to me, which prompted me to write this article:

Lawyer accepted a case where client (hereinafter “wife”) surreptitiously took husband’s laptop three or four months ago while the parties were still residing together, and had it forensically imaged by a private investigator.¹ Wife intends to present evidence obtained from the laptop in support of her petition for marital dissolution.²

Issue: Is the lawyer precluded from introducing evidence and does the lawyer incur any malpractice, tort, or attorney disciplinary liability in possessing, viewing, or proffering evidence obtained from the laptop?

My conclusions —based on somewhat cursory research— appear immediately below. I’ve provided some annotations as footnotes for application in Minnesota (for academic discussion purposes only, not as legal advice). I found very little in the way of Minnesota published cases regarding unauthorized computer access. See, e.g., In re Trudeau, 705 N.W.2d 409 (Minn. 2005) (attorney discipline conditional admission based, in part, on respondent’s unauthorized computer access by installing and using an email spyware program).

(1) If husband’s laptop was not an employer’s computer, and if husband’s laptop was not password protected by him (requiring wife or wife’s private investigator to circumvent any security measure that would create a reasonable expectation of privacy), then wife probably had equal dominion over laptop, as a matter of law (see Texas statute re: “effective consent,” infra). However, to whatever extent the court’s evidentiary ruling is discretionary, the court might well frown on procurement of evidence through such means, and husband might attempt to invoke the Unclean Hands doctrine. This is even more likely so if that area of the hard-drive was password-protected (from wife), or if the laptop belonged to an employer.

(2) Unless some Texas Rule of Evidence and/or rule of Civil Procure (unknown to me) bars admissibility of evidence based upon “unlawful interception of communications,” in a civil case (compare Tex. Code Crim. Proc. Ann. art. 38.23(a)) or based upon any violation of criminal or administrative law, and if wife’s conduct in surreptitiously taking laptop for forensic imaging would not constitute an act of “interception” in violation of Tex. Penal Code Ann. § 16.02(b)(1) or unauthorized access under § 33.02, the evidence recovered from the hard-drive probably is admissible, subject to the court’s broad discretion.

My conclusions are based on cases from around the country. Although, this fact situation does not appear to have been yet addressed Texas’ appellate courts, I did find the following authorities and analysis helpful:

• Tex.Penal Code Ann. § 33.02 (“A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner”).³

• Tex.Penal Code Ann. § 33.01(12) (“‘Effective consent’ includes consent by a person legally authorized to act for the owner. Consent is not effective if: (A) induced by deception, as defined by Section 31.01, or induced by coercion . . . (E) used for a purpose other than that for which the consent was given”).⁴

• Tex.Penal Code Ann. § 16.02(c)(4)(B). (It is an affirmative defense to prosecution a person not acting under color of law intercepts a wire, oral, or electronic communication and is one of the parties to the communication has given prior consent to the interception, unless the communication is intercepted for the purpose of committing an unlawful act).

• Vaughn v. Drennon, 202 S.W.3d 308, 320 ( Tex.App., 2006) (tort case, noting that the intrusion-upon-seclusion type of invasion of privacy is “generally associated with either a physical invasion of a person’s property or eavesdropping on another’s conversation with the aid of wiretaps, microphones, or spying”)

• Signorelli v. State, 2008-TX-V0117.004 (In a criminal context, “Generally, when a third party has equal control over the thing to be searched, the third party may properly consent to the search.”)

• Lasater v. State, 2007-TX-V0829.002 (discussing reasonable expectation of privacy and scope of consent, where defendant granted victim limited consent to enter his home, and victim searched for and found evidence she provided to law enforcement)

• But see Tave v. Alanis, 109 S.W.3d 890 (Tex.App., Dallas, 2003) (School district employee’s termination affirmed, where employee accessed and subsequently disseminated confidential information (inadvertently left on a computer assigned to him for classroom use) violated the District’s policy and constituted conduct could cause the public, students, or employees to lose confidence in the administration and integrity of the District).

So, whereas I found no Texas appellate cases that directly address the fact situation, the cases below from around the country do. In reading through these cases, the advocate should pay particular attention to “effective consent,” (in Minnesota “without authorization,” which phrase is defined under Minn. Stat. § 609.87(b)) and the meaning of the phrase “interception of electronic communications.” Although some courts, have held that recorded screen-shots constitute “interception of electronic communications,” (e.g., O’Brien v. O’brien, infra), under the narrow reading of the Wiretap Act adopted by the Fifth, Ninth and Eleventh Circuits, very few seizures of electronic communications from computers will constitute “interceptions.” Larue, Wiechman, Terry, & Turner, Trails from the Aether: Cyber-Evidence, (State Bar of Texas CLE, 2007). The advocate should also consider whether a violation of criminal law by wife (or wife’s PI) could translate to liability to the firm as an “accessory after the fact,” and that some judges in similar cases from other states based their discretionary decisions on whether the conduct in obtaining the hard-drive was an unlawful act.

(1) Bailey v. Bailey, 2008 WL 324156 (E.D. Mich)). In this recent case from the US District Court for the Eastern District of Michigan, the parties were married for nearly 30 years and had three children. Husband became suspicious of his wife’s activities and installed keystroke logging software on both home computers, with which he was obtained wife’s e-mail and instant-messaging passwords. Husband used these passwords to access her e-mail and messages and learned of her extra-marital activities. Husband fled the marital home with the parties’ three children. He provided the e-mails and messages to his divorce attorney and petitioned for divorce. A custody dispute ensued and husband’s attorney used the wife’s e-mails to impeach her. Wife lost custody and was granted only supervised visitation. After the divorce action concluded, wife sued ex-husband, his attorney and her attorney. Husband and his attorney were sued for violation of (1) 18 U.S.C. §2511 (the Wiretap Act); (2) 18 U.S.C. §2701 (the Stored Communications Act) against husband; (3) 18 U.S.C. §2512 (Wiretap Act) against the husband, his attorney and a John Doe who supplied the keystroke logging software; (4) MCL § 750.539a et seq. and MCL §750.540 (Michigan’s Eavesdropping statutes) against the husband, his attorney and John Doe; (5) invasion of privacy against the husband and his attorney; (6) intentional infliction of emotional distress against all defendants; and (7) malpractice against the wife’s own attorney.

The Wiretap Act. Wife claim against husband and his attorney was based on their obtaining her e-mails and messages using the password retrieved from the key logger software. Under § 2511 (1)(a), a person violates this Act if he or she “intentionally intercepts…any…electronic communication” (c) “intentionally discloses…any…electronic communication…knowing…the information was obtained through the interception of a …electronic communication in violation of [the Act]” and (d) intentionally uses…any…electronic communication” (c) “intentionally discloses…any…electronic communication…knowing…the information was obtained through the interception of a …electronic communication in violation of [the Act]” Defendants successfully argued that there was no “interception” as defined in the Wiretap Act. The court agreed and reasoned that the key logging software only allowed the husband to learn his wife’s passwords, which he then used to access her e-mail. Since the husband did not obtain the e-mails and messages contemporaneously with the transmission, the court ruled the Wiretap Act was inapplicable. The court also ruled that that § 2512 of the Act does not provide for a private right of action and the court dismissed wife’s claim based regarding husband, his attorney and a John Doe who supplied the key logger software.

Stored Communications Act. Wife contended her husband violated the Stored Communications Act by accessing her e-mails. The Act provided that a person was in violation if that person (a)(1) “intentionally accesses without authorization a facility through which an electronic communication service is provided…and thereby obtains…a…electronic communications while it is in electronic storage in such system…” Although husband accessed the wife’s e-mail on her Internet service provider’s (ISP) server and not from the messages stored on her home computer, he argued, because wife had already accessed her e-mails, the Act was inapplicable. But, the court found that the messages on the ISP’s server were stored for purposes of backup protection (since the wife had already accessed those messages) but that does not take it out of the provisions of the Stored Communications Act and therefore the husband’s motion for summary judgment on this count was denied.

Invasion of Privacy tort claim: The court granted husband’s attorney’s motion for summary judgment because there was no evidence the attorney participated in the “intrusion of another’s seclusion,” as alleged by wife. But, the court stated that the wife had a right to privacy in her private e-mail account. Husband’s defense was that wife could not establish her claim because his actions were not objectionable to a reasonable man, because they were subsequent and based upon his inadvertently discovery of wife’s extra-marital activities, and because they were necessary and prudent to protect his family and children. The court found that an issue of fact existed as to whether or not use of keystroke logging to gain access to the wife’s e-mail was objectionable to a reasonable man. Intentional Infliction of Emotional Distress tort claim: The court dismissed wife’s IIED cause-of-action because the use of the key logger did not constitute “extreme and outrageous conduct.”

(2) In Moore v. Moore, (NYLJ, August 14, 2008, at 26, col 1 [Sup Ct, New York County]), a New York County trial court recently ruled that a wife seeking a divorce can use evidence of her husband’s internet activities with another woman which she found on a computer she took from her husband’s car.

The Moore’s were married in 1963. Wife took a laptop computer from husband’s car just before she petitioned for marital dissolution. According to wife’s attorney, she was searching the computer for financial information when she came upon a large number of salacious instant messages which the husband exchanged with a woman in Texas.

Wife’s counsel informed husband’s counsel she had the computer, and the parties agreed to make forensic images from of the computer’s hard drive. The materials found on the hard drive were repeatedly referred to by the wife in affidavits submitted to the Court without objection by husband.

Subsequently, husband moved to suppress the contents of the hard drive. The Court denied the motion, finding that the wife did not commit a crime or otherwise violate the husband’s rights in taking the computer and copying its contents.

The Court noted that the attorneys for the parties specifically agreed to image the hard drive, and husband waived his objection by not timely moving to suppress the evidence. The Court determined that the computer was a family computer and not a work computer as alleged by the husband. The Court also found that the taking of the computer was appropriate since it was done before the commencement of the dissolution case and was taken from the family car.

(3) In O’Brien v. O’Brien, 899 So.2d 1133 (Fla.App. 5 Dist. 2005), a Florida appeals court ruled that wife “illegally obtained” records of husband’s Internet conversations with another woman as the two played Yahoo Dominoes online. “It is illegal and punishable as a crime under (state law) to intercept electronic communications,” wrote the panel.

The court barred wife from revealing the contents of the intercepted conversations, and said the chat records could not be introduced as evidence in the divorce proceedings. At issue in a civil case arising out of the divorce proceedings was whether the use of the spyware, called Spector, violated Florida’s wiretapping law, which provides that a person who “intentionally intercepts” any “electronic communication” commits a criminal act.

Wife’s lawyers argued that the monitoring didn’t fall under the law’s prohibitions and was kin to reading a stored file on her husband’s computer–which would not be treated as wiretapping. But the court concluded, “because the spyware installed by the wife intercepted the electronic communication contemporaneously with transmission, copied it and routed the copy to a file in the computer’s hard drive, the electronic communications were intercepted in violation of the Florida Act.”

(4) In Gurevich v Gurevich (2009 NY Slip Op 29191) the Supreme Court considered CPLR 4506 ⁵ in the context of matrimonial proceedings in which the wife sought to lead email communications obtained from her husband’s email account after the service of the divorce action.

The parties had been married for 16 years prior to separation, during which husband had provided wife with the password to his email account, and during which both parties had access to each others email accounts. After separation, wife changed her email password, but the husband neither changed his, nor told or gave notice to the wife that she was not permitted to access his account.

Husband argued that wife was aware he used one password for all his computer accounts, and that she was unreasonable in her belief that, despite his not changing his password until some two years after separation, she was allowed to access his accounts. Husband argued that the content of his emails were inadmissible under CPLR 4506 by reason that the wife had acted unlawfully under Penal Law 250.05 (hereinafter “eavesdropping statute”). Further, husband argued that the initiation of the divorce proceedings was an implied revocation of any authority previously given to her to access his account. The Supreme Court rejected husband’s contention, holding “there is no statute that would recognize an ‘implied revocation upon service of a divorce action’ and bar the use of the email ‘stored.’”

The court examined the eavesdropping statute and CPLR 4506, and rejected wife’s contention that CPLR 4506 did not apply to electronic communications:

She relies on dicta in the case of Pure Power Boot Camp v. Warrior Fitness Boot Camp (587 F.Supp.2d 548 [SD NY 2008]) for the proposition that “[t]he plain language of the statute [CPLR 4506] seems to limit its application to the contents of the overheard or recorded communication[s]'” not electronic communication. However, the U.S. District Court further stated that “[u]ltimately, a determination of the meaning of CPLR § 4506 is unnecessary, and better left to the New York state courts.” Furthermore, the court in Power Boot Camp v. Warrior Fitness Boot Camp in a footnote stated “Penal Law section 250.05 explicitly includes “electronic communication . . . .”

Husband argued that CPLR 4506 and the eavesdropping statute were not limited to communication or transmission, but also applied to “the intentional acquiring, receiving, collecting, . . . of an electronic communication, without the consent of the sender or intended receiver thereof . . .”

The Supreme Court considered cases cited by wife and the legislative intent behind the eavesdropping statute (to prohibit the interception of communications, not the access of stored communications) and found that she was entitled to rely on the content of the email transmission:

It is this court’s understanding from the reading of the statute, legislative history and case law that the purpose of Penal Law section 250.00 is to prohibit individuals from intercepting communication going from one person to another, and in this case an email from one person to another. In the case at bar the email was not “in transit,” but stored in the email account. Even assuming the husband’s facts, as stated, to be true, the wife may have unlawfully retrieved information from a computer; in violation of Penal Law 153.10 but there was no interception and accordingly fails to fall within scope of CPLR 4506 as presently written.

(5) ⁶ In White v. White, 781 A.2d at 87-88, the family computer and entertainment center were located in the sun room, where the husband slept; the wife and the parties’ children often used the sun room to utilize the computer, watch television, and adjust the stereo volume. It was in the sun room that the wife discovered, fatefully, a letter from the husband to his girlfriend.

Shortly after the wife discovered the letter, she hired a private investigative firm, and unbeknownst to the husband–and without using the husband’s password–the PI firm copied the husband’s files from the computer’s hard drive. Such files contained e-mail sent between the husband and his girlfriend, as well as images [uh-oh] that he viewed on [and apparently downloaded from] Netscape. It was only while being deposed during the divorce proceedings that the husband learned that the wife had accessed his e-mail; he had thought–incorrectly as it turned out–that his e-mail and attachments could not be read without his AOL password. Understandably concerned about his e-mails, the husband sought to suppress the electronic evidence, based on violations of the New Jersey Wiretap Act. The New Jersey court opined that, in order to understand the error of the husband’s thinking, it was necessary to understand the technical workings of America Online Service [“AOL”], the husband’s Internet Service Provider [“ISP], explaining as follows:

[i]ncoming e-mails are received on the AOL e-mail server and are accessible to an AOL user only after dialing in and authenticating with the user’s screen name and password. Also, a user cannot send an e-mail via the AOL server until he has similarly dialed in….AOL’s server receives and maintains the e-mail until the recipient dials into AOL and accesses (seeks to read) his mail. In addition, an AOL user can save his e-mails and attachments on his computer’s hard drive. AOL offers the Personal Filing Cabinet [“PFC”] feature, which is created automatically on the hard drive during the installation of AOL on the user’s computer. The PFC is named for user’s screen name…[A]n AOL user must voluntarily choose to save the e-mail, attachment or address to his PFC or address book. The AOL user can save e-mail, attachments, or addresses either by using the automatic AOL feature or manually. To save automatically to the PFC on the hard drive, the user must select that option in “Mail Preferences.”

Specifically, in the main tool bar, the user chooses “Mail Center,” “Preferences” and then checks “Retain All Mail I Send in My Personal Filing Cabinet” and/or “Retain All Mail I Read in My Personal  Filing Cabinet”….Additionally, in the “Notes” section of [the Help screens], AOL informs the user that he can read mail stored in the PFC when he is not signed onto AOL, i.e. the PFC is on the hard drive. Similarly… AOL informs the user that e-mail saved in the PFC will remain on the hard drive until the user deletes it.

Id. at 87-88.

Thus, the only way for the husband to be sure that his e-mail would be saved permanently was to use the PFC file on the his hard drive, because his e-mail could not be saved permanently on AOL’s server. Id. at 88. Not knowing his e-mails were being saved, he took no steps to delete them, nor any steps to protect them with a password, which meant that any computer user could view his PFC and e-mails by simply opening the AOL software on the hard drive, and that was exactly what happened: the wife’ s expert simply opened the AOL software and viewed and copied the husband’s emails.

Turning to the legal issues in the case, the New Jersey court first held that the doctrine of interspousal immunity was inapplicable, and that the New Jersey Wiretap Act applied to unauthorized access of electronic communications of one’s spouse. Id. at 88.

Next, the court noted that the New Jersey act [identical to the federal act] prohibited “access” to electronic information in “temporary, immediate storage,” in backup protection, or in transmission. Id. at 89. The court observed that the e-mail in the hard-drive of the computer was in “post-transmission storage.” Id. Pursuant to the statutory language, the court held that the New Jersey act was not meant to extend to e-mail retrieved by the recipient and then stored, but rather protected only those electronic communications which were in the course of transmission, or were backup to that course of transmission. Id. at 90.

The Court then rejected the husband’s argument that the wife accessed his e-mail “without authorization.” Id. Since other courts had held that “without authorization” meant using a computer from which one has been prohibited, or using another’s password or code use the family computer, the court stated that nonetheless she had the authority to do so. Id. (citations omitted). Additionally, according to the court, the wife did not use the husband’s password or code without authorization, but instead accessed the information in question by roaming in and out of different directories on the hard drive. Id.

Finally, the New Jersey court held that the wife did not “intercept” the husband’s e-mails, since the concept of “interception” did not apply to “electronic storage.” Id. at 91. The husband’s electronic communications had already ceased being in “electronic storage,” i.e., they were in post-transmission storage, and therefore the court held that the wife did not “intercept” them. Id.
Endnotes

____________________
¹ Under Texas law, a person performing computer forensics analysis must be licensed as a private investigator in that state.
² Texas is not a no-fault divorce state, and divorces may be tried to a jury.
³ See Minn. Stat. §§ 609.89 (Computer theft) & 609.891 (Unauthorized Computer Access, amended 2006).
⁴ Minn. Stat. § 609.891 uses the phrase, “without authorization”
⁵ Under CPLR 4506, (Eavesdropping evidence; admissibility; motion to suppress in certain cases), “The contents of any overheard or recorded communication, conversation or discussion, or evidence derived therefrom, which has been obtained by conduct constituting the crime of eavesdropping, as defined by section 250.05 of the penal law, may not be received in evidence any trial, hearing or proceeding before any court or grand jury, or before any legislative committee, department, officer, agency, regulatory body, or other authority of the state, or a political subdivision thereof; provided, however, that such communication, conversation, discussion or evidence, shall be admissible in any civil or criminal trial, hearing or proceeding against a person who has, or is alleged to have, committed such crime of eavesdropping.”
⁶ The White v. White case digest is excerpted in its entirety from Larue, Wiechman, Terry, & Turner, Trails from the Aether: Cyber-Evidence, (State Bar of Texas CLE, 2007).

I’ve been negligent in posting here since the end of April because of competing priorities.  Nevertheless, I’ve been scanning for news items with you in mind:
Sam Glover informs us at his Lawyerist blog (here) of a fantastic new Firefox plug-in called RECAP that, while a user is browsing documents in PACER, provides the option to download a free copy from public.resource.org (if the document exists there) by placing an icon next to the regular download link. Alternatively, if you download a document that isn’t on public.resource.org, RECAP will upload the document thereto.  More info. is at https://www.recapthelaw.org/

“Judges and journalists have more in common than they probably realize: They search for the truth every day, they’re never entirely sure who’s lying to them and they routinely publish writings that live forever in the public record.“\

So begins an article published by The First Amendment Center discussing the difficulty in determining who is a journalist, including “online contributors, bloggers and tweeters,” and citing the recent Texas Court of Appeals decision in Kaufman v. Islamic Society of Arlington, where the court held that a contributor to a Web site was entitled to a statutory right of interlucutory appeal available to members of “the electronic or print media.”

The court, finding support from other jurisdictions, extended the First Amendment and other protections to Internet publications as “a type of nontraditional electronic media.” Although the court did hold that not everyone who publishes to the Internet qualifies under Texas’ interlocutory appeal statute, the court rejected the argument that an Internet author never is a member of the media.

Here are some other news stories from the last few months that I thought you’d find interesting:

• Most recent developments regarding the former employee charged with stealing top secret code in Goldman Sachs’ high-frequency trading program
• Report: Shortage of cyber experts may hinder govt
• Sec’y of Defense Creates Cyber Defense Command
• Bloggers, Beware: What You Write Can Get You Sued
• No Bail for Blogger Accused of Threatening Federal Circuit Panel
• Do Interactive Websites Have a Legal Duty to Remove Malicious Content?
• Law Students Teach Scalia About Privacy and the Web
• Supreme Court Will Hear Sarbanes-Oxley Challenge: Accounting Oversight Board Wields Too Much Power, Plaintiffs Say
• Government Secrets Found on Computer Sold on eBay
• Hackers into Virginia database demand $10M million ransom
• Prison Awaiting Hostile Bloggers? Proposed congressional legislation would demand up to two years in prison for those whose electronic speech is meant to ‘coerce, intimidate, harass, or cause substantial emotional distress to a person
• Lawmaker Defends Imprisoning Hostile Bloggers
• Minnesota Court Orders Release of DUI ‘Breathalyzer’ Source Code
• Federal Reserve Tech Arrested
• Report labels U.S. Computer security “embarassing”

It is well known that the advent of the Internet and the economic downturn have caused traditional news organizations throughout the country to lose circulation and advertising revenue to an unforeseen extent. As a result, the staffs and bureaus of newsgathering organizations—newspapers and television stations alike— have been shuttered or shrunk. Municipal and statehouse coverage in particular has too often been reduced to low-hanging fruit. The in-depth investigative report, so essential to exposure of public malfeasance, may seem a luxury even in the best of economic times, because such reports take time to develop and involve many dry (and commercially unproductive) runs. And in these most difficult of times, not only investigative coverage, but substantive reports on matters of critical public policy are increasingly shortchanged.

. . .

The verdict is still out on whether the Internet and the online ventures of traditional journalistic enterprises can help fill the void left by less comprehensive print and network coverage of public business. While the Internet has produced information in vast quantities, speedy access to breaking news, more interactive discussion of public affairs and a healthy surfeit of unabashed opinion, much of its content remains derivative and dependent on mainstream media reportage. It likewise remains to be seen whether the web—or other forms of modern media—can replicate the deep sourcing and accumulated insights of the seasoned beat reporter and whether niche publications and proliferating sites and outlets can provide the community focus on governmental shortcomings that professional and independent metropolitan dailies have historically brought to bear.

A Wall Street Journal article of the same caption (above) was published April 23, 2009, regarding a case in New Jersey, where an employer obtained access to a private Internet forum where employees were disparaging the company’s managements.  The company then fired the employees involved.

It’s generally well-settled that an employee has no reasonable expectation of privacy when the employer has disseminated a notice that use of company equipment is a waiver of that right.  However, in this case, no such notice was given.  Nevertheless, it’s not clear (to me) whether a claim could be made out, if plaintiffs asserted that the injury-in-fact was employment termination.

The plaintiffs allege common-law invasion of privacy and “accessing without permission the electronic communications being stored on the plaintiff’s private group,” in violation of the Stored Communications Act, 18 U.S.C. 2701 et seq., and a parallel state statute, N.J.S.A. 156A-27. Among other counts, they allege that management “used the improperly accessed and monitored electronic communications to wrongfully discharge the plaintiffs.”

The case is Pietrylo, et al v. Hillstone Restaurant Group, No. 06-cv-05754 (D. N.J.).

Over a year ago, I discussed a magistrate’s opinion in a case captioned in re Boucher, which held that providing a PGP passphrase or otherwise decrypting an encrypted PGP volume to aid in a law enforcement investigation against one’s self violated the Fifth Amendment.  I’m amazed to discover that there is even a Wikipedia page for this case (here).

The magistrate’s decision has been reversed by the U.S. Judge for the District of Vermont, directing defendant to produce the drive in an unencrypted form.

Because I need not attempt to duplicate Professor Orin Kerr’s apt coverage of this latest development, allow me to point you to his commentary here.

Defendant’s attorney, Jim Budreau, filed an interlocutory appeal to the Second Circuit.

Between law school and the CISSP, CSOXP and CHFI exams, I guess I must not be doing a good job keeping up with current events.  If I had, I would’ve known about this November decision from the the U.S. Court for the Middle District of Pennsylvania, where a judge is characterized in an article by Dan Goodin as saying, “a hard drive is comprised of many platters, or magnetic data storage units, mounted together,” and, therefore each platter constitutes its own separate container and the lawful acquisition of one didn’t breach the others.” What?!

Indeed, that genius bit of reasoning was the basis of a suppression order, finding that a landlord’s eviction of a tenant and subsequent discovery of child pornography would have given way to a valid gov’t seizure under the private search doctrine if prosecutors had limited their activities to the same file search employed by the landlord rather than a file-signature inventory.

I’m all for the Exclusionary Rule –which is on the brink of abolishment– as a deterrent for police misconduct, but the problem with this reasoning is that the separate internal platters of a hard-drive are certainly not separate containers.  Individual files are stored in sectors and often span across several platters.  A Windows file search would access the same sectors that an EnCase hashing routine (discussed in the opinion) would access.  The judge’s reasoning would have been valid if there was more than one hard-drive in the computer and the landlord’s search was confined to one, but the Government had accessed the others [without a warrant].

Whereas Goodin didn’t pick up on this, I was relieved to discover that another blogger, Rich Cannata did. In his December 11, 2008 post, Rich wrote:

Wow.  While the Judge deserves some recognition for an attempt at technical savvy, this analogy falls quite short.  Under the guise of this analogy, the geometry of the hard drives platter’s determined what is searchable and what is not.  If the target is a 500GB Seagate drive with four platters and eight read/write heads, is less data is to be considered within the scope of the search than if the exact same information were stored on a 500GB Samsung drive with one platter and two read write heads? If the data is stored on a RAID array, how do you determine which platters in which drives are within the scope of the search?  The judge also skips over the fact that even in the Runyan case, there were two recording surfaces for each floppy disk.  Since the introduction of MS-DOS 1.1, the Microsoft operating system has used both sides of a diskette, these are distinctly two separate recording surfaces of a floppy disk, yet it appears to the computer user as a single “container”.  Using the single platter logic, in the Runyan case, they would have only been within bounds to search the side of the floppy disk that contained the file that the third party found/viewed.  In this context, it appears that a logical volume should be the boundary for a container, but, with the advances in drive density, considering this as a boundary is disconcerting.

Tomorrow afternoon, I am taking the CHFI exam.  While studying through the official 2,721 page exam courseware, I encountered a “case study” that was laughable.  Let me share it with you

TargetMac and OneMac are two magazines that cater to the growing Ipod users. The CEO of TargetMac is Bryan Smith and the CEO of OneMac is John Beetlesman.  Bryan  calls John one day and convinces him to purchase TargetMac.  The lawyers of both companies were called in to finalize the deal.  The lawyers draft the sale contract, which restricts removal of sensitive and confidential information and non solicitation of TargetMac customers and working staff. A non compete clause was also added in the agreement.

It has been two years and John Beetlesman is suspicious about Bryan’s activities.  John suspects Bryan has breached the contract.  John knows that you are a CHFI professional and provide computer forensics services to his clients.  John’s company lawyer, Smith Franklyn, contacts you to investigate and provide evidence to support the breach of contract so that John can file a lawsuit against Bryan at local civil court in San Francisco, California.

How do you investigate this incident?

Answer:

1. You want to examine hard disk and laptop computers of Bryan’s home and office for evidence.
2. You ask the lawyer Smith Franklyn to obtain a search and seizure warrant at Bryan’s home located at 37 Albert Avenue, San Jose and his office located at 46, Mathew Street, Santa Monica.
3. Smith Franklyn works with the local District Attorney to obtain the required search warrant.
4. Smith Franklyn and you visit Bryan’s home and seize his computer which is a HP Pavilion Model 1172.
5. You later visit Bryan’s office and seize his laptop, floppy disks and CD-ROMS.
6. You place the devices carefully in anti-static bags and transport it to the forensics laboratory.
7. Create a bit-stream image of the hard disk using tools such as R-Drive and Linux dd commands.
8. Generate MD5 or SHA-l hashes of the bit stream images.
9. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit stream image copy.
10. You are ready for investigation.
11. You are asked to retrieve: a. Any document in the computer which shows proof for breach of contract.
12. You load the bit stream image in AccessData Forensic Tool Kit (FI’K) and browse every single file in the file system.
13. You also read every single email displayed in FTK.
14. After many days/nights of investigation you retrieve the following crucial evidence:

15. You run a password cracking utility to crack the encrypted file “Business Plan AppleMac Magazine.doc” and the password was “planapple”.
16. These above documents clearly indicate that his new business would compete with TargetOnes’s business.
17. You copy these files to a CD-ROM.
18. You use FTK report facility feature and produce a professional report.
19. You deliver the report to the company along with the fee for the forensics service you rendered.

Based on your submitted report the lawyer, Smith Franklyn initiates a $20 million lawsuit against Bryan. After two weeks the court of law holds Smith Franklyn Bryan guilty and asks to pay the amount.

In my judgment, this portion of the courseware was not written with the aid of an attorney.  First, in a civil matter –contract breach– one doesn’t obtain a “search and seizure warrant” with the aid of the district attorney.  A plaintiff first files suit, then issues a narrowly tailored request for production (or subpoena, if it is third-party property) and then awaits opposing counsel’s Motion to Quash and for Protective Order.

Second, assuming the Court finds that the suit is not a fishing expedition (which this fact situation appears to be), an adverse would never be entitled to “visit Bryan’s home and seize his computer . . . and later visit Bryan’s office and seize his laptop, floppy disks and CD-ROMS.”  Instead, one would expect to retain a third-party vendor to search for potentially-responsive ESI or the court would appoint a special master for that same purpose.

This calls to mind a recent decision by the Colorado Supreme Court in November in the case of Cantrell v. Cameron, 195 P.3d 659 (Colo. 2008) (en banc).  The case arose from a traffic accident in which the allegedly negligent party (Cameron) was accused of using his laptop computer while driving.  Cantrell asked to inspect Cameron’s laptop for evidence that it was in use at the time of the accident.  Cameron agreed to a limited inspection, but wouldn’t produce the laptop without a written agreement limiting the scope of the inspection.  Whereas Cameron insisted the scope be limited “to the time of the accident,” Cantrell understandably wanted a broader search to confirm that there had been no subsequent manipulation of the hard drive.  Cantrell sought an order to compel, which the trial court granted.  Cameron then filed for a writ of prohibition with the state’s Supreme Court.

In its ruling, the Colorado Supreme Court noted:

personal computers may contain a great deal of confidential data.  Computers today touch on all aspects of daily life . . . they are postal services, playgrounds, jukeboxes, dating services, movie theaters, daily planners, shopping malls, personal secretaries, virtual diaries, and more. Very often, computers contain intimate, confidential information about a person. When the right to confidentiality is invoked, discovery of personal computer information thus requires serious consideration of a person’s privacy interests.

195 P.3d at 661. (quotations and citations omitted).As a result of these findings, the court concluded that the trial court abused its discretion in issuing an unqualified order directing Cameron to produce his laptop for inspection and without establishing parameters to balance the truth-seeking purpose of discovery with the privacy interests at stake.

In my opinion, Cantrell had a right to ascertain that the hard-drive had not been tampered with, which required inspection of the entire drive. In most cases, I would argue that the entire hard drive is certainly needed, although a very small fraction of ESI on the drive will be relevant.

By way of example, I was very recently involved in a case where I obtained the entire hard-drive for inspection.  All the data sought resided in slack-file space, deleted files and printer spool files (documents drafted in MS-Word and sent to the printer, but never saved, probably in an effort to leave no record).  Obviously, opposing counsel would not have been able to direct his client to extract that information (let alone produce it in a readily usable form).

The answer to this dilemma, which would not have conflicted with the Colorado Supreme Court’s ruling, is: (a) to craft a narrowly-tailored discover request that is limited in relevance to the case but specific enough to overcome efforts to conceal data; and (b) to retain an third-party vendor (or ask the court to appoint a special master); and (c) to provide the forensic analyst with as much specific guidance as possible to discover potentially responsive data.  When questions arise as to whether data discovered is relevant or privileged, they may be resolved by an in camera review or the special master, if applicable, will make that call.