Computer Forensics and Legal Technology Blog

Along similar lines, a ethics opinion released recently by the Maine Board of Bar Overseers addressed the ethical implications of using a third-party to process and store a law firm’s electronically stored information (ESI). (Hat tip to The Legal Profession Blog for this one). The opinion provides, in pertinent part:

With the pervasive and changing use of evolving technology in communication and other aspects of legal practice, particular safeguards which might constitute reasonable efforts in a specific context today may be outdated in a different context tomorrow. Therefore, rather than attempting to delineate acceptable and unacceptable practices, this opinion will outline guidance for the lawyer to consider in determining when professional obligations are satisfied.

At a minimum, the lawyer should take steps to ensure that the company providing transcription or confidential data storage has a legally enforceable obligation to maintain the confidentiality of the client data involved. See ABA Ethics Opinion 95-398 (lawyer who allows computer maintenance company access to lawyer’s files must ensure that company establishes reasonable procedures to protect confidentiality of information in files, and would be “well-advised” to secure company’s written assurance of confidentiality); N.J. Sup. Comm. Prof. Ethics Opinion 701 (“Lawyers may maintain client files electronically with a third party as long as the third party has an enforceable obligation to preserve the security of those files and uses technology to guard against reasonably foreseeable hacking.”)

In the U.S., there is presently neither a universal code of professional conduct or responsibility nor a national licensing body for computer forensics examiners or legal technologists. Certainly, there is none that I know of for data warehousing. In addition to the suggestions I made in the earlier post (which included working under a well-drafted contract), one consideration in selecting an expert is whether he or she belongs to a professional organization (e.g., IACIS, HTCIA, etc.) that imposes a code of ethics on its members and offers hortarory guidelines for separation of duties, among other things.

The hapless attorney who mis-mailed a document outlining a billion dollar settlement deal may have simply been the victim of his/her email program’s address autocomplete function, resulting in the message being sent to a New York Times reporter with the same surname as the intended recipient.  Outlook has that autocomplete function, as do some of the webmail services (e.g., Gmail).

It goes without saying that any “attorney-client privileged…for intended recipient” signature file that may have been included had no effect whatsoever in stopping the Times reporter from scooping the story.

Cheers.

For the current ‘good faith’ discovery system to function in the electronic age, attorneys and clients must work together to ensure that both understand how and where electronic documents, records and emails are maintained and to determine how best to locate, review, and produce responsive documents.

So said the Court in Qualcomm v. Broadcom, (S. D. Calif.) in its Jan. 7, 2007 Order imposing sanctions and referring six attorneys to the State Bar of California Office of Chief Disciplinary Counsel because plaintiff failed to produce emails that were clearly requested in discovery and witnesses testified falsely on an issue that “became crucial to the…litigation.”

One witness identified twenty-one emails that were believed to be both substantially probative and relevant, yet counsel did not produce the emails or conduct a further search. After the trial, Qualcomm’s general counsel “admitted Qualcomm had thousands of relevant unproduced documents and that their review of these documents ‘revealed facts that appear to be inconsistent with certain arguments that [counsel] made on Qualcomm’s behalf at trial and in the equitable hearing following trial’ ” There were over 46,000 such documents. The Court further noted:

It is inconceivable that these talented, well-educated, and experienced lawyers failed to discover through their interactions with Qualcomm any facts or issues that caused (or should have caused) them to question the sufficiency of Qualcomm’s document search and production…the Court finds that these attorneys did not conduct a reasonable inquiry into the adequacy of Qualcomm’s document search and production and, accordingly, they are responsible, along with Qualcomm, for the monumental discovery violation.

The Court ordered Qualcomm to pay $8.5M to Broadcom but, because “the attorneys’ fees sanction is so large,” the Court declined to fine Qualcomm, noting that, “If the imposition of an $8.5 million dollar sanction does not change Qualcomm’s conduct, the Court doubts that an additional fine would do so.”

The court referred six attorneys to the attorney regulation counsel, finding:

the Sanctioned Attorneys assisted Qualcomm in committing this incredible discovery violation by intentionally hiding or recklessly ignoring relevant documents, ignoring or rejecting numerous warning signs…the Sanctioned Attorneys then used this lack of evidence to repeatedly and forcefully make false statements and arguments to the court and jury.

Significantly, the Pennsylvania Superior Court held that defendant’s acquiescence to the installation of a DVD drive was a de facto acquiescence to the installation of software (whether he knew it or not). The court reasoned that he, therefore, “volitionally relinquished any expectation of privacy in that item by delivering it to CircuitCity employees knowing that those employees were going to install and test a DVD drive.”

In arriving at this conclusion, the court employed the legal theory of “abandonment,” whereby an individual evidences an intent to relinquish control over personal property (“whether a person prejudiced by the search had voluntarily discarded, left behind, or otherwise relinquished his interest in the property in question so that he could no longer retain a reasonable expectation of privacy with regard to it at the time of the search”) (quoting Commonwealth v. Shoatz, 366 A.2d 1216, 1220 (1976)).

Yet, although the court explained that the legal construct “revolves around the issue of intent,” it rejected defendant’s assertion that he did not intend for CircuitCity employees to access his personal video cache any more than he expected them to access his personal financial information or other files.  The court specifically noted that defendant “failed to either inquire as to how the DVD drive would be tested or otherwise restrict the employees’ access to his computer files.”  The court also noted that CircuitCity was employing a commercially acceptable manner for testing the DVD drive, rather than setting out to discover illicit contraband.

While I take no position on the ruling of the court, it occurs to me that this is an instance where “ignorance” commands a higher premium than “intent.”  Another such case was Long v. Marubeni America Corporation, 2006 WL 2998671 (S.D.N.Y., October 19, 2006), where that court held that both the attorney client and work product privileges were waived by employees using a company computer system to transmit otherwise privileged communications to private counsel, which communications were sent from private password-protected accounts (not from the employer’s email system).   Significantly, a cache of the emails were retained by the company’s system as “temporary internet files.” Because the company could and did obtain these emails by reviewing its own system, the court held that the waiver was created through employees’ failure to maintain the confidentiality of these communications with regard to the company’s electronic communications policy, which policy advised employees not to use the company system for personal purposes and warned that they had no right of privacy in any materials sent over the system. The court reached this result notwithstanding its factual finding that employees were without knowledge that a cache of their email communications had been retained.

Thus, in these cases, and including the recent In Re Boucher (defendant, who used PGP to encrypt alleged contraband not required to divulge passphrase), we see where a presumption of a reasonable expectation of privacy can be overcome by a defendant’s failure to take specific precautions to safeguard property or communications. The phrase, “knew or reasonably should have known” is employed in these cases to mean that lack technological expertise on the part of a layperson may result in waiver.

The latter objective is to be accomplished, in part, by “transferring the functions of the existing Computer Crime and Intellectual Property section (CCIPs) that relate to intellectual property enforcement to the new IP Division” and to provide the DoJ with new resources targeted to improve IP law enforcement, including local law enforcement grants and additional investigative and prosecutorial personnel. It also requires that DoJ prepare an annual report that details its IP enforcement activities.

The Press Release is located here: http://judiciary.house.gov/newscenter.aspx?A=887

purchased a CD to transfer that music into his computer.” [emphasis in the orig.]

The case is Atlantic Recording Corp. v. Howell.

In fact, the RIAA Web page concerning piracy does state, in pertinent part:

[T]here’s no legal “right” to copy the copyrighted music on a CD onto a CD-R. However, burning a copy of CD onto a CD-R, or transferring a copy onto your computer hard drive or your portable music player, won’t usually raise concerns . . . Enjoy the music.

However, like the Minnesota PGP case that I characterized in another post as widely misrepresented, I believe that the position of RIAA and Atlantic in this case appears to be similarly misconstrued. If one actually reads the supplemental brief, Atlantic makes clear that the gravamen of the claims isn’t the possession of a backup copy of legally purchased materials but, rather, the fact that the backup copy resided in a folder share that was utilized by a file-sharing program:

It is undisputed that Defendant possessed unauthorized copies of Plaintiffs’ copyrighted sound recordings on his computer. Exhibit B to Plaintiffs’ Complaint is a series of screen shots showing the sound recording and other files found in the KaZaA shared folder on Defendant’s computer on January 30, 2006. Virtually all of the sound recordings on Exhibit B are in the “.mp3” format.  Defendant admitted that he converted these sound recordings from their original format to the .mp3 format for his and his wife’s use.  The .mp3 format is a “compressed format [that] allows for rapid transmission of digital audio files from one computer to another by electronic mail or any other file transfer protocol.”  Once Defendant converted Plaintiffs’ recording into the compressed .mp3 format and they are in his shared folder, they are no longer the authorized copies distributed by Plaintiffs. Moreover, Defendant had no authorization to distribute Plaintiffs’ copyrighted recordings from his KaZaA shared folder. Each of the 11 sound recordings on Exhibit A to Plaintiffs’ Complaint were stored in the .mp3 format in the shared folder on Defendant’s computer hard drive, and each of these eleven files were actually disseminated from Defendant’s computer. Each of these actual, unauthorized disseminations ofPlaintiffs’ copyrighted works violates Plaintiffs’ exclusive distribution right under the Copyright Act. In addition, Defendant unlawfully distributed all 54 of Plaintiffs’ Sound Recordings by making unauthorized copies of the recordings available to other KaZaA users for download.

Id. at 15-16. [citations to the record and authorities omitted; emphasis supplied].

Notably, Atlantic complained that Howell had spoliated evidence of his alleged wrongdoing, an allegation that we’re seeing raised more and more often in litigation, as lawyers start catching on to electronic discovery practices:

One of the best ways to test a defendant’s denial of responsibility for illegal file sharing would be to look at the contents of the defendant’s computer hard drive, which would show, among other things, the existence of peer-to-peer software programs, the user’s chosen preferences for the use of such programs, the dates of use of such programs, the profile of the individual using such programs, and any sound recordings that were downloaded using such programs. A forensic examination might also provide indications of particular instances of distribution from Defendant’s shared folder. That information, however, has now been intentionally “wiped” from Defendant’s computer. Defendant’s intentional destruction of this evidence severely and irreparably prejudices Plaintiffs’ ability to prove their claim against Defendant and warrants harsh sanctions.

Supplemental brief at 14.

In Levie, the defendant-appellant’s seized computer contained PGP, a cryptography program, which was inaccessible to the investigator.  In rejecting Levie’s bid for a new trial, said the court, inter alia:

We find that evidence of appellant’s internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him.

As a result, this case stirred waves in techie circles & blogs accross the nation and was unfairly characterized by journalists as, “Minnesota court takes dim view of encryption.” (See, e.g., here or here).

I posit that the case was unfairly mischaracterized because the inaccessible PGP archive, by itself, did not result in an adverse jury instruction and the totality-of-the-circumstances was the apparent standard adopted by the trial court.   I.e., the record showed that Levie took a large number of pictures of a minor child with a digital camera and that he uploaded those pictures onto his computer soon after taking them. 695 N.W.2d at 624.

Prof. Orin Kerr came to a similar (albeit differently reasoned) conclusion in his blog post, The Myth of Crypto as a Crime:

Obviously, the idea that using encryption necessarily reflects criminal activity is rather silly; Internet users use encryption all the time for all sorts of legitimate reasons. As many critics of the new decision have noted, it makes no sense to see encryption as inherently linked to crime. But contrary to the blogospheric common wisdom, no court ever said it was.

[emphasis in original]. Kerr reasoned, instead, that the court regarded Levie’s use of PGP as evidence that he was a sophisticated computer user, which might explain why the police found no child pornography or nude child photos on his computer.

In cases like these, attorneys often may wonder, “Can a court force a defendant to give up his passphrase?”  (side note: I always include, in routine e-discovery interrogatories that I prepare for my attorney-clients, specific requests for the passwords and password phrases to all encyrpted archives and other repositories containing potentially responsive ESI).  This question is certain to arise more frequently in the near future, including in civil cases (and especially in domestic relations cases).¹

To help answer that question, the U.S.D.C. for the District of Vermont court declined to compel a defendant to surrender his PGP passphrase, finding that compelling a defendant to surrender his PGP passphrase would violate his Constitutional right not to incriminate himself.

The case, In re Boucher, involved child pornography, as you might have expected. Yet, the case law involving the compulsory surrender of encryption passphrases is quite unsettled.

If this case is appealed, it has the potential of creating an important precedent.

___________________________

¹ Unfortunately, perhaps, we should not be looking to domestic relations case law for guidance on issues of substantive constiutional law (such as the privilege against self-incrimination).  See, e.g., David N. Heleniak, The New Star Chamber, 57 Rutgers Law Review no. 3 (Spring 2005), 1009, discussing the “due process fiasco” of family law and characterizing family courts “an area of law mired in intellectual dishonesty and injustice.” In the article, Heleniak identified six commonplace deprivations of fundamental due process: seizure of children and railroading innocent parents into jail through denial of trial by jury; denial of poor defendants to free counsel; denial of right to take depositions; lack of evidentiary hearings; lack of notice; and improper standard of proof). In family law, “the burden of proof may be shifted to the defendant,” according to a handbook for local officials published by the National Conference of State Legislatures.

In its October 22, 2007 Order granting defendant Philip Smith’s motion for summary judgment, the District Court of South Carolina dismissed defamation, trademark infringement, and invasion of privacy claims brought by plaintiff BidZirk LLC, an auction listing company.

The claims arose out of the pro se defendant-blogger’s publication of articles on his blog, featuring plaintiff’s trademark, that were critical of plaintiffs’ eBay auction listing business.  Plaintiffs asserted that defendant’s use of their mark in an article critical of plaintiff’s business tarnished their famous trademark in violation of the Federal Trademark Dilution Act (“FTDA”). The Court held plaintiff’s trademark dilution claims failed because defendant used the mark in connection with “news reporting and news commentary,” a non-actionable use under the Federal dilution statute.

Pursuant thereto, a party cannot be found guilty of diluting the mark of another if the mark is used in “news reporting or news commentary.” 15 U.S.C. § 1125(c)(4)(C).  The Court held that Smith’s use of the trademark was, in fact, a protected use in the course of “news reporting or news commentary.”. The court noted that, while “not all bloggers are journalists, some bloggers are, without question, journalists.”  The Court had examined “the content of the material, not the format, to determine whether it is journalism.”   The Court found that it was not written solely to denigrate plaintiffs but, rather, it was written for the purpose of conveying information to the public about the use of auction listing companies, based on the author’s personal experience and supported by his research. It also provided a checklist to aid consumers in selecting such companies.  These attributes “evidences [an] intent to report what [Smith] believed was a newsworthy story for consumers.”

The court further dismissed plaintiffs’ defamation claim, finding the challenged statements non-actionable statements of opinion.  Said the Court, “Opinion statements, defamatory or otherwise, are not actionable unless they contain provably true or false connotations.” The statements were an opinion statement that could not be fairly characterized as true or false and, which statements included terms that have, “different meanings to different people.”  Thus, because the statement was not capable of being characterized as false, there was no liability for defamation.

Finally, the Court dismissed plaintiffs’ invasion of privacy claim, arising from a link found on Smith’s blog to a picture of plaintiffs found elsewhere on the Internet, accompanied by Smith’s commentary.  According to plaintiffs, the accompanying text implied that they were ‘irresponsible and overcommitted’ and impermissibly cast them in a false light. The Court rejected this claim, finding that South Carolina does not recognize a claim for false light invasion of privacy and, even if it did, the claim would fail as the article did not cast plaintiffs in a false light and (“Nothing about Smith’s statements would be highly offensive to a reasonable person,” an essential prerequisite to a false light invasion of privacy claim”).

Similarly, plaintiffs’ ‘wrongful appropriation of personality’ invasion of privacy claim failed: A required element of such a claim is the “intentional [non-consensual] use of the plaintiff’s name, likeness, or identity by the defendant for his own benefit,” which was missing here. Smith did not use a picture of plaintiffs but, instead, only linked to one found on another site.  In addition, plaintiffs waived any privacy right they had in the photograph in question by consenting to its use on the other non-password protected internet site. Finally, there was no apparent benefit to Smith by his use of the link.

The Court sua sponte sanctioned plaintiffs’ attorney, Kevin Elwell, under Rule 11, for filing a lis pendens against Smith’s condominium. The Court fined Elwell $1,000, which he directed be paid directly to Smith.