MSBA Computer and Technology Law Section

Wolfram Alpha and Litigation

Damien Riehl — Tue, 09 Jun 2009 14:34:18 -0500

Tech enthusiasts are excited about the "computational knowledge engine" that swears it is not a search engine: Wolfram Alpha. Rather than simply giving links to other sites, Wolfram Alpha attempts to provide one-stop answers to questions. Here are examples:

Graph unemployment rate differences between Minneapolis and Saint Paul
Financial information for Microsoft
Number of Internet users

Lawyers could certainly use some of this information in their practices. As an example, a query can provide the weather information (cloud cover, temperature, wind speed, relative humidity, etc.) for any particular day -- complete with hour-by-hour graphs. Here is the weather in Fargo, North Dakota on June 23, 2001. This information could be helpful in cases ranging from slip-and-fall cases to car accidents.

Undoubtedly, Google and the other mainstream search engines will pick up on these capabilities. In fact, they already have: Google Squared and Bing's "decision search engine".

Another blogger seeks journalist status

Sean Harrington — Mon, 27 Apr 2009 04:03:17 -0500

A New Jersey Superior Court will decide in a defamation case whether a Shellee Hale, a woman who posted comments online about the pornography industry, should have the same protections as working journalists. Hale, who writes four blogs and has contributed to The Wall Street Journal and Business Week, is seeking protection from disclosing her sources.

Tom Cafferty, counsel to the New Jersey Press Association, suggested in an interview with The Star-Ledger that her claim to privilege may be dubious and contends that judges realize they must be careful who gets the protection, because If the newsperson's shield is extended to everyone who posts items on the internet, "then everyone is a journalist and the privilege becomes meaningless," he said.

This is a recurring theme that I have written about previously, and --doubtless-- will be revisited again. For one view on this topic, see Randall Eliason, Leakers, Bloggers, and Fourth Estate Inmates: The Misguided Pursuit of a Reporter's Privilege, 24 Cardozo Arts & Ent. L.J. 385 (2006).

Another view is that bloggers --many of them working anonymously-- have taken on an increasing role as vanguards of accountability and accuracy in public discourse. See, e.g., Walaika Haskins, Bloggers Greatest Hits, Volume I & Volume II, TechNewsWorld (June 27 & July 11, 2007).

In a concurring opinion released earlier this month in Andrew v. Clark (4th Cir.), Judge J. Harvey Wilkinson, III, wrote:

It is well known that the advent of the Internet and the economic downturn have caused traditional news organizations throughout the country to lose circulation and advertising revenue to an unforeseen extent. As a result, the staffs and bureaus of newsgathering organizations—newspapers and television stations alike— have been shuttered or shrunk. Municipal and statehouse coverage in particular has too often been reduced to low-hanging fruit. The in-depth investigative report, so essential to exposure of public malfeasance, may seem a luxury even in the best of economic times, because such reports take time to develop and involve many dry (and commercially unproductive) runs. And in these most difficult of times, not only investigative coverage, but substantive reports on matters of critical public policy are increasingly shortchanged.

. . .

The verdict is still out on whether the Internet and the online ventures of traditional journalistic enterprises can help fill the void left by less comprehensive print and network coverage of public business. While the Internet has produced information in vast quantities, speedy access to breaking news, more interactive discussion of public affairs and a healthy surfeit of unabashed opinion, much of its content remains derivative and dependent on mainstream media reportage. It likewise remains to be seen whether the web—or other forms of modern media—can replicate the deep sourcing and accumulated insights of the seasoned beat reporter and whether niche publications and proliferating sites and outlets can provide the community focus on governmental shortcomings that professional and independent metropolitan dailies have historically brought to bear.

Employers Watching Workers Online Spurs Privacy Debate

Sean Harrington — Mon, 27 Apr 2009 02:58:45 -0500

A Wall Street Journal article of the same caption (above) was published April 23, 2009, regarding a case in New Jersey, where an employer obtained access to a private Internet forum where employees were disparaging the company's managements. The company then fired the employees involved.

It's generally well-settled that an employee has no reasonable expectation of privacy when the employer has disseminated a notice that use of company equipment is a waiver of that right. However, in this case, no such notice was given. Nevertheless, it's not clear (to me) whether a claim could be made out, if plaintiffs asserted that the injury-in-fact was employment termination.

The plaintiffs allege common-law invasion of privacy and "accessing without permission the electronic communications being stored on the plaintiff's private group," in violation of the Stored Communications Act, 18 U.S.C. 2701 et seq., and a parallel state statute, N.J.S.A. 156A-27. Among other counts, they allege that management "used the improperly accessed and monitored electronic communications to wrongfully discharge the plaintiffs."

The case is Pietrylo, et al v. Hillstone Restaurant Group, No. 06-cv-05754 (D. N.J.).

Decrypt hard drive for gov't or face jail time

Sean Harrington — Tue, 31 Mar 2009 23:16:35 -0500

Over a year ago, I discussed a magistrate's opinion in a case captioned in re Boucher, which held that providing a PGP passphrase or otherwise decrypting an encrypted PGP volume to aid in a law enforcement investigation against one's self violated the Fifth Amendment. I'm amazed to discover that there is even a Wikipedia page for this case (here).

The magistrate's decision has been reversed by the U.S. Judge for the District of Vermont, directing defendant to produce the drive in an unencrypted form.

Because I need not attempt to duplicate Professor Orin Kerr's apt coverage of this latest development, allow me to point you to his commentary here.

Defendant's attorney, Jim Budreau, filed an interlocutory appeal to the Second Circuit.

No cryptographic hash analysis without warrant - How did I miss this one?

Sean Harrington — Mon, 30 Mar 2009 01:48:54 -0500

Between law school and the CISSP, CSOXP and CHFI exams, I guess I must not be doing a good job keeping up with current events. If I had, I would've known about this November decision from the the U.S. Court for the Middle District of Pennsylvania, where a judge is characterized in an article by Dan Goodin as saying, "a hard drive is comprised of many platters, or magnetic data storage units, mounted together," and, therefore each platter constitutes its own separate container and the lawful acquisition of one didn't breach the others." What?!

Indeed, that genius bit of reasoning was the basis of a suppression order, finding that a landlord's eviction of a tenant and subsequent discovery of child pornography would have given way to a valid gov't seizure under the private search doctrine if prosecutors had limited their activities to the same file search employed by the landlord rather than a file-signature inventory.

I'm all for the Exclusionary Rule --which is on the brink of abolishment-- as a deterrent for police misconduct, but the problem with this reasoning is that the separate internal platters of a hard-drive are certainly not separate containers. Individual files are stored in sectors and often span across several platters. A Windows file search would access the same sectors that an EnCase hashing routine (discussed in the opinion) would access. The judge's reasoning would have been valid if there was more than one hard-drive in the computer and the landlord's search was confined to one, but the Government had accessed the others [without a warrant].

Whereas Goodin didn't pick up on this, I was relieved to discover that another blogger, Rich Cannata did. In his December 11, 2008 post, Rich wrote:

Wow. While the Judge deserves some recognition for an attempt at technical savvy, this analogy falls quite short. Under the guise of this analogy, the geometry of the hard drives platter’s determined what is searchable and what is not. If the target is a 500GB Seagate drive with four platters and eight read/write heads, is less data is to be considered within the scope of the search than if the exact same information were stored on a 500GB Samsung drive with one platter and two read write heads? If the data is stored on a RAID array, how do you determine which platters in which drives are within the scope of the search? The judge also skips over the fact that even in the Runyan case, there were two recording surfaces for each floppy disk. Since the introduction of MS-DOS 1.1, the Microsoft operating system has used both sides of a diskette, these are distinctly two separate recording surfaces of a floppy disk, yet it appears to the computer user as a single “container”. Using the single platter logic, in the Runyan case, they would have only been within bounds to search the side of the floppy disk that contained the file that the third party found/viewed. In this context, it appears that a logical volume should be the boundary for a container, but, with the advances in drive density, considering this as a boundary is disconcerting.

Plaintiffs must prove actual damages for statutory damages award under Stored Communications Act

Sean Harrington — Mon, 30 Mar 2009 00:05:12 -0500

According to a March 18^th ruling by the Fourth Circuit, plaintiffs must prove actual damages in order to be eligible for an award of statutory damages under the federal Stored Communications Act, but that a showing of actual damages is not required for awards of punitive damages or attorney fees. Plaintiff had sued under the Stored Communications Act, 18 U.S.C.A. § 2707(a), alleging that her former employer and its president illegally accessed her personal email account for over a year. Van Alstyne v. Electronic Scriptorium Ltd., No. 07-1892.

Further reading: Marcia Coyle, E-Mail Theft Case Sparks First-of-a-Kind Ruling, Law.com, March 27, 2009.

A dose of reality

Sean Harrington — Sun, 29 Mar 2009 23:40:19 -0500

Tomorrow afternoon, I am taking the CHFI exam. While studying through the official 2,721 page exam courseware, I encountered a "case study" that was laughable. Let me share it with you

TargetMac and OneMac are two magazines that cater to the growing Ipod users. The CEO of TargetMac is Bryan Smith and the CEO of OneMac is John Beetlesman. Bryan calls John one day and convinces him to purchase TargetMac. The lawyers of both companies were called in to finalize the deal. The lawyers draft the sale contract, which restricts removal of sensitive and confidential information and non solicitation of TargetMac customers and working staff. A non compete clause was also added in the agreement.

It has been two years and John Beetlesman is suspicious about Bryan's activities. John suspects Bryan has breached the contract. John knows that you are a CHFI professional and provide computer forensics services to his clients. John's company lawyer, Smith Franklyn, contacts you to investigate and provide evidence to support the breach of contract so that John can file a lawsuit against Bryan at local civil court in San Francisco, California.

How do you investigate this incident?

Answer:

1. You want to examine hard disk and laptop computers of Bryan's home and office for evidence.
2. You ask the lawyer Smith Franklyn to obtain a search and seizure warrant at Bryan's home located at 37 Albert Avenue, San Jose and his office located at 46, Mathew Street, Santa Monica.
3. Smith Franklyn works with the local District Attorney to obtain the required search warrant.
4. Smith Franklyn and you visit Bryan's home and seize his computer which is a HP Pavilion Model 1172.
5. You later visit Bryan's office and seize his laptop, floppy disks and CD-ROMS.
6. You place the devices carefully in anti-static bags and transport it to the forensics laboratory.
7. Create a bit-stream image of the hard disk using tools such as R-Drive and Linux dd commands.
8. Generate MD5 or SHA-l hashes of the bit stream images.
9. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit stream image copy.
10. You are ready for investigation.
11. You are asked to retrieve: a. Any document in the computer which shows proof for breach of contract.
12. You load the bit stream image in AccessData Forensic Tool Kit (FI'K) and browse every single file in the file system.
13. You also read every single email displayed in FTK.
14. After many days/nights of investigation you retrieve the following crucial evidence:

a. Encrypted file titled "Business Plan AppleMac Magazine"
b. Excel spreadsheet "revenuestreams.xls"
c. Numerous email messages back and forth with his investors.

15. You run a password cracking utility to crack the encrypted file "Business Plan AppleMac Magazine.doc" and the password was "planapple".
16. These above documents clearly indicate that his new business would compete with TargetOnes's business.
17. You copy these files to a CD-ROM.
18. You use FTK report facility feature and produce a professional report.
19. You deliver the report to the company along with the fee for the forensics service you rendered.

Based on your submitted report the lawyer, Smith Franklyn initiates a $20 million lawsuit against Bryan. After two weeks the court of law holds Smith Franklyn Bryan guilty and asks to pay the amount.

In my judgment, this portion of the courseware was not written with the aid of an attorney. First, in a civil matter --contract breach-- one doesn't obtain a "search and seizure warrant" with the aid of the district attorney. A plaintiff first files suit, then issues a narrowly tailored request for production (or subpoena, if it is third-party property) and then awaits opposing counsel's Motion to Quash and for Protective Order.

Second, assuming the Court finds that the suit is not a fishing expedition (which this fact situation appears to be), an adverse would never be entitled to "visit Bryan's home and seize his computer . . . and later visit Bryan's office and seize his laptop, floppy disks and CD-ROMS." Instead, one would expect to retain a third-party vendor to search for potentially-responsive ESI or the court would appoint a special master for that same purpose.

This calls to mind a recent decision by the Colorado Supreme Court in November in the case of Cantrell v. Cameron, 195 P.3d 659 (Colo. 2008) (en banc). The case arose from a traffic accident in which the allegedly negligent party (Cameron) was accused of using his laptop computer while driving. Cantrell asked to inspect Cameron's laptop for evidence that it was in use at the time of the accident. Cameron agreed to a limited inspection, but wouldn't produce the laptop without a written agreement limiting the scope of the inspection. Whereas Cameron insisted the scope be limited "to the time of the accident," Cantrell understandably wanted a broader search to confirm that there had been no subsequent manipulation of the hard drive. Cantrell sought an order to compel, which the trial court granted. Cameron then filed for a writ of prohibition with the state's Supreme Court.

In its ruling, the Colorado Supreme Court noted:

personal computers may contain a great deal of confidential data. Computers today touch on all aspects of daily life . . . they are postal services, playgrounds, jukeboxes, dating services, movie theaters, daily planners, shopping malls, personal secretaries, virtual diaries, and more. Very often, computers contain intimate, confidential information about a person. When the right to confidentiality is invoked, discovery of personal computer information thus requires serious consideration of a person's privacy interests.

195 P.3d at 661. (quotations and citations omitted).

As a result of these findings, the court concluded that the trial court abused its discretion in issuing an unqualified order directing Cameron to produce his laptop for inspection and without establishing parameters to balance the truth-seeking purpose of discovery with the privacy interests at stake.

In my opinion, Cantrell had a right to ascertain that the hard-drive had not been tampered with, which required inspection of the entire drive. In most cases, I would argue that the entire hard drive is certainly needed, although a very small fraction of ESI on the drive will be relevant.

By way of example, I was very recently involved in a case where I obtained the entire hard-drive for inspection. All the data sought resided in slack-file space, deleted files and printer spool files (documents drafted in MS-Word and sent to the printer, but never saved, probably in an effort to leave no record). Obviously, opposing counsel would not have been able to direct his client to extract that information (let alone produce it in a readily usable form).

The answer to this dilemma, which would not have conflicted with the Colorado Supreme Court's ruling, is: (a) to craft a narrowly-tailored discover request that is limited in relevance to the case but specific enough to overcome efforts to conceal data; and (b) to retain an third-party vendor (or ask the court to appoint a special master); and (c) to provide the forensic analyst with as much specific guidance as possible to discover potentially responsive data. When questions arise as to whether data discovered is relevant or privileged, they may be resolved by an in camera review or the special master, if applicable, will make that call.