Monday, April 23, 2007

2007-02-23 Phoney Fax Frees Felon

The NY Lawyer reports that "Officials released a prisoner from a state facility after receiving a phony fax that ordered the man be freed, and didn't catch the mistake for nearly two weeks."

Ok, so there were typos in the Order, the order "demanded" the prisoner's release, and the fax was sent from a grocery store.

The real message is this: Better crafted documents will follow. They will have letterheads, "signatures" and all the trappings of "legitimate" court documents.

Think that can't happen? Remember Parmalat? In that 18 billion dollar bankruptcy, company officials scanned, and then pieced together, a document purporting to confirm the existence of billions of dollars in a foreign bank account. How? Scanned Bank of America Letterhead, signature of a BofA VP (technology area) and created document content with bank account number, deposit amount, and a confirmation. The auditors ate it whole.

Saturday, April 21, 2007

2007-04-21 Photoshopping the Evidence

An article appearing today on poses the question: When does "photoshopping out" that tanning factory refuse pool abutting your gazebo cross the line between unethical and illegal?

While the article seems to argue a sliding scale, e.g., "greener grass" vs a foundation crack, one can make two observations pertinent to emerging authentication issues for computer-generated information offered into evidence:

The first is that digital data manipulation is becoming more pervasive. Much more pervasive. The second is that, as an attorney, any undisclosed alteration to a photo upon which I rely to my economic or other detriment (such as health, perhaps?) may well be actionable.

The attorney analyzing this makes appropriately conditional statements.

n.b.: I am not disregarding the duty of a buyer to physically inspect premises, but in instances where photographic evidence is the only proof of something, the "trend" may not be your "friend".

Wednesday, April 18, 2007

2007-04-18 Two Good Spoliation of Electronic Evidence Decisions. Oh, and adverse inferences, to boot.

From April 2007: Spoliation and eDiscovery Opinion in Teague v. Target Corp. d/b/a Target Stores, Inc. Slip Copy, 2007 WL 1041191 (W.D.N.C. 2007). Here, a United States District Court Judge (and not a magistrate) found that the plaintiff had spoliated evidence by not preserving her home computer well after she retained counsel and filed her EEOC charge:

"Plaintiff clearly had an obligation to preserve her computer because it contained electronic evidence relating to her claims against Target and her efforts to mitigate her damages. As noted earlier, she had already hired counsel and filed an EEOC charge. Under the circumstances the court concludes that there is enough evidence that Plaintiff discarded the computer with a “culpable state of mind.” The electronic information contained on the computer was clearly relevant to her claims and to the defenses of the Defendant. Accordingly, the court finds that an adverse inference instruction to the jury is warranted and appropriate." Teague v. Target Corp. d/b/a Target Stores, Inc. Slip Copy, 2007 WL 1041191 at *2.

From January 2007: Spoliation and eDiscovery Opinion and Order by Magistrate Judge Andrew Peck of the Southern District of New York: In re NTL, Inc. Securities Litigation, 2007 WL 241344 (S.D.N.Y. 2007); 1:02-cv-03013-LAK-AJP (SDNY January 30, 2007).

What we are seeing here is what I consider to be the drawback prior to the tsunami. In the coming months there will be a flood of predominantly magistrate-judge level decisions on eDiscovery matters. The amended (to include) eDiscovery provisions of the Federal Rules of Civil Procedure are nearly four months old. The visibility of magistrate judges will increase with the upcoming torrent of eDiscovery issues and disputes. My wager is that since magistrate judges have generally been delegated with decision-making authority on discovery matters, the largest volume of decisional authority will come from magistrate-level rulings.

The Court here found that defendants engaged in spoliation of evidence (including emails) after what appears to have been a half-hearted effort to impose a litigation hold after notice of litigation or impending litigation occurred.

In what I believe will be of increasing importance in eDiscovery, the Court cites well established decisional authority interpreting the meaning of "control" pursuant to the provisions of Fed. R. Civ. P. 34.

"'The test for the production of documents is control, not location.'" In re Flag Telecom Holdings, Ltd. Sec. Litig., 236 F.R.D. at 180 (quoting Marc Rich & Co. v. United States, 707 F.2d 663, 667 (2d Cir.), cert denied, 463 U.S. 1215, 103 S. Ct. 3555 (1983)). "Documents may be within the control of a party even if they are located abroad." In re Flag Telecom Holdings, Ltd. Sec. Litig., 236 F.R.D. at 180." In re NTL, Inc. Securities Litigation, 2007 WL 241344 at *17.

If "location" is not part of the "test" for document production, it appears that an accessibility argument based on "location" (as in, "we store the backup tapes at Cobalt Peak secure underground storage facility") won't fly.

Another interesting snippet, embracing within the definition of control the "practical ability" to obtain documents:

"Under Rule 34, "'control' does not require that the party have legal ownership or actual physical possession of the documents at issue; rather, documents are considered to be under a party's control when that party has the right, authority, or practical ability to obtain the documents from a non-party to the action." Bank of New York v. Meridien Biao Bank Tanzania Ltd., 171 F.R.D. 135, 146-47 (S.D.N.Y. 1997); see also, e.g., In re Flag Telecom Holdings, Ltd. Sec. Litig., 236 F.R.D. at 180; Exp.-Imp. Bank of the United States v. Asia Pulp & Paper Co., 233 F.R.D. 338, 341 (S.D.N.Y. 2005); Dietrich v. Bauer, 2000 WL 1171132 at *3 ("'Control' has been construed broadly by the courts as the legal right, authority or practical ability to obtain the materials sought upon demand.") (emphasis added); In re NASDAQ Market-Makers Antitrust Litig., 169 F.R.D. 493, 530 (S.D.N.Y. 1996); Golden Trade, S.r.L. v. Lee Apparel Co., 143 F.R.D. 514, 525 (S.D.N.Y.1992) (The courts have "interpreted Rule 34 to require production if the party has the practical ability to obtain the documents from another, irrespective of his legal entitlement to the documents.")(emphasis added)." In re NTL, Inc. Securities Litigation, at *17.

What we are seeing is what I consider to be the beginning of a flood of magistrate-judge level decisions on eDiscovery matters. The eDiscovery rules are still new (although arguably applicable to open-discovery matters), but since magistrate judges have generally been delegated with decision-making authority on discovery matters, their visibility will increase with the torrent of eDiscovery issues, disputes and rulings to come.

Friday, April 13, 2007


The heightening "DR3" tension, by which I mean the tension among document retention, disaster recovery, and discovery requests, is highlighted by the current kerfuffle over White House staffer email gone missing, and then rising like the phoenix. Interesting recounts of events are reported in today's New York Times and elsewhere.

It appears that, by using the facilities (i.e. email accounts) of the Republican National Committee, as many as 50 WH staffers may have violated the Presidential Records Act. That act generally requires preservation in perpetuity of certain government documents. The RNC, however, has a document retention policy providing for the destruction of all emails after 30 days. Oops.

There have been conflicting statements in connection with these emails. They are "missing," "lost," or "deleted." Some 2400 pages of documents are reported by the NYT to have now been located and provided to Congress. Karl Rove is reported to have understood that "all" of his emails were being archived. All in all, one huge mess.

This points to two major DR3 tensions, the first of which is between document retention programs and statutory or regulatory retention laws and regulations having conflicting requirements.

The second DR3 issue is the "copies" or "backups" of documents which, according to the "document retention" program, now suddenly crop up after they are believed to have been destroyed in accordance with said document retention policy.

This parade of horribles underscores the need for C-level and other top management to be involved in the architecting and actual comprehension of document retention policies (and by this I don't mean having your IT people nod and tell you that "all is ok") and to institute some way to ensure, in a persistent manner, the proper enforcement of those policies.

Guess what, fellas and gals? This is all about information security and legal issues, and none of it is about perimeter defense.

2007-04-13 The High Cost of Backdating

For those who have steadfastly stated to me during the past 10 years that there is no way to quantify losses or potential risk of liability for time-based data manipulation, I offer the restitution arrangement agreed to by Sanjay Kumar, former CEO of Computer Associates and now convicted felon. He agreed to repay 800 million (that's an 8 with 8 zeroes after the digit) for his acts, which included backdating contracts and cost Computer Associates (now CA) a bundle in earnings restatements. He actually has only $52 million to pay at the moment, but those funds are coming from his, and from his family's, assets.

Friday, April 06, 2007


Science News Online Article: Computing Photographic Forgeries

Dartmouth Professor develops software program to detect digital image forgery. "The eyes are a partial mirror into the world in which you're photographed," Farid says. If there are two white dots in each eye, there had to have been two separate light sources. So, if a photo shows two dots in one person's eyes and only one dot in another person's eyes, it must have been spliced together from two different originals."


Here's the "yes but" ---

This presumes (1) that all eyeballs are aimed in the same direction; (2) that there is no "outlier" light source (such as a strobe or flash, or spot light) that provides a focused second source of light.
Really, the eyes are a partial mirror "of" the world in which one is photographed. This researcher has been a big promoter of near pixel-by-pixel forensic photographic analysis, and is a promoter as well of his own technology he claims accomplishes same. Nice to know he calls this a "bag of tricks" ---

Hypo time: Two dueling digital photographs. One digitally signed. The altered one. With a time and date match. Saved into different image formats (perhaps removing or rendering uninterpretable those nasty "layers") before digital signature applied. The argument: "It's digitally signed, and you can see that it hasn't been altered, kind sir (or madam)." The other is legitimate, but alas, not digitally signed. The argument: "Your honor, believe me, this photograph is the real McCoy. The other is fake." The arguments on both sides become almost Kafkaesque.

The following excerpt is from David Levy, in his Chapter on "Authenticity in a Digital Environment" published by the Council of Library and Information Resources. He states the issue quite well: "Without the security of stable digital objects, what might we do? One possibility would be to maintain audit trails, indicating the series of transformations that has brought a particular document to the desktop. Such a trail (akin to an object's provenance) could conceivably lead back to the creation of the initial document or, at least, back to a version that we had independent reasons to trust as authentic. Having such an audit trail (and trusting it) would allow us to decide whether any of the transformations performed had violated the document's claimed authenticity. A second possibility would ignore the history of transformations and would instead specify what properties the document in question would have to have to be authentic. This would be akin to using a script or a score to ascertain the authenticity of a performance."

Rather than seeking "provenance", Professor Farid prefers "scripting." Of course, the scripting is Farid's "mathematical" bag o' tricks. They may work to ferret out forgeries or alterations, or they may not (e.g., is "sampling" used?). My apprehension is not that it might or might not work, but that, by imparting blind trust to a script, we might never know under what circumstances it would not work.

Another good quote from David Levy:

"Understanding what we want to accomplish, and what we can accomplish, with regard to authenticity in the digital realm will take considerable effort."

Content authentication information, be it image or otherwise, should be verifiably embedded or associated with data at the time data is first instantiated. It certainly would save a great deal of time and resources.
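Levy's audit-trail option, and the point that authentication information should be bound to data when it is first instantiated, can be made concrete with a hash-chained provenance log; the following is an added example, not code from Levy, Farid, or the original post. The recorder key, the sample "image" bytes, and all function names are constructed assumptions.

```python
import hashlib, hmac, json

# Assumption: stands in for the signing key of a trusted recorder (camera, DMS, notary).
RECORDER_KEY = b"constructed-demo-key"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def seal(entry: dict) -> str:
    """Keyed MAC over the entry's fields, so an entry cannot be edited unnoticed."""
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(RECORDER_KEY, body, hashlib.sha256).hexdigest()

def record(trail: list, action: str, before: bytes, after: bytes) -> None:
    """Append one transformation, chained to the previous entry's seal."""
    entry = {"action": action, "input": digest(before), "output": digest(after),
             "prev": trail[-1]["seal"] if trail else ""}
    entry["seal"] = seal(entry)
    trail.append(entry)

def verify(trail: list, trusted_original: bytes, presented: bytes) -> bool:
    """True only if every step is sealed and the chain links original to presented."""
    current, prev = digest(trusted_original), ""
    for entry in trail:
        fields = {k: v for k, v in entry.items() if k != "seal"}
        if not hmac.compare_digest(entry["seal"], seal(fields)):
            return False          # entry was edited after it was recorded
        if entry["prev"] != prev or entry["input"] != current:
            return False          # step missing, reordered, or applied to other data
        current, prev = entry["output"], entry["seal"]
    return current == digest(presented)

if __name__ == "__main__":
    # Constructed sample data standing in for image files.
    original = b"photo-bytes: gazebo with refuse pool"
    converted = b"jpeg(" + original + b")"
    cropped = converted[:24]
    altered = b"jpeg(photo-bytes: gazebo with green lawn)"
    trail = []
    record(trail, "convert to JPEG", original, converted)
    record(trail, "crop", converted, cropped)
    print(verify(trail, original, cropped))   # trail reaches the presented file
    print(verify(trail, original, altered))   # altered file has no path to the original
    trail[1]["output"] = digest(altered)      # forger rewrites the last step
    print(verify(trail, original, altered))   # seal no longer matches
```

A signature applied to the altered file alone would still verify, since it only shows the file is unchanged since signing; the trail is what ties a presented file back to a version there are independent reasons to trust.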


Wednesday, April 04, 2007


Ok. Back in Blog. Not sure I wanted to continue, but I will. I am also widening (or narrowing, depends on perspective) to include digital evidence, eDiscovery, and information technology law issues generally. Enjoy.

April 4, 2007: There is an upcoming ABA book on Digital Evidence, for which I have written a chapter or two. Stay tuned.

April 4, 2007: Order Granting Motion to Compel eDiscovery (from a February 2007 decision): For those who thought Zubulake provides a shield rather than a sword, here's my cross-post from the American Bar Association Information Security Committee List-Serve:

The following decision by Magistrate Judge Facciola in the U.S. District Court for the District of Columbia shouldn't be seen as the tsunami; but you might notice the tide going out... The decision does provide some support for applying the new eDiscovery rules to pending matters (at least where the discovery period is still open) ---something about which I was unsure. It is also interesting that most of the initial discovery rulings will fall on the shoulders of the magistrate judges (at least in Federal Courts).

The short holding: Defendant was ordered by the judge to perform "another and more complete search"

Some interesting observations:

"Under the rule pertaining to discovery of electronically stored information, accessible data must be produced at the cost of the producing party; cost-shifting does not even become a possibility unless there is first a showing of inaccessibility."

The Court then refers to suggestions it made as to where missing years of emails (sandwiched in between years in which emails had been produced) might be found:

"As I explained in my prior opinion, the sought emails, if they exist, could be located in one or more of several places: (1) Peskoff's NextPoint Management email account; (2) the email accounts of other employees, agents, officers, and representatives of the NextPoint entities; (3) the hard drive of Peskoff's computer or any other depository for NextPoint emails, searchable with key words; (4) other places within Peskoff's computer, such as its "slack space," FN1 searchable with the help of a computer forensic technologist; and (5) backup tapes of Mintz Levin's servers."
"According to the Davis affidavit, Mintz Levin created back-up tapes that were overwritten every 14 days. Davis Aff. ¶ 30. After the two-week storage period, tapes are overwritten with new back-up files. Davis Aff. ¶ 20. Therefore, Davis states, anything Peskoff seeks dating back two years is long gone. Davis Aff. ¶ 30. Peskoff points out that the defendant provided no instruction to retain electronic mail at the time the archive file was created. Pls. Resp. at 3-4. In this case, a hard drive, never searched, was produced and the plaintiff's sent and received emails were produced, but (1) there are significant and unexplained gaps in what was produced, and (2) other searches of electronic data that I specifically suggested could be done were not. Furthermore, all of the unopened emails in the Inbox-a total of fourteen-are dated the same day, a date following plaintiff's departure from NextPoint. The 10,436 emails in the "Old Mail" subfolder are all unopened. The emails in the "Old Mail" subfolder are for the period June 25, 2003, to April 14, 2004, but the emails in the 65 other subfolders are all dated for the period June 2000 to June 2001. Thus, there are gaps of several years among the various subfolders with no emails whatsoever during these time periods. While there may be reasons why this is so, on this record all one can say is that this phenomenon is inexplicable."

So, the Court ignores the "long gone" argument provided by a document retention program and asks for other possible outliers.

As for inaccessibility providing a shield, well, the court appears to indicate inaccessible doesn't mean hard to accomplish:

"The obvious negative corollary of this rule [Fed. R. Civ. P. 26(b)(2)(B)] is that accessible data must be produced at the cost of the producing party; cost-shifting does not even become a possibility unless there is first a showing of inaccessibility. Thus, it cannot be argued that a party should ever be relieved of its obligation to produce accessible data merely because it may take time and effort to find what is necessary."

The upshot: "The defendant must therefore conduct a search of all depositories of electronic information in which one may reasonably expect to find all emails to Peskoff, from Peskoff, or in which the word "Peskoff" appears. Once the search is completed, defendant must make the results available to plaintiff in the same format as the electronically stored information was previously made available" Peskoff v. Faber --- F.R.D. ----, 2007 WL 530096 (D.D.C.2007).

My favorites: "obvious negative corollary" and the inexplicable "phenomenon" of a multi-year gap in email records. That's one heckuva document retention policy. Honorable mention: 10,000-plus unopened emails.

[Inexplicable Time-lapse]

Sept 2006: The Florida Professional Ethics committee approved AO-06-2, relating how to handle metadata containing confidential information. Happy to say that Florida takes a centrist position. Recipient must not "mine" (and you miners know who you are) and senders must take appropriate measures to make sure they don't include MD containing confidential information.