Key differences under the California Act include: (i) the right of a party to request production in a specific format; (ii) a responding party bears the burden of proving that data are inaccessible; and (iii) an explicit right to inspect, copy, test, and or sample ESI in the possession or control of a third party.

Limits on ESI Discovery can be appropriate where: (i) the information can be produced from a less-burdensome source, (ii) the discovery sought is unreasonably cumulative or duplicative, or (ii) the burden of producing the ESI outweighs the benefit.

ESI that “is from a source that is not reasonably accessible because of undue burden or expense” shall not be produced, provided the responding party provides written responses identifying data classified as inaccessible and the responding party takes affirmative action to seek a protective order and bear the burden of demonstrating that the ESI is in accessible.  If it is established that the electronically stored information is from a source that is not reasonably accessible because of undue burden or expense, the court may nevertheless order discovery if the opposing party shows good cause.

A party that inadvertently produces ESI that is subject to a claim of privilege or attorney work product protection may seek the return of the ESI by notifying the receiving party.  Upon notice, the opposing party must sequester or return (and not use) the ESI until the claim of privilege is resolved.  The opposing party, where appropriate, may file a motion within 30 days to contest the producing party’s claim of privilege.

          

California Electronic Discovery Act Signed Into Law — Takes Effect Immediately originally appeared on Law Blog 2.0 on July 7, 2009.

Going to Court to force an ISP to disclose the identity of anonymous blogger raises many legal road blocks including issues of First Amendment rights. For example,

On June 13, 2007, the New Jersey Township of Manalapan filed a malpractice suit against its former attorney Stuart Moskovitz, alleging misconduct regarding the Township’s purchase of polluted land in 2005. The decision to file suit was met by a lively debate in the regional press and among local bloggers. One blogger who was particularly critical of the Township, of this and other decisions, was Blogspot blogger “datruthsquad”

(http://www.eff.org/cases/manalapan-v-moskovitz).

Long story short the Township lost, a copy of Electronic Freedom Foundation’s (“EFF”) motion squash is available here motiontoquashmpa-signed; and the Court order squashing the subpoena is available here order-122107.  However, there may exist an alternative method for “unmasking” anonymous bloggers, cyber-stalkers, etc. using public information.  Everyone has a unique writeprint (basically a written fingerprint that can be used to identify him or her).  This technique s has traditionally been used to identify the true author of a text (e.g. a book) where authorship is disputed or unknown. Forensics linguistics has been used to provide evidence in trademark disputes cases, identifying the author of anonymous texts (such as threat or harassment letters), and identifying cases of plagiarism. The identification process relies on the analysis of an individual’s particular patterns of language use (vocabulary, collocations, pronunciation, spelling, grammar, etc.). The term “idiolect” is defined as the speech patterns of a specific person (a dialect, unique in pronunciation, grammar, and vocabulary to a single person). Stylistic features can be used to create a fingerprint of an individual’s writing style (a linguistic fingerprint is called a “writeprint”). A writeprint is composed of features that represent an author’s writing style, which are consistent across all of an individual’s writings. For a gentle introduction, see Digital fingerprints: tiny behavioral differences can reveal your identity, by Julie Rehmeyer in the January 13, 2007 issue of Science News (Westlaw cite 2007 WLNR 2239738).

Email identification is a unique subset of authorship identification. When identifying authorship of anonymous emails, the following considerations have been noted:

• The identification of an author is usually attempted from a small set of known candidates; and

• Other evidence in the form of e-mail headers, e-mail trace route, e-mail attachments, time stamps, or other independent evidence is often used in conjunction with linguistic analysis to establish the identity of the author.

Two studies (both funded by security related government agencies) have applied forensic linguistics to the identification of the authorship of anonymous emails. (See A. Anderson, M. Corney, O. de Vel, and G. Mohay; Identifying the Authors of Suspect E-mail, Communications of the ACM, 2001 (available at eprints.qut.edu.au/archive/00008039/01/8039.pdf); see also Jiexun Li, Rong Zheng, Hsinchun Chen; From Fingerprint to Writeprint, Communications of the ACM (April 2006)).

Characteristics of an email that are relevant in establishing authorship include:

• Composition and writing, such as particular syntactic and structural layout traits;

• Patterns of vocabulary usage;

• Unusual language usage (e.g., converting the letter “f” to “ph”); and

• The excessive use of digits or upper-case letters.

Id.

These studies have found that a dataset of available e-mail used to conduct an evaluation ideally should include about 50 emails per author where each author’s emails include in total approximately 12,000 words. Id. However, other studies have shown that a total of 20 documents for each author are adequate to achieve sufficient accuracy for purposes of authorship identification of an unknown email if additional independent corroborating features are also available. Id. One study, focusing on knowledge acquisition within an organization (for purposes of maintaining institutional knowledge which is lost when an employee leaves an organization) found that email text analysis was superior to a content matter based approached in identifying subject matter expertise within an organization. Campbell, Christopher S.; Maglio, Paul P; Cozzi, Alex; and Dom, Bryon, Expertise Identification using Email Communications, IBM Almaden Research Center (ACM © 2003). Moreover, this study finds a small number of emails sufficient to identify a subject matter expert within an organization. Id.

The literature has found the following stylistic features relevant in describing an individual’s dialect:

• Number of blank lines/ total number of lines;

• Average sentence length;

• Average word length (number of characters);

• Vocabulary richness: (distinct words (V) / total number of words (M));

• Total number of function words (Conjunctions, prepositions, and articles) / total number of words;

• Total number of words three letters or less: all, at, his;

• Hapax legomenon / total number of words (hapax legomenon is a word which occurs only once in the text);

• Hapax legomenon/ total number of unique words;

• Total number of characters in words/ total number of characters in the body of the email (C);

• Total number of alphabetic characters in words/ total number of characters in the body of the email (C);

• Total number of upper case characters in words/ total number of characters in the body of the email (C);

• Total number of digit characters in words/ total number of characters in the body of the email (C);

• Total number of white space characters/ total number of characters in the body of the email (C);

• Total number of space characters/ total number white space characters; and

• Total number of tab spaces/ total number of characters in the body of the email (C).

To date there is only one application publicly available for performing authorship analysis of emails. This application is a python script called Unmask. The application was presented at a computer security conference in 2002 to demonstrate the ease with which stylistic patterns could be used to identify authorship and demographic information of an author using only the text of an email or IRC chat session log. Unmask has been used by forensic examiners for the last few years to identify the authorship of unknown emails with a high degree of accuracy (depending on the stylistic features used). Accuracy ranges between 97.85% and 99.01%. Unmask identifies the author of anonymous email text by analyzing select stylistic features and matching properties of the anonymous text with a known email text. Unmask does not use all the listed stylistic features. A summary of features recognized by various researchers has been compiled for reference purposes. The stylistic features detailed above can also be used to classify emails based on the geographical origin of the author, gender, age, occupation, and sexual orientation.

Unmask is available at http://www.immunitysec.com/downloads/unmask1.0.tar.gz. Unmask was developed by Dave Aitel, who currently is CTO of Immunity Security.¹ Unmask was written soon after Dave Aitel’s departure from the National Security Agency where he worked for six years. Similar tools are known to be in use by the Federal Government for purposes of identifying terrorists and other criminals: these tools are not publically available. By compounding it he expands the differences between different people. The more you match, the more an individual score will increase, however, this is not a linear function. There are some really obvious words, like “a”, “the”, “I”, and “an” that a hypothetical email user will use, and thus common doubles. The frequency of triples is significantly less frequent. Punctuation

Relatively minor differences between the raw scores for two hypothetical test users may reflect significant differences in the likelihood of a match. For example Jane may have a raw score of 20 and John a raw score of 18 and John when identifying an unknown email compared against each users known sample emails. Jane compared against John shows that John’s score is ninety percent that of Jane. Numerous, normal, stylistic similarities between Jane and John will result in their scores hitting a local minimum value that reflects these “normal” stylistic similarities. Beyond this local minimum value unusual and unique stylistic features become a factor (the relative magnitude of these differences are significantly smaller as compared to normal stylistic similarities) accordingly these few matches reflect an exponentially difference in the quality of the match. Accordingly, a 10% relative difference in raw score may potentially equate to a 99% match for Jane and 10% (or less likelihood) of a match for John, even though Jane and John share styles are objectively very close to each-other.

Some unique features of the matching algorithm should be carefully considered when evaluating the quality of a given match:

• Two hypothetical users, with a strong command of English that use a lot of articles, prepositions and conjunctions where there is little bias of either user toward a given combination of words, the more significant small variations become;

• Individuals with a limited vocabulary will have their stylistic features padded by less common words, and generally by default will match less well, accordingly, the likelihood of error is significantly higher where comparing an anonymous email against a universe of potential email users some of which have a good command of English and other users who have a limited English vocabulary. However, users with a limited command of English will likely have stylistics variations that are indicate of their demographic group or nationality; and

• Unique words have been to shown to be strongly correlated to a given user. However, the Unmask algorithm may not match long and/or odd word combinations especially where the sample size for a given library of emails for a given user test case becomes extremely large. Nevertheless the matching algorithm should not be significantly affected with emails because emails are relatively short (opposed to other types of written texts) and where the total sample size of 12,000 words among all emails for a given user is maintained.

Figure 1 – Functions Words (Prepositions, Articles, and Conjunctions Are Distinctive Features)

The few courts that have addressed the issue over the last century have generally found linguistic stylistic features to be admissible evidence:

• In the Matter of the Estate of Violet Houssien, 3AN-98-59 P/R, Superior Court for the State of Alaska(1999)(available at http://www.touchngo.com/sp/html/sp-5496.htm), Court held that the disputed will was not authored by the decedent but by the Appellants [or at their direction].

• In the Matter of the Appeal of Amarjit Saluja, 30082 and 94-16 (1994 California State Personnel Board)(available at http://www.spa.ca.gov/spblaw/pdsindex.htm), the Court found that employee authored anonymous letters that harmed other employees.

• In United States v Larson, 596 F2d 759 (CA8 Minn. 1979), the court held that the jury in a criminal prosecution had been properly permitted to consider evidence showing that one ransom note contained three separate misspellings of “approach” as “approuch,” while a letter known to be written by the accused also contained the same misspelling.

• In Josephs v Briant, 115 Ark 538, 172 SW 1002 (Ark. 1914), court allowed evidence of spelling peculiarities, as well as syntactical peculiarities, to establish authorship of a document.

• In Bartholomew v Walsh, 191 Mich. 252, 157 NW 575 (Mich. 1916), evidence of punctuation characteristics and technical typing characteristics were found admissible.

• In Re Cravens’ Estate, 206 Okla. 174, 242 P2d 135 (Okla. 1952), the court allowed evidence of distinctive punctuation technique along with other typing characteristics to show that a purported testator had not typed certain portions of a disputed will.

Over the last 25 years, with the evolution of more advanced statistical methods and algorithms to identify authorship of a document, this type of evidence has not been challenged. Statistical methods of evaluating the authorship of an article are distinct from traditional literary theory (which in at least one researcher’s opinion is not sufficient to satisfy a Daubert challenge). See C. Chaski., A Daubert-inspired assessment of current techniques for language-based author identification, Technical Report, US National Institute of Justice, 1998 (available at www.ncjrs.org). Writeprinting authors using stylistic features is a new method to combat cybercrime where law enforcement or victims of cybercrimes can use a criminal’s own anonymous emails, blog entries and IRC chat sessions as evidence of their illegal conduct.

          

Fingerprinting (Writeprinting) Text Using Stylistic Features Can Be Used To Accurately Identify the Authorship of Anonymous Emails, Blog Entries and IRC Chat Sessions originally appeared on Law Blog 2.0 on June 20, 2009.

The scenario is illustrated by a recent case in the Southern District of New York.  In Arista Records, LLC v. Usenet.com Inc., 2009 WL 185992 (S.D.N.Y. Jan. 26, 2009).  In Arista (at page 26-27) the Court found the evidence at issue (Usenet usage logs) to be “transitory in nature” and “not routinely created or maintained” in the regular course of business.  Nevertheless the Court found that while the:

Rule 37(f) of the Federal Rules of Procedure limits sanctions for the loss of ESI in certain cases.  Rule 37(f) provides that “Absent exceptional circumstances, sanctions cannot be imposed for loss of ESI resulting from a routine, good faith operation of an electronic information system.” This Rule responds to a distinctive and necessary feature of computer systems — the recycling, overwriting, and alteration of electronically stored information that attends normal use.  This Rule however is not intended to provide a shield for a party that intentionally destroys specific information because of its relationship to litigation, or for a party that allows such information to be destroyed in order to make it un-available in discovery by exploiting the routine operation of an information system.  Depending on the underlying circumstances (including notice), good faith may require that a party intervene to modify or suspend certain features of the routine operation of a computer system to prevent the loss of information, if that information is subject to a preservation obligation.

A recent case in the Northern District of California provides one example of the application of this safe harbor.  In this case a party without reasonable notice that a given class of documents was relevant to a pending litigation was protected under Rule 37(f) from sanctions when the information was purged as part of the defendant company’s document retention policy. In Gippetti v. UPS, Inc., 2008 WL 3264483 (N.D. Cal. Aug. 6, 2008)2, the plaintiff requested discovery of digital records, called “tachographs” showing the fleet vehicles’ speeds and the length of time they are moving or stationary, to support his claim that other drivers were not disciplined for the same alleged infractions. Most of this information had been purged pursuant to a document retention policy.  The plaintiff then moved for spoliation sanctions, claiming that the defendant knew or should have known that the tachographs would be relevant to the litigation

In this instance, however, the defendant company:

• Had a documented retention policy that provided tachgraphs were retained for only 37 days;
• The Company produced existing tachograph records covering the most recent two-month period of time (the only available records given the document retention policy; and
• The Company’s document retention policy dated back to 2002, a date prior to the litigation.

The Court found sanctions to be inappropriate because the defendant has no notice that tachographs were relevant to his claims, that they were not directly related to the defendant’s affirmative defense, and they were destroyed in accordance with a routine company policy.

In some instances courts have even failed to sanction a part even though relevant information may have been lost due to routine computer maintenance activities. See Maxpower Corp. v. Abraham, 2008 WL 1925138 (W.D. Wis. April 29, 2008). Former employees who went to work for a competitor, of the plaintiff obtained an order allowing it to inspect the former employees’ laptop hard drives.  However, the plaintiffs’ computer forensic expert determined that the defendants’ laptops found that the evidence of hard drive wiping.  The inspection established that the former employees had deleted information from the hard drives after the suit had been filed.  However, the defendants presented evidence that the wiping of their laptops was done for maintenance purposes.  The Court denied the plaintiffs’ motion for sanctions, finding insufficient evidence to support the argument that wiping the hard drive constituted deliberate spoliation.

          

Avoiding Rule 37(f) Safe Harbor Protection in Absence of Specific Electronic Discovery Requests originally appeared on Law Blog 2.0 on March 10, 2009.