The Ninth Circuit’s decision is certainly inconsistent with the Seventh Circuit’s analysis, to the extent the Seventh Circuit based liability under the CFAA on an agency theory where the servant (the employee) unilaterally aquireed an interest inconsistent with his principle (his employer) the serverant (the employee) lost his right (authorization) to access his employer’s (the principle’s) protected computer. The operative language cited in Citrin (following the Restatement (Second) of Agency §§ 112, 387 (1958): “Unless otherwise agreed, the authority of the agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.”

Because the employee in LVRC Holdings was authorized to use the company computer and to access the information, he did not violate the CFAA regardless of his motivation. The opinion most likely would have been different under a slightly different factual scenario. First, if the employer had a policy prohibiting employees from emailing company data to their personal email accounts or requiring employees to return or destroy confidential information upon the conclusion of their employment then the employee would have exceeded his level of authorization regardless of whether his interests were aligned or not aligned with his former employer. In LVRC Holding the employee was authorized to use the company computer and to access the information, he did not violate the statute, under the 9th Circuit’s decision the former employee’s motivation is irrelevant.

I believe the conclusion reached by the 9th circuit and 7th circuit can be rationally reconciled based on the factual differences between the two cases. The Court in Citrin properly reasoned that congress intended that the CFAA should apply to disgruntled employees in certain situations but the 9th circuit’s decision provides a better basis for defining culpability under the CFAA. Courts do not want to engage in mind-games to assess the employee’s intention (or motivation) in order reach a conclusion regarding whether an employee’s conduct violated or did not violate the CFAA

The CFAA was intended to reach:

Attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii)attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii).

However, the CFAA cannot become a catchall basis for finding criminal and/or civil liability in the absence of other relevant legal authority.

          

9th Circuit Decision in LVRC Holdings Rejects 7th Circuit’s Holding in Citrin Based on a Motivation Theory of Liability Under the Computer Fraud and Abuse Act originally appeared on Law Blog 2.0 on September 18, 2009.

a.    Take immediate action to stop the incident from continuing or recurring.

b.    If the incident does not involve the loss of confidential information or have other serious impacts to individuals IT should repair the system, restore service, and preserve evidence of the incident.

c.    If the incident involves the loss of confidential information or critical data or has other potentially serious impacts, you should consult with your general counsel or your legal counsel for guidance under applicable federal and state laws.

e.    File a Security Incident Report including a description of the incident and documenting any actions taken thus far.

f.     Refrain from discussing the incident with others until a response plan has been formulated.

g.    Repair the system and restore service.

h.    Preserve evidence of the incident.

Did a reportable security breach occur?

Some factors to consider when evaluating a potential security breach.

When determining whether or not acquisition has actually or is reasonably believed to have occurred, on should consider, at a minimum, the following indicators:

1. The information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other devices that have the capability of containing information, or such as a misdirected electronic mail transmission received and opened by an unauthorized person containing notice-triggering information.
2. The information has been downloaded or copied (e.g., any evidence that download or copy activity has occurred which may require forensic analysis);
3. The attacker deleted security logs or otherwise “covered their tracks”;
4. The duration of exposure in relation to maintenance of system logs or in cases of an inadvertent or unauthorized Web site posting;
5. The attack vector is known for seeking and collecting personal information;
6. The information was used by an unauthorized person, such as instances of identity theft reported or fraudulent accounts opened.

Appropriate Incident Handling Procedures Are Key.

DOs

1. Immediately isolate the affected system to prevent further intrusion, release of data, damage, etc.
2. Use the telephone to communicate. Attackers may be capable of monitoring email traffic.
3. Immediately notify your security incident response team.
4. Activate all auditing software, if not already activated.
5. Preserve all pertinent system logs, e.g., firewall, router, and intrusion detection system.
6. Make backup copies of damaged or altered files, and keep these backups in a secure location.
7. Identify where the affected system resides within the network topology.
8. Identify all systems and agencies that connect to the affected system.
9. Identify the programs and processes that operate on the affected system(s), the impact of the disruption, and the maximum allowable outage time.
10. In the event the affected system is collected as evidence, make arrangements to provide for the continuity of services, i.e., prepare redundant system and obtain data back-ups. To assist with your operational recovery of the affected system(s), pre-identify the associated IP address, MAC address, Switch Port location, ports and services required, physical location of system(s), the OS, OS version, patch history, safe shut down process, and system administrator or backup.

DON’Ts

1. Delete, move, or alter files on the affected systems.
2. Contact the suspected perpetrator.
3. Conduct a forensic analysis.

Other Considerations

1. Collect information for each server, router, switch, and Data Service Unit (DSU) including:
   • IP address
   • Media Access Control (MAC) address
   • Switch Port location (switch name and port number)
   • Port assignment
   • Ports and services are required
   • Statement that all other unneeded ports and services are closed and/or removed
   • Responsible system administrator and backup
   • Physical location of server
   • Physical security implemented
   • Emergency contact information (both technical and user management)
   • OS/Version/Patch history
   • Systems supported, impact of outage, and maximum allowable outage (MAO)
   • Shutdown script (if applicable)
   • Recovery process
2. Identify all external connections, assess the need for the connections, the security risk to each connection, and any recommended safeguards or strategies.
3. Provided an adequate security message and warning banner on your system.
4. Implement a keystroke monitoring program.
5. Does personal information reside on, or is it transmitted through the affected system (as defined by federal and/or state security breach notification statutes)?

Steps to Minimize Potential Liability

1. Review physical and electronic access by employees and investigate abnormal activity in ALL computing environments.
2. Review system administrators, field accounts, and special access rights for appropriate access levels.
3. Ensure that systems are always backed up and the data is securely placed in an offsite location. Periodically conduct data restore tests.
4. Ensure that current anti-virus protection software and upgrades are installed, operational, and monitored. In addition, schedule routine virus scans on servers and desktops.
5. Remove sensitive information from websites.
6. Limit the size and manage the type of email attachments that can be received (certain systems allow you to disable executable files).
7. Keep the IT Operational Recovery Plan (ORP) and Business Continuity Plan (BCP) up-to-date, tested, and ready for implementation.
8. Establish security accountability for any and all users at appropriate levels.
9. Improve security on access to critical assets and facilities with technology environments.
10. Remove unnecessary services on routers, ports, servers, and network devices.
11. Trace or monitor the necessary services.
12. Designate an Information Security Officer (ISO) who shall report to the Director of the department or designee. The ISO shall not report to the Chief Information Officer (CIO).
13. Continuously educate management on the priority of security and the security risks associated with Information Technology.
14. Install warning banners at the login process for access to all state systems and applications.
15. Increase user awareness in security by continuously enhancing technology use policy such as “non-personal use of email.”
16. Verify that software updates and patches are continuously installed on a timely basis to operating systems and applications. Be wary of standard software installations. These installations often include services or features which you do not use and do not update.
17. Ensure that current anti-virus protection software and upgrades are installed, operational, and monitored.
18. Improve or remove user accounts with weak passwords, default or built-in passwords, old passwords, or no passwords. All accounts must have passwords and passwords should be complex and difficult to guess.
19. Require use of passwords containing alpha-numeric-special character combinations. Passwords should expire after a set period of time and employ a password history to prevent repeated passwords.
20. Ask if you have a policy which cancels log-ins/passwords when employees leave your organization. If so, verify that the policy is enforced.
21. Implement intrusion detection, provide monitoring on critical information systems, such as maintaining system logs on write only CDs.
22. Restrict non-business use of e-mail.
23. Review your remote access procedures and policies. Who is granted access? How is it monitored? If virtual private network (VPN) access is provided, have minimum security standards been established for the remote computer? How is this verified?
24. Enforce a policy regarding Internet use (viruses such as Trojan Horses can be introduced by visiting websites).
25. Restrict use of chat room software, AOL Instant Messenger, IRC Chat, ICQ Chat, (viruses can be introduced by visiting chat rooms).
26. Maintain a firewall between your system and any untrusted system (Internet connection).

Recommended Resources

NIST Special Publication 800-61 (Rev. 1)(Mar 2008    ) Computer Security Incident Handling Guide (available at http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf).
NIST Special Publication 800-86(Aug 2006) Guide to Integrating Forensic Techniques into Incident Response (available at http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf).
NIST Special Publication 800-83(Nov 2005) Guide to Malware Incident Prevention and Handling (available at http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf).

          

Evaluating Secutiy Incidents — Security Incident DOs and DON’Ts originally appeared on Law Blog 2.0 on September 8, 2009.

Aggressive E-Discovery

The references to the use or misuse of this "e-mail system" in paragraph 4 could reasonably be interpreted to refer only to the company's work-based system and not to an employee's personal private email account accessed via the company's computer.

<noscript> <META HTTP-EQUIV=Refresh CONTENT="0; URL=/ym/login?nojs=1"> </noscript>

          

Analysis of Former Employee’s Laptop Can Raise Privilege Issues originally appeared on Law Blog 2.0 on July 10, 2009.

Key differences under the California Act include: (i) the right of a party to request production in a specific format; (ii) a responding party bears the burden of proving that data are inaccessible; and (iii) an explicit right to inspect, copy, test, and or sample ESI in the possession or control of a third party.

Limits on ESI Discovery can be appropriate where: (i) the information can be produced from a less-burdensome source, (ii) the discovery sought is unreasonably cumulative or duplicative, or (ii) the burden of producing the ESI outweighs the benefit.

ESI that “is from a source that is not reasonably accessible because of undue burden or expense” shall not be produced, provided the responding party provides written responses identifying data classified as inaccessible and the responding party takes affirmative action to seek a protective order and bear the burden of demonstrating that the ESI is in accessible.  If it is established that the electronically stored information is from a source that is not reasonably accessible because of undue burden or expense, the court may nevertheless order discovery if the opposing party shows good cause.

A party that inadvertently produces ESI that is subject to a claim of privilege or attorney work product protection may seek the return of the ESI by notifying the receiving party.  Upon notice, the opposing party must sequester or return (and not use) the ESI until the claim of privilege is resolved.  The opposing party, where appropriate, may file a motion within 30 days to contest the producing party’s claim of privilege.

          

California Electronic Discovery Act Signed Into Law — Takes Effect Immediately originally appeared on Law Blog 2.0 on July 7, 2009.

Employee Theft

With unemployment reaching 10% employers are  more at risk then ever from former employees who are let go, regardless of the reason attempt to take punitive action against their former employer.  Recent cases highlight actions by former employees which put their former employer at risk through the spoliation of relevant data and/or theft of company trade secrets.   Spoliation occurs when a party is aware of pending litigation, or should reasonably be able to anticipate pending litigation, and the party fails to suspend the destruction of documents that may be relevant to anticipated litigation; the party is also required suspend routine document purging (or passive) destruction of data by systems.  Accordingly, in anticipation of potential legal issues resulting with from the termination of an employee’s, an employer should specifically define the scope (or absence thereof) of the employee’s right/expectation of privacy when using work owned information systems or computers in a policy or employee handbook. Nat’l Econ. Research Assocs., Inc. v. Evans, 2006 WL 2440008 (Mass. Super. Ct. Aug. 3, 2006)(relating to privilege of attorney-client communication of employee with his/her attorney), see also Sprenger v. The Rector and Board of Visitors of Virginia Tech, 2008 U.S. Dist. LEXIS 47115 (W.D. Va. June 17, 2008)(relating to spousal privilege).  Second, the employer should remind the departing employee of the former employee’s duty not to steal company trade secrets and/or other confidential material regardless of the reason.  Finally, employer should inform the former employee that he/she should not delete and/or destroy relevant data if he/she anticipates bringing legal action.

Spoliation

The Eastern District Court of Virginia, in Rambus a 2004 a case arising out of an intellectual property dispute, stated the relevant principle: “even if a party’s intentional destruction of documents was not in bad faith, it would be guilty of spoliation if it reasonably anticipated litigation when it did so.”  In this case, as a result of the Defendant failure to stop both active and passive deletion of data, the Court granted the Defendant’s motion and ordered the Plaintiff to produce documents relating to its document retention.  See Rambus, Inc. v. Infineon Technologies AG, 222 F.R.D. 280 (E.D. Va. 2004); see also In re Intel Corp. Microprocessor Antitrust Litig., 2008 WL 2310288 (D. Del. June 4, 2008)(Intel did not turn off the 35 day auto-delete function on its employee e-mail system.  Intel claimed this was unnecessary because it instructed employees to hold important documents and because key employees (“custodians”) were moved to a different server that automatically stored the emails.  Intel discovered a lapse in the plan and hired outside counsel to interview the custodians and correct the problem.  The Court ordered the production of the attorney’s notes from the interviews).

Theft by Terminated Employees

Terminated employees often bring legal action against their former employer (or the former employer, on discovering theft of trade secrets and other confidential information files, brings suit against the former employee and his/her new employer).  In anticipation of this action, an employee may take home his company owned laptop and delete and/or destroy company data or attempt to hold hostage company confidential information under the auspices that said information relates to the former employee’s discrimination action against their former employer.  Alternatively, the former employee may seek to leverage trade secrets taken from their former employer to get a new position with the former employer’s key competitor.  Many employees fail to appreciate the gravity of these actions.

Often former employees (and the new employers) fail to take appropriate steps to preserve data even when they not only anticipate bringing a subsequent legal action but actually hire an attorney and file a complaint against their former employer.  In one recent case, a former employee accused of stealing company trade secrets was sued by his former employer.  In  Beard Research, Inc. v. Kates, 2009 WL 1515625 (Del. Ch. May 29, 2009) the Defendant former employee had purchased a computer for work purposes, and subsequent to the commencement of legal action deleted data from his drive, and then later had the drive replaced with a new drive when the old drive failed by his new employer (also a Defendant in the case).  The old drive subject to the ligation hold was disposed of by the Defendant’s new employer’s technical support group (who happened to be also handling the e-discovery aspects of the case).  Just prior to turning over the drive the former employee also defragmented the hard drive (after deleting potentially relevant evidence).  The Defendant failed to notify the Plaintiffs’ of his actions which resulted in the loss of key data.  The Plaintiffs’ claimed that defendants interfered with business relationships and misappropriated trade secrets, plaintiffs sought sanctions for the destruction of information which belonged to a former employee of plaintiff (a defendant in the case).

The Court found that “drawing an adverse inference is appropriate when an actor is under a duty to preserve evidence and takes part in the destruction of evidence while being consciously aware of the risk that he or she will cause or allow evidence to be spoliated by action or inaction and that the risk would be deemed substantial and unjustified by a reasonable person,” the court determined that an adverse inference was appropriate in this case for deletion of the data and the replacement/loss of the original drive.  The Court also found that Defendants responsible for the loss of evidence resulting from Defendant’s failure to “take reasonable steps to ensure that [Defendant] preserved his laptop computer…”

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (18 USC 1030) provides an alternative cause of action whereby an employer may effectively counter the bad acts of a former employee who takes advantage of his/her former privledges either to delete data and/or duplicate trade secrets for their own purposes. Generally 18 USC 1030 provides that whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains (a) information contained in a financial record of a financial institution [or] (b) information from any protected computer if the conduct involved an interstate or foreign communication then (c) a plaintiff may maintain a civil action against the violator, if the plaintiff suffers damage or loss by reason of a violation of this section in excess of 5000 dollars. The distinction between authorized access to an information system and when an action becomes unauthorized and/or the employee exceeds his/or her authorization has been clarified over the last couple of years In a series of cases, former employers were able to sustain actions under the Computer Fraud and Abuse Act. See Charles Schwab & Co., Inc. v. Carter, Not Reported in F.Supp.2d, 2005 WL 2369815 (N.D.Ill., September 27, 2005); HUB Group, Inc. v. Clancy, 2006 U.S. Dist. LEXIS 2635 (E.D. Pa., January 26, 2006)(Integrity of Plaintiff’s database damaged by Defendants actions actionable under 18 USC 1030). The clasical application of this law in the employment context is where an employee accepts a jobs with a competitor but the employee uses his/her position to collect company secrets to deliver to the employee’s new employer. However a recent case has extended the application of 18 USC 1030 to employees who refuse to return work computers following termination of employment and the former employee deleted information from said laptop. See Lasco Foods Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, — F.Supp.2d , 2009 WL 151687 (E.D.Mo., 2009).

Key issues to keep in mind are (1) maintaining control over key pieces of evidence, (2) ensuring a proper chain of custody form accounting for each individual who has touched a piece of evidence, (3) be proactive in reminding opposing counsel of his/her duties and obligations and (4) do not be afraid to use the Computer Fraud and Abuse Act to mitigate damage done by former employers unauthorized use of your company’s information system.

          

Former Emloyees Misuse of Company Owned Computers: E-Discovery Issues and Claims Under 18 USC 1030 originally appeared on Law Blog 2.0 on July 6, 2009.

Going to Court to force an ISP to disclose the identity of anonymous blogger raises many legal road blocks including issues of First Amendment rights. For example,

On June 13, 2007, the New Jersey Township of Manalapan filed a malpractice suit against its former attorney Stuart Moskovitz, alleging misconduct regarding the Township’s purchase of polluted land in 2005. The decision to file suit was met by a lively debate in the regional press and among local bloggers. One blogger who was particularly critical of the Township, of this and other decisions, was Blogspot blogger “datruthsquad”

(http://www.eff.org/cases/manalapan-v-moskovitz).

Long story short the Township lost, a copy of Electronic Freedom Foundation’s (“EFF”) motion squash is available here motiontoquashmpa-signed; and the Court order squashing the subpoena is available here order-122107.  However, there may exist an alternative method for “unmasking” anonymous bloggers, cyber-stalkers, etc. using public information.  Everyone has a unique writeprint (basically a written fingerprint that can be used to identify him or her).  This technique s has traditionally been used to identify the true author of a text (e.g. a book) where authorship is disputed or unknown. Forensics linguistics has been used to provide evidence in trademark disputes cases, identifying the author of anonymous texts (such as threat or harassment letters), and identifying cases of plagiarism. The identification process relies on the analysis of an individual’s particular patterns of language use (vocabulary, collocations, pronunciation, spelling, grammar, etc.). The term “idiolect” is defined as the speech patterns of a specific person (a dialect, unique in pronunciation, grammar, and vocabulary to a single person). Stylistic features can be used to create a fingerprint of an individual’s writing style (a linguistic fingerprint is called a “writeprint”). A writeprint is composed of features that represent an author’s writing style, which are consistent across all of an individual’s writings. For a gentle introduction, see Digital fingerprints: tiny behavioral differences can reveal your identity, by Julie Rehmeyer in the January 13, 2007 issue of Science News (Westlaw cite 2007 WLNR 2239738).

Email identification is a unique subset of authorship identification. When identifying authorship of anonymous emails, the following considerations have been noted:

• The identification of an author is usually attempted from a small set of known candidates; and

• Other evidence in the form of e-mail headers, e-mail trace route, e-mail attachments, time stamps, or other independent evidence is often used in conjunction with linguistic analysis to establish the identity of the author.

Two studies (both funded by security related government agencies) have applied forensic linguistics to the identification of the authorship of anonymous emails. (See A. Anderson, M. Corney, O. de Vel, and G. Mohay; Identifying the Authors of Suspect E-mail, Communications of the ACM, 2001 (available at eprints.qut.edu.au/archive/00008039/01/8039.pdf); see also Jiexun Li, Rong Zheng, Hsinchun Chen; From Fingerprint to Writeprint, Communications of the ACM (April 2006)).

Characteristics of an email that are relevant in establishing authorship include:

• Composition and writing, such as particular syntactic and structural layout traits;

• Patterns of vocabulary usage;

• Unusual language usage (e.g., converting the letter “f” to “ph”); and

• The excessive use of digits or upper-case letters.

Id.

These studies have found that a dataset of available e-mail used to conduct an evaluation ideally should include about 50 emails per author where each author’s emails include in total approximately 12,000 words. Id. However, other studies have shown that a total of 20 documents for each author are adequate to achieve sufficient accuracy for purposes of authorship identification of an unknown email if additional independent corroborating features are also available. Id. One study, focusing on knowledge acquisition within an organization (for purposes of maintaining institutional knowledge which is lost when an employee leaves an organization) found that email text analysis was superior to a content matter based approached in identifying subject matter expertise within an organization. Campbell, Christopher S.; Maglio, Paul P; Cozzi, Alex; and Dom, Bryon, Expertise Identification using Email Communications, IBM Almaden Research Center (ACM © 2003). Moreover, this study finds a small number of emails sufficient to identify a subject matter expert within an organization. Id.

The literature has found the following stylistic features relevant in describing an individual’s dialect:

• Number of blank lines/ total number of lines;

• Average sentence length;

• Average word length (number of characters);

• Vocabulary richness: (distinct words (V) / total number of words (M));

• Total number of function words (Conjunctions, prepositions, and articles) / total number of words;

• Total number of words three letters or less: all, at, his;

• Hapax legomenon / total number of words (hapax legomenon is a word which occurs only once in the text);

• Hapax legomenon/ total number of unique words;

• Total number of characters in words/ total number of characters in the body of the email (C);

• Total number of alphabetic characters in words/ total number of characters in the body of the email (C);

• Total number of upper case characters in words/ total number of characters in the body of the email (C);

• Total number of digit characters in words/ total number of characters in the body of the email (C);

• Total number of white space characters/ total number of characters in the body of the email (C);

• Total number of space characters/ total number white space characters; and

• Total number of tab spaces/ total number of characters in the body of the email (C).

To date there is only one application publicly available for performing authorship analysis of emails. This application is a python script called Unmask. The application was presented at a computer security conference in 2002 to demonstrate the ease with which stylistic patterns could be used to identify authorship and demographic information of an author using only the text of an email or IRC chat session log. Unmask has been used by forensic examiners for the last few years to identify the authorship of unknown emails with a high degree of accuracy (depending on the stylistic features used). Accuracy ranges between 97.85% and 99.01%. Unmask identifies the author of anonymous email text by analyzing select stylistic features and matching properties of the anonymous text with a known email text. Unmask does not use all the listed stylistic features. A summary of features recognized by various researchers has been compiled for reference purposes. The stylistic features detailed above can also be used to classify emails based on the geographical origin of the author, gender, age, occupation, and sexual orientation.

Unmask is available at http://www.immunitysec.com/downloads/unmask1.0.tar.gz. Unmask was developed by Dave Aitel, who currently is CTO of Immunity Security.¹ Unmask was written soon after Dave Aitel’s departure from the National Security Agency where he worked for six years. Similar tools are known to be in use by the Federal Government for purposes of identifying terrorists and other criminals: these tools are not publically available. By compounding it he expands the differences between different people. The more you match, the more an individual score will increase, however, this is not a linear function. There are some really obvious words, like “a”, “the”, “I”, and “an” that a hypothetical email user will use, and thus common doubles. The frequency of triples is significantly less frequent. Punctuation

Relatively minor differences between the raw scores for two hypothetical test users may reflect significant differences in the likelihood of a match. For example Jane may have a raw score of 20 and John a raw score of 18 and John when identifying an unknown email compared against each users known sample emails. Jane compared against John shows that John’s score is ninety percent that of Jane. Numerous, normal, stylistic similarities between Jane and John will result in their scores hitting a local minimum value that reflects these “normal” stylistic similarities. Beyond this local minimum value unusual and unique stylistic features become a factor (the relative magnitude of these differences are significantly smaller as compared to normal stylistic similarities) accordingly these few matches reflect an exponentially difference in the quality of the match. Accordingly, a 10% relative difference in raw score may potentially equate to a 99% match for Jane and 10% (or less likelihood) of a match for John, even though Jane and John share styles are objectively very close to each-other.

Some unique features of the matching algorithm should be carefully considered when evaluating the quality of a given match:

• Two hypothetical users, with a strong command of English that use a lot of articles, prepositions and conjunctions where there is little bias of either user toward a given combination of words, the more significant small variations become;

• Individuals with a limited vocabulary will have their stylistic features padded by less common words, and generally by default will match less well, accordingly, the likelihood of error is significantly higher where comparing an anonymous email against a universe of potential email users some of which have a good command of English and other users who have a limited English vocabulary. However, users with a limited command of English will likely have stylistics variations that are indicate of their demographic group or nationality; and

• Unique words have been to shown to be strongly correlated to a given user. However, the Unmask algorithm may not match long and/or odd word combinations especially where the sample size for a given library of emails for a given user test case becomes extremely large. Nevertheless the matching algorithm should not be significantly affected with emails because emails are relatively short (opposed to other types of written texts) and where the total sample size of 12,000 words among all emails for a given user is maintained.

Figure 1 – Functions Words (Prepositions, Articles, and Conjunctions Are Distinctive Features)

The few courts that have addressed the issue over the last century have generally found linguistic stylistic features to be admissible evidence:

• In the Matter of the Estate of Violet Houssien, 3AN-98-59 P/R, Superior Court for the State of Alaska(1999)(available at http://www.touchngo.com/sp/html/sp-5496.htm), Court held that the disputed will was not authored by the decedent but by the Appellants [or at their direction].

• In the Matter of the Appeal of Amarjit Saluja, 30082 and 94-16 (1994 California State Personnel Board)(available at http://www.spa.ca.gov/spblaw/pdsindex.htm), the Court found that employee authored anonymous letters that harmed other employees.

• In United States v Larson, 596 F2d 759 (CA8 Minn. 1979), the court held that the jury in a criminal prosecution had been properly permitted to consider evidence showing that one ransom note contained three separate misspellings of “approach” as “approuch,” while a letter known to be written by the accused also contained the same misspelling.

• In Josephs v Briant, 115 Ark 538, 172 SW 1002 (Ark. 1914), court allowed evidence of spelling peculiarities, as well as syntactical peculiarities, to establish authorship of a document.

• In Bartholomew v Walsh, 191 Mich. 252, 157 NW 575 (Mich. 1916), evidence of punctuation characteristics and technical typing characteristics were found admissible.

• In Re Cravens’ Estate, 206 Okla. 174, 242 P2d 135 (Okla. 1952), the court allowed evidence of distinctive punctuation technique along with other typing characteristics to show that a purported testator had not typed certain portions of a disputed will.

Over the last 25 years, with the evolution of more advanced statistical methods and algorithms to identify authorship of a document, this type of evidence has not been challenged. Statistical methods of evaluating the authorship of an article are distinct from traditional literary theory (which in at least one researcher’s opinion is not sufficient to satisfy a Daubert challenge). See C. Chaski., A Daubert-inspired assessment of current techniques for language-based author identification, Technical Report, US National Institute of Justice, 1998 (available at www.ncjrs.org). Writeprinting authors using stylistic features is a new method to combat cybercrime where law enforcement or victims of cybercrimes can use a criminal’s own anonymous emails, blog entries and IRC chat sessions as evidence of their illegal conduct.

          

Fingerprinting (Writeprinting) Text Using Stylistic Features Can Be Used To Accurately Identify the Authorship of Anonymous Emails, Blog Entries and IRC Chat Sessions originally appeared on Law Blog 2.0 on June 20, 2009.

When the File Investigator TOOLS product (http://www.forensicinnovations.com/fitools.html) finds encrypted files, it reports the type of encrypted file and, when possible, what encryption algorithm is used. While some encrypted files can’t be narrowed down to a specific application, just knowing that they are encrypted can be important. In a legal case, knowing that potential evidence is encrypted and intentionally hidden can provide the leverage to entice the encryption key from the owner or show the court intent to conceal evidence. Employers can use this tool to catch employees hiding data on company computers and potentially collecting intellectual property. This technology is also available to our business partners and as a licensed API. For further details, and a discussion on this topic, visit the Innovations Blog, http://www.forensicinnovations.com/blog.

The product has three operating modes, and the SDK (application interface) can be licensed and used in programs that run on Windows, Unix, and Linux.  There is a demo version is limited to 100 files.  The licensed version will identify 30,000 files. There is also a command line DOS type interface. The product identifies over 100+ fields. (See the table below).

The screen shots below shows the two interfaces.

fiwdir \? Command Line Options

Windows Interface

In addition to identifying the above fields of metadata it appears this tool can also be populated with data from the NIST NSRL database.   The National Software Reference Library (NSRL) collects software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS is a collection of digital signatures of known, traceable software applications. There are application hash values in the hash set which may be considered malicious, i.e. steganography tools and hacking scripts.  Other hashes can be found in the haskeeper database.

.

Fields Identified

          

File Identification Tool — Good Product for Identifying Encrypted Files. originally appeared on Law Blog 2.0 on May 20, 2009.

The scenario is illustrated by a recent case in the Southern District of New York.  In Arista Records, LLC v. Usenet.com Inc., 2009 WL 185992 (S.D.N.Y. Jan. 26, 2009).  In Arista (at page 26-27) the Court found the evidence at issue (Usenet usage logs) to be “transitory in nature” and “not routinely created or maintained” in the regular course of business.  Nevertheless the Court found that while the:

Rule 37(f) of the Federal Rules of Procedure limits sanctions for the loss of ESI in certain cases.  Rule 37(f) provides that “Absent exceptional circumstances, sanctions cannot be imposed for loss of ESI resulting from a routine, good faith operation of an electronic information system.” This Rule responds to a distinctive and necessary feature of computer systems — the recycling, overwriting, and alteration of electronically stored information that attends normal use.  This Rule however is not intended to provide a shield for a party that intentionally destroys specific information because of its relationship to litigation, or for a party that allows such information to be destroyed in order to make it un-available in discovery by exploiting the routine operation of an information system.  Depending on the underlying circumstances (including notice), good faith may require that a party intervene to modify or suspend certain features of the routine operation of a computer system to prevent the loss of information, if that information is subject to a preservation obligation.

A recent case in the Northern District of California provides one example of the application of this safe harbor.  In this case a party without reasonable notice that a given class of documents was relevant to a pending litigation was protected under Rule 37(f) from sanctions when the information was purged as part of the defendant company’s document retention policy. In Gippetti v. UPS, Inc., 2008 WL 3264483 (N.D. Cal. Aug. 6, 2008)2, the plaintiff requested discovery of digital records, called “tachographs” showing the fleet vehicles’ speeds and the length of time they are moving or stationary, to support his claim that other drivers were not disciplined for the same alleged infractions. Most of this information had been purged pursuant to a document retention policy.  The plaintiff then moved for spoliation sanctions, claiming that the defendant knew or should have known that the tachographs would be relevant to the litigation

In this instance, however, the defendant company:

• Had a documented retention policy that provided tachgraphs were retained for only 37 days;
• The Company produced existing tachograph records covering the most recent two-month period of time (the only available records given the document retention policy; and
• The Company’s document retention policy dated back to 2002, a date prior to the litigation.

The Court found sanctions to be inappropriate because the defendant has no notice that tachographs were relevant to his claims, that they were not directly related to the defendant’s affirmative defense, and they were destroyed in accordance with a routine company policy.

In some instances courts have even failed to sanction a part even though relevant information may have been lost due to routine computer maintenance activities. See Maxpower Corp. v. Abraham, 2008 WL 1925138 (W.D. Wis. April 29, 2008). Former employees who went to work for a competitor, of the plaintiff obtained an order allowing it to inspect the former employees’ laptop hard drives.  However, the plaintiffs’ computer forensic expert determined that the defendants’ laptops found that the evidence of hard drive wiping.  The inspection established that the former employees had deleted information from the hard drives after the suit had been filed.  However, the defendants presented evidence that the wiping of their laptops was done for maintenance purposes.  The Court denied the plaintiffs’ motion for sanctions, finding insufficient evidence to support the argument that wiping the hard drive constituted deliberate spoliation.

          

Avoiding Rule 37(f) Safe Harbor Protection in Absence of Specific Electronic Discovery Requests originally appeared on Law Blog 2.0 on March 10, 2009.

One product called CD/DVD inspector used by the DOJ and FBI can retrieve information not otherwise available to the average user.  (http://www.infinadyne.com/cddvd_inspector.html)   This tool in particular seems to be marketed to law enforcement.  Another
product with fewer features is ISOBuster available at http://www.isobuster.com/isobuster.php.  This product has been included in FTK Toolkit for imaging disks of common formats, apparently, similar support is not found in EnCase.  To ensure that one knows what is precisely being provided to the government he/she must use either use CD/DVD Inspector to perform an analysis of the disk prior to
turning the item over to the government (third party), or one follow a duplication process outline above.

Linux can use mkisofs and cdrkit (http://www.cdrkit.org/) to write multi-format CD/ DVDs.  For example to make an HFS, Rockridge, and Joliet using “mkisofs -o output.iso -V “volume lable” -r -J -hfs -map MAP_FILE -magic MAGIC_FILE ./”.

File System
Metadata

File system metadata can establish when a file was last changed, modified, and/or viewed (Modified Access Created is abbreviated as “MAC” times).  MAC times are pieces of file system metadata that record when a file was last modified, accessed, or changed.  UNIX (and Linux) file systems follow this standard and store these three pieces of file time metadata.  Windows file systems, such as FAT32 and
NTFS are use “ctime” to refer to “creation time”.

Modification time (mtime)

A file’s modification time described when the content of the file most recently changed. Because most file systems do not compare data written to a file with what is already there, if a program overwrites part of a file with the same data as previously existed in
that location, the modification time will be updated even though the contents did not technically change.

Access time

A file’s access time identifies when the file was most recently opened for reading. A running program can maintain a file as “open” for some time, so the time at which a file was opened may differ from the time data was most recently read from the file.

Change time (ctime) and creation time

Unix and Windows file systems interpret ‘ctime’ differently:

·   Unix systems maintain the historical interpretation of ctime as being the time when certain file metadata, note its contents, were last changed, such as the file’s permissions or owner (e.g. ‘This files metadata was changed on 05/05/02 12:15pm’); and

·   Windows systems are the only systems that use ctime to mean ‘creation time’ (also called ‘birth time’) (e.g. ‘This file was created on 05/05/02 12:15pm’).

Identifying Tampering

Inconsistencies can be identified by comparing the root directory timestamps with file metadata contained within the CD/ DVD disk.  Note, the Access, Modification and Change times in the root directory are the same.  All other files within the CD/DVD should
predate the Access, Modification and Change times of the root directory. 

The root directory is created when the CD/DVD is written.

If the root directory post-dates files from a given CD/DVD, this provides evidence of tampering.

          

CD/DVDs Present Unique E-Discovery Challenges originally appeared on Law Blog 2.0 on August 20, 2008.

A TIFF production (along with a load-file containing agreed upon meta-data fields and OCR text) is the industry standard in many jurisdictions. (A few attorneys (and a lot of e-discovery vendors) more daring than I may attempt a native production but I do not recommend it.) TIFF is an abbreviation for “Tagged Image File Format”. A TIFF is an industry file format, which consists of the image and header information. In other words, a TIFF is simply a picture of a document. This picture contains no other data about the contents of the original file; when a native file is converted to a TIFF file, the text of the document and associated meta-data is lost. The use of a TIFF based production methodology is desirable due to the difficulties and risks in producing native files. Native files are virtually impossible to redact, bates-stamp, and review. (The very act of opening up the document will passively change attributes of the file being reviewed.)

The Federal Rules of Civil Procedure require that counsel produce documents in a reasonably usable format or the format that the documents are maintained by counsel’s client. In the situation where counsel produces native documents (in a native production) the production would be acceptable under the Federal Rules of Civil Procedure (even in some cases where the data may not be search-able as is often the case with legacy data).  Assuming we are dealing with legacy data, a production is not reasonably usable if counsel converts native files to TIFF images in lieu of producing the native files, but fails to produce the OCR text and reasonably necessary meta-data fields (e.g., for an email common meta-data fields include To, From, CC, BCC, Subject, Date, and Attachments).

Legal counsel, in order to make life more difficult for the opposing counsel, may try to produce only TIFF images (without OCR text and meta-data fields). One such case in the Eastern District of California, L.H. v. Schwarzenegger, 2008 WL 2073958 (E.D. Cal. May 14, 2008), illustrates the situation and the consequences.  In this case the defendant’s counsel converted native documents from their original format, which was search-able into PDF files that were not search-able. (Note a PDF file that is not search-able, for purposes of our analysis, is the same as a TIFF image; however, the PDF file format is much more complex then the TIFF format and can potentially (and generally does) include search-able text and other data.)  The Court in the Eastern District of California, in the above case, found the production inconsistent with Rule 34 because the defendant’s counsel produced documents which were not search-able while the original (native) documents had been search-able. The Court in this case awarded the plaintiff monetary sanctions in light of defendant’s “purposeful foot dragging on discovery” and resulting prejudice to the plaintiff’s case.  Other jurisdictions have similarly recognized this same rule. See DE Technologies, Inc. v. Dell, Inc., No. Civ.A. 7:04CV00628 (W.D. Va. Jan. 12, 2007), (court found that counsel’s production was “reasonably usable” and thus in compliance with Rule 34 because the documents produced could be searched); see also D’Onofrio v. SFX Sports Group, Inc., 247 F.R.D. 43 (D.D.C.2008)(court holding that Rule 34 does not require production of electronically stored information in the original format unless necessary for it to be reasonably usable).

Committee Note to Rule 34(b) (to the recently amended Federal Rules of Civil Procedures) states that “[i]f the responding party ordinarily maintains the information it is producing in a way that makes it search-able by electronic means, the information should not be produced in a form that removes or significantly degrades this feature.” A party who converts native documents to TIFF images without an accompanying load-file, without search-able text, and with a bare minimum of meta-data has not produced the data in a “reasonably usable” format.  “The option to produce in a reasonably
usable form does not mean that a responding party is free to convert electronically stored information from the form in which it is ordinarily maintained to a different form that makes it more difficult or burdensome for the requesting party to use the information efficiently in the litigation.”  (Committee Note to Rule 34(b)(as amended December 2006)).

Principle 12 of the Sedona Principles, Best Practices Recommendations & Principles for Addressing Electronic Document Production (2d ed. June 2007) similarly states that:

Absent party agreement or court order specifying the form or forms of production, production should be made in the form or forms in which the information is ordinarily maintained or in a reasonably usable form, taking into account the need to produce reasonably accessible meta-data that will enable the receiving party to have the same ability to access, search, and display the information as the producing party where appropriate or necessary in light of the nature of the information and the needs of the case.

There are two cases often cited by those opposing the production of OCR text along with at least some meta-data.  These cases either predate
the e-Discovery Amendments of December 2006 as is the case Wyeth, or rely on precedent that predates the e-Discovery amendments as is the case in Pace. See Pace v. International Mill Service, Inc., 2007 WL 1385385 (N.D. Ind. 5-7-2007); see also Wyeth v. Impax Laboratories, Inc.,
2006 WL 3091331 (D. Del. 10-26-2006)(The court in Pace relied on Williams v. Sprint/United Management Co., 230 F.R.D. 640
(D. Kan. 2005), for the prpposition, “[a]bsent a special request for meta-data,” a production of documents in PDF or TIFF images”).

A production of TIFF Images that does include OCR text along with a minimum set of meta-data (in the view of many Courts especially those in California) may not be considered “reasonably usable” and counsel may risk sanctions.  However, an equally likely result may be a motion to compel the production of native documents (also undesirable).  Courts when confronted with this scenario frequently will order the production of the native documents where the TIFF production is limiting and prejudicial to opposing counsel. See Nova Measuring Instruments Ltd. v. Nanometrics, Inc., 417 F. Supp.2d 1121 (N.D. Cal. 2006)(court granted motion to compel production of native file format, were original production format failed to include meta-data); see also Lorraine v. Markel American Ins. Co., 241 F.R.D. 534 (D. Md. 5-4-2007)(court finding meta-data essential aspect of an electronic evidence),

          

Produce in a Reasonably Usable Format or in the Form in Which Data Are Stored in the Normal Course of Business or Risk Potential Sanctions and an Order to Compel the Production of Native Documents originally appeared on Law Blog 2.0 on July 24, 2008.