An Open Letter to Judges About Computer Forensic Exams
I just read another opinion where the Court decided to let one side's computer expert examine an opposing party's computers. The Court seemed more concerned with who would pay for the exam than what its consequences might be.
I'm a lawyer and computer forensic examiner, and I make part of my living doing just the sort of examinations the court ordered. I've done a whole bunch of them. So, while part of me wants to encourage courts to order more forensic exams — and I can surely attest to their efficacy in resurrecting data thought gone and exposing case-making evidence — the angel at my ear requires me to softly whisper, "WHAT THE HECK WERE YOU THINKING, JUDGE?!?
Why didn't you use a neutral?
I could say, "You never know what a computer forensic examiner will find," except I KNOW what we find: We find trouble.
I wish I had a nickel for every litigant that crowed they had nothing on their computers to hide. Whether their confidence was grounded on integrity, ignorance or an evidence erasure program, it's an ugly business to have to defend what a forensic exam turns up.
-
We find privileged communications.
-
We find intensely embarrassing and personal information.
-
We find sexually explicit material, racist and sexist content and all manner of nasty stuff.
-
We find evidence of dishonesty, perhaps related to the case but perhaps not.
-
We find evidence of criminality: sometimes pirated tunes, sometimes embezzled millions.
-
We find evidence of data destruction that may or may not constitute spoliation.
Now, when we find this stuff, and it has nothing to do with the issues in the case, what do we do with it? If we're a neutral, we keep our eyes on the prize, stick to a sensible protocol and let the extraneous stuff stay that way (unless it's the rare instance of child pornography).
But when it's the other side's partisan expert performing the exam, the examiner's obligations run to the client, and so dirt of any description may get handed over. It's not the partisan expert's place to decide whether the client might abuse the information. It's not the partisan's place to suppress it.
Though you can ameliorate the problem by a well-crafted examination protocol that "neutralizes" the partisan, you can't cure it. For one, lawyers don't draft good forensic examination protocols. Instead, they tend to cobble them together through compromise, memorialize them as an order and then hand an unworkable incantation to the examiner. Do lawyers understand how bound up data is on a drive and what it means to "recover all deleted information?" Do they have any idea what it costs and how long it takes to literally do it, not just run some script? Do they appreciate what the results will look like to them?
A bigger issue is conflict of interest. When a judge orders a partisan expert not to share certain information they've found with the client, a wedge is driven between the expert's obligation to serve the Court and the obligation to serve the client. How can a partisan expert serve the client in their subsequent work and testimony when ordered not to consider all the evidence they've seen? That's a tough tiger to ride.
So please, Your Honors, think about these concerns next time you're inclined to say, "Let the other side's expert take a look." The exam is a great idea. It will help find the truth and correct a miscarriage of justice, but (except when it's a sanction) please use neutrals, not partisans, as examiners.
An added plus is lower cost, because where one partisan expert necessarily begets another, the findings of a competent, trusted neutral may be enough to forestall a swearing match.
I must confess that I have been and will continue to be a big fan of Craig Ball and his his prolific writings, however I must weigh in on his appeal to judges to solely enlist the services of a neutral forensic examiner. While there are a great many scenarios where a court appointed neutral is the logical solution to a contentious e-discovery dispute, examiners retained by a litigant or their counsel does not necessarily result in the mayhem Mr. Ball describes. Established computer forensic service providers provide the necessary recommendations in formulating examination protocols that eventually must be agreed upon by opposing counsel and their computer forensic expert(s) long before the examination commences. In a well crafted protocol, an examiner should be constrained in both the searching parameters and in disclosures with their own client before the producing party has first reviewed the results of the examination for relevance and responsivness. In a majority of these examinations, the "partisan" examiner is prohibited from providing any ESI to their client whatsoever. It is the producing party's role to produce any examination results after the redaction stage has been completed.
A named computer forensic examiner in a computer examination protocol submitted to the court is accompanied by a sworn affidavit that requires the examiner to remain within the confines of the agreed upon examination parameters set forth in the examination protocol.
Again, neutral examiners will always have their place in a wide array of difficult situations. So too, will client retained examiners fulfill the important objectives associated with searching and recovering relevant ESI within the confines of a well crafted examination protocol.
Posted by: Robert Guinaugh | March 30, 2010 at 07:36 PM
Dear Mr. Guinaugh:
Thanks for the comment. The scenario you describe IS the use of a neutral examiner, isn't it? The examiner has been "neutralized" by the Court's order establishing the protocol. You're (correctly) assuming that the examiner will find what there is to find and tender it to producing party's counsel for privilege review and production. The only thing that makes the examiner a partisan in your scenario is who chose the examiner and who paid the bill.
In your hypo, the examiner is essentially washed up as a partisan adviser and can't effectively serve the side for whom he or she is ostensibly working. Sure, we can claim that the examiner will create a 'Chinese Wall' in his or her head, careful to advise without sharing or using any off-limits information; but how well does that work?
Won't subsequent partisan work be impacted by what was learned learned from protected data? Isn't the examiner always at risk of being accused of using the protected data in further work? It's a conflict in practice, and it hurts both examiner and client.
My point is that once the Court "neutralizes" a partisan expert, I don't think the expert can thereafter effectively fulfill his or her role as a partisan adviser in the same case. You can't unring a bell.
A telling example of how things go wrong is seen in Technical Sales Assocs., Inc. v. Ohio Star Forge Co., Nos. 07-11745, 08-13365 E.D. Mich. May 1, 2009, discussed in a Law.com article here: http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202435729989&EDD_Tale_Caught_in_the_Middle
I don't think we are saying different things as much as applying different labels.
Posted by: Craig Ball | March 30, 2010 at 08:12 PM
So, if I understand correctly, what you are saying is that no forensic expert hired by either side would be non-partisan and only a forensic expert hired by the court would suffice? For example, if Plaintiff wants to forensically review Defendant's hard drive, Plaintiff would make that request to the court and the judge would effectively hire the forensic expert to review Defendant's hard drive with Plaintiff being ordered to pay the bill? That seems a reasonable course of action, because it is true, once you've seen something how do you not react to it? If I ask you, as our forensic vendor, your opinion of which of three issues we should pursue, and you've seen the Defendant's hard drive and know that issue two is the one we should pursue, what do you say? If you say issue two, you might be compromizing the neutralization by the court. But if you say one or three, then you're deliberately misleading your client. Say nothing and you are no longer useful to your client and you lose all future forensic work on this case. And what if you would have said issue two without knowing what you now know? How do you prove that what you would have said isn't influenced by what you saw?
Posted by: Wayne Akin | March 31, 2010 at 04:39 PM
Dear Mr. Akin:
I think you did a better job than I did explaining the conflict. Thank you.
To be clear, I'm not suggesting that the Court must alone select and engage the examiner. The optimum course would be for the court to direct the parties to agree upon an examiner. Failing that, the parties could each submit a list of three candidates from which the Court might choose, The examiner would be paid by one or both parties per the Court's direction (often one side pays the cost of the exam they sought but can seek to recoup same based on the results or as costs if the case concludes favorably to them),
The important point is that the examiner's duty runs to the Court, and neither side has any special access to the examiner. Except as needed to, e.g., resolve privilege issues, neither side has any ex parte access to the examiner, and the examiner doesn't take sides or assist one side or the other. That is, irrespective of who pays, the examiner is always a third-party who stands in the shoes of the Court.
And to be clear to my fellow forensic examiner readers, any of you can be this neutral examiner, so long as you're not disqualified by virtue of a relationship with one of the parties or counsel. This isn't put forward as something that gives any edge to me certainly.
Posted by: Craig Ball | March 31, 2010 at 05:11 PM
Dear Craig,
You seem to be describing a Special Master, what with the suggestion that the Court should direct the parties to agree upon an examiner. I can see the need for that in an overly-contentious case (we've all seen some of those) where there's so much bickering and fighting that nothing can be accomplished. However, in the normal course of events, I find myself in disagreement with some of your points.
Your main point seems to take the position that a forensic expert hired by one party cannot be impartial, and I completely disagree with that. Our sole responsibility is to the facts, and we are limited in our fact-finding by what we are tasked to do. Simply because we have an image of a system does not give us carte blanche to do as we will. If the case does not revolve around misuse of corporate resources, we are not looking for evidence of pornography, etc. If we happen to see such by chance while we’re looking for other activity, that does not mean we have “partisan” obligation to inform the client (with the exception of contraband).
You also state that in the event the Court orders an examiner not to discuss the case with their client, this drives a wedge between examiner and client. While I do see that this could create some level of tension, I don’t see it as a show-stopper; as professionals (legal and forensic) this shouldn’t be an issue. Aside from the requisite skills, a forensic investigator must have integrity; that is the basis of our reputation. If we do an excellent job with outstanding professionalism, regardless of the results or outcome being in line with what our client wanted to find, we will retain the client.
In your post on Forensic Focus, you state, “Trial by ambush is fun, but it's what discovery was designed to end. Having to hire a second examiner to keep pace with the partisan examiner is wasteful.” It may seem to be wasteful, but every party is entitled to a defense (or offense), and any such involving ESI is going to require a forensic investigator that they can work with (this doesn’t mean revealing all information willy-nilly; refer to the second paragraph). A Court-directed “neutral” is not working with either side, and thus both sides will end up being ambushed the same as would happen in a scenario where the Court ordered the examiner not to communicate findings to their client.
In summary, while I think there are situations that would benefit from your proposed “neutral” examiner, I do not think that this should be the standard. I take that position because it is my opinion that a professional forensic investigator has a responsibility, first and foremost, to the truth, and is obligated to focus the investigation on the matter at hand (ie, keep eyes on the prize). It’s simply a matter of professional integrity.
Regards,
Frank
Posted by: Frank McClain | April 09, 2010 at 12:56 PM
Does every state/court employ the use of court appointed forensic experts?
Posted by: Paul Bobby | May 10, 2010 at 03:50 PM
I haven't surveyed every state to know, but I'd expect that each state has some mechanism for the use of court-appointed neutral experts. Certainly, the use of neutral forensic experts remains the exception in practice.
Posted by: Craig Ball | May 10, 2010 at 03:56 PM
Who foots the bill for a neutral expert? If it's the court, is that the reason for slow adoption perhaps?
Posted by: Paul Bobby | May 20, 2010 at 09:13 AM
In my experience, the cost of the neutral is borne by one or both of the parties. If there's a bad actor (i.e., somone who deleted or failed to preserve data), the bad actor typically pays. If there is no established bad actor, the party seeking the exam usually pays. Else, the Court assesses the costs against both parties in equal shares or as the judge sees fit.
One interesting aspect of using a neutral is that the expenditures for same can usually be taxed as costs against the loser at the conclusion of the case. This is typically not the case for the work of partisan experts.
Posted by: Craig Ball | May 20, 2010 at 10:52 AM
I agree with Mr. Ball that once an e-discovery dispute deteriorates the best way out of the mess may be for the Court to order a neutral forensic expert. I also think that as forensic and legal professionals we could do more to help educate the corporate counsel and other litigants about alternative approaches to e-discovery. Specifically, approaches that may be more cost effective and less likely to further escalate disputes. My coauthors and I delineated one such approach, Mediated Investigative E-Discovery, in an article published recently by the Federal Courts Law Review at www.fclr.org. In the article we proposed a process in which a digital forensic investigator conducts the search for ESI on behalf of both parties and at the direction of the parties, as well as facilitates agreements on production between the parties. I am interested in any ideas that would help potential litigants become aware of and have an opportunity to consider the benefits of the Mediated Investigative E-Discovery.
Best regards,
Suman Beros
Posted by: Suman Beros | May 27, 2010 at 08:33 PM