Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
The Courts Government Privacy News

New Rules Proposed on Electronic Evidence 129

davidtspf writes "The committee that makes the rules of procedure for U.S. federal courts is now considering new rules governing electronic evidence, how much litigants need to produce at trial, and under what circumstances. Civil rights attorneys are arguing that the rules will make it harder to find smoking guns, while a number of corporations, including Microsoft have submitted comments arguing for further limits. LawMeme has an article with more background, comparing the process to debates over IP law that occur in a vacuum of empirical data, and encouraging techies to submit requests to extend the public comment period, which ended today."
This discussion has been archived. No new comments can be posted.

New Rules Proposed on Electronic Evidence

Comments Filter:
  • Rule #1 (Score:2, Funny)

    by Anonymous Coward
    No evidence should be submitted in pdf format.
    • Nor Word .doc format.
    • Actually, PDF is one of our preferred formats for presenting (electronicallly) examination results because:

      The formatting information is fixed, so what you see is what gets printed;

      Detectives (almost always) don't have the capability to edit PDF, but they all have the ability to view it since Acrobat Viewer is part of the standard build.

      (I am a forensic computer analyst for a state police service.)
  • by GLowder ( 622780 ) on Wednesday February 16, 2005 @10:00AM (#11688617)

    My take would be MS wants more restrictions to so it's own leaked memos can't be used against it so easily.
    Just my two cents.
    • That is no different than any other company or individual.

      I can honestly say I know of know one who wants their deepest, darkest secrets being revealed in a court room.

      Why would you expect anything less from MSFT or anyone else?
      • Funny, I was thinking along the same lines but with a twist.

        Maybe so many people have been fired at work for allegedly surfing pr0n and come to find out it was a collaborative effort from the admins and managers just to remove a single person?

        What if someone was forging BG's logs to make him look jacko freaky and releasing the data to the internet. If you dont know by now that all electronic logs that are created by a machine can be created by a person that looks like it came from a machine.
        • ...all electronic logs...

          Exactly, bits are bits are bits and there is no way to tell whether a collection of bits is truthful for the purpose for which it may be represented in a court room. Unless there is some kind of strong encryption/authentication system on the e-mail for example, there is no iron-clad way to determine whether either the text itself or times and autherships are true. Digital pictures can be altered, making it difficult and sometimes impossible to tell whether they are telling the trut
  • Not Entirely Bad (Score:5, Interesting)

    by Trolling4Columbine ( 679367 ) on Wednesday February 16, 2005 @10:00AM (#11688618)
    Would stricter rules not force the RIAA (and their ilk) to produce stronger evidence against defendants in copyright violation lawsuits?
    • by FreeUser ( 11483 ) on Wednesday February 16, 2005 @10:09AM (#11688697)
      Would stricter rules not force the RIAA (and their ilk) to produce stronger evidence against defendants in copyright violation lawsuits?

      I doubt it. Rules for whistleblowing will have one standard, rules corporations can use against individuals will have another.

      It won't be phrased that blatently. Instead it will be one set of rules for submitting confidential data (internal memos, emails, chatroom logs) and another, much laxer set of rules, for accusations of copyright infringement.

      Be assured, the end result will almost certainly mean less corporate accountability, and less protection of individuals against corporate whichhunts.
      • My thought is that, if a double standard will come into play here, it will be more blatant than you're thinking. The rules will not be laxer for accusations of copyright infringement. Rather, they could simply be different for natural persons than they are for corporate entities. It'd be very hard to argue, however, that corporations should have less of a burden of document production than individuals, when corporations will almost invariably have better retention as a matter of both corporate policy and
      • WRONG (Score:5, Informative)

        by zymurgyboy ( 532799 ) <.moc.oohay. .ta. .yobygrumyz.> on Wednesday February 16, 2005 @12:14PM (#11689932)
        Wistleblowing and copyright infrigement are not issues specifically covered by the Federal Rules of Civil Procedure.

        These rules only cover "standards", if you will, for how evidence is collected in the discovery process; how it is traded back and forth (produced) between plaintiff and defendent counsel; rules for deposing witnesses; and most importantly, in this case, standards for how the production materials are formatted. That is what is being addressed here.

        Currently the Rules of Civil (and Criminal for that matter) Procedure are designed to govern how cases are litigated in a paper world. Electronic evidence (and a virtual lack of standards for it) have created a host of problems for this antiquated process that is by orders of magnitude more difficult to deal with than was ever previously enountered in the paper world. Whereas before, when someone got sued their paper files would get taken. The files were static objects. Maybe a few people would get a copy of a particular document and it was much easier to determine who the recipients were. Now that more material is traded back and forth through e-mail and other means, this happens on a much faster pace, it's much easier to spray copies around to a variety of recipients and much harder to keep track of who had what and when they had it.

        Also, electronic communications will keep several revisions of a document which may have been through away and not retained in the paper world. This frequently happens without the custodian's knowledge more often than not, unless a very deliberate attempt to implement, maintain and enforce a document management and retention policy. Indeed, the electronic communications revolution has made the proverbial smoking guns much more numerous than in the past by it's very nature.

        Volume and velocity of communication is only one part of the problem. File formats are just as big a piece of the puzzle. Word vs. Word Perfect documents being an example. If electronic documents are not properly handled you can easily be accused of spoliation of evidence, with or without any malintent. By simply converting a WordPerfect document to Word format, it can change pagination, formatting, and destroy metadata that the recipient wasn't even aware existed. Having "exact" copies, traceable back to their source (chain of custody) of a document as it was produced to you "in the normal course of business (to use the vernacular)" is extremely important if you intend to use all or part of it as evidence. This is (on of) a lawyer's worst nightmares.

        These are just a few of the problems relating to the federal rules and electronic documents. Outside of the Sedona Conference, these have largely been unaddressed up until very recently. It looks like the Rules of Civil Procedure are going to standardize on production of documents in native format. One school of thought has been to take the native documents and print them to a static format for production purposes (such as tiff, pdf, jpg). Looks like their shying away from that approach and leaning toward the "native format" position both have their advantages and potential pitfalls, some of which I outlined above.

        Anyway, in response to your post and in summary, you shouldn't read so much into Microsoft having an opinion here. Their opinion on the matter isn't out of line with most other businesses in this regard, nor is it necessarily bad for the little guy either. This is a double edged sword and it is as sharp on one side as it is on the other. If anyone will "win" out of this, it will be trial lawyers, in the sense that you will need to make sure you have counsel that is accutely aware of the electronic discovery universe and how to take advantage of it while making sure you don't get cut.

        This is simply a badly needed revision of the rules that will make it more fair for plaintiffs and defendants alike. I wouldn't anything more into it than that.

        • Re:WRONG (Score:4, Insightful)

          by zymurgyboy ( 532799 ) <.moc.oohay. .ta. .yobygrumyz.> on Wednesday February 16, 2005 @12:42PM (#11690323)
          To expand a bit: if your looking for a corporate consiracy, look to lobbying and legislation and how they are related. If there is to be a double standard, it will be found in the laws passed by Congress.

          To say it would be embedded into the Federal Rules of Civil Procedure would be sort of like blaming a programming language or its compiler for viruses that are written using it.

        • Native format production would certainly comply with the letter and spirit of the proposed rule changes. However, I think it might be equally feasible (and desirable) to produce in TIFF/PDF with an underlying (searchable) database containing all metadata. The message, I think, is that you have to preserve and produce the underlying metadata. How you do that (native form, database) is up to you to do (and, if necessary, you have to convince the court and the other side that you've been reasonable in compl
          • Native format production would certainly comply with the letter and spirit of the proposed rule changes. However, I think it might be equally feasible (and desirable) to produce in TIFF/PDF with an underlying (searchable) database containing all metadata. The message, I think, is that you have to preserve and produce the underlying metadata. How you do that (native form, database) is up to you to do (and, if necessary, you have to convince the court and the other side that you've been reasonable in complyi

            • Zymurgyboy -

              I agree that the proposed rule allows for a lot of flexibility, and that there's no way to render a relational database or a sound file to TIFF or PDF. I think the rule will quash games like trying to foist a printout of a relational database (or, even better yet, a DLL file (been there, done that)). I've already gotten into fights over the (lack of) utility of printouts of excel spreadsheets.

              But for document review/production of "standard" files - and by that I'm thinking of email and word
              • Expense is the main problem with handling e-mail, as you correctly state that there are a number of vendors and technologies to handle it. And you're also correct that there are no real alternatives to this process. I nearly always vend this type of work out, not so much because I want to or don't have the requisite software and knowhow, but the volumes is almost always more than I can cost effectively handle in-house (I'm a timekeeper, but IANAL; I'm a geek in their direct employ), much less devote the t
    • Yes, but that would come from Congress and would not be embedded in the Fed. Rules of Civ. Proc. by the committee which maintains them.

  • Long gone... (Score:1, Insightful)

    by ectotherm ( 842918 )
    Long gone are the days of Ollie North and "Shredder Gate"...
  • by MosesJones ( 55544 ) on Wednesday February 16, 2005 @10:01AM (#11688630) Homepage


    Of course they do, otherwise their emails will continue to show in court that they are guilty as hell. There should be no different standard applied to electronic communcations over written notes. If you write a note its admissable, if its electronic it should be equally admissable (and easier to get hold of).

    • by grasshoppa ( 657393 ) on Wednesday February 16, 2005 @10:07AM (#11688686) Homepage
      Well. Except electronic versions are easier to fake than the real thing.

      Example: From memory, I can construct an email that is exactly like the real ones I get. Down to the Message-ID header looking authentic. Depending on the email system, that may be all that's required.

      This is much harder to do with written communications. Should they still be held to the same standard? *shrug* If you can guarantee me that all electronic comms are authentic, then I don't see why not, otherwise...
      • Thats an arguable statement. I can make paper forged documents a lot easier then i can electronic ones...in fact I don't know how to fake the message-id header.

        I think that any document entered to court should be validated and proved 100% authentic before it is admissable.

        I do agree that the laws for evidence should be the same. If you accidentally send that incriminating document to someone who was no the intended recipient, it doesn't disqualify your document and its intent.
        • It would be easy to fake any e-mail you want on a system you control.
          seriously, laughably, easy.
          Going back in time, as in inserting your faked e-mail into an offsite tape backup, would be a little harder.
          On the other hand, the people looking for evidence are very unlikely to be able to properly access your offsite library; they are most likely going to order the company geeks to do it for them, unless you are talking about a government sponsored full-bore witchhunt, of course.
          • It would be easy to fake any e-mail you want on a system you control. seriously, laughably, easy.

            Know your IT staff
            Love your IT staff
            Pay your IT staff better then the other person
            Pray your IT staff doesn't sell you out
      • False.

        Electronic data, such as email, gets routinely copied multiple times.

        I work in thie field. One of our MAJOR expenses is eliminating duplicates.

        If a document was suspect of being "forged", we would just have to see how many duplicates were created.

        If something was dated last year, it would start to show up in all the back up tapes we got (which we had to get to make sure they did not get incriminating evidence and then delete it immediately).

        In general, most electronic documents are EXTREMELY di

        • Yes, the copies will determine if someone tries to fake a document later on. But I thought they were talking about proof that the document came from the right person, that the headers say the document came from.

          For example, to play jokes, I sometimes send emails to my coworkers claiming to be from our boss. Those emails get copied & backed up just like real ones. And the coworkers can not tell that the email was not from the boss. So how would you prove in court that the boss really did send the em
          • By looking at back up copies of HIS email, and the email servers. They would not show anything being sent from his computer, and quite likely show them originating on your computer.
            • And if somebody walked into his office while he was in the bathroom? Management arn't really known for being security concious when it come to computers, so it's likely he didn't lock the screen (or log out) for the few minutes he's away from his desk. It'd be pretty easy to write an email and send it from HIS computer on HIS account and leave a nice electronic trail for somebody to follow and verify.
        • Hm. Most of your argument has to do with copies and backups.

          What if a document were created on a computer that was not included in the backup schedule, or was somehow excluded from regular backup?

          For instance, if someone wanted to forge a document, they could operate on a removable USB drive. I won't say that I'm familar with the average backup system of the industry at large, but I'd guess that such drives would be excluded from the backup schedule.

          If that's the case, then the forged document would ap
          • Yes, it is possible to carefully create a document so that it's identity can not be proven 'false' - such a document would however not be considered evidence.

            It would be the equivelent of saying:

            "Look, I have proof that you insisted on me having sex with you - here is a letter where you blatantly requested sex, typed on generic white paper, using a generic laser print font and ink, that has your name printed on the bottom. Yes, I know you did not sign it, but I SAW you print it out and give it me, whil

            • I see where you're coming from. I guess I'm still a bit skeptical.

              For email, your argument makes a lot of sense. There are lots of email servers where a legitimate email would leave a trace. While it's simple to forge an email, the traces it leaves would let one track where it came from.

              But other documents might not have as strong of an audit trail. For example, Photoshop only recently got the ability to store a history of what actions were performed by whom on a document for exactly these audit purpo
      • What you present is exactly why I'm in favor forcing all mail to have electonic signatures.

        The PO has standards, why shouldn't email?
    • If you don't want stuff getting out can't you just CC: someone in the legal department? Or have I been watching "Law and Order" too much?

      • BZZT. You can't just cc: the legal department to cloak something in the attorney-client privilege. While that might cause an email to be flagged by a first-tier reviewer (or search algorithm) as privileged, for the privilege to truly attach, you need to be seeking legal advice.
    • ...If you write a note its admissable, if its electronic it should be equally admissable (and easier to get hold of)...

      The problem is that electronic bits can be easily altered in such a manner that it is impossible even for the best experts to tell that this has been done. Altering a paper note in an undetectable manner is considerably more difficult.
  • Hmm (Score:5, Interesting)

    by t_allardyce ( 48447 ) on Wednesday February 16, 2005 @10:02AM (#11688632) Journal
    So wait this can be good or bad, either you will no longer be able submit digital pictures and financial records as evidence of XYZ Corp.'s illegal under the table dealings with Senator Cock-Nose allowing them to kill babies, dump nuclear waste and go tax free, or it can make it impossible for the RIAA/MPAA/DMCARCALSVPT to subpoena you with a print-out of your ISP's traffic log for stealing Britney Spears record sales or talking about breaking encryption schemes.
    • Re:Hmm (Score:3, Insightful)

      ... either you will no longer be able submit digital pictures and financial records as evidence of XYZ Corp.'s illegal ... dealings or it can make it impossible for the RIAA/MPAA/DMCARCALSVPT to subpoena you ...

      Yes, either one.

      Which do you think the lobbyists are pushing for?

      • > > ... either you will no longer be able submit digital pictures and financial records as evidence of XYZ Corp.'s illegal ... dealings or it can make it impossible for the RIAA/MPAA/DMCARCALSVPT to subpoena you ...
        >
        > Yes, either one.
        > Which do you think the lobbyists are pushing for?

        Both of your arguments are based on a false dichotomy.

        The correct answer is "both". You will be unable to submit digital pictures and financial records as evidence of XYZ Corp's illegal dealings, and si

  • Fool (Score:5, Interesting)

    by Anonymous Coward on Wednesday February 16, 2005 @10:02AM (#11688638)
    If you beleive that electronic data can't be forged to fit what ever you want then I have a big bridge to sell you too.
    • Re:Fool (Score:5, Insightful)

      by Peyna ( 14792 ) on Wednesday February 16, 2005 @10:33AM (#11688869) Homepage
      The same goes for paper documents, what's your point?
      • The same goes for paper documents, what's your point?

        The difference is that it is trivial to create a fake electronic document. Paper documents have inherent security features, like the paper and ink they are printed with, the typeface, the minute flaws in the printing machinery, etc.

        A person who might not have been willing to fake a paper document (because of the risks of being detected) might be much more willing to fake an electronic one.

        • Paper documents have inherent security features, like the paper and ink they are printed with, the typeface, the minute flaws in the printing machinery, etc.

          I can send a Word document to the laser printer in the mail room set in Times New Roman 12pt just as easily as my boss can. If I put "Boss" instead of "Peon" into the letterhead, I don't see how you would tell the fake memo from the real one.
          • I can send a Word document to the laser printer in the mail room set in Times New Roman 12pt just as easily as my boss can.

            Right, but those are not the only possible scenarios. If I had some enemy X and I wanted to forge a typewritten letter by X indicating an intent to commit a murder, I'd have a hard time doing it in a way that couldn't be disputed in court. On the other hand, it's much easier to fake an EMAIL indicating an intent to murder.

    • Can you sell it as a replacement for the SF / Oakland Bay Bridge?

      Thanks!
      Ah-null'd
    • Re:Fool (Score:4, Informative)

      by gurps_npc ( 621217 ) on Wednesday February 16, 2005 @11:49AM (#11689643) Homepage
      You are pretty foolish.

      I work in this field.

      While it is true that anything can be forged, in any major company it is INCREDIBALLY easy to detect forgery of electronic documents. Yes it can be done, but it would be FAR more expensive than forging paper documents.

      Why? COPIES. BACKUP. EMAIL SERVERS Emails for example are incredibally dificult to convincing forge. When I send an email to you, it does NOT just go to your computer. It goes all over the company network, getting backed up, tarred, zipped, etc. In order to convincingly forge an email from IBM to say Microsoft, I would have to:

      1. Find all those files in IBM's computer. Good luck. Hope you don't miss one.

      2. Edit all those files, being sure to use correct permissions and reset things like Last modified date.

      3. See steps 1 and 2? Repeat for Microsoft's computers.

      In general, it is FAR easier to forge a hand letter to Microsoft from IBM than an electronic email

      • What files are you talking about? The email server software I know of mostly don't keep logs by default, and those that do have short expiries.
        • You send an email at any company that is networked and everything is back up.

          At my law firm, if my PC blows up, I can get the following: [li]a restore from the daily back up. We keep 30 days back up available, via our emergencey servers in another city. Should be able to do this in minutes. [li]A restore from the weekly back up on raids. Takes about one hour to access. We keep 50 of these (one year's worth). [li]A restore from the monthly tape backups. We keep these forever.

          For us, that is not just

      • Hmm.. what about cases where they intentionally weren't backed up, or the backups were erased? Yeah, you might be able to do forensic recovery of a deleted item on a backup (or the original media), but then again, you might not. And your system might be great for eliminating false positives, but what about false negatives? I want to instill doubt that I ever said something in an e-mail, so I proceed with steps 1 and 2. It's not just about forging evidence, it's also about denying that it ever existed.
      • gurps npc, most of the "big" electronic discovery issues to date have involved large companies with large networks and massive backups. (I guess the other cases are criminal/forensic cases, but that's another story.) Lack of duplicates of the "smoking gun" emails across the network is definitely a "smoking gun" pointing at forgery.

        As the cost of full-blown electronic discovery lowers, though, I wonder whether forgery will become a bigger problem. I can think of several small companies who use their ISP'
      • ...In general, it is FAR easier to forge a hand letter...

        So now you find two or three or more copies of a purported e-mail and they are all slightly different because they went through various computers etc. How do you unambiguously determine which is the truthful one? Electronic bits are ephemeral creations whose arrangements can be undetectable altered with varying degrees of difficulty, ranging from trivially easy to quite difficult. Alterations of ink on paper with a true signature are much harder to m
        • Wrong. It is NOT two or three more copies.

          It is more like HUNDREDS.

          Look. I send an email from my computer at IBM to your computer at MSFT.

          One month later there exists:

          a copy on your computer, assuming you have not deleted it.

          a copy on on my computer, assuming I have not deleted it.

          a copy on each of our daily back ups.

          a copy on all 4 of our weekly back ups, and another copy on all 4 of your weekly back ups.

          Assuming that they keep one month of daily back ups available, that is 70 copies. I repea

          • ...at IBM to your computer at MSFT...

            Granted that this scenario may happen at large corporations who can afford an expensive IT dept. but at small businesses and with individuals it is much less likely. Backups are unfortunately not done as rigourosly as needed and because of storage costs, data are often erased if it is felt it is no longer needed. Some people even deliberately erase almost all communications and other data that they feel may someday be used in a court proceeding.

            E-mail also aren't the
  • Good news I guess (Score:5, Insightful)

    by null etc. ( 524767 ) on Wednesday February 16, 2005 @10:04AM (#11688653)
    This is clearly a step in the right direction.

    Now, we can hope that punishment for computer-related crimes is brought down to reasonable levels. As much as I hate the fear of identity thieves and hackers, I think it's ridiculous that someone can get less time in jail for committing murder than for hacking into a corporate network.

    And we've all heard of "consultants" who were jailed by a company because the consultant tested the company's network security, but the company didn't like it. Penalties and jail-time were harsh, even though no bad intentions were evident.

    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • I think we should keep those who seek to destroy our infrastructure in check by restricting their ability to use technology.

        Please? Like disallowing them to use a computer and put their abilities to good use? Do you think some computer crack which is disallowed to use computers will get a good member of the society? Dream on. You'll be creating *real bad* criminals that way.

        There is one thing that really helps: catch the criminals. Punishment is not as important. If they get 3 weeks prison for defacing
      • ...but I think in such a technological-dependent society like ours, I think we should keep those who seek to destroy our infrastructure in check by restricting their ability to use technology.

        What about picking the correct problem? The problem is not the people attacking the infrastructure: they are the symptom. The problem is the vulnerability of the infrastructure and its brittleness. Screw the attackers - make the system resilient and tough and decentralized enough to turn more or less any kind of atta

  • Well (Score:2, Insightful)

    by Anonymous Coward
    I don't see any reason to convict Microsoft of having some invested interest in this. The rules being discussed suck and a lot of people can see that.
  • by ChibiLZ ( 697816 ) <john@NosPAm.easygoldguide.com> on Wednesday February 16, 2005 @10:06AM (#11688673) Homepage Journal
    I'm thinking that this is a good thing. I like how the proposed amendment to 37(f) leaves things nice and open by saying, "...should not be subject to sanctions when information is destroyed 'because of the routine operation of the party's electronic information system.'"

    Could we see a new ISP springing up that 'routinely' wipes out logs every week? Might it provide better security and anonymity for its customers?

    Of course there's the downside of better protecting true criminals, but I think in today's Big Brother-esque, PATRIOT act society, a little more protection from overreaching laws is a good thing.
    • >Could we see a new ISP springing up that 'routinely' wipes out logs every week? Might it provide better security and anonymity for its customers?

      Anonymizer.com claims they don't retain logs. Ziplip used to advertise that they didn't keep any record of a message after it was sent, but today their sales pitch is that they retain the records for you for compliance with HIPAA, Sarbanes-Oxley, GLBA or whatever.
    • by slittle ( 4150 ) on Wednesday February 16, 2005 @10:42AM (#11688950) Homepage
      Short retention would basically force The Man to have some manners, as just showing up with a van full of goons and confiscating everything won't do them much good. If they want data on someone, they'll have to have a proper order that said data on said someone over a certain period be kept.

      This also means it will be much harder to mine for minor infractions post-fact, and instead persue actual "true criminals" - ie. the kind they are willing to invest time into actively following and getting warrants and whatnot.
      • Short retention would basically force The Man to have some manners, as just showing up with a van full of goons and confiscating everything won't do them much good. If they want data on someone, they'll have to have a proper order that said data on said someone over a certain period be kept.

        Spot on, my friend. And to expand on that thought, this is why solid document management and retention policies are so important. Lack of awareness of the legal risks; and the fact they're so difficult to construct i

    • "Could we see a new ISP springing up that 'routinely' wipes out logs every week? Might it provide better security and anonymity for its customers?"

      I am not a lawyer and the following is not legal advice:

      In the US, any ISP who wants to routinely wipe it's logs weekly, fortnightly, or nightly, or not even keep logs at all, doesn't need this new law to give them permission to do so. Except for those cases where contractual or accounting practices require the retention of billing and usage data, there are n
  • by moz25 ( 262020 ) on Wednesday February 16, 2005 @10:07AM (#11688688) Homepage
    To take one example, the proposed amendment to Rule 37(f) says that responding parties should not be subject to sanctions when information is destroyed "because of the routine operation of the party's electronic information system." This rule would encourage strategic actors to design or purchase systems that routinely destroy data they might otherwise save if not for the potential litigation costs of preserving incriminating documents.

    That would certainly work to the advantage of those not eager to be confronted with old memos :-)
    • This seems to be in opposition to sarbanes- oxley regulations, which specifically require communications to be held and maintained. So either this would not be doable for public companies, or sarbanes-oxley regulations would have to change.
      • This would only be the case once litigation is initiated, however. The communications aren't protected until they have some potential to become evidence. It wouldn't against the law for a company, or an individual for that matter, have a policy which formatted the storage media with ones and zeros for all of their systems every evening if they wanted to.

        According to the proposed 37(f) this would be just fine and you would not be destroying evidence (and this is the key word to watch here). I'll leave i

        • In the case of the sarbanes-oxley regulations formatting those hard drives for a public company, any public company, is not allowed if the message relates to the system which falls under the sarbanes-oxley regulations.
    • >That would certainly work to the advantage of those not eager to be confronted with old memos :-)

      And to the disadvantage of those who used to have evidence that could clear them, but who automatically threw it out.

      Either way money is an issue. Electronic storage is dirt cheap (better than dirt cheap: have you priced dirt lately?) but paying lawyers to read all your old email is so expensive that entire companies exist to streamline the process.

      In other words, even non-scummy defendants would benefit
    • It's already pretty common practice to limit the size of corporate email to about 3 months worth of emails... anything beyond that is deleted. Ostensibly, this is a disk quota, but the push is from legal departments that are slammed with hundreds of fishing expeditions into corporate emails every month.
      The time and effort required to pull and organize all of the data from a request to search all electronic records for any mention of "Product Frobozz" is not trivial. Doing it several times per day for differ
  • Platter dust (Score:2, Interesting)

    by Anonymous Coward
    Is a readable hard drive with incriminating data required for a conviction? If so, one could do whatever they want (illegally) in a vmware session with the virtual disk stored in a ramdisk. Then, when the police come and unplug the machine for evidence, all the evidence is erased.

    --
    Dogs are annoying. Go ECFA.
    • Re:Platter dust (Score:5, Informative)

      by MathFox ( 686808 ) on Wednesday February 16, 2005 @10:53AM (#11689035)
      When you're talking about admissible evidence for criminal proscecution, the data in RAM certainly is admissible. It is a practical forensic problem to store the data on a non-volatile medium without destroying its value as evidence. People have been convicted on the basis of the contents of their swap partition.

      When a computer forencist is involved in a raid, he knows what evidence he has to look for. He has a plan of attack. That could include forcing a crashdump of the RAM on a Unix server to analyse the processes that are running. A lot of incriminating information is found in the space that was taken up by deleted files.

      Another way of obtaining incriminating information is from "third party" logfiles, network taps, etc. Doing as much investigation without the suspect knowing it.

      I am not a computer forencist, but I applied for the job.

      • Anyone using their PC for criminal activity shouldn't have any writable media on their system.

        They should also lock out intruders at the network level and at the console.

        While they are at it, they should be inside an underground lead-lined bunker with no connection to the outside world except a faraday-caged ventallation shaft. What about the AC power line? They should run everything off of batteries or fuel cells.

        Anyone need a spare laptop to go with their fallout shelter?
    • Which is why the first rule of electronic evidence gathering isn't to simply just power-down the machine.
  • Re: (Score:2, Interesting)

    Comment removed based on user account deletion
    • The presence of a multitude of back ups results in a similar situation for all documents.

      It is easy to fake a digital document for your brother/sister/family.

      But IBIS or RVM (companies that process documents for law firms), will find an origianl, unaltered copy of the document without even trying.

  • I think it will help end the more trivial law suits and still let the serious ones work. A main problem is that some companies choose to settle rather than fight because the settlement is cheaper than the cost of retrieving the information off of old unsupported media or computer systems.
  • Good steps (Score:2, Insightful)

    With all the zombies out there and the ease of altering digital documents, it's near impossible to really verify the source of most things floating around nowadays.
    • False.

      It is easy to give your sister an altered document.

      But in any major company, there are SO many back up copies, dated copies, tarred files, that it would be incredibally dificult to alter ALL the copies.

      Hm Your Honor Judge, we have 23 copies of this document. The three copies from their main document state "I fired Joe because he was late on 7 occasains". But the other 20 copies say "I fired Joe's black but cause his sister wouldn't put out".

  • I suspect... (Score:5, Interesting)

    by the_skywise ( 189793 ) on Wednesday February 16, 2005 @10:26AM (#11688821)
    This is related to the Banes-Oxley act which mandated that all email conversations (as well as other electronic documentation) must be backed up regularly and for a fixed period of time.

    IANAL but it appears that a side effect of this is that it elevates this form of business communication as more legally binding above and beyond normal paper document communications. IE Official business memos are legally required to be stored but simple interperonsal memo communication between officers is not. But if it IS kept and found, it's legally admissable.

    The law change (to help prevent another Enron) elevates all communication to a stored status. From the consumer side this is "good" because smoking guns are easier to find. But from the business side this is "bad" because a lot of ideas get thrown around when trying to develop business plans. Ideas that may be quasi-legal to begin with, but not recognizable as such until they bounce the plan off one of the legal team and he quashes it. End of story right? Not if that communication is part of the official record because it was emailed. Now it becomes a smoking gun as part of a "pattern of intent to do illegal buisness practices".
    • I don't want to pick "nits" with this parent, but that is "Sarbanes-Oxley" and NOT "Banes-Oxley".

      BTW: Both corporations AND government (as currently practiced in the USA) would benefit from tightening access to internal electronic documentation (such as emails). Do not expect a level playing field for the average citizen when it comes to electronic evidence, however. Illegal P2P downloads will continue to be considered just short of "terrorism" in the eyes of government.
      Since government benefits from the
    • For some companies operating on the edge of the law, particularly ones at one physical location, paper memos and informal meetings without official minutes make make a comeback.
      • There's a great scene in Cryptonomicon where Randy is explaining to Eberhard the reason that they have not been privy to the development of a major shift in corporate strategy until it is officially announced to everyone. He takes him aside for a two-person conversation, in which he explains the occasional desirability of making major business decisions as a series of two-person conversations rather than a single large bull session with everyone involved.
  • by PornMaster ( 749461 ) on Wednesday February 16, 2005 @10:28AM (#11688826) Homepage
    My first reaction was to say that corporate e-mails should be PGP (or similar) encrypted, but private keys would be subject to subpoena, wouldn't they?
    • I'm not very familiar with PGP, never having reason to use it, but aren't PGP private keys a short memorable sequence which the recepient uses to decode a message encoded with his public key?
      So if I'm subpoenaed couldn't I just say 'I forgot the private key because of all the stress this subpoena placed me under'
      Now all they have is an encrypted message that can never be decrypted.
      • The passphrase is used to encrypt the private key, "unlocking" it for use.

        I'm not sure about the feasibility of brute-forcing the passphrase to get the private key (stored on disk, USB key, whatever medium).
      • On the other hand, now you're sitting in jail in contempt of court until you remember your passphrase and produce your key.

        The really paranoid solution would be yes, to encrypt documents, but to have a key that recognizes two passphrases -- one that decrypts the document to the real version, and one that decrypts it to something totally banal, like an e-mail to your husband on what to bring home from the store. Then you encrypt everything so that the court doesn't think you encrypting your shopping list

  • After reading the LawMeme article, I understood this to be mostly focusing on how cooporate electronic information would be handled, though if it is applied to corp info then it will likely later be applied to personal info. It does seem that it would open up more than a few loop holes that would allow big corporations to get away with things while the common user would not, for example a large company could easily decide to copy all possibly incriminating back-ups to a less accessable media, but how many
  • by jolyonr ( 560227 ) on Wednesday February 16, 2005 @10:43AM (#11688954) Homepage
    Back in the past I did a lot of work as a computer forensic expert on behalf of most of the UK police forces, Crown Prosecution Service, etc.

    Always there would be attempts by the defence to get some of the evidence struck off as inadmissable before the session got underway before the Jury.

    I remember one case - the evidence was a print-out showing the log of an investigator connecting to a BBS and downloading something illegal (AT&T calling card numbers or similar).

    The defence pointed to a line 2/3 down the page and said there's a letter missing from the start of one of the lines. It said 'ogin' instead of 'Login'. Therefore the printer wasn't working correctly, and if we couldn't trust that the evidence shouldn't be admitted.

    So, I take the stand and pick up the evidence bundle, and point out to the judge, with no small amount of amusement, that the original page had been hole-punched (not obvious in the photocopies) and the L had been punched out. The judges are not stupid, they know when the defence are 'trying it on'. All the evidence in that trial was allowed to stand, and as soon as the trial got underway the defendent changed his plea to guilty!

    Jolyon
  • The post says that the comment period ended today. That does not mean that comments cannot still be submitted. Informed helpful comments submitted after the deadline can be considered. I myself have no position on the proposed rule changes, but as someone who has participated in rule-making procedures I thought I'd point that out.
  • AFAIK, all evidence, electronic or physical, has to be admitted under oath by a witness. "Yes, that's mine."

    Discovery is better, because they produce documents which are presumed authentic. Smoking guns are most frequently found in discovery material. If I had an outside source, I'd look through the discovery mountain to confirm it. IANAL

    When someone tries to deny evidence, things get stickier. You'd have to find a different witness "Yes, I got that and we talked about it". Or show that the message ha

    • IANALY and I haven't read the PDF, but it seems to me from what I have read that the proposed amendments relate mostly to discovery. Discovery under the Federal Rules of Civil Procedure (those being the rules to be amended here) is multi-facted.

      As I see it, the big one here is the discovery device of document requests. You (a lawyer for party A) send a request for production of documents to party B, for instance "All sales records for the period from January 1, 1999 through January 1, 2002." And they
      • The problem is that it might be unreasonably burdensome to say "I want a copy of every internal e-mail for the years 1999-2001."

        See SCO v. IBM, for details of just such a burdensome fishing expedition that was granted.
  • Reading through the comments, I see several people misinterpreting the nature of the rule changes.

    The proposed changes are to the Federal Rules of CIVIL Procedure. This affects CIVIL lawsuits, and does not (directly) impact criminal prosecutions (for "hacking" or otherwise). The rule changes also don't have much to do with the admissibility or authentication of evidence.

    Among other things, if adopted, the rule changes would do things like require electronic production of electronic records (i.e., don't bother trying to print out that database). Also, the proposed Rule 37(f) safe harbor for failure to preserve doesn't protect parties from sanctions for intentional or reckless failure to preserve information.

    IAAL. So, there.

//GO.SYSIN DD *, DOODAH, DOODAH

Working...