New Rules Proposed on Electronic Evidence
davidtspf writes "The committee that makes the rules of procedure for U.S. federal courts is now considering new rules governing electronic evidence, how much litigants need to produce at trial, and under what circumstances. Civil rights attorneys are arguing that the rules will make it harder to find smoking guns, while a number of corporations, including Microsoft, have submitted comments arguing for further limits. LawMeme has an article with more background, comparing the process to debates over IP law that occur in a vacuum of empirical data, and encouraging techies to submit requests to extend the public comment period, which ended today."
Rule #1 (Score:2, Funny)
Re:Rule #1 (Score:1)
Re:Rule #1 (Score:1)
The formatting information is fixed, so what you see is what gets printed;
Detectives (almost always) don't have the capability to edit PDF, but they all have the ability to view it since Acrobat Viewer is part of the standard build.
(I am a forensic computer analyst for a state police service.)
Microsoft's real interests... (Score:3, Insightful)
My take would be MS wants more restrictions so its own leaked memos can't be used against it so easily.
Just my two cents.
Re:Microsoft's real interests... (Score:3, Insightful)
I can honestly say I know of no one who wants their deepest, darkest secrets being revealed in a court room.
Why would you expect anything less from MSFT or anyone else?
Re:Microsoft's real interests... (Score:1)
Maybe so many people have been fired at work for allegedly surfing pr0n and come to find out it was a collaborative effort from the admins and managers just to remove a single person?
What if someone was forging BG's logs to make him look jacko freaky and releasing the data to the internet. If you don't know by now that all electronic logs that are created by a machine can be created by a person that looks like it came from a machine.
Re:Microsoft's real interests... (Score:2)
Exactly, bits are bits are bits and there is no way to tell whether a collection of bits is truthful for the purpose for which it may be represented in a court room. Unless there is some kind of strong encryption/authentication system on the e-mail for example, there is no iron-clad way to determine whether either the text itself or times and authorships are true. Digital pictures can be altered, making it difficult and sometimes impossible to tell whether they are telling the trut
Re:Microsoft's real interests... (Score:2)
There is no problem with trusting the computers. After all they are only machines that do what their master tells them to do. It is the people that run the computers that often are not trustworthy. MS wants to set things up so only they and their designates can be the master of your computer. This means that if they can be trusted, then this might work. The problem is that MS is run by people and what makes anybody think that their people are more trustworthy than the average computer u
Not Entirely Bad (Score:5, Interesting)
No, they'll want their cake and eat it too (Score:5, Insightful)
I doubt it. Rules for whistleblowing will have one standard, rules corporations can use against individuals will have another.
It won't be phrased that blatantly. Instead it will be one set of rules for submitting confidential data (internal memos, emails, chatroom logs) and another, much laxer set of rules, for accusations of copyright infringement.
Be assured, the end result will almost certainly mean less corporate accountability, and less protection of individuals against corporate witch hunts.
Why not distinguish people from corporations? (Score:2)
WRONG (Score:5, Informative)
These rules only cover "standards", if you will, for how evidence is collected in the discovery process; how it is traded back and forth (produced) between plaintiff and defendant counsel; rules for deposing witnesses; and most importantly, in this case, standards for how the production materials are formatted. That is what is being addressed here.
Currently the Rules of Civil (and Criminal for that matter) Procedure are designed to govern how cases are litigated in a paper world. Electronic evidence (and a virtual lack of standards for it) have created a host of problems for this antiquated process that is by orders of magnitude more difficult to deal with than was ever previously encountered in the paper world. Whereas before, when someone got sued their paper files would get taken. The files were static objects. Maybe a few people would get a copy of a particular document and it was much easier to determine who the recipients were. Now that more material is traded back and forth through e-mail and other means, this happens on a much faster pace, it's much easier to spray copies around to a variety of recipients and much harder to keep track of who had what and when they had it.
Also, electronic communications will keep several revisions of a document which may have been thrown away and not retained in the paper world. This frequently happens without the custodian's knowledge more often than not, unless a very deliberate attempt to implement, maintain and enforce a document management and retention policy. Indeed, the electronic communications revolution has made the proverbial smoking guns much more numerous than in the past by its very nature.
Volume and velocity of communication is only one part of the problem. File formats are just as big a piece of the puzzle. Word vs. Word Perfect documents being an example. If electronic documents are not properly handled you can easily be accused of spoliation of evidence, with or without any malintent. By simply converting a WordPerfect document to Word format, it can change pagination, formatting, and destroy metadata that the recipient wasn't even aware existed. Having "exact" copies, traceable back to their source (chain of custody) of a document as it was produced to you "in the normal course of business (to use the vernacular)" is extremely important if you intend to use all or part of it as evidence. This is (one of) a lawyer's worst nightmares.
These are just a few of the problems relating to the federal rules and electronic documents. Outside of the Sedona Conference, these have largely been unaddressed up until very recently. It looks like the Rules of Civil Procedure are going to standardize on production of documents in native format. One school of thought has been to take the native documents and print them to a static format for production purposes (such as tiff, pdf, jpg). Looks like they're shying away from that approach and leaning toward the "native format" position; both have their advantages and potential pitfalls, some of which I outlined above.
Anyway, in response to your post and in summary, you shouldn't read so much into Microsoft having an opinion here. Their opinion on the matter isn't out of line with most other businesses in this regard, nor is it necessarily bad for the little guy either. This is a double edged sword and it is as sharp on one side as it is on the other. If anyone will "win" out of this, it will be trial lawyers, in the sense that you will need to make sure you have counsel that is acutely aware of the electronic discovery universe and how to take advantage of it while making sure you don't get cut.
This is simply a badly needed revision of the rules that will make it more fair for plaintiffs and defendants alike. I wouldn't read anything more into it than that.
Re:WRONG (Score:4, Insightful)
To say it would be embedded into the Federal Rules of Civil Procedure would be sort of like blaming a programming language or its compiler for viruses that are written using it.
Re:WRONG (Score:2)
Re:WRONG (Score:2)
Re:WRONG (Score:2)
I agree that the proposed rule allows for a lot of flexibility, and that there's no way to render a relational database or a sound file to TIFF or PDF. I think the rule will quash games like trying to foist a printout of a relational database (or, even better yet, a DLL file (been there, done that)). I've already gotten into fights over the (lack of) utility of printouts of excel spreadsheets.
But for document review/production of "standard" files - and by that I'm thinking of email and word
Re:WRONG (Score:2)
Re:No, they'll want their cake and eat it too (Score:1, Offtopic)
Re:Not Entirely Bad (Score:2)
Long gone... (Score:1, Insightful)
Re:Long gone... (Score:1)
Companies want more limits... (Score:5, Insightful)
Of course they do, otherwise their emails will continue to show in court that they are guilty as hell. There should be no different standard applied to electronic communications over written notes. If you write a note it's admissible, if it's electronic it should be equally admissible (and easier to get hold of).
Re:Companies want more limits... (Score:5, Insightful)
Example: From memory, I can construct an email that is exactly like the real ones I get. Down to the Message-ID header looking authentic. Depending on the email system, that may be all that's required.
This is much harder to do with written communications. Should they still be held to the same standard? *shrug* If you can guarantee me that all electronic comms are authentic, then I don't see why not, otherwise...
Re:Companies want more limits... (Score:2, Interesting)
I think that any document entered to court should be validated and proved 100% authentic before it is admissible.
I do agree that the laws for evidence should be the same. If you accidentally send that incriminating document to someone who was not the intended recipient, it doesn't disqualify your document and its intent.
Re:Companies want more limits... (Score:3, Interesting)
seriously, laughably, easy.
Going back in time, as in inserting your faked e-mail into an offsite tape backup, would be a little harder.
On the other hand, the people looking for evidence are very unlikely to be able to properly access your offsite library; they are most likely going to order the company geeks to do it for them, unless you are talking about a government sponsored full-bore witchhunt, of course.
Re:Companies want more limits... (Score:2)
Know your IT staff
Love your IT staff
Pay your IT staff better than the other person
Pray your IT staff doesn't sell you out
Re:Companies want more limits... (Score:3, Insightful)
Electronic data, such as email, gets routinely copied multiple times.
I work in this field. One of our MAJOR expenses is eliminating duplicates.
If a document was suspect of being "forged", we would just have to see how many duplicates were created.
If something was dated last year, it would start to show up in all the back up tapes we got (which we had to get to make sure they did not get incriminating evidence and then delete it immediately).
In general, most electronic documents are EXTREMELY di
Re:Companies want more limits... (Score:1)
For example, to play jokes, I sometimes send emails to my coworkers claiming to be from our boss. Those emails get copied & backed up just like real ones. And the coworkers can not tell that the email was not from the boss. So how would you prove in court that the boss really did send the em
Re:Companies want more limits... (Score:2)
Re:Companies want more limits... (Score:2)
Re:Companies want more limits... (Score:2)
But it is also fairly easy to get someone's signature on a blank piece of paper.
Re:Companies want more limits... (Score:3, Interesting)
What if a document were created on a computer that was not included in the backup schedule, or was somehow excluded from regular backup?
For instance, if someone wanted to forge a document, they could operate on a removable USB drive. I won't say that I'm familiar with the average backup system of the industry at large, but I'd guess that such drives would be excluded from the backup schedule.
If that's the case, then the forged document would ap
Re:Companies want more limits... (Score:2)
It would be the equivalent of saying:
"Look, I have proof that you insisted on me having sex with you - here is a letter where you blatantly requested sex, typed on generic white paper, using a generic laser print font and ink, that has your name printed on the bottom. Yes, I know you did not sign it, but I SAW you print it out and give it me, whil
Re:Companies want more limits... (Score:2)
For email, your argument makes a lot of sense. There are lots of email servers where a legitimate email would leave a trace. While it's simple to forge an email, the traces it leaves would let one track where it came from.
But other documents might not have as strong of an audit trail. For example, Photoshop only recently got the ability to store a history of what actions were performed by whom on a document for exactly these audit purpo
Re:Companies want more limits... (Score:1)
The PO has standards, why shouldn't email?
Re:Companies want more limits... (Score:1)
Re:Companies want more limits... (Score:2)
Re:Companies want more limits... (Score:2)
The problem is that electronic bits can be easily altered in such a manner that it is impossible even for the best experts to tell that this has been done. Altering a paper note in an undetectable manner is considerably more difficult.
Hmm (Score:5, Interesting)
Re:Hmm (Score:3, Insightful)
Yes, either one.
Which do you think the lobbyists are pushing for?
Re:Hmm (Score:2)
>
> Yes, either one.
> Which do you think the lobbyists are pushing for?
Both of your arguments are based on a false dichotomy.
The correct answer is "both". You will be unable to submit digital pictures and financial records as evidence of XYZ Corp's illegal dealings, and si
Fool (Score:5, Interesting)
Re:Fool (Score:5, Insightful)
Re:Fool (Score:2)
The difference is that it is trivial to create a fake electronic document. Paper documents have inherent security features, like the paper and ink they are printed with, the typeface, the minute flaws in the printing machinery, etc.
A person who might not have been willing to fake a paper document (because of the risks of being detected) might be much more willing to fake an electronic one.
Re:Fool (Score:2)
I can send a Word document to the laser printer in the mail room set in Times New Roman 12pt just as easily as my boss can. If I put "Boss" instead of "Peon" into the letterhead, I don't see how you would tell the fake memo from the real one.
Re:Fool (Score:2)
Right, but those are not the only possible scenarios. If I had some enemy X and I wanted to forge a typewritten letter by X indicating an intent to commit a murder, I'd have a hard time doing it in a way that couldn't be disputed in court. On the other hand, it's much easier to fake an EMAIL indicating an intent to murder.
Re:Fool (Score:1)
Thanks!
Ah-null'd
Re:Fool (Score:4, Informative)
I work in this field.
While it is true that anything can be forged, in any major company it is INCREDIBLY easy to detect forgery of electronic documents. Yes it can be done, but it would be FAR more expensive than forging paper documents.
Why? COPIES. BACKUP. EMAIL SERVERS. Emails for example are incredibly difficult to convincingly forge. When I send an email to you, it does NOT just go to your computer. It goes all over the company network, getting backed up, tarred, zipped, etc. In order to convincingly forge an email from IBM to say Microsoft, I would have to:
1. Find all those files in IBM's computer. Good luck. Hope you don't miss one.
2. Edit all those files, being sure to use correct permissions and reset things like Last modified date.
3. See steps 1 and 2? Repeat for Microsoft's computers.
In general, it is FAR easier to forge a hand letter to Microsoft from IBM than an electronic email
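The comment above argues that a forgery is hard to hide because copies of a message accumulate in mailboxes and backup sets. As an added illustration (not code from any poster; the message, addresses and source labels are constructed), this Python example groups recovered copies by Message-ID, ignores transport headers that legitimately differ between copies, and reports which sources hold a version that disagrees with the rest.

```python
import hashlib
from collections import defaultdict
from email import message_from_string

# Headers that identify the message itself. Transport headers such as
# Received legitimately differ from copy to copy and are ignored.
STABLE_HEADERS = ("Message-ID", "From", "To", "Date", "Subject")


def fingerprint(raw):
    """Return (message_id, sha256 hex) over the stable headers and the body."""
    msg = message_from_string(raw)
    digest = hashlib.sha256()
    for name in STABLE_HEADERS:
        value = " ".join((msg.get(name) or "").split())  # collapse folding
        digest.update(f"{name}:{value}\n".encode())
    if msg.is_multipart():
        body = "\n".join(str(p.get_payload()) for p in msg.walk()
                         if not p.is_multipart())
    else:
        body = msg.get_payload()
    # Normalise line endings and trailing whitespace added in transit.
    lines = body.replace("\r\n", "\n").split("\n")
    body = "\n".join(line.rstrip() for line in lines).strip()
    digest.update(body.encode())
    return (msg.get("Message-ID") or "").strip(), digest.hexdigest()


def find_divergent(copies):
    """copies: iterable of (source_label, raw_message).

    Returns {message_id: {digest: [sources]}} for every Message-ID whose
    copies do not all share one content digest.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for source, raw in copies:
        mid, digest = fingerprint(raw)
        seen[mid][digest].append(source)
    return {mid: dict(groups) for mid, groups in seen.items()
            if len(groups) > 1}


def outliers(groups):
    """Sources holding a version other than the most widely held one."""
    majority = max(groups.values(), key=len)
    return sorted(s for srcs in groups.values()
                  if srcs is not majority for s in srcs)


def _copy(received, body):
    """Build one constructed copy of the same message (sample data only)."""
    return (f"Received: from {received}\n"
            "Message-ID: <constructed-0001@example.com>\n"
            "From: manager@example.com\n"
            "To: hr@example.com\n"
            "Date: Mon, 02 Feb 2004 09:15:00 -0500\n"
            "Subject: Staffing decision\n\n" + body)


ORIGINAL = "Joe was late on seven occasions.\n"
ALTERED = "Joe was late on two occasions.\n"

# Constructed copies as they might be recovered from four locations.
SAMPLE = [
    ("sender-mailbox", _copy("mail.example.com", ORIGINAL)),
    ("daily-backup", _copy("relay1.example.com",
                           ORIGINAL.replace("\n", "\r\n"))),
    ("weekly-backup", _copy("relay2.example.com", ORIGINAL)),
    ("recipient-mailbox", _copy("mx.example.com", ALTERED)),
]

if __name__ == "__main__":
    for mid, groups in find_divergent(SAMPLE).items():
        print(mid, "differs in:", outliers(groups))
```
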
Re:Fool (Score:2)
Re:Fool (Score:2)
At my law firm, if my PC blows up, I can get the following:
a restore from the daily back up. We keep 30 days back up available, via our emergency servers in another city. Should be able to do this in minutes.
A restore from the weekly back up on raids. Takes about one hour to access. We keep 50 of these (one year's worth).
A restore from the monthly tape backups. We keep these forever.
For us, that is not just
Re:Fool (Score:2)
Re:Fool (Score:2)
As the cost of full-blown electronic discovery lowers, though, I wonder whether forgery will become a bigger problem. I can think of several small companies who use their ISP'
Re:Fool (Score:2)
So now you find two or three or more copies of a purported e-mail and they are all slightly different because they went through various computers etc. How do you unambiguously determine which is the truthful one? Electronic bits are ephemeral creations whose arrangements can be undetectably altered with varying degrees of difficulty, ranging from trivially easy to quite difficult. Alterations of ink on paper with a true signature are much harder to m
Re:Fool (Score:2)
It is more like HUNDREDS.
Look. I send an email from my computer at IBM to your computer at MSFT.
One month later there exists:
a copy on your computer, assuming you have not deleted it.
a copy on my computer, assuming I have not deleted it.
a copy on each of our daily back ups.
a copy on all 4 of our weekly back ups, and another copy on all 4 of your weekly back ups.
Assuming that they keep one month of daily back ups available, that is 70 copies. I repea
Re:Fool (Score:2)
Granted that this scenario may happen at large corporations who can afford an expensive IT dept. but at small businesses and with individuals it is much less likely. Backups are unfortunately not done as rigorously as needed and because of storage costs, data are often erased if it is felt it is no longer needed. Some people even deliberately erase almost all communications and other data that they feel may someday be used in a court proceeding.
E-mail also aren't the
Re:Fool (Score:2)
Generally you do not need to prove which is the fake and which is the copy. The existence of both demonstrates that an attempt was made to forge a document. That combined with the location of the "anomalous copy" generally defeats the purpose of forging a document.
For example - say a company is accused of discriminating against blacks. Two copies of a memo are found - one of which says "no
Good news I guess (Score:5, Insightful)
Now, we can hope that punishment for computer-related crimes is brought down to reasonable levels. As much as I hate the fear of identity thieves and hackers, I think it's ridiculous that someone can get less time in jail for committing murder than for hacking into a corporate network.
And we've all heard of "consultants" who were jailed by a company because the consultant tested the company's network security, but the company didn't like it. Penalties and jail-time were harsh, even though no bad intentions were evident.
Re: (Score:3, Insightful)
Re:Good news I guess (Score:1)
Please? Like disallowing them to use a computer and put their abilities to good use? Do you think some computer crack which is disallowed to use computers will get a good member of the society? Dream on. You'll be creating *real bad* criminals that way.
There is one thing that really helps: catch the criminals. Punishment is not as important. If they get 3 weeks prison for defacing
Re:Good news I guess (Score:2)
What about picking the correct problem? The problem is not the people attacking the infrastructure: they are the symptom. The problem is the vulnerability of the infrastructure and its brittleness. Screw the attackers - make the system resilient and tough and decentralized enough to turn more or less any kind of atta
Re:Good news I guess (Score:2)
Where I live, they execute murderers.
Just out of curiosity, where you live, do companies have their own jails?
Re:Good news I guess (Score:2)
Throw 'im in the brig! Yaaaaaaar.
Randal Schwartz is not blameless (Score:2)
I don't think he did anything malicious, but he admitted he did things that anybody competent in security work or system administration at the time would have told you are a bad ide
Well (Score:2, Insightful)
1 step forward, 1 step back? (Score:5, Insightful)
Could we see a new ISP springing up that 'routinely' wipes out logs every week? Might it provide better security and anonymity for its customers?
Of course there's the downside of better protecting true criminals, but I think in today's Big Brother-esque, PATRIOT act society, a little more protection from overreaching laws is a good thing.
Re:1 step forward, 1 step back? (Score:3, Informative)
Anonymizer.com claims they don't retain logs. Ziplip used to advertise that they didn't keep any record of a message after it was sent, but today their sales pitch is that they retain the records for you for compliance with HIPAA, Sarbanes-Oxley, GLBA or whatever.
Re:1 step forward, 1 step back? (Score:4, Insightful)
This also means it will be much harder to mine for minor infractions post-fact, and instead pursue actual "true criminals" - ie. the kind they are willing to invest time into actively following and getting warrants and whatnot.
Re:1 step forward, 1 step back? (Score:2)
Spot on, my friend. And to expand on that thought, this is why solid document management and retention policies are so important. Lack of awareness of the legal risks; and the fact they're so difficult to construct i
Re:1 step forward, 1 step back? (Score:2)
I am not a lawyer and the following is not legal advice:
In the US, any ISP who wants to routinely wipe its logs weekly, fortnightly, or nightly, or not even keep logs at all, doesn't need this new law to give them permission to do so. Except for those cases where contractual or accounting practices require the retention of billing and usage data, there are n
Destroying evidence? (Score:4, Insightful)
That would certainly work to the advantage of those not eager to be confronted with old memos
Re:Destroying evidence? (Score:3, Insightful)
Re:Destroying evidence? (Score:2)
According to the proposed 37(f) this would be just fine and you would not be destroying evidence (and this is the key word to watch here). I'll leave i
Re:Destroying evidence? (Score:1)
Re:Destroying evidence? (Score:3, Interesting)
And to the disadvantage of those who used to have evidence that could clear them, but who automatically threw it out.
Either way money is an issue. Electronic storage is dirt cheap (better than dirt cheap: have you priced dirt lately?) but paying lawyers to read all your old email is so expensive that entire companies exist to streamline the process.
In other words, even non-scummy defendants would benefit
Document Retention Policies (Score:1)
The time and effort required to pull and organize all of the data from a request to search all electronic records for any mention of "Product Frobozz" is not trivial. Doing it several times per day for differ
Platter dust (Score:2, Interesting)
--
Dogs are annoying. Go ECFA.
Re:Platter dust (Score:5, Informative)
When a computer forensicist is involved in a raid, he knows what evidence he has to look for. He has a plan of attack. That could include forcing a crashdump of the RAM on a Unix server to analyse the processes that are running. A lot of incriminating information is found in the space that was taken up by deleted files.
Another way of obtaining incriminating information is from "third party" logfiles, network taps, etc. Doing as much investigation without the suspect knowing it.
I am not a computer forensicist, but I applied for the job.
Criminals should use bootable CDs (Score:2, Funny)
They should also lock out intruders at the network level and at the console.
While they are at it, they should be inside an underground lead-lined bunker with no connection to the outside world except a faraday-caged ventilation shaft. What about the AC power line? They should run everything off of batteries or fuel cells.
Anyone need a spare laptop to go with their fallout shelter?
Re:Platter dust (Score:2)
Re: (Score:2, Interesting)
Re:3d and photoshop (Score:2)
It is easy to fake a digital document for your brother/sister/family.
But IBIS or RVM (companies that process documents for law firms), will find an original, unaltered copy of the document without even trying.
good (Score:1)
Good steps (Score:2, Insightful)
Re:Good steps (Score:2)
It is easy to give your sister an altered document.
But in any major company, there are SO many back up copies, dated copies, tarred files, that it would be incredibly difficult to alter ALL the copies.
Hm Your Honor Judge, we have 23 copies of this document. The three copies from their main document state "I fired Joe because he was late on 7 occasions". But the other 20 copies say "I fired Joe's black but cause his sister wouldn't put out".
I suspect... (Score:5, Interesting)
IANAL but it appears that a side effect of this is that it elevates this form of business communication as more legally binding above and beyond normal paper document communications. IE Official business memos are legally required to be stored but simple interpersonal memo communication between officers is not. But if it IS kept and found, it's legally admissible.
The law change (to help prevent another Enron) elevates all communication to a stored status. From the consumer side this is "good" because smoking guns are easier to find. But from the business side this is "bad" because a lot of ideas get thrown around when trying to develop business plans. Ideas that may be quasi-legal to begin with, but not recognizable as such until they bounce the plan off one of the legal team and he quashes it. End of story right? Not if that communication is part of the official record because it was emailed. Now it becomes a smoking gun as part of a "pattern of intent to do illegal business practices".
Re:I suspect... (Score:2)
BTW: Both corporations AND government (as currently practiced in the USA) would benefit from tightening access to internal electronic documentation (such as emails). Do not expect a level playing field for the average citizen when it comes to electronic evidence, however. Illegal P2P downloads will continue to be considered just short of "terrorism" in the eyes of government.
Since government benefits from the
the solution to this - snail-mail and face-time (Score:1)
The two-person conversation (Score:2)
Encryption no panacea? (Score:3, Interesting)
Re:Encryption no panacea? (Score:1)
So if I'm subpoenaed couldn't I just say 'I forgot the private key because of all the stress this subpoena placed me under'
Now all they have is an encrypted message that can never be decrypted.
Re:Encryption no panacea? (Score:2)
I'm not sure about the feasibility of brute-forcing the passphrase to get the private key (stored on disk, USB key, whatever medium).
Re:Encryption no panacea? (Score:2)
The really paranoid solution would be yes, to encrypt documents, but to have a key that recognizes two passphrases -- one that decrypts the document to the real version, and one that decrypts it to something totally banal, like an e-mail to your husband on what to bring home from the store. Then you encrypt everything so that the court doesn't think you encrypting your shopping list
Personal versus Corporate (Score:2, Insightful)
Just let the judge decide what's admissible (Score:5, Interesting)
Always there would be attempts by the defence to get some of the evidence struck off as inadmissible before the session got underway before the Jury.
I remember one case - the evidence was a print-out showing the log of an investigator connecting to a BBS and downloading something illegal (AT&T calling card numbers or similar).
The defence pointed to a line 2/3 down the page and said there's a letter missing from the start of one of the lines. It said 'ogin' instead of 'Login'. Therefore the printer wasn't working correctly, and if we couldn't trust that the evidence shouldn't be admitted.
So, I take the stand and pick up the evidence bundle, and point out to the judge, with no small amount of amusement, that the original page had been hole-punched (not obvious in the photocopies) and the L had been punched out. The judges are not stupid, they know when the defence are 'trying it on'. All the evidence in that trial was allowed to stand, and as soon as the trial got underway the defendant changed his plea to guilty!
Jolyon
Re deadlines for comments- late comments ok (Score:1, Insightful)
What's the big deal? Fishing? (Score:2)
Discovery is better, because they produce documents which are presumed authentic. Smoking guns are most frequently found in discovery material. If I had an outside source, I'd look through the discovery mountain to confirm it. IANAL
When someone tries to deny evidence, things get stickier. You'd have to find a different witness "Yes, I got that and we talked about it". Or show that the message ha
Re:What's the big deal? Fishing? (Score:2)
As I see it, the big one here is the discovery device of document requests. You (a lawyer for party A) send a request for production of documents to party B, for instance "All sales records for the period from January 1, 1999 through January 1, 2002." And they
Re:What's the big deal? Fishing? (Score:2)
See SCO v. IBM, for details of just such a burdensome fishing expedition that was granted.
Re:What's the big deal? Fishing? (Score:1)
This is for CIVIL litigation, not criminal stuff! (Score:5, Insightful)
The proposed changes are to the Federal Rules of CIVIL Procedure. This affects CIVIL lawsuits, and does not (directly) impact criminal prosecutions (for "hacking" or otherwise). The rule changes also don't have much to do with the admissibility or authentication of evidence.
Among other things, if adopted, the rule changes would do things like require electronic production of electronic records (i.e., don't bother trying to print out that database). Also, the proposed Rule 37(f) safe harbor for failure to preserve doesn't protect parties from sanctions for intentional or reckless failure to preserve information.
IAAL. So, there.