The AC post to which I'm replying is spot-on as to what many large comapnies are facing.
Courts are getting more savvy and are declining to impose blanket obligatons to preserve (or, heavens forbid, produce) "all" information.
Lawyers who understand the costs of information management are successfully narrowing the scope of what needs to be preserved (and produced), in order to let the company move on with its normal business.
The leading treatise / think-tank on eDiscovery issues, The Sedona Conference, captures this notion:
A party's preservation obligation does not require "freezing" of all electronically stored information, including all email. Organizations need not preserve "every shred of paper, every email or electronic documents, and every back-up tape," nor do they have to go to extraordinary measures to preserve "all" potentially relevant information. Comment 5.g., The Sedona Principles Addressing Electronic Document Production, Second Edition (June, 2007).
Of course, lawyers on the other side of the argument try to get closer to "all" than the people on the responding side. Figuring out where the line should be drawn continues to be the tricky part.
Regarding the Rule 37 "safe harbor", it's really not very helpful to most litigants, because, "Good faith in the routine operation of an information system may involve a party's intervention to modify or supsend certain fe atures of that routine operation in order to prevent the loss of information, if that information is subject to a preservation obligation." See Advisory Committee Notes to Rule 37(f).
So if your normal policy is that some "automatic" routine operates to delete potentially relevant (and "accessible") information, your opponent will argue that you're not acting in good faith if, upon reasonable anticipation of litigation, you didn't take action to suspend that automatic routine.
I am a lawyer and my practice focuses on eDiscovery. In other words, I translate between lawyers and people who read/.
Lots of interesting comments in this thread. There is a lot of FUD out there (like that's news). I hardly know where to start.
First, sophisticated litigants have seen increased costs from eDiscovery compliance, because "Joe Average" lawyer on the other side is getting more sophisticated about these issues. The new eDiscovery rules require companies to make pretty specific disclosures regarding what electronically stored information they have that might contain potentially relevant information. Federal judges are also more sophisticated on these issues now, and are expecting more of people. It's becoming a lot more difficult to 'hide your head in the sand' and hope the other side doesn't ask about this stuff.
Because the cost of searching, reviewing and producing email (and other electronic information) can be so burdensome, the table stakes for pursuing or defending a lawsuit can be higher than "before".
theMerovingian said: The FRCP are not a set of regulations to govern businesses, it just means that parties with digital information will bear the burden to produce it in the event of a lawsuit.
Not entirely true. In some cases, courts have held that cost-shifting is appropriate.
theMerovingian said: Depending on the frequency with which your company is sued, it may or may not be a good idea to make it faster to access your backups.
This is dangerous advice. There are companies out there which are making it cheaper to access backups. If you make it faster and easier to access information on offline (tape) or nearline storage, then you may reduce your ability to argue that the information is "not reasonably accessible due to undue cost or burden" under Rule 26(b)(2)(B). I have seen clients tripped up because IT people somehow get the notion that the lawyers WANT them to have really long retention periods on backups "just in case". While lawsuits sometimes require backup tapes to be held, if there isn't a lawsuit, it often isn't helpful to keep this data lying around when there isn't any business need for it.
theMerovingian said: However, anyone who deletes or destroys documents once a court order has been issued is in pretty big trouble if they get caught.
Agreed on the court order part -- don't violate court orders! But there's lots of room to argue before that order gets issued. When a company is sued, does that mean they have to create a bitstream image of each and every computer in the organization? (After all, just continuing to use the computer overwrites the pagefile and other unallocated space -- that's destroying potentially relevant data!) There are vendors (and even some lawyers) out there who are telling companies that they have to do this. The real answer is that in many cases, locking down every last bit of data is not necessary.
"noidentity" said: Why is this tagged privacy? This applies to businesses, not people.
That statement is flat-out wrong. The Federal Rules of Civil Procedure apply to parties who are the subject of lawsuits (or third party subpoenas). It's often companies, but theu can apply to individuals, too.
In many of the RIAA lawsuits, defendants have gotten into trouble for deleting information on the computers -- i.e., information which the RIAA contended was evidence that they were illegally sharing files.
Most lawyers would agree that if an individual is sued by the RIAA, they cannot hand their home computer off to the guy at Best Buy and have him replace the hard drive.
Metachor, IAAL and 99% of my practice is eDiscovery-related. Call me a lawyer among techies, or a techie among lawyers, either way is hopefully accurate. I get lots of practice trying to explain this stuff to both the geeks and the technophobe lawyer/judges out there.
As far as I am aware, there's no information about RIAA cases that have progressed to trial yet -- see http://recordingindustryvspeople.blogspot.com/#tri al ("We do not have information on any trials, although it would seem that there must have been some, especially in cases where the defendants are representing themselves, without legal counsel.")
So by that token, one could say that the RIAA has not "lost" a trial related to internet piracy, either.
You would first look at the methdology used to acquire the evidence -- akin to whether the investigator used "good lab procedures". Does the MD5 hash match up? Did they "contaminate" the scene by booting up the computer first? You might get a bite or two on admissibility that way, but standard methodologies are pretty well known and understood these days.
Don't forget that there's really no 5th amendment issue on the computer search, because the defendant isn't being compelled to give testimony.
If I were defending the case, I think the more compelling cross-examination would be to attack the lack of evidence between whatever is on the computer and the defendant herself. For instance, do you know how many other people had access to that profile? So anyone in the house could have sat down at that computer and searched for those terms? Bonus points for those of us with tinfoil hats if you can make a plausible case for some remote access software being used on the computer to plant the browser history from afar (although that would probably try the patience of any judge without more than just hypothetical conjecture.)
This line of cross-examination is less effective if you have lots of browser history showing that during the searches for drugs, guns and murder, she engaged in her "normal" web browsing patterns or accessed personal websites (ie, webmail) that other hypothetical users wouldn't have been able to access.
Testimony arising out of a forensic computer examination is most often hybrid fact testimony and expert testimony. Without looking at the transcript (or really anything more than the news reports), it seems to me that the examiner simply offered her expert opinion that the computer was used to Google certain (incriminating) search terms. The opinion gets before the jury and the basis of that expert opinion (ie the browser history) gets out under Rule 703.
Whether the jury gets to take the printout of the browser history back to the jury room is a separate question, but my point is that the hearsay problem isn't what some of the commenters here are making it out to be.
Are the standards for admissibility of evidence lower in civil court than they are in criminal court? I don't know, personally, but I'd be interested the answer. Any lawyers reading this?
The standards for admissibility are the same. The RIAA decisions you probably have seen are not trial admissibility decisions, however. The ones I'm aware of are at from the motion to dismiss / summary judgment stage, where the judge usually decides if there's any "material facts" in dispute. (Huge oversimplification.) While evidence presented at the summary judgment stage needs to be admissible, this is procedurally a much different animal than the presentation of evidence to a jury.
Whoa, whoa, whoa. I don't think there's any need to subpoena Google. Just look at the browser history -- the search terms you google are clearly visible -- so an entry of http://www.google.com/search?hl=en&q=how+to+kill+s omeone is probably what they found. You authenticate the chain of custody of the computer where you retrieved the browser history (probably via a forensic image of the computer), and you have testimony from the investigator that the computer was retrieved from xyz location and handled in a forensically sound manner, etc. etc.
Once you have the foundation of the browser history entry, then you introduce expert testimony regarding what that history entry means -- in other words, that someone using that computer (and perhaps logged in via a certain user profile) went to Google and searched for those terms.
In this manner, it doesn't go in via the party admission hearsay exception.
On cross-examination, the other side could attack the chain of custody and could probably elicit admissions that the evidence just shows that the computer was used and that it could have been someone besides the defendant doing the searching. And then there's always the possibility of forgery / planted evidence -- but with the forensic image (which is usually hashed) and the chain-of-custody logs, you'd probably have a hard time. All of this stuff goes to the WEIGHT of the evidence, and not to its admissibility.
I suspect that when most judges and lawyers talk about producing a "copy" of a hard drive, they mean for a bitstream image of the drive (in other words, "dd if=/dev/hda of=crazybigimage.img"). Because that's what law enforcement agencies so commonly do, absent a clear understanding with the other side, I would be really reluctant to make any other assumptions.
Absent such an understanding, being ordered to "produce a copy" of the drive and only producing, say, a Norton Ghost image of the drive, is likely to put you squarely in the crosshairs of the judge and the other side for sanctions.
I'm assuming he already got past Daubert, but what about a motion in limine?
That's flat-out wrong. None of this evidence is going to the jury -- it's all being presented to the judge to determine whether or not discovery should occur -- ie, whether the requested information should be produced to the other side. You don't get to Daubert or motions in limine at the pre-trial discovery stage.
It actually would not surprise me that a computer forensics expert witness might not actually know what he's talking about. Almost every computer forensics person I know who work on the biggest cases, are actually ex-police detectives with some computer training. They have a habit of strictly adhering to "best practices" in their computer forensics investigations, because that is really all they know.
IAAL and my practice is 99% electronic discovery consulting.
Part of the theme that I saw (and was disturbed about) in the original affidavit was the suggestion that the "only" way to prove authenticity was to conduct a forensic examination. I've seen some vendors that are so used to conducting these types of examinations (and indeed have a financial incentive to do as many as possible) that they fall into this trap pretty easily.
So let's say that I'm in a routine contract dispute where the conduct in question happened three years ago, and I have a screenshot of an email message. And the original email message was deleted from the server and the laptop three years ago. How many forensic experts would suggest that we MUST take a full disk image to "prove" authenticity? Is there a 1% chance that a fragment of that original message might exist in the unallocated space? A 10% chance?
The problem is that to make a decision about HOW you go about "proving" authenticity and using the information at trial, you need to educate both the lawyers involved AND the judge invovled regarding what these technical terms really mean -- and what the associated costs and likelihood of finding something useful really is.
There is a fairly good chance that at least some of the web pages viewing those webmails are recoverable in swap space, file slack space, and unallocated space.
Those of us who have dealt with swap space, slack space and unallocated space understand what MAY be found there. I think there is certainly a way for a lawyer to say, "Judge, we have some screencaps / printouts of emails and there's some question as to whether or not they're genuine. We want more evidence to test their authenticity and to re-create how they looked." Alternately, they might want to search for evidence in the browser cache or evidence that they're forgeries.
But does that mean that the "only way to reliably know" what they looked like is to do the forensic analysis? Or that it is "necessary" to do this "[i]n order to determine authenticity and source"? All of this evidence might have been planted by the CIA or by some hacker in Kazakhstan. Good luck trying to explain that to a judge not interested in technical details.
What a lot of tech folks (and lawyers) lose sight of is that there's a cost-benefit analysis to all of these decisions. Might there be some fragment of data that's relevant, that would tend to prove or disprove authenticity? Of course. But does whatever the other side stands to gain from this discovery justify the cost and burden that will be incurred?
It doesn't mean the opposite either. If there is a chance he might recover something useful, he should get access to the hard drive. Welcome to the world of civil discovery.
That's not entirely true. Just because something MIGHT contain relevant evidence doesn't mean that it's automatically going to be within the scope of civil discovery. The revisions to the Federal Rules of Civil Procedure that will go into effect in a month specifically provide that absent "good cause", you don't have to produce data that is "not reasonably accessible due to undue burden or cost".
There's lots of wiggle room in those words, but in the example above, taking a look at printer ribbon wouild be unduly burdensome in most cases. (Technically, printer ribbon isn't "electronically stored information subject to 26(b)(2)(B), but that's pretty esoteric.) More to the point, in many cases items in the browser cache or in unallocated space on hard drives will NOT be "reasonably accessible" and thus is NOT within the scope of civil discovery (absent a showing of "good cause").
He'd have to delete it, and proof of deletion would be a mess. Right?
Presumably, that's part of what's going on in the (civil) discovery process. On the geeksunited website, there is a reference to imaging. I assume that means that the company is taking a forensic image of his computers. (Probably with Encase or dd.) That will let them see what source code is present, and I'm sure they'll also want to poke into what websites he visited (in order to fish for evidence that he mishandled the source).
We're all armchair lawyering this one because we don't know the extent of the communications. It could be sham (such as your example email to a deactivated account) or it could be a result of a face-to-face confrontation. I don't think there's anything on the website or the court docket that shines any light on that issue.
If the source code is evidence of criminal activity, you have every right to present it as evidence when you report said activity to the authorities.
I disagree.
It appears that he had a contractual duty to return company property -- the source code. The (alleged) use of the source code for criminal activity does not excuse the misappropriation of company property.
If I know that my former employer is breaking the law, am I justified in breaking into my (former) office and taking documents? It seems like the same thing here.
I think the bottom line is that Salzenberg's refusal to turn over the company's source code gives rise to a colorable claim for misappropriation of trade secrets.
Looking at it closer, it might just be the petition for return of property seized pursuant to the warrant. Thinking about the timing, I wouldn't be surprised if the charges never made it to the grand jury...
In any event, the geeksunited.com timeline says that on June 6 the "DA Drops Criminal Investigation".
Note that the DA is not reported as having dropped the charges.
As far as I can tell, this is incorrect.
The/.'d timeline on the geeksunite website says that on June 6, 2005, "DA Drops Criminal Investigation - Announces Return of the Seized Property to Salzenberg."
I agree that there's no explicit threat in the letter to disclose the source code, but the original TRO requires Salzenberg to identify "any websites on which defendant posted" the source code. It was definitely on the company's mind. (See my comments upthread, too.)
I haven't seen the complaint, but I think that regardless how good they are, Salzenburg's lawyers will have a hard time arguing that the company's civil claims are frivolous (thus making any recovery of attorneys fees difficult). I suppose a malicious prosecution or some sort of defamation claim might get them to fees, though.
The way I see the company's arguments, Salzenburg was asked to return company property "and he has refused to do so". (That's in the detective's affidavit supporting the search warrant.) The source code is company property, and he's (allegedly) refused to give it back. That gets the company most of the way to a prima facie case of trade secret misappropriation, I think.
We're all armchair lawyering this one without all of the facts. The point of my original post was to point out that the comapny's position was not as unreasonable as some of the other posts have suggested.
He had no time to dutifully erase his hard drive if he was already resigned or terminated after his CEO conversation
I posted this upthread, but I think it bears repeating. In the affidavit supporting the search warrant, the detective says that the company president sent emails to Salzenberg "asking him to return any and all company property to the business and he has refused to do so". The company's lawyers are probably going to use that piece of information for all it's worth in arguing that it's evidence of Salzenberg's bad intentions.
I agree, Salzenberg's letter does not contain an explicit threat to disclose source code. The company's argument, though, is probably that given the totality of the circumstances, they were afraid that their trade secrets might be mishandled. (And who knows what else might've been said or misinterpreted in communications other than what's in the letter.)
In the affidavit supporting the search warrant, the detective says that the company president sent emails to Salzenberg "asking him to return any and all company property to the business and he has refused to do so". It's that kind of fact that the detective and/or judge could have latched onto to come to the conclusion that the company's trade secrets actually were at risk.
Keep in mind, it appears that the criminal matter is closed...
Ok, the Pennsylvania Common Pleas Court is partially online, and the docket sheets are available with a little digging. Too bad the full text isn't available.
CRIMINAL MATTER: Docket Number: CP-46-MD-0002495-2005. Filed 4/27/2005. CASE STATUS: CLOSED. Last event was a hearing on the return of property, on 6/10/2005 before Judge William J. Furber, Jr.
CIVL MATTER: Docet Number: 05-11918 (Judge Hodgson). A deep link to the docket sheet is http://12.40.122.125/FCP2.WEB8/0/P12DIS?CASE-NO=05 -11918. Looks like a motion for a temporary restraining order and for expedited discovery and preservation of documents was filed on April 26, and was granted ex parte (without the defendant being able to argue) by Judge Joseph J. Smyth. The latest emergency motions appear to be filed to reinstate this order, presumably as a result of the computers being released after the criminal matters were dismissed. I am very curious to know what's going on with the intervenors - Radian Guaranty and Lisa Perdichizzi. It's Perdichizzi who filed a motion for sanctions against the Plaintiffs on June 22, and there's nothing on the docket sheets since then.
Looking at the documents posted online, there are TWO separate things going on.
The search warrant was issued in a CRIMINAL proceeding. It looks like the state isn't pressing criminal charges.
There appears to be a parallel civil action, with expedited discovery. The civil action appears to assert that Salzenberg misappropriated trade secrets, and the discovery is targeted at imaging Salzenberg's computers.
The authorizatoin for grabbing the computers happened pursuant to the search warrant in the criminal investigation, not the (expedited) civil discovery.
I have a feeling that this will be unpopular with many/. readers, but what about the perspective of the company? Were/are they really acting unreasonably?
Here's an employee who's signed an agreement not to disclose trade secrets, and he's threatened to disclose the source code. He has CVS access, and it looks like he's downloaded a lot of the source code to his personal computer. If the company is in the right and it's not "hijacking" open proxies, what's it supposed to do? Let this guy go and let him smear the company's name and product? Or worse, let him post the company's source code publicly? Salzenberg cites the Pennsylvania statutes on "unlawful use of computer" in his letter, but the misappropriation of trade secrets is also a statutory violation...
If everything Salzenberg says is true, then he's truly gotten a bum deal. But I'm sure his superiors at the company have a different story, and who knows what that might be. Unfortunately, it looks like this will result in some pretty ugly litigation before it gets resolved.
Slashdot Mirror
The AC post to which I'm replying is spot-on as to what many large comapnies are facing.
Courts are getting more savvy and are declining to impose blanket obligatons to preserve (or, heavens forbid, produce) "all" information.
Lawyers who understand the costs of information management are successfully narrowing the scope of what needs to be preserved (and produced), in order to let the company move on with its normal business.
The leading treatise / think-tank on eDiscovery issues, The Sedona Conference, captures this notion:
A party's preservation obligation does not require "freezing" of all electronically stored information, including all email. Organizations need not preserve "every shred of paper, every email or electronic documents, and every back-up tape," nor do they have to go to extraordinary measures to preserve "all" potentially relevant information.
Comment 5.g., The Sedona Principles Addressing Electronic Document Production, Second Edition (June, 2007).
Of course, lawyers on the other side of the argument try to get closer to "all" than the people on the responding side. Figuring out where the line should be drawn continues to be the tricky part.
Regarding the Rule 37 "safe harbor", it's really not very helpful to most litigants, because, "Good faith in the routine operation of an information system may involve a party's intervention to modify or supsend certain fe atures of that routine operation in order to prevent the loss of information, if that information is subject to a preservation obligation." See Advisory Committee Notes to Rule 37(f).
So if your normal policy is that some "automatic" routine operates to delete potentially relevant (and "accessible") information, your opponent will argue that you're not acting in good faith if, upon reasonable anticipation of litigation, you didn't take action to suspend that automatic routine.
IAAL, but IANYL.
I am a lawyer and my practice focuses on eDiscovery. In other words, I translate between lawyers and people who read /.
Lots of interesting comments in this thread. There is a lot of FUD out there (like that's news). I hardly know where to start.
First, sophisticated litigants have seen increased costs from eDiscovery compliance, because "Joe Average" lawyer on the other side is getting more sophisticated about these issues. The new eDiscovery rules require companies to make pretty specific disclosures regarding what electronically stored information they have that might contain potentially relevant information. Federal judges are also more sophisticated on these issues now, and are expecting more of people. It's becoming a lot more difficult to 'hide your head in the sand' and hope the other side doesn't ask about this stuff.
Because the cost of searching, reviewing and producing email (and other electronic information) can be so burdensome, the table stakes for pursuing or defending a lawsuit can be higher than "before".
theMerovingian said: The FRCP are not a set of regulations to govern businesses, it just means that parties with digital information will bear the burden to produce it in the event of a lawsuit.
Not entirely true. In some cases, courts have held that cost-shifting is appropriate.
theMerovingian said: Depending on the frequency with which your company is sued, it may or may not be a good idea to make it faster to access your backups.
This is dangerous advice. There are companies out there which are making it cheaper to access backups. If you make it faster and easier to access information on offline (tape) or nearline storage, then you may reduce your ability to argue that the information is "not reasonably accessible due to undue cost or burden" under Rule 26(b)(2)(B). I have seen clients tripped up because IT people somehow get the notion that the lawyers WANT them to have really long retention periods on backups "just in case". While lawsuits sometimes require backup tapes to be held, if there isn't a lawsuit, it often isn't helpful to keep this data lying around when there isn't any business need for it.
theMerovingian said: However, anyone who deletes or destroys documents once a court order has been issued is in pretty big trouble if they get caught.
Agreed on the court order part -- don't violate court orders! But there's lots of room to argue before that order gets issued. When a company is sued, does that mean they have to create a bitstream image of each and every computer in the organization? (After all, just continuing to use the computer overwrites the pagefile and other unallocated space -- that's destroying potentially relevant data!) There are vendors (and even some lawyers) out there who are telling companies that they have to do this. The real answer is that in many cases, locking down every last bit of data is not necessary.
"noidentity" said: Why is this tagged privacy? This applies to businesses, not people.
That statement is flat-out wrong. The Federal Rules of Civil Procedure apply to parties who are the subject of lawsuits (or third party subpoenas). It's often companies, but theu can apply to individuals, too.
In many of the RIAA lawsuits, defendants have gotten into trouble for deleting information on the computers -- i.e., information which the RIAA contended was evidence that they were illegally sharing files.
Most lawyers would agree that if an individual is sued by the RIAA, they cannot hand their home computer off to the guy at Best Buy and have him replace the hard drive.
Metachor, IAAL and 99% of my practice is eDiscovery-related. Call me a lawyer among techies, or a techie among lawyers, either way is hopefully accurate. I get lots of practice trying to explain this stuff to both the geeks and the technophobe lawyer/judges out there.
As far as I am aware, there's no information about RIAA cases that have progressed to trial yet -- see http://recordingindustryvspeople.blogspot.com/#tri al ("We do not have information on any trials, although it would seem that there must have been some, especially in cases where the defendants are representing themselves, without legal counsel.")
So by that token, one could say that the RIAA has not "lost" a trial related to internet piracy, either.
You would first look at the methdology used to acquire the evidence -- akin to whether the investigator used "good lab procedures". Does the MD5 hash match up? Did they "contaminate" the scene by booting up the computer first? You might get a bite or two on admissibility that way, but standard methodologies are pretty well known and understood these days.
Don't forget that there's really no 5th amendment issue on the computer search, because the defendant isn't being compelled to give testimony.
If I were defending the case, I think the more compelling cross-examination would be to attack the lack of evidence between whatever is on the computer and the defendant herself. For instance, do you know how many other people had access to that profile? So anyone in the house could have sat down at that computer and searched for those terms? Bonus points for those of us with tinfoil hats if you can make a plausible case for some remote access software being used on the computer to plant the browser history from afar (although that would probably try the patience of any judge without more than just hypothetical conjecture.)
This line of cross-examination is less effective if you have lots of browser history showing that during the searches for drugs, guns and murder, she engaged in her "normal" web browsing patterns or accessed personal websites (ie, webmail) that other hypothetical users wouldn't have been able to access.
Testimony arising out of a forensic computer examination is most often hybrid fact testimony and expert testimony. Without looking at the transcript (or really anything more than the news reports), it seems to me that the examiner simply offered her expert opinion that the computer was used to Google certain (incriminating) search terms. The opinion gets before the jury and the basis of that expert opinion (ie the browser history) gets out under Rule 703.
Whether the jury gets to take the printout of the browser history back to the jury room is a separate question, but my point is that the hearsay problem isn't what some of the commenters here are making it out to be.
Are the standards for admissibility of evidence lower in civil court than they are in criminal court? I don't know, personally, but I'd be interested the answer. Any lawyers reading this? The standards for admissibility are the same. The RIAA decisions you probably have seen are not trial admissibility decisions, however. The ones I'm aware of are at from the motion to dismiss / summary judgment stage, where the judge usually decides if there's any "material facts" in dispute. (Huge oversimplification.) While evidence presented at the summary judgment stage needs to be admissible, this is procedurally a much different animal than the presentation of evidence to a jury.
Whoa, whoa, whoa. I don't think there's any need to subpoena Google. Just look at the browser history -- the search terms you google are clearly visible -- so an entry of http://www.google.com/search?hl=en&q=how+to+kill+s omeone is probably what they found. You authenticate the chain of custody of the computer where you retrieved the browser history (probably via a forensic image of the computer), and you have testimony from the investigator that the computer was retrieved from xyz location and handled in a forensically sound manner, etc. etc.
Once you have the foundation of the browser history entry, then you introduce expert testimony regarding what that history entry means -- in other words, that someone using that computer (and perhaps logged in via a certain user profile) went to Google and searched for those terms.
In this manner, it doesn't go in via the party admission hearsay exception.
On cross-examination, the other side could attack the chain of custody and could probably elicit admissions that the evidence just shows that the computer was used and that it could have been someone besides the defendant doing the searching. And then there's always the possibility of forgery / planted evidence -- but with the forensic image (which is usually hashed) and the chain-of-custody logs, you'd probably have a hard time. All of this stuff goes to the WEIGHT of the evidence, and not to its admissibility.
IAAL.
I suspect that when most judges and lawyers talk about producing a "copy" of a hard drive, they mean for a bitstream image of the drive (in other words, "dd if=/dev/hda of=crazybigimage.img"). Because that's what law enforcement agencies so commonly do, absent a clear understanding with the other side, I would be really reluctant to make any other assumptions.
Absent such an understanding, being ordered to "produce a copy" of the drive and only producing, say, a Norton Ghost image of the drive, is likely to put you squarely in the crosshairs of the judge and the other side for sanctions.
I'm assuming he already got past Daubert, but what about a motion in limine?
That's flat-out wrong. None of this evidence is going to the jury -- it's all being presented to the judge to determine whether or not discovery should occur -- ie, whether the requested information should be produced to the other side. You don't get to Daubert or motions in limine at the pre-trial discovery stage.
It actually would not surprise me that a computer forensics expert witness might not actually know what he's talking about. Almost every computer forensics person I know who work on the biggest cases, are actually ex-police detectives with some computer training. They have a habit of strictly adhering to "best practices" in their computer forensics investigations, because that is really all they know.
IAAL and my practice is 99% electronic discovery consulting.
Part of the theme that I saw (and was disturbed about) in the original affidavit was the suggestion that the "only" way to prove authenticity was to conduct a forensic examination. I've seen some vendors that are so used to conducting these types of examinations (and indeed have a financial incentive to do as many as possible) that they fall into this trap pretty easily.
So let's say that I'm in a routine contract dispute where the conduct in question happened three years ago, and I have a screenshot of an email message. And the original email message was deleted from the server and the laptop three years ago. How many forensic experts would suggest that we MUST take a full disk image to "prove" authenticity? Is there a 1% chance that a fragment of that original message might exist in the unallocated space? A 10% chance?
The problem is that to make a decision about HOW you go about "proving" authenticity and using the information at trial, you need to educate both the lawyers involved AND the judge invovled regarding what these technical terms really mean -- and what the associated costs and likelihood of finding something useful really is.
There is a fairly good chance that at least some of the web pages viewing those webmails are recoverable in swap space, file slack space, and unallocated space.
Those of us who have dealt with swap space, slack space and unallocated space understand what MAY be found there. I think there is certainly a way for a lawyer to say, "Judge, we have some screencaps / printouts of emails and there's some question as to whether or not they're genuine. We want more evidence to test their authenticity and to re-create how they looked." Alternately, they might want to search for evidence in the browser cache or evidence that they're forgeries.
But does that mean that the "only way to reliably know" what they looked like is to do the forensic analysis? Or that it is "necessary" to do this "[i]n order to determine authenticity and source"? All of this evidence might have been planted by the CIA or by some hacker in Kazakhstan. Good luck trying to explain that to a judge not interested in technical details.
What a lot of tech folks (and lawyers) lose sight of is that there's a cost-benefit analysis to all of these decisions. Might there be some fragment of data that's relevant, that would tend to prove or disprove authenticity? Of course. But does whatever the other side stands to gain from this discovery justify the cost and burden that will be incurred?
IAAL and I do this stuff for a living.
It doesn't mean the opposite either. If there is a chance he might recover something useful, he should get access to the hard drive. Welcome to the world of civil discovery.
That's not entirely true. Just because something MIGHT contain relevant evidence doesn't mean that it's automatically going to be within the scope of civil discovery. The revisions to the Federal Rules of Civil Procedure that will go into effect in a month specifically provide that absent "good cause", you don't have to produce data that is "not reasonably accessible due to undue burden or cost".
There's lots of wiggle room in those words, but in the example above, taking a look at printer ribbon wouild be unduly burdensome in most cases. (Technically, printer ribbon isn't "electronically stored information subject to 26(b)(2)(B), but that's pretty esoteric.) More to the point, in many cases items in the browser cache or in unallocated space on hard drives will NOT be "reasonably accessible" and thus is NOT within the scope of civil discovery (absent a showing of "good cause").
IAAL and I do this stuff for a living.
He'd have to delete it, and proof of deletion would be a mess. Right?
Presumably, that's part of what's going on in the (civil) discovery process. On the geeksunited website, there is a reference to imaging. I assume that means that the company is taking a forensic image of his computers. (Probably with Encase or dd.) That will let them see what source code is present, and I'm sure they'll also want to poke into what websites he visited (in order to fish for evidence that he mishandled the source).
We're all armchair lawyering this one because we don't know the extent of the communications. It could be sham (such as your example email to a deactivated account) or it could be a result of a face-to-face confrontation. I don't think there's anything on the website or the court docket that shines any light on that issue.
If the source code is evidence of criminal activity, you have every right to present it as evidence when you report said activity to the authorities.
I disagree.
It appears that he had a contractual duty to return company property -- the source code. The (alleged) use of the source code for criminal activity does not excuse the misappropriation of company property.
If I know that my former employer is breaking the law, am I justified in breaking into my (former) office and taking documents? It seems like the same thing here.
I think the bottom line is that Salzenberg's refusal to turn over the company's source code gives rise to a colorable claim for misappropriation of trade secrets.
A deep link to the miscellaneous matter is http://ujsportal.pacourts.us/crystal/enterprise9/D SReportsPDF.csp?ct=4&dktno=200068158/a.
Looking at it closer, it might just be the petition for return of property seized pursuant to the warrant. Thinking about the timing, I wouldn't be surprised if the charges never made it to the grand jury...
In any event, the geeksunited.com timeline says that on June 6 the "DA Drops Criminal Investigation".
Note that the DA is not reported as having dropped the charges.
/.'d timeline on the geeksunite website says that on June 6, 2005, "DA Drops Criminal Investigation - Announces Return of the Seized Property to Salzenberg."
D SReportsPDF.csp?ct=4&dktno=200068158.
As far as I can tell, this is incorrect.
The
Also, the court's online system is reporting a miscellaneous action which looks to be related to the criminal matter, case CP-46-MD-0002495-2005, as "closed". I think a valid deep link to the criminal docket sheet is http://ujsportal.pacourts.us/crystal/enterprise9/
I agree that there's no explicit threat in the letter to disclose the source code, but the original TRO requires Salzenberg to identify "any websites on which defendant posted" the source code. It was definitely on the company's mind. (See my comments upthread, too.)
I haven't seen the complaint, but I think that regardless how good they are, Salzenburg's lawyers will have a hard time arguing that the company's civil claims are frivolous (thus making any recovery of attorneys fees difficult). I suppose a malicious prosecution or some sort of defamation claim might get them to fees, though.
The way I see the company's arguments, Salzenburg was asked to return company property "and he has refused to do so". (That's in the detective's affidavit supporting the search warrant.) The source code is company property, and he's (allegedly) refused to give it back. That gets the company most of the way to a prima facie case of trade secret misappropriation, I think.
We're all armchair lawyering this one without all of the facts. The point of my original post was to point out that the comapny's position was not as unreasonable as some of the other posts have suggested.
He had no time to dutifully erase his hard drive if he was already resigned or terminated after his CEO conversation
I posted this upthread, but I think it bears repeating. In the affidavit supporting the search warrant, the detective says that the company president sent emails to Salzenberg "asking him to return any and all company property to the business and he has refused to do so". The company's lawyers are probably going to use that piece of information for all it's worth in arguing that it's evidence of Salzenberg's bad intentions.
I agree, Salzenberg's letter does not contain an explicit threat to disclose source code. The company's argument, though, is probably that given the totality of the circumstances, they were afraid that their trade secrets might be mishandled. (And who knows what else might've been said or misinterpreted in communications other than what's in the letter.)
In the affidavit supporting the search warrant, the detective says that the company president sent emails to Salzenberg "asking him to return any and all company property to the business and he has refused to do so". It's that kind of fact that the detective and/or judge could have latched onto to come to the conclusion that the company's trade secrets actually were at risk.
Keep in mind, it appears that the criminal matter is closed...
Ok, the Pennsylvania Common Pleas Court is partially online, and the docket sheets are available with a little digging. Too bad the full text isn't available.
5 -11918. Looks like a motion for a temporary restraining order and for expedited discovery and preservation of documents was filed on April 26, and was granted ex parte (without the defendant being able to argue) by Judge Joseph J. Smyth. The latest emergency motions appear to be filed to reinstate this order, presumably as a result of the computers being released after the criminal matters were dismissed. I am very curious to know what's going on with the intervenors - Radian Guaranty and Lisa Perdichizzi. It's Perdichizzi who filed a motion for sanctions against the Plaintiffs on June 22, and there's nothing on the docket sheets since then.
CRIMINAL MATTER: Docket Number: CP-46-MD-0002495-2005. Filed 4/27/2005. CASE STATUS: CLOSED. Last event was a hearing on the return of property, on 6/10/2005 before Judge William J. Furber, Jr.
CIVL MATTER: Docet Number: 05-11918 (Judge Hodgson). A deep link to the docket sheet is http://12.40.122.125/FCP2.WEB8/0/P12DIS?CASE-NO=0
Looking at the documents posted online, there are TWO separate things going on.
The search warrant was issued in a CRIMINAL proceeding. It looks like the state isn't pressing criminal charges.
There appears to be a parallel civil action, with expedited discovery. The civil action appears to assert that Salzenberg misappropriated trade secrets, and the discovery is targeted at imaging Salzenberg's computers.
The authorizatoin for grabbing the computers happened pursuant to the search warrant in the criminal investigation, not the (expedited) civil discovery.
I have a feeling that this will be unpopular with many /. readers, but what about the perspective of the company? Were/are they really acting unreasonably?
Here's an employee who's signed an agreement not to disclose trade secrets, and he's threatened to disclose the source code. He has CVS access, and it looks like he's downloaded a lot of the source code to his personal computer. If the company is in the right and it's not "hijacking" open proxies, what's it supposed to do? Let this guy go and let him smear the company's name and product? Or worse, let him post the company's source code publicly? Salzenberg cites the Pennsylvania statutes on "unlawful use of computer" in his letter, but the misappropriation of trade secrets is also a statutory violation...
If everything Salzenberg says is true, then he's truly gotten a bum deal. But I'm sure his superiors at the company have a different story, and who knows what that might be. Unfortunately, it looks like this will result in some pretty ugly litigation before it gets resolved.