- Crime Lab
- Crime Scene
- Death Penalty
- Digital Forensic Insider
- Digital Forensics
- Evidence Collection
- Expert Forensic Voices
- Forensic Anthropology
- Forensic Psychology
- Impression Evidence
- Medical Examiner
- Mobile Forensics
- Police Procedure
- Sexual Assault Investigations
- Witness Testimony
Digital forensics examiners constantly confront ethical dilemmas for which they are ill prepared. The profession has endeavored to provide examiners with a framework within which the digital forensics examiner must not only recognize, classify, and manage ethical dilemmas, but also respect boundaries and honor obligations. This framework is the code of ethics. This article will continue the discussion from the last issue on the need for and contours of these codes.
Privacy and Confidentiality Issues
The fact that most examiners work under the aegis of an attorney is a matter of special concern that has received little attention in the discipline: the attorney who employs the examiner is obliged to serve in a supervisory capacity and is vicariously responsible for the examiner’s conduct.1 The oft-overlooked inverse of that rule is that the ethical standards of fidelity and confidentiality that bind the attorney who employs the examiner also bind the examiner as the attorney’s agent. These obligations generally fall under three categories: the work product doctrine; the attorney-client privilege; and the duty of confidentiality.
1. Work Product Doctrine
The work-product doctrine protects materials prepared in anticipation of litigation from discovery by opposing counsel.2 The doctrine enhances a lawyer’s ability to render competent counsel, as the United States Supreme Court observed in Hickman v. Taylor:
[I]t is essential that a lawyer work with a certain degree of privacy, free from unnecessary intrusion by opposing parties and their counsel. Proper preparation of a client's case demands that he assemble information, sift what he considers to be the relevant from the irrelevant facts, prepare his legal theories, and plan his strategy without undue and needless interference.3
It is therefore imperative that both attorneys and examiners understand the doctrine and how it applies to digital forensics examinations. Enjoying the privilege of work product immunity is one of several reasons the expert should be directly retained by the attorney, rather than the attorney’s client.
Some practitioners conflate the work product doctrine with the attorney-client privilege (discussed below). Although the work product doctrine is broader than the attorney-client privilege, it is not a privilege, but rather a limited immunity from production, which can be overcome in certain situations.4 The doctrine applies in both civil and criminal cases,5 and protects not only documents and tangible things prepared by attorneys, but also those prepared by an attorney’s “consultant, suretie, indemnitor, insurer, or agent.”6 In the context of such examinations, the work product doctrine also covers the “mental impressions, conclusions, opinions, or legal theories of a party’s attorney or other representative concerning the litigation.”7 A prudent expert should, therefore, take affirmative steps to keep confidential the software and hardware used during the examination, as well as his or her theories, algorithms, cryptology, notes, tools, processes, methods, search queries, resource materials, mental impressions, and techniques. And, because the doctrine may be overcome in limited circumstances, some attorneys may instruct their experts to refrain from memorializing preliminary findings in writing.8
In 2010, Fed. R. Civ. P. Rule 26 was amended to give experts’ draft reports the protection of the work product doctrine, exempting them from mandatory disclosure. The rule expressly provides that the doctrine applies to “protect drafts of any report or disclosure required under Rule 26(a)[(2)], regardless of the form in which the draft is recorded.”9 The amended rule also applies work product protection to communications between experts and the counsel who retain them,10 with three exceptions: 1) communications pertaining to the expert's compensation; 2) facts or data that the attorney provided and the expert considered in forming opinions; and 3) assumptions that the attorney provided and that the expert relied on.11 Critics contend the amendment affords attorneys too much latitude in drafting experts’ reports or influencing their opinions.12 The counter argument is that “[t]he risk of an attorney influencing an expert witness does not go unchecked in the adversarial system, for the reasonableness of an expert opinion can be judged against the knowledge of the expert’s field and is always subject to the scrutiny of other experts.”13
2. Attorney-Client Privilege and Confidentiality
The attorney-client privilege is one of the most hallowed tenets of American common law.14 The primary function of the privilege “is to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice.”15 Without the privilege, which withholds otherwise relevant evidence, “the client would be reluctant to confide in his lawyer and it would be difficult to obtain fully informed legal advice.”16 In general, communications are protected under the attorney-client privilege if: 1) a person is seeking legal advice from a lawyer acting in his legal capacity, 2) the communication is made for the purpose of obtaining legal advice, 3) the communication is made in confidence, and 4) the communication is made by the client.17 So, how might this apply to digital forensics examinations?
[A]s both a legal and practical matter, the defense expert's relationship with the defendant and counsel has been protected from intrusions by the state. The law has recognized several doctrines that afford a degree of confidentiality to the expert-defense relationship. Thus, statements made to the expert by the defendant and counsel may be protected by the attorney-client privilege.18
Compare the foregoing pronouncement from one state court with that from another: “Attorney-client privilege is perhaps a misnomer, since only the client’s statements enjoy a privilege. Communications of the attorney, on the other hand, are not privileged, except to the narrow extent to which they reveal communications made by the client.”19 Courts may, indeed, construe a client’s direct communications to the digital forensics expert as privileged, if the expert is regarded an agent of the attorney.20 And it is true that an expert is not considered a third-party whose presence destroys the privilege but only if the expert’s presence is deemed necessary to secure and facilitate communication between the client and the attorney (not unlike an interpreter).21 Generally, however, communications between an attorney and an expert are not likely to be afforded attorney-client privilege, because these are not communications made in confidence to an attorney while seeking legal advice.22
This view notwithstanding, both the expert and the attorney would owe a duty to the client—the holder of the privilege—to maintain confidentiality. The attorney’s obligation is detailed in the Model Rules of Professional Conduct in Rules 1.6 (governing disclosure by a lawyer of information relating to the representation of a client during the lawyer’s representation of the client),23 1.18 (the lawyer’s duties regarding information provided to the lawyer by a prospective client),24 and 1.9 (the lawyer’s duty not to reveal information relating to the lawyer’s prior representation of a former client).25 But, the expert, who usually isn’t present at the time of the communication, is also obliged to zealously protect any information the expert discovers that implicates communications made by the client to his or her attorney.
Further, this expert obligation may be yet another compelling reason why an expert ideally should have some legal training, because he or she needs to correctly recognize and, as necessary, segregate attorney-client privileged data. For example, if the expert encounters e-mails between a client and her attorney, which the client subsequently forwarded to a friend, will the expert recognize a privilege?26 When in doubt, the expert should consult with the attorney.
Privilege aside, a competent digital forensics expert should also have background and training in information security protocols and be able to observe strict confidentiality of all data entrusted to him or her:
Not all cases are shrouded in secrecy, but a fair proportion of them are. There are well known figures getting divorced, major companies with proprietary information at issue, public figures in the headlines, and people charged with felonies. . . . During the course of a major case where the expert has been identified, the press will undoubtedly come sniffing around the expert probing for information. A good expert knows the standard answer, “I’m sorry, I have no comment” and is as immoveable as the Great Wall of China.27
One Associated Press article, Anthony Computer Expert Backs Off Reported Claims, demonstrates the foregoing point well.28 Nevertheless, because the Rules of Professional Conduct do not apply to digital forensics examiners, the only enforcement mechanisms are contractual provisions—i.e., a confidentiality clause in the retainer agreement—and “loss of reputation and business.”29 Therefore, to protect confidentiality, the engagement contract should include a confidentiality provision, which may give rise to a breach of contract action if damages are sustained. Also, if the expert is retained while a case is active, either or both parties may move the court for a protective order regarding the expert’s handling of confidential data, under which the expert would be subject to the court’s inherent supervisory powers, including sanctions and contempt authority.30
The Cyber Forensics Examiner’s Special Obligations in a Litigation Support Role
Cyber forensics examiners have special obligations if engaged in support of or in preparation for litigation. These obligations include zealously guarding the attorney-client privilege and applying the work product doctrine (both discussed above), developing reports, exhibits, and testimony (that are both admissible and understandable to a lay jury or judge), and conducting their activities in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party, or that may bring malpractice liability upon the lawyer.
Chief among the obligations is the duty of uncompromising candor. Whether an examiner is appointed by the court or retained by a party to an adversarial proceeding, he or she is obliged to ferret out the truth.31 “Where a proffered expert knows himself or herself to be a quack or otherwise to be offering false testimony, the situation is like that of any other witness who is perpetrating a fraud on the court. Such acts are illegal as well as unethical.”32 Moreover, some courts may deem the testifying cyber forensics experts not appointed by the court as officers of the court.33 Where digital forensics examiners serve as special masters34 or third-party neutrals,35 they certainly are regarded as officers of the court, and usually entitled to quasi-judicial immunity.36 As an officer of the court, the expert is subject to the court’s inherent powers, thereby providing an extra measure of accountability for misconduct (e.g., confidentiality breaches).37
And although it is beyond the scope of this comment to discuss the structure of the expert’s report and quality of testimony, a few words should be said about what the report should not contain: the report must never be tailored to support a particular outcome, as a material omission may constitute fraud.38 Likewise, examiners must resist overtures by attorneys, however well-intended or abstract, to submit any work product or testimony that is disrespectful of the truth, including overstating, understating, or omitting findings. Further, the ABA has stated that experts, unlike attorneys, do not owe a “duty of loyalty” to clients, noting that the attorney’s duty to advance the client’s objectives diligently through all lawful measures “is inconsistent with the duty of a testifying expert.”39 Rather, to provide reliable and valid testimony, Daubert imposes upon the expert the “ethical responsibility” to present a complete and unbiased representation of the research relevant to the matter.40 If the expert falsifies, distorts, or misrepresents the evidence, it will not be deemed reliable under the Daubert standard.41 Note that, although this duty of impartiality is codified in several codes of ethics,42 there is a vocal opposing view that it is not possible to impartially educate in an adversarial system because of pressures from hiring attorneys and because “of a strong tendency to identify with the side for which one is working.”43 Regardless of whether the expert is viewed as neutral or partisan, an expert generally should not switch sides of the same case or controversy, when he or she is in receipt of confidential information,44 particularly that subject to the attorney work product doctrine discussed above.
Finally, another salient consideration is the possibility that the conduct of the digital forensics examiner could be imputed to the attorney in certain situations under Model Rule 5.3. Perhaps the most common of such conduct is negligence, but the list could also include deception because of its popularity and efficacy as an investigative technique.45 Deceptive techniques are, however, proscribed in the practice of law by the Rules of Professional Conduct.46 And many states have held “[t]here are circumstances where failure to make a disclosure is the equivalent of an affirmative misrepresentation.”47
The question of whether deception, as used in Model Rule 8.4, exists in the context of a digital forensics, cloud forensics, or network forensics (intrusion detection) investigation is not well settled.48 Even if a digital forensics investigator refrains from using technology that is unlawful or contains malicious executable code, he or she foreseeably could use technology that arguably constitutes “deception.” For example, an investigator may employ a beaconing, such as “Web bugs,” surreptitious file objects commonly used by spammers placed in an e-mail messages or attachments that, when opened, may allow the sender to monitor user behavior.49 Beaconing and other forms of “active defense” or retaliatory hacking. Adopting the view that the foregoing constitutes “deception,” one might also view as deceptive the use other forms of “active defense,” such as honey-pots to attract hackers.50 A few state bar associations have already addressed these technology-related ethical pitfalls: The Philadelphia Bar Association Professional Guidance Committee advised in Opinion 2009–02 that an attorney who asks an agent (such as an investigator) to “friend” a party in Facebook in order to obtain access to that party’s non-public information, would violate, among others, Rule 5.3 of the Pennsylvania Rules of Professional Conduct.51 Likewise, the Association of the Bar of the City of New York Committee on Professional and Judicial Ethics issued Formal Opinion 2010–2, which provides that a lawyer violates, among others, New York Rules of Professional Conduct Rule 5.3, if an attorney employs an agent to engage in the deception of “friending” a party under false pretenses to obtain evidence from a social networking Web site.52
Legality of Digital Forensics Investigation Techniques
Another important factor for consideration by both attorneys and examiners in digital forensics investigations is the legality of investigation techniques. Consider, for example, whether an attorney or the examiner may take possession of a computer belonging to a husband, but seized by a wife in preparation for marital dissolution proceedings. If a court finds that the wife did not have equal dominion over the computer (i.e., if the computer, or some portion thereof, was password-protected by the husband, or belonged to the husband’s employer), the taking of the computer for analysis might constitute a crime.53 Likewise, evidence obtained from a keylogger, spyware, or persistent cookies may violate state or federal law (e.g., the Electronic Communications Privacy Act).54 Likewise, certain types of “cyber sleuthing” or penetration testing may be unlawful under various state and federal statutes. For example, the Computer Fraud and Abuse Act, last amended in 2008, criminalizes anyone who commits, attempts to commit, or conspires to commit an offense under the Act.55 Offenses include knowingly accessing without authorization a protected computer (for delineated purposes) or intentionally accessing a computer without authorization (for separately delineated purposes). Even if prosecution seems unlikely, any evidence obtained by unlawful means is inadmissible under the exclusionary rule. Various statutory phrases, such as “without authorization” and “access,” have been the continuing subject of appellate review,56 and, at the time of this writing, an amended version of the Computer Fraud and Abuse Act is currently pending before the House Judiciary Committee.57
Yet another area of legality concerns laws in some states requiring digital forensics examiners to be licensed as private investigators. Texas passed such a law that provides for up to one year imprisonment and a $14,000 fine for persons conducting unlicensed computer investigations.58 The attorney employing a non-licensed expert may also commit a criminal offense.59 And Michigan’s law makes unlicensed digital forensics work a felony punishable by up to four years imprisonment, damages, and a $5,000 fine.60 In 2008, North Carolina’s Private Protective Services Board proposed to amend General Statute Section 74C-3 to include “Digital Forensic Examiner” as among the roles that must be licensed by the state.61 The measure was defeated.62 Meanwhile, the American Bar Association has discouraged such legislation, observing, “[c]omputer forensic assignments often require handling data in multiple jurisdictions. For example, data may need to [be] imaged from hard drives in New York, Texas, and Michigan. Does the person performing that work need to have licenses in all three states?”63 The ABA Report concluded:
The public and courts will be negatively impacted if e-discovery, forensic investigations, network testing, and other computer services can be performed only by licensed private investigators because not all licensed private investigators are qualified to perform computer forensic services and many qualified computer forensic professionals would be excluded because they are not licensed.64
Indeed, very few licensed private investigators are qualified to perform computer forensics services.
Yet another area of legal concern is the tort or other liabilities of aggregation and inference (“Big Data”), and whether lawful data-mining performed by investigators outside of the formal discovery process could lead to invasion of privacy, intrusion upon seclusion, or other tort liability.65 A few prominent cases suggest that individuals maintain a privacy right in data that can be reconstructed through aggregation and inference.66 For example, in situations where technological tools or processes not readily available to the public are used to reveal the physical location of an internet user, it’s not difficult to imagine that a court might look to Kyllo v. United States, for the proposition that an individual’s reasonable expectation of privacy has been violated67 (although tort plaintiffs probably will need to establish they’ve suffered some greater injury than having their approximate physical locations discovered through IP address routing).68 At least one court has held that the use of persistent cookies is a violation of the Electronic Communications Privacy Act.69 Congress is currently considering reform to the ECPA and the Computer Fraud and Abuse Act, as well as comprehensive privacy legislation that would, in some circumstances, afford a private right of action to consumers whose personal information is collected without their consent.
Lastly, another consideration is the thorny matter of the cyber forensics examiner’s interactions with prosecutors. One is the perception or allegation of a prosecutor “shopping” for an expert, or reckless use of a tainted expert, which may constitute a violation of defendant’s due process rights,70 and may also be a violation of Rule 3.8 (Special Responsibilities of a Prosecutor).71 The following interview excerpt from The Right to Expert Assistance in a Post-Daubert, Post-DNA World,72illustrates this problem:
Because two police crime laboratories would not declare a positive bootprint match in the infamous Rolando Cruz prosecution, prosecutors sought out a third expert, Dr. Louise Robbins, who declared a match. A detective, who resigned because he believed the wrong people had been charged, later observed: "The first lab guy says it's not the boot. . . . We don't like that answer, so there's no paper [report]. We go to a second guy who used to do our lab. He says yes. So we write a report on Mr. Yes. Then Louise Robbins arrives. This is the boot, she says. That'll be $10,000. So now we have evidence."73
Another less frequent issue may arise when a digital forensics examiner encounters evidence during a non-criminal investigation and reports the findings to law enforcement. If law enforcement fails to obtain a warrant on probable cause to seize the media but instead gives directives to the examiner to search for additional corroborating evidence, the examiner may, in effect, be regarded as “deputized.” As an agent of the state, the examiner’s search—absent a valid warrant exception—may be in violation of the suspect’s Fourth Amendment rights from unreasonable searches, and any evidence procured therefrom may be inadmissible.
As an example, one certifying body, the (ISC)2® Committee, has recognized that it has a responsibility to provide guidance for “resolving good versus good, and bad versus bad, dilemmas,” and “to encourage right behavior,” such as: research; teaching; identifying, mentoring, and sponsoring candidates for the profession; and valuing the certificate. The Committee also has the responsibility to discourage certain behaviors, such as: raising unnecessary alarm, fear, uncertainty, or doubt; giving unwarranted comfort or reassurance; consenting to bad practice; attaching weak systems to the public network; professional association with non-professionals; professional recognition of or association with amateurs; or associating or appearing to associate with criminals or criminal behavior. But, because no code of ethics or law can prescribe the appropriate handling of the myriad ethical dilemmas the cyber forensics examiner will certainly confront, the examiner may need to obtain counsel, and ultimately must apply the ethical decision making principles of honesty, prudence, and compliance with the law and professional norms.
- Model Rules of Prof’l Conduct R. 5.1–.2 (2010) (governing the ethical responsibilities of both supervisory lawyers and subordinate lawyers). Model Rule 5.3 imposes ethical responsibilities upon lawyers who supervise nonlawyers.
- Bryan A. Garner, ed. (2000). "Work-product rule". Black's Law Dictionary (Abridged 7th ed. ed.). St. Paul, Minn.: West Group. p. 1298.
- 329 U.S. 495, 510–11 (1947).
- Hickman, 329 U.S. 495 at 510–15 (holding that courts may order production of some materials protected by the work product doctrine under certain circumstances); see also Fed. R. Civ. P. 26(b)(3)(A) (“[The materials] may be discovered if . . . they are otherwise discoverable under Rule 26(b)(1); and . . . the party shows that it has substantial need for the materials to prepare its case and cannot, without undue hardship, obtain their substantial equivalent by other means.”).
- United States v. Nobles, 95 S. Ct. 2160, 2169 (1975).
- Fed. R. Civ. P. 26(b)(3)(A).
- Fed. R. Civ. P. 26 (b)(3)(B); see also In re San Juan Dupont Plaza Hotel Fire Litig., 859 F.2d 1007, 1014 (1st Cir. 1988) (“[The work product doctrine provides] a zone of privacy within which to prepare the client’s case and plan strategy, without undue interference.”); United States v. Horn, 811 F. Supp. 739 (D. N.H. 1992), aff'd as to issue of work product doctrine, rev'd on other grounds, 29 F.3d 754 (1st Cir. 1994); Stanley D. Davis & Thomas D. Beisecker, Discovering Trial Consultant Work Product: A New Way to Borrow an Adversary's Wits?, 17 Am. J. Trial Advoc. 581, 619 (1994) (“[T]he attorney’s discussions of case theory and the consultant’s suggestions thereon should qualify for the higher protection accorded mental impressions.”).
- See, e.g.,Nelson, et al., supra Note 10, at 348–49(“[The forensic tool] also produces a case log file, where you can maintain a detailed record of all activities during your examination, such as keyword searches and data extractions . . . . At times, however, you might not want the log feature turned on. If you’re following a hunch, for example, but aren’t sure the evidence you recover is applicable to the investigation, you might not want opposing counsel to see a record of this information because he or she could use it to question your methods and perhaps discredit your testimony. Look through the evidence first before enabling the log feature to record searches. This approach isn’t meant to conceal evidence; it’s a precaution to ensure that your testimony can be used in court.”). But see Univ. of Pittsburgh v. Townsend, No. 3:04-CV-291, 2007 U.S. Dist. Lexis 24620 (E.D. Tenn. Mar. 30, 2007) (holding that it was improper for the counsel to have instructed or otherwise suggested to the experts that all e-mails be destroyed, as they became the subject of multiple discovery requests).
- Fed. R. Civ. P. 26(b)(4)(B).
- Fed. R. Civ. P. 26(b)(4)(C).
- Robert Ambrogi, Changes to Rule 26 Bring Praise — Albeit Faint, Bullseye Legal Blog (June 1, 2011), http://www.ims-expertservices.com/blog/2011/changes-to-rule-26-brings-praise-albeit-faint (last retrieved June 17, 2013).
- Haworth, Inc. v. Herman Miller, Inc., 162 F.R.D. 289, 295–96 (W.D. Mich. 1995).
- Upjohn Co. v. United States, 449 U.S. 383, 389 (1981) (citing 8 J. Wigmore, Evidence § 2290 (McNaughton rev. 1961)).
- Fisher v. United States, 425 U.S. 391, 403 (1976).
- United States v. El Paso Co., 682 F.2d 530, 538 n.9 (5th Cir. 1982) (quoting 8 J. Wigmore, Evidence § 2292 (McNaughton rev. 1961)); Restatement (Third) of the Law Governing Lawyers § 68 (2000).
- Hutchinson v. People, 742 P.2d 875, 881 (Colo. 1987).
- Kennedy v. Yamaha Motor Corp., 2010 Phila. Ct. Com. Pl. Lexis 24 at *4 (Pa. C.P., Feb. 2, 2010).
- Fin. Techs. Int'l, Inc. v. Smith, 49 Fed. R. Serv. 3d 961, 967 (S.D.N.Y. 2000).
- See United States v. Kovel, 296 F.2d 918, 921–922 (2d Cir. 1961); see also In re Grand Jury Proceedings, 220 F.3d 568, 571 (7th Cir. 2000) (“However, material transmitted to accountants may fall under the attorney-client privilege if the accountant is acting as an agent of an attorney for the purpose of assisting with the provision of legal advice.”); United States v. Cote, 456 F.2d 142, 143 (8th Cir. 1972) (“[The] test is whether the [expert's] services are a necessary aid to the rendering of effective legal services to the client.”). But see United States v. Ackert, 169 F.3d 136, 139 (2d Cir. 1999) (holding the privilege is vitiated by the presence of third parties who do not translate information from the client to the attorney, but rather provide information independently to the attorney).
- See Matthew P. Matiasevich, I (Might) Get By With a Little Help from my Expert: Expert Witnesses in Trust and Estate Litigation (May 6–7, 2010), available at http://www.americanbar.org/content/dam/aba/events/real_property_trust_estate/symposia/2011/rpte_symposia_2011_m2903_te_expert_help_litigation.authcheckdam.pdf (last retrieved June 17, 2013). Matiasevich presented at the 21st Annual Spring Symposia of the ABA Section of Real Property, Trust, and Estate Law. “The attorney-client privilege rarely applies to experts for the simple reason that the expert is almost never the client and hence communications are not confidential.” Id.
- Model Rules of Prof’l Conduct R. 1.6 (1983). Other professionals, such as accountants, are governed by similar rules. See Minn. Stat. §§ 326A.12–A.13 (2010) (discussing confidential communications, working papers, and clients’ records).
- Model Rules of Prof’l Conduct R. 1.18 (1983).
- Model Rules of Prof’l Conduct R. 1.9 (1983).
- In this example, whether the e-mail is privileged depends on whether the jurisdiction recognizes the so-called selective-waiver doctrine. See generally Jonathan Feld & Blake Mills, The Selective-Waiver Doctrine: Is it Still Alive?, 16 Business Crimes Bulletin 4, 4, (Dec. 2008), http://www.kattenlaw.com/files/Publication/30990f16-1392-4523-928a-0ffd17e4c01a/Presentation/PublicationAttachment/2c7f533d-947f-427c-9773-179747282b76/Feld--Business_Crimes--Selective_Waiver.pdf (last retrieved June 17, 2013).(discussing the origins of the selective-waiver doctrine).
- Sharon D. Nelson & John W. Simek, Finding Wyatt Earp: Your Computer Forensics Expert, Sensei Enterprises, Inc. (2005), http://www.senseient.com/storage/articles/Finding_Wyatt_Earp.pdf (last retrieved June 17, 2013).
- Kyle Hightower, Anthony Computer Expert Backs Off Reported Claims,Associated Press, July 20, 2011.
- See Note 40, supra.
- Nelson, et al., supra Note 10, at 523 (“Your only agenda should be finding the truth, so don’t think in terms of catching somebody or proving something. It’s not your job to win the case. Don’t become an advocate.”); Sharon D. Nelson & John W. Simek, Electronic Evidence: The Ten Commandments, Sensei Enterprises (2003), http://www.senseient.com/storage/articles/article18.pdf (last retrieved June 17, 2013). (“[G]ood experts are seekers of truth and will report their findings regardless of what those findings may be.”).
- Michael J. Saks, Scientific Evidence and the Ethical Obligations of Attorneys, 49 Clev. St. L. Rev. 421, 425 (2001).
- Ferron v. Search Cactus, L.L.C.No. 2:06-CV-327, 2008 WL 1902499, at *4 (S.D. Ohio Apr. 28, 2008) (both plaintiff’s and defendant’s computer experts as officers of the court in order to protect the confidentiality of certain ESI found on plaintiff’s computer that was unrelated to the suit).
- See Fed. R. Civ. P. 53 (authorizing the court to appoint one who performs certain duties consented to by the parties, and hold trial proceedings and make or recommend findings of fact on issues to be decided without a jury, if the appointment is warranted by (1) some exceptional condition; (2) the need to perform accounting or resolve a difficult computation of damage; or (3) to address pre-trial and post-trial matters that cannot be effectively and timely addressed by an available Article III judge or magistrate judge).
- Model Rules of Prof’l Conduct R. 2.4 cmt. 1 (2009) (“A third-party neutral is a person, such as a mediator, arbitrator, conciliator or evaluator, who assists the parties, represented or unrepresented, in the resolution of a dispute or in the arrangement of a transaction. Whether a third-party neutral serves primarily as a facilitator, evaluator or decisionmaker depends on the particular process that is either selected by the parties or mandated by a court.”).
- See, e.g., Meyers v. Contra Costa Cnty. Dep't of Social Servs.,812 F.2d 1154, 1159 (9th Cir. 1987) (stating that investigators reporting to the court are “officers of the court” because they are “performing a judicial function at the direction of [the] court.”); Davidson v. Sandstrom, 83 P.3d 648, 655 (Colo. 2004) (defining “investigators” as officers of the court); Ogden v. Ogden, 39 P.3d 513, 516 (Alaska 2001) (“[C]ourt-appointed custody investigators are officers of the court and perform quasi-judicial functions.”); Kahre v. Kahre, 916 P.2d 1355, 1362 (Okla. 1995) (stating that investigators are officers of the court). See also Douglas R. Richmond, The Emerging Theory of Expert Witness Malpractice, 22 Cap. U. L. Rev. 693, 706‒09 (1993).
- See Jones v. Lincoln Elec. Co., 188 F.3d 709, 738 (7th Cir. 1999) (holding that an expert witness is subject to court’s remedial contempt authority); United States v. Paccione, 964 F.2d 1269, 1274–75 (2d Cir. 1992) (“A court may bind non-parties to the terms of an injunction or restraining order to preserve its ability to render a judgment in a case over which it has jurisdiction.”).
- Fraud is defined as “[a] knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment.” Black’s Law Dictionary 731 (9th ed. 2009).
- ABA Formal Op. 97-407 (1997).
- Murphy, Note 19, supra, at 235.
- Int’l Society of Forensic Computer Examiners (“Maintain the utmost objectivity in all examinations and present findings accurately; Avoid any action that would appear to be a conflict of interest”); Int’l Ass’n of Computer Investigative Specialists (“Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved; Not withhold any findings, whether inculpatory or exculpatory, that would cause the facts of a case to be misrepresented or distorted.”); Int’l High Technology Crime Investigation Ass’n (“The HTCIA values the Truth uncovered within digital information and the effective techniques used to uncover that Truth, so that no one is wrongfully convicted.”).
- Christopher K. Steuart, Professional Responsibility and Working with Expert Witnesses.” (Sept. 14, 2007); accord Hutchinson v. Colorado, 742 P.2d 875, 882 (Colo. 1987) (“As a practical matter, an expert hired by defense counsel is likely to feel a degree of loyalty to the defendant’s cause. We need not ascribe this fact to base motives on the part of the experts; indeed, the nature of the adversary process, the confidentiality surrounding legal representation and professional norms and ethics of particular experts all may foster this attitude of loyalty to the defendant.”); Christa L. Klopfenstein, Discoverability of Opinion Work Product Materials Provided to Testifying Experts, 32 Ind. L. Rev. 481, 503 (1999) (“Unlike other types of trial witnesses, experts are part of a party's litigation team who, like the attorney, are employed expressly for the purpose of analyzing the strengths and weaknesses of a party's case . . . . Experts are not impartial witnesses. Like attorneys, they are paid to advocate a point of view.”).
- See, e.g., English Feedlot, Inc. v. Norden Labs, Inc., 833 F. Supp. 1498 (D.Colo., 1993) (expert was not disqualified for “side-switching” where no disclosure of confidential information occurred); Brooks Shoe Mfg. Co. v. Suave Shoe Corp., 716 F.2d 854 (11th Cir. 1983) (same); Wang Labs., Inc. v. Toshiba Corp., 762 F. Supp. 1246, 1248 (E. D. Va. 1991), (same), aff'd in part, rev'd in part on other grounds, 993 F.2d 858 (Fed. Cir. 1993). But see American Empire Surplus Lines Ins. Co. v. Care Centers, Inc., 484 F. Supp. 2d 855 (N.D. Ill. 2007) (side-switching expert disqualified even though she had no confidences from first engagement).
- See, e.g., Allan Lengel, Your New Facebook Friend May Be a Federal Agent, AolNews (Mar 26, 2010 11:44 AM), http://www.aolnews.com/2010/03/26/your-new-facebook-friend-may-be-a-federal-agent/; see also Craig Ball, Cross-examination of the Computer Forensics Expert, Craig Ball (2004), http://www.craigball.com/expertcross.pdf (last retrieved June 17, 2013).(“The world of computer forensics is heavily populated by former law enforcement officers from the Secret Service, FBI, Treasury, military investigative offices and local police forces.”). The Supreme Court has tacitly approved deception as a valid law enforcement technique in investigations and interrogations. See Illinois v. Perkins,496 U.S. 292, 297 (1990) (“Miranda forbids coercion, not mere strategic deception . . . .”); United States v. Russell, 411 U.S. 423, 434 (1973) (“Criminal activity is such that stealth and strategy are necessary weapons in the arsenal of the police officer.”).
- Model Rules of Prof'l Conduct R. 8.4 (2009).See, e.g.,In re Paulter, 47 P.3d 1175, 1176 (Colo. 2002) (prosecutor who impersonated a public defender in an attempt to induce the surrender of a murder suspect was disciplined for an act of deception that violated the Rules of Professional Conduct).
- In re Zotaley, 546 N.W.2d 16, 19 (Minn. 1996) (quoting comment to Minn. Rules of Prof’l Conduct R. 3.3 cmt. 3 (2009)).
- See Sharon D. Nelson & John W. Simek, Muddy Waters: Spyware’s Legal and Ethical Implications, GPSolo Magazine (Jan/Feb 2006), available at http://www.americanbar.org/newsletter/publications/gp_solo_magazine_home/gp_solo_magazine_index/spywarelegalethicalimplications.html (last retrieved June 17, 2013).(“The legality of spyware is murky, at best. The courts have spoken of it only infrequently, so there is precious little guidance.”).
- Richard M. Smith, Microsoft Word Documents That “Phone Home,”The Privacy Foundation (Aug. 30, 2000) (“A ‘Web bug’ could allow an author to track where a document is being read and how often. In addition, the author can watch how a "bugged" document is passed from one person to another or from one organization to another.”). And see Brian M. Bowen et al., Colum. Univ. Dep’t of Computer Sci., Baiting Inside Attackers Using Decoy Documents (2009), http://www.cs.columbia.edu/~angelos/Papers/2009/DecoyDocumentsSECCOM09.pdf (last retrieved June 17, 2013) (researchers successfully employed beaconing technology in decoy documents to track possible misuse of confidential documents).
- Nelson & Simek, supra note 103 (discussing spyware as “deceptive, at best,” and warning attorneys about running afoul of Rule 1.2 in that “a lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent,” and Rule 8.4 in that:
- “it is professional misconduct for a lawyer to: (a) violate or attempt to violate the Rules of Professional Conduct, knowingly assist or induce another to do so, or do so through the acts of another; (b) commit a criminal or deliberately wrongful act that reflects adversely on the lawyer’s honesty, trustworthiness, or fitness to practice law; or (c) engage in conduct involving dishonesty, fraud, deceit, or misrepresentation that reflects adversely on the lawyer’s fitness to practice law.”
- Id. (quoting Model Rules of Prof'l Conduct R. 1.2, 8.4 (2009)).
- Phila. Bar Ass’n Prof’l Guidance Comm., Op. 2009-2 (2009), http://www.philadelphiabar.org/WebObjects/PBAReadOnly.woa/Contents/WebServerResources/CMSResources/Opinion_2009-2.pdf (last retrieved June 17, 2013).
- Ass’n of the Bar of the City of New York Comm. on Prof’l & Judicial Ethics, Formal Op. 2010-2 (Sept. 2010), http://www2.nycbar.org/Publications/reports/show_html.php?rid=1134 (last retrieved June 17, 2013).
- See Moore v. Moore, No. 350446/07, 2008 N.Y. Misc. Lexis 5221, at *1 (N.Y. Sup. Ct. Aug. 4, 2008) (holding that a wife seeking a divorce could use evidence she found on a computer taken from husband’s car just before she petitioned for marital dissolution, because the computer was a family computer (not a work computer as alleged by husband), the taking occurred before the commencement of the dissolution case, and husband’s car was considered the family car). See generally Minn. Stat. §§ 609.89, 609.891 (2010) (proscribing unauthorized computer access and theft) (amended 2006).
- Sean L. Harrington, Why Divorce Lawyers Should Get Up to Speed on CyberCrime Law, Minn. St. B. Ass’n Computer & Tech. L. Sec. (Mar. 24, 2010, 9:40 PM), http://mntech.typepad.com/msba/2010/03/why-divorce-lawyers-should-get-up-to-speed-on-cybercrime-law.html (last retrieved June 17, 2013) (collecting cases regarding unauthorized computer access).
- 18 U.S.C. § 1030 (2006).
- See, e.g., State v. Allen, 917 P.2d 848 (Kan. 1996) (affirming trial court’s holding that the State did not prove the defendant committed a crime); see also Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1624–42 (2003) (showing how and why courts have construed unauthorized access statutes in an overly broad manner that threatens to criminalize a surprising range of innocuous conduct involving computers).
- Peter J. Toren, Amending the Computer Fraud and Abuse Act, Bloomberg Law (2013). http://about.bloomberglaw.com/practitioner-contributions/amending-the-computer-fraud-and-abuse-act/ (last retrieved June 17, 2013).
- Tex. Occ. Code Ann. § 1702.104 (2011); see also Private Security Bureau Opinion Summaries: Computer Forensics, Tex. Dep’t Pub. Safety, 4–5 (Aug. 21, 2007), http://www.txdps.state.tx.us/psb/docs/psb_opin_sum.pdf (last retrieved June 17, 2013). The Opinion clarifies that the Act applies to computer forensics, defined as:
- [T]he analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons. We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.
- Id., at 4.
- Tex. Occ. Code Ann. § 1702.386 (2011); see also Joseph L. Lanza, Should Your Next Expert Witness be a Licensed Private Investigator?, 68 Tex. B.J. 118, 124 (2005) (discussing the Texas law, what it means to attorneys, who is exempt, and potential problems that may arise).
- 2008 Mich. Pub. Acts 67.
- Mack Sperling, North Carolina May Require Licensing for Computer Forensic Consultants, but Do We Need It?, N.C. Bus. Litig. Rep. (Sept. 24, 2008), http://www.ncbusinesslitigationreport.com/2008/09/articles/discovery-1/north-carolina-may-require-licensing-for-computer-forensic-consultants-but-do-we-need-it/ (last retrieved June 17, 2013) (reporting on proposed legislation and providing a draft at http://www.ncbusinesslitigationreport.com/uploads/file/Forensics%20Legislation.pdf (last retrieved June 17, 2013).
- S. 584, 2009 Gen. Assemb., Reg. Sess. (N.C. 2009), available at http://ncleg.net/Sessions/2009/FiscalNotes/Senate/PDF/SFN0584v3.pdf (last retrieved June 17, 2013).
- [The Bill] amends GS 74C–3(b) to exempt from the definition of private protective services a person engaged in (1) computer or digital forensic services or the acquisition, review, or analysis of digital or computer-based information, whether for the purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court, or (2) network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.
- Id. at 1; see also North Carolina Statutes, Laws.com, http://statutes.laws.com/north-carolina/Chapter_74C/GS_74C-3(exempting digital forensic examiners) (last retrieved June 17, 2013).
- Whittemore, supra note 29, at 14.
- Id. at 2.
- See, e.g.,Marshall Tanick, The Privacy Paradox, 65 Bench & Bar Minn. 8 (Sept., 2008) (discussing privacy and investigative issues, and collecting cases).
- See, e.g., U.S. Dep't of Def. v. Fed. Labor Relations Auth., 510 U.S. 487, 500 (1994) (“An individual's interest in controlling the dissemination of information regarding personal matters does not dissolve simply because that information may be available to the public in some form.”); United States v. Maynard, 615 F.3d 544, 558 (D.C. Cir. 2010).
- 533 U.S. 27, 40 (2001) (“Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a ‘search.’”).
- In Boring v. Google, 598 F. Supp. 2d 695; No. 08-6942009 U.S. Dist. Lexis 11682 (W.D. Pa. Feb. 17, 2009), aff’d in part, rev’d in part,362 F. App’x 273 (3rd Cir. 2010),plaintiff property owners filed suit against the internet search provider giant alleging, inter alia,invasion of privacy and trespass because Google publicly provided digital photographs of plaintiffs’ home and property without their authorization. The court found that plaintiffs failed to allege facts showing the intrusion was substantial, highly offensive, or transgressed decency standards. 598 F. Supp. 2d at 700.
- In re Pharmatrak, Inc. Privacy Litigation, 13 ILR 436, 329 F.3d 9 (1st Cir. 2003). (Use of tracking cookies to intercept electronic communications was within the meaning of the ECPA, because the acquisition occurred simultaneously with the communication).
- Imbler v. Craven, 298 F. Supp. 795, 807 (C.D. Cal. 1969), aff’d per curiam, 424 F.2d 631 (9th Cir. 1970) (holding that reckless use of highly suspicious false testimony violates due process); see also Paul C. Giannelli & Kevin C. McMunigal, Prosecutors, Ethics, and Expert Witnesses, 76 Fordham L. Rev. 1493, 1506 (2007) (“Some of the most disturbing revelations that emerged from the DNA exonerations that occurred in the 1990s concern the misconduct of prosecutors. . . . [A] significant contributor to these miscarriages of justice was the misuse of expert testimony. . . . The reckless use of a tainted expert should be considered a due process violation.”).
- But cf. Bennett L. Gershman, Misuse of Scientific Evidence by Prosecutors, 28 Okla. City U. L. Rev. 17, 39 (2003) (“Personal sanctions against a prosecutor for deliberate misconduct, such as civil liability and professional discipline, almost never happens.”).
- 89 Cornell L. Rev. 1305.
- Id. at 1308–09.
Sean Harrington is a cyber security policy analyst and information security risk assessor in the banking industry, as well as a digital forensics examiner in private practice. He is a graduate with honors from Taft Law School, and holds the CCFP, MCSE, CISSP, CHFI, and CSOXP certifications. Harrington has served on the board of the Minnesota Chapter of the High Technology Crime Investigation Association, is a current member of InfraGard, the Financial Services Roundtable’s legislative and regulatory working groups, FS-ISAC, and is a council member of the Minnesota State Bar Association’s Computer & Technology Law Section. Harrington teaches computer forensics for Century College in Minnesota, and recently contributed a chapter on the Code of Ethics for the forthcoming Official (ISC)2® Guide to the Cyber Forensics Certified Professional CBK®, and is an instructor for the new CCFP certification.