U.S. v. Morgan, et al: Know What You Don’t Have

[Editor’s Note: Tom O’Connor is an attorney, educator, and well-respected e-discovery and legal technology thought leader. A frequent lecturer on the subject of legal technology, Tom has been on the faculty of numerous national CLE providers and has taught college-level courses on legal technology. He has also written three books on legal technology and worked as a consultant or expert on computer forensics and electronic discovery in some of the most challenging, front-page cases in the U.S. Tom is the Director of the Gulf Coast Legal Technology Center in New Orleans, LA.]

If you were practicing in federal court before email and ECF filing, in the days when Joe Montana threw to Jerry Rice, then you probably remember that discovery productions were typically hardcopy documents you picked up at the US Attorney’s Office. The volume was so small it easily fit into your briefcase. Those were the days when everyone complained about not getting enough discovery. The challenge was moving to compel for more discovery when you didn’t know what you didn’t have.

[Photo: Joe Montana and Jerry Rice]

Fast forward to the present. Tom Brady is throwing to Rob Gronkowski (again but in a different city) and discovery is typically so voluminous it cannot be provided in hardcopy form. Productions can be hundreds of gigabytes and sometimes dozens of terabytes full of investigative reports, search warrant pleadings, surveillance audio and video, cell phone data, cell tower material, years of bank records, GPS data, social media materials, and forensic images of servers, desktop computers, and mobile devices. Common are duplicate folders of discovery produced “in the abundance of caution” to protect the Government against Brady violations. Despite the volume, the same issue exists: How do you know what you don’t have?

[Photo: Tom Brady and Rob Gronkowski]

U.S. v. Morgan (Western District of New York, 1:18-CR-00108 EAW, decided Oct 8, 2020) is an example of diligent defense counsel challenging the government on how it produced terabytes of data.

Defendants Robert Morgan, Frank Giacobbe, Todd Morgan, and Michael Tremiti were accused by way of a 114-count Superseding Indictment of running an illegal financial scheme spanning over a decade. The government alleged they defrauded financial institutions and government-sponsored enterprises Freddie Mac and Fannie Mae in connection with the financing of multi-family residential apartment properties that they owned or managed. There were also allegations of related insurance fraud schemes against several of the defendants.

The government made several productions which the defense contended were deficient (including the lack of metadata on numerous documents) and, in several cases, omitted key pieces of evidence. The defense enlisted the help of e-Discovery experts, who stated the government failed to properly process and load evidence into their database for production to defense counsel.

The issue was brought before the court in defense motions to compel and dismiss, first to the magistrate judge and then to the district court judge, which resulted in a critical analysis of the way the government handled the discovery.

CASE TIMELINE

The original status conference in the case was held on May 29, 2019. For the next year, a series of motions and hearings proceeded with regard to delays and failures on the part of the government to meet discovery deadlines imposed by the court.

An evidentiary hearing was finally held before district court Judge Elizabeth A. Wolford on July 14, 2020, continuing through the remainder of that week until July 17, 2020, and then resumed and concluded on July 22, 2020. There were multiple expert witnesses, and the review of that testimony runs over 7 pages in the Opinion.

On September 10, 2020, oral argument on the motions to compel and dismiss was heard before Judge Wolford. The Court entered its Decision and Order on October 8, 2020.

There was no dispute that the discovery in this matter was not handled properly. In the second paragraph of the above-cited Decision and Order, Judge Elizabeth A. Wolford states,

“The Court recognizes at the outset that the government has mishandled discovery in this case—that fact is self-evident and cannot be reasonably disputed. It is not clear whether the government’s missteps are due to insufficient resources dedicated to the case, a lack of experience or expertise, an apathetic approach to the prosecution of this case, or perhaps a combination of all of the above.”

Specifically, the government somehow failed to process and/or produce ESI from several devices seized pursuant to a search warrant executed in May 2018, and one device, a cell phone, seems to have actually been lost. The court ultimately dismissed the case without prejudice. This gave the parties time to resolve the discovery issues. On March 4, 2021, a grand jury returned a new 104-count indictment.

More important for our purposes are the discussions regarding the ESI and production issues. They are outlined below.

PROJECT MANAGEMENT

The Court wasted no time in saying “It is evident that the government has demonstrated a disturbing inability to manage the massive discovery in this case, and despite repeated admonitions from both this Court and the Magistrate Judge, the government’s lackadaisical approach has manifested itself in repeated missed deadlines.”

And later, “To be clear, the Court does not believe the record supports a finding that any party acted in bad faith. Rather, the discovery in this case was significant, and the government failed to effectively manage that discovery. In the end, because of its own negligence, the government did not meet the discovery deadline set by the Magistrate Judge.”

COMPLEXITY OF LARGE AMOUNTS OF ESI

Judge Wolford made several references to the “massive discovery.” In an attempt to manage that data, the Magistrate Judge had initially directed the parties to draw up a document entitled “Data Delivery Standards” (hereinafter referred to as “the DPP”) which would control how documents were exchanged. It failed to do so for several reasons.

First was the large amount of data. Testimony by a defense expert witness at the evidentiary hearing of July 14, 2020, stated that “… the government’s Initial Production consisted of 1,450,837 documents, reflecting 882,841 emails and 567,996 other documents. Of those documents, 860,522 were missing DATE metadata, with over 430,000 documents reflecting no change in the DATE metadata field formatting after the DPP was agreed-upon. Once overlays were provided by the government, the DATE metadata field was corrected for almost one-third of the documents (primarily emails), but 590,448 documents still were missing DATE metadata, including 294,818 emails. Of those 294,818 emails, 169,287 had a misformatted DATE value and 125,531 had no DATE value. The Initial Production also contained missing values for the metadata fields of FILE EXTENSION, MD5 HASH, PATH, CUSTODIAN, MIME TYPE, and FILE SIZE— and the government overlays did not change the status of the information in any of those fields.”

Second, the USAO-WDNY’s processing tool was Nuix, while another entity, the Litigation Technology Support Center in Columbia, South Carolina, processed some of the hard drives using a different processing tool called Venio. In addition, the Federal Housing Finance Agency (“FHFA”) processed the Laptop Production using a “much more robust” version of Nuix than the system possessed by the USAO-WDNY.

These differing versions led to different productions which had different values for the metadata fields. Standardization on one tool could have prevented much of this. But the Court also noted that “… the quality review conducted by the government was insufficient to catch these errors.”

Inconsistent directions were an ongoing issue. For example, the Court found that “… the government prosecutors expressly instructed Mr. Bowman not to produce CUSTODIAN information for the Laptop Production, even though the government had provided similar information previously.”

Other government errors included:

  1. It applied different processing software inconsistently to the PST or OST files, thereby missing some metadata and producing varying results.
  2. It misformatted the DATE metadata and failed to catch the errors while conducting a quality review.
  3. It failed to produce native files in “the format in which they are ordinarily used and maintained during the normal course of business[.]” It produced near native or derivative native files from the OST or PST files without corresponding metadata.
  4. In many instances, load files necessary to install the document productions in the defense review software platform were missing.
  5. There were ongoing errors with respect to CUSTODIAN metadata, which were the result of human error on the part of the government.

WHAT DOES THIS MEAN TO YOU?

As for specific steps that can be used to take control of cases with large amounts of ESI, the Court mentioned several.

  1. Use an exchange protocol. In civil cases, this document would arise from FRCP Rule 26(f), which mandates a “Meet & Confer” conference of the parties so that they might plan for discovery through the presentation of a specific plan to the Court. 

    In Morgan, this was the document entitled the DPP. In criminal cases going forward, the new Federal Rule of Criminal Procedure 16.1 will address some of these concerns. The rule was drawn up specifically to deal with the manner and timing of the production of voluminous Electronically Stored Information (ESI) in complex cases. Subsection (a) requires the prosecution and defense counsel to confer “[n]o later than 14 days after the arraignment…to try to agree on a timetable and procedures for pretrial disclosure under Rule 16.1.” Subsection (b) authorizes the parties, separately or together, to “ask the court to determine or modify the time, place, manner or other aspects of disclosure to facilitate preparation for trial.”

  2. Standardize the use of technology. As Judge Wolford said, “In sum, the Court believes that it would have been much more prudent if the government, after reaching agreement with the defense about the DPP, had utilized a competent vendor to process the ESI (and all the previously produced ESI) in the same manner with the same settings and utilizing the same tools.”

  3. Get a data manager. A common saying in IT circles is that “someone needs to own the data.” In this case, where the Government used multiple parties who employed different tools to work with the data, nobody owned the data. This lack of a central manager “… led to electronic productions being produced in an inconsistent manner and, in some instances, in violation of the DPP.”

  4. Get an expert. After hearing multiple experts testify for several days on what had transpired with the ESI, the Court noted, “… electronic discovery is a complicated and very technical subject. As a result, facts can be easily spun in a light most favorable to one party’s position or the other. That occurred here on behalf of all parties.”

    Nonetheless, the experts were able to bring clarification to the issues of “missing” metadata and divergent processing results that had beleaguered the parties and the Court. This field, especially with large amounts of ESI, is a classic example of the old maxim, “do not try this at home.” Get an expert.

  5. Use a review tool. ESI in these large amounts simply cannot be reviewed manually. Both parties here recognized that fact and, as the Court noted several times, most of the errors in the case were not due to software but to what we nerds call the “loose nut on the keyboard” syndrome.

    Get review software. Get trained on it. Use it. One admonition I always make, which could have avoided many delays in this matter, is: do not try to load everything at once into your review platform. Start with a small amount of sample data to be sure you are getting what you need. Which leads to our last takeaway.

  6. Talk with the government. Judge Wolford specifically noted that “… the Court also concludes that Defendants and the government were not always communicating effectively regarding electronic discovery.” For example, none of the parties could recall “… any discussions during those negotiations about the processing tools that would be utilized or the type of native file that would be analyzed for purposes of creating a load file.”
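The sample-first check from item 5, sketched as an added example (not code from the article or from any party in Morgan): before loading a full production, audit a small slice of its load file for the metadata fields the opinion found missing or misformatted. The pipe delimiter, the DOCID column, the YYYY-MM-DD date format, and the sample rows are assumptions constructed for illustration; the agreed exchange protocol defines the real ones.

```python
import csv
import io
import re
from datetime import datetime

# Metadata fields the Morgan opinion lists as missing or misformatted.
REQUIRED_FIELDS = ("DATE", "FILE EXTENSION", "MD5 HASH", "PATH",
                   "CUSTODIAN", "MIME TYPE", "FILE SIZE")
DATE_FORMAT = "%Y-%m-%d"  # assumed; use whatever the agreed protocol specifies


def _is_date(value):
    try:
        datetime.strptime(value, DATE_FORMAT)
        return True
    except ValueError:
        return False


# Format checks for fields where a non-empty value can still be unusable.
VALIDATORS = {
    "DATE": _is_date,
    "MD5 HASH": lambda v: re.fullmatch(r"[0-9a-fA-F]{32}", v) is not None,
    "FILE SIZE": str.isdigit,
}


def audit_load_file(text, delimiter="|", id_field="DOCID"):
    """Return, per required field, the document IDs with missing or bad values."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    columns = reader.fieldnames or []
    fields = {f: {"missing": [], "misformatted": []} for f in REQUIRED_FIELDS}
    total = 0
    for row in reader:
        total += 1
        doc_id = row.get(id_field) or f"row {total}"
        for field in REQUIRED_FIELDS:
            value = (row.get(field) or "").strip()
            if not value:
                fields[field]["missing"].append(doc_id)
            elif field in VALIDATORS and not VALIDATORS[field](value):
                fields[field]["misformatted"].append(doc_id)
    return {
        "documents": total,
        "absent_columns": [f for f in REQUIRED_FIELDS if f not in columns],
        "fields": fields,
    }


def deficiencies_by_document(result):
    """Invert the audit into a list of problems per document ID."""
    per_doc = {}
    for field, problems in result["fields"].items():
        for kind, doc_ids in problems.items():
            for doc_id in doc_ids:
                per_doc.setdefault(doc_id, []).append(f"{field} {kind}")
    return per_doc


# Constructed sample slice of a load file (not data from the case).
SAMPLE = """\
DOCID|DATE|FILE EXTENSION|MD5 HASH|PATH|CUSTODIAN|MIME TYPE|FILE SIZE
DOC-0001|2018-05-14|msg|0123456789abcdef0123456789abcdef|mail/inbox/0001.msg|Custodian A|application/vnd.ms-outlook|48213
DOC-0002|05/14/2018|msg|fedcba9876543210fedcba9876543210|mail/inbox/0002.msg|Custodian A|application/vnd.ms-outlook|51990
DOC-0003||pdf||docs/0003.pdf||application/pdf|
DOC-0004|2018-05-15|xlsx|NOT-A-HASH|docs/0004.xlsx|Custodian B|application/vnd.openxmlformats-officedocument.spreadsheetml.sheet|10 KB
"""

if __name__ == "__main__":
    result = audit_load_file(SAMPLE)
    print(result["documents"], "documents; absent columns:", result["absent_columns"])
    for doc_id, problems in sorted(deficiencies_by_document(result).items()):
        print(doc_id, "->", ", ".join(problems))
```

The per-document listing gives counsel a concrete deficiency list to raise with the producing party before the full production is loaded.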

CONCLUSION

The Morgan case illustrates there are ways to learn about what you don’t have so you can bring it to the government’s attention and, if need be, to the Court. It is also an example of a Court being knowledgeable about ESI productions. The Court noted often and in different ways that “… electronic discovery is challenging even under the best of circumstances. In other words, the facts and circumstances cannot be appropriately evaluated without considering the volume of discovery and the enormous efforts needed to manage an electronic production of this nature.”

Find an expert who understands your needs and has effective communication skills to convey complex technical issues to you, the government, and the Court. For many years, Magistrate Judge Andrew Peck (SDNY, Retired) advocated “Bring-Your-Geek-To-Court Day,” in which parties bring an outside consultant or an in-house IT person to address disputes. If you were to remember only one thing from this case, it should be: Go get a geek.

Tom O’Connor
Director
Gulf Coast Legal Tech Center
toconnor@gulfltc.org
www.gulfltc.org 
Blog: https://technogumbo.wordpress.com/
Twitter: @gulfltc

Ephemeral Messaging Apps

[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

Ephemeral Messaging Apps are a popular form of communication. With privacy a concern for everyone, using a self-destructing message that works like disappearing ink for text and photos has a certain allure. All messages are purposely short-lived, with the message deleting on the receiver’s device, the sender’s device, and on the system’s servers seconds or minutes after the message is read. Although these apps were initially only used by teenagers, they are now a ubiquitous part of corporate culture.

According to the 6th Annual Federal Judges Survey, put together by Exterro, Georgetown Law CLE, and EDRM, 20 Federal Judges were asked “[w]hat new data type should legal teams be most worried about in the 5 years?”[1] The overwhelming response was “Ephemeral Apps (Snapchat, Instagram, etc.).” Id. In fact, 68% of those surveyed believed ephemeral messaging apps were the most worrisome new data type, whereas only 16% responded that biometric data (including facial recognition and fingerprinting) were the greatest risk. Only 5% were concerned with Text Messages and Mobile, and 0% were concerned with the traditional social media such as Facebook and Twitter. Id.

Even now, Courts are attempting to sort out the evidentiary issues caused by ephemeral messaging apps, see e.g., Waymo LLC v. Uber Technologies, Inc. 17cv0939-WHA (NDCA). This article describes popular ephemeral messaging apps and discusses guidelines for addressing potential evidentiary issues.

Short technical background:

There are several background definitions relevant to this discussion:

  1. Text Messages – otherwise known as SMS (“Short Message Service”) messages, text messages allow mobile device users to send and receive messages of up to 160 characters. These messages are sent using the mobile phone carriers’ network. Twenty-three billion text messages are sent worldwide each day.  Generally, mobile carriers do not retain the contents of SMS messages, so the records will only show the phone number that sent or received the messages and the time it was sent or received.
  2. Messaging Apps – allow users to send messages not tethered to a mobile device (i.e., a phone number). With some apps, a user may send messages from multiple devices. These apps include iMessage, WhatsApp, and Facebook Messenger. Messaging Apps are generally free. Unlike text messages, these apps rarely have monthly billing records or records showing when messages were sent or received.
  3. Ephemeral Messaging Apps – are a subset of Messaging Apps that allow users to cause messages (words or media) to disappear on the recipient’s device after a short duration. The duration of the message’s existence is set by the sender. Messages can last for seconds or days, unless the receiver of the message takes a “screenshot” of the message before its disappearance.
  4. End-to-End Encryption – also known as E2EE, this is a type of encryption where only the communicating parties can decipher the messages, which prevents eavesdroppers from reading them in transit.

Common Disappearing Messaging Apps:

Messaging apps, like all apps, are changing.  The following is a list and description of several popular ephemeral messaging apps.


Snapchat – both a messaging platform and a social network. The app allows users to send messages and media (including words and emojis appearing on the media) that disappear after a set period of time. Photos and videos created on Snapchat are called “snaps.” Approximately 1 million snaps are sent per day.

Signal – an encrypted communications app that uses the Internet to send one-to-one and group messages which can include files, voice notes, images and videos, which can be set to disappear after a set period of time. According to Wired, Signal is the one messaging app everyone should be using.

Wickr Me – a messaging app that allows users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments.

Telegram – cloud-based instant messaging app with end-to-end encryption that allows users to send messages, photos, videos, audio messages and files. It has a feature where messages and attachments can disappear after a set period of time.

CoverMe – a private messaging app that allows users to exchange messages, files, photographs, and phone calls from a fake (or “burner”) phone number. It also allows for private internet browsing, and allows users to hide messages and files.

Confide – a messaging app that allows users to send end-to-end encrypted messages. The user can also send self-destructing messages that are purportedly screenshot-proof.

Evidentiary Issues:

Messaging app data, like other forms of evidence, must, amongst other criteria, be relevant (Fed.R.Evid. 401); authenticated (Fed.R.Evid. 901 et seq); and comply with the best evidence rule (Fed.R.Evid. 1001 et seq).

As for the Best Evidence Rule, based on the nature of disappearing messaging apps, the original writing of the message is not preserved for litigation. See Fed.R.Evid. 1004(a) (finding that the original is not required if “all the originals are lost or destroyed, and not by the proponent acting in bad faith.”) Sometimes, the contents of the message may be established by the testimony of a witness. In other cases, the contents of the message may be based on a screen shot of the message.

Authenticating messages from apps, regardless of their ephemeral nature, is often difficult—text messages can be easily faked. When it comes to ephemeral messages, we often must rely upon a screenshot or testimony regarding the alleged contents of the message. In such circumstances, the following factors—repurposed from Best Practices for Authenticating Digital Evidence—are useful[2]:

  • testimony from a witness who identifies the account as that of the alleged author, on the basis that the witness on other occasions communicated with the account holder;
  • testimony from a participant in the conversation based on firsthand knowledge that the screen shot fairly and accurately captures the conversation;
  • evidence that the purported author used the same messaging app and associated screen name on other occasions;
  • evidence that the purported author acted in accordance with the message (e.g., when a meeting with that person was arranged in a message, he or she attended);
  • evidence that the purported author identified himself or herself as the individual sending the message;
  • use in the conversation of the customary nickname, avatar, or emoticon associated with the purported author;
  • disclosure in the message of particularized information either unique to the purported author or known only to a small group of individuals including the purported author;
  • evidence that the purported author had in his or her possession information given to the person using the messaging app;
  • evidence that the messaging app was downloaded on the purported author’s digital device; and
  • evidence that the purported author elsewhere discussed the same subject.

Conclusion:

Ephemeral messaging app data will continue to impact investigators, attorneys, and the Court. Defense teams should be prepared for the challenges ephemeral messages cause from investigations to evidentiary issues.


[1] Available at https://www.exterro.com/2020-judges-survey-ediscovery.

[2] Hon. Grimm, Capra, and Joseph, Best Practices for Authenticating Digital Evidence (West Academic Publishing 2016), pp. 11-12.

 

Important 11th Circuit decision regarding compelling of unencrypted data

Editor’s Note: Justin Murphy is a counsel at Crowell & Moring’s Washington, D.C. office, where he practices in the White Collar & Regulatory Enforcement Group and E-Discovery and Information Management Group. Justin’s practice focuses on SEC enforcement, white collar criminal matters, e-discovery matters relating to internal and government investigations, and related civil litigation. He has represented clients in both federal and state criminal proceedings, including state trial panel work in Maryland. Justin has a wealth of expertise in electronic discovery issues in government investigations and criminal litigation, having both written and presented on the subject. In this blog entry, Justin discusses United States v. Doe, a big win for AFPD Chet Kaufman of the Florida Northern Federal Public Defender Office.

Appeals Court Finds Encrypted Data Beyond Reach of Government Investigators

by: Justin P. Murphy, Counsel, Crowell & Moring LLP

In an important decision that could have significant implications for government enforcement, the Eleventh Circuit ruled that a suspect could not be required to decrypt his computer hard drives because it would implicate his Fifth Amendment privilege and amount to the suspect’s testifying against himself.

In United States v. Doe, the government seized hard drives that it believed contained child pornography.  Some of the hard drives were encrypted, and the suspect refused to decrypt the devices, invoking his Fifth Amendment right against self-incrimination.  The Eleventh Circuit held that compelling the suspect to decrypt and produce the drives’ contents “would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.”  Moreover, the government could not force a suspect to decrypt and produce the information where it could not identify with “reasonable particularity” the existence of certain files, noting that an “act of production can be testimonial when that act conveys some explicit or implicit statement of fact that certain materials exist, are in the subpoenaed individual’s possession or control, or are authentic.”  The court also rejected the government’s attempt to immunize production of the drives’ contents because the government acknowledged that “it would use the contents of the unencrypted drives against” the suspect. 

This decision appears to limit government investigators’ ability to compel an individual to reveal the contents of devices encrypted with passwords or codes in a criminal investigation based only on government speculation as to what data may be contained in certain files.  Although a corporation or partnership does not enjoy Fifth Amendment protection, individuals and sole proprietorships do, and this decision could have a significant impact on small businesses and individuals who work in highly regulated industries including health care, government contracting, energy, chemicals, and others that may face government scrutiny. 
