Wednesday, June 20, 2007

Is Your Virus Checker Going to Get You Sanctioned?

BNA's e-commerce reporter tells the tale this week of a defendant in a federal tax case who found himself severely sanctioned for spoliation of evidence.

His crime? The court found that after he'd received a subpoena for "e-mail, computer print-outs, and any file, data, or information on a computer disk or hard drive," he nonetheless installed an anti-virus program which also included a feature that routinely 'wiped' the hard-drive of the computer.

The court rejected the defendant's contention that his activity fell within the purview of the e-discovery safe harbor for "good faith routine operations," as provided at Fed. R. Civ. P. 37(f). Wiping a hard drive is not a routine computer maintenance task, the court said, and here it was carefully calculated to deprive the government of evidence.

I believe that in most cases the 'wiping' function only serves to completely clean a hard drive of remnants of a file that has been "deleted" (very much in quotes) by Windows. As most of us know, "deleting" under native Windows does little more than remove the file from the file system's directory records on the hard drive. There is no actual deletion of the file until the operating system happens to re-use the space the file had previously been stored in. Since that might take months or years to happen completely, a true deletion of the file requires extraordinary efforts -- usually with the use of a non-native program known as a wiper. The wiper's principle is to do a true erasure of the former file: it looks for the space the file was stored in and over-writes the now 'un-used' spaces on the hard drive with random 1's and 0's, to make sure the trash has really been taken out.

(There are even more obnoxious nooks and crannies within a Windows NTFS hard drive, including the so-called 'slack' -- if we had to get into that depth I'd bore you to tears. Suffice it to say that "deleting" and Windows are not terribly compatible concepts.)
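To make the deletion-versus-wiping point concrete, here is an added illustration of my own (toy code, not from the court record or any product mentioned here): a tiny simulated volume where "deleting" a file only drops its directory record, a forensic carve of unallocated space still finds the file's bytes, and a free-space wipe of the kind described above removes that residue while leaving live files untouched. The block size, file names and contents are constructed for the example.

```python
import os
import re

BLOCK = 16     # bytes per block (toy size chosen for illustration)
NBLOCKS = 8    # blocks in the toy volume


class ToyVolume:
    """Tiny FAT-like volume (directory name -> block list over a flat byte array); constructed, not a real file system."""

    def __init__(self):
        self.blocks = bytearray(BLOCK * NBLOCKS)
        self.directory = {}

    def free_blocks(self):
        used = {b for blks in self.directory.values() for b in blks}
        return [i for i in range(NBLOCKS) if i not in used]

    def write(self, name, data):
        need = -(-len(data) // BLOCK)               # ceiling division
        chosen = self.free_blocks()[:need]
        for i, blk in enumerate(chosen):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.blocks[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
        self.directory[name] = chosen

    def delete(self, name):
        # Native-style delete: only the directory record goes; the bytes stay put.
        del self.directory[name]

    def wipe_free_space(self):
        # What a wiper does: overwrite every unallocated block with random bytes.
        for blk in self.free_blocks():
            self.blocks[blk * BLOCK:(blk + 1) * BLOCK] = os.urandom(BLOCK)

    def carve_unallocated(self, pattern):
        # Forensic carving: count hits for a byte pattern in unallocated space only.
        unalloc = b"".join(bytes(self.blocks[b * BLOCK:(b + 1) * BLOCK])
                           for b in self.free_blocks())
        return len(re.findall(re.escape(pattern), unalloc))


def demo():
    vol = ToyVolume()
    vol.write("memo.txt", b"memo kept on disk")                  # constructed
    vol.write("draft.txt", b"draft ledger entry, constructed")   # constructed
    vol.delete("draft.txt")
    hits_after_delete = vol.carve_unallocated(b"ledger entry")   # residue found
    vol.wipe_free_space()
    hits_after_wipe = vol.carve_unallocated(b"ledger entry")     # residue gone
    # memo.txt's bytes (blocks 0-1) are live, so the wipe never touched them
    return hits_after_delete, hits_after_wipe, bytes(vol.blocks[:17])
```

The carve finds one hit after the delete and none after the wipe, which is exactly the evidence (for or against the owner) that a forensic examiner loses once a wiper has run.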

Wiping actually has little to do with virus protection, and more to do with the idea that many of us would like to think that when we 'delete' something it actually gets deleted. Since many virus checking programs have become more generalized suites of security programs, with virus checking being just one part, it is entirely likely that many of our computers (and our clients' computers) have these wipers installed today, and in many cases the wipers are set to automatically go out on the hard drive and do their jobs.

Therein lies the problem this gentleman had. Once he'd received the subpoena, he had an obligation to maintain the integrity of all of the evidence on his hard drives, which would include the retention of the bits on the hard drive that might have been evidence of files he'd "deleted" prior to the date of the subpoena.

If we give him the benefit of the doubt for a moment, and presume that he never deleted a single (relevant) file (prior to the subpoena or after), what the "wiper" did is wipe out the evidence that he could have used to his advantage to show that he never attempted to delete anything. If the wipe had not been done, a forensics person could have examined the drive and opined that there was no evidence that relevant files had been deleted. By taking away the primary piece of evidence that the forensics person could have used to show the defendant's lack of bad acting, the defendant suffered the sanction of a finding that he had deleted files, that the files would have been evidence of his underlying tax fraud, and the worst flowed from there.

On the other hand, if he had been deleting files that contained incriminating evidence, the sanctions led to the right result. The problem, of course, is that we'll never know. Was this an innocent person who killed his own defense, or was this a person who tried to hide evidence of a fraud and who got his just deserts? The evidence to prove which is forever lost to the wiper.

(That said -- The court did cite evidence of some files that had not been lost to the wiper, indicating a likely pattern of behavior that would not be consistent with the seemingly benign content that remained after the wiper had done its job. In other words, there was at least a significant amount of smoke there, and the court probably felt it was enough to conclude that there must have been a fire there before the wiper had done its job.)

(In this case, the wiper was not actually part of a virus program or suite, but was a separate program called GhostSurf that is designed to delete trails of what one might have visited on the Internet, so I'm not sure why the defendant even tried the argument that this was all part of his 'virus' regime. Likely, it has to do with how much of the public subsumes all 'bad stuff' on computers with the word 'virus.' Again, we should explore what our clients actually mean when they use buzz words like that, since often they are not accurate descriptions.)

The court's harsh assessment of wipers may be a bit over-stated, since wiping a hard drive is very much a routine computer maintenance task for those who are tasked with complying with data security rules like GLBA, HIPAA and the EU Data Directive (which include obligations to ensure proper destruction of data that the holder is no longer entitled to hold). But, just like everything else, once the subpoena has arrived the rules immediately change. (And, if we find ourselves between the competing obligations of the subpoena and the data privacy rules, we must approach the court and seek relief, and not engage in our own rationalization of how to resolve that dilemma.)

All of which is to say that next time your client receives such a subpoena, particularly one where desktop PC hard drives are in play, be sure to add yet another question to your checklist -- Have you any automated 'wiper' programs in place on any of those systems, and if so have you turned off any automated functions of those programs?

The case is United States v. Krause, Bankr. D. Kan., No. 05-5775, 6/4/07.

(Sidebar: The court made note of how it came to its own understanding of this issue. "The Trustee’s experts presented to the Court a virtual 'live' tour of the imaged hard drives from Krause’s computers. This vastly simplified the Court's understanding of the technical aspects of the spoliation issues. Many of the exhibits referenced in this Order are computer screen shots from that virtual tour." Of course, one might argue that this sort of presentation could be so over-simplified that it could be overly leading regarding the conclusions that should be drawn. While it doesn't appear that this happened to this judge, I would always be very concerned about what an adversary might do in the guise of "helping" a judge understand arcane matters of computer operating systems.)

1 comment:

Michael McGuire said...

Ah, but on a Mac, the secure delete feature is built right into the operating system. So, what's a Mac owner to do, hmmm?

Vince, any opinion?