Castillo and Phaknikone: Let the Social Network Evidence Begin
Say you commit a crime. Let’s say the crime involves illegal possession of a firearm. Say that in the past you have posted information on Facebook or MySpace or Twitter or Flicker or YouTube or any other social network or Internet site. Say your posts included a photo on MySpace of you wearing a ski mask; holding a semi-automatic AR-15 rifle; making, umm, expletives; threatening your ex-wife; and, to say it as a court would say it, “displaying” your middle finger.
Say your ex-mother-in-law tells the police about your MySpace photo, and you get busted and prosecuted for federal firearms offenses. Can the MySpace photos and information, including you and your assault rifle and finger and threats, be admitted as evidence in the case against you?
Yes, says the United States Court of Appeals for the Eleventh Circuit last week in one of the first appellate opinions on the admissibility of evidence from social networks. United States v. Castillo.
Don’t worry about challenging the authenticity of the photo. That was such a long shot in Castillo that authenticity was not even raised on appeal.
How about arguing that the likelihood that the inflammatory and prejudicial impact of the photo outweighs its probative value? And that the photo is not even relevant because the AR-15 in the photo is not the firearm that you are charged with possessing illegally? The Castillo court held that the trial court was justified in allowing the jury to consider the photo with an instruction to the jury to ignore the finger and threats. The court ruled that possession of any "assault rifle" – even a gun other than the gun involved -- was relevant to the crime charged.
Or take a different case. Say you rob a bunch of banks, and at your criminal trial your MySpace profile page and account information and photographs from your MySpace are offered as evidence. One of the photos shows you holding a handgun. You get caught and prosecuted for bank robbery and weapons charges, and the prosecution offers the MySpace information as evidence. Under these circumstances, in a case that the U.S. Supreme Court declined to review yesterday, the trial court admitted the MySpace information as evidence. Though the Eleventh Circuit held that the MySpace evidence was inadmissible character evidence, the conviction was confirmed because of other overwhelming evidence. U.S. v. Phaknikone.
The messages of Castillo and Phaknikone are both clear and apparently contrary to what most users of social networks believe: you should assume that anything you post on a social network site will be discovered and admitted in any litigation, civil or criminal, in which you become involved.
Legal Implications of Cloud Computing -- Part 4.5 (Extending the Discussion of E-Discovery in the Cloud)
My colleagues Dave Navetta, Tanya Forsheit and Scott Blackmer have framed a definition and outlined the essential legal implications of cloud computing. Part One (the Basics), Part Two (Privacy), and Part Three (Relationships). Tanya has started a discussion of the application of electronic discovery and electronic evidence issues in the cloud. Part Four (Electronic Discovery). This post extends Tanya's discussion of the intersection between electronic discovery and the cloud.
In short, "cloud computing" is using the digital resources of providers in remote locations for creating, transmitting or storing digital information pursuant to an agreement that gives you access and some measure of ownership or control of the information, including the power to grant or withhold layers of access to persons within your organization and outside. Cloud computing creates a symbiotic relationship between those remote resources and you. Each of these characteristics of cloud computing -- location, resources, creation, storage, transmission, ownership, control, access and symbiotic relationship -- has important implications for the electronic discovery issues in litigation, and therefore should be understood and addressed in creating a relationship between a cloud provider and its customer.
Here are some comments on issues that Tanya has raised, a few additional electronic discovery issues likely to arise in the cloud, and clues about how those issues are developing and are likely to develop.
Possession, Custody or Control
As Tanya pointed out, the legal similarities and differences between premises-based data and data in the cloud pivot around whether the data is within the company's "custody, possession or control." ESI on a company's captive computers presents primarily "possession" issues. ESI in the cloud presents primarily "custody" and "control" issues.
The pivotal issue regarding custody or control of ESI in the cloud -- i.e., your ESI in the possession of a third party with whom you have the right to access the data but to exclude others -- is already clear: regardless of location or possession, you must produce discoverable ESI over which you have custody or control. There are already lots of cases about the duty to produce your relevant ESI that is in the possession of former employees, application service providers (ASPs), accountants, affiliates, subsidiaries, parent companies and some third-party providers. The test for determining custody, possession or control in the context of determining whether a party must produce relevant ESI has been construed broadly. In general, so long as you have the practical ability or contractual or other legal right to obtain the information, the fact that the ESI is not in your physical possession, or even within the United States, does not normally constrain your duty to produce the information. E.g., In re NTL, Inc. Securities Litigation.
For ESI that is not within the custody, possession or control of a party to litigation, relevant ESI within the custody, possession or control of a nonparty may be obtained by serving a subpoena upon the nonparty, including a cloud provider. Sedona Conference Commentary on Non-Party Production & Rule 45 Subpoenas.
Preservation and Negligence
In general, the duty to preserve relevant ESI for civil disputes attaches to your ESI in the cloud as well as to ESI in your possession. Given that the scope of the preservation duty, and the type and severity of sanctions for breaching the preservation duty -- i.e., for spoliation -- are complex, the duty and the remedies for breach of the duty may look somewhat different for ESI in the cloud than for ESI in your possession.
Inaccessibility and Location
For example, Rules 26(b)(2)(B) and 45(d)(2)(D) of the federal rules of civil procedure give some protection against needing to produce ESI whose existence and sources you identify as not reasonably accessible because of undue burden and cost. Isom, The Burden of Discovering Inaccessible Electronically Stored Information: Rules 26(b)(2)(B) & 45(d)(2)(D), 2009 Fed. Cts. L. Rev. 1 (January 2009).
Inaccessibility issues that may be unique to the cloud include: What level of cost to retrieve ESI from the cloud might excuse the duty to produce from the cloud? Might there be a duty to structure cloud contracts so that retrieval for production in civil litigation is not unduly costly in order to be entitled to the protection of these rules? Will the fact that ESI is in the cloud affect the specificity needed to satisfy the identification requirement of these rules? How will the cloud issues impact the burden that the holding party must carry to prove inaccessibility? How will cloud issues affect the weighing of factors to determine whether good cause exists to require the production of inaccessible ESI? Will the cloud influence whether the court should require cost shifting or cost sharing for production of the information?
Litigation Hold
"Litigation hold" often refers to the process and technology for preserving ESI. The cloud will add another dimension to the litigation hold process. Depending upon the search and retrieval capabilities of the cloud provider, implementation of a litigation hold may be more or less doable than for premises data.
Spoliation Liability and Remedies
Liability for failure to preserve relevant ESI that a party knows or should know to preserve is near-strict liability. But defining when the duty arises, and deciding what remedy is appropriate if spoliation is found -- what monetary, evidentiary or dispositive sanctions are appropriate -- turn on complex perceptions of fault, opportunity, bad faith, competence, intention and willfulness. For a time, the excuse that information in the cloud is out-of-sight-out-of-mind might be given weight. A lack of sophistication in structuring cloud technology that is litigation-friendly might be given weight. On the other hand, in some courts, the day may already have passed when you could find forgiveness in the excuse that you did not appreciate the extent of your data in the cloud. In any event, as awareness of cloud technology and processes grows, the law relating to duties with respect to information in the cloud will evolve. For now, the prudent path is to know as much as you can about what cloud data you and your company control, and to understand how to access, control and ultimately dispose of that data.
Initial Disclosures
Courts are requiring early and sophisticated awareness of the ESI that a party must disclose early in the litigation to support the party's claims and defenses. Courts are likely to require that this awareness include awareness of information in the cloud.
Search
Over the last two years, courts have begun to expect real, tested, testable expertise with search logic and technology in electronic discovery. At present, the fact that ESI is in the cloud usually complicates the search process. Cloud providers are likely to gain real advantage in the market by enhancing the efficiency of search and recovery of information from the cloud, including for electronic discovery.
Physical Inspection of Cloud Computers
In rare instances, usually only after showing actual spoliation or facts demonstrating a palpable risk of spoliation, a party can obtain an order to impound and/or inspect the hardware of a party on which ESI resides. For information in the cloud, in similarly rare instances, a party may get the right, usually by subpoena, physically to inspect relevant party information on the computers of the cloud providers.
Vicarious Liability
The extent to which a party will be liable for the acts of a cloud provider will continue to develop. For example, if ESI stored on the computers of a provider becomes unavailable or inaccessible as an economic or practical matter because of the bankruptcy of the provider, sorting out liability as between the provider and the owner of the information will be complex.
Privilege
Issues relating to privilege are likely to have an added layer of complexity for cloud information. These issues will include whether confidentiality of the information has been properly contained, and the mechanics of a quick peek or clawback for information claimed to be privileged.
Key Persons and Enterprise v. Manual Search
Several recent cases examine whether the identification and preservation of ESI may be done by focusing on key persons, or whether in some cases the search for data across an enterprise or at least across a defined segment of an enterprise may be required. These issues will likely be affected in future cases by whether data is stored in the cloud, and what the technology of search and access is in a given cloud platform.
Safe Harbor
Rule 37(e) provides that "absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system." This protection is likely to apply to ESI on cloud systems in much the same way as it is applied to premises systems.
Electronic Signatures Come of Age: From Elections to Commerce and Beyond
Yesterday, the Utah Supreme Court, interpreting Utah's version of the Uniform Electronic Transactions Act (UETA) held that electronic "signatures" gathered through the website of an independent candidate for Utah state governor are valid to put the candidate's name on Utah's November ballot. Court's Opinion. The court's decision is a huge step forward in recognizing the legal efficacy of electronic signatures that may reverberate around the nation.
UETA and ESIGN
Legislatures in 47 states have enacted a version of the UETA aimed at achieving the speed, efficiency and cost benefits that can be realized through electronic legal, business, commercial and governmental transactions, while assuring reliability and authenticity. Wikipedia on UETA. Congress has enacted the Electronic Signatures in Global and National Commerce Act (ESIGN) with similar goals for interstate and international commerce. Wikipedia on ESIGN. The Utah decision yesterday is one of the most detailed UETA decisions in the country, and appears to be the first to apply UETA to state or federal election law.
UETA and ESIGN are rare examples of law leading technology. States began enacting UETA in 1999, and ESIGN was adopted in 2000. Few technology systems existed at the time that met the reliability requirements of the statutes. The technology has been catching up to the law ever since. UETA is intended to remove barriers to electronic commerce by defining acceptable electronic recording standards to assure the authenticity and integrity of the electronic communications, electronic signatures and electronic storage.
Authenticity of Signatures over the Internet
The Internet, including blogs and social networks such as Facebook and Twitter, is changing the economics of mass communication, allowing messages to find an audience more because of the power of the message than the wealth of the person sending the message. This leveled power of communication is affecting all human interaction around the world. As applied to commercial and legal transactions, including elections, a critical issue in Internet communication is how to authenticate the person to make sure that the person is who he purports to be and to make sure that his apparent expression of intention is real and reliable. The increasing percentage of commerce done electronically shows that people are becoming more and more confident in the reliability of Internet commerce.
The Utah Case
But courts, companies and individuals have been slow to implement the available state (UETA) and federal (ESIGN) legislation aimed at encouraging and validating electronic commerce and electronic signatures. Yesterday's opinion by the Utah Supreme Court will help change that.
Farley Anderson wants to run for governor of Utah without affiliating with a major political party. Anderson collected the minimum 1,000 signatures consisting both of pen-and-paper signatures and of electronic messages to his website announcing his candidacy. Anderson tendered these paper and electronic signatures to the county clerks for the counties in which the signers live, and the county clerks certified that Anderson had obtained more than the minimum number of valid signatures if both the paper and the electronic signatures were counted. The Utah Lieutenant Governor, Gregg Bell, however, rejected all of the electronic signatures as invalid under Utah election law, and held that Anderson had therefore not qualified to have his name placed on the November ballots.
Relying heavily on Utah's version of UETA, the Utah Supreme Court held that the web-based communications that Anderson gathered constituted "signatures" within the meaning of the state statute setting the number of signatures required to get on the state November ballot.
Impact of Anderson Around the Nation
The Utah decision resolved many of the fundamental issues presented by UETA, and resolved them in a way that energizes UETA. UETA will have a broader application in states that follow Anderson than most commentators would have predicted.
"Transaction"
For example, UETA applies to transactions between two or more persons who agree that all or part of the transaction can be consummated and/or recorded electronically. A “transaction” is “an action or set of actions occurring between two or more persons relating to the conduct of business, commercial, or governmental affairs.” “Transactions” specifically include real estate and real estate recording transactions. UETA applies to most of the instruments used in real estate transactions, such as liens, deeds, mortgages, affidavits, non-testamentary trusts and notes, but “does not apply to a transaction to the extent it is governed by: (1) a law governing the creation and execution of wills, codicils, or testamentary trusts" and certain transactions under the Uniform Commercial Code. Lt. Governor Bell interpreted "transaction" as not including Anderson's method of acquiring signatures. The court disagreed. It held that the foregoing four exceptions (wills, codicils, testamentary trusts and certain UCC transactions) are narrow, and by implication UETA applies to a broad range of transactions, including elections.
Purpose: Facilitating Electronic Transactions
UETA provides that the act must be construed and applied (1) to facilitate electronic transactions consistent with other applicable law; (2) to be consistent with reasonable practices concerning electronic transactions and with the continued expansion of those practices; and (3) to effectuate its general purpose to make uniform the law with respect to the subject of this Act among States enacting it. UETA provides that, in general, the same deference given to tangible media such as paper should be extended to intangible media that are capable of storing, transmitting and reproducing information in human perceivable form. The Utah Supreme Court recognized that the policies sought to be advanced by UETA suggest that close questions will be resolved in favor of validating electronic recording.
State Agency Exemptions
Lt. Governor Bell argued that UETA allows governmental agencies to reject the use of electronic signatures. The Utah Supreme Court interpreted the language that Bell relied upon ("a state agency may ... make rules that identify specific transactions that the agency will never conduct by electronic means") narrowly. The court held that a state agency could exempt transactions that otherwise would be governed by UETA only if the agency complied with detailed rulemaking requirements.
Agreement to Electronic Transaction
UETA “applies only to transactions between parties each of which has agreed to conduct transactions by electronic means. Whether the parties agree to conduct a transaction by electronic means is determined from the context and surrounding circumstances, including the parties' conduct.” Lt. Bell argued that the "transaction" in question was between him as the chief election officer of the state and Anderson, and that the electronic transaction was invalid because Bell had not agreed with Anderson to conduct the transaction by electronic means. The court rejected this argument and held that the parties whose consent was needed were the nominee-hopeful and persons who signed the petition. Since Bell was not a party to the transaction whose authenticity was at issue, Bell's consent was irrelevant.
Preventing Fraud
Lt. Bell's final argument was that good ol' tactile paper is just plain more reliable than ephemeral electrons. The Utah Supreme Court's reaction to this is worth quoting:
The Lt. Governor ... contends that electronic signatures attached to a certificate of nomination lack 'apparent authority' as genuine signatures. This position is based on a theory that a holographic signature is self-authenticating because the reviewing party may merely look at the signature and see that someone put pen to paper to sign their name. In contrast, an electronic signature lacks apparent authority, because it appears as a typed list of names.... We are unpersuaded that an electronic signature presents special concerns regarding candidate fraud; a candidate could as easily handwrite or type fraudulent names onto a certificate of nomination.
Moreover, electronic signatures may be a better deterrent to candidate fraud because an electronic signature incorporates readily verifiable personal, but non-public, information. For instance, the signors of Mr. Anderson's petition apparently had to enter a security code that corresponds to the last four digits of their drivers license number before their signature would be counted.
Conclusion
Even advocates of electronic signatures and electronic commerce will be surprised that electronic signatures have been accepted in what might have seemed the most unlikely of contexts -- in validating signatures for nominating a candidate in a public election. The Anderson opinion is an important development in recognizing and interpreting UETA and in the march toward the expanded use and understanding of digital transactions.
Adobe eSignatures "beta" - Part 1 of 2
The vast majority of contracts in corporate contract settings today are still generally “signed” in a relatively conventional manner – either by overnighting originals that are then returned for countersigning, or by signing an execution version and then scanning to PDF for emailing to the other party, who then prints the partially executed PDF, signs and scans the now fully executed contract back to PDF for return to the other party. Given how central PDFs are to this second common method of document execution it seems natural for Adobe to officially step into the picture.
While Adobe Acrobat Reader 9.x already allows rudimentary “signing”, which Adobe states “assure[s] the sender that the PDF reached its intended recipient,” Adobe's eSignatures takes a different tack that is effectively a step ahead on one hand and a step back on the other, at least under a general understanding of what a “digital signature” is – namely, a process that verifies one's identity in a reproducible, reliable fashion using a means that prevents or at least discourages non-repudiation, typically through a form of encrypted certificate, whether self-certifying or issued by some central authority. (See Digital Signature Guidelines Tutorial).
Under this rubric, however, Adobe's eSignatures does not qualify as a traditional “digital signature”. Rather eSignatures focuses on “document authentication” with a means of electronic signature - not on verification of the actual “signers” beyond tying a putative signer to a specified email address. (Compare Digital Signatures with Electronic Signature; see generally, Digital Evidence and Electronic Signature Law Review). Indeed, further, in its definition of “'Electronic Signature' or 'Electronically Signed',” Adobe provides that:
“[f]or purposes of this Agreement, an Electronic Signature shall not include an electronic signature that employs any type of asymmetric cryptography or third party electronic signature certification ('Digital Signatures' or 'Digitally Signed').”
But Adobe is no babe in the digital woods, well-recognizing the present state of affairs and the limitations its position requires eSignatures to work within. Indeed, the Additional Terms of Use that accompany the eSignature beta clearly states that:
Adobe has not verified the identity of any signatory *** each signatory or party to a document is responsible for verifying the identity of each other....
Somewhat tongue in check, the Additional Terms of Use further advises that:
if you receive a document or a request to electronically sign a document and you are not the intended signatory, you should not electronically sign the document.
At first glance, then, this seemingly Grand Canyon-wide gap between a verified signature and eSignature's practice is troubling. However, upon reflection, the lack of individual party verification is less worrying than it appears – at least in corporate scenarios. After all, how many of us have reviewed, negotiated, signed and closed contracts without ever seeing, meeting or verifying – beyond confirming that a given phone number connects to party A's attorney or email address B communicates effectively with same – the other party to a commercial services or purchase/sales contract in non-financing, non-property transfer context?
Nevertheless, eSignatures does represent a disconnect between signer authentication and verifying the signed document, which Adobe attempts to deal with in as upfront a way as possible. In eSignatures' Additional Terms of Use Adobe assumes responsibility for two things only; namely verifying that:
(a) the document has been electronically signed by a person purporting to represent each party, and (b) no changes have been made to the document since the time of such electronic signature.
(emphasis added). In essence then, what eSignatures provides is an unverified, but valid electronic signing to a verified document – verified in the sense that Adobe, through eSignatures, acts as an escrow agent holding your uploaded PDF document (and eSignature in beta only accepts PDFs) and then releasing it once fully signed by the designated parties.
With this background in place, in Part 2 I'll cover eSignatures potential and run down the beta's surprising shortcomings that Adobe must address if eSignatures is to become a commonly used tool.
