2014-06-11

http://www.dfinews.com/articles/2014/06/professional-ethics-digital-forensics-discipline-part-2?et_cid=3989679&et_rid=601517580&type=headline

Professional Ethics in the Digital Forensics Discipline: Part 2

Wed, 06/11/2014 – 8:33am

Sean Harrington


Digital forensics examiners constantly confront ethical dilemmas for which they are ill prepared. The profession has endeavored to provide examiners with a framework within which the digital forensics examiner must not only recognize, classify, and manage ethical dilemmas, but also respect boundaries and honor obligations. This framework is the code of ethics. This article will continue the discussion from the last issue on the need for and contours of these codes.

Privacy and Confidentiality Issues
The fact that most examiners work under the aegis of an attorney is a matter of special concern that has received little attention in the discipline: the attorney who employs the examiner is obliged to serve in a supervisory capacity and is vicariously responsible for the examiner’s conduct.1 The oft-overlooked inverse of that rule is that the ethical standards of fidelity and confidentiality that bind the attorney who employs the examiner also bind the examiner as the attorney’s agent. These obligations generally fall under three categories: the work product doctrine; the attorney-client privilege; and the duty of confidentiality.

1. Work Product Doctrine
The work-product doctrine protects materials prepared in anticipation of litigation from discovery by opposing counsel.2 The doctrine enhances a lawyer’s ability to render competent counsel, as the United States Supreme Court observed in Hickman v. Taylor:

[I]t is essential that a lawyer work with a certain degree of privacy, free from unnecessary intrusion by opposing parties and their counsel. Proper preparation of a client’s case demands that he assemble information, sift what he considers to be the relevant from the irrelevant facts, prepare his legal theories, and plan his strategy without undue and needless interference.3

It is therefore imperative that both attorneys and examiners understand the doctrine and how it applies to digital forensics examinations. Enjoying the privilege of work product immunity is one of several reasons the expert should be directly retained by the attorney, rather than the attorney’s client.

Some practitioners conflate the work product doctrine with the attorney-client privilege (discussed below). Although the work product doctrine is broader than the attorney-client privilege, it is not a privilege, but rather a limited immunity from production, which can be overcome in certain situations.4 The doctrine applies in both civil and criminal cases,5 and protects not only documents and tangible things prepared by attorneys, but also those prepared by an attorney’s “consultant, surety, indemnitor, insurer, or agent.”6 In the context of such examinations, the work product doctrine also covers the “mental impressions, conclusions, opinions, or legal theories of a party’s attorney or other representative concerning the litigation.”7 A prudent expert should, therefore, take affirmative steps to keep confidential the software and hardware used during the examination, as well as his or her theories, algorithms, cryptology, notes, tools, processes, methods, search queries, resource materials, mental impressions, and techniques. And, because the doctrine may be overcome in limited circumstances, some attorneys may instruct their experts to refrain from memorializing preliminary findings in writing.8

In 2010, Fed. R. Civ. P. Rule 26 was amended to give experts’ draft reports the protection of the work product doctrine, exempting them from mandatory disclosure. The rule expressly provides that the doctrine applies to “protect drafts of any report or disclosure required under Rule 26(a)[(2)], regardless of the form in which the draft is recorded.”9 The amended rule also applies work product protection to communications between experts and the counsel who retain them,10 with three exceptions: 1) communications pertaining to the expert’s compensation; 2) facts or data that the attorney provided and the expert considered in forming opinions; and 3) assumptions that the attorney provided and that the expert relied on.11 Critics contend the amendment affords attorneys too much latitude in drafting experts’ reports or influencing their opinions.12 The counter argument is that “[t]he risk of an attorney influencing an expert witness does not go unchecked in the adversarial system, for the reasonableness of an expert opinion can be judged against the knowledge of the expert’s field and is always subject to the scrutiny of other experts.”13

2. Attorney-Client Privilege and Confidentiality

The attorney-client privilege is one of the most hallowed tenets of American common law.14 The primary function of the privilege “is to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice.”15 Without the privilege, which withholds otherwise relevant evidence, “the client would be reluctant to confide in his lawyer and it would be difficult to obtain fully informed legal advice.”16 In general, communications are protected under the attorney-client privilege if: 1) a person is seeking legal advice from a lawyer acting in his legal capacity, 2) the communication is made for the purpose of obtaining legal advice, 3) the communication is made in confidence, and 4) the communication is made by the client.17 So, how might this apply to digital forensics examinations?

[A]s both a legal and practical matter, the defense expert’s relationship with the defendant and counsel has been protected from intrusions by the state. The law has recognized several doctrines that afford a degree of confidentiality to the expert-defense relationship. Thus, statements made to the expert by the defendant and counsel may be protected by the attorney-client privilege.18

Compare the foregoing pronouncement from one state court with that from another: “Attorney-client privilege is perhaps a misnomer, since only the client’s statements enjoy a privilege. Communications of the attorney, on the other hand, are not privileged, except to the narrow extent to which they reveal communications made by the client.”19 Courts may, indeed, construe a client’s direct communications to the digital forensics expert as privileged, if the expert is regarded an agent of the attorney.20 And it is true that an expert is not considered a third-party whose presence destroys the privilege but only if the expert’s presence is deemed necessary to secure and facilitate communication between the client and the attorney (not unlike an interpreter).21 Generally, however, communications between an attorney and an expert are not likely to be afforded attorney-client privilege, because these are not communications made in confidence to an attorney while seeking legal advice.22

This view notwithstanding, both the expert and the attorney would owe a duty to the client—the holder of the privilege—to maintain confidentiality. The attorney’s obligation is detailed in the Model Rules of Professional Conduct in Rules 1.6 (governing disclosure by a lawyer of information relating to the representation of a client during the lawyer’s representation of the client),23 1.18 (the lawyer’s duties regarding information provided to the lawyer by a prospective client),24 and 1.9 (the lawyer’s duty not to reveal information relating to the lawyer’s prior representation of a former client).25 But, the expert, who usually isn’t present at the time of the communication, is also obliged to zealously protect any information the expert discovers that implicates communications made by the client to his or her attorney.

Further, this expert obligation may be yet another compelling reason why an expert ideally should have some legal training, because he or she needs to correctly recognize and, as necessary, segregate attorney-client privileged data. For example, if the expert encounters e-mails between a client and her attorney, which the client subsequently forwarded to a friend, will the expert recognize a privilege?26 When in doubt, the expert should consult with the attorney.

Privilege aside, a competent digital forensics expert should also have background and training in information security protocols and be able to observe strict confidentiality of all data entrusted to him or her:

Not all cases are shrouded in secrecy, but a fair proportion of them are. There are well known figures getting divorced, major companies with proprietary information at issue, public figures in the headlines, and people charged with felonies. . . .  During the course of a major case where the expert has been identified, the press will undoubtedly come sniffing around the expert probing for information. A good expert knows the standard answer, “I’m sorry, I have no comment” and is as immoveable as the Great Wall of China.27

One Associated Press article, Anthony Computer Expert Backs Off Reported Claims, demonstrates the foregoing point well.28 Nevertheless, because the Rules of Professional Conduct do not apply to digital forensics examiners, the only enforcement mechanisms are contractual provisions—i.e., a confidentiality clause in the retainer agreement—and “loss of reputation and business.”29 Therefore, to protect confidentiality, the engagement contract should include a confidentiality provision, which may give rise to a breach of contract action if damages are sustained. Also, if the expert is retained while a case is active, either or both parties may move the court for a protective order regarding the expert’s handling of confidential data, under which the expert would be subject to the court’s inherent supervisory powers, including sanctions and contempt authority.30

The Cyber Forensics Examiner’s Special Obligations in a Litigation Support Role
Cyber forensics examiners have special obligations if engaged in support of or in preparation for litigation. These obligations include zealously guarding the attorney-client privilege and applying the work product doctrine (both discussed above), developing reports, exhibits, and testimony (that are both admissible and understandable to a lay jury or judge), and conducting their activities in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party, or that may bring malpractice liability upon the lawyer.

Chief among the obligations is the duty of uncompromising candor. Whether an examiner is appointed by the court or retained by a party to an adversarial proceeding, he or she is obliged to ferret out the truth.31 “Where a proffered expert knows himself or herself to be a quack or otherwise to be offering false testimony, the situation is like that of any other witness who is perpetrating a fraud on the court. Such acts are illegal as well as unethical.”32 Moreover, some courts may deem the testifying cyber forensics experts not appointed by the court as officers of the court.33 Where digital forensics examiners serve as special masters34 or third-party neutrals,35 they certainly are regarded as officers of the court, and usually entitled to quasi-judicial immunity.36 As an officer of the court, the expert is subject to the court’s inherent powers, thereby providing an extra measure of accountability for misconduct (e.g., confidentiality breaches).37

And although it is beyond the scope of this comment to discuss the structure of the expert’s report and quality of testimony, a few words should be said about what the report should not contain: the report must never be tailored to support a particular outcome, as a material omission may constitute fraud.38 Likewise, examiners must resist overtures by attorneys, however well-intended or abstract, to submit any work product or testimony that is disrespectful of the truth, including overstating, understating, or omitting findings. Further, the ABA has stated that experts, unlike attorneys, do not owe a “duty of loyalty” to clients, noting that the attorney’s duty to advance the client’s objectives diligently through all lawful measures “is inconsistent with the duty of a testifying expert.”39 Rather, to provide reliable and valid testimony, Daubert imposes upon the expert the “ethical responsibility” to present a complete and unbiased representation of the research relevant to the matter.40 If the expert falsifies, distorts, or misrepresents the evidence, it will not be deemed reliable under the Daubert standard.41 Note that, although this duty of impartiality is codified in several codes of ethics,42 there is a vocal opposing view that it is not possible to impartially educate in an adversarial system because of pressures from hiring attorneys and because “of a strong tendency to identify with the side for which one is working.”43 Regardless of whether the expert is viewed as neutral or partisan, an expert generally should not switch sides of the same case or controversy, when he or she is in receipt of confidential information,44 particularly that subject to the attorney work product doctrine discussed above.

Finally, another salient consideration is the possibility that the conduct of the digital forensics examiner could be imputed to the attorney in certain situations under Model Rule 5.3. Perhaps the most common of such conduct is negligence, but the list could also include deception because of its popularity and efficacy as an investigative technique.45 Deceptive techniques are, however, proscribed in the practice of law by the Rules of Professional Conduct.46 And many states have held “[t]here are circumstances where failure to make a disclosure is the equivalent of an affirmative misrepresentation.”47

The question of whether deception, as used in Model Rule 8.4, exists in the context of a digital forensics, cloud forensics, or network forensics (intrusion detection) investigation is not well settled.48 Even if a digital forensics investigator refrains from using technology that is unlawful or contains malicious executable code, he or she foreseeably could use technology that arguably constitutes “deception.” For example, an investigator may employ beaconing, such as “Web bugs,” surreptitious file objects commonly used by spammers and placed in e-mail messages or attachments that, when opened, may allow the sender to monitor user behavior.49 Beaconing and other forms of “active defense” or retaliatory hacking. Adopting the view that the foregoing constitutes “deception,” one might also view as deceptive the use of other forms of “active defense,” such as honey-pots to attract hackers.50 A few state bar associations have already addressed these technology-related ethical pitfalls: The Philadelphia Bar Association Professional Guidance Committee advised in Opinion 2009–02 that an attorney who asks an agent (such as an investigator) to “friend” a party in Facebook in order to obtain access to that party’s non-public information, would violate, among others, Rule 5.3 of the Pennsylvania Rules of Professional Conduct.51 Likewise, the Association of the Bar of the City of New York Committee on Professional and Judicial Ethics issued Formal Opinion 2010–2, which provides that a lawyer violates, among others, New York Rules of Professional Conduct Rule 5.3, if an attorney employs an agent to engage in the deception of “friending” a party under false pretenses to obtain evidence from a social networking Web site.52

Legality of Digital Forensics Investigation Techniques
Another important factor for consideration by both attorneys and examiners in digital forensics investigations is the legality of investigation techniques. Consider, for example, whether an attorney or the examiner may take possession of a computer belonging to a husband, but seized by a wife in preparation for marital dissolution proceedings. If a court finds that the wife did not have equal dominion over the computer (i.e., if the computer, or some portion thereof, was password-protected by the husband, or belonged to the husband’s employer), the taking of the computer for analysis might constitute a crime.53 Likewise, evidence obtained from a keylogger, spyware, or persistent cookies may violate state or federal law (e.g., the Electronic Communications Privacy Act).54 Likewise, certain types of “cyber sleuthing” or penetration testing may be unlawful under various state and federal statutes. For example, the Computer Fraud and Abuse Act, last amended in 2008, criminalizes anyone who commits, attempts to commit, or conspires to commit an offense under the Act.55 Offenses include knowingly accessing without authorization a protected computer (for delineated purposes) or intentionally accessing a computer without authorization (for separately delineated purposes). Even if prosecution seems unlikely, any evidence obtained by unlawful means is inadmissible under the exclusionary rule. Various statutory phrases, such as “without authorization” and “access,” have been the continuing subject of appellate review,56 and, at the time of this writing, an amended version of the Computer Fraud and Abuse Act is currently pending before the House Judiciary Committee.57

Yet another area of legality concerns laws in some states requiring digital forensics examiners to be licensed as private investigators. Texas passed such a law that provides for up to one year imprisonment and a $14,000 fine for persons conducting unlicensed computer investigations.58 The attorney employing a non-licensed expert may also commit a criminal offense.59 And Michigan’s law makes unlicensed digital forensics work a felony punishable by up to four years imprisonment, damages, and a $5,000 fine.60 In 2008, North Carolina’s Private Protective Services Board proposed to amend General Statute Section 74C-3 to include “Digital Forensic Examiner” as among the roles that must be licensed by the state.61 The measure was defeated.62 Meanwhile, the American Bar Association has discouraged such legislation, observing, “[c]omputer forensic assignments often require handling data in multiple jurisdictions. For example, data may need to [be] imaged from hard drives in New York, Texas, and Michigan. Does the person performing that work need to have licenses in all three states?”63 The ABA Report concluded:

The public and courts will be negatively impacted if e-discovery, forensic investigations, network testing, and other computer services can be performed only by licensed private investigators because not all licensed private investigators are qualified to perform computer forensic services and many qualified computer forensic professionals would be excluded because they are not licensed.64

Indeed, very few licensed private investigators are qualified to perform computer forensics services.

Yet another area of legal concern is the tort or other liabilities of aggregation and inference (“Big Data”), and whether lawful data-mining performed by investigators outside of the formal discovery process could lead to invasion of privacy, intrusion upon seclusion, or other tort liability.65 A few prominent cases suggest that individuals maintain a privacy right in data that can be reconstructed through aggregation and inference.66 For example, in situations where technological tools or processes not readily available to the public are used to reveal the physical location of an internet user, it’s not difficult to imagine that a court might look to Kyllo v. United States, for the proposition that an individual’s reasonable expectation of privacy has been violated67 (although tort plaintiffs probably will need to establish they’ve suffered some greater injury than having their approximate physical locations discovered through IP address routing).68 At least one court has held that the use of persistent cookies is a violation of the Electronic Communications Privacy Act.69 Congress is currently considering reform to the ECPA and the Computer Fraud and Abuse Act, as well as comprehensive privacy legislation that would, in some circumstances, afford a private right of action to consumers whose personal information is collected without their consent.

Lastly, another consideration is the thorny matter of the cyber forensics examiner’s interactions with prosecutors. One is the perception or allegation of a prosecutor “shopping” for an expert, or reckless use of a tainted expert, which may constitute a violation of defendant’s due process rights,70 and may also be a violation of Rule 3.8 (Special Responsibilities of a Prosecutor).71 The following interview excerpt from The Right to Expert Assistance in a Post-Daubert, Post-DNA World,72 illustrates this problem:

Because two police crime laboratories would not declare a positive bootprint match in the infamous Rolando Cruz prosecution, prosecutors sought out a third expert, Dr. Louise Robbins, who declared a match. A detective, who resigned because he believed the wrong people had been charged, later observed: “The first lab guy says it’s not the boot. . . . We don’t like that answer, so there’s no paper [report]. We go to a second guy who used to do our lab. He says yes. So we write a report on Mr. Yes. Then Louise Robbins arrives. This is the boot, she says. That’ll be $10,000. So now we have evidence.”73

Another less frequent issue may arise when a digital forensics examiner encounters evidence during a non-criminal investigation and reports the findings to law enforcement. If law enforcement fails to obtain a warrant on probable cause to seize the media but instead gives directives to the examiner to search for additional corroborating evidence, the examiner may, in effect, be regarded as “deputized.” As an agent of the state, the examiner’s search—absent a valid warrant exception—may be in violation of the suspect’s Fourth Amendment right to be free from unreasonable searches, and any evidence procured therefrom may be inadmissible.

Conclusion
As an example, one certifying body, the (ISC)2® Committee, has recognized that it has a responsibility to provide guidance for “resolving good versus good, and bad versus bad, dilemmas,” and “to encourage right behavior,” such as: research; teaching; identifying, mentoring, and sponsoring candidates for the profession; and valuing the certificate. The Committee also has the responsibility to discourage certain behaviors, such as: raising unnecessary alarm, fear, uncertainty, or doubt; giving unwarranted comfort or reassurance; consenting to bad practice; attaching weak systems to the public network; professional association with non-professionals; professional recognition of or association with amateurs; or associating or appearing to associate with criminals or criminal behavior. But, because no code of ethics or law can prescribe the appropriate handling of the myriad ethical dilemmas the cyber forensics examiner will certainly confront, the examiner may need to obtain counsel, and ultimately must apply the ethical decision making principles of honesty, prudence, and compliance with the law and professional norms.
