chevron-down Created with Sketch Beta.
March 01, 2016

Forensic Examination of Digital Devices in Civil Litigation: The Legal, Ethical and Technical Traps

Download a printable PDF of this article (log in for access).

A. Introduction

As children, many of us dreamed of growing up to be a spy. As portrayed in books and films, spies lead such fascinating lives. They go on missions that are always intriguing and sometimes sexy (think Sean Connery or Daniel Craig in James Bond), or exceptionally dangerous (think Matt Damon in Jason Bourne), or simply hilarious (think Melissa McCarthy in Spy or Mike Myers in Austin Powers). But spying is the last thing any lawyer or forensic investigator wants to be accused of doing—especially by a prosecutor claiming that a search of a digital device violated federal wiretap laws,1 federal laws protecting electronic information stored on computers,2 or state wiretapping, computer tampering, eavesdropping and privacy laws.3 Unfortunately perils do lurk behind the gathering of evidence from digital devices, especially devices that do not belong to the client. And bad things still can happen to good lawyers and forensic investigators who extract information from computers, tablets, and smartphones that are lawfully owned, possessed and used by the client. If curiosity can kill a cat, it can certainly cause problems for lawyers and forensic investigators who are not attuned to the potential hazards.

Lawyers have an ethical obligation to be competent in the matters they handle, including understanding technology involved in litigation. Litigators must be knowledgeable about the potential evidentiary value of smartphones, tablets and other digital devices. This means knowing what information is carried on them, and potentially retrieved from them, as well as being versed in the legal and ethical limitations on extracting digital data from such devices through forensic examination. The limiting principles that lawyers (and forensic examiners) must appreciate are found in laws that prohibit wiretapping, computer abuse, and eavesdropping, and protect privacy rights, as well as in the ethical first principle that lawyers may not engage in, or enable clients to engage in, criminal or fraudulent activity.

Lawyers are responsible for determining the legally permissible boundaries for conducting forensic examinations of digital devices, and in so doing must carefully consider the quality and scope of the consent given, i.e., the authority under which the examination is to be performed. What may start out as a lawful search may quickly turn questionable, or even plainly unlawful, depending on the scope of the permission granted, what evidence is developed, and how the recovered information implicates the privacy rights of third parties. While the evidence from such devices can amount to a smoking gun, you don’t want it to backfire and find yourself sued, prosecuted or disbarred for actions that, in hindsight, were not lawful and could have been avoided with a modicum of foresight.

This article is intended to give lawyers and forensic investigators the information they need to understand the essential Do’s and Don’ts when it comes to extracting electronically stored information from digital devices—to recognize the traps and intelligently navigate around them, rather than stumble into them and be accused of spying, with possible criminal charges, civil lawsuits and ethics investigations to follow. We also will point out grey areas where the law is not altogether clear, and offer some suggestions to keep legal and ethical risks at a manageable level.

B. The Contours of Permissible Snooping: What Not to Do

The urge to spy—and the perils of doing so—play out frequently in cases of suspected marital infidelity where one spouse goes looking for evidence of the illicit relationship. These imploding marital cases, involving sometimes extraordinary efforts at espionage, help to define the contours of permissible snooping in other contexts.

  • Wife reads husband’s emails stored on the family home computer; both spouses have full access to computer and wife views emails without any need to use husband’s password.4
  • Husband correctly guesses wife’s password for private web-based email account accessed by wife on home computer.5
  • Husband puts key-logging spyware on home computer that records wife’s password to private web-based email account.6
  • Wife installs spyware program on husband’s computer that takes screens shots and saves the information to a file on the computer.7
  • Wife installs spyware program that takes screens shots, and make copies of emails and texts, and transmits those communications to another computer.8
  • Wife installs spyware program on husband’s work laptop that routes incoming email to wife’s computer; she then alters emails from sender to make them read as though her husband is having an affair with sender, and replies to sender using husband’s laptop at work.9
  • Ex-girlfriend accesses, without permission, former boyfriend’s Gmail account to create zombie emails, sending email from private account that looks like he sent them.10
  • Husband hires private investigator to place a wiretap on wife’s phone11

Such trickery is not limited to people embroiled in failing personal relationships. Corporate espionage occurred between major league baseball teams after a staff member of the Houston Astros moved to a rival club, the St. Louis Cardinals. The director of baseball operations for the Cardinals, Christopher Correa, used the name and password of the former Astros staffer to gain unauthorized access to the Astros’ proprietary software and files.12 The FBI determined that the crime was committed using a computer located at a St. Louis Spring training facility in Florida, and eventually traced the actual hacking to the Cardinals’ director of baseball operations, who pleaded guilty in federal court to five counts of unauthorized access to a protected computer.13

Ethical and legal problems can arise even without intentional acts of marital or industrial espionage.

In one case pulled from our files, a generous husband and father—Dad—gave two iPads as Christmas presents—one to his Wife and the other to his teenaged Daughter. He innocently set up “Family Sharing” through the iPad Settings to intentionally link both computers. He did so in order to allow Wife to see all text messages sent and received by Daughter on her iPad. As fate would have it, after the parents separated, Daughter brought her iPad to Dad’s place, and left the device open and running. What should pop up on Daughter’s screen? You guessed it: Wife’s flirtatious text messages to her boyfriend, sent from Wife’s iPad. So much for “family sharing.”

Unintended and embarrassing communications can occur even after a digital device is turned back to its owner following a period of authorized use by a third party. In one such case, a middle school student was loaned the use of a laptop by the school he attended. His father, who happened to be an FBI agent, installed the eBlaster spyware program on the laptop to keep track of his son’s internet activity. (The spyware program was set up to generate reports to the father’s email address.) When the time came to return the computer to the school, the father arranged for the memory of the laptop to be wiped clean but did not realize the eBlaster program remained despite the scrubbing. He returned the laptop directly to the school’s principal. The agent was extremely surprised to receive, several days later, eBlaster email reports indicating the laptop was being used to access child pornography sites. Needless to say, the school principal was even more surprised to get a visit from the FBI.14

The same kind of continuing, unintended communication can happen when an employee is terminated and hands in an employer-issued (and owned) smartphone or tablet. If the employee arranged for the device to receive private web-based email, such as Gmail, over the company’s network, and if the employee did not take steps to disable access to that account at the time of separation, the emails will still show up on the device. In that case, the employer may choose to read the ex-employee’s private email on the handed–in device, without the former employee ever knowing.15

But what can a litigant or lawyer do with any of these overseen or overheard communications? Can the eavesdropper keep monitoring surreptitiously those communications? What if the snooping party brings the device to his lawyer’s office? Can the attorney or a staff member record the leaking private text messages or emails and use them as evidence? Does the lawyer have ethical responsibilities to avoid exploiting this accidental eavesdropping? What if a lawyer or investigator poses as a third party and communicates with the cheating spouse (or fired employee) to extract admissions? What if the lawyer sees the former spouse or employee sending a text message or email to his or her lawyer? Does that waive the privilege?

With respect to all such leaked communications, a lawyer might be tempted to tell the client, “Let’s not use this material—yet. We’ll put out discovery demands that specifically call for it, and if they say it does not exist—Bam! We drop the bomb on the court and get them sanctioned!”

The question is: Who gets sanctioned?

No case is worth damaging your reputation or worse … losing your livelihood or liberty.

C. The Bonanza of Digital Data

1. Sources and Types of Digital Data

Ninety percent of American adults own a cell phone.16 Sixty-four percent own a “smartphone.”17 One study of consumer behavior reports that 85 percent of people say “mobile devices are a central part of their everyday life,” with consumers revealing they spend on average 3.3 hours per day using a mobile device.18 According to another poll, “nearly three-quarters of smartphone users report being within five feet of their phones most of the time, with 12 percent admitting that they even use their phones in the shower.”19 Americans use smartphones for text messages, internet use, voice/video calls, emails, social networking sites, video and music, with usage patterns differing somewhat by age.20

Forty-two percent of American adults own a tablet computer such as an iPad or Android-based tablet.21

Through the use of all digital devices in the world, humans create more than 2.5 quintillion (18 zeros) bytes of data every day.22 This includes roughly 145 billion email messages.23 Global downloads were predicted to reach 76.9 billion in 2014.24 Ninety percent of the data in the world today was created in the last two years.25 Much of the burgeoning digital data is stored on mobile devices or can be accessed remotely by them.26

2. Digital Data from Mobile Devices – Relevance to Civil Litigation

Smartphones and tablets produce a wide range of digital files that may be relevant to a civil lawsuit. The value of the evidence may run the gamut from modest to smoking gun. The evidence may come in the form of candid statements in emails (and attachments), Short Message System (SMS) text messages, voice messages, and even instant messenger (IM) networked communications, as well as social media sites. Call histories can plot communications among pertinent actors against critical dates. Who called whom and when, as well as what websites were visited and when, and what applications were downloaded and when, can either tend to incriminate or exonerate. GPS location tracking records may do the same. Photographs and videos may be probative. Pertinent information also may lie beyond the digital devices themselves in cloud-based accounts (social media sites) accessed through the smartphone (think Craigslist, Facebook and Twitter). Notably, the digital device may contain the passwords needed to access remotely stored information.

The ability of a smartphone to broadcast its location, and inferentially the location of its owner, is of great interest to prosecutors and regularly used to build a case against a criminal defendant, including defeating an alibi defense.27 But location-revealing operations of smartphones can have important consequences in civil litigation as a well. That evidence may be found not just in the GPS data recorded on the phone but also in network communications that register the phone (or ping it) when it is within the network and connecting to cell towers.28 This latter category of digital data, known as historical cell site location information (“CSLI”), is recorded (if at all) on the network; it is not recorded on the phone. Between GPS data on the phone and CSLI data potentially available from the carrier, the data can place a phone (and its owner) in specific physical locations at specific times.

A competent lawyer needs to recognize the potential treasure trove of relevant information that mobile digital devices contain and to take steps to specifically request discovery of mobile devices and to preserve the digital information that is stored on them. Early requests for such information—and directives to preserve such evidence—are essential given the risk of files being overwritten or deleted or altered by normal operation of the device (as discussed below), not to mention the risk that users will upgrade their device to catch the latest technology improvements with the result that the old phone goes back to the carrier and is wiped clean or destroyed. The lifespan of a smartphone may end before a lawsuit starts.

3. Special Consideration: Smartphones and Tablets in the Workplace

In addition to the widespread personal ownership of mobile digital devices, many employers provide cell phones and tablets to their employees. Some employees purchase the device through their employer and use that personally-owned device on the employer’s network. An increasingly more common way of managing workplace communications is to have employees bring their own digital devices to work—with more and more companies establishing bring your own device (“BYOD”) policies that specify what workers need to do in order to connect their personal devices to the employer’s network, no matter where the devices were purchased. With decreasing frequency—see the epic decline of the BlackBerry—

employers will provide to their employees mobile devices that remain the property of the company and must be returned to the company when the employment ends.

No matter who owns the digital device, the employer has the right to establish a condition of employment that any communication by the employee on the employer’s network is not private. But that condition of employment must be unambiguous and evenly applied to be enforceable.29 And even where it is, such a policy may not authorize every search of the device that the employer may wish to undertake, as discussed in Section E, infra.

D. Primer on Digital Forensic Examination

1. Digital Forensic Examination Explained

What is digital forensics? Digital forensics is the process of uncovering and interpreting electronic data. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying, and validating the digital information for the purpose of reconstructing past events. This is typically undertaken in connection with matters in litigation, where the results will be used in a court of law, though digital forensics can be used for other purposes as well.30

The examination of digital devices has evolved significantly over the past decade. Historically, forensic examiners would image and forensically review the contents of a single hard drive contained within a laptop or desktop computer. Today the data subject to forensic review can span multiple fixed devices, corporate networks, applications, and mobile devices.

As noted above, mobile devices (smartphones and tablets) have become an integral part of peoples’ lives, and as such, can play an important role in litigation. Coupled with the frequent use of personal devices at work (including through BYOD policies) these compact handheld devices often contain a large volume of potentially relevant business and personal information including call and calendar items, memos, address books, passwords, and credit card numbers.

The value of a forensic examination typically lies in its ability to recreate what a user was doing on a digital device for the weeks or months leading up to a particular event. That “event” in civil litigation could be the termination or separation of an employee from a company (including evidence of harassing conduct in a discrimination lawsuit), departures of key employees to a competitor (with claims of trade secret misappropriation), receipt of a subpoena or other government regulatory inquiry, or the filing of a lawsuit or other administrative proceeding. Given how regularly people use their digital devices, it goes without saying that they inevitably leave electronic trails.

2. The Basics of Forensic Examination

The first step is to make an exact image of the digital information extant on the device—a virtual snapshot that leaves intact on the device the original data and metadata. The forensic examiner’s oath is to do no harm, to leave the device “as is” and only apply data extraction software to the forensic duplicate image—never to the original data.

A variety of forensic software is available to help extract digital files. This includes programs specifically designed to recover and analyze deleted Internet search histories.

A skilled forensic examiner, following careful, evidence-preserving protocols and employing the right data extraction tools, offers the best chance to recover digital files that can be used later in court.31

3. Some Observations on Digital File Storage and Recovery

a. Memory limitations and instability

Smartphones have different operating systems (e.g., Apple IOS version 10 versus Android) complete with different file and storage architecture, that record and store digital files in manufacturer-specific, proprietary conventions including highly variable, and increasingly robust encryption. But all smartphones share a basic design limitation, namely, space. In order to give smartphones the most “smarts” designers use a combination of “volatile” (unstable) and “non-volatile” (stable) memory. One often hears about “temporary” files that are routinely overwritten, such as web browser search histories and download histories, that may reside in a temporary “cache.” Those are examples of volatile/unstable digital memory files. They may contain exceptionally probative information notwithstanding their unstable format.

b. Apple Spotlight searches

iDevices allow users to search the entire device through a feature called “Spotlight search.” This feature searches for content on the device and stores the results of the search in a cache. A Spotlight search may reference deleted data. Forensic examination of the Spotlight cache can turn up deleted Short Message Service (SMS) texts. In some instances the examiner may be able to recover the complete text including associated phone number and date/time of the transmission. In other circumstances, only text fragments are recoverable with no identification of the phone number or the date and time of transmission. In one of our cases, the Spotlight search produced a mixed bag of complete and incomplete text messages on the same device, involving the same sender and receiver (as judged by the content of the messages themselves). That led counsel to try to piece together a unified chronology based on the content of the communications, despite the missing date/time information. That effort was only partially successful.

c. Other sources of information within smartphones

A Subscriber Identity Module (SIM) card contains information that may be relevant in a lawsuit, even though the information only authenticates the device on the network and stores limited data about the user’s identity.

Other sources of digital information include back-up files, synched folders linked to computers and other (linked) mobile devices, synched folders to cloud-based sources like Dropbox, and files synched to Enterprise BES systems like SharePoint. It is necessary to understand how a given digital device fits into the larger network of digital devices and services to appreciate where stored data may reside.

d. Passwords

Many mobile digital devices are protected by passwords. If the password is not available, the extraction of digital data from such a password-protected device may not be technologically feasible. It depends on the operating systems and the type of passwords used. iPhones, for example, may employ “simple” or “complex” passwords that present different forensic challenges.32 As a general rule, smartphone manufacturers are making it more difficult to forensically recover data without a viable password. In the escalating “war” between password-protected phones and law enforcement, police in Michigan worked with a Michigan State University computer science and engineering professor to unlock the iPhone of a man who was murdered, using a 3D replica of the victim’s fingerprints.33 Some cellphones are better than others at detecting “spoofs” of fingerprints.34

e. Encryption

Manufacturers of mobile devices employ sophisticated encryption programs and other software to prevent (or at least deter) unauthorized access to digital files on those devices. These programs erect potentially insurmountable barriers to forensic examination. Apple fortified the protections for its devices in 2014 by changing its design to prevent anyone from tapping into its device’s hardware—and thereby accessing protected data—without having a working passcode. Starting with the iPhone 5 model, Apple began using a program designed to automatically erase certain data after ten unsuccessful passcode attempts. Apple has resisted requests from law enforcement to turnover its “key” to allow access to its devices without a working passcode. Whether Apple can be forced by court order to unlock one of its devices was partially litigated in a criminal investigation involving the San Bernardino terrorists.35 The FBI obtained an order from the federal district court in Riverside, California, directing Apple to help the FBI defeat the passcode requirement. When Apple fought back in court (and in the court of public opinion), the FBI said, in effect, “never mind” and canceled the hearing, after apparently identifying another way to defeat the passcode protection without triggering the auto-erase feature.36 The move by mobile device manufacturers to develop more sophisticated software to protect data means fewer mobile devices will be readily subject to forensic examination, even as forensic examiners develop countermeasures to try to overcome these protections.37 The “arms race” appears to squarely favor manufacturers at this point. Even with respect to criminal prosecutions involving terrorists, Congress does not appear ready to legislate a solution by giving law enforcement a permanent “back door” to such devices.

E. Ethical Considerations for Lawyers

1. Ethics Rules

A variety of ethics rules may be implicated by the forensic examination of a mobile device. As an initial matter, a lawyer’s competence will be called into question if he or she does not appreciate the possible evidentiary significance of digital files on mobile devices and does not act to preserve those files, or worse, takes steps to delete them. Indeed, a lawyer’s ethical obligations include a broadly stated requirement to be competent to handle discovery of electronically stored information.38 Counsel must be conversant with evolving technology and know when to associate with a technical consultant or experienced counsel to address e-discovery issues.39 Mishandling e-discovery may demonstrate a lack of competence; it may also lead to an ethical violation of an attorney’s duty of confidentiality if client confidential information is mistakenly produced.40 The California formal opinion concludes:

Electronic document creation and/or storage, and electronic communications, have become commonplace in modern life, and discovery of ESI is now a frequent part of almost any litigated matter. Attorneys who handle litigation may not ignore the requirements and obligations of electronic discovery. Depending on the factual circumstances, a lack of technological knowledge in handling e-discovery may render an attorney ethically incompetent to handle certain matters involving e-discovery, absent curative assistance …, even where the attorney may otherwise be highly experienced. It also may result in a violation of a duty of confidentiality, notwithstanding a lack of bad faith conduct.41

To help all practitioners to better understand their e-discovery obligations, the New York State Bar Association published a guide called, “Best Practices in E-Discovery in New York State and Federal Courts.”42 Every litigator should be conversant with these best practices.

2. Competence in Mobile Device Discovery

A single failure to preserve data will not likely constitute an ethical violation that subjects an attorney to grievance committee action,43 but such behavior can easily result in court-imposed sanctions based on the party’s spoliation of evidence (see, infra, C.4.) and the failure to request discovery of the opposing party’s digital devices likewise may not support a grievance action but could support a malpractice claim if the failure to request discovery falls below a competent lawyer’s standard of care. In other words, for a slew of reasons, every litigator must be sufficiently equipped to know what information is contained on, or accessed through, mobile devices, and be able to evaluate whether those digital files may have evidentiary value. Counsel must be attuned to preserve or request such evidence as part of actual or anticipated litigation. Preservation issues are especially pressing in the context of mobile devices. They not only have volatile data that may be overwritten in short order,44 but also are routinely upgraded with new models—with the older phones often turned in to the carrier and wiped clean.

3. Other Ethical Duties Implicated in Harvesting Digital Evidence through Forensic Examination of Mobile Devices

Lawyers, as well as investigators under the direction of counsel, may find themselves engaging in ethically dubious actions in intercepting wire or oral communications transmitted by mobile devices, or extracting digital files from or through a digital device. The conduct may involve acts that are affirmatively misleading, such as intentionally dissembling about one’s personal or professional status or falsely claiming ownership or right of access to the device or the information stored on it. Such conduct could constitute a violation of Rule 4.1, which prohibits lawyers from knowingly making a false statement of material fact to third persons. Employing software and other technology to surreptitiously capture and record digital information, or extracting digital files from a device, could potentially violate Rule 4.4 (respect for rights of third persons) which prohibits a lawyer form “obtaining evidence that violates the legal rights of [a third person].” Similarly, such conduct might violate Rule 3.4 (fairness to opposing party and counsel) and that rule’s prohibition against “knowingly engag[ing] in other illegal conduct contrary to these Rules” found in Rule 3.4(a)(6). Other potential ethical violations include Rule 8.4(c), which prohibits engaging in conduct that involves dishonesty, fraud, deceit, or misrepresentation, and Rule 8.4(d), which prohibits conduct that is prejudicial to the administration of justice.

In each case, counsel should ask what legal authority exists to (1) support the collection of the evidence from, or through, a given digital device, and (2) to thereafter make use of the harvested information. No matter how great the temptation, counsel should not act first (to see what is there) and then think later what to do with it (if the evidence was properly obtained). The prudent lawyer will want to consider whether the contemplated harvesting activity itself crosses any ethical lines.

People can find themselves in grey areas even as the innocent unintended recipient of a misdirected communication. Given the many ways in which digital information may be inadvertently sent—and monitored45—Rule 4.4(b) may have a role to play. That rule defines the applicable ethical standards in responding to inadvertent disclosures, to the extent the lawyer knows or reasonably should know the digital information was inadvertently sent.

The common phenomenon that law firms delegate responsibility for e-discovery to junior lawyers, and lawyers may delegate responsibility to forensic investigators, raises the specter of ethical violations in the form of failed oversight. Rule 5.3 requires lawyers to be responsible for the conduct of non-lawyers (such as forensic investigators), and Rules 5.1 and 5.2 makes supervising lawyers, as well as the lawyers they supervise, responsible for satisfying the rules of professional conduct. These duties are non-delegable and present another way in which lawyers can find themselves in violation of the ethics rules.

As a practical matter, a single ethical lapse in harvesting information from digital sources will rarely give rise to a formal grievance proceeding because those disciplinary bodies typically look for a series of mistakes or a pattern of misconduct before bringing disciplinary charges. Nor will a malpractice claim be apt to follow a one-off gaff given the practical hurdles that clients face in bringing such suits, owing to the inherent speculative nature of claiming that, but for the act of malpractice, the result would have been different. Instead, the most likely penalty for ethically misstepping in relation to discovery concerning mobile devices will come in the form of court sanctions, especially those associated with spoliation of evidence.

4. Spoliation

The deliberate deletion of files from a digital device, done expressly to deprive another party from accessing those files, would not only constitute an ethical breach in violation of the rules of professional conduct46 but could also constitute a federal criminal offense.47 Typically, spoliation of digital files in civil lawsuits is addressed only through court sanctions as discussed in Section F “Legal Constraints on Forensic Examination.”

Spoliation can also occur in the cloud. The Florida Bar issued guidelines for lawyers in advising clients about “cleaning up” social media sites (like Facebook) to remove information that might be used against them in a lawsuit.48 Such obstructionist efforts, however, will not constitute an ethical violation unless the conduct would also violate evidence-preservation obligations imposed under the substantive law.49 Lawyers should keep these preservation obligations in mind when considering where to look for digital evidence. As noted above, the examination of a digital device may reveal passwords and identifying information about web-based accounts, and lead a lawyer and investigator to view the web-based accounts. Those accounts may contain valuable information but the digital files stored there also may be altered or deleted just as digital files on any device. Whether hoping to find or avoid incriminating evidence, lawyers should be keenly aware of how easily digital files can be altered or destroyed and should consider forensic examination in appropriate cases.

F. Legal Constraints for Forensic Examination

1. The Federal Trilogy: (a) Wiretap (b) Stored Communication and (c) Computer Fraud and Abuse Acts

a. Wiretap Act: Interception of Wire Communications (18 U.S.C. § 2511)

The Act applies to the interception of telephone and other wire communications in transit, i.e., when the conversation is occurring. The Act makes it a crime to disclose or use the contents of an intercepted communication. By the Act’s plain terms, a client would violate the federal wiretap law by disclosing the intercepted communication to his or her lawyer. The lawyer in turn would separately violate the law by submitting the communication as an exhibit in court. Disclosing the intercepted communication in a publicly filed document is strategically pointless because the Act includes an express evidentiary bar that makes the intercepted communication inadmissible in either civil or criminal proceedings. For either the client or lawyer, the criminal penalties are severe: a felony punishable by a term of imprisonment of up to 5 years and a $250,000 fine.

The federal wiretap law also includes a civil private right of action, which authorizes damages of $100 per day and $10,000 per violation; reasonable attorneys’ fee; litigation costs; and punitive damages for wanton, reckless, or malicious conduct.

One illustration of how a civil party violated the federal wiretap law (and analogous state law) is found in Klumb v. Goan,50 which involved a spectacularly imploding marriage. The wife, a practicing attorney, fabricated digital evidence against her husband that created the appearance he was having an extramarital affair. To do this, she installed the eBlaster spyware program on her husband’s computer, which captured his email communications, and then proceeded to doctor the messages to make them read differently—incriminating him in an affair. She then altered the digital file of their premarital agreement to change its terms and fabricate rights to her husband’s family wealth. This “elaborate, deceptive scheme” was revealed only through detailed forensic sleuthing, that included comparing documents in temporary files, deleted emails, and saved files on multiple devices.51 The violation of the federal and state wiretap laws was based on the wife’s interception of her husband’s email communications through the eBlaster spyware, which did not just capture the emails stored on the husband’s computer, but re-sent them to the wife’s computer. The district court accepted the “router switching analysis” theory of interception, which looks to the spyware program’s actions in copying and transmitting the email back through the internet “to someone who was not authorized to receive it.”52 The court awarded the plaintiff $10,000 in liquidated statutory damages and another $10,000 in punitive damages, along with reasonable attorneys’ fees.53

b. Stored Communications Act (18 U.S.C. § 2701)

The Stored Communications Act (SCA) provides a civil cause of action against anyone who “(1) intentionally accesses without authorization a facility through which an electronic communication is provided; or (2) intentionally exceeds an authorization to access the facility, and thereby obtains, alters or prevents authorized access to a wire electronic communication while it is in electronic storage.”54 The civil cause of action provides for recovery of actual damages of no less than $1000, as well as reasonable attorneys’ fees, litigation costs, and punitive damages if the violation is found to be willful or intentional.

The SCA also authorizes criminal prosecution with the punishment up to one year for a first offense that does not involve commercial advantage or gain. Where such financial benefit is involved, the offense is punishable by up to five years.

Significantly, the SCA does not apply to information stored on the mobile device itself, but applies only to electronic communications that are “in electronic storage” at “a facility.” 55 This limitation makes the SCA inapplicable to the extraction of data from a hard drive or other memory storage on the digital device itself, as the case law makes clear.

The SCA was enacted in 1986 before the advent of mobile digital devices, social networking sites, cloud computing, and other features of modern digital communication. Its application to current digital technology and storage infrastructure presents uncertainties and challenges to both lawyers and courts. Civil litigators need to be attuned to the potential limitations of applying the SCA to contemporary digital devices and storage systems. For example, in Crispin v. Christian Audigier, Inc.,56 a federal court quashed civil subpoenas served on MySpace and Facebook on the grounds that some of the content on those sites was protected by the SCA. A defendant in a civil lawsuit—alleged to have breached a contract and infringed copyrights—subpoenaed Facebook and MySpace seeking production of certain communications. Initially a magistrate judge ruled that the SCA did not apply because social networking sites do not qualify as electronic communication service (“ECS”) providers and further, even if the SCA did apply, the requested communications were not held in “electronic storage” as defined by the SCA. But the district court overruled both of those findings after a motion to reconsider.57 The district court held that “Facebook and MySpace provide an electronic venue to communicate” and therefore qualify as ECS providers prohibited from disclosing communications pursuant to the SCA.58 The Crispin court demonstrated, for the first time, that the SCA can be applied to the discovery of information contained on social networking sites.

In a more recent case, the Second Circuit was called upon to determine if a criminal search warrant directed to a domestic commercial email service provider (Microsoft), which is considered an ECS provider under the SCA, could lawfully require Microsoft to produce emails of a Microsoft customer that were exclusively stored in Ireland. The district court upheld the warrant finding that “an SCA Warrant does not . . . involve the deployment of American law enforcement personnel abroad . . ., does not require even the physical presence of service provider employees at the location where data are stored . . . [and] places obligations only on the service provider to act within the United States.” 59 The circuit court reversed and remanded, concluding a search warrant for the contents of a customer’s electronic communications stored on servers located outside the United States is not authorized by the SCA60 In recognizing the limited territorial reach of the SCA, the decision illustrates the uncertainty that still exists in this area of law.

In the context of one spouse looking at the other spouse’s private emails, the case law indicates liability will not attach under the SCA unless the inquisitive spouse does something to overcome an effort to maintain privacy in those communications, such as using the spouse’s password without authorization, or using a digital device against the owner’s express wishes. In contrast, a Gmail account that is unprotected by a password and accessible on the family’s home computer would appear to be accessible to the other spouse just as the files on the hard drive.61 Accordingly, if one spouse leaves the Gmail account unprotected by a password and it is readable by the other spouse on the home computer that they share, such access would not appear to violate the SCA even if the spouse’s reading of the email is not specifically authorized because there was no express “prohibition” or unauthorized use.62

Numerous courts and commentators have noted the need to reform the SCA,63 and in the face of the continuing mismatch between the statute’s dated language and applications in modern cases, it is not surprising that some courts find creative ways to make the statute work better in contemporary settings. For example, the SCA provides an exception to its rule-against-disclosure in cases where the owner consents. At least one court has taken the position that it can order the plaintiff or defendant (the party who owns the stored information) to deliver a “properly executed consent and authorization” to gain lawful access to the SCA-protected records.64 Another case demonstrates the strict application of the SCA’s exception that a “user” of a service can authorize a third party to access a communications. In Konop v. Hawaiian Airlines, Inc.65 the court held the exception stated in § 2701(c)(2) did not apply because the person who authorized the access—an employee who gave his employer access to a website that was posting negative information about the employer—had never in fact actually logged into the website, and accordingly was not a “user” within the meaning of the SCA. Given the varying ways in which the SCA can be interpreted and applied, litigants need to be especially cautious when dealing with any claim under the SCA, and alert to conflicting authority and the potential uncertainty in how any particular judge will read the statute.

c. Computer Fraud and Abuse Act (18 U.S.C. § 1030)

The Computer Fraud and Abuse Act (“CFAA”) was originally enacted as a criminal statute, though it has since been amended to allow a private cause of action for any person damaged by computer fraud.66 The CFAA criminalizes various fraudulent or damaging activities related to the use of computers, as outlined in § 1030(a), and punishment can range anywhere from imprisonment of less than a year to upwards of twenty years to life depending on the severity of the offense and surrounding crimes and circumstances.67 The civil remedies are limited. The statute provides no exclusionary rule for civil litigation; damages are limited to economic losses only; and no suit may be brought unless the civil claimant can show one of the following: at least $5,000 in economic damages; modification or impairment of the treatment or care of an individual; physical injury; threat to public health or safety; or damage affecting a computer used by an entity of the United States Government for the furtherance of the administration of justice, national defense, or national security. See 1030(c)(4)(A)(i).

If a civil action is permitted, the CFAA is very broad in its reach. The statute applies to any “federally protected computer system,” which covers all computers that are used in interstate communication.68 Further, the CFAA defines “computer” to include those affecting foreign commerce and those that may be located outside of the United States69 and excludes only typewriters and hand-held calculators.70 Some courts have found that this definition includes basic cell phones, i.e., those that only make calls and send text messages without internet or app functionality.71 This broad definition, both by statute and by judicial interpretation, means that unauthorized access of nearly every digital device falls under the scope of the CFAA.

2. Special Considerations for Collecting Data on Clouds Governed by European Data Privacy Laws

The European Union has adopted a stringent data protection law that gives “data subjects” control over “processing” of their “personal data.”72 The EU data privacy law is a model for modern data privacy legislation. If a lawyer or investigator in the United States seeks access to digital information stored overseas on a server subject to the EU’s data privacy laws, an extra dose of caution is required.

3. State Wiretapping/Eavesdropping and Privacy Laws

State laws also provide meaningful limitations on invasions of privacy whether through conventional wiretapping statutes or other laws that apply to the use of eBlaster and other spyware programs that have become popular among amateur sleuths.73 It is beyond the scope of this article to identify and catalogue the governing laws in each state, or compare state laws to their federal analogs, but we offer a few high level observations. State law violations often are alleged in conjunction with federal offenses, and frequently are modeled on federal law. The prevalence of state law claims may suggest either easier or different elements to satisfy or, more likely, stronger remedies. Accordingly, no matter which side of the “v” you find yourself on, you should never overlook state equivalents to the federal Wiretap Law, Stored Communications Act and Computer Fraud and Abuse Act, or state common law claims for invasion of privacy and eavesdropping.

4. Discovery Obligations Respecting Mobile Devices

The failure to preserve electronically stored information—especially taking affirmative steps to delete such data—can support strong sanctions, including entering a default judgment against the spoliator.74 Fashioning an appropriate sanction may be hard where either the misconduct is not as egregious (e.g., the evidence was overwritten in the normal course as opposed to deliberately deleted to obstruct discovery) or the misconduct did not result in palpable prejudice. In one case where the prejudice had not yet been determined—because it was unknown if the failure to preserve had in fact resulted in a loss of material evidence—the court ordered the culpable party to pay for the innocent party to hire a forensic examiner to analyze the device to determine if any digital files were lost.75

G. The Scope of Authority to Search

After educating yourself on the salient facts, including who owns the subject digital device and what information you believe is stored on it or accessible through it, and securing consent to search—and only after familiarizing yourself with the ethical and legal standards described above—you should ask: “What is the scope of the authorization I possess to look or listen?” Just because you can lawfully begin monitoring communications does not mean you have the legal authority to do so indefinitely or that if you lawfully extract information from one device you can chase down leads on other devices or in the clouds. Lawful activity may become unlawful, especially when further forensic investigation starts impinging on the privacy interests of third parties. The loss of authority—going beyond the initial lawful scope—is neatly illustrated in Huff v. Spaw,76 which involved a series of private conversations overheard by a third party as the result of a single, accidental “pocket-dial” that lasted almost an hour.77 The “pocket dialer” was involved in a private business conversation on a hotel balcony in Italy; the unintended recipient was a colleague back in the United States who was very interested in that work-related conversation, particularly since it allegedly involved plans to discriminate against the colleague’s boss. The colleague in the US (the unintended recipient of the pocket dial) kept the call open, wrote down what she was hearing, and later used a recorder on her iPhone to record the last few minutes of the conversation.78 Over the course of the hour-long monitoring, the conversation moved from the incriminating statements about a business colleague—between business people—to innocuous personal conversations between the “pocket dialer” and his wife.79 The unintended recipient (eavesdropper) kept monitoring and recording what was being said.80 Both the pocket dialer and his wife sued the eavesdropper under federal laws prohibiting the intentional interception of oral communications. The district court granted summary judgment against the plaintiffs. The Sixth Circuit affirmed as to the pocket-dialer’s claims but remanded as to his wife’s claims. The circuit court reasoned that the pocket dialer had no reasonable expectation of privacy having negligently placed a pocket-dial call.81 The court took a different approach with respect to the wife of the pocket-dialer and the marital conversation that was overheard. The circuit court concluded that the wife had a reasonable expectation of privacy notwithstanding her husband’s negligent pocket dial, and the matter was remanded for further development of the record with respect to the alleged interception of that private oral communication.82 The Huff case stands as a stark reminder as to how easily we can transmit communications all over the world with our mobile devices even when we are not trying—with potentially serious consequences not just for the accidental dialer but also the receiver who chooses to listen.

H. Establishing Legal Authority to Examine Device

1. Ownership of Device Versus Ownership of Digital Files Stored on, or Accessible From, the Device

Just because a lawful owner of a device consents to its forensic examination does not necessarily mean every digital file stored on the device is fair game to inspect—i.e., falls within the scope of the owner’s consent to search. For example, it is possible for a password-protected file to be located on a device that is co-owned (requiring consent of the co-owner), or the files themselves may be under the exclusive control of a co-owner or even a third-party who was granted permission to use the device. More commonly, issues arise about scope of consent when the forensic examination leads to the identification of web-based accounts. These accounts may or may not be password-protected, and may present distinct considerations relating to the privacy rights of third-parties who communicated with the account holder. Lawyers and investigators need to be sensitive to how a lawful authorization to search may subsequently implicate the rights of third parties, who may have a reasonable expectation of privacy that could be invaded—just as the international hour-long eavesdropper in Huff found out. In that case the eavesdropping from a pocket-dial started out as lawful, when the conversation involved business matters, but strayed into unlawful eavesdropping as soon as the conversation turned to private matters involving a third party. Lawyers and investigators need to respect the lines that are foreseeably drawn by courts that are solicitous of third party privacy rights. Being forewarned is to be forearmed.

2. Post-Mortem Considerations Generally

Digital files owned by the decedent are considered part of the estate and subject to any provisions in the will. Many digital files have considerable financial value, including iTunes files, downloaded films, and purchased programs like Adobe Lightroom, Illustrator, and other expensive software. The digital devices on which these files are stored may also be part of the estate and subject to specific disposition by will but more typically fall within the residuary of the estate. If the owner of a digital device dies without a will, any mobile devices and digital files contained on them will pass by intestate succession. Social media accounts, and information stored in them, could well be deemed an asset of the decedent and be devised by gift or pass by intestate succession. But obtaining access to Facebook and other social media accounts of the decedent may be difficult with social media providers citing restrictive policies.83 This raises interesting issues of privacy, ownership, and control—not the traditional worry about the dead hand from the grave exerting control over the living, but rather, the live hand of Facebook trying to keep private matters private to protect the interests of the decedent. Given the many ways in which ordinary people lead quite extraordinary secret lives through various web-based personas and accounts, often associated with illicit sexual interests,84 there undoubtedly is some wisdom in letting accounts and account holders disappear after death rather than provide unwelcome news to surviving family members. For the lawyer and forensic investigator, the death of the person who owned the digital device presents increased challenges in terms of both the initial authorization to conduct the search—who has that authority?—and the uncertainty as to what information may be developed through the investigation that might lead into areas where the initial authorization has little or no application, particularly if the further inquiry relates to third parties.

I. Case Study of Post-Mortem Forensic Examination

A non-party committed suicide and left behind both a smartphone and tablet. The items were physically in possession of the decedent’s surviving spouse. This personal property passed to the spouse through intestate succession, with full rights of ownership, use, and control residing in the spouse. The digital files on the mobile devices belonged to the spouse as a natural corollary of owning the devices. The decedent could have made provisions in a will to separately dispose of (a) the mobile devices and (b) the digital files contained on them. But without a will making that specific distinction, and with only intestate succession rules applying to the transfer, we concluded the digital files on the mobile devices passed to the spouse along with the devices themselves. The spouse stood in relation to the devices and their contents just as the decedent had prior to committing suicide, possessing the same right of ownership of, and access to, the files on the devices.

Shortly before taking his own life, the decedent had used his mobile devices to communicate with one of the parties (the plaintiff) in a lawsuit alleging breach of an employment agreement and sexual discrimination. The content of those communications was believed to support certain defenses to the claims.

We obtained permission from the spouse to take physical custody of the mobile devices for purposes of a forensic examination, with the spouse expressly authorizing the retrieval of all files relevant to the litigation including emails and text messages, whether deleted or not, exchanged between the decedent and the plaintiff. These communications were known to contain highly personal messages (referencing sexual matters) between the decedent and plaintiff, as well as emails regarding Craigslist posting about sex with third parties who were not involved in the case. The forensic examination of the devices revealed a substantial number of files in the category of “relevant communications” with parties and witnesses in the litigation, and a lesser number of communications with third parties which did not appear to be related to the case. Only by doing further digging could those communications be definitively ruled in or out. But accessing a web-based account, like Craigslist, presents separate issues for both forensic investigators and lawyers. If the digital files on a device disclose both the password and account information for that cloud-based account, can the spouse access those accounts under the claim of ownership of the device? With no privacy rights of the deceased spouse surviving death, is there any legal interest that prevents the spouse from authorizing that further forensic investigation? We could think of none—we believed the spouse could lawfully authorize the search, but remained mindful of the privacy rights of unrelated third parties, for example people who had communicated with the decedent on Craigslist about sex who may have an expectation of privacy regarding those private communications. We obtained additional written permission to undertake the cloud-based analysis and put into place a protocol that would seek to avoid capturing cloud-based files that involved communications between the decedent and unrelated third parties. This proved to be a moot point since the investigator was unable to access the web-based account using the information on the mobile device.

But this exercise in looking past the mobile device to web-based accounts illustrates the need for caution. Counsel and the investigative team should always ask, “Do I have authority to do this additional step that takes the investigation beyond the four corners of the device itself?” The lessons of Huff, supra, should guide the decision-making. An investigative team may start out with clear legal authority to undertake the forensic examination of the device, but the information obtained may lead investigators in other directions, the proprietary of which may need to be separately considered. Judicial second-guessing of your decision remains a strong possibility with potentially serious consequences.

J. Conclusion

Forensic examination of digital devices can be a high-risk, high-reward undertaking. The evidence collected, if admissible,85 can be “game-changing.” We just don’t want it to be “career-ending.” Given the many privacy, ethics, and legal considerations that attach to such examinations, including state and federal laws designed to protect against wiretapping, computer abuse, spying, and eavesdropping, litigators and forensic investigators need to proceed with caution, and only after clearly determining the scope of the permission granted.

Endnotes

1. Electronic Communications Privacy Act (ECPA) (Wiretap Act), 18 U.S.C. §§ 2510-2522 (2016), discussed infra, Section E(1)(a).

2. Stored Communications Act (SCA) 18 U.S.C. §§2701-2712 (2016), discussed infra, Section E(1)(b).

3. See infra, Section E(1)(c) “State Wiretapping, Eavesdropping and Privacy Laws”; see generally Alison G. Turoff, Spying Spouses and Their High Tech Tools, 96 Ill. B.J. 348 (2008) (noting the Illinois Eavesdropping Act creates a felony punishable up to three years as well as a private cause of action); V.M. Wills & L. Parvis, The Changing American Family and the Law: When Do I Become a Spy?, 42 Md. B.J. 20 (2009) (analyzing Maryland civil and criminal laws prohibiting interception of wire and oral communications); Marlene E. Moses & Manuel B. Ross, Electronics Surveillance in Family Law, 50 Tenn. B.J. 28 (2014) (examining Tennessee wiretapping and stored communication act—Tennessee Personal and Commercial Computer Act).

4. A home computer shared by both spouses has been likened to a file cabinet that is equally accessed by them. Byrne v. Byrne, 650 N.Y.S.2d 499, 500 (Sup. Ct. 1996). See White v. White, 781 A.2d 85, 344 N.J. Super. 211 (2001) (spouse may lawfully copy files located on the hard drive of the family’s home computer). In contrast, according to one commentator, “intentionally accessing a spouse’s on-line email account, such as MSN’s Hotmail or Google’s Gmail, and obtaining copies of the spouse’s email messages without authorization are examples of prohibited activity” under the SCA. See Wills & Parvis, supra note 3, at 22; see discussion of the SCA, infra, Section F(1)(b).

5. See Bailey v. Bailey, 2008 U.S. Dist. LEXIS 8565, at *1 (E.D. Mich. Feb. 6, 2008) (husband said he guessed wife’s passwords on home computer, claiming all used family names).

6. U.S. v. Ropp, 347 F. Supp. 2d 831 (C.D. Cal. 2004); see Bailey, supra note 5 (finding no liability under federal wiretap laws because logging did not cause a contemporaneous interception of a wire communication but only permitted later access to stored emails; however, unauthorized access to stored emails stated cause of action for violation of Stored Communications Act (“SCA”)). See discussion of the SCA, infra, at Section F(1)(b); see generally Wills & Parvis, supra note 3, at 23.

7. O’Brien v. O’Brien, 899 So. 2d 1133, 1136-38 (Fla. Dist. Ct. App. 2005); see Boudreau v. Lussier, 2015 U.S. Dist. LEXIS 160075, at *5-*7, *24-*36 (D.R.I. June 2, 2015). Wills & Parvis, supra note 3, at 22. Spyware programs can be purchased to run activity reports on the computer being monitored—useful only if the “spy” has physical access to the computer—or can generate reports that are sent to the spy’s own email address. See Tharpe v. Lawidjaja, 8 F. Supp. 3d 743 (W.D. Va. 2014) (describing Spector Pro and eBlaster spyware software as very similar in capturing activity including email and texts but the former saves the activity reports to the computer being monitored, while eBlaster generates email activity reports for remote reading). Apparently as the result of being sued by unhappy spied-upon-spouses, SpectroSoft stopped marketing its spyware software to suspicious spouses. Hayes v. SpectroSoft Corp., No. 08-cv-187 (E.D. Tenn. Nov. 3, 2009).

8. Lussier, 2015 U.S. Dist. LEXIS 160075, at *5. See United States v. Councilman, 418 F.3d 67 (1st Cir. 2005) (commercial operator of interactive website for ordering books created program “to intercept and copy all incoming messages from Amazon.com before they were delivered to the recipient’s mailbox, and therefore, before the intended recipient could read the message”).

9. Klumb v. Goan, 884 F. Supp. 2d 644, 646-50, 653-59 (E.D. Tenn. 2012).

10. Anzaldua v. Northeast Ambulance Fire Dist., 793 F.3d 822 (8th Cir. July 10, 2015).

11. Peter M. Walzer, Anthony D. Storm & Autumn Miley-Boland, Wealth, Fame and Fortune: Navigating the Treacherous Waters of High Stakes Family Law Litigation, 26 J. Am. Acad. Matrim. Law. 403, 407-08 (2014).

12. See Press Release, U.S. Dept. of Justice, Former St. Louis Cardinals Official Pleads Guilty to Houston Astros Computer Intrusions (Jan. 8, 2016) (5 counts of violating 18 U.S.C. §§ 1030(a)(2)(C), (c)(2)(B)(iii)), available at http://www.justice.gov/opa/pr/former-st-louis-cardinals-official-pleads-guilty-houston-astros-computer-intrusions; Michael S. Schmidt, Cardinals Investigated for Hacking Into Astros’ Database, N.Y. TIMES, June 16, 2015, http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html?_r=0;l; Michael S. Schmidt, FBI Struggles to Pinpoint the Fingers Behind a Hacking, N.Y. Times, June 22, 2015, http://www.nytimes.com/2015/06/23/sports/baseball/in-baseball-hacking-case-blunder-helps-fbi-solve-one-riddle-where-but-not-another-who.html?_r=0..

13. See Press Release, U.S. Dept. of Justice, Former St. Louis Cardinals Official Pleads Guilty to Houston Astros Computer Intrusions (Jan. 8, 2016).

14. United States v. Weindl, 990 F. Supp. 2d 1099, 1105-08 (D. N. Mar. I. 2012).

15. Unintended broadcast and receipt of communications over mobile devices can take a variety of forms, with courts drawing fine lines between permissible and impermissible eavesdropping. The Sixth Circuit’s decision in Huff v. Spaw, 794 F.3d 543 (6th Cir. 2015) addressed such line-drawing in the context of a series of private conversations overheard as the result of an accidental “pocket-dial” that lasted almost an hour. The case, discussed in Section G, infra, is an important reminder not only of how easy it is to transmit communications all over the world with our mobile devices without even trying, but also how courts employ 20/20 hindsight in reviewing the lawfulness of the receiver’s actions in choosing to listen to such unintended transmissions.

16. Pew Research Center Mobile Technology Fact Sheet, http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/ (last visited Sept. 19, 2016).

17. Pew Research Center, U.S. Smartphone Use in 2015 (2015), available at http://www.pewinternet.org/files/2015/03/PI_Smartphones_0401151.pdf .

18. Salesforce Marketing Cloud, 2014 Mobile Behavior Report 5-6 (2014), available at https://www.marketingcloud.com/sites/exacttarget/files/deliverables/etmc-2014mobilebehaviorreport.pdf.

19. Riley v. California, 134 S. Ct. 2473, 2490 (2014) (citing Harris Interactive, 2013 Mobile Consumer Habits Study (June 2013)). That same study shows that we Americans have a very hard time putting down our phone, including the 55% of us who report using a smartphone while driving, 33% who report using the phone during a dinner date, and the 9% who could not put the phone down even during sex. Americans Can’t Put Down Their Smartphones Even During Sex, Marketwired (July 11, 2013, 8:00 ET), http://www.marketwired.com/press-release/americans-cant-put-down-their-smartphones-even-during-sex-1810219.htm.

20. U.S. Smartphone Use in 2015, supra note 17, at 8.

21. Pew Research Center Mobile Technology Fact Sheet, supra note 16.

22. How Lawyers Get into Trouble with Technology, Lawyerist.com (Aug. 20, 2014), https://lawyerist.com/76077/lawyers-get-trouble-technology/.

23. Id.

24. IDC Forecasts Worldwide Mobile Applications Revenues to Experience More Than 60% Compound Annual Growth Through 2014, EON (Dec. 13, 2010 8:03 AM), http://www.enhancedonlinenews.com/portal/site/eon/permalink/?ndmViewId=news_view&newsId=20101213005138&newsLang=en&permalinkExtra=IDC-Forecasts-Worldwide-Mobile-Applications-Revenues-Experience.

25. How Lawyers Get into Trouble with Technology, supra note 22.

26. Id.

27. See Martha Neil, Lawyer’s double murder trial delayed over use of subpoena rather than warrant for cellphone search, A.B.A. J. (2015), available at http://www.abajournal.com/news/article/lawyer_accused_of_wielding_power_of_attorney_as_lethal_weapon_sidesteps_ano (attorney-defendant asserted alibi defense that she was 119 miles away from father’s home when he was shot and killed; cellphone records showed her phone pinged 7 miles from her father’s house about five minutes after her father called 911). Such constitutional prohibitions on warrantless searches have no bearing on private party forensic searches, but these cases do illustrate widely varying judicial attitudes about expectations of privacy when using digital devices.

28. See generally In re Tel. Info. Needed for a Criminal Investigation, 119 F. Supp. 3d 1011, 1014 (N.D. Cal. 2015) (observing that a cell phone that is switched on and not set on “airplane mode” will constantly scan the network environment and ping the nearest cell site every seven to nine minutes, even if the user has turned off the phone’s GPS location services. As a result of the constant pinging—even when phones are not actively used—cell phones “generate a steady stream of data about the physical location of the phone ... the user may not be aware of how much information they are giving off as they move through the world.”); Jacob Brogan, Court Rules Police Need a Warrant to Access Location Data From Your Cellphone, Future Tense (July 31, 2015, 10:20 AM), http://www.slate.com/blogs/future_tense/2015/07/31/a_court_ruled_that_fourth_amendment_protections_extend_to_location_data.html. Such information, including data generated from applications continually running in the background, can provide compelling evidence as to the location of the phone and by inference the phone’s owner. Modern network technology in the form of many smaller cell cites allows location information to be more discriminating, in some cases permitting the phone’s location to be traced to a particular floor in a building. See In re Tel. Info., 119 F. Supp. 3d at 1015. In the context of the Fourth Amendment, courts have struggled with the question of whether people have a reasonable expectation of privacy in cell phone tracking data, triggering the requirement of a warrant. Compare United States v. Graham, 796 F.3d 332 (4th Cir. 2013) (splitting 2-1 no warrant needed where data obtained through good faith orders under Stored Communications Act), and United States v. Davis, 785 F.3d 498, 514, (11th Cir. 2015) (no warrant needed where order is obtained under SCA), with In re Tel. Info., 119 F. Supp. 3d at 1023-25 (warrant needed and distinguishing earlier cases as based on older technology and record evidence that location can be tracked even when the user turns off location tracking).

29. See generally Stengart v. Loving Care Agency, Inc., 201 N.J. 300, 324-25 (2010) (court found that while companies can adopt and enforce lawful policies relating to monitoring or regulating the use of workplace computers, an employee has a reasonable expectation of privacy while using a company issued laptop to access her personal email in order to communicate with her lawyer about a lawsuit filed against her employer).

30. Techopedia Digital Forensics, http://www.techopedia.com/definition/27805/digital-forensics (last visited Sept. 16, 2016).

31. One example of a specific protocol for examining digital devices for emails is found in Armour v. Wilson, No. 12-cv-851 RAJ (W.D. Wash. 2013), available at http://www.leagle.com/decision/In%20FDCO%2020130403789/ARMOUR%20v.%20WILSON (prior history at 2012 U.S. Dist. LEXIS 69966, 2012 WL 1821382 (W.D. Wash. May 18, 2012)).

32. See Ronen Engler & Christa M. Miller, 6 Persistent Challenges with Smartphone Forensics, Forensics Mag., Feb. 8, 2013, available at http://www.forensicmag.com/article/2013/02/6-persistent-challenges-smartphone-forensics. A mobile data extraction tool should be able to reveal a simple passcode automatically for all devices through iPhone 4. Due to improvements in Apple security, tools to allow passcode extraction and bypass may not be available for iPhone 4s or iPhone 5. Upon successful bypass of the passcode, “it will be possible to extract and decrypt all data including protected files.” Id. In contrast, a complex iPhone passcode requires manually inserting the correct passcode to extract and decrypt all data. It may be possible to divine the passcode by interviewing the owner’s close contacts. Even without a passcode, some data can be extracted and decrypted, but not protected files. Id.

33. See Olivia Solon, Police Seek to Unlock Murder Victim’s Phone Using 3D Replica of Fingertips, The Guardian, July 22, 2016, available at https://www.theguardian.com/technology/2016/jul/22/smartphone-fingerprint-security-police-unlock-3d-printer-murder-victim-biometrics.

34. Id.

35. See James Queally, Brian Bennett & Richard Winton, Why Apple Is Battling Investigators Over San Bernardino Terrorists’ iPhone, L.A. Times, Feb. 17, 2016, available at http://www.latimes.com/local/lanow/la-me-ln-why-apple-is-battling-terrorism-investigators-over-san-bernardino-shooter-s-iphone-20160217-story.html. The case involved an iPhone 5c issued by San Bernardino County to one of its employees who committed the attack at work. The phone had been locked with a four-digit passcode selected by the employee.

36. See Joshua Kopstein, Here’s How the FBI Might Unlock the San Bernardino iPhone Without Apple’s Help, Motherboard (Mar. 22, 2016), http://motherboard.vice.com/read/heres-how-the-fbi-might-be-unlocking-the-san-bernardino-iphone-without-apples. See 7 Takeaways From James Comey’s ABA Talk, A.B.A. J., Aug. 8, 2016 [hereinafter 7 Takeaways] (“The government dropped the court case after it found other means to access the data”), available at http://www.law.com/sites/almstaff/2016/08/08/7-takeaways-from-james-comeys-aba-talk/?cn=20160808&pt=Newswire%20B&src=EMC-Email&et=editorial&bu=Law.com.

37. 7 Takeaways, supra note 36 (“Comey said that in the first 10 months of the fiscal year, state and local law enforcement have asked for the FBI’s help in executing search warrants on about 5,000 devices. He said the agency has been unable to open about 650 of them.”).

38. State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. 2015-193 (2015), available at https://ethics.calbar.ca.gov/Portals/9/documents/Opinions/CAL%202015-193%20%5B11-0004%5D%20(06-30-15)%20-%20FINAL.pdf; State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op.11-0004 (2014), available at http://www.calbar.ca.gov/portals/0/documents/publiccomment/2014/2014_11-0004ESI03-21-14.pdf; see Roy Simon & Nicole Hyland, Simon’s New York Rules of Professional Conduct 66 (2015) (the duty of “competence” enshrined in Rule 1.1 includes keeping abreast of “changes in the law and its practice, including the benefits and risks associated with relevant technology.”).

39. State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. 2015-193, supra note 38, at 2-3.

40. Id.

41. Id.; See How Lawyers Get into Trouble with Technology, supra note 22. The Florida Supreme Court recently adopted amendments to the Rules Regulating the Florida Bar that (a) recognize the lawyer’s professional obligation to be technologically competent, or associate with someone who is, and (b) require attorneys to complete three hours of training (over a three-year reporting period) in an approved technology program. See Tera Brostoff, Florida Is First State to Require Technology CLEs (Bloomberg/BNA Oct. 6, 2016), available at http://ediscovery.bna.com/edrc/7082/split_display.adp?fedfid=98344415&vname=ddeenotallissues&jd=a0k2f0g0p9&split=0.

42. New York State Bar Association, Best Practices in E-Discovery in New York State and Federal Courts (2011), available at https://www.nysba.org/Sections/Commercial_Federal_Litigation/ComFed_Display_Tabs/Reports/ediscoveryFinalGuidelines_pdf.html.

43. See, e.g., State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. 2015-193, supra note 38.

44. See Erik Harris, Discovery of Portable Electronic Devices, 61 Ala. L. Rev. 193, 207-215 (2009); see id. at 213 (“Due to the various, and potentially volatile, [Portable Electronic Devices (PED)] data storage formats discussed above, PED data is inherently more unstable and its continued existence less certain than data from more conventional sources.”).

45. See Huff v. Spaw, 794 F.3d 543 (6th Cir. 2015).

46. Model Rules of Prof’l Conduct R. 3.4(a) (2003) prohibits lawyers from unlawfully obstructing another party’s access to evidence or unlawfully altering, destroying, or concealing a document or other material having potential evidentiary value. The rule further provides that lawyers cannot counsel or assist another person in such acts.

47. See U.S. v. Lundwall, 1 F. Supp. 2d 249 (S.D.N.Y. 1998) (district court denied motion to dismiss federal indictment alleging obstruction of justice where the federal government alleged that corporate officials destroyed documents sought during discovery in a class action employment discrimination case—that spoliation of evidence in a civil case could support criminal obstruction charge).

48. See Florida State Bar, Advisory Op. 14-1 (2015) (finding applicable Rule 4-3.4(a) which prohibits obstructing another party’s access to evidence).

49. Id.

50. 884 F. Supp. 2d 644 (E.D. Tenn. 2012).

51. Id. at 646-50, 653-59.

52. Id. at 661 (citing United States v. Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010)). See Luis v. Zang, 2016 U.S. App. LEXIS 15003; 2016 FED App. 0196PP (6th Cir. 2016) (reversing district court decision dismissing civil federal and state wiretapping claims against manufacturer of WebWatcher spyware, holding that plaintiff stated sufficient facts to make out violation of federal wiretap laws where manufacturer of spyware program employed its own servers to capture intercepted messages, concluding the acquisition occurred while the communications were “still in flight”).

53. Whether an electronic communication is in transit, and thus subject to being intercepted, or has come to rest and beyond the reach of the wiretap laws, is a recurring issue that plays out differently in different circumstances. The First Circuit’s en banc decision in United States v. Councilman, 418 F.3d 67 (1st Cir. 2005) is instructive in identifying the different ways that judges can look at statutory language and disagree on the question of whether an electronic communication had come to rest (or not). The case involved criminal charges against a rare books dealer who operated an interactive website for ordering books. He created a program “to intercept and copy all incoming messages from Amazon.com before they were delivered to the recipient’s mailbox, and therefore, before the intended recipient could read the message. This diversion intercepted thousands of messages . . . .” Id. at 70. The question presented was “whether interception of an e-mail message in temporary transient electronic storage states an offense under the Wiretap Act.” Id. at 69. The district court dismissed the wiretap charges concluding no interception had occurred with the meaning of the federal wiretap statute, believing the electronic communications were in storage when copied (i.e., taken without authorization by the dealer). That decision was affirmed by a divided panel of the First Circuit only to be vacated when reheard en banc. Id. at 71-72. The full court concluded that the Wiretap Act’s broad definition of “electronic communication” covered communications in “momentary storage.” Id. at 74; 75-82.

54. 18 U.S.C. § 2701 (2016) (providing for civil cause of action).

55. In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. Cal. 2012) (court found an individual’s computer, laptop, or mobile device does not constitute a “facility through which an electronic communication service is provided” under the SCA).

56. 717 F. Supp. 2d 965 (C.D. Cal. 2010).

57. Id. at 970.

58. Id. at 987.

59. Microsoft Corp. v. United States (In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp.), 2016 U.S. App. LEXIS 12926, *60-61, 829 F.3d 197 (2d Cir. N.Y. 2016) (internal quotations and citations removed).

60. Id., 2016 U.S. App. LEXIS 12926 at *60-61.

61. See White v. White, 344 N.J. Super. 211 (N.J. Super. Ct. Ch. Div. 2001) (liability under SCA requires access “without authorization” which has been interpreted to mean “using a computer from which one has been prohibited, or using another’s password or code without permission”). See generally Trulock v. Fresh, 275 F.3d 391 (4th Cir. 2001) (spouse has no authorization to access password protected files of spouse without permission of spouse, and cannot consent to search of the other user’s password protected files).

62. But see Potter v. Havlicek, 2007 U.S. Dist. LEXIS 10677 (S.D. Oh. 2007) (finding liability under SCA where husband accessed wife’s email account through wife’s use of a “remember me” feature that saved her password on the family home computer—saving herself from re-keying password each time—because that was not deemed implied consent to allow her husband to access her private email).

63. See generally Jeffrey Paul DeSousa, Self-storage Units and Cloud Computing: Conceptual and Practical Problems with the Stored Communications Act and Its Bar on ISP Disclosures to Private Litigants, 102 Geo. L.J. 247, 248 (2013); Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 972 (C.D. Cal. 2010) (court noted the antiquatedness of the SCA by pointing out it was “enacted [four years] before the advent of the World Wide Web in 1990 and before the introduction of the web browser in 1994.”); Microsoft Corp. v. United States (In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp.), 2016 U.S. App. LEXIS 12926, at *65(concurring opinion urged Congress to modernize the “badly outdated statute.

64. Romano v. Steelcase Inc., 907 N.Y.S.2d 650, 657 (Sup. Ct. 2010) (citing 18 U.S.C. § 2702(b)(3) as authority to direct “consent and authorization . . . permitting said Defendant to gain access to Plaintiff’s Facebook and MySpace records.”).

65. 236 F.3d 1035 (9th Cir. 2001).

66. 18 U.S.C. § 1030 (g) (2016).

67. Id. at § 1030(c).

68. Id. at § 1030(e)(2).

69. Id. at § 1030(e)(2)(B).

70. Id. at § 1030(e)(1).

71. United States v. Kramer, 631 F.3d 900 (8th Cir. 2011).

72. See Lilian Edwards & Edina Harbinja, Protecting Post-Mortem Privacy: Reconsidering The Privacy Interests of the Deceased in a Digital World, 32 Cardozo Arts & Ent. L.J. 83, 112-115 (2013).

73. See Turoff, supra note 3 (noting Illinois Eavesdropping Act creates a felony punishable up to three years as well as a private cause of action); Wills & Parvis, supra note 3, at 23-24 (analyzing Maryland civil and criminal laws prohibiting interception of wire and oral communications); Marlene E. Moses & Manuel B. Russ, Electronics Surveillance in Family Law, 50 Tenn. B.J. 28 (2014) (examining Tennessee wiretapping and stored communication act—Tennessee Personal and Commercial Computer Act).

74. See Gutman v. Klein, 2008 WL 4682208 (E.D.N.Y. 2008) (awarding attorneys’ fees to plaintiff for discovery motion practice and entering default judgment against defendant for deliberately deleting files from hard drive).

75. Nacco Materials Handling Group, Inc. v. Lilly Co., 278 F.R.D. 395 (W.D. Tenn. 2011).

76. 794 F.3d 543 (6th Cir. 2015).

77. Id. at 545-46.

78. Id.

79. Id at 546.

80. Id.

81. Id. at 549-52.

82. Id. at 552-54.

83. See Kristina Sherry, Social Media Assets Post-Mortem, 40 Pepp. L. Rev. 185, 190-192 (2012).

84. See, e.g., Michael Lipkin, Slain DLA Piper Atty Led Secret Life, Police Say, Law360 (Apr. 23, 2015), http://www.law360.com/articles/647459/slain-dla-piper-atty-led-secret-life-police-say.

85. For a discussion of admissibility of ESI, see Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534, 537-84 (D. Md. 2007); see also Paul W. Grimm et al., Back to the Future: Lorraine v. Markel American Insurance Co. and New Findings on the Admissibility of Electronically Stored Information, 42 Akron L. Rev. 357, 364 (2009); Gaeteno Ferro et al., Electronically Stored Information: What Matrimonial Lawyers and Computer Forensics Need to Know, 23 J. Am. Acad. of Matrim. Law 1, 15-22 (2010).