Is that a file cabinet in your pocket, or are you just happy to see me
Talking to lawyers about digital forensics
Many years ago, when the world was young, and a person could still use a flip phone without being accused of deliberate perversity, I was managing a small law office, and had to hire a receptionist.
Just a few years out of school myself, it was an absurd thing to be asked to do. I’d never ordered office supplies, and could barely retrieve a voicemail, and I was asked to be the person who hires, fires, and calls the locksmith afterward?
I interviewed a number of candidates, and hired the wrong one. I did it, because she said she liked lawyers.
Nobody likes lawyers, categorically. We’re terrible. We slice and dice the world into micro-distinctions, based on conjunctions, or their absence. We spend absurd amounts of time doing things nobody understands, and then expect the world to hop to and enact our instructions, on schedules tighter than any we’d accept.
Statistically, we’re a bunch of poli sci, philosophy, or literature majors with enough endurance or hard-headedness to spend three years learning a series of abstractions exlusively via assumptions drawn from abbreviated anecdotes about fox-hunting, bloated whales, falling barrels and railroad scales.
We stagger out of law school highly dependant on metaphorical reasoning.
If you have the misfortune to need to educate a lawyer on a scientific or technical concept, it’s useful to know your metaphor.
One that comes up often — and increasingly important when discussing digital forensics — is whether a computer1 is or is not, a “file cabinet.”
The law has long understood file cabinets. They lock, or not; they are full of documents. They can be searched. Unless melted, marred, or shot full of bullets, they are rarely, themselves, evidence.
And because lawyers love metaphors — the common law is made of them, after all — computers, and hard drives, and devices, which contain “files,” and “documents” were treated like odd-ball, plug-in-file cabinets for the purposes of searches and seizures.
Thus, just as the police wouldn’t be permitted to scoop up and retain birth certificates and school papers and children’s drawings when searching a file cabinet for evidence of money laundering, a warrant permitting the search of a computer and accompanying seizure of certain “documents,” “records,” or “files,” was presumed to require the government to forgo seizure of anything “non-responsive,2” whether by returning, deleting, or destroying anything outside the scope.
I can hear sphincters tightening. Forensically.
“Deleting?”
“Yes, deleting.”
“But, like, everything they decide isn’t responsive? Metadata and other emails, and things that could create a timeline? And maybe even things supporting an alibi?”
"Sure, because why would they get a warrant for an alibi?”
“But what about Brady3?”
“Yes, that is a Brady problem.4”
Courts have begun to recognize, over the past decade or so, that the “file cabinet” metaphor has become a bit strained.
The Second Circuit describes “digital storage media” as “coherent forensic objects,” with “contours5 more complex than” file cabinets.
If you are graced — or burdened — with technical knowledge, about “digital storage media” and are cursed to have to explain that knowledge to a lawyer, it couldn’t hurt to begin to explain how, precisely, it is, or is not, like a file cabinet.
Or hard drive, or phone.
See United States v. Ganias, 824 F.3d 199, 211 (2d Cir. 2016) (discussing treatment of non-responsive documents obtained via search warrant).
“Brady” is a short-hand reference to a prosecutor’s obligation to turn over exculpatory evidence to the defense. Brady v. Maryland, 373 U.S. 83 (1963).
“Although a defendant can be expected to possess data from his or her own email account, the same cannot be said for evidence recovered from the account of a co-defendant. Hence, it is conceivable that, by initially possessing and then destroying non-pertinent information, the Government could be accused of violating the requirements of Brady.” United States v. Matter of Search of Info. Associated With Fifteen Email Addresses Stored at Premises Owned, No. 2:17-CM-3152-WC, 2017 WL 4322826, at *9 (M.D. Ala. Sept. 28, 2017), on reconsideration sub nom. United States v. Matter of Search of Info. Associated with Fifteen Email Addresses Stored at Premises Owned , Maintained, Controlled or Operated by 1&1 Media, Inc., No. 2:17-CM-3152-WKW, 2017 WL 8751915 (M.D. Ala. Dec. 1, 2017) (citing Matter of Search of Information Associated with [redacted]@mac.com, 13 F. Supp. 3d at 167 n.10 (concluding Government's Brady concerns “are valid”); and United States v. Vallejo, 297 F.3d 1154, 1164 (11th Cir. 2002)).
Real file cabinets have curves, I guess. In the Second Circuit.
Bahahahah! I am sorry, but I had to leave a comment on our own Substack - solely in honor of footnote #5.