Opinion
No. CR-18-01015-001-TUC-RM (EJM)
05-29-2020
United States of America, Plaintiff, v. Justin William Perman, Defendant.
ORDER
Pending before the Court is the Government's Appeal (Doc. 129) of Magistrate Judge Eric J. Markovich's February 24, 2020 Disclosure Order (Doc. 128). Defendant responded to the Appeal. (Doc. 130.) For the following reasons, the Appeal will be denied, and the February 24, 2020 Disclosure Order affirmed.
I. Background
On May 30, 2018, Defendant was indicted on two counts of Extortion Relating to Damage to Protected Computer in violation of 18 U.S.C. § 1030(a)(7)(C). (Doc. 1.) The indictment alleges that, on February 2 and February 8, 2018, Defendant, "with intent to extort from Lisa Frank and/or Lisa Frank, Inc. [(hereinafter, "LFI")] money and other things of value, transmitted in interstate and foreign commerce communications containing a demand and request for money and other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion." (Id.) LFI is a company that produces and sells images of artwork, which the parties refer to as the intellectual property ("IP"). (See Doc. 68 at 98.) The IP relevant to the instant charges consists of about 40,000 pieces of artwork valued at approximately half a million dollars. (Doc. 86 at 63-4.) At issue in this case is not only LFI's access to its IP, but also its access to the passwords protecting the IP, which the Government contends are also the property of LFI. (Id. at 122-23.)
On or about October 5, 2017, Defendant, doing business as Interns Technology Group, and LFI entered into a contract. Pursuant to that contract, the Defendant was to provide technology support, including electronic back-up of assets, virus and malware protection, and network administration and maintenance. (Doc. 54 at 2.) On or about February 2, 2018, Defendant and LFI terminated their contract and ended their business relationship. (Id., Doc. 53 at 2.) Thereafter, several events occurred, the exact timeline of which is unclear to the Court but potentially relevant. (See Doc. 68 at 111.) LFI and Defendant, through retained counsel, entered into a settlement agreement ("Settlement Agreement" or "Agreement") to resolve the outstanding balance of LFI's account to Defendant Perman. (Doc. 53 at 2-3.) According to Defendant, the Settlement Agreement contained a provision that Defendant would enter passwords in LFI's system in exchange for payment pursuant to the Agreement. (Id.) Defendant entered the passwords and LFI paid Defendant $5,000 pursuant to the Agreement as well as an additional $400 that he requested when he entered the passwords. (Id., Doc. 54 at 4.)
The Court has not viewed the Settlement Agreement and is relying on the parties' representations of its contents.
During this same time period, around the time when Defendant and LFI terminated their business relationship, one of LFI's physical servers experienced a hardware malfunction. (Doc. 54 at 2-3.) There is no allegation that Defendant caused the hardware malfunction. (Id.) As a result of the malfunction, LFI was unable to access the data that had been stored on that server (hereinafter the "Dell server," see Doc. 123.). The only location where the Dell server data remained was on a back-up system, called "Shadow Protect," that had been set up by Defendant in the course of his work for LFI. (See Docs. 54, 126.) The Shadow Protect system was accessible only through an encrypted password called a "MIP." (Id.) Only Defendant knew the MIP. (Id.) The Government alleges that, when LFI learned that the Dell server had crashed and therefore the data, including the IP, that had been stored on it became unavailable, LFI asked Defendant for the MIP. (Id.) However, he allegedly refused to provide it until he received payment from LFI. (Id.) This refusal, according to the Government, forms the basis for the extortion charges. Defendant allegedly provided the MIP during what the Government calls a "money-for-password" meeting on March 29, 2018. (Doc. 126. Doc. 86 at 57-8.) LFI then paid Defendant approximately $5,400 and was able to access the data on the Shadow Protect system. (Id.) The parties agree that the data, as it existed on the Dell server that crashed, is now unavailable. (Docs. 68 at 109, 123, 126.)
Also during this same time period, Ms. Lisa Frank's personal laptop was infected with ransomware and she paid a ransom to regain access to that computer. (Doc. 86 at 22-23.) The Government contends that the ransomware on Ms. Frank's laptop was unrelated to the Dell server crashing or the inaccessibility of LFI's IP. (Id. at 58-9.)
The instant dispute is about the scope of the Government's disclosure obligations. Defendant moved to compel additional Government disclosure on February 22, 2019, arguing, among other things, that the Government had not met its disclosure obligations pursuant to Fed. R. Civ. P. 16(e), Brady v. Maryland, 373 U.S. 83 (1963) and the Jencks Act, and moving the Court to order disclosure of "mirror images of [LFI's] computer systems, as well as evidence of LFI's financial losses." (Doc. 53.) Defendant relies primarily on the affidavit (Doc. 53-1) and testimony (see Docs. 68, 86, 105) of Scott Greene, a technology forensics expert, to support his contention that broader discovery is necessary. The Government responded to the Motion to Compel, arguing that the Government had complied or was in the process of complying with its disclosure obligations and that the requested mirror images of LFI's entire server network are not discoverable because "none of the elements of the charged conduct include the need to gain access to LFI's servers and [IP] assets." (Doc. 54 at 5-6.) The Government argues that the case boils down to whether Defendant prevented LFI from accessing its backup data on the Shadow Protect system by withholding the MIP password until he received payment for it and therefore LFI's other assets, information, data, records, communications, or anything else are irrelevant, not probative or material to the charges, and not discoverable. (Id., Docs. 126, 129.)
Mirror images are exact duplicates of the information stored on a computer system, such as a server. (Doc. 68 at 29.) Mirror images capture all of the operating system items, including logs and deleted items. (Id. at 5-6, 11, 29.)
This argument notwithstanding, the Government has provided disclosure of LFI's communications with customers and information related to the ransomware. (Doc. 126.)
On April 10, 2019, an evidentiary hearing was held before Magistrate Judge Markovich at which the parties argued their positions regarding the requested discovery and Defendant presented testimony from expert witness Scott Greene. (Doc. 68.) Mr. Greene testified at length to the nature and extent of the digital information, such as logs of servers, backups, and firewalls (Doc. 68 at 36, 98), including dates and times that LFI accessed its intellectual property (Id. at 98), emails showing communications between Defendant and the victim as well as between the victim and her clients (Id. at 97), and mirror images of servers and backups (Id. at 96). The purpose of this information, according to Defendant, would be to show that on the relevant dates in February 2018, LFI in fact had access to its IP and was able to conduct its business. (See Doc. 68 at 76-81.) Judge Markovich then heard testimony from Government witness Daniel Langworthy, who owns Lightwave Technical Consulting ("Lightwave"), the business technology consulting firm that LFI hired in early March 2018 after its relationship with Defendant had terminated. (Id. at 100.) LFI hired Lightwave to help LFI resolve its inability to access its IP on the Shadow Protect backup system. (Id. at 101.) Mr. Langworthy testified that the only server which LFI was unable to access was the Dell server, which was connected to at least three virtual servers. (Id. at 108-110, Doc. 86 at 81-3.) The parties agree that the Dell server is, or would be, relevant to this case but dispute the relevance of LFI's other servers. (Id. at 109, Doc. 123 at 3.) Mr. Langworthy testified that LFI never lacked access to any of its other servers. (Id. at 109.)
Prior to hiring Lightwave, LFI had hired a different company based in California, Hybrid Apparel, to resolve its technology issues. (Doc. 68 at 111-12.)
Mr. Langworthy's testimony does not refer to this server as the "Dell server." However, for the sake of clarity and conciseness, the Court will use the term "Dell server" to refer to the server, including both the physical server that suffered the hardware malfunction and the three virtual servers connected to it, to refer to the server (which was backed up by Shadow Protect) that held the IP that LFI claims it could not access because of Defendant's actions. (See Doc. 123 at 3.)
The parties agree that the Dell server is "dead", and any data on it during the time from relevant to this case is now irretrievable. (Doc. 123 at 7.) --------
The evidentiary hearing was continued to April 30, 2020. (Docs. 75, 86.) On that date, Judge Markovich heard additional testimony from Mr. Langworthy and Mr. Greene, as well as from Government witness and Federal Bureau of Investigations ("FBI") Agent Michael Foster. (Doc. 86.) Mr. Langworthy reiterated that the data from the Dell server had been irrevocably lost and therefore nothing remained from which to create a mirror image of that server. (Id. at 5-6.) Mr. Langworthy testified that LFI retained access to at least some of its other servers during the time period in question but lacked access to the IP housed on the Dell server due to a hardware malfunction of that server. (Id. at 12, 20, 26.) Lightwave also was unable to create a backup of the Dell server, as it normally would have, because the data on the Dell server was irrevocably lost by the time Lightwave became involved. (Id. at 25-27.) Mr. Langworthy testified that the Dell server containing LFI's IP had crashed and the "backup archives," which were stored in Shadow Protect, "were the only copy of that data that existed." (Id. at 34.) Thus, it was the crash of the Dell server that created the urgent need for the MIP password that only Defendant had. (Id. at 32-33, 38, 41, 53-4.) Mr. Langworthy testified that he never contacted Defendant to request the missing MIP password but was aware that other people, specifically Agent Foster and an LFI employee, had contacted Defendant to request the MIP and other passwords. (Id. at 51-2.)
Agent Foster testified that he got involved in the case to ensure that LFI had access to its IP, which, when the FBI investigation commenced, was believed to exist only on the encrypted Shadow Protect backup system. (Doc. 86 at 63-4, 116-17.) Agent Foster testified that Defendant refused to provide the MIP password to the Shadow Protect backup system because LFI had not paid him for his services. (Id. at 64-5.) Agent Foster testified that any information contained on any of LFI's other servers, other than the Dell server that had crashed, was irrelevant because the case only involves LFI's access to the IP stored on the Shadow Protect backup system. (Id. at 74-5.) Agent Foster's testimony was unclear as to whether the IP that was stored on the Shadow Protect backup system may have been available on other servers to which LFI had access. (Id. at 82-4, 117, 158.) Agent Foster further testified to his email communications with Defendant during the months leading up to the indictment. (Id. at 103-112.)
At the conclusion of the evidentiary hearing, Judge Markovich ordered Defendant to create a "wish list" of items for discovery, including their relevance, and the Government to respond. (Doc. 86 at 175-6.) Defendant did so (Doc. 89) and the Government responded (Doc. 90.) Magistrate Judge Markovich issued an order on June 19, 2019 that (1) denied Defendant's request for information relating to the damages the victim's company sustained as a result of the alleged extortion and (2) ordered the Government to disclose, pursuant to a protective order to protect LFI's property interests, the following items:
(1) Mirror images of the following servers, computer systems and/or hard drives: (a) the backup server; and (b) any server, computer system, or hard drive that allegedly contained intellectual property, including Jazz, Perceptor, and Hyper-V.
(2) Logs for all of the victim company's servers, as well as logs for the Firewall, VMware and LogMeIn. The date range for these logs should begin with the date of the defendant's employment and end on the date the victim obtained access to her backup server.
(3) Emails between the victim and/or her company and customers that pertain to the delivery of artwork from the time the servers failed until the date the victim obtained access to her backup server.
(4) Emails between the victim and/or her company and the defendant that address requests for passwords, including the defendant's response(s) to any requests.
(5) Emails between the victim and/or her company and the subsequent computer firms that worked for the company that address attempts to access the backup server.
Explaining its reasoning for the ordered disclosure, the Court stated:
The Court is not convinced that this case is as simple as the government has portrayed in response to the Motion for Disclosure. In fact, as discussed below, the government's theory of the case is quite confusing given the allegations in the indictment, and more importantly, the grand jury testimony that led to the indictment. Both the indictment and grand jury testimony paint a picture that the victim could not access many, if not all, of her computer servers due to the defendant's conduct, and not just the backup server. Because the indictment sweeps much more broadly than simply the victim's access to her backup server, additional disclosure must be provided to the defense.
(Doc. 95 at 2.) The Order goes on to review the testimony presented by the Government at the grand jury proceeding, which indicated that Defendant had "changed administrator passwords on several servers" and thereby prevented LFI from accessing multiple computer systems, not just the Shadow Protect backup system. (Id. at 3.) The Order states, "the government has clearly changed its theory of the case since the indictment. It now claims this case is only about the defendant's refusal to provide the victim with the password for her backup server after several of her primary servers containing her artwork had failed." (Id. at 14-15.) As discussed infra, it appears that the Government agrees with this narrower characterization of the charges and has now limited its allegations to Defendant's alleged withholding of the MIP password for the Shadow Protect backup system. (Doc. 126.) It also appears that the Government agrees, or concedes, that LFI in fact did not lack access to other servers, other than the Dell server, during the relevant time period. (Id.)
A status conference was held on August 8, 2019 regarding the status of disclosure at which Magistrate Judge Markovich gave the parties deadlines by which to complete the mirror imaging and disclosure of the emails. (Docs. 103, 105.) On January 28, 2020, Defendant filed a Second Motion to Compel Supplemental Disclosure. (Doc. 123.) Defendant stated that he had not received, or been permitted to obtain, mirror images of several of the servers that he contends were within the scope of the disclosure ordered by Judge Markovich. (Id. at 5-6.) Defendant stated that Mr. Greene attempted to create a mirror image of the Dell server but was unable to do so because the data had been lost and the server is "dead." (Id. at 7.) Defendant stated that he then requested disclosure of LFI's other servers but did not receive it. (Id.) The Government responded that it had complied with the disclosure order. (Doc. 126.) The Government stated that it had provided disclosure of (1) One physical and three virtual servers (presumably, the Dell server); (2) ransomware; (3) emails; and (4) logs pertaining to the Dell server. (Id.) The Government stated that it did not disclose LFI's IP or the contents of the other servers that contain or contained IP. (Id.) On February 24, 2020, Magistrate Judge Markovich granted Defendant's Second Motion to Compel Supplemental Disclosure and ordered the Government to disclose mirror images of all LFI's servers, including but not limited to the Dell server and the backup servers, that contained LFI's intellectual property. (Doc. 128.)
The Government appealed Magistrate Judge Markovich's February 24, 2020 disclosure order to this Court. (Doc. 129.) The Government's Appeal makes four arguments: (1) the information, data, and assets contained on all of LFI's servers is not relevant to the charges in the case; (2) production of the requested server information will be extremely burdensome and expensive; (3) the servers in their current state are not the same as they were at the time of Defendant's alleged extortion because they have been replaced and reconfigured; and (4) disclosure of all of LFI's IP assets, even under a protective order, places the company at risk of either intentional or unintentional dissemination of this information to the public, which would destroy LFI's commercial value. (Id.) The Government contends that balancing these considerations against Defendant's need for the requested disclosure yields a balance in favor of the Government. (Id.) Defendant's Response argues that (1) the appeal is effectively an appeal of the Magistrate Judge's first disclosure order from June 18, 2019 and is therefore untimely under Fed. R. Crim. P. 59(a) and (2) the order should be affirmed on the merits. (Doc. 130.)
On April 30, 2020, this Court heard oral argument on the appeal of Magistrate Judge Markovich's disclosure order. (Doc. 139.) At the hearing, the Government argued that it had complied with its disclosure obligations by disclosing FBI reports and analysis, the Dell server, ransomware data, login logs, and email correspondence between LFI and LFI's customers showing that LFI lacked access to its IP assets. (Id.) The Government argues that, notwithstanding the testimony presented during the grand jury proceedings that LFI lacked access to multiple servers as a result of Defendant's alleged extortion, the data and information contained on LFI's other servers (not the Dell server) is irrelevant because the extortion charges are limited to the allegation that Defendant prevented LFI from accessing the Shadow Protect backup system until he was paid. (Id.)
Defendant argues that the data and information from the other servers is relevant to show that LFI actually did have access to its IP that was stored on other servers, even though it could not access Shadow Protect. (Id.) Defendant contends that, while providing LFI with technology support, he loaded the IP that was stored on the Dell server onto LFI's other servers. (Id.) Therefore the IP was accessible on multiple servers—not, as the Government contends, only on the Dell server and, after the Dell server crashed, the Shadow Protect backup system. (Id.) Therefore, Defendant contends, data from the other servers is relevant and material to his defense. (Id.)
The Government argues in response that LFI lacked access to its IP during the relevant time period because it could not access Shadow Protect, and even if it did have access to its IP without Shadow Protect, that is not one of the elements of the charge. (Id.) The Government further argues that the metadata behind the server information either no longer exists or is no longer accessible because the servers have been rebooted since the relevant time frame; therefore there is no record available of what exactly was on each server at that time. (Id.)
The appeal record indicates that the Government has complied with the Magistrate Judge's disclosure order to Defendant's satisfaction, other than its failure to produce or provide Defendant access to mirror images of LFI's other servers. Thus, the issue before the Court at this juncture is whether the other servers must be disclosed to protect Defendant's constitutional rights.
II. Applicable Law and Discussion
As a preliminary matter, the Court finds that the Government's appeal is timely pursuant to Fed. R. Crim. P. 59(a). Magistrate Judge Markovich issued the underlying Order on February 24, 2020. (Doc. 128.) The Government appealed the Order on February 26, 2020. (Doc. 129.) Although Defendant contends that the February 24, 2020 Order was effectively identical to the first disclosure order issued on June 18, 2019, the Court finds that the February 24 Order clarified the Government's disclosure responsibilities and was appealable as a non-dispositive order pursuant to Fed. R. Crim. P. 59(a), which provides 14 days for a party to object to a magistrate judge's non-dispositive order. The Government filed its appeal within 14 days, and it was therefore timely.
Defendant is charged with violating a provision of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030(a)(7)(C), which makes it a crime to, "with intent to extort from any person any money or other thing of value, transmit[] in interstate or foreign commerce any communication containing any. . . demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion." 18 U.S.C. § 1030(a)(7)(C). The statute defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information." 18 U.S.C. § 1030(e)(8); see also Pulte Homes, Inc. v. Laborers' Int'l Union of N. Am., 648 F.3d 295, 301 (6th Cir. 2011) (applying ordinary meaning to "impairment," "integrity," and "availability" and concluding that "a transmission that diminishes a plaintiff's ability to use data or a system" causes damage under the CFAA.) In Pulte, the Court found that "the transmissions diminished Pulte's ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some e-mails." 648 F.3d at 301. The extended unavailability of data is sufficient to show damage. NovelPoster v. Javitch Canfield Grp., 140 F. Supp. 3d 954, 962 (N.D. Cal. 2014).
Fed. R. Crim. P. 16(a)(1)(E) provides that a criminal defendant is entitled to discovery of documents and tangible things that are within the government's possession, custody, or control if the requested information is "material to preparing the defense." Documents and tangible things are in the government's possession if the prosecutor "has knowledge of and access to the documents sought by the defendant." United States v. Stever, 603 F.3d 747, 752 (9th Cir. 2010).
"Rule 16 permits discovery that is relevant to the development of a possible defense." United States v. Muniz-Jaquez, 718 F.3d 1180, 1183-4 (9th Cir. 2013). "Information that is not exculpatory or impeaching may still be relevant to developing a possible defense." Id. at 1183. In fact, inculpatory evidence may be relevant. Id. However, "[a] defendant must make a threshold showing of materiality, which requires a presentation of facts which would tend to show that the Government is in possession of information helpful to the defense." Id. at 1183.
Based upon the record before it, the Court finds that the mirror images of LFI's additional servers are relevant and material to Defendant's theory of the case. Defendant has presented facts, including his assertion that he loaded the IP that was stored on the Dell server onto LFI's other servers, that tend to show that the mirror images of the additional servers may be helpful to his defense. The Court finds that the mirror images of the additional servers may be relevant to prove whether LFI suffered "damage" within the meaning of 18 U.S.C. § 1030(a)(7)(C), such that the availability or integrity of its IP or other data was impaired as a result of the alleged extortion. Therefore, even if Defendant were not requesting disclosure of the mirror images, the Government would be required to disclose them in order to prove the elements of the charge.
The Government has represented to the Court that the server data as it existed at the time of the alleged extortion is irretrievable. If the Government is unable or unwilling to produce mirror images of the additional servers, it shall inform the Court and the Court will address that issue separately.
Accordingly,
IT IS ORDERED that the Government's Appeal (Doc. 129) is denied. . . . . . . . . . . . . . . . . . . . .
IT IS FURTHER ORDERED that Magistrate Judge Markovich's Order (Doc. 128) is affirmed. The Government shall disclose mirror images of the additional servers to Defendant.
Dated this 29th day of May, 2020.
/s/_________
Honorable Rosemary Márquez
United States District Judge