Understanding eDiscovery in Criminal Cases, Part Three: eDiscovery Best Practices

But first, a note about a new feature we’re adding to eDiscovery Daily: Our new eDiscovery Tech Tip of the Week! Each week, usually on Friday, we’ll plan to discuss a best practice concept or technical feature that can be helpful to many of you out there. When possible, we will include a video that hopefully illustrates and illuminates the concept. If a picture is worth a thousand words, a video is worth many thousand words, right?

Anyway, this week’s eDiscovery Tech Tip of the Week is about Early Data Assessment. Early in a case, to make informed decisions regarding the case and your ESI collection, it’s important to understand as much as possible about that collection. Just understanding how many gigabytes is in the collection isn’t enough as the number of files per gigabyte can vary widely, depending on the types of files contained within the collection (a while back, I conducted a little experiment on the blog to demonstrate this). The number of files can considerably affect the estimate for discovery, especially in review. Early data assessment can provide insight into your data to help better estimate the cost of litigation, audit, or investigation and help in case planning decisions, including whether to litigate or settle the case.

To see an example of how Early Data Assessment is conducted using our CloudNine platform, click here (requires BrightTalk account, which is free).

Anyway, Tom’s overview is split into five parts, so we’ll cover each part separately. The first two parts were published Monday and Wednesday, here’s part three.

Issues Managing ESI Data in Criminal Cases

a. How Data is Acquired

The government will usually get its ESI by consent or warrant. Typically, when the federal government seeks data in criminal cases (and most states have a similar procedure), it requests a search and seizure warrant by filing an application or affidavit sworn before a judge. The application, as provided in Rule 41, identifies the location of the property to be searched and seized, and includes facts that support probable cause (a reasonable belief that a crime has been committed and evidence of such may be at the site) as to why the government needs (and should get) the property.

The judge then issues a search and seizure warrant from the application. Note that unless the judge authorizes delayed notice, a copy of the warrant and a receipt for the property taken must be given to the person or left at the premises. Law enforcement then conducts the authorized search and seizes the property per the warrant and are required to provide the court with an inventory of what was seized.

F.R. Crim. P. Rule 41 then establishes a two-step process when ESI is involved. The first step is the seizure and then a subsequent review of the ESI which must be consistent with the warrant. There is no time frame established for this review since it may take a substantial amount of time, especially with encrypted drives.

The government provides the defense with an inventory return form, which describes the physical storage media seized or copied. Anything not on the inventory can be challenged if it is introduced in evidence.

Additionally, F. R. Crim. P. Rule 16 allows the defense to discover any ESI that the government has in its possession that is material to its case or that the government intends to use at trial.

Regarding third parties, the court may issue a subpoena under F. R. Crim. P. Rule 17 for a third party to produce records at trial or at another time and place. This is typically a bank or cell phone carrier but can be any non-party thought to be in possession of relevant information. The court may then allow the defense to inspect all or part of the ESI.

b.Common Data Types

Data in criminal cases is typically far less diverse than the civil field. Email tends to be the most prominent data type followed by a variety of other standard text reports, memos, etc. Email will most often be produced in native format (more on that below) and other documents tend to be rendered in PDF. This material can be easily searched using a number of low-cost text search programs or even the search capability found in the programs themselves.

Likewise, several data types which have received much attention in the press do not present serious technical challenges. The first, IoT devices, have been much discussed but not yet been a major data factor. In the Fitbit case which gained some notoriety, the data was used as one piece of evidence in a chain of evidence contradicting the defendant’s statements regarding his whereabouts. It was not a large piece of evidence, presented no authentication problems and was easily introduced and used.

Even more often discussed was State v. Bates, an Arkansas case where police attempted to obtain data from an Amazon Echo in a murder investigation. But in that case, the charges were dropped, and the prosecutors never had to actually deal with the issue.

Likewise, GPS location data is a data type that has been dealt with for many years. On board computer systems in automobiles, Exif data in digital photos, GPS coordinates in Google maps are all examples of this type of data which has been used as evidence for years. The only difference now is that it may exist in cloud-based systems. But either way, like IoT data, it is easily available via subpoena and when produced by the government either in spreadsheets or native format raw data it is easily handled and searched.

There are, however, two data types which can be problematic. The first is forensic images of computers and cell phones. These are often produced in the format of the forensic software which copied the device and will necessitate that the defense has a similar software which can open the forensic image. Although readily available these programs are expensive and may require some technical expertise to manipulate since they must be used to open up to the image and then begin examining the contents of the drive that was imaged. (To be clear on this, a forensic image of a hard drive or cell phone contains ALL the data on the device. It must be opened up and then the useful data …email, text messages, phone log records, etc … must be viewed for relevance and searched using a separate software tool.)

The second is audio and or video files from wiretaps, body wires, surveillance video, etc. Some of these can be opened with a standard software program but very often they are in a proprietary format which must be converted to usable data. This data is typically large and will require a high volume of storage space.

In addition to format and conversion issues, programs to search audio or video files are extremely expensive. The Federal Defenders have utilized a contractor who builds a sortable spreadsheet of metadata information with hyperlinks to the raw data. Searches can then be done on the spreadsheet with a filter by telephone numbers, dates, the written summary, whether the inception was classified as pertinent or not, etc. with a jump to the recording but this is not a full-text search and since it is not web based, also requires a separate copy of each spreadsheet and raw files for each person doing a search and review.

c. Data Exchange Formats

As mentioned above, certain data types have been a typical source of production between parties in Federal criminal cases. But as noted above in the Introduction, a Department of Justice/Administrative Office Joint Working Group on Electronic Technology (JETWG) has developed a recommended ESI protocol for use in federal criminal cases.

Entitled “Recommendations for Electronically Stored Information Discovery Production in Federal Criminal Cases,” it is the product of a collaborative effort between the two institutions and it has the DOJ leadership’s full support.

The primary purpose of the ESI protocol is to facilitate more predictable, cost-effective, and efficient management of electronic discovery and a reduction in the number of disputes relating to ESI. The protocol provides a mechanism, through a meet and confer process, to address problems a receiving party might have with an ESI production early in a case, and to discuss the form of the discovery that the party receives. The participants on both sides of JETWG are intimately familiar with the day-to-day challenges attorneys face in criminal cases, and the protocol reflects a pragmatic approach to the problems both prosecutors and defense attorneys face when dealing with electronic discovery.

JETWG negotiated and drafted the protocols over an 18-month period. The joint working group has representatives from the Federal Defender Offices, CJA Panel, Office of Defender Services, and DOJ, with liaisons from the United States Judiciary.

The Recommendations consist of four parts:

1. An Introduction containing ten underlying principles, with hyperlinks to related recommendations and strategies;
2. The Recommendations themselves;
3. Strategies and Commentary that address issues in more detail and provide specific advice on discovery exchange challenges; and
4. An ESI Discovery Production Checklist.

Note that the ten underlying principles can be found at pages 3 and 4 of the document and basically mirror the intent of FRCP 1, which reads as follows: Rule 1. Scope and Purpose These rules govern the procedure in all civil actions and proceedings in the United States district courts, except as stated in Rule 81. They should be construed, administered, and employed by the court and the parties to secure the just, speedy, and inexpensive determination of every action and proceeding.

In general, the agreement is designed to encourage early discussion of electronic discovery issues through “meet and confers,” the exchange of data in industry standard or reasonably usable formats, notice to the court of potential discovery issues, and resolution of disputes without court involvement where possible.

d. Time Issues Specific to Criminal ESI

Although the Federal Criminal Rules have no detailed requirements for an ESI specific Meet and Confer as does the FRCP, F. R. Crim. P. Rule 17.1 does provide for pre-trial conferences to promote a fair and expeditious trial. And as mentioned above, the JETWG Recommendations for Electronically Stored Information Discovery Production in Federal Criminal Cases do provide for such a meeting.

Despite these rules, evidence in criminal matters is not always produced well in advance of trial. Prosecutors can’t disclose all discovery on the eve of trial, but on the other hand, they don’t have to divulge it all well in advance of trial. Discovery can unfold gradually with copies of police reports appearing as early as the first court appearance, but expert reports not being given until shortly before trial. And much more leeway is given with witnesses who are under protection for personal safety concerns so that if their evidence involves ESI, it can prove problematic for the defense.

We’ll publish Part 4 – Working with Social Media as Evidence – on Monday.

So, what do you think? Do you handle criminal cases and have a lot of eDiscovery? Read more about it in this eDiscovery in Criminal Cases series and see how it may impact you and your organization.

[View source.]