Category Archives: Best Practices

June 27, 2012 · 2:50 PM

Authenticating Internet Web Pages as Evidence: a New Approach

By John Patzakis and Brent Botta

In recent posts, we have addressed the issue of evidentiary authentication of social media data. (See previous entries here and here). General Internet site data available through standard web browsing, instead of social media data provided by APIs or user credentials, presents slightly different but just as compelling challenges.

The Internet provides torrential amounts of evidence potentially relevant to litigation matters, with courts routinely facing proffers of data preserved from various websites. This evidence must be authenticated in all cases, and the authentication standard is no different for website data or chat room evidence than for any other. Under Federal Rule of Evidence 901(a), “The requirement of authentication … is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” United States v. Simpson, 152 F.3d 1241, 1249 (10th Cir. 1998).

Ideally, a proponent of the evidence can rely on uncontroverted direct testimony from the creator of the web page in question. In many cases, however, that option is not available. In such situations, the testimony of the viewer/collector of the Internet evidence “in combination with circumstantial indicia of authenticity (such as the dates and web addresses), would support a finding” that the website documents are what the proponent asserts. Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154. (emphasis added) (See also, Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and referencing MD5 hash values as an additional element of potential “circumstantial indicia” for authentication of electronic evidence).

One of the many benefits of X1 Social Discovery is its ability to preserve and display all the available “circumstantial indicia” – to borrow the Perfect 10 court’s term — to the user in order to present the best case possible for the authenticity of Internet-based evidence collected with the software. This includes collecting all available metadata and generating a MD5 checksum or “hash value” of the preserved data.

But html web pages pose unique authentication challenges and merely generating an MD5 checksum of the entire web page, or just the web page source file, provides limited value because web pages are constantly changing due to their very fluid and dynamic nature. In fact, a web page collected from the Internet in immediate succession would very likely calculate two different MD5 checksums. This is because web pages typically feature links to many external items that are dynamically loaded upon each page view. These external links take the form of cascading style sheets (CSS), graphical images, JavaScripts and other supporting files. This linked content can be stored on another server in the same domain, but is often located somewhere else on the Internet.

When the Web browser loads a web page, it consolidates all these items into one viewable page for the user. Since the Web page source file contains only the links to the files to be loaded, the MD5 checksum of the source file can remain unchanged even if the content of the linked files become completely different.  Therefore, the content of the linked items must be considered in the authenticity of the Web page. X1 Social Discovery addresses these challenges by first generating an MD5 checksum log representing each item that constitutes the Web page, including the main Web page’s source. Then an MD5 representing the content of all the items contained within the web page is generated and preserved.

To further complicate Web collections, entire sections of a Web page are often not visible to the viewer. These hidden areas serve various purposes, including metatagging for Internet search engine optimization. The servers that host Websites can either store static Web pages or dynamically created pages that usually change each time a user visits the Website, even though the actual content may appear unchanged.

In order to address this additional challenge, X1 Social Discovery utilizes two different MD5 fields for each item that makes a Web page.  The first is the acquisition hash that is from the actual collected information.  The second is the content hash.  The content hash is based on the actual “BODY” of a Web page and ignores the hidden metadata.  By taking this approach, the content hash will show if the user viewable content has actually changed, not just a hidden metadata tag provided by the server. To illustrate, below is a screenshot from the metadata view of X1 Social Discovery for website capture evidence, reflecting the generation of MD5 checksums for individual objects on a single webpage:

The time stamp of the capture and url of the web page is also documented in the case. By generating hash values of all individual objects within the web page, the examiner is better able to pinpoint any changes that may have occurred in subsequent captures. Additionally, if there is specific item appearing on the web page, such as an incriminating image, then is it is important to have an individual MD5 checksum of that key piece of evidence. Finally, any document file found on a captured web page, such as a pdf, Powerpoint, or Word document, will also be individually collected by X1 Social Discovery with corresponding acquisition and content hash values generated.

We believe this approach to authentication of website evidence is unique in its detail and presents a new standard. This authentication process supports the equally innovative automated and integrated web collection capabilities of X1 Social Discovery, which is the only solution of its kind to collect website evidence both through a one-off capture or full crawling, including on a scheduled basis, and have that information instantly reviewable in native file format through a federated search that includes multiple pieces of social media and website evidence in a single case. In all, X1 Social Discovery is a powerful solution to effectively collect from social media and general websites across the web for both relevant content and all available “circumstantial indicia.”

Leave a comment

Filed under Authentication, Best Practices, Preservation & Collection

Tagged as , , , , , , , , , , , , , , , , , , , , , , , ,

June 19, 2012 · 7:00 AM

Case Study: The Importance of Integrated Social Media and Website Crawling Collection

One of the benefits of the very strong market adoption of our X1 Social Discovery software is that we receive a significant amount of invaluable and excellent customer feedback from very seasoned eDiscovery and law enforcement professionals. Many of these experts report that a good number of their social media investigation and collection cases also require general website collection. For instance, a person on Facebook promoting infringing technology may also be posting relevant information to industry web bulletin boards or maintaining their own website. It is thus important that a social media eDiscovery and investigation process feature integrated web collection and social media support.

For an effective process, website data should be collected, searched and reviewed alongside social media collections in the same interface. The collected website data should not be a mere image capture or pdf, but a full HTML (native file) collection, to ensure preservation of all metadata and other source information as well as to enable instant and full search and effective evidentiary authentication. All of the evidence should be searched with one pass, reviewed, tagged and, if needed, exported to an attorney review platform from a single workflow.

To illustrate what this looks like in the field, we recorded an 8 minute demonstration based in part upon a real life example reported to us by one of our customers. This case study, performed by our CTO Brent Botta, involves the collection of social media data as well as message board posts on the web. Importantly, this evidence is consolidated into a unified workflow to be searched in one single pass.

The investigation features X1 Social Discovery as the platform, which now features automated and integrated web crawling capabilities in addition to its renowned functionality for the collection and analysis of Facebook and Twitter content. We believe this is the only solution of its kind to collect website evidence both through a one-off capture or full crawling, including on a scheduled basis, and have that information instantly reviewable in native file format through a federated search that includes multiple pieces of social media and website evidence in a single case. Up to millions of web captures and social media items are searched instantly with the patented X1 search, tagged and exported from a single interface.

Like social media content, web pages bring their own unique but important challenges for evidentiary authentication. In the next week, we will be posting on best practices for the collection and authentication of web pages as evidence, so stay tuned!

Leave a comment

Filed under Best Practices, Preservation & Collection

Tagged as , , , , , , , , , , , , , , ,

June 4, 2012 · 5:31 PM

Judge Peck: Cloud For Enterprises Not Cost-Effective Without Efficient eDiscovery Process

Hon. Andrew J. Peck
United States Magistrate Judge

Federal Court Magistrate Judge Andrew Peck of the New York Southern District is known for several important decisions affecting the eDiscovery field including the ongoing  Monique da Silva Moore v. Publicis Group SA, et al, case where he issued a landmark order authorizing the use of predictive coding, otherwise known as technology assisted review. His Da Silva Moore ruling is clearly an important development, but also very noteworthy are Judge Peck’s recent public comments on eDiscovery in the cloud.

eDiscovery attorney Patrick Burke, a friend and former colleague at Guidance Software, reports on his blog some interesting comments asserted on the May 22 Judges panel session at the 2012 CEIC conference. UK eDiscovery expert Chris Dale also blogged about the session, where Judge Peck noted that data stored in the cloud is considered accessible data under the Federal Rules of Civil Procedure (see, FRCP Rule 26(b)(2)(B)) and thus treated no differently by the courts in terms of eDiscovery preservation and production requirements as data stored within a traditional network. This brought the following cautionary tale about the costs associated with not having a systematic process for eDiscovery:

Judge Peck told the story of a Chief Information Security Officer who had authority over e-discovery within his multi-billion dollar company who, when told that the company could enjoy significant savings by moving to “the cloud”, questioned whether the cloud provider could accommodate their needs to adapt cloud storage with the organization’s e-discovery preservation requirements. The cloud provider said it could but at such an increased cost that the company would enjoy no savings at all if it migrated to the cloud.

In previous posts on this blog, we outlined how significant cost-benefits associated with cloud migration can be negated when eDiscovery search and retrieval of that data is required.  If an organization maintains two terabytes of documents in the Amazon or other IaaS cloud deployments, how do they quickly access, search, triage and collect that data in its existing cloud environment if a critical eDiscovery or compliance search requirement suddenly arises?  This is precisely the reason why we developed X1 Rapid Discovery, version 4. X1RD is a proven and now truly cloud-deployable eDiscovery and enterprise search solution enabling our customers to quickly identify, search, and collect distributed data wherever it resides in the Infrastructure as a Service (IaaS) cloud or within the enterprise. While it is now trendy for eDiscovery software providers to re-brand their software as cloud solutions, X1RD is now uniquely deployable anywhere, anytime in the IaaS cloud within minutes. X1RD also features the ability to leverage the parallel processing power of the cloud to scale up and scale down as needed. In fact, X1RD is the first pure eDiscovery solution (not including a hosted email archive tool) to meet the technical requirements and be accepted into the Amazon AWS ISV program.

As far as the major cloud providers, the ones who choose to solve this eDiscovery challenge (along with effective enterprise search) with best practices technology will not only drive significant managed services revenue but will enjoy a substantial competitive advantage over other cloud services providers.

1 Comment

Filed under Best Practices, Case Law, Cloud Data, Enterprise eDiscovery, IaaS, Preservation & Collection

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 22, 2012 · 12:14 PM

Surging Wage and Hour Class Action Suits and the Importance of Social Media Evidence

Wage and hour class action suits are rising dramatically. According to the USA Today, Plaintiffs filed 7,006 federal court wage-and-hour suits in 2011, many of them class actions, nearly quadruple the 2000 total. Many of these suits involve claims of misclassifying employees as exempt from overtime, especially salespersons and temporary professional employees. Additionally, these claims involve allegations of non-exempt employees being required to work off hours through the use of mobile devices, webmail and social media.  As such, social media evidence is playing an important role in the litigation of wage and hour claims on multiple levels.

As one recent example, a federal court in the Northern District of California earlier this month imposed monetary sanctions of nearly $16,000 and disqualified the lead plaintiff as the class representative in a wage and hour class action for failing to disclose relevant Facebook evidence. In Calvert v. Red Robin International, the lead plaintiff proved to be very active on Facebook, using the site to communicate with other claimants and to recruit potential plaintiffs into the class. The plaintiff and his lawyers failed to disclose this evidence, which the defendant’s law firm ultimately obtained through their own diligent investigation efforts. Such disqualifications and monetary sanctions against the lead plaintiff can prove to be important tactical victories in cases such as these.

Calvert is just one of many recent wage and hour cases that we have seen where social media has played a critical role. For instance, our customers have recently reported successfully using X1 Social Discovery in wage and hour claims, including, for example, to collect Linkedin and Facebook evidence that contradicted Plaintiffs claims that they were non-exempt employees. In addition to this customer use example and the case of Calvert v. Red Robin International, there are numerous other scenarios where the search and collection of social media evidence can be essential to the litigation of wage and hour cases, highlighting the importance of best practices technology to diligently represent your clients’ interests.

Leave a comment

Filed under Best Practices, Case Law

Tagged as , , , , , , , , , , , , , , , , , , , , ,

May 8, 2012 · 9:14 AM

Social Media Case Law Update: Volume of Cases Accelerating

Recently our survey of published case law from 2010 and 2011 identified 689 cases involving social media evidence for that time period.  While these results exceeded our expectations, that pace is actually rapidly accelerating in 2012. For this past April alone, a quick tally identifies 61 cases where social media evidence played a key role. We will have a mid-year report in a few months, but it appears that the volume of cases has about doubled year over year. Keep in mind that the survey group only involves published cases on Westlaw. With less than one percent of total cases resulting in published opinions, and considering this data set does not take into account internal or compliance investigations or non-filed criminal cases, we can safely assume that there were tens of thousands more legal matters involving social media evidence that were adjudicated or otherwise resolved in April 2012.

The following are brief synopses of three of the more notable social media cases from April:

Blandv. Roberts, 2012 WL 1428198 (E.D.  VA, Apr. 24, 2012)  

This case is notable in that it extensively litigated the implications of “liking” specific items on Facebook.  In this situation the Hampton, Virginia Sheriff’s Office employed Bland and his co-workers, under Sheriff B.J.  Roberts. Roberts faced a contested election and Bland and his cohorts backed the challenger Jim Adams, going so far as to “like” Adam’s Facebook page. As it turned out, the plaintiffs “liked” the wrong horse. Roberts won the election, and he subsequently fired Bland and the other Adams-backers. The Sheriff justified the terminations on cost-cutting grounds, but plaintiffs argued that their termination violated their First Amendment rights, as Roberts was aware that the plaintiffs’ “liked” Adam’s Facebook page, which plaintiff’s asserted to be protected speech. The court ultimately determined that “merely ‘liking’ a Facebook page is insufficient speech to merit constitutional protection and thus the termination was lawful.

From our perspective, the ultimate outcome of Bland v. Roberts is not so much the point as is plaintiffs’ subtle activity on Facebook representing substantive facts of the case.  The act of liking a Facebook entry can be an important piece of evidence in a wide variety of litigation and investigation scenarios. Just to identify a few possible examples, it can constitute evidence toward a party’s knowledge of a particular fact, or the extent of trademark infringement or publication of defamatory material, or identify relevant witnesses in a case. This case illustrates why it is important to collect and preserve all available information on Facebook and other social media sites in a thorough manner with best-practices technology specifically designed for litigation purposes.

People v. Harris, 2012 WL 1381238 (N.Y. Crim. Ct. Apr. 20, 2012)

In this case, the defendant faced charges of disorderly conduct after marching onto the Brooklyn Bridge as a participant in the Occupy Wall Street protests.  The New York District Attorney’s Office subpoenaed Twitter, Inc., seeking user information and Tweets from a particular time period for the Twitter account @destructuremal—the account allegedly used by the defendant.  The defendant filed a motion to quash the subpoena.

In denying the defendant’s motion, the court relied heavily on the public nature of Twitter and its terms of service, which establish that users have no expectation of privacy and no proprietary interest in their Tweets. The court noted that the terms of service state that by submitting a post or displaying content, a user has granted Twitter “a worldwide, non-exclusive, royalty-free license to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).”  Thus, the court reasoned, “defendant’s inability to preclude Twitter’s use of his Tweets demonstrates a lack of proprietary interest” in them.  In assessing the Plaintiff’s privacy rights, the court again relied on Twitter’s Terms of Service, which clearly inform users that their information will be viewable by others and which specifically state that “[w]hat you say on Twitter may be viewed all around the world instantly … [t]his license is you authorizing us to make your Tweets available to the rest of the world and to let others do the same.”

Loporcaro v. City of New York and Perfetto Contracting Company,  35 Misc.3d 1209(A), (N.Y. Sup. Ct. Apr. 9, 2012)

This is yet another serious personal injury claim where the claimant’s public Facebook postings contradicted their assertions of serious injury. Plaintiff claimed permanent disability from two knee injuries while on the job as a firefighter, seeking redress against Perfetto Contracting Company, Inc., alleging defective road conditions caused his injury. However, his public Facebook postings suggested that he continued to maintain an active lifestyle. This prompted the court to grant the defense’s motion to compel production of the Plaintiff’s full Facebook account, ruling as follows:

“When a person creates a Facebook account, he or she may be found to have consented to the possibility that personal information might be shared with others, notwithstanding his or her privacy settings, as there is no guarantee that the pictures and information posted thereon, whether personal or not, will not be further broadcast and made available to other members of the public. Clearly, our present discovery statutes do not allow that the contents of such accounts should be treated differently from the rules applied to any other discovery material, and it is impossible to determine at this juncture whether any such disclosures may prove relevant to rebut plaintiffs’ claims regarding, e.g., the permanent effects of the subject injury. Since it appears that plaintiff has voluntarily posted at least some information about himself on Facebook which may contradict the claims made by him in the present action, he cannot claim that these postings are now somehow privileged or immune from discovery.”

Earlier this year we covered the case of Tompkins vs. Detroit Metropolitan Airport, which also highlighted the importance of systematic search of public Facebook as standard procedure for nearly every type of criminal and civil litigation investigation.

We will have an update in about four weeks for the social case law published in May, so stay tuned.

4 Comments

Filed under Best Practices, Case Law

Tagged as , , , , , , , , , , , , , , , ,