Monday, June 13, 2011

Discovery and Redaction

As Wikipedia notes, in law “discovery” is the pretrial process “in which each party . . . can obtain evidence from the opposing party”. The Wikipedia entry deals with discovery in civil cases, but discovery also occurs in criminal cases.

This post deals with discovery issues that arose in a federal criminal case: U.S. v. Tummins, 2011 WL 2078107 (U.S. District Court for the Middle District of Tennessee 2011). Discovery in federal cases is governed by Rule 16 of the Federal Rules of Criminal Procedure, which you can find here. Rule 16(a) deals with the government’s obligation to disclose, while Rule 16(b) deals with the defendant’s obligation to do so.

On January 13, 2010, Jeremy Tummins was indicted for receiving and possessing child pornography in violation of 18 U.S. Code § 2252A. U.S. v. Tummins, supra. The charges “resulted from a search warrant executed by the Dickson County Sheriff’s Office” in May, 2009, “during which two computers . . . were seized from” his home. U.S. v. Tummins, supra. The opinion doesn’t say this, but I’m inferring that at some point after Tummins was indicted his defense attorney began preparing for trial, which would have involved seeking discovery of evidence in the government’s possession.

Because the parties apparently could not resolve certain discovery issues on their own, Tummins filed a motion asking the court to compel the prosecution to “produce for inspection and copying seven enumerated items.” U.S. v. Tummins, supra. (If you look at Rule 16(d)(2) of Rule 16, you’ll see that a court can compel discovery.) In the rest of this post, we’ll examine the requests and how the court dealt with them.

The first item was “an index of all the files on both computers including all their metadata.” U.S. v. Tummins, supra. The government’s response was that “to the extent it possessed such an index,” it was included with the report of Detective Levasseur -- the government’s forensic computer examiner – that had already been given to the defense. But the prosecution also agreed to created such an index and provide it to Tummins, so the court granted Tummins’ motion with regard to this item. U.S. v. Tummins, supra.

The second item was “an index of all files determined to be child pornography including all the metadata `as well as how it was determined to be child pornography.’” U.S. v. Tummins, supra. The government again responded that (i) it had already provided this as an attachment to Levasseur’s report, which the defense had received and (ii) it had created an index of suspected child pornography and would provide the defense with this index. U.S. v. Tummins, supra. The judge therefore granted that part of Tummins’ motion but denied the request for “``how it was determined to be child pornography’” because he found that request exceeded what was required by Rule 16(a)(1)(E). U.S. v. Tummins, supra.

The third item was for “[c]omplete and up to date logs, including any logs or records created during the initial online portion of Levasseur's investigation; logs to all activity conducted within the Forensic Tool Kit software along with any other software used during the examination of the computers”. U.S. v. Tummins, supra. The prosecution conceded that such logs existed and were in its possession, but argued that they were not discoverable under Rule 16(a)(1)(E) and/or were protected from discovery under Rule 16(a)(2). U.S. v. Tummins, supra. The judge agreed, and denied this part of Tummins’ motion. U.S. v. Tummins, supra.

The fourth item was a “list of ALL software used during the initial online investigation and during the entire examination of both the computers, including name, version information, manufacturer and licensing information”. U.S. v. Tummins, supra. The prosecution said that (i) to the extent it had such a list, Tummins had already received it via Levasseur’s report and the affidavit used to obtain the search warrant and/or (ii) the information was not discoverable under Rule 16(a)(1)(E). U.S. v. Tummins, supra. The judge agreed and therefore denied this part of Tummins’ motion. U.S. v. Tummins, supra.

The fifth item was “[f]ully functional copies of the same versions of GnuWatch and Peer Spectre software that were used by Levasseur for independent testifying and verification” and the sixth was a “copy of the SHA1 database of child pornography images used during this investigation”, along with information as to where the database was obtained, who maintains it, “how often it’s updated and how it’s distributed”, the criteria used to add files to the database and how files are removed from it. U.S. v. Tummins, supra. The prosecution argued (i) that Tummins hadn’t shown that any of this was discoverable under rule 16(a)(1)(E) and/or (ii) “that it cannot provide fully functional versions of the requested software because these programs connect to law enforcement databases containing nonpublic information, and, similarly, that the SHA1 database is a law enforcement database.” U.S. v. Tummins, supra. The judge found that Tummins hadn’t shown that any of this material was discoverable under the rule, and so denied Tummins’ motion with regard to these items. U.S. v. Tummins, supra.

The seventh item – which is the one I find most interesting – was “a copy of the hard drive with the alleged child pornography redacted.” U.S. v. Tummins, supra. The prosecution argued that “production of the requested forensic copy of the hard drive” was prohibited by 18 U.S. Code § 3509(m), which I’ve discussed in other posts. U.S. v. Tummins, supra. Basically, § 3509(m) says the government must maintain custody of “any property or material that constitutes child pornography” and that is involved in a criminal proceeding. 18 U.S. Code § 3509(m)(1).

Tummins, though, was seeking “a forensic copy of the computer hard drives from which all files containing child pornography have been redacted”, which would seem to take the request outside the scope of § 3509. The prosecution, though, said it was “technically impossible to be absolutely certain that all traces of child pornography have been removed from a forensic copy of these computer hard drives,” which meant § 3509(m) did apply and did prevent the government from complying. U.S. v. Tummins, supra.

The judge held an evidentiary hearing on this issue, at which Tummins presented testimony from his computer forensic expert: “James KempVanEe. KempVanEe is an employee of LogicForce Consulting, LLC, and serves as the company's Digital Forensic Lab Manager.” U.S. v. Tummins, supra. The prosecution conceded KempVanEe was qualified to testify on these issues. U.S. v. Tummins, supra. He testified that using a

forensic copy of the hard drives, a computer program known as EnCase could be used to overwrite the file contents of the 23 files identified by the Government's computer forensic expert as containing child pornography while leaving the remainder of the file information intact. This process would replace the allegedly pornographic images in these 23 files with zeros such that the allegedly pornographic images would no longer exist on this forensic copy, but all remaining computer data would remain intact for analysis by KempVanEe on behalf of [Tummins].

This would allow [him] to determine such things as when and how the files allegedly containing child pornography were imported on this computer, the search terms that may have been used to locate and download these images, the dates on which these images were viewed and the time duration of any such viewings. According to KempVanEe, all such information would be material to a defense of this case.

U.S. v. Tummins, supra.

When he was cross-examined, KempVanEe “conceded that it is `possible’ that files containing fragments of images of children might reside in `unallocated space’ of the hard drive if it existed there.” U.S. v. Tummins, supra. He also said the prosecution expert “listed no file allegedly containing child pornography as having come out of unallocated space on these hard drives.” U.S. v. Tummins, supra. He also testified that the restrictions the government imposed on defense computer examiners pursuant to § 3509(m) would effectively prevent him “and his employer from serving as a computer forensic expert witness” on Tummins’ behalf. U.S. v. Tummins, supra. Finally, a Secret Service Agent who is a qualified “computer forensic recovery specialist” but who was not familiar with the facts of this case testified that “the only way to guarantee that no child pornography gets out is for the Government to maintain control of the hard drives.” U.S. v. Tummins, supra.

The judge noted that all this raised two issues: whether it was a “realistic possibility” that child pornography would remain on the redacted hard drives and whether, if that was a possibility, the government had provided “ample opportunity” for Tummins’ expert to inspect, view and analyze the drives at a government facility. U.S. v. Tummins, supra.

He found that the evidence in the case failed to answer “the first question precisely”, but ultimately inferred that “the likelihood of child pornography remaining on a hard drive copy following redaction of the file contents of those files identified as child pornography would be relatively low.” U.S. v. Tummins, supra. He also found that “the restrictions imposed by the Government do not satisfy the requirements of § 3509(m)(2)(B) requiring the Government to provide `ample opportunity for inspection, viewing, and examination at a Government facility.’” U.S. v. Tummins, supra.

The electronic data to be examined approximates 750 gigabytes, which requires 19 hours of continuous computer run time to index when examined by the Government expert. . . . [A] defense expert necessarily would be required to leave his hardware and software running unattended and inaccessible in Government offices, except during normal business hours, for the duration of an analysis that could take at least two weeks KempVanEe has clearly testified that his employer, which owns the hardware and software KempVanEe proposes to use to conduct his forensic analysis of these hard drives, is unwilling to allow its equipment to remain inaccessible and unattended in a Government facility.

U.S. v. Tummins, supra.

The judge therefore granted Tummins’ motion to compel the prosecution to provide him with redacted copies of the hard drives within 14 days of the entry of the judge’s order. U.S. v. Tummins, supra. He also ordered that the hard drives (i) “be maintained in a secure location in the custody of [Tummins’] forensic computer expert, and access to any data contained on [them] shall be limited to the expert and the defense attorney”; and (ii) be returned to the government upon completion of the defense expert’s examination of them. U.S. v. Tummins, supra.

No comments: