Wednesday, January 16, 2013

Child Pornography, the Expert Witness and Daubert

This post examines a recent opinion issued in a pending child pornography case.  All I know about the facts in the case is that “[o]n August 8, 2012, . . . Bryan James Gardner was indicted on one count of possession of child pornography” in violation of 18 U.S. Code § 2252A(a)(5)(B) and “one count of distribution of child pornography” in violation of 18 U.S. Code § 2252A(a)(2). U.S. v. Gardner, 2012 WL 5285376 (U.S. District Court for the District of Utah 2012).

One of the opinions in the case notes that Gardner is accused of “possessing child pornography images on the Gardner family computer . . . and distributing child pornography images by uploading images to the social networking Internet using a Verizon wireless . . . Internet access device.” U.S. v. Gardner, 2012 WL 6680395 (U.S. District Court for the District of Utah 2012) (hereinafter U.S. v. Gardner, supra). 

As of earlier this month, the case was set to go to trial on January 14 of this year.  U.S. v. Gardner, 2013 WL 53752 (U.S. District Court for the District of Utah 2013). 

In preparing for trial, Gardner filed several motions that were directed at keeping certain evidence out and also “notified the United States that [at trial] he intends to rely on the testimony of Steven Moshlak, whom Gardner has designated as an expert in computer forensics.” U.S. v. Gardner, supra.  While the prosecution did not “challenge Moshlak's qualifications as a computer forensics expert,” it did “challenge, under Federal Rule of Evidence 702 and Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993), Moshlak's application of the methodology used and the reliability and relevancy of the opinions he offers in his report.”  U.S. v. Gardner, supra.

The Federal Rules of Evidence govern the admissibility of evidence in federal trials, and Rule 702 deals with the admissibility of expert evidence, providing as follows:

A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
(a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) the testimony is based on sufficient facts or data;
(c) the testimony is the product of reliable principles and methods; and
(d) the expert has reliably applied the principles and methods to the facts of the case.

As Wikipedia explains, the Supreme Court’s decision in the Daubert case changed the existing standard for admitting expert testimony in federal cases to one that has been incorporated into Rule 702.  The Daubert Court held that expert testimony is admissible if it involves scientific knowledge that will assist the trier of fact and if the trial judge has determined that the reasoning or methodology underlying the testimony is scientifically valid and can properly be applied to the facts in issue.  (If you would like to check out the prior standard, you can find a description of it in Wikipedia’s entry on Daubert.)

The district court judge held a Daubert hearing on Moshlak’s proffered testimony and ultimately held that he would be allowed to testify “as an expert witness at trial but his testimony will be limited to a narrower set of conclusions than was proffered in his report.”  U.S. v. Gardner, supra.  That brings us to the results of the Daubert hearing.  The opinion explains that Moshlak reviewed the “same forensic images” of two hard drives

that were seized and reviewed by the United States's investigators and computer forensics experts. The hard drives were taken from the Gardner family computer (one was seized from the Gardner home and the other was seized at PC Laptops, where the drive was being repaired at the time the search warrant was executed). The computer investigation concerning Count 1 centers on the contents of the hidden thumbs.db file, as well as the email The investigation concerning Count 2 focuses on the social networking, two email addresses ( and, the (referred to as `Image Source), and a wi-fi device.

Moshlak primarily used the . . . Forensic Toolkit (FTK) to do his review. That is the same program used by the Government's computer forensics experts. . . . [T]he Government does not challenge the soundness of the FTK methodology.

Moshlak also reviewed discovery materials provided by the Government to Gardner, and apparently did his own research and investigation . . . (for example, by contacting Verizon about the type of modem allegedly used by Mr. Gardner). . . .

U.S. v. Gardner, supra.  

The “end result” of his investigation and analysis was his “`Computer Expert Witness Report’” and an addendum to the report.  U.S. v. Gardner, supra.  The report “sets forth roughly fourteen conclusions”, which the government challenged for the reasons noted above.  U.S. v. Gardner, supra.  I am not going to go through the judge’s ruling on all fourteen, but I will summarize her holdings on what I see as the more important and/or interesting issues.

Conclusion #1:  Multiple users inside and outside the household accessed the Gardner family computer.

Moshlak presumes there were multiple users of the computer . . . based on the existence of computer directories and files bearing different names and containing resumés of individuals other than Gardner. Even though the United States agrees that several members of the Gardner family had access to the computer . . ., the court will not allow Moshlak to testify about his conclusion as it is presently worded. As written, his conclusion is not an expert conclusion based on scientific, technical, or other specialized knowledge. 

Whether more than one person, and, if so, who, used the computer, is a fact question for the jury to decide. Moshlak’s proffered testimony would usurp the role of the jury.  Moshlak, however, will be allowed to testify that during his review of the Gardner family computer, he observed files, directories, and documents with names other than Bryan Gardner. He may not extrapolate further.

U.S. v. Gardner, supra. 

Conclusion #2:  “HP Owner” was the generic user name assigned to anyone accessing the family computer

This conclusion is relevant. But the court is concerned with the phrasing used by Moshlak. The court will allow Moshlak to state his opinion, but only if it is framed in a way that more accurately reflects the nature of the fact (and to the extent it is not cumulative). That is, rather than stating that the `HP_Owner’ was not associated with Gardner, Moshlak may point out that the `HP_Owner’ name was not associated with or assigned to any particular individual using the computer.

U.S. v. Gardner, supra. 

Conclusion #3: No Relative Identifiers (RIDs) or Security Identification Descriptors (SIDs) were associated with Gardner on the family computer

The analysis of Conclusion 2 also applies here. The court finds the lack of RIDs and SIDs to be somewhat relevant. However, Moshlak may not present his opinion in the matter phrased in his report. He may point out to the jury that there are no RIDs or SIDs associated with anyone on the Gardner family computer. This is more accurate than the artificial spin he places on the lack of RIDs and SIDs in an effort to eliminate Gardner as a possible user of the family computer.

U.S. v. Gardner, supra. 

Conclusion #5:  The [Regional Computer Forensic Laboratory] report did not identify any actors and so the report, as well as the analysis of Government agents who generated the report, is insufficient.

The court agrees with the United States that this conclusion is not relevant, not based on scientific, technical or other specialized knowledge, and is not based on sufficient facts or data. The RCFL computer forensics examiners do not do investigative work. Moshlak's conclusion assumes they are required to do so in order to do their jobs effectively. But the type of investigation to which Moshlak is referring was not part of the RCFL experts' scope of work. 

Moreover, Moshlak has no specialized expertise regarding the job of a government computer forensic examiner. As the United States notes, the Department of Justice guide for law enforcement is not sufficient data for Moshlak to speculate about what individuals involved with this case should have done. The court excludes any testimony of this nature.

U.S. v. Gardner, supra. 

Conclusion #6(B): The image modification dates in the thumbs.db file suggest that Gardner could not have downloaded or viewed the images because the dates coincide with the dates Mr. Gardner was in prison.

Based on a long colloquy during the Daubert hearing, Moshlak admitted that the modification dates in the thumbs.db file do not have any bearing on whether Gardner downloaded or viewed the images on the Gardner family computer. . . . Accordingly, this conclusion is excluded as unhelpful to the jury.

U.S. v. Gardner, supra. 

Conclusion #7: The thumbs.db is a hidden file in the Gardner family computer that cannot be accessed without specialized computer knowledge and tools.

This conclusion is not relevant. The Government does not contend that Gardner accessed the thumbs.db file to store or view child pornography images. The conclusion, while accurate, would not be helpful to the jury. In fact, it would be confusing. It suggests that Gardner could not have done what the Indictment alleges because he does not have specialized knowledge or tools to access the thumbs.db file. This testimony is excluded.

U.S. v. Gardner, supra. 

Conclusion #9: Yahoo Companion toolbar has a button for that allows anyone to access the email account.

The United States contends that although `[t]he fact that kidpower12345 is in Yahoo Companion is not disputed, the conclusion about how it works is not based on sufficient facts or reliable methodologies. . . . The court agrees.

As part of his conclusion, Moshlak testified that `anybody that goes ahead and activates a Web browser has the ability to go ahead and log in as kidpower12345[.]’ . . . Moshlak provided no factual basis for such a conclusion or any reason for the court to believe that he has expertise regarding the Yahoo Companion toolbar or that he can explain why he reached this conclusion. 

Because Moshlak's Conclusion 9 was unsupported, it is excluded at this time. The court will reconsider this ruling if the defense is able to provide the court with a more thorough analysis and a complete record in support.

U.S. v. Gardner, supra. 

Conclusion #10(B): Conclusions based on IP Addresses

In his report, Mr. Moshlak states,

No traceroute data analysis was provided, as to the network which was used, in determining if a nexus between [Gardner] and his USB modem could be established. In review of the material provided [sic] shows no Verizon Access Manager connectivity, but does show QWEST as a potential provider of services. In addition an IP address analysis was performed based upon the Username logons and user names provided [by] Ning, and the IP address data that was provided in this case, with the user logon, related to a number of different areas in the nation. A number of these IP addresses resolved to various other parts of the nation, including [over twenty locations within the United States]. . . .

[Gardner] has failed to show that Moshlak's IP address analysis was based on sufficient facts or data. The source of information and the nature of the conclusion are both in question. The IP address analysis and conclusions do not make sense. 

On the stand, Moshlak himself admitted that he did not know how someone could log-in over 300 times on a particular date or from multiple locations throughout the country. He said, `something tells me something isn't right. We ought to go back and take a look at it.’ Unless and until the defense can come up with a more thorough analysis and explanation for the conclusion, Moshlak's testimony in this area is excluded.

U.S. v. Gardner, supra. 

Conclusion #13: There were viruses on the Gardner family computer.

During testimony, Moshlak admitted under cross-examination that the viruses could not have created the images of child pornography in the thumbs.db folder. Absent any evidence (other than the speculation offered by [Gardner]) that a third party hacked into the Gardner family computer to download the offending images, Moshlak's conclusion is, at best, not relevant, and would confuse the jury.

U.S. v. Gardner, supra. 

The judge therefore granted the prosecution’s motion to exclude Moshlak’s expert testimony in part and denied it in part.  U.S. v. Gardner, supra.    
