This post is a follow-up to a post I did last year: Obstruction of Justice, DriveScrubber and Emails. You can read more about the case
in the story you can find here.
After Andrew Katakis was tried on charges of bid-rigging and
obstruction of justice, the jury found him guilty of obstruction of justice but
the U.S. District Court Judge who presided at the trial vacated the conviction
and granted Katakis’ motion for a judgment of acquittal. U.S. v. Katakis, 2015 WL 5090792 (U.S. Court of Appeals for the 9th Circuit 2015). The judge granted the
motion because he found the evidence presented at trial “was insufficient
to show that Katakis actually deleted electronic records or files.” U.S. v. Katakis, supra.
The Court of Appeals began its opinion by noting that “proving
Katakis moved emails from an email client's inbox to the deleted items folder
does not demonstrate Katakis actually concealed those emails within the meaning
of [18 U.S. Code] § 1519”. U.S. v. Katakis, supra. It then explained that this prosecution arose from an investigation by
federal
authorities into a scheme to rig bids at foreclosure auctions in 2008 and 2009.
By 2010, the investigation focused on Andrew Katakis as one of the primary real
estate investors helming the conspiracy. On September 1, 2010, Katakis received
a letter from his bank informing him that federal investigators had subpoenaed
his bank records. On September 3, 2010, Katakis purchased, downloaded, and
installed a program called DriveScrubber 3 (`DriveScrubber’) onto his home
computer, a Dell (`Katakis's Dell’).
DriveScrubber is a program designed to
wipe hard drives clean of all information. DriveScrubber may be used to
overwrite all of the information in a hard drive's unallocated or `free’
space. Free space is the portion of the hard drive that is not allocated
for the use of the computer's programs or operating system; items that are
deleted by a user may `fall’ into the free space. There, the deleted item is
not actually removed from the computer right away; the space it occupies on the
hard drive has simply been made available to be overwritten. Instead of waiting
for another file to overwrite the deleted file by chance, DriveScrubber
actively overwrites all data in the unallocated space of a hard drive,
permanently erasing any files that had fallen into the free space. Once a file
is overwritten by DriveScrubber, it is impossible to retrieve it.
U.S. v. Katakis,
supra.
The Court of Appeals goes on to explain that
Katakis's business partner and alleged
co-conspirator, Steve Swanger, kept two computers at their office: an ASUS (`Swanger's
ASUS’), and a Dell (`Swanger's Dell’). Swanger's Dell was used primarily for
emailing with Katakis, and Swanger's ASUS was used for general internet
searching. On Saturday, September 4, 2010, Katakis summoned Swanger to their
business office. Katakis told Swanger that he wanted to install a `scrubber
program’ on their computers and that there was `nothing wrong with us cleaning
our computers.’ Swanger observed Katakis use Swanger's ASUS and perform a
search for emails involving members of the bid-rigging conspiracy. At 4:40 pm,
Katakis installed DriveScrubber on the Swanger ASUS. This copy of DriveScrubber
was different from the one installed on Katakis's Dell. Swanger did
not observe any deletions on the ASUS; he only observed Katakis `clicking and
moving things around.’
Katakis then moved to Swanger's Dell
and installed DriveScrubber at 4:47 pm. The Swanger Dell had 4,000 emails on
it, as Swanger was not in the habit of regularly deleting his emails. Swanger
kept hard copies of some important emails, because he feared Katakis might try
and wipe clean the hard drives some day. Swanger observed Katakis checking
boxes on various emails and unchecking those emails that Katakis believed that
Swanger needed. Katakis gave up sorting the emails after about five minutes and
pressed the delete key. After seeing that it would take a long time for the
emails to be deleted, Katakis went home. When he returned to the office on
Monday, Swanger noticed that almost all of the emails on his Dell had been deleted
from his email inbox.
At 5:37 pm on September 4, 2010, the
same copy of DriveScrubber that was installed on Katakis's Dell was installed
on the office's mail server (`GD Mail Server’). The server managed all email
sent or received in the office through the Microsoft Outlook program. The GD
Mail Server was operated by a program called Exchange. Katakis had the
authority to install programs on the GD Mail Server and knew that DriveScrubber
had been installed on it.
U.S. v. Katakis,
supra.
The prosecution began when the
Government seized the four computers in
the course of its investigation into the bid-rigging scheme. When examining
Swanger's Dell, the Government discovered ten incriminating emails that
implicated Katakis in the conspiracy. Katakis was either a sender or recipient
of all ten emails. Swanger was also either the sender or recipient of all ten
emails.
The emails were discovered in the
deleted items folder in Swanger's email client. Metadata attached to the emails
showed that the emails had passed through the GD Mail Server and that Katakis
had received and opened all of them. Special Agent Scott Medlin conducted a
forensic analysis of the other three computers. Because Katakis's Dell,
Swanger's ASUS, and the GD Mail Server were all part of the email network
shared with Swanger's Dell, Medlin expected to find traces of the ten emails on
these computers. Medlin was unable to locate any trace of the ten
incriminating emails, but did not think that enough time had passed for all traces
of the emails to be removed by the gradual automatic overwriting process,
leading him to believe that Katakis had destroyed them using DriveScrubber.
U.S. v. Katakis,
supra.
The court then explains that based on the
discrepancy between the presence of the
ten incriminating emails on Swanger's Dell but not on the other computers, the
Government sought and obtained an indictment charging Katakis with obstruction
of justice, in violation of 18 U.S. Code § 1519. The indictment alleged
that Katakis `deleted and caused others to delete electronic records and
documents. KATAKIS also installed and used and caused others to use a software
program that overwrote deleted electronic records and documents so that they could
not be viewed or recovered.’ Notably, the indictment failed to charge attempt,
thus committing the Government to prove actual deletion.
U.S. v. Katakis,
supra.
The court went on to explain that the prosecution went to
trial on the theory that Katakis
ran the DriveScrubber program on his
Dell, Swanger's ASUS, and the GD Mail Server, to erase all traces of the ten
incriminating emails. The Government's key witness was Medlin, who testified as
an expert. Medlin testified that Katakis `double-deleted’ emails; that is, he
deleted them once from the mail client and then again when he emptied the
deleted items folder. After they were double deleted, the emails fell into the
free space, where Medlin opined that they were irretrievably overwritten by
DriveScrubber.
Katakis called Don Vilfer as a rebuttal
expert. Vilfer testified that Medlin's theory of what happened to
double-deleted emails was incorrect, based on how the Exchange program on the
GD Mail Server worked. According to Vilfer, a double-deleted email would not
fall into the free space, as Medlin testified, but would remain within the
portion of the hard drive allocated for the Exchange database. The crux of
Vilfer's testimony was that, given how the Exchange program operated, it would
be impossible for DriveScrubber to overwrite any double-deleted emails,
including the ten incriminating emails that were at the heart of the
Government's case. Vilfer further noted that the Exchange program itself
removed double-deleted emails after a certain period of time, usually fourteen
days. Vilfer testified that he was able to recover thousands of double-deleted
emails, but he could not find the ten incriminating emails. Vilfer agreed with
Medlin that it was suspicious that there were no traces of the ten
incriminating emails on any computer other than Swanger's Dell. However, he
explained that absence by opining that the ten incriminating emails (including
metadata) had been fabricated. The defense sought to draw an inference that
Swanger fabricated the ten incriminating emails and the metadata indicating
Katakis had seen them in order to implicate Katakis.
In rebuttal, Medlin admitted that
Vilfer's testimony was correct: it was impossible for DriveScrubber to have
deleted the ten incriminating emails. Medlin testified that his opinion was unchanged,
because DriveScrubber could have deleted transmission logs associated with the
ten incriminating emails. Vilfer testified in response that deleting the
transmission logs would not have deleted the emails themselves.
U.S. v. Katakis,
supra.
Finally, the court explained that
[b]y the time of its closing argument,
the Government's primary theory of the case had collapsed. In closing, the
Government offered two theories of liability to the jury. First, the Government
argued a purely circumstantial case. The ten incriminating emails were present
on Swanger's Dell, and both experts testified that they would have expected to
find them on the other computers. The only logical inference, the Government
reasoned, was that Katakis had somehow deleted them.
Second, the Government relied on
Swanger's testimony for an alternative theory of liability. Under this theory,
DriveScrubber was only relevant to prove intent. If the jury believed Swanger's
testimony that Katakis hit the delete key and sent emails on Swanger's Dell to
the deleted items folder, this was legally sufficient to convict Katakis of
obstruction of justice. The Government alluded to an additional theory of
liability in its rebuttal, arguing that Katakis used DriveScrubber to delete
remnants of the emails (the transmission logs).
U.S. v. Katakis,
supra.
The Court of Appeals then began its analysis of Katakis’
argument on appeal by explaining that he was convicted of obstruction of justice
in violation
of 18 U.S. Code § 1519. That statute provides:
`Whoever knowingly alters, destroys,
mutilates, conceals, covers up, falsifies, or makes a false entry in any
record, document, or tangible object with the intent to impede, obstruct, or
influence the investigation or proper administration of any matter within the
jurisdiction of any department or agency of the United States ... or
contemplation of any such matter or case, shall be fined under this title,
imprisoned not more than 20 years, or both.’
. . . Section `1519 was intended to prohibit,
in particular, corporate document-shredding to hide evidence of financial
wrongdoing.’ Yates v. U.S., 135 S.Ct. 1074 (2015). In order to prove a violation
of § 1519, the Government must show that the defendant (1) knowingly
committed one of the enumerated acts in the statute, such as destroying or
concealing; (2) towards `any record, document, or tangible object’; (3) with
the intent to obstruct an actual or contemplated investigation by the United
States of a matter within its jurisdiction.
U.S. v. Katakis,
supra.
The court went on to note that
[w]e have only one question regarding
the sufficiency of the evidence before us: whether the Government carried its
burden to show actual destruction or concealment. There is no dispute that
there was sufficient evidence for a rational juror to conclude that the Government
satisfied the third element, that Katakis intended that his actions would
obstruct the investigation into the bid-rigging scheme. A rational juror also
could have concluded that Katakis knew or believed that his actions could
destroy or conceal the ten incriminating emails. However, the Government failed
to charge Katakis with attempted obstruction in the indictment. Therefore, in
order to secure a conviction, the Government was required to prove that Katakis
actually destroyed or concealed `electronic records and documents.’
U.S. v. Katakis,
supra.
It therefore found that given
Medlin's retraction, there was no
evidence upon which a reasonable juror could conclude Katakis used
DriveScrubber to irretrievably overwrite (that is, destroy or conceal) the ten
incriminating emails from the free space of any of the computers. The theory
that the Government presented in its case-in-chief cannot support Katakis's
conviction.
Nevertheless, the Government contends
the district court erred, because there are three other theories of liability
that the jury could have credited that satisfy the elements of the statute: (1)
Katakis used DriveScrubber to delete the transmission logs belonging to the ten
incriminating emails; (2) Katakis double deleted emails on his Dell, Swanger's
ASUS, and the GD Mail Server; or (3) Katakis single-deleted emails on Swanger's
Dell, moving those emails from the inbox to the deleted items folder. For the
reasons set out below, we agree with the district court that the evidence was
insufficient to convict Katakis of obstruction of justice on any of these
theories.
U.S. v. Katakis,
supra.
The court began its analysis with the DriveScrubber theory,
noting that it relied on
[t]estimony given by Medlin during
rebuttal to the effect that, although Katakis could not have deleted the ten
incriminating emails themselves, he could have deleted transmissions logs
generated by the emails. Forced to retract his testimony that the
ten incriminating emails could have been deleted by DriveScrubber, Medlin
testified that he did not retract his opinion that Katakis used DriveScrubber
to destroy electronic records, because he likely used DriveScribber to
overwrite transmission logs generated by the emails.
Medlin testified that transmission logs
are generated daily by the Exchange system. These logs resided outside the
Exchange database (so they were separate from the emails themselves), and would
`remain’ in the program for a period of time before falling off into the free
space to be made available for the DriveScrubber program to overwrite. Medlin
could not testify as to how long it took for the transmission logs to fall into
free space; he noted that there was a default time programmed into the Exchange
database (although he did not recall what the default was), but that time could
be changed by the system administrator. On cross-examination, Medlin
admitted he did not perform an investigation into whether a default time
was even set on the Exchange database. Medlin also testified that he did not
perform any investigation as to whether any user had entered a command causing
the Exchange database to “clean up” the transmission logs and let them enter
free space.
Although the Government is entitled to
every reasonable inference from the evidence, a conviction may not be based on
mere speculation. U.S. v. Nevils,
598 F.3d 1158 (U.S. Court of Appeals for the 9th Circuit 20100. `[A]
reasonable inference is one that is supported by a chain of logic, rather than
mere speculation dressed up in the guise of evidence.’ U.S. v. Del
Toro–Barboza, 673 F.3d 1136 (U.S. Court of Appeals for the 9th Circuit
2012) (quoting Juan H. v. Allen, 408 F.3d 1262 (U.S. Court of
Appeals for the 9th Circuit 2005)). The logical chain supporting the
Government's theory is as follows: (1) Katakis downloaded and installed
DriveScrubber, which, along with Swanger's testimony, demonstrates his intent
to destroy incriminating emails and other electronic records; (2) DriveScrubber
could only destroy the emails if they were in the free space; (3) the
transmission logs enter the free space through one of two ways, either at the
default time or through user action; (4) both agents testified that they
expected to find email remnants, including transmission logs, on the computers;
and (5) no email remnants were found. From this chain of logic, the Government
contends a reasonable juror could have concluded that Katakis destroyed the
logs using DriveScrubber.
However, the Government's chain of
logic misses an important link: there is no evidence whatsoever that the
transmission logs were made available, in any manner, for DriveScrubber to
overwrite. The Government invited the jury to speculate as to whether the
transmission logs entered the free space; the Government's own expert could not
testify that they ever did. The transmission logs theory was developed entirely
in rebuttal in an attempt to save the Government's case. Make no mistake, the
Government's original plan failed. Indeed, the full theory presented here did
not crystallize as an argument until this appeal.
The Government did not argue in its
closing that deletion of the transmission logs could, under § 1519,
constitute the destruction of electronic records; instead, the Government
asserted in its rebuttal that the absence of the logs was evidence
DriveScrubber was run to delete the emails. In light of the way that this case
was tried, it is not surprising that the Government's transmission log theory
was half-baked. Medlin admitted he never even investigated the possibility that
the transmission logs were removed to the free space where they could have been
deleted by DriveScrubber.
In the absence of that evidence, the
jury was left to speculate not only regarding how the transmission logs entered
the free space but if they ever did so. There was nothing preventing the
Government from having Medlin investigate this question and provide evidence,
even circumstantial evidence, from which the jury could make the desired
inference. However, that evidence was entirely lacking in this case. In the
absence of that critical link in the logical chain of inference, the evidence
was not sufficient to convict Katakis on this theory.
U.S. v. Katakis,
supra.
The court then took up the “double deletion” theory, noting
that it was based on the premise that “a rational juror could have found Katakis double deleted emails on all of the computers except Swanger's Dell,
and if he did so with the requisite intent, he violated the statute.” U.S. v. Katakis, supra. The court explained that it would “assume,
without deciding, that double deletion would constitute the requisite
concealment or destruction element of § 1519”, but went on to note that “even
with that assumption, no reasonable juror could have found on this record that
the Government carried its burden to show that double deletion actually
occurred.” U.S. v. Katakis, supra.
The Court of Appeals also pointed out that the prosecution
did not present any “direct evidence of double deletion” but, instead, asked
the jury to infer that such deletion occurred from certain circumstantial
evidence. U.S. v. Katakis, supra. It explained that the only evidence of double
deletion came from a
single fact: that the ten incriminating
emails were not found on Katakis's Dell, Swanger's ASUS, or the GD Mail Server.
Both experts testified that they expected to find the emails on those
computers. In their absence, the Government argues that a rational juror would
be entitled to conclude that Katakis double deleted the emails. However, the
Government never provided the jury with any mechanism that would explain how
Katakis removed the emails from the three computers, given that, as both
experts ultimately agreed, double deletion on the email client does not send an
email to the free space, where DriveScrubber could have destroyed it.
U.S. v. Katakis,
supra.
It then explained that this was not a case
where a government theory competed with
a defense theory. Instead, the Government in this case presented no
theory at all to explain to the jury how the emails were destroyed, a
fact that was critical to the chain of inferences required to find beyond a
reasonable doubt that Katakis double deleted the emails.
U.S. v. Katakis, supra
(emphasis in the original).
The court then rejected the government’s final theory –
the single deletion theory, which was based on Swanger’s testimony. U.S. v. Katakis, supra. It explained that Swanger testified
that he observed
Katakis press the delete key after screening emails on Swanger's Dell. The
Government argued in closing that all the jury needed to find in order to
convict Katakis was that he pressed the delete key, thereby moving the emails
from the inbox on Swanger's Dell to the deleted items folder.
The evidence was sufficient for the
Government to prove the fact underlying this legal theory; all the jury had to
do was credit Swanger's testimony. `It is well established that the
uncorroborated testimony of a single witness may be sufficient to sustain a
conviction.’ U.S. v. Dodge, 538 F.2d 770 (U.S. Court of Appeals for the 8th Circuit 1976). Further, the ten incriminating emails were discovered in the
deleted items folder of Swanger's Dell, raising at least a colorable inference
that Katakis deleted them. The district court recognized that the evidence was
sufficient to prove the fact that Katakis single deleted the emails. However,
the district court held that single deletion was not sufficient to give rise to
liability under § 1519. We agree.
U.S. v. Katakis,
supra.
And, finally, the Court of Appeals went on to explain that
[o]ur conclusion that the evidence was
insufficient to convict Katakis for single deleting emails rests upon the
unique factual circumstance that pressing the delete key in this context serves
only to move an email from one file folder to another. Section 1519 was
drafted to prevent corporate document shredding. The digital context threatens
to expand § 1519 and its potentially harsh punishment well beyond its
intended reach. We are hesitant to expand the reach of § 1519, in part
because the Government barely developed the facts necessary to support the
single-deletion theory at trial and we are left without many of the facts that
might prove actual concealment.
As with the other theories raised on
appeal, the single-deletion theory was an afterthought, a comment the
Government made at closing and now urges was sufficient to warrant a potential
twenty-year sentence. Accordingly, we cannot endorse the Government's reading
of the statute. Actual concealment must do more than merely inconvenience a
reasonable investigator—there must be some likelihood the item will not be
found. That low bar is not met in this case.
U.S. v. Katakis,
supra.
It therefore affirmed the District Court Judge’s order
granting Katakis a judgment of acquittal.
U.S. v. Katakis, supra.
Great case to illustrate how a simple software utility (there are far more complex ones) can bring about charges.
ReplyDelete