The Tangled Web Mail We Weave and Leave

7-24-2008 National:

It is an understatement to observe that the focus, if not the obsession, of e-discovery production today is the production of e-mail.

In the prototypical e-discovery matter a company has an e-mail server and workstations (desktop or laptop computers) and company e-mail, i.e. the kind with the e-mail address, "employee@company.com," will be found on both. Web-based e-mail, however, provides a second generic source of e-mail. Anyone with an AOL, Yahoo, Gmail, Comcast or other common e-mail account -- virtually everyone -- is familiar with Web-based e-mail. This article explores the problems with requesting, preserving and producing Web-based e-mail.

WHERE E-MAIL IS KEPT

In principle, Web-based e-mail works just slightly differently from "company" e-mail, where the company possesses the e-mail server. For both, incoming e-mail is sent to the server by the sender, through his or her server, and then accessed by the recipient. Outgoing "company" e-mail is sent by the sender to the server and from there to the recipient's server, where the recipient accesses it, while with outgoing Web-based e-mail the sender accesses the Web server across the Internet and sends e-mail from the Web-based server.

There are other differences between company-based and Web-based e-mail server setups. Looking to the Microsoft model as a typical company-based e-mail setup, the workstation has on it an e-mail application, such as "Outlook," which is designed to compose and save (at user initiative) both outgoing and incoming e-mail to the workstation. Outlook works with an Exchange Server, where outgoing and incoming e-mail also reside. Whether e-mail is saved to the server, the workstation or both, and whether the workstation and server are "synced" so that a deletion in one is a deletion in the other, for example, are all choices which the company's IT department will make.

By contrast, some Web-based e-mail applications are designed to allow the user "local" storage to the hard drive while others have no such feature. As for server-based storage, again, this varies from Internet service provider to provider, and there may be restrictions as to how much may be stored on the ISP's server and for how long.

One final twist is that Web-based e-mails are, unbeknownst to the average user, "cached" -- that is, automatically saved -- on the hard drive of the user's workstation. The user has no access to these e-mails, but a forensic analyst can easily recover them using computer forensic tools.

Both company and Web-based e-mails can have duplicate e-mails automatically forwarded. Often company e-mails are forwarded to e-mail archives, kept by the company or by third-party vendors. Web-based e-mails can be forwarded for the same purpose, but usually are "lower-end" operations, i.e. the forwarding is to a user's designated mailbox as opposed to a commercial archiving operation.

Here are checklists of e-mail locations in both types of systems:

Company e-mail:

Server;

Workstation;

Forwarded locations (e.g., archive).


Web-based e-mail:

Server;

Workstation;

Web-cache;

Forwarded locations (e.g., user mailbox).


TECHNICAL AND LEGAL ISSUES

Several issues arise regarding the preservation of Web mail. For cached Web mail on a workstation's hard drive, whether such Web mail must be preserved or produced will be the subject of dispute under Federal Rule of Civil Procedure 26(b)(2)(B), which allows a party not to produce responsive electronically stored information if it is not "reasonably accessible" because of "undue burden or cost." To preserve a hard drive's cached Web mail, the producing party must make (or have a vendor make) a bitstream, forensic image of the drive, that is, an exact copy of every bit of data on the drive, and then extract the Web mail from that forensic image. The cost of doing that will vary with the vendor, and that cost will be weighed against potential benefits when a court decides any Rule 26(b)(2)(B) motion, so the devil here, as in most places, is in the details.

For Web mail stored on a server, the preserving party will have to identify and have disabled any automatic deletion features of the storage offered by the ISP, such as overwriting when the user runs out of available storage space or deletion after a certain period of time. A standing committee report on Federal Rule of Civil Procedure 37(e), states that "good faith" in preserving data for litigation "may require that a party intervene to modify or suspend certain features of the routine operation of a computer system to prevent the loss of information."

Another approach to preserving stored Web mail, whether stored on the ISP's server or in another user's e-mail box, is to gain access to the e-mail through the user's name and password, export all of the e-mail to an external drive (usually a vendor will do this), and then "verify" that drive by obtaining a "hash value" for it. A hash value is a unique alphanumeric string created by using the media being "hashed" as a variable in a complex algorithm (the forensic image referred to above would also be verified by comparing the hash values of the original drive and the image). Creating a hash value for the extracted Web mail is a means of verifying that from the point it was extracted it was preserved pristinely.

If preservation of Web mail is not purely historical, and so requires ongoing preservation, a good solution is to configure the client's account(s) to forward copies to another site, as users often do, except that for these purposes the forwarded site would archive the data. Both tasks could be accomplished internally, as the client's IT department or a vendor could create archive accounts.

If the client is an individual or small business without an IT department, Web mail is typically used because small businesses may not have the Outlook/Exchange e-mail architecture. For those clients, it would be best to have a vendor archive the data, so as to avoid the suspicion that the client has tampered with the archive. That suspicion can arise in a larger company as well, but the larger the business and the greater the production of e-discovery is a standard operating procedure for that business, the less likely suspicion will arise.

A litigant seeking to discover Web mail may say, "Why do I care about the producing party extracting their own Web mail? Why would even want such a thing? I'd rather go to the source itself -- the ISP (AOL, Yahoo) -- with a subpoena."

There are two problems with this approach.

The first is that the ISP may not have as many e-mails as the party itself does. By the time a requesting party realizes it needs to make its request, months if not years have passed between when the e-mails were generated and the date of the request. ISPs do not keep e-mail for months or years; indeed, it is because of this issue that for years law enforcement has sought (so far unsuccessfully) federal legislation to require ISPs to keep e-mails for prolonged periods (such legislation is not popular with ISPs, who would have to purchase many more servers to hold those e-mails). The requesting party often has a much better chance of getting e-mails from the producing party than from the producing party's ISP.

Second, it is not clear that the requesting party has the legal authority to compel the ISP to produce the e-mails. The Electronic Communications Privacy Act, 18 U.S.C. §§2701-03, governs how federal, state and local law enforcement may obtain e-mail from an ISP. ECPA makes it a third-degree felony for an ISP to release information or for a person to obtain information from an ISP except as provided for in the law. Under ECPA, law enforcement may obtain information from an ISP, including e-mails, by following any of several different paths, depending upon the nature of the information. ECPA makes no provision for private parties to obtain information from ISPs. The recent trend has been for courts to hold that because ECPA has no explicit provision for a civil litigant -- as opposed to law enforcement -- to obtain information from an ISP, civil litigants are affirmatively precluded from obtaining such information. State and federal courts making such rulings include those in In re Subpoena Duces Tecum to AOL LLC, No. 2008 WL 1956266 (E.D. Va. April 18, 2008) and O'Grady v. Superior Court, 44 Cal. Rptr. 3d 72 (Cal. Ct. App. 2006). But in Gonzales v. Google Inc., 234 F.R.D. 674 (N.D. Cal. 2006), a judge in the Northern District of California reviewed Google's challenge to a civil subpoena by referring to the standards in the Federal Rules of Civil Procedure without so much as mentioning ECPA. While none of these opinions is the last word regarding the issue of whether ECPA's silence concerning civil litigants is a bar to their obtaining information from ISPs, or whether that silence is there simply because ECPA was meant to address law enforcement and not to disrupt the subpoena power already in place under the federal rules and elsewhere, the opinions at a minimum present obstacles for the requesting party to overcome if seeking e-mail from an ISP.

Finally, when determining whether to produce Web mail, counsel must understand for what purpose the client has used that Web-based e-mail. It cannot be overemphasized that it is counsel's duty, and not the client's, to produce discovery. This principle was underscored earlier this year in Qualcomm Inc. v. Broadcom Corp., 2008 U.S. Dist. LEXIS 911 (S.D. Calif. Jan. 7, 2008). When a client has Web mail in the workplace, whether alone or alongside company-based e-mail, the client will often claim that the Web mail, or perhaps certain Web mail accounts, is "personal" and not business-related, and so should not be collected or reviewed. Often the client's claim that the Web mail is personal and has no business-related materials on it is accurate, but whether the client is accurate, mistaken or somewhere in between, the legal question is whether counsel can decide not to review e-mails solely based upon the client's representation that the e-mail account was used only for personal reasons. Counsel must consider not, or at least not only, how much resistance the client puts up to reviewing that "personal" e-mail, but how such an answer would look in court. The answer may look dubious from the start, since it is easy for a producing party to hide responsive e-mails by claiming they are "personal," it is relatively easy for counsel to review those "personal" e-mails in question and the court will most likely not care that the client does not want them reviewed. Furthermore, the requesting party need produce only one e-mail from the client's "personal" account for the court to become very angry very quickly. If, relying upon the client's representations, the producing party has not preserved the e-mails and, several months or years later the "smoking gun" e-mail from the personal account surfaces, chances are the producing party will not at that later date be able to produce all or even most of what it could have produced had the "personal" account been preserved. Producing counsel, then, must counter the client's antipathy to preservation and review with the "parade of horribles" that can arise from not preserving.

Web-based e-mail can be a fruitful source of e-discovery. To think intelligently about seeking and producing Web mail, all parties must understand the limitations, both legal and technical, in storing Web mail, the places it can be found, and the means of producing it. ..News Source.. by Leonard Deutchman, Pennsylvania Law Weekly