eDiscovery Daily Blog

Craig Ball of Craig D. Ball, PC: eDiscovery Trends 2018

This is the fifth of the 2018 Legaltech New York (LTNY) Thought Leader Interview series.  eDiscovery Daily interviewed several thought leaders at LTNY this year (and some afterward) to get their observations regarding trends at the show and generally within the eDiscovery industry.

Today’s thought leader is Craig Ball.  A frequent court appointed special master in electronic evidence, Craig is a prolific contributor to continuing legal and professional education programs throughout the United States, having delivered over 2,000 presentations and papers.  Craig’s articles on forensic technology and electronic discovery frequently appear in the national media and he teaches E-Discovery and Digital Evidence at the University of Texas School of Law.  He currently blogs on eDiscovery topics at ballinyourcourt.com.

You’ve written about mobile devices and collecting from them (and other difficult sources of ESI) and you and I are participating on a panel at the University of Florida Law School on the topic.  Where do you think the legal profession is today in trying to deal with that issue, and what advice do you have for them?

One of these days I hope to come to one of these interviews brimming with optimism and excited about where the legal profession is heading for electronic evidence.  This is not that day.  I read eDiscovery Daily this morning as I always do, and you featured several of the educational sessions here at LegalTech.  You discussed a session about new sources; but, if you look at the session’s topics, it’s about “how do we avoid getting information from these sources?”  How do we advance rationales within our company and the courts to avoid looking where the information lies?  This has been the relentless corporate approach to eDiscovery.  How do we implement “defensible, repeatable” methodologies that functionally free us from the obligation to find, preserve and produce the truly probative evidence in litigation?  There’s been a shift in responsibility for finding inculpatory evidence to the realm termed “cybersecurity,” where it can be more tightly, and ahem, curated.

Corporations and their counsel want to take the most revealing ESI “off the table” for negotiation, so it will not be seen by an eager associate who might say, “this really makes the other side’s case, and we have an ethical duty to produce it.”  They don’t want to face those ethical conundrums.  Better to simply not see that stuff.  As information migrates to cloud sources, as information migrates to an internet of things, as mobile becomes the be-all and end-all of interaction with the web, the cloud, and all our own information, it’s about arguing, “how do we avoid looking to those revealing sources?”

Not to beat a dead horse, but in the description of the session featured, they talk about smart devices and blockchain. I don’t understand why they lump blockchain in with IoT?  It just seems like the planners say, “let’s find the hottest buzz words and throw them in the description.”  They talk about graph databases.  I’m not even sure most people know what graph databases are or how they possibly relate to eDiscovery.  More jargon.  More efforts to avoid addressing the enduring lack of competency in the core disciplines of eDiscovery.

They ask, “Are there limits in the use in legal matters of the internet of things?”  They’re not saying “let’s focus on what’s there and how it will help us make our case; why it will help us find the next Volkswagen defeat device fraud, or the next Wells Fargo opening millions of illegal accounts.”   They’re saying “let’s find a way to limit use of these sources in legal matters, even before we even know what the data can prove.” They seek a way to look away.

They ask, “How do we mitigate the privacy risk of using this information in a legal dispute?”  It’s worthwhile to talk about privacy, it’s certainly very European of us to talk about privacy; but, let’s figure out what we’re dealing with first.

They ask, “From a proportionality standpoint, how does counsel determine whether the burdens of collecting from these data resources, or even just preserving them, are justified by the value of the information?”  I’m sure that when they get together, they’ll have many valuable things to say, so it’s not a slam on these presenters.   My concern is the tenor of how it’s being presented. ‘Let us show you ways not to deal with this. Let us show you ways to avoid new evidence.’

I remember when email was not deemed discoverable. Seriously.  Corporations fought the idea that e-mail was a ‘corporate record’ that could be discovered and that litigants were bound to preserve.  What’s gone around has come around. There are new sources that are being used with greater frequency today than email, and double digit trade-offs between email usage, as it goes down, and messaging and collaborative tools, as they go up by double digit percentages each year.  Yet, we hew to the shopworn and familiar.

We focus on email and 20th century sources–Word documents, PowerPoint presentations, Excel Spreadsheets–when 21st century sources tell better stories: cloud-based sources, collaborative sources and all the messaging tools and apps.  That’s where candor went.  That’s where evidence lives, and where the bodies are buried.  Above all, it’s in mobile.  Mobile’s been my crusade for the last two years. Walk around on the streets of New York, on the Legaltech show floor–go anywhere people go.  They spend fully half their days looking at their mobile device. Mobile serves as their principal means to access online resources, business resources, and communicate.  Mobile has eclipsed everything else.

At the same time, mobile is making measurements and sensing movements and actions.   We are interacting by gesture thousands of times per day.  That’s where the evidence of human behavior exists; yet, we choose to look away.  I want to believe that the law will come back around to the evidence and return to caring about the truth.  But not now.  Everything is defensive today. Corporations have won – the judges are being trained by corporate lobbying organizations. Corporations have changed the federal rules and everything is about clearing the corporate path.  Whether I will live long enough to see that pendulum swing back as it swung back from trusts in the time of Teddy Roosevelt and from abusive labor practices after the Triangle Shirtwaist fire, I don’t know.  Then as now, corporations ran the world, and people got crushed under the wheels.

Corporations are chartered by the states and should exist for the public good.  Is that what we are seeing?  That corporations can now practice their own religions, are deemed to have a right of free speech, is deeply troubling to me.  We’ve lost our minds.  This, too, shall pass. Just not in the time of Donald.

I think regulation is part of what we must come to respect once more. The eDiscovery industry grew as much out of the culture of regulation as out of a culture of litigation. The culture of litigation is reviled and waning, save among the privileged who can afford to turn to the courts.  Less than 1% of cases are tried. That slide has principally occurred over the last 15 years. Talk to any civil trial lawyer and they’ll tell you they never go to trial.   Nobody goes to trial. Even for trial lawyers who prepare for trial, the cases are overwhelmingly disposed of before verdict and before jury selection.

It’s a game of chicken, but the actual entrusting of decisions to judges and triers of fact doesn’t happen anymore. Go down to the court house–go down to Foley Square here in New York–and walk around the courthouses. Other than the disposition of criminal matters and domestic relations cases, you won’t see the kinds of cases we once tried.

Some judges admit that they are leaving the bench because cases aren’t tried. They trained to preside over trials.  Civil trials were the fun part of their jobs, and they’re gone. So, we’ll instead see new evidence come through the doors of the criminal courts. For once, it’s not the cops that are behind; it’s the criminal justice system that will first exploit mobile evidence, internet of things and social networking to prove guilt or innocence.  That’s going to be exciting, and it’s happening now.  In the civil justice system, you will hear smart people say stupid things like, “We’ve got eDiscovery down. We’ve figured eDiscovery out.” It’s laughable to me because the same people saying, “We’ve figured out eDiscovery” really mean, ‘we found a bill of goods we can sell to the courts, and we’ve succeeded in neutering judges in their ability to look behind what we do.  We will not be challenged, and when we are challenged, we will simply pay those savvy opponents to go away.”

The squeaky wheels will get the grease, but stiff arming the rest–the litigants who don’t fight for the good evidence–will be so profitable that greasing the occasional wheel works.

So, when anybody tells you we’ve moved on to blockchain, or cybersecurity or artificial intelligence or whatever the buzz word of the moment might be, they are essentially saying, we’ve “licked” eDiscovery.  “We’ve got a defensible process for eDiscovery.  We are not about quality. We don’t care if our process gets the most relevant and probative evidence; all we care about is moving this pile to those piles as cheaply as we can.”

Now, that’s fine for the vendor community. You know what’s expected. You can market to that expectation using the right buzz words. But when everything is just the same, when you’ve completely commoditized what you do, differentiation disappears and people think about bringing it in house, seeking the cheapest “solution.”  Now, vendors bid against themselves as commoditized work goes in house and competitors promote cheaper ways to do the same thing.  Margins collapse.  Consolidation follows.  But, quality is never a part of the conversation. Don’t look at the man behind the curtain: mobile devices.  IOT.  Social networking.  Just take the e-mail instead.

One of the things you’ve written about is that mobile collection doesn’t necessarily require a big forensic collection process. Could you talk a little bit about that and what you think lawyers out there need to know about how it’s not the behemoth it’s portrayed to be?

Thank you for asking me question because you couldn’t have asked about something I more want to talk about and clarify.  Let’s lay a little ground work on that question. First, eDiscovery has never routinely encompassed forensics. Forensics was a deeper dive.  We understood that eDiscovery dealt with existing information from sources deemed readily accessible.  E-discovery didn’t routinely implicate log files, internet cache and system artifacts.. That’s the deep dive stuff. So, if we hew to that sensible dichotomy as we approach new sources, it helps us. What’s readily accessible, and what requires specialized tools and expertise? Most of what we care about on mobile is accessible and requires no expertise.  Shocking!

Phones are probably the most widely used form of sophisticated technology in the world. There are more phones than people. Unlike computer operating systems, Phone operating systems have largely succeeded in locking down data. When you delete something on a phone, it is harder to resurrect that data using forensics than it is to recover a comparable volume of data on a personal computer. One reason for that is phone data is routinely encrypted, and phones universally use solid-state media for storage, whereas most computers still employ electromagnetic “spinning” hard drives for mass storage. Mechanical and solid state media yield different outcomes in computer forensics.

To make a long story short, computer forensics still works pretty well in the realm of the desktop and laptop computer; but, computer forensics has been rendered ineffective in certain respects on the phone.  That’s why, in cases like the San Bernardino terrorist attack or the Mandalay Bay shooter, the FBI is hamstrung in its ability to get information from phones.  That data is encrypted, and the encryption keys are, in turn, encrypted. It’s just harder to do PC-style forensics on a phone. So, we needn’t turn to forensics, because, one, we don’t need to a deep dive in discovery, and, two, those deep dives are often unavailing and expensive: major proportionality issues.

The final factor is the most crucial and that’s, “Can you separate the user from the phone?”  Most people will decline to give up custody of their phones for any significant period of time.  It’s a huge hurdle.  I literally could not call my children without my phone. I do not know their numbers. They are in my phone. That’s true of most people. I would have enormous difficulty finding people without my phone, and there is no other way to contact me but my iPhone. I’ve dropped my landlines.  So, if I am in business, say, I’m a sales rep, to deprive me of my phone is to deprive me of my family and my living. It’s not happening without a fight.

In a setting where we sought to collect phones, three out of ten were wiped when turned in.  Nobody said, “I wiped my phone.” They said, “I tried to enter my password which I had forgotten, and it went back to factory settings.” Three out of ten. That’s extraordinary.  That’s the lengths people will go.

So, if you don’t have to dispossess them of their phones, if you can allow them to remain the custodians of the data being preserved, all that tension goes away.  Too, it costs essentially nothing for people to use the standard backup mechanisms, especially for the iPhone. Cost and scalability aren’t issues because the preservation tools are available without cost, anywhere, for any platform. If you want iTunes for Windows, you’ve got it. If you want iTunes for Apple, you’ve certainly got it – it comes installed on the machine for heavens sakes!! Speed is not an issue because a backup using these tools can be completed in under an hour. As long as you don’t disconnect the phone from the cable, you can continue to use it, making and receiving calls, etc. To me, this is a no-brainer.  You have scalability. Speed.  Low cost.  Ease-of-use.  You have ready availability of software with good security and little support burden. You need not buy a mobile forensics platform and pay thousands of dollars every year to update and upgrade it with every change in the mobile operating system. The always up-to-date compatibility is handled by Apple, by Samsung, by Google, etc.

So, where is the undue burden? Where is the disproportionality? The hard issues are ones of processing, review and production: How will we divide up what’s relevant and business-related?  How do we protect personal, private and confidential communications including financial, medical and family communications?  These aren’t trivial challenges; but, we can’t begin to address them if we don’t routinely preserve relevant mobile content in ways that are quick, scalable, and cheap. That’s what I’ve put out there. I’m not claiming it’s the only way or even the best way; it’s just one simple way that works.

A final point which I think crucial is the controversy surrounding custodial directed preservation. We don’t want the foxes guarding the hen house. But, the appeal of the preservation method I’ve put forward is that if people are doing it themselves acting as custodian of the preserved data, they won’t feel the same compulsion to alter or destroy data.  Too, the methods used don’t really allow them to be selective in what’s backed up.  It’s a monolithic acquisition.  They don’t really have a way to go in and prevent certain information from being collected in the same manner that targeted collection allows people to game the system. If you entrust people to gather their own information, they would be selective about how they shield certain information.  They may look at something and say, “Oooh. That joke I sent around was funny at the time, but after “MeToo,” I don’t want that seen.” So, they will seek to eliminate it.

But with phones, it’s harder to prune data in backup, and that’s good. It puts everyone in a better position.  If it’s already locked in a box, and zipped in a collection of particular date and size, you don’t have the tools or techniques to go in and perform surgery on that collection. It’s a much harder decision for someone to say, “I know I confirmed for counsel six months ago, that I’ve done this, and I gave them the hash value.” Or, “I gave them the metadata values of the zip file that was created. Now, I’m going to make that disappear completely.”

But what they’re not going to be able to do is selectively recreate the past.  Now, you put people in the bind of saying, “I’m going to destroy evidence in a very deliberate fashion, in a way that it will be readily apparent that it was done with the intent to deprive people of information in discovery.” That makes far less likely to occur.  It enables amended Rule 37(e) of the Federal Rules to do the job of guarding against spoliation instead of shielding those who destroy evidence to evade responsibility.

That “all or nothing” is something custodians will accept because they don’t have to give up their phones.  They aren’t threatened in the same way.  If the custodian holds the data, they don’t face that threshold issue of, “Well, I’ve got some stuff in there that’s personal and I don’t want to share.” Instead, employers can say, “No, we’re not taking it from you. All we want you to do is lock it down, put it in a zip file now, and just tell us enough about it, so we can identify it when we need it.” That process means that when and if you come back for it, it’s not likely to have gone away.  It’s also not likely to change after the fact. So, you know you have it when the time comes to negotiate a mechanism whereby you can selectively process it to separate that responsive and discoverable content. We have a lot of work to do on those processes. We’re not doing that work and developing those tools and mechanisms because, right now, the information is not routinely preserved.

Ultimately, there will be real-time eDiscovery preservation of iPhones, presumably to iCloud.  But, I don’t go that way now for several reasons. One is because an iCloud backup is not as complete as a local iTunes backup.  To speed online backup, much content is relegated to other sources.  That’s not ideal.

But, again, perfect is not our standard. We should instead consider the alternative. If somebody says to me, “I’m going to do an iCloud backup,” I’m not going to object.  Instead, I’ll’ ask, “What are you going to do otherwise?” If the answer is, “We’re just going to let the evidence go away. We’re not going to preserve it at all.” I would rather take what I can get, versus the certainty of nothing. “No preservation” isn’t the inevitable alternative to the lack of a perfect preservation mechanism. Right now, “nothing” is generally what’s done.   We need to end that. We’ve got preservation mechanisms that are, what I would call “good enough” for eDiscovery. They’re not a full forensics collection. My forensics colleagues get very heated on this topic. They want a full physical collection of the phone. I understand why; you can get more a lot revealing information that way. But, we cannot  live in a world where the only way information we need for litigation can be defensibly preserved is by hiring forensics experts.  We can’t afford that.

A forensic examiner would say “get it all, it has to be all”.  But, once you take off your forensics examiner hat and put on your eDiscovery specialist hat, you realize that there’s an accessible complement of information that is well-suited to eDiscovery. It’s what we would get with a targeted collection of active data. That’s what we do every day with eDiscovery. If anyone in eDiscovery said, “We must do a forensic examination on every computer we collect,” they’d be hooted out of the room.  No one would hire them, and no corporation would stand for that. Two of the rare times I’ve ever seen that done were in the Bernard Madoff and Enron cases. There was full forensic collection of every device. But, generally, we can’t afford that.

What would you like our readers to know about what you’re doing?

Teaching eDiscovery has come to be my principal focus.  I like developing hands-on IT and forensics exercises allowing students to understand and enjoy how the technology and the law come together.  I believe that a lack of an accessible and engaging information technology curriculum for lawyers, paired with a paucity of technically-adept instructors, are key reasons why there is such anxiety and anger attendant to eDiscovery.  Until we instill a modicum of IT fluency, we cannot expect or demand competency in eDiscovery.  We have yet to teach the teachers, let alone the students.  I hope to help.

Thanks, Craig, for participating in the interview!

Also, we’re getting ever closer to the University of Florida E-Discovery Conference, which will be held this Thursday, March 29.  As always, the conference will be conducted in Gainesville, FL on the University of Florida Levin College of Law campus (as well as being livestreamed), with CLE-accredited sessions all day from 8am to 5:30pm ET.  I (Doug) am on a panel discussion at 9am ET in a session titled Getting Critical Information From The Tough Locations – Cloud, IOT, Social Media, And Smartphones! with Craig, Kelly Twigger, with Judge Amanda Arnold Sansone.  Click here to register for the conference – it’s only $199 for the entire day in person and only $99 for livestream attendance.  Don’t miss it!

As always, please share any comments you might have or if you’d like to know more about a particular topic!

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.