CHAPTER 2
The Proliferation of Data Available for Discovery

James P. Martin and Harry Cendrowski

The same technologies that make cloud computing possible (i.e., the pervasive availability of high-speed wide-area network connections for devices of all kinds) have also enabled the capture of data related to virtually every aspect of our lives. Smart devices are in communication with central data repositories exchanging information about our personal habits and preferences, where we go, and what we do. E-mail and other communication are available at our fingertips, no matter where we are, and a host of social media applications keep us in constant communication with friends and business contacts; this data is also correlated in databases designed to help marketers serve us with advertising intended to be specific to our needs.

The industry and technologies that capture and collate this expansive set of personal information is often referred to as Big Data. Big Data vendors promise enhanced customer interactions, more specifically, the ability to more accurately target potential buyers at the moment they are considering a purchase; this is their stated reason for collecting all that data. Device and operating system manufacturers design their systems to capture and share data with Big Data, and, in turn, utilize big data to refine their offerings. Advertising revenue driven by Big Data is the engine that makes many of the services available in the cloud “free” of cost.

From a litigation and investigation perspective, there is more data available about a subject than at any previous time in history. Much of the data captured would be of direct interest to investigators or parties to litigation depending on the particular legal issue at hand. Cases emerge every day in which attorneys and investigators apply an innovative investigative analysis to data to create a picture of the subject or to support theories about events leading up to the case. Today, investigators and attorneys need to understand the types of data available about subjects, and how to access such data.

Data can reside on a local device, for example, a personal computer, tablet, or smartphone, or it can reside in the hands of a third-party service provider, like Google, or other third party. Technically, accessing data on a local device is relatively easy, and accepted forensic procedures are defined to allow such data to be used in a legal forum. From a legal perspective, accessing data on a local device can become complicated depending on specific circumstances of the case and the device; many of the nuances of such discovery are covered in detail in this book.

For civil litigation, discovery often hinges on ownership or control of a device. Some devices have clear ownership: for example, a company-owned computer installed at an employee’s workstation. Many companies have computer use policies that clarify the ownership of the device and all data included on the device. Under current laws and regulations in the United States, a company should have little trouble examining the device for relevant data and using that discovery for litigation purposes.

On the other hand, some companies allow employees to bring a personal tablet or smartphone to the workplace, and allow them to be used for business purposes. This has become known as Bring Your Own Device (or BYOD), and it tends to muddy the discovery process. Courts are still deciding whether the company has a right to access the device without the owner’s permission, and to what extent such data can be used. Divorce cases frequently involve the family computer, one that is used by both parties to the litigation, and may contain financial information about the family unit, or each party individually. Under many circumstances, either party would be able to access the device and obtain the underlying data; however, in certain circumstances, access may become complicated.

On the criminal side, examination of a device may fall under criminal search and seizure procedures that may not yet be universally applied. If a suspect is arrested, do the police have a right to examine the contents of a smartphone found in his possession? What about computer drives or flash drives? Some law enforcement agencies have claimed a digital device is a “container” that is subject to search the same as a suitcase or purse. Courts have differed on the interpretation, with some jurisdictions requiring an additional search warrant and some that allow the search.

Accessing hosted applications, including e-mail systems, social media sites, and cloud computing solutions, is often driven by identification of the “subscriber” who would have control over the account. The subscriber is often the person who can authorize disclosure of the contents of the systems, and courts differ on the procedures for compelled disclosure. Discovery of data hosted by third-party service providers is generally covered by the restrictions of the Stored Communications Act (SCA) of 1986, which prohibits a service provider from releasing information to a third party. Accessing data held by a third-party provider is frequently the subject of litigation, and courts frequently differ about the type of data protected by the SCA and procedures to access that data.

An Example of Third-Party Data: Google Search Engine

Google is not exclusive in their data-gathering activities; these are highlighted here as an illustration of the extensive types of information captured.

The Google search engine records and collates every search a user has ever performed when logged into Google services, irrespective of the device with which the search was initiated or the Google service that was used. Google services include web search, image search, news search, Gmail (both personal and corporate), YouTube, and Maps, among others. Once a user signs into Google services on a device, Google starts tracking search activity. Let’s say a user signs into their personal Gmail account at work, and performs some web searches using Google. Then they go to lunch and use Google maps to find the restaurant. Both searches will be recorded in the search history for that Google account. Google also accesses and stores information directly from the mobile device, including call information and location data.

Google describes collecting such information in terms of providing a better experience, like providing advertising specific to your interests or finding the people who matter most to you online. The extent of data collected by Google is expansive, and is described in their privacy policy:

• Information we get from your use of our services. We may collect information about the services that you use and how you use them, like when you visit a website that uses our advertising services or you view and interact with our ads and content. This information includes:
  • Device information
  • We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate your device identifiers or phone number with your Google Account.
  • Log information
  • When you use our services or view content provided by Google, we may automatically collect and store certain information in server logs. This may include:
    • Details of how you used our service, such as your search queries.
    • Telephone log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information, and types of calls.
    • Internet protocol address.
    • Device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request, and referral URL.
    • Cookies that may uniquely identify your browser or your Google Account.
  • Location information
  • When you use a location-enabled Google service, we may collect and process information about your actual location, like GPS signals sent by a mobile device. We may also use various technologies to determine location, such as sensor data from your device that may, for example, provide information on nearby Wi-Fi access points and cell towers.
  • Local storage
  • We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.
  • Cookies and anonymous identifiers
  • We use various technologies to collect and store information when you visit a Google service, and this may include sending one or more cookies or anonymous identifiers to your device. We also use cookies and anonymous identifiers when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites.1

A user’s Google search history is available at www.google.com/history; the user must sign in with their Google credentials to view their account. Once in the account, specific items may be flagged and removed by the user.

Consideration of Data Points in Discovery

In a data-driven world, discovery procedures must be updated to consider data points from new sources. They should also be flexible, based on the particular circumstances. The age-old concept of “modus...