They’re talking about changing the federal e-discovery rules to lessen the fear and loathing attendant to preservation of ESI.

The unstated impetus is that federal judges can’t be trusted to weigh preservation and mete out sanctions in ways fairly attuned to facts and culpability. The proposed amendments seek to wrest the gavels from cranky judges whose 20/20 hindsight and outsize expectations operate to impose an impossible, perilous standard nationwide.  Or so goes the rhetoric.

It’s a crock.  We give federal judges a job for life, but can’t trust them to do that job wisely and well?!?  Did we not learn anything from the debacle of mandatory sentencing guidelines?

The proposed changes are driven by the second silent goal of sparing litigants (really their technologically challenged counsel) the chore of knowing enough about electronic evidence and information technology to make defensible decisions about preservation.  “Don’t make us learn anything,” they plead, “just make rules specific enough to protect us from not knowing.” The rub with grafting such specificity onto e-discovery is that information technology moves far more swiftly than rule making, such that amendments like those proposed principally benefit those who can’t or won’t keep up.

Case in point:  One proposed amendment would create a presumption that certain data is excluded from the preservation duty, to wit:

(A) Deleted, slack, fragmented or unallocated data on hard drives;
(B) Random access memory (RAM) or other ephemeral data;
(C) On-line access data such as temporary internet files;
(D) Data in metadata fields that are frequently updated, such as last opened dates;
(E) Information whose retrieval cannot be accomplished without substantial
additional programming, or without transferring it into another form before
search and retrieval can be achieved;
(F) Backup data that substantially duplicate [sic] more accessible data available
elsewhere;
(G) Physically damaged media;
(H) Legacy data remaining from obsolete systems that is unintelligible on successor systems [and otherwise inaccessible to the person]; or
(I) Other forms of electronically stored information that require extraordinary affirmative measures not utilized in the ordinary course of business.

Starting with the word, “deleted,” it’s clear that this list is driven by an outdated understanding of information systems.  “Deleted” in 2011 bears only a passing resemblance to “deleted” circa 2001.  A decade ago, recovering deleted data entailed expense, expertise and effort.  Back then, you needed someone like me–a forensic examiner–to resurrect deleted data with specialized tools and techniques, or an IT specialist to laboriously restore backup media.

Today, operating systems, like Vista and Windows 7, preserve data even after it’s been deleted, stomped on and ignominiously ejected from the Recycle Bin.  Its restoration is now an instantaneous, no cost, three-mouse-click task.  [For details, see my recent post on this called “The Shadow Knows“].  Deleted never meant gone; but now, it doesn’t even mean difficult to get back.

A revised definition of “deleted” applies to e-mail, too.  The last release of the ubiquitous enterprise e-mail application, Microsoft Exchange Server, builds the ability to recover double deleted data (i.e., messages purged from the user’s Deleted Items folder) right into the application, as the Recoverable Items feature.

More-and-more, information is only ‘deleted’ in the same sense we might say the world ‘disappears’ when you close your eyes.  It’s all still right there–all you have to do is look.

There are other problems with the proposed amendment, born of loose language and an outdated perspective on ESI:

  1. The proposed language gives a “get out of jail free” card to “fragmented” data on hard drives, apparently unaware that “fragmented data” is a term of art for storage of data in non-contiguous clusters.  Much active, accessible, responsive data on hard drives is fragmented.  It’s no more difficult to access fragmented data than de-fragmented data; users do it every day without knowing whether the file they’ve opened was fragmented or not.  No doubt the Committee was trying to describe digital forensic artifacts accessible only through data recovery techniques.  That’s one of the problems with getting very specific:  You’ve got to get your terms right, and insure they mean what you intend.
  2. Another outdated notion is the special dispensation made for loss of random access memory (RAM).  There was a time when it was generally understood that RAM meant volatile, ephemeral storage.  But today, thumb drives are RAM; and soon, all laptops will use RAM (SSDs or solid state drives) in place of mechanical hard drives, much as your iPhone and iPad use RAM for non-volatile storage.  Ephemeral?  Hardly!
  3. Temporary internet files?  Okay, I grant they are evidence in only a narrow range of cases; but such cache content isn’t all that “temporary,” nor is it less accessible than other files.  But because it’s ESI we prefer didn’t exist, we pretend it’s different so we’re not obliged to fashion a more rigorous rationale for why we ignore it.  As more and more evidence resides in the Cloud and on social networking sites, is it sensible to summarily dismiss records of online activity as spurious and inconsequential?
  4. When you exclude “metadata in fields that are frequently updated,” how does that foster predictability and defensibility?  Referencing “last opened dates” is little help; not only because no such metadata field by that name exists (they probably meant the last accessed date), but also because the currency and function of the last accessed date changed significantly with Windows Vista.  The last accessed date doesn’t signify the same events it tracked ten years ago.  Here again, precision matters: if you’re going to make rules for information technology, then use the language information technologists use.
  5. How frequently must a metadata value be updated in order for it to be okay to discard?  Does the rule apply with equal force to application metadata (which is embedded in a file and may record communications between collaborators) as it does to system metadata (which is all stored outside the file)?  Should the rapidity of change trump the relevancy and reliability of the information?  Shouldn’t the feasibility and ease of preservation matter most?
  6. The disconnect between the intent and the expression of the amendment comes into sharp relief in the exception carved out for, “Information whose retrieval cannot be accomplished without…transferring it into another form before search and retrieval can be achieved.”  That’s all ESI.  How do we access ESI without converting physical to logical and encoded to decoded content?  That’s what computers do.  How do we text search efficiently without the creation of indices?  How do we retrieve without transfer between media?  How do we review without converting bytes into pixels or droplets?  Yes, I’m almost getting metaphysical here; but if the goal is clarity and predictability, why employ language that is so susceptible to a multitude of interpretations…unless ambiguity is intentional?
  7. Finally, we come to the general exclusion for legacy data and backup data.  Once these sources are gone, it’s easy (leastwise irrefutable) to claim they were merely cumulative.  Too, it’s easy to migrate between systems during the preservation interval, rendering data inaccessible because the proposed rule change doesn’t impose a concomitant duty to maintain accessibility.

This would all be so disheartening were it not for the glimmer of hope inspired by a footnote to the list of ESI excepted from preservation.  It reads, “This specific listing is taken from submissions to the Advisory Committee. Besides asking whether it is sensible and complete, one might also ask whether a list this specific is likely to remain current for years.”

Years?!?  Heck, it’s not current now.  As to sensible, it’s barely comprehensible.  But, the footnote gives me hope that the Committee is asking the right questions and this misbegotten mess won’t make it into the FRCP.  I have good friends on the Committee working on these proposed amendments; whip smart, fair minded folks, to boot.  So, I have reason to trust they’ll ultimately get it right by bringing as much caution to this round of ESI rulemaking as they brought to the last.

My take: We don’t need more specific ESI rules.  We need to become competent implementing the good ones we’ve got.

Advertisements