INFO[rmation fo]RENSICS

I have seen many references to the Aguilar v. Immigration & Customs Enforcement Div. of U.S. Dep’t of Homeland Sec. case, specifically to the judgement filed in November 2008.  All of the accounts I have read seem to simply be focused on the fact that metadata should be preserved.  While this is great for certain forensic companies that have a product to hawk, it is in no way the most interesting discussion about metadata in this case.

In fact the “need” to preserve and produce metadata has been addressed in such cases as:

Shirley WILLIAMS, et al. v. SPRINT/UNITED MANAGEMENT COMPANY, 2005, and

Ryan v. Gifford, 2007

Both of which address the need to produce and preserve intact metadata.

In reading through Aguilar  I find the extended definitions of metadata and the issue of timing of the request to be the most interesting aspect.

This case stemmed from allegations of unlawful search and seizure.  Plaintiffs filed their initial discovery request in Feb. 2008.  Their request failed to address manner of production – specifically metadata.  In late March the plaintiffs filed a more specific request for certain documents to be produced in TIFF format with separate files documenting metadata fields and text, while others were to be produced in native format (spreadsheets and databases).

In mid-July the defendants objected.  As it turned out they were already well into assembling the requested documents in searchable PDF format.

In ruling on the case Judge Frank Maas takes time to define the different types of metadata using the Sedona Principles:

• Substantive metadata – Created upon generation of a file by an application and reflective of changes made by a user.
• System metadata – Information created by the user or the organizations IT structure.
• Embedded metadata – Information not visible that becomes part of a native file.

He then refers to Federal Rules of Civil Procedure and states:

“Metadata is not addressed directly in the Federal Rules of Civil Procedure but is subject to the general rules of discovery.  Metadata thus is discoverable if it is relevant to the claim or defense of any party and is not privileged.”

He adds:

“[f]or good cause, the court may order discovery of any matter [including metadata] relevant to the subject matter involved in the action.”

He goes on to note that metadata is subject to the balancing test introduced by Rule 26(b)(2)(c) that would require a court to weigh probative value against burden.

This is all pretty standard stuff, and seems to be where a lot of the various forensic firms have stopped in their analysis of this case.  Too bad!  All of this has already been established in other cases (for instance the two I noted above).  There IS more, though, and it is interesting.

The judge states that metadata “has become the ‘new black,’ with parties increasingly seeking production in every case, regardless of size or complexity.”  And then he notes the time difference between the plaintiffs initial request (which did not specify manner of production) and when they actually specified the requirement for metadata.  By this time the defendants “collection efforts were largely complete” and didn’t include the metadata.  Because of this he observes that the plaintiff is essentially requesting a second production and faces an increased burden.

Even this ruling, though, has been well established in many cases – and Judge Maas cites a number of them in his decision.

The real interesting part that seems to be missed in most of the write-ups is what Judge Maas does with this “build-up”.

Relating to the emails to be produced a second time with metadata he rules that since the defendants had previously indicated a willingness to produce the emails with metadata intact that they would be ordered to produce emails that had not already been identified (about 300) with metadata.  It is interesting to me as a forensic examiner that the judge notes that “forwarding” emails kills the original metadata – someone noticed!

In addressing the Back up tapes Judge Maas applies the balance principle in Rule 26(b)(2)(B) and rules against the plaintiff.

Judge Maas addresses “Word processing documents and Powerpoint Presentations” by acknowledging the value of metadata in these documents to establishing timelines, but rejected the plaintiffs argument that metadata is required to efficiently search the documents.  He acknowledges that the probative value of metadata related to these documents outweighs the burden of production.  With this he ordered the defendants to produce the Word and Powerpoint documents with metadata intact with the provision that the plaintiff would bear the cost of production.

Regarding spreadsheets Judge Maas makes an interesting observation.  He states “the relevance of metadata depends upon complexity and purpose.”  While the spreadsheets in question did have formulas, they computed a simple sum and were not complex.  Stating that the plaintiffs had no evidence or reason to think fraudulent manipulation had occurred he found that the arguments of the plaintiff had no “relevance to claims or defenses in this case.”  Regardless, since the defendants had expressed a willingness to produce the spreadsheets in native format prior he ordered their production.

The last type of metadata addressed by Judge Maas relates to the defendants databases.  Previously the parties had agreed to review one of the databases in a live demonstration.  The plaintiff had demurred for lack of an expert to assist in the review.  The judge ruled that lack of an expert was no longer a cause for extension and ordered a date by which the plaintiffs must complete the review.

It is the many facets of metadata addressed that make this case interesting and useful.  I have no idea why others are focusing solely on the “need” to preserve and produce metadata, we already knew that.  Judge Maas has provided us with a fascinating study in metadata that goes beyond need.