Electronic Discovery Law Blog Legal issues, news, and best practices relating to the discovery of electronically stored information.

Court Orders Imaging to Ensure Preservation of Self-Proclaimed Hacker’s ESI

Posted in CASE SUMMARIES

Battelle Energy Alliance, LLC v. Southfork Sec., Inc., No. 4:13-cv-00442-BLW, 2013 WL 5637747 (D. Idaho Oct. 15, 2013); Battelle Energy Alliance, LLC v. Southfork Sec., Inc., — F. Supp. 2d —, 2013 WL 5818559 (D. Idaho Oct. 29, 2013)

Plaintiff sought an ex parte temporary restraining order requiring Defendants to disable their website and remove information related to allegedly infringing software and also sought to create a forensic image of one defendant’s hard drive(s) to ensure preservation.  The court granted Plaintiff’s application, relying in part on Defendants’ self-identification as hackers.  Upon learning the at-issue source code had already been released, however, the court denied Plaintiff’s motion for a preliminary injunction and partially dissolved the TRO, but continued to retain images of the hard drives.

Plaintiff is the management and operating contractor at the Idaho National Laboratory—“a federal governmental facility owned by the United States Department of Energy”—and was responsible for the development of software intended to protect the nation’s energy infrastructure from cyber attacks.  A former employee (and an individual defendant in this case) who had worked on the software developed a similar and allegedly infringing “open source” version for public dissemination which he marketed on his company’s website.  Also on Defendants’ website was the declaration, “We like hacking things and we don’t want to stop.”  Seeking to stop Defendants’ dissemination of the at-issue source code, Plaintiff sought an ex parte TRO.  Plaintiff also sought to preserve the contents of its former employee’s hard drive(s) by creating a forensic image.

Sparing the details in this summary, the court determined that Plaintiff met the high standard and was entitled to a TRO.  The court then turned to the ex parte nature of Plaintiff’s request.  When seeking a TRO without notice to the adverse party where notice could have been given, a moving party must show that “notice to the defendant would render fruitless the further prosecution of the action.”  In the present case, Plaintiff argued that if given notice of the lawsuit, Defendants would release the source code and destroy evidence.

The court was persuaded to issue the ex parte TRO based in part upon Defendants’ own statement online that the open source software would be released “shortly.”  The court also noted Defendants’ self-identification as “hackers” and that the former employee (and individual defendant) had previously “defied” Plaintiff’s instructions to refrain from dissemination of demonstration videos of Plaintiff’s software on the internet.

To establish that Defendants would destroy evidence, Plaintiff was required to show that “defendants have ‘a history of disposing of evidence or violating court orders or that persons similar to the adverse party have such a history.’”  Accordingly, Plaintiff submitted the affidavit of an employee who testified that in his 23 years of experience it was “very common” for former employees accused of stealing data to “simply delete the data when they are confronted with an investigation, rather than admit wrongdoing.”  Additionally, the court once again focused on Defendants’ claimed hacker status:

In addition, the defendants have identified themselves as hackers, as discussed above. A well-known characteristic of hackers is that they cover their tracks.  Padmanabhan, Hacking for Lulz, 15 Vand. J. Ent. & Tech. L. 191, 197–98 (Fall 2012) (discussing how “hackers (1) log in to computers remotely, and (2) use fictitious Internet protocol (IP) addresses to conceal their identities”); Martin, Vicarious and Contributory Liability for Internet Host Providers, 27 Wis. Int’l L.J. 363, 408 (Summer 2009) (discussing how “hackers will likely become wiser and learn new and more effective ways to conceal their activities.”)  This makes it likely that defendant Thuen will delete material on the hard drive of his computer that could be relevant to this case.  Battelle has therefore shown under Reno Air that “persons similar to” the defendant—a former employee who allegedly stole data and is a self-described computer hacker—have a history of disposing of evidence.

The court then considered Plaintiff’s request for forensic imaging:

The Court has struggled over the issue of allowing the copying of the hard drive.  This is a serious invasion of privacy and is certainly not a standard remedy, as the discussion of the case law above demonstrates.  The tipping point for the Court comes from evidence that the defendants—in their own words—are hackers.  By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act.  And concealment likely involves the destruction of evidence on the hard drive of Thuen’s computer.  For these reasons, the Court finds this is one of the very rare cases that justifies seizure and copying of the hard drive.

Thus, the court ordered that the former employee turn over his hard drive(s) to Plaintiff’s expert for imaging and that the image(s) be delivered to the court for safekeeping.  Plaintiff was prohibited from viewing the image(s) prior to delivery.

Two weeks later, upon learning that the source code had already been released in the open source format (before the TRO was granted), the court issued a second memorandum decision and order denying Plaintiff’s request for a preliminary injunction and dissolving the TRO to the extent it prohibited the source code’s distribution.  The court indicated, however, that it would continue to retain the images of Defendant’s computer(s).