Friday, September 11, 2015

Bid-Rigging, Obstruction of Justice and Drive-Scrubber

This post is a follow-up to a post I did last year:  Obstruction of Justice, DriveScrubber and Emails.  You can read more about the case in the story you can find here.
After Andrew Katakis was tried on charges of bid-rigging and obstruction of justice, the jury found him guilty of obstruction of justice, but the U.S. District Court Judge who presided at the trial vacated the conviction and granted Katakis’ motion for a judgment of acquittal. U.S. v. Katakis, 2015 WL 5090792 (U.S. Court of Appeals for the 9th Circuit 2015). The judge granted the motion because he found the evidence presented at trial “was insufficient to show that Katakis actually deleted electronic records or files.” U.S. v. Katakis, supra.
The Court of Appeals began its opinion by noting that “proving Katakis moved emails from an email client's inbox to the deleted items folder does not demonstrate Katakis actually concealed those emails within the meaning of [18 U.S. Code] § 1519”.  U.S. v. Katakis, supra.  It then explained that this prosecution arose from an investigation by
federal authorities into a scheme to rig bids at foreclosure auctions in 2008 and 2009. By 2010, the investigation focused on Andrew Katakis as one of the primary real estate investors helming the conspiracy. On September 1, 2010, Katakis received a letter from his bank informing him that federal investigators had subpoenaed his bank records. On September 3, 2010, Katakis purchased, downloaded, and installed a program called DriveScrubber 3 (`DriveScrubber’) onto his home computer, a Dell (`Katakis's Dell’).

DriveScrubber is a program designed to wipe hard drives clean of all information. DriveScrubber may be used to overwrite all of the information in a hard drive's unallocated or `free’ space. Free space is the portion of the hard drive that is not allocated for the use of the computer's programs or operating system; items that are deleted by a user may `fall’ into the free space. There, the deleted item is not actually removed from the computer right away; the space it occupies on the hard drive has simply been made available to be overwritten. Instead of waiting for another file to overwrite the deleted file by chance, DriveScrubber actively overwrites all data in the unallocated space of a hard drive, permanently erasing any files that had fallen into the free space. Once a file is overwritten by DriveScrubber, it is impossible to retrieve it.
U.S. v. Katakis, supra.  
The Court of Appeals goes on to explain that
Katakis's business partner and alleged co-conspirator, Steve Swanger, kept two computers at their office: an ASUS (`Swanger's ASUS’), and a Dell (`Swanger's Dell’). Swanger's Dell was used primarily for emailing with Katakis, and Swanger's ASUS was used for general internet searching. On Saturday, September 4, 2010, Katakis summoned Swanger to their business office. Katakis told Swanger that he wanted to install a `scrubber program’ on their computers and that there was `nothing wrong with us cleaning our computers.’ Swanger observed Katakis use Swanger's ASUS and perform a search for emails involving members of the bid-rigging conspiracy. At 4:40 pm, Katakis installed DriveScrubber on the Swanger ASUS. This copy of DriveScrubber was different from the one installed on Katakis's Dell. Swanger did not observe any deletions on the ASUS; he only observed Katakis `clicking and moving things around.’

Katakis then moved to Swanger's Dell and installed DriveScrubber at 4:47 pm. The Swanger Dell had 4,000 emails on it, as Swanger was not in the habit of regularly deleting his emails. Swanger kept hard copies of some important emails, because he feared Katakis might try and wipe clean the hard drives some day. Swanger observed Katakis checking boxes on various emails and unchecking those emails that Katakis believed that Swanger needed. Katakis gave up sorting the emails after about five minutes and pressed the delete key. After seeing that it would take a long time for the emails to be deleted, Katakis went home. When he returned to the office on Monday, Swanger noticed that almost all of the emails on his Dell had been deleted from his email inbox.

At 5:37 pm on September 4, 2010, the same copy of DriveScrubber that was installed on Katakis's Dell was installed on the office's mail server (`GD Mail Server’). The server managed all email sent or received in the office through the Microsoft Outlook program. The GD Mail Server was operated by a program called Exchange. Katakis had the authority to install programs on the GD Mail Server and knew that DriveScrubber had been installed on it.
U.S. v. Katakis, supra.  
The prosecution began when the
Government seized the four computers in the course of its investigation into the bid-rigging scheme. When examining Swanger's Dell, the Government discovered ten incriminating emails that implicated Katakis in the conspiracy. Katakis was either a sender or recipient of all ten emails. Swanger was also either the sender or recipient of all ten emails.

The emails were discovered in the deleted items folder in Swanger's email client. Metadata attached to the emails showed that the emails had passed through the GD Mail Server and that Katakis had received and opened all of them. Special Agent Scott Medlin conducted a forensic analysis of the other three computers. Because Katakis's Dell, Swanger's ASUS, and the GD Mail Server were all part of the email network shared with Swanger's Dell, Medlin expected to find traces of the ten emails on these computers. Medlin was unable to locate any trace of the ten incriminating emails, but did not think that enough time had passed for all traces of the emails to be removed by the gradual automatic overwriting process, leading him to believe that Katakis had destroyed them using DriveScrubber.
U.S. v. Katakis, supra.  
The court then explains that based on the
discrepancy between the presence of the ten incriminating emails on Swanger's Dell but not on the other computers, the Government sought and obtained an indictment charging Katakis with obstruction of justice, in violation of 18 U.S. Code § 1519. The indictment alleged that Katakis `deleted and caused others to delete electronic records and documents. KATAKIS also installed and used and caused others to use a software program that overwrote deleted electronic records and documents so that they could not be viewed or recovered.’ Notably, the indictment failed to charge attempt, thus committing the Government to prove actual deletion.
U.S. v. Katakis, supra.  
The court went on to explain that the prosecution went to trial on the theory that Katakis
ran the DriveScrubber program on his Dell, Swanger's ASUS, and the GD Mail Server, to erase all traces of the ten incriminating emails. The Government's key witness was Medlin, who testified as an expert. Medlin testified that Katakis `double-deleted’ emails; that is, he deleted them once from the mail client and then again when he emptied the deleted items folder. After they were double deleted, the emails fell into the free space, where Medlin opined that they were irretrievably overwritten by DriveScrubber.

Katakis called Don Vilfer as a rebuttal expert. Vilfer testified that Medlin's theory of what happened to double-deleted emails was incorrect, based on how the Exchange program on the GD Mail Server worked. According to Vilfer, a double-deleted email would not fall into the free space, as Medlin testified, but would remain within the portion of the hard drive allocated for the Exchange database. The crux of Vilfer's testimony was that, given how the Exchange program operated, it would be impossible for DriveScrubber to overwrite any double-deleted emails, including the ten incriminating emails that were at the heart of the Government's case. Vilfer further noted that the Exchange program itself removed double-deleted emails after a certain period of time, usually fourteen days. Vilfer testified that he was able to recover thousands of double-deleted emails, but he could not find the ten incriminating emails. Vilfer agreed with Medlin that it was suspicious that there were no traces of the ten incriminating emails on any computer other than Swanger's Dell. However, he explained that absence by opining that the ten incriminating emails (including metadata) had been fabricated. The defense sought to draw an inference that Swanger fabricated the ten incriminating emails and the metadata indicating Katakis had seen them in order to implicate Katakis.

In rebuttal, Medlin admitted that Vilfer's testimony was correct: it was impossible for DriveScrubber to have deleted the ten incriminating emails. Medlin testified that his opinion was unchanged, because DriveScrubber could have deleted transmission logs associated with the ten incriminating emails. Vilfer testified in response that deleting the transmission logs would not have deleted the emails themselves.
U.S. v. Katakis, supra.  
Finally, the court explained that
[b]y the time of its closing argument, the Government's primary theory of the case had collapsed. In closing, the Government offered two theories of liability to the jury. First, the Government argued a purely circumstantial case. The ten incriminating emails were present on Swanger's Dell, and both experts testified that they would have expected to find them on the other computers. The only logical inference, the Government reasoned, was that Katakis had somehow deleted them.

Second, the Government relied on Swanger's testimony for an alternative theory of liability. Under this theory, DriveScrubber was only relevant to prove intent. If the jury believed Swanger's testimony that Katakis hit the delete key and sent emails on Swanger's Dell to the deleted items folder, this was legally sufficient to convict Katakis of obstruction of justice. The Government alluded to an additional theory of liability in its rebuttal, arguing that Katakis used DriveScrubber to delete remnants of the emails (the transmission logs).
U.S. v. Katakis, supra.  
The Court of Appeals then began its analysis of Katakis’ argument on appeal by explaining that he was convicted of obstruction of justice 
in violation of 18 U.S. Code § 1519. That statute provides:

`Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States ... or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.’

. . . Section `1519 was intended to prohibit, in particular, corporate document-shredding to hide evidence of financial wrongdoing.’ Yates v. U.S., 135 S.Ct. 1074 (2015). In order to prove a violation of § 1519, the Government must show that the defendant (1) knowingly committed one of the enumerated acts in the statute, such as destroying or concealing; (2) towards `any record, document, or tangible object’; (3) with the intent to obstruct an actual or contemplated investigation by the United States of a matter within its jurisdiction.
U.S. v. Katakis, supra.  
The court went on to note that
[w]e have only one question regarding the sufficiency of the evidence before us: whether the Government carried its burden to show actual destruction or concealment. There is no dispute that there was sufficient evidence for a rational juror to conclude that the Government satisfied the third element, that Katakis intended that his actions would obstruct the investigation into the bid-rigging scheme. A rational juror also could have concluded that Katakis knew or believed that his actions could destroy or conceal the ten incriminating emails. However, the Government failed to charge Katakis with attempted obstruction in the indictment. Therefore, in order to secure a conviction, the Government was required to prove that Katakis actually destroyed or concealed `electronic records and documents.’
U.S. v. Katakis, supra.   
It therefore found that given
Medlin's retraction, there was no evidence upon which a reasonable juror could conclude Katakis used DriveScrubber to irretrievably overwrite (that is, destroy or conceal) the ten incriminating emails from the free space of any of the computers. The theory that the Government presented in its case-in-chief cannot support Katakis's conviction.

Nevertheless, the Government contends the district court erred, because there are three other theories of liability that the jury could have credited that satisfy the elements of the statute: (1) Katakis used DriveScrubber to delete the transmission logs belonging to the ten incriminating emails; (2) Katakis double deleted emails on his Dell, Swanger's ASUS, and the GD Mail Server; or (3) Katakis single-deleted emails on Swanger's Dell, moving those emails from the inbox to the deleted items folder. For the reasons set out below, we agree with the district court that the evidence was insufficient to convict Katakis of obstruction of justice on any of these theories.
U.S. v. Katakis, supra.  
The court began its analysis with the DriveScrubber theory, noting that it relied on
[t]estimony given by Medlin during rebuttal to the effect that, although Katakis could not have deleted the ten incriminating emails themselves, he could have deleted transmission logs generated by the emails. Forced to retract his testimony that the ten incriminating emails could have been deleted by DriveScrubber, Medlin testified that he did not retract his opinion that Katakis used DriveScrubber to destroy electronic records, because he likely used DriveScrubber to overwrite transmission logs generated by the emails.

Medlin testified that transmission logs are generated daily by the Exchange system. These logs resided outside the Exchange database (so they were separate from the emails themselves), and would `remain’ in the program for a period of time before falling off into the free space to be made available for the DriveScrubber program to overwrite. Medlin could not testify as to how long it took for the transmission logs to fall into free space; he noted that there was a default time programmed into the Exchange database (although he did not recall what the default was), but that time could be changed by the system administrator. On cross-examination, Medlin admitted he did not perform an investigation into whether a default time was even set on the Exchange database. Medlin also testified that he did not perform any investigation as to whether any user had entered a command causing the Exchange database to “clean up” the transmission logs and let them enter free space.

Although the Government is entitled to every reasonable inference from the evidence, a conviction may not be based on mere speculation. U.S. v. Nevils, 598 F.3d 1158 (U.S. Court of Appeals for the 9th Circuit 2010). `[A] reasonable inference is one that is supported by a chain of logic, rather than mere speculation dressed up in the guise of evidence.’ U.S. v. Del Toro–Barboza, 673 F.3d 1136 (U.S. Court of Appeals for the 9th Circuit 2012) (quoting Juan H. v. Allen, 408 F.3d 1262 (U.S. Court of Appeals for the 9th Circuit 2005)). The logical chain supporting the Government's theory is as follows: (1) Katakis downloaded and installed DriveScrubber, which, along with Swanger's testimony, demonstrates his intent to destroy incriminating emails and other electronic records; (2) DriveScrubber could only destroy the emails if they were in the free space; (3) the transmission logs enter the free space through one of two ways, either at the default time or through user action; (4) both agents testified that they expected to find email remnants, including transmission logs, on the computers; and (5) no email remnants were found. From this chain of logic, the Government contends a reasonable juror could have concluded that Katakis destroyed the logs using DriveScrubber.

However, the Government's chain of logic misses an important link: there is no evidence whatsoever that the transmission logs were made available, in any manner, for DriveScrubber to overwrite. The Government invited the jury to speculate as to whether the transmission logs entered the free space; the Government's own expert could not testify that they ever did. The transmission logs theory was developed entirely in rebuttal in an attempt to save the Government's case. Make no mistake, the Government's original plan failed. Indeed, the full theory presented here did not crystallize as an argument until this appeal.

The Government did not argue in its closing that deletion of the transmission logs could, under § 1519, constitute the destruction of electronic records; instead, the Government asserted in its rebuttal that the absence of the logs was evidence DriveScrubber was run to delete the emails. In light of the way that this case was tried, it is not surprising that the Government's transmission log theory was half-baked. Medlin admitted he never even investigated the possibility that the transmission logs were removed to the free space where they could have been deleted by DriveScrubber.

In the absence of that evidence, the jury was left to speculate not only regarding how the transmission logs entered the free space but if they ever did so. There was nothing preventing the Government from having Medlin investigate this question and provide evidence, even circumstantial evidence, from which the jury could make the desired inference. However, that evidence was entirely lacking in this case. In the absence of that critical link in the logical chain of inference, the evidence was not sufficient to convict Katakis on this theory.
U.S. v. Katakis, supra.  
The court then took up the “double deletion” theory, noting that it was based on the premise that “a rational juror could have found Katakis double deleted emails on all of the computers except Swanger's Dell, and if he did so with the requisite intent, he violated the statute.” U.S. v. Katakis, supra.  The court explained that it would “assume, without deciding, that double deletion would constitute the requisite concealment or destruction element of § 1519”, but went on to note that “even with that assumption, no reasonable juror could have found on this record that the Government carried its burden to show that double deletion actually occurred.” U.S. v. Katakis, supra.  
The Court of Appeals also pointed out that the prosecution did not present any “direct evidence of double deletion” but, instead, asked the jury to infer that such deletion occurred from certain circumstantial evidence. U.S. v. Katakis, supra.  It explained that the only evidence of double deletion came from a
single fact: that the ten incriminating emails were not found on Katakis's Dell, Swanger's ASUS, or the GD Mail Server. Both experts testified that they expected to find the emails on those computers. In their absence, the Government argues that a rational juror would be entitled to conclude that Katakis double deleted the emails. However, the Government never provided the jury with any mechanism that would explain how Katakis removed the emails from the three computers, given that, as both experts ultimately agreed, double deletion on the email client does not send an email to the free space, where DriveScrubber could have destroyed it.
U.S. v. Katakis, supra.  
It then explained that this was not a case
where a government theory competed with a defense theory. Instead, the Government in this case presented no theory at all to explain to the jury how the emails were destroyed, a fact that was critical to the chain of inferences required to find beyond a reasonable doubt that Katakis double deleted the emails.
U.S. v. Katakis, supra (emphasis in the original).
The court then rejected the government’s final theory – the single deletion theory, which was based on Swanger’s testimony. U.S. v. Katakis, supra.  It explained that Swanger testified
that he observed Katakis press the delete key after screening emails on Swanger's Dell. The Government argued in closing that all the jury needed to find in order to convict Katakis was that he pressed the delete key, thereby moving the emails from the inbox on Swanger's Dell to the deleted items folder.

The evidence was sufficient for the Government to prove the fact underlying this legal theory; all the jury had to do was credit Swanger's testimony. `It is well established that the uncorroborated testimony of a single witness may be sufficient to sustain a conviction.’ U.S. v. Dodge, 538 F.2d 770 (U.S. Court of Appeals for the 8th Circuit 1976). Further, the ten incriminating emails were discovered in the deleted items folder of Swanger's Dell, raising at least a colorable inference that Katakis deleted them. The district court recognized that the evidence was sufficient to prove the fact that Katakis single deleted the emails. However, the district court held that single deletion was not sufficient to give rise to liability under § 1519. We agree.
U.S. v. Katakis, supra.  
And, finally, the Court of Appeals went on to explain that
[o]ur conclusion that the evidence was insufficient to convict Katakis for single deleting emails rests upon the unique factual circumstance that pressing the delete key in this context serves only to move an email from one file folder to another. Section 1519 was drafted to prevent corporate document shredding. The digital context threatens to expand § 1519 and its potentially harsh punishment well beyond its intended reach. We are hesitant to expand the reach of § 1519, in part because the Government barely developed the facts necessary to support the single-deletion theory at trial and we are left without many of the facts that might prove actual concealment.

As with the other theories raised on appeal, the single-deletion theory was an afterthought, a comment the Government made at closing and now urges was sufficient to warrant a potential twenty-year sentence. Accordingly, we cannot endorse the Government's reading of the statute. Actual concealment must do more than merely inconvenience a reasonable investigator—there must be some likelihood the item will not be found. That low bar is not met in this case.
U.S. v. Katakis, supra.

It therefore affirmed the District Court Judge’s order granting Katakis a judgment of acquittal.  U.S. v. Katakis, supra.  

1 comment:

Darren Chaker said...

Great case to illustrate how a simple software utility (there are far more complex ones) can bring about charges.