« Cell Phone Data Extraction and E-Discovery | Main | Steganography and E-Discovery: What will Courts and litigators do when spam contains hidden messages? »

Invisible GIFS and Premature Expert Disclosure

Review of document productions in native digital format can result in premature expert disclosure due to invisible GIFS, also known as "web bugs", and other server "pings" if precautionary tactics are not taken.

There is a split of authority between Courts on whether or not native digital files complete with metadata need to be provided in response to e-discovery requests for documents. Some Courts have taken the view that "flattened" but searchable versions of digital documents should be produced such as in TIFF or PDF formats on the theory that most lawyers can review the documents without the need for experts and such formats are a good metaphor for the traditional 8.5 by 11 page. The resulting digital "pages" can be bates stamped and printed for great ease of use at deposition and trial. After all how do you refer to one of a million emails in an Outlook "pst" file at trial unless it is reduced ultimately to a tangible marked page of some sort.

Other Courts have taken the view that such digital documents should be produced as kept in the normal course of business - so for example - rather than converting Outlook "pst" files to PDF the native "pst" files should be produced with metadata intact.

There is a tendency by counsel in some instances to overlawyer by insisting on getting native digital files complete with metadata in document productions even when such "native" productions do not advance the case in any material manner.

However, few courts would likely oppose compelling production of native digital files when issues related to the integrity of the digital files, metadata, foundation, chain of custody, or forensic matters are actually at issue.

But stay alert to the unintended consequences of analyzing a native file document production. For example, if you load native pst email files into the Outlook software on your PC it is quite likely that the other side, if sophisticated, could know who is looking at such native files and when. It all starts with knowing that emails themselves act like mini web pages and image files in such emails, like a clear "one pixel by one pixel" GIF also referred to as an invisible GIF, can link back to servers which capture the IP address of the image manifesting PC.

For example a number of companies periodically send email that contains links to image files located on their servers - the images are in essence fetched when the email manifests in the inbox thus pinging the image host server. In some instances such links to invisible GIF files (or for that matter visible GIF files) let senders know if someone opened the email and will "radar back to the mothership" the viewer's IP address - the date and time are usually logged with it.

Historically such GIF technology allowed email marketers to track the effectiveness of their programs and maintain a database of "good" email addresses.

Others use such GIF technology to know if the recipient opened the email.

Naturally if the entity that produced the documents in their native format included emails with GIF(s) linked to their servers they may be able to track the IP address of the reviewing PC. This of course creates a reverse privacy trap for the e-discovery analyzer whose IP address can be captured by "the other side's" servers and an IP lookup could be done to prematurely discern the expert's organization and thus resulting in possible premature expert disclosure.

There are a number of safeguards that experts can employ to mitigate the invisible GIF problem. The review can be done behind an anonymous proxy server so the IP address reveals nothing of substance. Another approach is to include a robust firewall that would block the fetching of the GIF(s) from the remote server. The ultimate approach is to make sure there is no Internet connection on the e-discovery reviewing computer - this may prevent some of the "linked to" images from appearing in the email and web related content unless found in the cache. Caution should be exercised by those reviewing native digital document productions from inadvertently revealing their IP address and providing premature expert disclosure.

PrintView Printer Friendly Version

EmailEmail Article to Friend

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
All HTML will be escaped. Hyperlinks will be created for URLs automatically.