Yottabytes: Storage and Disaster Recovery

Jun 9 2015   9:44AM GMT

Clear Your Browser, Go to Jail

Sharon Fisher

One of these things is not like the others: Fish. Browser. Backpack. And not knowing the difference could send you to jail.

It’s all part of an unintended consequence of the Sarbanes Oxley Act, writes Amy Howe in SCOTUSblog. “In 2002, Congress passed the Sarbanes-Oxley Act in the wake of the collapse of Enron Corporation, once the world’s largest energy trader,” she explains. “One provision was a response to revelations that Enron and its accountants had destroyed thousands of documents, computer hard drives, and emails that might have shed light on the company and its finances. The law makes it a crime to ‘knowingly . . . destroy any record, document, or tangible object with the intent to impede, obstruct, or influence’ a federal investigation, even if such an investigation has not yet been officially initiated.”

We’re not talking about people deleting terabytes of data. Sarbanes Oxley has been used against individuals for as little as clearing a browser history, writes Juliana deVries in The Nation.

That would be the case of Khairullozhon Matanov, a friend of the Boston Marathon bombers. After he saw them listed as suspects, he went to the police (which, incidentally, he wasn’t required to do), but lied about some aspects of their relationship, according to deVries. “Then Matanov went home and cleared his Internet browser history,” she writes. Eventually, he was charged with four counts of obstruction of justice – three for the lies “and—remarkably—one count for destroying ‘any record, document or tangible object’ with intent to obstruct a federal investigation,” she writes, a charge for which he could serve 20 years. “This last charge was for deleting videos on his computer that may have demonstrated his own terrorist sympathies and for clearing his browser history.”

What makes this sort of expansion of Sarbanes Oxley problematic is that prosecutors do not have to show that the person deleting evidence knew there was an investigation underway, deVries explains. “In other words, a person could theoretically be charged under Sarbanes-Oxley for deleting her dealer’s number from her phone even if she were unaware that the feds were getting a search warrant to find her marijuana,” she writes. “The application of the law to digital data has been particularly far-reaching because this type of information is so easy to delete. Deleting digital data can inadvertently occur in normal computer use, and often does.”

Similarly, David Kernell, who was convicted of breaking into Alaska Governor Sarah Palin’s email account while she was running for Vice President, was charged with felony destruction of records under Sarbanes-Oxley for clearing his browser cache, uninstalling the browser, deleting images he had downloaded from her email account, and defragging his hard drive, deVries writes. “In January 2012, the US Court of Appeals for the Sixth Circuit found that Kernell’s awareness of a potential investigation into his conduct was enough to uphold the felony charge,” she writes.

Defenders argued that the case had not yet been filed, but the court noted that Kernell specifically mentioned his concern that the FBI would find his records, writes Robyn Hagen in Findlaw. Individuals had also been charged with Sarbanes Oxley violations for destroying computer data when they knew about an investigation.

The federal government, for its part, noted that it had used Sarbanes Oxley “to prosecute the destruction of a wide array of physical evidence—including human bodies, bloodstains, guns, drugs, cash and automobiles—in order to cover up offenses ranging from terrorism and the unreasonable use of lethal police force to violations of environmental and workplace-safety laws,” according to Mark Walsh in ABA Journal, who went on to cite another expert as saying that there is apparently no federal destruction-of-evidence statute, which is why Sarbanes Oxley is being used in this way.

But the use of Sarbanes Oxley in the Matanov case, if successful, has all sorts of repercussions. “Think of it another way, outside of the context of terrorism,” explains Susan Zalkind in The Daily Beast. “Imagine your friend, with whom you enjoyed listening to rap music like Notorious B.I.G’s ‘Ten Crack Commandments,’ was arrested in a big crack sting. You don’t sell crack. You didn’t even know your friend sold crack. Maybe he mentioned it, but you thought he was playing around. But you do know federal investigators will now want to talk to you. And, in fact, you want to help. Songs about crack are one thing, but crack itself is a different story, you figure. To keep up appearances, you take down your Biggie poster, delete some of your music, and clear your browser history. The Matanov conviction could set up a precedent whereby you could serve federal time for any of those actions.”

So where do the fish come in? Well, the Supreme Court, watching the creeping Sarbanes Oxleyism of their courts, finally decided that enough was enough, writes Gideon Lichfield in Quartz. Boat captain John Yates appealed the use of Sarbanes Oxley for his crime of throwing undersized fish overboard, in an attempt to keep from being convicted for having fish that were too small. Fish, the court ruled, could not be a record (despite Justice Kagan’s dissent, where she quoted One Fish Two Fish Red Fish Blue Fish, apparently the first time that Dr. Seuss had been cited in the Supreme Court). For a tangible object to count under Sarbanes Oxley, it must be used to record or preserve information, wrote Justice Ginsburg.

“Most of the justices seem to have very little patience with the feds going after John Yates with a white-collar destruction-of-evidence statute that carries a maximum penalty of 20 years in prison, merely because, as [Supreme Court Justice Antonin] Scalia puts it to the assistant solicitor general a moment later, ‘This captain is throwing a fish overboard,’” writes Dahlia Lithwick in Slate. “Scalia is only just getting started: ‘He could have gotten 20 years. What kind of a sensible prosecution is that? … Who do you have out there that exercises prosecutorial discretion? What kind of a mad prosecutor would try to send this guy up for 20 years?’”

“For as long as this case has dragged on, it has gained attention around the nation as a prime example of prosecutors going to absurd lengths to punish someone for reasons that the rest of us find difficult to understand,” agrees Keith Lee Rupp in an opinion in US News and World Report. “The nation’s criminal defense attorneys say the case is a poster child for the way some federal prosecutors try to scare plea deals out of their targets with threats of outrageous punishments if the matter goes to court. This is not a message the Justice Department should want to be sending, but it is.” (To add insult to injury, by the time charges had been filed, the fish size limits had been changed and Yates’ fish would no longer have been illegal, he notes.)

Zalkind also points out that the prosecutor filing these charges against Matanov is US Attorney Carmen Ortiz, the same person who filed what many say were excessive charges against Internet activist Aaron Swartz. They could have resulted in his serving 32 years in prison, and it is widely believed that this is what led to him committing suicide instead.

The Yates case could be used to free another Boston marathon bomber’s friend, Azamat Tazhayakov, who was convicted – in another case prosecuted by Ortiz — of destroying the marathon bomber’s backpack. Apparently, backpacks, like fish, should also be considered to be too far removed from the notion of a record for Sarbanes Oxley to apply to them, writes the law firm of Blank Rome. “Items of clothing and bags of any sort, including backpacks, briefcases, purses, or messenger bags, are now plainly outside of the statute’s compass,” the firm writes.

Interestingly, there was a thumb drive in the backpack, which would have been enough to convict Tazhayakov under Sarbanes Oxley, but the government did not raise the issue of whether he knew about the thumb drive when presenting its case, writes Mark Joseph Stern in Slate. In fact, if the government had used a simple obstruction of justice charge, he likely would have been convicted, but that could have resulted in only a few years of prison, not 20, he writes.

In the meantime, however, browser histories and other deleted information – indeed, any electronic object, according to Blank Rome — are apparently still fair game. “The Supreme Court did not answer the pressing question of how broadly federal prosecutors are allowed to use Sarbanes-Oxley in the digital age,” deVries writes. “Can you be prosecuted for deleting a potentially incriminating tweet? For uninstalling Firefox? For clearing your browser history? How much of their digital data should citizens have to preserve in case law enforcement wants to take a look?”

8 Comments on this Post

  • Veseloiu

    Very often the browser will refuse to work properly until one clears the cache. This may be the first thing Tech support does or recommends in such cases and this is often done by clearing everything (unless one specifically excludes the clearing of history).

    Or the child watches porn (or other unacceptable content) on dad's computer and then clears the cache and the history to hide his/her tracks

    Or dad goes to some dating sites and then clears history and cache so mum does not find out

    Does this mean one (i.e. the dad... or the child?) may go to jail because falling foul of SOX?

    However morally wrong the mechanism may be, this should have nothing to do with SOX and yet if later some organisation may decide to investigate for some reason, this could possibly give an over-zealous prosecutor the reasons (s)he needs to charge under SOX


    100 points
  • Sharon Fisher
    Yes, it does mean that. Especially in the case of deleting porn, because there's already case law on that.
    9,680 points
    It is the old Shotgun approach in action... Throw everything you can think at the defendant and hope something sticks. I would never have approved this if I was sitting on a Grand Jury nor on a regular seated Jury. Common Sense must be used also. Just because the law permits something by accident, does not mean you should use it. Too bad the penalty phase can't have an additional sentencing item: For each charge NOT found Guilty, the defendant receives a Two year credit on his sentencing on the Guilty(s) - that might stop some of the shotgun prosecutors. They will start only filing what they are sure they can prove.
    110 points
  • TheRealRaven
    ...this should have nothing to do with SOX...

    No machine that falls under SOX should be capable of allowing a child to view improper content nor even to get past the password screen.
    35,650 points
  • Veseloiu

    "Should" is the keyword here :-)

    Today's kids are so ... capable to get their little metaphoric fingers in all the wrong places.....

    Say dad takes computer home to do some work and then something happens phone call whatever he moves away for 5 mins and forgets to lock the screen...

    OK, VPN, firewalls, content blocking ... all this should protect against such instances, but then we keep discovering that despite all that, somebody somewhere got to the wrong place :-)

    Anyway, this is pure speculation about a SOX gone way too far

    100 points
  • TheRealRaven
    Dad quite possibly should 'go to jail' if he takes SOX data home; leaving it unprotected while taking a phone call only compounds the problem. That's a major point of SOX and similar personal/privacy data protections. It's not data you can carry around without appropriate and proper care.

    It's not clear how "SOX gone too far" fits in. It seems to be another way of saying that carelessness is okay as long as you're merely not taking proper cautions rather than being actively malicious. Doesn't that make it pretty difficult to assign accountability?
    35,650 points
  • Ctech
    But then maybe that is still IT's fault...therefore the dept is guilty of not being careful enough...or maybe it is the company's fault for making Dad feel like he has to take work home. If you can blame dad for the moment of indiscretion..to the ridiculous outcome of jail time, then all the IT indiscretions should come into play and everyone goes to jail for not adequately protecting the device?
    65 points
  • TheRealRaven
    That's quite possibly true. The person 'going to jail' should be the one who is responsible/accountable. That's how it's supposed to work, anyway. I have no statistics, but I'd expect that it mostly does work that way. In the examples in the article, it seems that none had an accountability connection to anyone but the named individuals.

    Also, even in the supposed extreme cases, e.g., clearing browser cache in order to clear a browser problem, it doesn't seem to be a SOX violation. A violation doesn't exist when there's no "intent to obstruct a federal investigation". Demonstrating "intent" can be the hardest part of prosecution.
    35,650 points
