Digital forensics examiners constantly confront ethical dilemmas for which they are ill prepared. The profession has endeavored to provide examiners with a framework within which the digital forensics examiner must
not only recognize, classify, and manage ethical dilemmas, but also respect boundaries and honor obligations.
This framework is the code of ethics. This article will continue the discussion from the last issue on the need
for and contours of these codes.
Privacy and Confidentiality Issues
The fact that most examiners work under the aegis of an attorney is a matter of special concern that has
received little attention in the discipline: the attorney who employs the examiner is obliged to serve in a
supervisory capacity and is vicariously responsible for the examiner’s conduct.1 The oft-overlooked inverse of
that rule is that the ethical standards of fidelity and confidentiality that bind the attorney who employs the
examiner also bind the examiner as the attorney’s agent. These obligations generally fall under three categories: the work product doctrine; the attorney-client privilege; and the duty of confidentiality.
1. Work Product Doctrine
The work-product doctrine protects materials prepared in anticipation of litigation from discovery by opposing counsel. 2 The doctrine enhances a lawyer’s ability to render competent counsel, as the United States
Supreme Court observed in Hickman v. Taylor:
[I]t is essential that a lawyer work with a certain degree of privacy, free from unnecessary intrusion by
opposing parties and their counsel. Proper preparation of a client’s case demands that he assemble information, sift what he considers to be the relevant from the irrelevant facts, prepare his legal theories,
and plan his strategy without undue and needless interference. 3
It is therefore imperative that both attorneys and examiners understand the doctrine and how it applies to
digital forensics examinations. Enjoying the privilege of work product immunity is one of several reasons the
expert should be directly retained by the attorney, rather than the attorney’s client.
Some practitioners conflate the work product doctrine with the attorney-client privilege (discussed below).
Although the work product doctrine is broader than the attorney-client privilege, it is not a privilege, but
rather a limited immunity from production, which can be overcome in certain situations. 4 The doctrine
applies in both civil and criminal cases, 5 and protects not only documents and tangible things prepared by
attorneys, but also those prepared by an attorney’s “consultant, suretie, indemnitor, insurer, or agent.” 6 In the
context of such examinations, the work product doctrine also covers the “mental impressions, conclusions,
opinions, or legal theories of a party’s attorney or other representative concerning the litigation.” 7 A prudent
expert should, therefore, take affirmative steps to keep confidential the software and hardware used during
the examination, as well as his or her theories, algorithms, cryptology, notes, tools, processes, methods, search
queries, resource materials, mental impressions, and techniques. And, because the doctrine may be overcome
in limited circumstances, some attorneys may instruct their experts to refrain from memorializing preliminary
findings in writing. 8
In 2010, Fed. R. Civ. P. Rule 26 was amended to give experts’ draft reports the protection of the work
product doctrine, exempting them from mandatory disclosure. The rule expressly provides that the doctrine
applies to “protect drafts of any report or disclosure required under Rule 26(a)[( 2)], regardless of the form in
which the draft is recorded.” 9 The amended rule also applies work product protection to communications
between experts and the counsel who retain them, 10 with three exceptions: 1) communications pertaining to
the expert’s compensation; 2) facts or data that the attorney provided and the expert considered in forming
Professional Ethics in the Digital