Forensic Investigation
Breaking Code Silence’s Investigation
According to BCS’s Complaint, in early March 2022, one of BCS’s board members was making changes to BCS’s website. The board member searched for BCS’s website on Google Search to see how the changes looked. However, when she searched for the website on Google, she could not find it. BCS then launched an improper forensic investigation as to why the website was not appearing on Google Search and failed to preserve the necessary evidence to determine who was responsible for the deindexing.
The first primary investigator was a self-taught webmaster who admitted to having no qualifications relevant to forensic investigations. The second primary investigator was Jesse Jensen.
From Mr. Whiteley’s Motion for Summary Judgment:
“Jensen is a purported “forensic data privacy analyst,” a technology position that Defendants’ expert has never heard of. (Walton Decl., ¶¶35-37; Ex. 48, pp. 31:10-45:3.) Jensen also lacks the qualifications to do a forensic investigation. (Walton Decl., ¶¶35-37.)
Jensen began his investigation on March 11, 2022. (Ex. 48, pp. 90:6-91:4.) Like Beauregard, Jensen looked at the Google Search Console to see that requests to temporarily remove the .Org Domain from Google Search were made on March 8 and 9. (Id., p. 93:8-13.) Jensen also saw that when he signed on to the Google Tools on March 11 (two days after the request was allegedly submitted), Whiteley had ownership access. Based on these facts and, having been told that Defendants were known to be “hostile” to BCS, Jensen concluded that it must have been Defendants who submitted the deindex request. (Id., pp. 100:16-101:10; 154:16-25.)
On March 12, Jensen was able to cause the website to appear on Google Search again. (UMF 53.) Jensen produced a one-page report attaching no evidence and containing no discernable analysis, accusing Defendants of using the Google Search Console to deindex the website. (Walton Decl., ¶¶9, 38-41; Ex. 48, pp. 81:13-82:21; Ex. 65.)
In conducting its “investigation,” BCS failed to take the necessary steps to collect and preserve the digital evidence necessary to determine whether someone accessed a BCS account without authorization and, if so, who. (UMF 5.) While speaking to Google support, Jensen did not even ask who made the deindexing request because he already presumed it was Defendants. (Ex. 48, pp. 100:16-101:10.)”
After his investigation, Jensen produced this one-page report without any additional attached evidence or analysis.
Jensen admitted the following during his deposition:
- Jensen possesses no cybersecurity or forensic certifications
- Jensen never took a class on cybersecurity for either of his degrees
- Jensen never received any formal education on cybersecurity
- Jensen never attended a seminar on cybersecurity
- Jensen never gave any outside presentations on cybersecurity
- Jensen never published any publications on cybersecurity
- Jensen does not belong to any professional organizations related to cybersecurity
- Jensen does not have a background in law or law enforcement related to cybersecurity
- Jensen never has been formerly employed as a forensic investigator
To review Jensen’s deposition on the matter, see Page 31 Line 10 through Page 39 Line 3.
Note: Despite initially identifying Jesse Jensen as a “forensic data privacy expert” in their Complaint and subsequent discovery responses, Breaking Code Silence chose not to designate Jensen as an expert witness or even retain any expert witness in this action.
McNamara and Whiteley’s Forensic Expert
In March 2023, Mrs. McNamara and Mr. Whiteley’s counsel retained Clark Walton, Esq to investigate the allegations in Breaking Code Silence’s complaint. Mr. Walton’s professional experience includes:
- Intelligence Analyst/Cyber Threat Subject Matter Expert for the Central Intelligence Agency (CIA)
- Honors Intern for the Federal Bureau of Investigation (FBI)
- Homeland Security Staff for the White House
- Senior Civil Enforcement Attorney for the North Carolina Department of Justice, Attorney General’s Office
- Assistant District Attorney for the State of North Carolina 26th Prosecutorial District
- Taught courses in Evidence and Cyber Crime at the Charlotte School of Law
- Currently teaches digital forensic coursework at the National Computer Forensics Institute
- Managing Director of Reliance Forensics, LLC
- Conducted or oversaw over 1,750 digital investigations on behalf of legal counsel, corporate entities, and individuals.
In this case, Mr. Walton reviewed evidence provided by Breaking Code Silence as well as conducted an expert review of their systems. He submitted the following declaration in support of Mr. Whiteley’s Motion for Summary Judgment:
Evidentiary Standard
From Whiteley’s Motion for Summary Judgment:
“Thus, BCS’s entire case rests on the belief that (1) only a handful of people had the administrative access necessary to submit a deindex request, and (2) of those people, Defendants are the most likely persons in that group to have done it. As shown in the preceding section, BCS’s argument falls apart because Whiteley did not have administrative permissions at the time of the deindexing. (UMFs 44-45.) However, even if Whiteley did have administrative permissions at the time of the deindexing (which he did not), BCS’s evidence is thinly circumstantial at best and insufficient to overcome summary judgment.”
To quote a motion from a largely cited case (LVRC Holdings LLC vs Brekka):
“18 U.S.C. § 1030(a)(4), requires a plaintiff to present evidence on four elements: (1) defendant has accessed a “protected computer;” (2) has done so without authorization or by exceeding such authorization as was granted; (3) has done so “knowingly” and with “intent to defraud”; and (4) as a result has “further[ed] the intended fraud and obtain[ed] anything of value.” P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC., 428 F.3d 504, 508 (3rd Cir. 2005) (quoting statute). Proving a violation of the CCFA requires a detailed examination of hard evidence, and, as a practical matter, proving civil liability under the CCFA will mirror the standard for proving criminal liability. See id. at 509. In P.C. Yonkers, it was uncontroverted that defendants had accessed plaintiffs’ computer system after leaving plaintiffs’ employment. Id. The Third Circuit, however, affirmed the district court’s decision to deny plaintiffs’ request that defendants be enjoined from using plaintiffs’ trade secrets to operate competing stores because plaintiffs could not prove defendants had obtained anything of value through the unauthorized access. Id. Plaintiffs urged the court to draw inferences of intent and that the defendants obtained valuable information from the mere fact that unauthorized access had been shown. Id. The court rejected that invitation, holding, “the elements of the claims asserted are part of a plaintiff’s burden. That information was taken does not flow logically from mere access.” Id. (emphasis added). Similarly, in this case, plaintiff must prove that it was defendants who used LVRC’s administrative function to access Load’s computer system.”
The Brekka case, widely considered to be one of the leading authorities on the CFAA in the Ninth Circuit, drives this point home. In Brekka, an employee was accused of logging into his employer’s website after his termination. Specifically, two months after the employee’s termination, the company’s marketing consultant saw that someone was logged into the website using the employee’s email address. The consultant was also able to see the IP address of the login as well as the location of the internet service provider from which the access occurred, and noted that the location matched the employee’s known location. Notwithstanding this evidence, the court granted summary judgment finding that the employer failed to raise a genuine issue of material fact. The Brekka court found that the evidence of the employee’s email and password being used was insufficient because someone other than the employee may have used the employee’s email credentials. The court further found that the location of the internet service provider was insufficient because it did not necessarily show where the person accessing the website was physically located.
The parallels between Brekka and the instant case are plain. In Brekka, there was insufficient evidence to survive summary judgment even though the plaintiff was able to definitively show that the unauthorized access was made by someone using the employee’s credentials. Here, BCS cannot even demonstrate that Mr. Whiteley or Mrs. McNamara’s permissions were used to access the Google Search Console and deindex its website, but rather, assumes that Mr. Whiteley or Mrs. McNamara’s permissions were used because Mrs. McNamara and Mr. Whiteley are “known hostiles.” Like the employer in Brekka, BCS has not eliminated the possibility that someone else accessed the Google Search Console. Critically, BCS cannot eliminate the possibility that its own volunteers inadvertently deindexed the website.
Further, unlike Brekka, BCS did not identify the IP address or the internet service provider location which supposedly accessed the Google Console. As Clark Walton observed, BCS has put forward nothing beyond mere speculation.
To quote the Order granting the motion for summary judgment in the Brekka case:
“The moving party bears the initial burden of showing the absence of a genuine issue of material fact. See Celotex, 477 U.S. at 323. The burden then shifts to the nonmoving party to set forth specific facts demonstrating a genuine factual issue for trial. See Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986); Fed. R. Civ. P. 56(e).
All justifiable inferences must be viewed in the light must favorable to the nonmoving party. See Matsushita, 475 U.S. at 587. However, the nonmoving party may not rest upon the mere allegations or denials of his or her pleadings, but he or she must produce specific facts, by affidavit or other evidentiary materials as provided by Rule 56(e), showing there is a genuine issue for trial. See Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 256 (1986). The court need only resolve factual issues of controversy in favor of the non-moving party where the facts specifically averred by that party contradict facts specifically averred by the movant. See Lujan v. Nat’l Wildlife Fed’n., 497 U.S. 871, 888 (1990); see also Anheuser-Busch, Inc. v. Natural Beverage Distribs., 69 F.3d 337, 345 (9th Cir. 1995) (stating that conclusory or speculative testimony is insufficient to raise a genuine issue of fact to defeat summary judgment). Evidence must be concrete and cannot rely on “mere speculation, conjecture, or fantasy. O.S.C. Corp. v. Apple Computer, Inc., 792 F.2d 1464, 1467 (9th Cir. 1986). “[U]ncorroborated and self-serving testimony,” without more, will not create a “genuine issue” of material fact precluding summary judgment. Villiarimo v. Aloha Island Air Inc., 281 F.3d 1054, 1061 (9th Cir. 2002).”