Since his investigation into Russian election meddling began in 2017, Robert Mueller’s team has launched a massive eDiscovery effort: seizing hard drives, exporting email accounts, and sorting through several terabytes of digital information.
The inquiry could be the most significant document review project ever, and guilty pleas by Michael Cohen and Paul Manafort illustrate the potential power of all this electronic evidence. But the investigation also highlights the risks inherent to archaic eDiscovery approaches, as Mueller now alleges that some of these discovery materials have been leaked in an attempt to undermine his investigation of Concord Management LLC, a Russian catering company accused of aiding social media interference in the U.S. election.
After Leaks, Mueller Moves to Lock Down Discovery
Mueller’s case against Concord has been working its way through the federal courts since last February, but it has caught a recent wave of press due to these explosive new data breach allegations—as well as the defense counsel’s imaginative motion writing (he included a profane quote from Animal House in his last brief).
In an 18-page court filing published last week, which is technically an opposition to Concord’s recent motion to reduce discovery restrictions, the Special Counsel argues that previous “mishandling of non-sensitive discovery” in the case illustrates that sharing “sensitive” documents with Concord executives could pose a national security threat.
The incident Mueller is referring to occurred last October when a Twitter account called @HackingRedstone disseminated links to a website which purported to contain “all the files Mueller [has] about the IRA and Russian collusion.” While a sizeable portion of the “leaked” data was unrelated to the investigation, the rogue site did contain over 900 discoverable documents from the case, and Mueller seems to be suggesting that the defense team, or their client, had something to do with the breach.
If Mueller is right and Concord did leak the documents, that could certainly impact the accuracy of his investigation. The reality, however, is that no one is quite sure how those documents got out.
Reading through Mueller’s filing, it is obvious how uncertain—or at the very least, evasive—both sides seem to be about the source of the leak. The defense insists they had nothing to do with it, claiming that the discovery vendor they hired reported no unauthorized access to the documents. Meanwhile, Mueller is quick to assign blame, noting that the webpage contained non-DOJ load-files and can be traced back to a Russian IP address. He insinuates that the leak was a deliberate attempt to discredit the Russia investigation by making it seem like his team has fewer than 1000 documents to make their case, but most of his evidence on this count is circumstantial.
Tweety Bird, Putin’s Chef, and “Firewall Counsel”
Although the national security implications of Mueller’s filing are serious, the motion itself is simply the most recent foray in a long-standing conflict over eDiscovery protocol. Mueller’s indictment of Concord Management has been marred by discovery issues since the beginning, largely stemming from a dispute over whether Yevgeniy Prigozhin, the company’s executive who has been dubbed “Putin’s chef,” should be granted access to certain segments of discoverable data.
Back in June, Mueller’s team sought a protective order to block Concord’s American legal team from sharing discovery with outside individuals, including Prigozhin. Although Prigozhin has also been indicted, he has not submitted to the jurisdiction of U.S. courts. Technically speaking, he is a fugitive in this case, and Mueller has used Prigozhin’s non-cooperation to campaign for discovery restriction, arguing that the oligarch’s limited access to documents is “a problem of [his] own making” due to his refusal to appear on U.S. soil.
Finding that Mueller’s team demonstrated “good cause” for restriction, U.S. District Court Judge Dabney Friedrich granted the protective order and appointed a so-called “firewall counsel” to independently review documents and help sort out discovery issues. Under the terms of the order, which is still in effect, Concord’s lawyers are required to get court permission to share discovery with Prigozhin or other outsiders. “Sensitive discovery material” must be stored offline in U.S. offices, and all individuals and entities other than the U.S. defense team are barred from accessing or sharing it without explicit court approval. This “sensitive material” could include “information describing the government’s investigative techniques, identities of people and companies that are cooperating [with the probe], [or] identifying information on individuals in the U.S. who were victims of identity theft.”
Mueller got his way with the protective order, but lucky for those of us following the case (or anyone who enjoys a good courtroom drama, really), the defense team has not taken the judge’s decision lying down. They have since launched an aggressive campaign to loosen the restrictions, alleging that Mueller’s team is being too indiscriminate in their categorization of “sensitive materials”—and they are using creative tactics to plead their case.
Over the course of several motions, Concord’s counsel has made a range of bizarre cultural references, including nods to both Tweety Bird (cited as [Tweetie,1948]) and Casablanca (“Major Strassor [sic] has been shot; Round up the usual suspects”). And most recently, defense attorney Eric Dubelier cited an iconic (and profane) excerpt from Animal House to criticize Mueller’s tactics. "Flounder, you can't spend your whole life worrying about your mistakes! You f**ked up... you trusted us. Hey, make the best of it," read the quote. To which Judge Friedrich replied, “Knock it off.”
Additionally, Concord has accused the Special Counsel of simply “[throwing] a dart at the Federal Reporter” to find a legal basis for ex parte disclosures, disparaged Mueller’s team for withholding a nude selfie from discovery for “national security reasons,” and taken issue with the “firewall counsel,” claiming that the American-appointed attorney, who is supposed to be independent from Mueller’s office, is sharing documents and information with investigators. A hearing on that issue is scheduled for March 7.
Discovering—or Trying to—the Source of the Discovery Leak
Protective orders and intense negotiation are typical in high-stakes litigation—though Tweety Bird is not. The exact parameters of document sharing will likely continue to shift as Mueller’s investigation proceeds. But what’s really striking about this case is how the parties have treated the recent breach of discoverable information—and what their responses reveal about their understanding of eDiscovery, more generally.
Although both Mueller and Concord do an admirable job of deflecting responsibility for the leak, no one seems to know what actually happened: how data from one of the most high-profile investigations in recent memory somehow became public. And this is kind of scary.
When pressed for a theory as to how the discoverable documents got out, the defense team straight-up rejects the premise. They don’t even agree that the files came from discovery in the current case. Instead, they suggest that the webpage was just a “scam peddling the stuff that was hacked and dumped many years ago by Shaltai Boltai,” a previous leak from 2014. But as Mueller points out, this “Boltai” hypothesis barely holds water. Although the webpage contained a good number of random memes and spam, it also included specific documents from Mueller’s investigation, some of which did not exist four years ago. Additionally, the file structure mirrored that of earlier productions in the case, which indicates that the leak was not a random occurrence.
These details suggest that the hack was recent and deliberate, and Mueller wastes no time in emphasizing their significance. In his filing, after briefly pointing out similarities between the webpage and the investigation, Mueller jumps straight to culpability, using naming conventions on the website to implicate Concord’s defense team. Apparently, a number of leaked files appeared within a folder labelled “REL001,” which Mueller interprets to mean that those documents “came from a production managed on Relativity,” the behemoth discovery platform. Mueller argues that, because neither the Special Counsel’s Office nor the U.S. Attorney’s Office used Relativity to produce discovery in this case, the presence of such a folder “suggests that the data was not taken from the [U.S. government].”
Q.E.D., right? Well, not so much. For those familiar with eDiscovery, REL documents would be fairly identifiable because they are preceded by the load-file identifier, but the Special Counsel seems to overemphasize the significance of these labels. As many attorneys know, just because a folder contains “REL” files does not necessarily mean those documents were produced out of Relativity itself. Many document management platforms have pre-loaded templates capable of exporting Relativity load-files. If anything, “REL” files indicate that, at some point, lawyers touched that data. But contrary to the government’s claim, the naming conventions prove very little about the actual source of the leak.
Mitigating the Risk of eDiscovery
In the end, even after 18 pages of speculation, we still have no idea how Mueller’s documents got into the hands of hackers. But we do know that the discovery process was the ultimate source of the leak.
Protective order or no protective order, eDiscovery is risky business. eDiscovery repositories make extremely attractive targets to cybercriminals because they contain a particularly sensitive subset of client data—documents that have been identified as potentially relevant to litigation but not yet purged of confidential material—and because the discovery process involves a lot of sharing and document movement, which is when data is most exposed. And as documents are passed from client, to firm, to third-party vendor, and eventually to the requesting party, each new touch point presents another opportunity for sensitive data to be compromised.
Luckily in this case, the files that got leaked were “non-sensitive.” But Mueller has gathered millions of documents in his sweeping investigation, and this cache likely contains a number of extremely confidential files—as all discovery repositories do. Just last week, his team obtained warrants to search Roger Stone’s voluminous Apple iCloud account, email, and cell phones. And since all of this information will need to be catalogued, reviewed, and shared, it will soon be exposed to the same potential tampering that led to the October leak.
So, if this new Mueller filing teaches us anything, it’s that attorneys should be limiting the number of hands touching their clients' data. As technology becomes more sophisticated, so do threats against data security. Many law firms, despite the growing ability to handle eDiscovery in house, continue to outsource processing and review to third-party vendors. As a result, confidential information is pinging around cyberspace, being touched by an increasingly large number of individuals, and this constant movement means that sensitive information is more vulnerable than it was a decade ago.
The good news for Mueller (and attorneys of any kind) is that there are proven ways to reduce the risk of being hacked. The most powerful way to avoid a breach of this kind is to reduce this new reliance on vendors and outside firms and protect your data in a closed-loop system like Logikcull—rather than waiting until something goes wrong and simply theorizing about file names.
The full text of Mueller’s filing is available here.