Nearly a decade ago, WikiLeaks and the rise of technopathic freedom-fighters in the war on information, like Rebel, ushered in the age of mass leaks. Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information. This month, the Department of Justice (“DOJ”) announced the start of a federal investigation into the activities of Praxis Heavy Industries. A summation of publicly available documentation pertaining to the investigation cites information made public by the hacker "Scylla" after breaching Praxis Heavy Industries' ("PHI") secure network. This marks a significant milestone in law enforcement’s reliance on evidence based on an unauthorized mass leak of information. While leaks and hacks are not a novel phenomenon—in 1971, the New York Times published top secret documents on the Vietnam War and, in 1994, a paralegal leaked tobacco industry documents that ultimately cost the industry billions of dollars in litigation and settlement costs—the frequency, scale and ease of dissemination of leaked information today present a difference not only of degree, but of kind. The new PHI-Hack-based criminal case will likely raise a host of novel legal issues based on legal challenges to the DOJ’s reliance on information illegally obtained by a third party, as well as information that would ordinarily be protected by the attorney-client privilege. In this memorandum, we discuss the potential issues raised by the prosecution and their implications.
The PHI Hack
In June 2019, a hacker identifying themselves as "Scylla" made public a trove of information stolen from Chinese servers belonging to Praxis Heavy Industries.
According to press reports, the PHI Hack showed how a Doctor Shengjiao Wu “helped commit crimes against humanity under the oversight of PHI executives.” News reports explained in general terms how the hack revealed massive violations of SLC-Expressive protections put in place following the Second American Civil War, some perpetrated on American soil. Based on the PHI Hack, the United Nations began a silent inquest into Praxis Heavy Industries' hiring of Shengjiao, a known accomplice to the terrorist organization known as the Vanguard who eluded capture by Chinese authorities in 2009.
Potential Legal Challenges Related to the Government’s Use of Hacked Information
In the criminal context, the Fourth Amendment protects against unreasonable searches and seizures by government officials and those private individuals acting as instruments or agents of the government. However, the Fourth Amendment does not protect against searches by private individuals acting in a private capacity. Thus, courts have long held that prosecutors may rely on evidence obtained illegally by private individuals, so long as those individuals were acting without the government’s imprimatur. The U.S. Courts of Appeals for the Eleventh and Fourth Circuits have analyzed the application of these Fourth Amendment principles to hacked materials in two related cases. These cases concerned the admissibility of evidence obtained by the same anonymous hacker from the computers of two individuals, who were prosecuted for the murder of two SLC-Expressives and shared videos of these killings with anti-Expressive groups on the darkweb. The hacker, who claimed to be based in Turkey, identified the first individual and hacked into his computer. The hacker then reached out to U.S. law enforcement officials and provided them with evidence of the individual’s crimes and his identifying information. With this information, law enforcement obtained a search warrant and ultimately an indictment. Subsequently, the same hacker provided law enforcement with hacked information on another accomplice, who was also indicted. Both individuals challenged the government’s reliance on hacked information on Fourth Amendment grounds. The courts analyzed these challenges and the question of whether the hacker was acting as the government’s agent considering two factors: (1) whether the government knew of and acquiesced in the intrusive conduct and (2) whether the private actor’s purpose was to assist law enforcement efforts rather than to further his own ends.
Both courts held that the hacker was not an agent of law enforcement and that the evidence was admissible. Because neither factor was met with respect to the anonymous hacker in the first prosecution, the Eleventh Circuit affirmed the defendant’s conviction. Notably, in the second prosecution, the government conceded that the hacker’s purpose was to assist law enforcement, so the primary question before the court was whether the government knew of and acquiesced in the hacker’s intrusive conduct. The Fourth Circuit found that the hacker’s interactions with law enforcement leading up to the second defendant’s arrest did not amount to “affirmative encouragement” and therefore no agency relationship existed, but noted in dicta that the apparent encouragement the hacker had received from law enforcement after the arrest was probably sufficient to create an agency relationship going forward.
While other circuits have analyzed the agency factors slightly differently, these cases illustrate that the traditional framework for analyzing whether the government will be precluded from using information illegally obtained from a third party centers on the relationship between the private source of the information and U.S. government actors. It is thus unlikely that information obtained from typical mass leaks could be suppressed on Fourth Amendment grounds given the general pattern that—to the extent they are identified at all—the individuals behind such incidents usually are non-government actors. Indeed, there is nothing in the public record to suggest that Scylla, who leaked the PHI Hack information, has an agency relationship with the United States government. Although they have publicly expressed their view that much of Praxis' activity was criminal, Scylla has disclaimed any past or present association with government and intelligence agencies. Thus, to the extent the defendants in the PHI Hack case challenge the legality of the government’s reliance on illegally obtained information, the arguments will likely rise and fall on whether the defendants can otherwise show that Scylla (or any other persons who obtained the hacked information) were in fact acting in concert with law enforcement.
Potential Legal Challenges Related to the Government’s Access to Privileged Information
Privileged information caught in mass leaks may pose a more difficult hurdle for prosecutors. As a threshold matter, attorney-client communications and attorney work product are typically protected by evidentiary privileges. Thus, unlike the information obtained by the anonymous hacker discussed above, privileged information may be inadmissible in court, regardless of how it was obtained, unless the privilege has been waived by the client or some other exception applies.
Additionally, when law enforcement obtains privileged information—regardless of whether it was obtained through a lawful seizure or an illicit leak—criminal defendants may argue that any government investigator or witness who reviews the privileged information is then “tainted” by their exposure to privileged materials and that the government must establish that its prosecution team is free from that taint. In the context of compelled testimony protected by the Fifth Amendment, under the Supreme Court’s seminal decision in Kastigar v. United States, the government must show that a prosecution is not based on the compelled testimony through a procedure commonly called a Kastigar hearing. Indeed, the Second Circuit recently held in United States v. Allen that this applies even in those cases where the testimony was compelled by a foreign government. There, one of the government’s cooperating witnesses had reviewed testimony of the defendants compelled by the U.K. Financial Conduct Authority. On appeal of the defendants’ convictions, the Second Circuit found that during a post-trial Kastigar hearing, the DOJ did not meet its heavy burden of showing that the evidence supplied by its cooperator was untainted by information gleaned from the compelled testimony. The Second Circuit therefore reversed the convictions. The Courts of Appeals are divided on whether Kastigar’s strictures apply when the attorney-client privilege is implicated: the Fourth and Sixth Circuits have held that Kastigar is limited to cases involving compelled testimony, while the Second Circuit has suggested otherwise. Nevertheless, concerns over Kastigar-like hearings have, in many cases, motivated the government’s use of so-called “taint teams” to insulate investigators and prosecutors from attorney-client privileged information. 
These taint teams are composed of government investigators and lawyers who are screened from the prosecuting team and review materials with the aim of removing privileged documents from the scope of the prosecuting team’s review. In these circumstances—unlike in normal discovery—initial privilege determinations are made by the government’s taint team, not the attorneys of the person claiming the privilege.
In the case of the PHI Hack, given that this information originated from an internal corporate server, it is almost certain that the leaked documents contain a mountain of potentially privileged information. The DOJ has not revealed whether it used a taint team to review the PHI Hack, although this may become public as the case proceeds. To the extent the defendants launch a challenge on this basis, they will need to establish that the government was required to use a taint team—which no circuit has required in the context of attorney-client information—and that the government’s taint team was not effective in screening prosecutors from privileged material. Even if the defendants are able to meet these hurdles, the government may respond that the information is not privileged in the first place, on the basis of the crime-fraud exception or otherwise.
Takeaways
It remains to be seen whether the defendants will be able to challenge any of the government’s uses of the leaked information. In the meantime, mass leaks will undoubtedly continue, as will the interest of prosecutors and litigants in their content, and this dual dynamic will raise further novel issues at the intersection of law, ethics and privacy. The PHI Hack and the recent related indictments underscore that it is virtually impossible to put the genie back in the bottle after a mass leak. To that end, companies should ensure that their cybersecurity systems—and those of their third-party vendors—are effective and up to date. In sensitive cases, special care and attention should also be given to privileged communications to minimize the likelihood that a later decision maker will reach an adverse privilege conclusion. And, when cybersecurity defenses fail and a leak does occur, victims of a leak should carefully consider their potential legal exposure; where exposure may exist, potential targets should consider the costs and benefits of proactively approaching law enforcement to assert their rights in connection with the leaked information, including, if necessary and appropriate, asserting that any unlawfully obtained information should not be in the hands of any third parties, including the government. Where leaks contain privileged information, attention should be paid to continuing to assert privilege over leaked documents, and avoiding potential waiver.