eDiscovery Twist: Las Vegas RICO trial spotlights important distinction between Yahoo Mail and Gmail

Employees of the world’s two largest free email providers recently testified back-to-back at a Federal trial in Las Vegas, about their respective policies for email archiving. Google and Yahoo each sent a witness to authenticate disks containing email evidence in a trial that produced the first-ever RICO conviction for an online conspiracy to trade stolen credit card accounts and identities.

Testimony revealed that Google servers retain everything related to Gmail accounts, including email messages deleted by the user.  But a paralegal from Yahoo testified that the company does not retain emails deleted by Yahoo Mail users. (Note: Yahoo’s website advises users who want to recover deleted email that it’s possible to do so for seven days after deletion. Habeas Hard Drive contacted Yahoo for clarification, but the company declined comment.)

The difference between the Yahoo policy and Google’s “we store everything” policy has major implications for anyone conducting discovery. Preservation letters should flag Yahoo Mail users, and should explain that the cost of recovering deleted Yahoo Mail messages could quickly climb way beyond reasonable.

 Common sense suggests that deleted Yahoo emails would be long gone from the company’s servers by the time a request can go through normal channels. The best hope for recovery would be finding the people on the other end of the Yahoo user’s communication. However, those messages — if they could be located and recovered — might yield only fragments of the original communication. Furthermore, gathering evidence from a half-dozen or more computers at different locations presents financial red flags, and chain-of-custody headaches.

There are business reasons for the differing practices at the two email giants, who between them host the lion’s share of free email accounts – more than 500 million worldwide.

But the Google witness, a 3-year employee of the company who identified herself as a custodian of records, was unable to articulate during cross-examination how email archiving furthers the business objectives of Google. She faltered when asked the purpose of the business records – or perhaps was hesitant to confirm what everyone already knows – those business records contribute to detailed profiles of every Google user.

With slightly less time on the job, Yahoo’s paralegal answered the same question by relating the email retention policy to the company goal of creating a positive user experience. After a moment of hesitation, she said the company wants the user to have control of his or her account.

In the trial, a 22-year-old American man was charged with racketeering and conspiracy, stemming from his involvement in the Russian-based black market website carder.su. Prosecutors presented evidence showing defendant David Camez bought counterfeit IDs and stolen credit card numbers, sometimes trading contraband with the providers instead of paying cash. Camez is serving a sentence in the Arizona prison system on state charges. He was transported to Las Vegas Federal District Court for the federal trial.

 Prosecutors introduced evidence that Camez interacted online with a Las Vegas-based Secret Service agent who posed as a vendor of fake drivers licenses. Camez and other users of the carder.su became the focus of a massive investigation that ultimately pushed the carder.su organization further underground, and made the domain inaccessible via standard browsing techniques.

 The scope of illicit business on the carder.su site was far more sweeping than the exchange if drivers licenses and credit cards. It included the sale of bank account credentials yielded by the notorious ZeuS Trojan that’s bedeviled financial institutions and their business customers since 2009.

 The site’s creator is in Russia. The agent who went undercover on carder.su said federal authorities are awaiting approval from Interpol to arrest him and others who operate offshore.

 Prosecutors labored in court to establish that the carder.su site and its online participants were organized criminals because they submitted to protocol set by the site’s administrator, and were admitted to the site’s serious business activity only upon approval from a structured management.

Defense argued that membership was not necessary in order to communicate and do business with others on the site, and that users of carder.su had no particular allegiance to the organization.

Several cooperating witnesses who pled guilty to one or more more racketeering charges testified that they did so to avoid lengthy prison sentences. The witnesses were young American men who came to the attention of federal law enforcement because they were linked to carder.su through online interactions or cash transfers with carder.su vendors. 

Those witnesses admitted in testimony to purchasing fake IDs and credit cards, or card-making equipment. One said he bought fake IDs and sold them to his college friends so they could get into bars.  Another described using counterfeit credit cards to purchase televisions and other goods, which he then sold on the streets of Las Vegas.  Defendant Camez also engaged in resale of goods purchased with bad credit card numbers, according to chat logs in which he boasted about profiting from high-priced items like Apple laptops.

Internal investigators from Visa, MasterCard, Discover Card, and American Express have testified to hundreds of thousands of transactions, and millions of dollars in losses stemming from this one investigation.

The jury convicted Camez after a brief deliberation. He’ll be sentenced next spring.

Update: Published Dec 4th, 2013, updated Dec 9th, 2013 to reflect additional evidence presented by the prosecution, response by Yahoo for clarification of their testimony, and the jury verdict.

One thought on “eDiscovery Twist: Las Vegas RICO trial spotlights important distinction between Yahoo Mail and Gmail

  1. Pingback: Dec 9th 2013, Episode 322, Show Notes |

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s