Does deleting unwanted data constitute a crime?
SECURITY SHELF

Last month, 24-year-old Khairullozhon Matanov was sentenced to 30 months in prison for misleading investigators by failing to disclose his contact with the Tsarnaev brothers following the 2013 Boston Marathon bombings and deleting files from his computer. According to the indictment, “Matanov deleted his Google Chrome activity selectively, leaving behind Google Chrome activity from other days during the week of April 15, 2013.”

According to a CBC article, “The cab driver’s case dates back to the morning of April 19, 2013, when he went to a police station in Braintree, Mass., south of Boston, to say he recognized the Tsarnaevs in surveillance photos the FBI had released the night before. Matanov was not accused of playing any role in the attack. He pleaded guilty in March to lying to investigators about how well he knew the Tsarnaevs, including the fact that he bought the brothers dinner hours after the bombings. Matanov said he was unaware of their role in the attack during the meal.”

According to his lawyers, “At the time of these offences, Mr. Matanov was a scared young man. He was not, and is not, a terrorist.”

In an article for The Nation, Juliana DeVries explained the U.S. legal context: “Federal prosecutors charged Matanov for destroying records under the Sarbanes-Oxley Act, a law enacted by Congress in the wake of the Enron scandal. The law was, in part, intended to prohibit corporations under federal investigation from shredding incriminating documents. But since Sarbanes-Oxley was passed in 2002, federal prosecutors have applied the law to a wider range of activities. A police officer in Colorado who falsified a report to cover up a brutality case was convicted under the Act, as was a woman in Illinois who destroyed her boyfriend’s child pornography.”

The Matanov case, and others like it, highlight the application of Sarbanes-Oxley to private individuals and have spawned Internet discussions on whether simply clearing a browser history is a crime in the United States.

The Act reads, “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”

While the Act clearly requires intent, “proper administration of any matter” and “contemplation of any such matter or case” make it extremely broad in scope. DeVries observed that “Prosecutors are able to apply the law broadly because they do not have to show that the person deleting evidence knew there was an investigation underway.”

The Sarbanes-Oxley Act is American legislation, but some Canadian companies are subject to the Act, including those trading on U.S. stock exchanges. Deleting data to intentionally obstruct an investigation is clearly a violation. However, many companies automatically delete data as a matter of policy.

Purging email older than 90 or 180 days is common in the private sector. It reduces data storage requirements, but the primary purpose is that in the event of litigation there is less data to sift through during discovery. It is, in part, choosing not to retain data that could potentially be relevant to future legal actions. Could routinely purging data result in charges? Is automation evidence of intent to destroy evidence, or is it a defence?

Many individuals routinely delete their browser history, cache, and other temporary files on their PCs. This data is not intentionally saved by the user, and in some cases is the result of inadvertently typing the wrong URL, clicking a link received in email, or downloading the wrong file. The purpose of a browser history is to help the user visit the same resources again. The browser cache exists to speed up subsequent visits to the same site. When is clearing it illegal?

According to DeVries, Matanov was investigated for more than a year. The fact that he selectively deleted his browser history was clearly used against him. Would the outcome have been different if he had cleared the entire browser history, encrypted his hard drive, or wiped and re-installed the operating system instead? Or if his browser automatically deleted the history and cache each time he closed it?

It is conceivable that any email, web site visit, or other data might be relevant to an investigation in the future. Instead of focusing on the browser history, the question should be: Under what conditions does deleting unwanted data constitute a crime?

Have a security question you’d like answered in a future column? Email eric.jacksch@iticonline.ca.
