When does ‘Delete’ Really Mean Delete?

William Kellermann 
William Kellermann
July 27, 2016

In the words of the late, great Browning Marean[i]:  “The “Delete” key is the greatest lie on the keyboard.”  Unfortunately, this maxim was lost on a UK drug trafficker convicted, in part, on emails he thought were deleted from his Yahoo! email account.  In a motion for discovery filed in the federal district court for the Northern District of California, defense lawyers contend Yahoo! produced six months of deleted email, recovered even though Yahoo!’s own policies indicated otherwise.  Russell Knaggs v. Yahoo! Inc., U.S.D.C. ND-Cal., Case #15-MC-80281-MEJ

In the motion, the criminal defendant speculates the email was collected in violation of UK privacy laws, either through real-time interception or some nefarious NSA surveillance program, such as those exposed by Edward Snowden.  As such, the evidence was unlawfully collected and should be suppressed.

Unfortunately for the drug dealer, the source of the mail is likely much more mundane.  Unfortunately for Yahoo!, its explanation was tortured enough that the court ordered limited discovery, and a person-most-knowledgeable deposition.  The focus of the ordered discovery is a determination of the method Yahoo! used to gather the email data to provide to the government.

For anyone who has performed an in-depth analysis of enterprise email systems, to borrow from the words of Dean Wormer in “Animal House,” there is “deleted, double deleted and double-secret deletion.”  To remind the uninitiated, and using Microsoft Exchange and Outlook as a model, the typical deletion process for email goes something like this:

  1. Delete the message in the email reader software (in the Microsoft world, that would be Outlook.)  This step simply moves the message from the “Inbox,” or other folder in which it is held, to the “Deleted Items” folder.
  2. Delete the message from the “Deleted Items” folder.

Viola! The message is gone!  Or is it?  For most people that would be true.  However technologists, IT staff, email administrators, and electronic discovery practitioners know there is more.  Again, in the Microsoft Exchange environment, a copy of the message is retained in the email server “Deleted Items” cache (a/k/a the “Dumpster”) for a period of time.  This allows an administrator to recover mail inadvertently “double-deleted” by a user.  Many other email systems maintain a similar server-side cache of deleted messages for the same reason.  Until the parameters of the cache system are met, the message is recoverable by an administrator.

In the case of Microsoft Exchange, retention is date-driven.  However, other systems may be size-driven – that is content is not deleted from the server cache file until and unless it reaches a certain size.  At that time, older messages are overwritten to make room for newer messages in an updated version of the cache.  Until that time, the messages persist.

Further, most software used to recover, extract, and export messages typically capture, or provide options to capture, every message related to the user account, whether active, deleted, double deleted, archived or retained in the Dumpster.

Of course, further complicating matters, our drug dealer was using the Yahoo! mailbox as a form of message drop where communications were made using drafts of messages never sent.  One dealer would login to the account and create a draft of a message.  The intended recipient would then login to the same account, read the draft and respond, by either overwriting the prior draft or deleting the draft and creating a new draft.  However, as with any good messaging system seeking to save users from themselves, drafts are “auto-saved” periodically.

Yahoo!’s prior responses and the court’s order gets bogged down in a discussion of when and how auto-save works which, while important, ignores the heart of the matter.   Yahoo! never clearly explains how auto-saved drafts might be retained in either “Draft” or “Archive” folders until deleted, double deleted and purged from the server cache or “Dumpster.”

While the outcome of the purported fishing expedition into Yahoo!’s email practices may never be published due to protective orders, it is more likely than not the source of the offending messages will be the digital analog of a time honored, traditional law enforcement investigative method:  Dumpster diving.

[i] Browning Marean, an attorney with DLA Piper, was known to many in the electronic discovery world as the “Godfather of eDiscovery.”  A prolific speaker, writer and general litigation raconteur, he described the litigation electronic discovery process in ways no one else could, then or since.