Armed Conflict Criminal Justice & the Rule of Law Terrorism & Extremism

9/18 Session #6: Snoopers, Hackers, and Starbucks

Wells Bennett
Wednesday, September 18, 2013, 5:10 PM

The prosecutor Edward Ryan cross-examines the Chief Defense Counsel, and moves, after a few initial questions, to her ethical obligations.  Under them, Mayberry must make only a “reasonable effort” to ensure the confidentiality of defense files and communications.  But, Ryan says, "reasonable" means only "reasonable."   The safeguards need not be perfect.  For example, unencrypted email is acceptable for many state bars, he says, and for the American Bar Association.  Mayberry accepts this, but emphasizes that this case's IT system is shot through with problems.

Published by The Lawfare Institute
in Cooperation With

The prosecutor Edward Ryan cross-examines the Chief Defense Counsel, and moves, after a few initial questions, to her ethical obligations.  Under them, Mayberry must make only a “reasonable effort” to ensure the confidentiality of defense files and communications.  But, Ryan says, "reasonable" means only "reasonable."   The safeguards need not be perfect.  For example, unencrypted email is acceptable for many state bars, he says, and for the American Bar Association.  Mayberry accepts this, but emphasizes that this case's IT system is shot through with problems.

Of course addressing those problems is a shared goal of court and counsel.  What must happen to cause Mayberry to lift her email/no network drive” order, which so delays the case and frustrates the daily work of defense lawyers?  The witness says that, to do that, she must be convinced that the IT system provides meaningful protection---and does not, say, routinely disclose communications to persons outside the privilege bubble, and so forth.  And, she agrees with Ryan, the decision to lift the order is hers alone. Apropos, hadn’t Mayberry’s predecessor issued a similar order to hers, regarding legal mail but not computer networks?  He did, Mayberry answers.  And the military commission eventually adopted legal mail rules, ones that superseded prior instructions by Mayberry’s predecessor?   Yes, Mayberry says. Okay then, if that’s true as to legal mail, then will it also prove true, about networks and email?  That is, if the court eventually finds that the network systems process here is reasonable, then will Mayberry rescind her order?  She says she doesn’t know.

The court asks whether Mayberry can instruct her subordinates to use or not use information systems.  The answer is yes, thought he witness thinks the individual attorneys have independent obligations.  Then the military judge wonders---oddly enough---about his authority, vis a vis Mayberry: he might not be able to direct any motion to abate order towards her personally, as the witness is not a party to this criminal case.  This strikes Mayberry as an academic point.  Her office would not ignore any order from the court, ever.  More wondering, this time from Ryan, and this time about history: no IT shortcomings in other service branches have given rise to such insecurity on the part of counsel, or to a judicial order not to use those services' IT systems.  So what’s different here?  For Mayberry, its the repeated, constant episodes of document loss and the disclosure of privileged materials.  Thus her request for a standalone, privileged system---one that would be more secure, Judge Pohl interrupts, than that of any other service.  

Some more from Ryan, who wants to know about replication.  Mayberry agrees that this was meant to help prosecution and defense alike, and further that, of course, the replication goofup was not the product of bad faith.  When asked, she acknowledges the prosecution’s obligation not to invade any privileged defense materials. And she, like Ryan, thinks that the Al-Qosi prosecutor, for example, acted appropriately---by the time the wrongful search came to his attention, that is.  Then Ryan asks about monitoring: doesn’t Mayberry accept that cyber presents a serious and growing threat?  She does.  So is monitoring by the military reasonable, to protect the systems and the nation against cyber attack?  Well, to protect the systems, sure, that’s fine, says Mayberry.  But invading the privilege is a separate issue.  Well, says Ryan you’d agree that the military sometimes acts outside the law?  True or not, the witness still doesn’t think its right to attribute---as DoD monitors evidently did---a bad motive to a defense lawyer, simply because he performing internet research designed to further his client's case.  Mayberry acknowledges that all DoD computers are monitored.  Other than Al-Qosi, Mayberry does not know of any other improper breaches of privileged defense information.  In this respect, Ryan notes that any additional violations could mean motions to sanction the government, or even to dismiss the case.  That’s right, Mayberry says.

Ryan now reads correspondence from Mayberry, in which she initially contemplated issuing her “no email/no network drive”  order, noted the severe effect such an order would have on defense counsel's work, and speculated that the move would irritate the military judge.  She had discussions about this with certain defense teams; to the best of her knowledge, and all agreed with her then-only-hypothetical course of action.  As for her speculation about Judge Pohl’s likely reaction, she testifies now that her sole purpose in issuing the “no email/no network drive” policy was to protect privileged material.  Delay---and judicial annoyance---was a possible consequence of that policy, but not the reason for it.  It was all about keeping defense information safe.

The prosecutor therefore asks about a subject developed on direct, and mentioned (among others) by Nevin and Harrington: communication methods employed by commission defense counsel who have offices throughout the country.  These people must, among other things, use personal computers, public wi-fi, and other things.  But how can that be consistent with the protection of privileged information?  It’s not ideal, Mayberry concedes, but she nevertheless thinks the Department of Defense IT system is still flawed---too much so.  Isn’t the alternative worse, Ryan seems to say, given that it involves public places, cloud emails, and so forth? The witness again: this isn’t a perfect solution.  Imperfection still isn’t working for Ryan, either, judging by his follow-ups.  He says, in so many words: you were supposed to be all worried about unsafe email and network insecurity, but your own policy effectively forced counsel into all kinds of unsafe practices for handling privileged materials.

The court asks about Starbucks WiFi---which is public, and which defense counsel apparently have employed in the past, in order to exchange documents amongst far-flung colleagues.  With that in mind, asks Judge Pohl, how was counsel supposed to communicate in a privileged manner, under her order?  A document could be prepared on an off-network computer, Mayberry explains, and then shared by means of external hard drives.  But, Judge Pohl presses on, how does counsel in Rosslyn email that document to co-counsel in Boise?  A visibly irritated Mayberry wasn’t sure about the optimal alternative, given the hand dealt her by the Defense Department's problem-riddled system.  At any rate, she stresses, she thought that those problems could and would be resolved expeditiously---such that defense could could quickly return to using the DoD network.  And from the beginning, Mayberry has proposed that any person with access to defense data---monitors, lawyers, IT folks, however---must be within the privilege bubble.  But that approach hasn't won the day---yet.  The delay, in other words, isn’t at all attributable to the Chief Defense Counsel.  The witness adds that she alone cannot approve a proposed technical fix to the DoD IT infrastructure.  The witness instead needs approval from above, and thus far she hasn’t gotten it.

Back to Ryan, who asks about the vulnerabilities of open networks which counsel now use.  Mayberry says she really can’t speak to network vulnerability---an answer that causes the prosecutor to pounce.  Didn’t you say you educated about this, before issuing your order and after?  How can that be true, if you can't answer a question about that very issue?   Mayberry says she did try to learn more about network security.  But that's not the point; the point, instead, is that the DoD system had serious problems, ones that directly implicated counsel's ethical obligations.  She thus won’t lift her order, despite Ryan’s suggestion that DoD email is more secure than what he refers to loosely as the “Starbucks Method.”  Speaking of security, is Mayberry aware that only one team has signed the Memorandum of Understanding, regarding the case’s order to protect classified information?  She is, but an objection is raised and sustained, this nipping this line of inquiry in the bud.  Not so for Ryan's next question about email networks in the military. These are apparently shared among defense counsel, and subject to monitoring. Mayberry accepts that, but thinks this case is different. She cites the extraordinary uniqueness of the Guantanamo attorney-client relationship, which sees little face-to-face contact and necessarily relies heavily on email---more so, she implies, than other relationships.  And in any event, every defense shop in the military would benefit from greater security, says Mayberry.  She only means to limit human error to the greatest extent possible; that's what is required by the ethics rules.  Ryan asks about Manning and Hassan and other cases. No special networks or protocols there, right?  Mayberry doesn’t know, but thinks defense counsel will take necessary steps to protect the privilege in every case, in light of the facts.

Hassan is on KSM lawyer David Nevin’s mind.  Did that case see repeated, unlawful disclosures of privileged emails, inexplicably disappearing defense work product, and the like?  We would have heard about it if so, says Mayberry.  On that point, Mayberry isn’t aware of any precedent for what she’s experienced as Chief Defense Counsel here.  But what if Mayberry learned of intrusions like those in this case---would she just sit back and watch?  No, the witness tells Nevin.  She adds, with Nevin’s prompting, a word about federal defenders.  In fact, the latter sometimes have standalone, separate networks and communications systems. Responding to an objection from trial counsel, Nevin underscores the case’s unique attributes: the accused here aren’t servicemen, but are instead accused terrorists, who were held incommunicado for years.  The court sees tension between the "fact specific" line of argument, and the "ethical rules bar this sort of system" line of argument, both of which have been put forth today by Nevin and company.  Thus he asks the attorney about Rule 1.6, and the ethical aspect of the defense complaint: if this is about an ethical bar, then the case’s particular attributes shouldn’t matter.  Again the lawyer insists that this situation is different, if not sui generis---and capital in nature.  The system for such case thus must be wrought so as to inspire the greatest public confidence, and that’s not, to Nevin's eye, at all what it does these days.   Mayberry endorses Nevin's list of distinctions, after the court overrules the prosecution objection at last.  And then Mayberry reiterates: I’m not asking for any new system.  I just want the rules to work.   She adds once more that she didn’t expect the remediation of IT issues to take so long.  That reminds Nevin of other delays in the case, those not related to Mayberry’s directives: think about the accused’s torture, and the case’s indictment and re-indictment.  Surely those had to have slowed things down.

Lastly, the lawyer takes Mayberry back to Starbucks---figuratively.  Hacking an open network is a crime, right?  Right, says Mayberry.  And that creates a disincentive to hack, in places like Starbucks?  Indeed.  Nevin contrasts this with the system that existed within DoD: there was no felony committed when the prosecution received your emails, or when searches of defense folders were conducted, right?  No, says Mayberry, precisely because IT personnel were permitted to access our communications and work product.  Thus Mayberry's proposal---which she reaffirms a third time---to have any such personnel within the defense privilege bubble.  Mayberry, when asked by Nevin, also reminds him that remedial measures are in the works.  They just need to be approved, and implemented.

Other counsel have more for the witness, but their questions will wait until tomorrow.  That leaves us with one housekeeping matter, regarding presence.  Does Ramzi Bin Al-Shibh understand his right to be here, and the consequences of a knowing and voluntary waiver of that right?  He does.  See y’all at 0900.

Wells C. Bennett was Managing Editor of Lawfare and a Fellow in National Security Law at the Brookings Institution. Before coming to Brookings, he was an Associate at Arnold & Porter LLP.

Subscribe to Lawfare