Subpoena BYOD Mobile Law

BYO Online Account | Ownership

2013-05-19T09:16:00.002-07:00

I wish to draw attention to a discussion that appears in comments under a Google Plus post. Quinn Yost attended a SANS at Night presentation I delivered regarding Bring-Your-Own-Device law.

During the presentation, I had suggested that an employer have a contract with each employee saying that if s/he makes substantial use of an online account for work, then the employer has the option to purchase ownership of the account for $10.

Then Quinn raised his hand and observed that the terms of service at LinkedIn forbid transfer of ownership of an account.

Fortunately, Quinn then followed up on his comment. He left a detailed comment at the Google Plus link above. He cited the relevant language from the LinkedIn terms of service. I am grateful that he did that because he helped me learn about the topic.

As you can see in the comments under the link, I offer an alternative to the $10 purchase option. I suggest an agreement with the employee to the effect that the employer is deemed the owner of the account from the time the account was created.

I invite your comments! Is my suggestion practical? Is it fair?

Wearable Computing | Confessions to Legal Infractions

2013-05-06T17:31:00.000-07:00

Technology increases accountability for noncompliance with law. It creates scads of records that can be used to enforce laws.

But such heightened accountability can shock people.

Our society floats in innumerable and confusing laws. And we are not conditioned to being judged under these laws by way of all the records that now accumulate about us.

Scoble’s Excellent Glass Adventure

Consider a technology demonstration by tech pundit Robert Scoble. Scoble is an early tester of Google Glass, a wearable computer. He used Google Glass to video record a short automobile trip as he drove the roads of California.

The video depicted what he, the driver, saw as he steered the vehicle. He narrated as the video recorded events.

He compared the navigation available through Google Glass to the navigation available through a smartphone suction-cup-mounted on his windshield. He explained that he preferred monitoring the phone for navigation because it displayed information at a location that is safer and easier for his eyesight.

Videotaped Confession

Then, while the video recorded, he confessed that he was breaking California traffic law! He said that in California it is illegal to suction-cup anything (his smartphone) to his windshield.

He promptly posted the video on his Google Plus page for the world to view.

Of course Scoble probably does not think it is risky to admit in a public video that he is breaking a “trivial” law. And this incident in itself may not be legally significant in Scoble’s life.

Publication of Evidentiary Minutia

But the incident points up a larger phenomenon in society. More and more of the minutia of our lives is being recorded and published for reviewing by all, including the police, tax auditors, divorce lawyers and bill collectors.

As social media emerged a few years ago, some people naively used it to brag openly about crimes. Early example: A woman in New Zealand bragged on Facebook that she was collecting more welfare than she was entitled to. The authorities saw her Facebook page and convicted her in 2009 of a crime.

Treasure Trove for Legal Adversaries

Technology like Google Glass is poised to increase the quantities of records about us by orders of magnitude.

The technology can deliver a treasure trove for legal adversaries. Were a prosecutor wanting to prove that Scoble has a history of skirting traffic laws, this video would be discoverable by search engine. Were a family lawyer seeking to prove that Scoble is a danger to his children, this video would be corroborating evidence that he prefers playing with his tech gadgets rather than complying with vehicle safety laws.

The big picture: these recording technologies motivate us to be much more guarded in what we say, even when in the quiet of our own automobile.

Some would say technology imposes an unwelcome form of political correctness.

Like Being on the Witness Stand

On the Record

I posted a comment under Scoble’s video saying it is unwise ever to admit in a public recording that you are breaking a law. In other words, when you are recording yourself with Glass, assume you are on the witness stand in a courtroom.

–Benjamin Wright

Cyber Investigations: Managing Risk

2013-05-03T09:15:00.000-07:00

In a fraud investigation, classic practice teaches the investigator to collect evidence first, then interview the subject second. But that practice may be backwards when the evidence is on computers, on mobile devices or out in cloud computing (social media and mobile apps).

In the classic scenario, evidence was physical. It was paper, or it was fingerprints on a file cabinet. The evidence could be destroyed or tampered.

Digital Evidence Changes Dynamics of Investigation

Fraud has changed. More commonly the evidence is now digital.

This change has two implications:

1. The evidence is much harder to eradicate than people think.

People naively think they can delete digital records. But deleted records can be recovered from hard drives and mobile devices like tablets and smart phones. Also, very commonly, the records are copied to lots of places due to backups, synchronization, sharing in social media and so on.

Moreover – and this is a subtle point – the number of relevant records today is far larger than was true in the past. Our mobile phones and computer networks are collecting records of biblical proportions . . . records about whom we talked to, what we said, when it happened, which applications we accessed, what cologne we were wearing and precisely where we were at any given moment (plus more and more and more!).

2. The collection of digital evidence can raise dicey privacy and related issues.

Our society is in shock about the quantities and details of information that technology is now collecting, storing and spreading about us. In reaction we see a confused privacy push-back.

First example: In the past twelve months, several states have enacted (non-uniform) legislation preventing employers from demanding social media log-on credentials from employees.

Second example: Some networks like Facebook publish little-understood terms of service that severely limit the ability of an investigator to collect information about a network user – even so-called “public” information.

Third example: Under broadly-worded Connecticut legislation, if an investigator collects private information, the investigator must “safeguard” it. Connecticut gives no clue what safeguarding requires. (Encryption? Lock and key? Final, absolute, confirmed destruction of all copies of the information?)

Privacy Issues Connote Risk

Privacy issues create risk for the investigator. Hence, when management of a restaurant read the contents of an invitation-only Myspace forum set up by employees, it infringed the privacy of the employees. As a consequence of the privacy violation, a jury held the restaurant owed employees back wages and punitive damages.

Similarly, the administration at Harvard University angered the faculty when it surreptitiously conducted a limited search of the emails of 22 deans (related to an investigation of a data leak).

Response to Risk: Soft Investigative Steps

This change in evidence from physical to digital gives an investigator incentive to work differently. The investigator is often wise to take “soft” investigative steps before aggressively grabbing evidence off of a social network or a mobile device.

These soft steps include:

A. Give the target of the investigation a preservation letter. The letter would warn the target not to destroy evidence and would educate the target that any effort to destroy evidence can probably be detected and punished.

B. Interview the target and transcribe the

Recorded Interview

interview. Present to the target the allegations that have arisen. Explain to the target that lying will dig the target’s hole deeper. Lying can ultimately be uncovered through the many sources of evidence (emails, texts, photos, videos, meta data), brought forward through appropriate procedures such as a subpoena or eDiscovery in a civil lawsuit.

Results of Soft Investigative Steps

If the target of the investigation is guilty and wise s/he will confess.

If the target is innocent, s/he may voluntarily turn over a lot of convincing evidence to refute the allegations.

In any case, taking the soft steps first helps the investigator reduce risk of violating a privacy or stalking law.

–Benjamin Wright

Smartphone Forensic Alibi

2013-04-22T10:18:00.001-07:00

Latest smartphones sport a spectacular array of sensors. That array expands as you consider all the mobile accessories, like heart rate monitors, that can be used with the phones.

Detailed History

These phones, sensors and apps that operate them can collect and record jaw-dropping detail about the user’s personal history, including the following, coupled with time and date:

* geolocation

* ambient temperature

* body temperature

* barometric pressure

* humidity

* interaction with apps like messaging, social media or motor vehicle functions

* hand motion

* speed and direction of movement

* front and back cameras

Record Keeper

* microphone

* compass

* eye movements!

* REM sleep

* more, more, more

All the data collected by mobile devices is often thought, from a forensics perspective, as providing evidence that the user did something wrong. Mobile evidence can be used to prove, for example, that a suspect was at the scene of a crime or that a bully transmitted a threatening message to a victim.

Prove Innocence

But mobile sensors are a forensic two-way street. They might help a user prove a negative . . . prove she did not do something.

In 2011 a motorist persuaded a court to dismiss a speeding ticket in part owing to GPS data from the motorist’s Android phone and tracking app. The data showed the motorist was traveling within the speed limit, contrary to the opinion of a police officer.

Exculpatory Evidence

When data is marshaled intelligently, a cell phone owner may be able to refute an allegation of drug abuse . . . or disprove an accusation of date rape . . . or dispute a claim of marital infidelity.

This growing panoply of forensic data creates an arms race among adversaries. They compete to discover

(A) what the data is,

(B) where it is located (on-board, in app-cloud or synced to other device),

(C) how it can be extracted, and

(D) what it means.

Expert Psychological Opinion

Much hinges on interpretation. Industries of experts and analytical software will blossom to opine on whether the data show the suspect ran from the scene of a crime or merely walked away from an insignificant location.

Forensic psychologists will assess whether a slow, steady decrease in blood pressure denotes a clear conscience . . . or the introduction of a sedative.

–Benjamin Wright

Attorney Wright humbly teaches the law of data security and investigations at the SANS Institute.

Update: Christa Miller reports that social media proved that a murder suspect was innocent.

Big Data Catches Insider Trading

2013-04-13T07:19:00.000-07:00

A subpoena from the Securities and Exchange Commission led to the downfall of a prominent CPA.

A senior auditor at KPMG, Scott London, had been passing secrets about public audit clients (e.g., Herbalife) to his friend, a small, non-professional investor, Bryan Shaw. Mr. London thought the two of them would never get caught because Shaw was investing such small amounts of money. London thought the authorities were able to pursue only the big, professional inside traders.

Mr. London was wrong.

Automated Monitoring Probably Flagged Account

The authorities (SEC, FINRA, Shaw’s brokerage and/or options regulators) spotted unusual trading activity in Shaw’s relatively-small retail investment account. The brokerage suspended Shaw’s account. Then the SEC sent a civil subpoena to Shaw, asking him to explain his activity.

Mr. London thought the authorities could not prove anything. He thought the brokerage would just give Shaw his money and stop doing business with him.

London was wrong.

Subpoena Requires Truth

A subpoena is a legal demand for

Administrative Demand for Evidence

information that the recipient (Mr. Shaw) cannot ignore.

The subpoena frightened Shaw. Shaw could go to jail if he was caught lying in reply to the subpoena.

Shaw hired a lawyer.

The lawyer probably told Shaw:

1. You are in deep trouble. The government is coming after you, and you will be punished.

2. Modern electronic records, like your online trading records, the records on your computer(s) and all of your detailed cell phone activity (calls, dates, times, geolocation, text messages) are available to the government to rat you out.*

3. The only way to get leniency from the government (i.e., reduced punishment) is to cooperate with the government and help it catch a bigger fish. The bigger fish would be London.

Sting Operation

Mr. Shaw told the government the truth. Shaw agreed to help the government catch his friend, Mr. London.

Shaw participated in a classic sting operation. He made a telephone call to London, recorded by the government, discussing insider trading. He arranged a meeting with Mr. London in a parking lot, where he would deliver cash to London in exchange for insider information.

At the meeting, Shaw wore a secret recording device.

Yesterday’s Wall Street Journal features an FBI photo of Mr. Shaw handing an envelope of cash to Mr. London in a parking lot.

Big Data + Subpoena + EDiscovery + Incentives = Big Fish

Mr. London will likely go to jail.

Mr. Shaw will likely get reduced punishment.

–Benjamin Wright

*Note: Such detailed records did not exist a few years ago when CPA London formed his opinion that the authorities could not pursue small-caliber inside traders. London's studied opinion has been rendered obsolete by modern eDiscovery.

How to Confiscate Mobile Device

2013-04-02T09:40:00.002-07:00

Suppose enterprise has a BYOD policy empowering the enterprise to seize employee’s smartphone. Suppose further that enterprise has reason to believe the phone contains important evidence . . . such as stolen trade secret or records of contract negotiations by employee on behalf of enterprise or photos relevant to allegations of a hostile work environment.*

Wise Steps

Enterprise considers confiscating the device and investigating whether it contains the evidence in question. What would be wise steps for the enterprise?

1. Consider engaging an attorney so that confidentiality of the investigation is protected under attorney work product doctrine.

2. Document the reason for believing the device possesses relevant evidence.

3. Consider sending the employee who owns the device a preservation letter, informing employee that she/he should avoid destroying evidence. Remember, whatever evidence may exist on device may also be copied to online accounts controlled by the employee (e.g., cyber locker like Dropbox).

If employee destroys evidence in the face of an investigation and a preservation letter, the act of destruction itself could be grounds for action against the employee.

4. Consider interviewing the employee formally before confiscating the device. In recorded interview, with multiple people involved, ask employee about allegations and evidence. If employee lies during interview, the lying itself might be grounds for taking action against employee.

5. Ask employee if she/he consents to confiscation and inspection of

Evidence Container

device and collection of evidence.

6. If enterprise decides to confiscate device, document justification for the decision and involvement of multiple authorities (e.g., lawyer and higher management).

7. Make detailed records about the process of confiscation (e.g., narrative of when and how confiscation transpired and photos or video of confiscation and condition of device).

8. Give employee written document (receipt) of the confiscation, describing the device (including possibly images), date and time.

9. If enterprise investigator inspects device (including evidence extraction), involve multiple agents and keep detailed records of the inspection (including possibly narrated video of each step of inspection).

10. Take care to comply with any relevant laws, including those that forbid employer from demanding social media log-on credentials.

11. Exercise restraint. If the enterprise refrains from looking at data it does not need, then any argument that the employee's rights were violated is weaker.

12. Inspection might include sophisticated forensic extraction of data and/or just video/affidavit recording of data (text, images, audio) manifest by operation of the device.

13. Consider measures to secure collected data, such as encryption. Encryption is a hassle because it requires the enterprise to maintain a process for storing and finding the decryption key . . . for possibly years into the future.

14. Ensure copy of investigative records are in hands of multiple people (e.g., lawyer and investigator).

15. If child porn is discovered (or even suspected), contact police immediately. (horrible)

16. If device is kept for extended time, document the justification, including notice to employee.

17. Document return of device if and when it happens.

18. When data collected from device is no longer needed, consider destroying the data as a measure to promote privacy. However, privacy interest must balance against anti-spoliation law. Also, if investigation report has spread to multiple places, destruction may be impractical.

–Benjamin Wright

Mr. Wright teaches Law of Data Security and Investigations at SANS Institute.

*Vast records can be stored on a mobile device, including text, audio, email, video, geolocation, meta data showing time that an app was accessed, content of posts to social networking services, documents uploaded to storage lockers.

. . .
Next step: What if the device is a form of wearable computing?

Attorney-Client Confidentiality | Data Security Breach

2013-04-01T16:02:00.000-07:00

As an enterprise comes to suspect that it may have suffered an infosec incident, it may be wise immediately to involve an attorney.

Attorney Work Product Doctrine

The "attorney work product" doctrine provides that the content and results of an investigation -- which is led by an attorney -- are kept confidential from future legal proceedings. The legal proceedings that might follow an infosec incident include lawsuits, as well as investigations by government authorities such as industry regulators (e.g., state healthcare department), state attorneys general and the Federal Trade Commission.

After an attorney has been engaged to lead an infosec incident investigation, the attorney might direct technical investigators to gather evidence, analyze it and report back to the attorney. Often, owning to the attorney's leadership of the investigation, the evidence gathering, analysis and reporting would be

Lips are Sealed

confidential under the "attorney work product" doctrine. See, "Law Firms Tout Cybersecurity Cred," Wall Street Journal, April 1, 2013.

Reduce Exposure to Potential Liability

If the "attorney work product" doctrine does apply to an investigation, then adversaries, like plaintiffs or government, cannot force the enterprise to reveal to them the results of the investigation.

For an enterprise that wishes to minimize its exposure to litigation or liability, the "attorney work product" doctrine can be invaluable.

For example, an enterprise may conclude after thorough investigation that it did not suffer a data breach requiring it to give notice. However, the enterprise may prefer that the content of the investigation not be provided to adversaries who might try to second-guess that conclusion.

See explanation of attorney-client privilege and attorney work product doctrine.

--Benjamin Wright

Taxes, Regulation and E-Commerce Innovation

2013-03-29T12:40:00.002-07:00

A video affirmation can carry legal, cultural and political weight.

Walmart is thinking about empowering customers to deliver purchases to other customers. Customers who have time and transportation would take online purchases to customers who lack time or transportation. The delivery people would be rewarded with discounts and other incentives.

Roadblocks

Walmart’s thinking is an innovative e-commerce idea.

But innovative ideas often encounter legal risks and roadblocks. New ideas upset old norms.

Video Overcomes Roadblocks Better Than Paper and Ink

The video below shows one way to cope with such risks and roadblocks.

Imagine that as Walmart signs up a customer to deliver stuff to other customers, Walmart:

1. Presents to the delivery person contract terms and program rules, written on paper;

2. Asks the delivery person to read and then sign the terms and rules in ink; and

3. Asks the delivery person to make a video like this (where the delivery person is reading a script):

What a Video Affirmation Does

A video affirmation creates compelling evidence. The evidence can be more emotionally impactful than an ink signature on a long paper document.

Here, the video shows the customer really cares about the delivery program. It shows he understands it. It shows he was not tricked into joining it.

It shows the delivery program is part of a positive cultural phenomenon, one that includes cool benefits to the community as a whole.

What Are Some of the Roadblocks?

As e-commerce innovations come along, someone – like a judge, a jury, a government regulator or a tax collector -- might be tempted to decide that the innovation:

a. should be taxed (e.g., unemployment taxes);

b. should be regulated for safety under occupational safety regulations; or

c. should be treated like employment, for purposes of benefits like retirement or healthcare insurance.

However, videos like the one above might motivate a decision-maker to pause . . . to think differently. It might persuade a jury that the innovative delivery program is something most different from traditional employment and should be given special room to flourish.

–Benjamin Wright

Corporate Email Archives: Unwanted Liability or Searchable Asset?

2013-02-24T17:10:00.001-08:00

Some corporate lawyers prefer to delete records as soon as possible. They feel that informal records like email are a liability when the corporation heads into litigation. The records are burdensome to search and turn under eDiscovery.

To support advice that email be deleted quickly, these lawyers will point to FTC v. Lights of America Inc., 2012 WL 695008 (C.D. Cal. Jan. 20, 2012). In that lawsuit, the Federal Trade Commission possessed few email records to turn over in eDiscovery. One reason for the paucity of records was FTC’s default policy to delete email at 45 days.

Upon scrutinizing the policy, the court saw nothing inherently wrong with it. The court could not conclude that FTC should be punished for deleting relevant records.

Litigation Hold

Does a 45-day deletion policy make sense for an enterprise?

As a practical matter, if an enterprise like FTC deletes most email at 45 days, it must have a mechanism for applying litigation hold. Under litigation hold, emails that are likely to be needed in a lawsuit or investigation must be spared from the default 45-day deletion policy.

Corporate Knowledge

For most enterprises litigation hold is difficult. An enterprise may "know" it needs to apply litigation, but not not have the infrastructure in place to understand and act on that knowledge.

It is difficult for knowledge of the need for litigation hold to stroll briskly through the organization and come to the attention of a lawyer who can cause a litigation hold to be implemented. Most enterprises have relatively small legal departments.

The FTC is different. A large percentage of the FTC’s staff is lawyers or professionals with a legal bent. Unlike a corporation that makes widgets or a municipality that delivers city services, the FTC is a law-heavy enterprise. Its very mission is law enforcement.

Thus, FTC is highly sensitive to when litigation hold needs to be applied to records. Further, its culture enables swift implementation of litigation hold. Its staff and culture are also highly attuned to composing formal “records” that tell the legal story FTC wants told. Hence, an aggressive policy of deleting informal email at 45 days can work for the FTC.

Electronic Mail as Corporate Memory

Other enterprises – like private corporations and most other government agencies – must think differently about email. Email is part of corporate memory. Email records what happened, how it happened, and why it happened.

For most enterprises, it is not the key mission of staff to create formal “records” that tell the legal story the enterprise wants told.

For the typical enterprise, informal email records are a functional asset. Electronic message archives, older than 45 days, answer practical and operational questions.

Cal Fire’s Need for Records

Take for example the California Department of Forestry and Firefighting (Cal Fire). It is under investigation for something that previous leadership did in 2004. In 2004 the department started using proceeds from fines imposed on corporations to set up a training and equipment fund. Under California law, such a fund must be approved by the state’s Finance Department.

By 2013, however, Cal Fire could not easily document that the fund had received approval from the Finance Department. So Cal Fire closed the fund and gave the money to the Finance Department. The Finance Department opened an investigation into whether law had been broken. “California Agency Burned by Discovery of Bank Account,” Wall Street Journal, January 26, 2013.

Whether Cal Fire has the records it needs I don’t know. Whether it retains email back to that time, I don’t know. However, when a question like this arises, complete email records from the time in question can be invaluable to an enterprise like Cal Fire. Rarely can people remember old administrative details like whether approval was obtained for an unusual bureaucratic event.

Email as Searchable Diary

Email is a remarkably powerful resource for recording how, when, who and why. Well-archived email is a detailed, easily-searchable, time-and-date-stamped diary of enterprise activity.

Most enterprises are well-meaning, and intend to do what is right. On balance, email archives document the day-to-day efforts of people trying to do the best they can.

–Benjamin Wright

Standard: Data Security Breach Notice

2013-02-17T08:25:00.000-08:00

Department of Health and Human Services has issued the most significant advancement in data breach notification law since California adopted the original Senate Bill 1386 in 2002.

First Standard Was Vague

SB 1386 said the data holder must give notice if it had reason to believe the security of sensitive data had been compromised.

Technologically speaking, SB 1386's standard was vague. It caused many organizations to issue confusing, unnecessary notices that are of no value to the recipients (data subjects).

New Standard Calls for Intelligent Risk Assessment

HHS’s new Omnibus HIPAA Rule states a more realistic and sophisticated standard for whether a healthcare data holder must give notice of a breach.

To paraphrase revised 45 CFR § 164.402, the data holder must:

1. presume that a security incident requires delivery of notice . . .

2. unless a risk assessment shows low probability of data compromise considering the following four factors (in addition to any other relevant factors):

(A) Nature of the data and likelihood it can be used to identify the data subject;

Data Risk

(B) Who accessed the data;

(C) Whether data was "actually acquired or viewed”;

(D) Whether risk to the data has been mitigated.

§ 164.402 motivates the data holder – before giving notice – rigorously to gather all the facts about an incident and then to analyze and evaluate those facts. That process of gathering, analyzing and evaluating is a “risk assessment.” For that risk assessment, § 164.402 gives the data holder four useful factors to consider.

But, rationally, § 164.402 reminds the data holder that there can be other factors to consider.

Does Prior Warning of Risk Reduce the Need to Give Notice?

I argue that another relevant factor is whether the data subject had been warned of the risk of compromise and therefore accepted the risk.

No Knee-Jerk Reaction

Historically, many organizations have treated breach notification as a knee-jerk reaction to security incidents and vulnerabilities.

HHS is now teaching that before sending breach notices, the data holder should engage an intelligent investigation and assessment.

In effect, HHS is -- commendably -- refining the definition of data security breach.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Electric Network Frequency Analysis Authenticates Forensic Records from the Cloud

2012-12-27T08:59:00.000-08:00

Forensic researchers have learned that the electromagnetic hum made by modern power grids leaves a kind of watermark on digital recordings like audio and video recorded with a computer.

This watermark hum subtly, randomly changes over time. Analysis of this Electric Network Frequency (ENF) hum can assist in establishing the time a recording was made and whether pieces of the recording were doctored or spliced together at different times.

Corroborate Recording in Criminal Court

Electromagnetic Watermark

Based on this watermark hum, a criminal court in the UK concluded that an audio recording by police was not manipulated by the police. The police recording stood up in court under analysis by an ENF expert. The expert proved that the recording was what it purported to be: a single continuous recording, not a collection of spliced snippets.

Application to Forensic Recordings in the Cloud

In the age cloud computing, continuous recordings of audio and video are growing more valuable for capturing and preserving digital evidence. The reason is that investigators who gather evidence from “the cloud” often don’t have control over the cloud computers or permission from the people who do have control (i.e., the service providers).

What do I mean by “the cloud?” My definition of the cloud here broadly includes social media like Facebook and LinkedIn, as well as a lot of the web and many mobile apps. Today it is very common for an investigator to gather evidence from (for example) a social network, with no cooperation or permission from the social network provider. This investigator is like an eyewitness. He or she sees and hears (ascertains) some evidence (text, images, video, links, audio) from the cloud; he or she wants to capture the evidence. The evidence the investigator sees or hears can be gone in an instant.

The investigator needs to make a credible record of what he/she witnesses. A way to do that is to make a “screencast” video of what the investigator encounters moment to moment. As the video record is made, the investigator can narrate as a realtime eyewitness, explaining what is happening as it unfolds.

Corroborating Date and Time

In a well-made screencast, the investigator states date and time with the investigator’s voice and moving lips. The investigator corroborates date and time by storing the screencast video in a system (like Sharepoint) that logs the date and time.

Yet, now date and time is corroborated by an additional method. The electromagnet hum of the power grid watermarks the record to help show the record was created as a continuous stream at a particular time.

Please leave your comments below!

–Benjamin Wright

Right to Be Forgotten | Privacy’s Conflicts with Other Interests

2012-12-12T07:48:00.000-08:00

Privacy law and compliance make me humble. Devising practical privacy guidance for an enterprise client is hard.

The reason is that privacy interests envision rights and responsibilities that conflict with other worthy interests.

Shelter from Persecution

Take the so-called right to be forgotten. Thought leaders in Europe argue that as a matter of human rights an individual should be able to force someone, like Facebook or a tax authority, to search through its records and delete data about the individual. The justification for this right is that it shelters the individual from pestering, persecution and embarrassment.

The right carries appeal in this networked age of big data. Which 35-year-old wants employers – or their own children -- to have google access to indiscreet photos they posted to Myspace back in high school?

Absurd Extremes

Yet the right to be forgotten, like many other data privacy principles, seems absurd when taken to extremes.

Should a stupid politician (Anthony Weiner) be able to force Twitter to delete embarrassing photos of himself that he himself transmitted by accident? No, argues Alexander Alvaro, vice president of the European Parliament and an influential voice on privacy. Public interests including freedom of expression seem to outweigh the politician’s interest in his own personal privacy.

Other interests conflict with an absolute right to be forgotten . . .

Conflict: Records as Legal Proof

An organization like a tax authority may have a plethora of sound reasons for retaining records about a person. The organization may need the records to fulfill lawful investigations, or to prove the organization complied with myriad legal requirements relative to the individual (e.g., paid her a refund or granted her an exemption).

Similarly, a commercial business may need records about its customers to ward off lawsuits alleging that it defrauded the customers or failed to account for transactions with the customers.

Imagine the injustice that could ensue if individuals possessed an absolute right to be forgotten. Suppose customers sue an insurance company for cheating them. Under an absolute right to be forgotten, the customers could demand, while the lawsuit is pending, that the company delete the very records that show the company treated them honestly!

Conflict: Far-flung Copies of Data

An absolute right to be forgotten conflicts with the configuration of modern technology and the public’s expectations for the cost and performance of the technology.

Finding Data in the Cloud

Enterprise computers today are not stand-alone devices. They are connected to complex networks. Data are replicated across many media and machines for purposes of speed, efficiency, reliability and backup.

The implication is that for an enterprise to find and delete each and every copy of a photo or statement about a person can be next to impossible.

Conflict Compounded by Overlapping Laws

In our global Internet, the laws applicable to any given transaction or unit of data can come from multiple countries simultaneously. A retailer in Hong Kong can process a transaction with a Canadian customer through a financial system and servers located in Singapore. Tax regulation in Hong Kong may require retention of records for seven years, while a Canadian privacy authority may opine that the customer has the right to force destruction of such records at 18 months.

Which Principle Triumphs?

Obviously, in a conflict any principle of privacy must yield to other, superior principles.

By the same token, privacy advocates argue that principles like freedom of expression and record retention regulations must yield when privacy interests are superior.

This conflict of principles promises to endure even if the right to be forgotten itself is never enshrined into any particular law. Before the right-to-be-forgotten debate started, privacy authorities had already said data must sometimes be deleted when it is no longer needed.

Conflicts Bewilder Data Holding Enterprises

The foregoing conflicts among laws and principles bewilder businesses and government agencies as they develop data policies and manage data systems.

The conflicts apply across innumerable units of data, as the volumes of data swell.

The conflicts can apply with a fine degree of granularity: careful analysis may conclude that one bit of data about John must be deleted while a similar bit of data about Sally must be preserved.

Analysis and debate about which principle (retain or destroy) is superior under different particular situations can go on endlessly. With time, the analysis and debate – keep this unit of data, destroy that unit of data – begins to feel like an all-consuming, ivory tower exercise.

Demonstrated Intent to Be a Good Citizen

What is a data holding enterprise to do? It cannot employ armies of academics to research and debate all sides of every issue applicable to every unit of data.

Unfortunately, however, the conflicts above will not go away. The risk that an enterprise will make the wrong decision – and suffer under law – will persist.

The best an enterprise can do is to strive to be a good citizen, and demonstrate that it is earnestly trying to do what is right, within its limited resources.

A Genuine Process Lowers Risk

The enterprise lowers its risk if it maintains a genuine, on-going process for evaluating and improving its compliance amid the conflicting principles . . . even though it will never achieve perfection.

Such a process can include informed, documented deliberation about decisions on data retention and destruction. Such a process appears more genuine when the enterprise employs people who are qualified to engage in the deliberation and then implement decisions that emerge from the deliberation.

An authentic process evinces an attitude of compliance and good intent, even though the process will be overwhelmed in practice by the magnitude of the conflicts and the ever-growing volumes of data.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Negotiating by Way of The Cloud

2012-11-29T08:25:00.002-08:00

Technology changes how accountability is enforced by legal procedures. The New York Times reports how divorced parents now negotiate joint child custody responsibilities, under court supervision.

In the old days divorced parents had to negotiate by direct telephone or in-person meetings. That was so 20th Century, and emotionally confrontational. But today they communicate by way of remote, asynchronous technologies such as email and online calendars. It can allow them to communicate more calmly.

These electronic tools create detailed, time-stamped records, which are subject to court review if there is a dispute. Gone are the days when the court must hear lengthy testimony about he said/she said or whether this person dialed the required phone number at the appointed time.

Proof of Legal Notice

Email creates a precise record that John legally notified Marsha when Johnny’s soccer game will end. (The email notice is better than certified mail because certified mail only proves that a communication was delivered; it does not prove the content of the communication.)

Dynamics of Online Negotiation

Child custody is just one form of negotiated legal arrangement. Other arrangements include contracts or labor disputes.

Business Deal

Negotiating via computer networks is different from negotiating the old-fashioned ways. As a business lawyer, I learned to negotiate across a table, via telephone or through the postal service from books like Give and Take by Chester Karrass (1993).

Question to the reader: Have you seen a good resource on how to negotiate in the age of Skype, Twitter, text messages and collaboration tools like Microsoft Office 365?

Fax and Email

In the mid-1990s I inserted in my book The Law of Electronic Commerce a chapter on negotiations via electronic communication. In those days electronic communication meant fax and email.

One of the observations I made was that electronic communication tends to segment issues into little chunks.

This is what I meant. In the old days, parties had to invest a lot of time/effort to meet in person. So while in the presence of one another, they needed to cover many or all of the issues.

But people don’t like writing or reading long emails. Their attention spans are too short. So email communication engenders multiple threads, each covering a different issue through short messages.

This lesson will be lost on less talented negotiators. They will write long emails and fail to get all the points across.

Different Dynamics

Online negotiations are not necessarily better or worse than old-fashioned ones. They are just different. Savvy negotiators will understand the different dynamics and capitalize on them for the situation.

So, back to child custody, the parent who understands the nuances of Google Calendar can be at an advantage for getting desired times and outcomes.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations for the SANS Institute.

Security through Obscurity | Homeland Security

2012-11-02T08:38:00.001-07:00

Which one is real?

Critical infrastructure is vulnerable to cyber attacks. SCADA (supervisory control and data acquisition) systems, for example, commonly lack strong defenses against determined hackers.

SCADA systems control and monitor industrial processes like operations in a chemical plant or a water treatment facility.

Other information technology that manages sensitive physical activities, such as medical devices, is vulnerable to abuse.

Attacks Can Lead to Physical Damage

A cyberwarrior might compromise SCADA or other sensitive systems to wreak havoc, release floods of sewage, injure medical patients, cause trains to derail and on and on.

Cybersecurity Legislation or Executive Order

To address these risks, Congress has debated cybersecurity legislation. The Obama Administration has considered an executive order that would apply to many enterprises that do business with the US federal government. A common idea is for the federal government to set baseline security standards that the owners of critical infrastructure must meet. Government would audit for compliance with the standards.

The imposition of security standards includes pitfalls:

a. Standards promote a uniformity among defenders, so that the attackers know what defenses to expect from one place to the next.

b. Standards promote a checklist style of compliance, where defenders focus on satisfying the auditor rather than truly and creatively beating the attacker.

c. Federal standards imply greater influence and control by central government and reduced freedom for property owners to manage their property as they see fit.

d. Upgrading existing systems to meet security standards is expensive.

Why Aren’t There More Successful Attacks?

Question: Although vulnerability of critical infrastructure has been widely discussed for many years, the number of effective attacks in the US has been small. Why? I suspect that the practice of executing an effective attack is harder than the theory.

I suspect that in practice it is quite challenging (not impossible!) for a malicious foreign agent to actually figure out how, surreptitiously, to access and cause real harm in, say, the sewage processing plant of a cattle feedlot in Herford, Texas. I suspect the sewage treatment plant is protected by a fog . . . a fair amount of obscurity. And as the foreign agent – working through the Internet – mucks around with the treatment plant, someone at the feedlot is likely to become suspicious . . . or implement compensating controls . . . or convert the plant to manual control . . . or something.

How does some remote joker know that she is actually accessing the sewage treatment plant at a particular location in Hereford and causing particular physical damage to occur? How does she know that she has not been diverted to a honeypot or a virtual game?

A Role for Government: Misinformation

Instead of imposing national cyber security standards on myriad systems that control physical processes, what do you think of the following idea? I envision the government (through Department of Homeland Security and other agencies) creating a fog of misinformation, honeypots and fake systems on the Internet. It could propagate labyrinths of non-existent SCADA systems, bogus air traffic control systems, decoy medical devices and so on.

My vision is inspired by the US Department of Defense. In the wake of the WikiLeaks disclosure of sensitive documents, DoD is flooding its systems with fake documents. When a system is flooded with fake documents, an attacker (whether inside the department or outside) who steals a document does not know the difference between what is real and what is an illusion.

Dear Reader: What do you think of my idea?

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Gathering Mobile Legal Evidence

2012-10-23T09:14:00.000-07:00

Investigators – like regulators at state boards and commissions – increasingly find evidence by way of mobile delivery. For example, the board that licenses nurses may discover evidence about a registered nurse not on the web, but through a mobile app, such as a game.

Investigators need methods to record online evidence that arrives via mobile device, such as a tablet or smartphone. (When I say "online" evidence, I mean information that is stored in the cloud, but rendered temporarily through a mobile device or mobile application.)

Format of Information Matters

The format and legal impact of information in a mobile context can be different from that in a desktop context.

For example, here is a screenshot of the top of this blog, at it appears through the default browser on an Android LG Optimus phone:

Phone Media

If the user of that phone were looking for the “Privacy Vision” applicable to this blog, the user would have to scroll far to the bottom.

In contrast, here is the appearance of the same blog, as rendered via a desktop browser:

Web Desktop

The display of information is quite different. The Privacy Vision appears down the right-hand column.

These differences in display can influence the effectiveness of legal disclosures to protected parties such as consumers.

Series of Video Demonstrations

My blogs have previously published and explained training videos on how to record evidence rendered through a desktop: See
Police in Social Media,
Chat with a Criminal,
Audit of Online Trading

Investigator as Eyewitness

How could an investigator preserve what he sees as an eyewitness when he perceives legally-relevant evidence through a mobile browser or an app loaded on an iPhone?

This video demonstrates the investigator making a signed affidavit of precisely what he witnessed with his eyes.

This video shows what appears through the mobile browser, and how the browser interacted with the information, at a frozen moment in time. At a different time, the information and the interactivity could be different. The information is volatile and could become unavailable to the investigator at any time. (That is, I could delete this blog at any moment and prevent investigators from [directly] accessing it from that point forward.)

To better read the content captured in the video, click on full-screen mode in lower right-hand corner of the video.

Your Comments?

Dear Reader: What do you think of the video as an evidence collection method? Do you have alternative methods to suggest?

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations for the SANS Institute.

Question: After an investigator confiscates a smartphone, is he wise to use apps and credentials on the phone to access evidence in a social media account or in an online storage locker?

BYOD Policy Part 5 | Ownership of Social Media Content & Account

2012-10-14T16:07:00.002-07:00

State legislatures are enacting employee social media privacy laws fast and furious.

In their wake, they leave confusion. To address the confusion, this post offers sample employment policy language.

Many States, Many Standards

California Assembly Bill 1844 says an employer may not require an employee to “Disclose a username or password for the purpose of accessing personal social media.”

AB 1844 broadly defines “social media” as “electronic content,” including but not limited to email, video and so on. It also broadly defines “social media” as “an electronic service or account.” So, under AB 1844, social media means much more than Facebook and Twitter.

Non-Uniformity of Law

California is just one state. Other states like Illinois and Maryland have enacted legislation on roughly similar topics, but each state uses different words and standards.

This proliferation of non-uniform laws makes it difficult for an employer to craft policy. Many employers have employees who are mobile, spread geographically and operating on the Internet, where jurisdiction is overlapping and confused. Does California law apply? Or is it Illinois law, or Maryland law? What’s more, any policy you write today could tomorrow run afoul of new legislation enacted in Maine, or Alberta . . . or Japan.

Holding Employers Accountable

Social Networking for Business

Law generally expects an employer to supervise or be accountable for what an employee is doing – within the scope of his employment -- whether the employee is doing it by way of an automobile, the postal service, face-to-face communications, or “social media” like email, video, text messages and online accounts.

For example, if an employee, like an executive, uses email, video or Facebook to represent himself as an agent of the employer, the employer could be held accountable for the contracts formed through this media. Further, the employer could need access to the executive’s social media records to show compliance with regulations, or just to know (for purposes of internal control) what the executive told a subordinate to do.

Dividing Personal Media and Work Media?

California’s Senate Bill 1349 protects “personal social media”; the implication is that it does not protect media used for “work” or “business.”

But it is easy for personal media and work media to get mixed up. It is common, for example, for an employee to use a Gmail account for both personal communications and business communications.

How should the employer and employee divide these two kinds of media when they are mixed? The legislature does not explain.

Lawsuits Over Ownership and Control

Employers and employees have fought in court over who owns a social media account. Linda Eagle argued unsuccessfully in federal court that her former employer, Edcomm, violated the federal Computer Fraud and Abuse Act when it locked her out of a LinkedIn account that she had started and had used partially for her own purposes. The court sided with the employer, noting that Ms. Eagle had shared log-on credentials with other Edcomm employees and had transacted some business through the account on behalf of Edcomm.

How to Write BYOD Policy?

This blog features a series of posts on how to write policy for “bring your own device” (BYOD). The series recognizes that the BYOD topic covers more than just “devices”; it also covers service accounts like Gmail and LinkedIn. In other words, the series covers what California AB 1844 defines as “social media.”

The series views BYOD “policy” between employer and employee as embracing more than just policy. It offers language for a contract between the employer and employee.

What do you think of the following sample BYOD clause?

If an employee makes any substantial use of a Service for work, then the employee grants to employer the option to acquire ownership (all of the employee’s right, title and interest) to the Service, at any time, for ten dollars.

This clause attempts to provide a clear resolution to the question of who owns an account when an employee uses the account for business.

Avoid Accessing Personal Content?

Suppose a California employer was to invoke the quoted BYOD policy clause, pay $10, and take control of an account. Would the employer normally be wise to access the employee’s personal content in that account? I’d say no.

However, the employer may need to control the account and access business-related content. The employer might be wise to take steps (such as using a third party to search the account) to find the business content, while ignoring the personal content.

Dear Reader: What do you think of the clause I propose above?

–Benjamin Wright

Mr. Wright teaches the Law of Data Security and Investigations at the SANS Institute.

See other posts in this BYOD series:

Part 1
Part 2
Part 3
Part 4
How to Confiscate Phone or Other Device

When Does an Investigator Become a Stalker?

2012-10-08T11:05:00.000-07:00

New technology like social media or mobile apps can be remarkably valuable to professional investigators. It can uncover surprising evidence about fraud, crime, tax evasion, regulatory infractions and more.

But the powers of tech-driven investigations are enlarging so quickly that investigators are wise to exercise restraint and discretion. Just because you can gather data about a legitimate target does not necessarily mean you should.

Our legal system supports the application of justice in, say, a child custody contest or an audit for compliance with environmental regulations. Yet our legal system also recognizes that an investigation can go too far.

Anti-Stalking Laws

How far is too far? The answer to that question evolves constantly – and swiftly – as technology evolves. Our society struggles. Legislatures like Minnesota’s enact (for instance) broad anti-stalking laws that read like this:

"stalking" means to engage in conduct which the actor knows or has reason to know would cause the victim under the circumstances to feel frightened, threatened, oppressed, persecuted, or intimidated, and causes this reaction on the part of the victim regardless of the relationship between the actor and victim. . . .

A person who stalks another by committing any of the following acts is guilty of a gross misdemeanor: follows, monitors, or pursues another, whether in person or through any available technological or other means . . .

Section 609.749, 2011 Minnesota Statutes

One Domestic Dispute

Court cases interpreting the application of such a law under modern technology are few.

Regulatory Espionage

A Minnesota court convicted Danny Lee Hormann under this law, sentencing him to 30 days in jail. He put spyware on his wife’s mobile phone and on the family computer; he attached a GPS tracking device to his wife’s automobile. Mr. Hormann maintains what he did was morally justified under the circumstances in his household. “A Spy-Gear Arms Race Transforms Modern Divorce,” Wall Street Journal, Oct. 6-7, 2012.

Professional Investigations

Could a professional investigator, working for a private party or government agency, run afoul of a stalking law like Minnesota's? The Minnesota law contains this crucial exception:

Conduct is not a crime under this section if it is performed under terms of a valid license,
to ensure compliance with a court order, or to carry out a specific lawful commercial purpose or employment duty, is authorized or required by a valid contract, or is authorized, required, or protected by state, federal, or tribal law or the state, federal, or tribal constitutions.

Many investigators pursuing legitimate tax collection or bill collection would believe this exception applies to them, and it does . . . up to some point.

Crossing the Line?

But – technologically speaking -- at what point does the investigator go too far? Example: professional investigators today routinely collect evidence from publicly-accessible parts of social networking sites. But they often fail to comply with the terms of service published by Facebook. Those terms say, for instance, “If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.”

http://www.facebook.com/legal/terms

The literal words of that sentence are lost on many professional investigators like police officers or plaintiff lawyers – who are advancing otherwise justified investigations.

Transforming an Investigation into a Crime?

Could violation of the published terms of a social networking site or a mobile app cause a legal investigation to transform into illegal stalking or eavesdropping?

I don’t know the answer to that question.

But I do believe the boundary between a legal investigation and an illegal investigation is becoming less distinct and subject to greater debate. Social norms defining what is permissible versus what is creepy are in flux.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Update: Aggressive, intrusive recording by way of a cybernetic system like Google Glass could amount to illegal stalking.

How to Comply with Data Laws | Standard of Behavior

2012-10-01T10:35:00.000-07:00

I am often skeptical of enterprise policies that say the enterprise “must” or “will” do something relative to data, whether it be securing the data, retaining it or managing it in an investigation, such as an e-discovery probe in litigation. I have explained my skepticism, and I have argued that often the better thing to say is that the enterprise will “strive” to do something about data rather than it “must” or “will” do something.

This argument . . . this lesson . . . is central to the Legal 523 course (Law of Data Security and Investigations) I teach for the SANS Institute.

Standard of Performance

Student Feedback

Regarding this lesson, I got feedback from a student. The student is an IT manager at a municipality. He took my Legal 523 course in 2011. Then I saw him at the SANS conference in Las Vegas 2012.

The student approached me and said he was so glad he took the course when he did. In the past year he has been deeply engaged in eDiscovery on account of a rash of lawsuits filed against his municipality. He has been working with outside litigation counsel to respond to many eDiscovery requests, where he leads the technical effort to compile email and other e-records in compliance with the requests.

He told me the Legal 523 course prepared him for understanding eDiscovery and coordinating with lawyers who are not technical experts.

Strive to Comply

In particular, he recounted an episode in which he was working with counsel to comply with an especially demanding eDiscovery requirement. Technically speaking, compliance was going to be difficult within the time frame set by a judge. He and the lawyers were brainstorming about what to say to the judge about compliance.

My former student then suggested that they tell the judge the municipality would “strive” to comply. He said, “The lawyers loved it!” They loved the word strive. He smiled from ear to ear when he told me the story. He was so pleased that, thanks to the course he took, he knew the best way to state a responsible standard of compliance in the tumultuous world of data law.

He knew how to talk data law better than the lawyers did. ;-)

–Benjamin Wright

Context-Aware Computing: Forensics, Privacy

2012-09-01T15:10:00.001-07:00

For enhanced user experience, devices and computers are collecting ever-more elaborate details about our behavior. Consequently, the trove of evidence potentially available to forensics and ediscovery examination swells and swells. And for developers, privacy headaches expand.

Windows’ Records of Latest Behavior

SANS Institute’s Ovie Carroll explains how Microsoft Windows keeps records about such minutiae as which files the user opened recently. The purpose is to please the user. When the user opens a certain file, Windows wants it to appear with the screen location and dimensions that applied the last time the file opened. But to do that Windows must keep a record.

That record could be forensically valuable when trying to prove, for example, the user knew porn was on her USB stick and she had looked at it.

Age of Context

Robert Scoble and Shel Israel are writing a book titled "The Age of Context." In their draft introduction, they write, “There are things coming at you that will change your world. Little things that are swarming around you and know where you are, what you’re doing and what you plan to do next.”

Scoble speaks of emerging technologies like Google Now and Project Glass, which will guide us, figure out what we want, and suggest what we will like, based on myriad fragments of information about what we’ve done, what is around us or how we interact with others. These technologies will work through our smart phones, our eyeglasses, our automobiles, the very clothes we wear.

Records are Legal Evidence

Yet as these technologies collect and process all these fragments, they make records. Law reveres records. It expects them to be preserved, discovered, turned over to resolve audits, lawsuits and investigations.

Consistent with due process, law will require the holders of these records to disclose them under subpoenas. Subpoenas and preservation demands will be pains in the neck for the developers of context-aware applications.

Child Custody Example

In a child custody battle, law will require parents to release records of contextual awareness. From those records, the court may evaluate whether a parent would be a safe, responsible guardian. The records will reveal driving habits (speeding? texting while driving?), places frequented, forms of recreation, yada, yada, yada.

Incriminating Search Engine Queries

Big Data

We don’t need to wait for advanced technologies like Google Now and Project Glass to see examples of this type of forensic/ediscovery investigation today. Investigators of insider trading discovered that, on a suspect’s office computer, the suspect had searched phrases like “illegal insider trading options trace.” A search like that was incriminating because, allegedly,

(a) The suspect purchased stock options based on inside corporate information; and

(b) This search suggests he was researching whether anyone, like the securities authorities, could link an insider like him to the purchase of relevant options.

“Deal Aide at Bristol Is Arrested on Trades,” Wall Street Journal August 3, 2012.

Privacy Steps by App Developers

Developers of context-aware apps and technology are exposed to legal risk. They are wise to:

1. Disclose what sensitive data they collect and what they do with it.

2. Get users to click on terms that approve their collection and use of data.

3. Appoint a chief privacy officer.

4. Avoid collecting and storing sensitive data they don’t need.

Two Example Cases

A. When the US Department of Justice learned that mobile app developers were collecting geolocation data about smart phone users without their knowledge, it opened a criminal investigation. One of the relevant criminal laws was the Computer Fraud and Abuse Act.

B. The Federal Trade Commission and the Federal Communications Commission launched investigations of Carrier IQ after a researcher revealed how much sensitive data Carrier IQ’s software clandestinely collected from smart phones. Carrier IQ soon anointed a chief privacy officer.

–Benjamin Wright

Mr. Wright teaches the law of data security at the SANS Institute.

Centralized Archiving for E-Discovery

2012-08-25T07:54:00.000-07:00

For years I’ve advocated a policy of archiving enterprise email centrally, under the control of the IT department. I wish to refine my position. First, in this note I review my argument for archiving email centrally. Then I discuss whether centralized archiving should apply to records other than email.

Argument for Centralized Archiving of Email

I often cite Disability Rights Council of Greater Wash. v. Washington Metro. Area Transit Auth.

In that case a transit authority suffered because it directed individual employees to preserve certain emails under litigation hold while a lawsuit was pending. The individual employees were inept at preserving the emails; therefore, emails were lost. The court concluded the transit authority had misbehaved. The court forced the authority to engage in an expensive search through backup tapes to recover deleted emails.

United Records

I’ve argued the transit authority would have done itself a favor if it had installed an archiving system. The archiving system would have pulled email records into a central facility under the management of the IT department. It would have avoided relying on individual employees, who are not experts in records management, to manage their legal records.

Email is Suited for Central Archiving

I’ve further argued that email is especially suited for centralized archiving because:

(1) email is a well-defined class of data;

(2) in the modern enterprise, email is a critical, if not the dominate, form of communication among employees and managers;

(3) email tends more often to be relevant to litigation and official investigations compared to all the other data in an enterprise (The reason is that email documents what people are thinking and saying, in chronological order.);

(4) email records tend not to be voluminous compared to all the other data in an enterprise; and

(5) numerous products on the market economically support centralized archiving and searching of email.

In other words, creating a central email archive reduces ediscovery and investigation risk by targeting a key class of records for disciplined retention and searching.

Non-Email Digital Records

But what about all the other electronic records in an enterprise? They too can be needed in litigation, and they can be scattered far and wide. Should they be migrated into a central archive?

That could be a tremendously large archive, which would dwarf an email archive. Creating and maintaining that archive could be a massive undertaking. Generally speaking, such an archive does not make sense.

Search Solution for Distributed Data

John Patzakis at X1 Discovery makes an interesting argument. He argues against pulling all that miscellaneous data into a central place just so you can be prepared for litigation and official investigations.

He argues that if and when an enterprise is required to search that scattered, miscellaneous data, there is no need for it to be in a central place. A technical solution designed for searching diverse data in a big, distributed network (or the cloud) can be deployed to go find the data.

That makes sense to me.

I must note that John’s company sells such a search solution. I have no experience or connection with it.

Other Central Archives

In different enterprises, other select classes of records may be good candidates for central arvhival on account of the long-term legal and regulatory value of the records. In a hospital, such records might be patient records. In an accounting firm, they might be audit work papers.

–Benjamin Wright

Mr. Wright teaches the Law of Data Security and Investigations at the SANS Institute.

Records Are Power

2012-08-21T08:50:00.003-07:00

In this age of super-abundant digital records, if you fail to keep good records yourself, then you risk that your adversary will possess records that will surprise and embarrass you.

Adversary's Surprise Video

Ubiquitous Records

Observe what happened to a Montgomery County police officer in a DUI traffic ticket case. She testified in court that as she approached the defendant's vehicle, the defendant was in the driver's seat. But then the defendant dramatically produced a third-party security video showing that the defendant was in fact in the back seat! The police officer then admitted that she handles lots of cases and she can't remember everything. The defendant won the trial.

Prosecution for Perjury

But the police officer's problems were just beginning. The local prosecutor indicted the officer for perjury. Dan Morse, "Montgomery Officer's Testimony in DUI Case Leads to Perjury Charge," Washington Post, Aug. 22, 2009. Had the officer been keeping more meticulous records of each of her investigations, she could have avoided this trap.

Lesson: Police Need Audio and Video Recorders

A police department is wise to equip officers with voice and video recorders for quick capture of detailed records on-the-spot.

--Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Hunting for the Electronic Terms and Conditions that Apply to You

2012-08-19T07:29:00.000-07:00

Legal terms and conditions have become so easy to publish that a commercial party is wise to hunt around for those of its trading partner. The commercial party may be exposed to – and deemed to have agreed to – terms in a way that fails to draw the attention of management, though the terms are not really hidden.

On the modern Internet, terms like end user license agreements (EULAs) can lurk in innumerable places.

Crowdfunding Widget

I am helping a client that is building a service for crowdfunding. My client wants to promote crowdfunding, recognizing there already exist popular web sites that support crowdfunding deals.

Meeting of the Minds

My client is looking to install widgets published by some of these popular sites, like Kickstarter and IndieGoGo, and my client asked me what the rules are for these widgets. Following is part of the advice I gave the client:

Study Ts & Cs

Client is wise to study any and all terms and conditions at places like Kickstarter and IndieGoGo . . . wherever those Ts&Cs may appear. Some of those terms (including possibly so-called "privacy" and other "policies") will appear as links from the home pages of those sites.

Terms can be complex. Just as an example of how things can work . . . Facebook publishes general terms and conditions for general users, but it publishes special, additional terms and conditions for what it calls developers and operators of "platform applications."

Periodically Look Again for Revised Terms

Client is wise to hunt around for this kind of stuff. Then, client is wise periodically to go look again because services like Kickstarter and IndieGoGo may change their terms or publish them in new places, without necessarily notifying client by email.

Terms and conditions can appear in places other than just links from the home page. Perhaps there are terms on the page where a widget user downloads widget code (or on a page that provides instructions or FAQs for widget users); if terms appear there, they need to be studied.

Perhaps, as you install or configure a widget, terms pop up. Again, client would be wise to study such terms.

Or, terms might be buried in widget code itself, in such a way that a programmer would see them but a dummy like me would never see them.

Record the Terms

When terms are discovered, client is wise to make a record of them.

Transparency is a Plus

Generally speaking, client is wise to be transparent about the Ts&Cs of other people. If their terms are ambiguous, then ask them for clarification.

If client sees some terms that arguably restrict what client is doing, then post your interpretation in an FAQ or blog article and invite comment. Get the issue in the open.

Comments?

–Benjamin Wright

How to Write a Subpoena for Computer Records

2012-08-15T08:20:00.002-07:00

A subpoena is a legally-binding order for the delivery of evidence. One form of subpoena, sometimes known as a subpoena duces tecum, orders the delivery of documents, which generally can include electronic records.

Subpoenas may be authorized under many different statutes (legislation). The rules and procedures vary from statute to statute and from state to state.

Government Authorities

Law enforcement (police, prosecutors, grand juries and some administrative agencies such as the Federal Trade Commission) normally has the power to issue subpoenas in support of its investigations.

The inspectors general in certain government agencies have power to issue subpoenas in support of official investigations internal to those agencies (such as investigations into corruption or incompetence).

Civil Lawsuit - Including Small Claims and Self-Filed Divorce

In a lawsuit, a subpoena can normally be issued under the rules of procedure that govern the lawsuit (whether a civil lawsuit or a criminal prosecution).

Small Claims Court Order

Oftentimes, a subpoena may be issued under the rules of a lawsuit in small claims court or in a self-filed divorce. Hence, the power to cause a subpoena to be issued can be within the reach of a person who has been damaged but who is unable to afford a lawyer. Oftentimes, to cause a subpoena to be issued in small claims, a party would ask the clerk of court to issue the subpoena. The clerk provides to the requesting party the necessary form and rules.

Normally, when the court clerk issues a subpoena at the request of a party in small claims, the clerk would expect the party to write the description of the evidence, such as computer records, being demanded. So the drafting issues discussed below would arise.

Third Party Records

Often, a subpoena may be issued to a third party, that is, someone who is not a plaintiff or defendant in a lawsuit or the target of an investigation. For example, in a lawsuit between two corporations, one of them may subpoena the records on the home computer an individual witness. See Sonomedica v. Mohler, 2009 WL 2371507 (E.D.Va.), which punished witnesses to a business transaction for failing to turn over computer records under a subpoena duces tecum.

How do third parties feel about a demand that they turn over their records in relation to a lawsuit that does not involve them? Often they are unhappy and reluctant to comply. But generally they are required to comply. As the US Supreme Court declared, “there is in fact a public obligation to provide evidence . . . and . . . this obligation persists no matter how financially burdensome it may be.” Hurtado v. U.S., 410 U.S. 578 (1973).

To varying degrees, the rules for a subpoena provide for some (modest) compensation to a person who is required to comply with a subpoena.

Depending on the rules, a subpoena related to litigation must sometimes be issued or approved by an official employed by the court, such as a judge or a clerk of the court. But that is not always the case. Under the rules of civil procedure in Texas, for example, an attorney may issue a subpoena in connection with a lawsuit.

Enforcement

The statutory rules that govern a particular subpoena often provide penalties for failure to comply. The penalties can include a citation for contempt of court, including fines and possibly even jail time. The judge in a case might have wide discretion to impose the penalties she believes appropriate.

Quashing a Subpoena

Often, the recipient of a subpoena can take steps to challenge the validity or scope of a subpoena. This may require the recipient to appear before a judge and explain why the subpoena is invalid or too broad.

Sometimes, the recipient can persuade the court to “quash” the subpoena, which means to invalidate it. Or the recipient may persuade the court to limit it, or scale back the records to which it applies. Among the reasons a court might quash or limit a subpoena are that:

* it fails to comply with the applicable rules;
* it asks for material that is not relevant to the case;
* it places an undue burden on the subpoena recipient; or
* it unduly compromises the confidentiality or other protected interests of a person.

Disincentive for Abuse

Were the issuer of a subpoena, such as an attorney, to abuse the subpoena power, he or she could be subject to sanctions by court or possibly another authority such as the local bar association. Thus, the subpoena issuer has reason to comply with the rules and to make no more than reasonable demands in the words of the subpoena.

Drafting Issues

The person writing a subpoena wants it to cause production of the needed records, while avoiding criticism that the words of the subpoena are incomprehensible or overly broad. This desire can create difficulty for the writer of a subpoena for computer records.

Computer records – whether on a smartphone or scattered throughout the IT system of a corporation – can be very numerous. The relevant records can include not only content – such as the content of electronic records like email – but also metadata. Metadata means records about the records, such as time stamps, audit trails, creation/deletion logs and so on.

Thus, if interpreted literally, a subpoena that demands something like “all records related to” an event could require extraordinary effort and more time than is allotted. A subpoena written in this way may be vulnerable to rejection in court. Even if a court does not outright quash an overly-broad subpoena, the overly-board language in the subpoena may cause delay in compliance. Instead of complying promptly, the recipient may complain to the court that the subpoena is too broad. That complaint might lead to a hearing before the judge, which adds time and expense to the whole process.

Ultimately, the writer wants the subpoena to be upheld as reasonable and proportionate to the matter at hand. The writer wants to ensure he can, if called upon, produce information and arguments to justify what he requests and justify the effort it takes to satisfy the request. If the subpoena writer comes across as overreaching and disproportionate, he may lose favor with the judge.

Writing Concisely and with Specificity

The subpoena should be written clearly and concisely. If the person desiring a subpoena is not a good writer, he should seek help.

Similarly the subpoena writer wants to avoid an allegation that the subpoena would infringe privacy, such as an undue request for records containing medical data.

A subpoena is more likely to efficiently yield desired records if it can speak with specificity. For example, it might demand the “printed contents of all emails between Bob and Sally between the dates of July 14, 2011 and July 19, 2011, with any specific discussion of Sally’s surgery redacted.”

Preservation Letter

Anyone writing a subpoena for computer records should consider an addition document – a preservation letter. A preservation letter is a reminder to the person who holds records relevant to a lawsuit or investigation that those records should be preserved (not destroyed) while the lawsuit or investigation is pending.

As a subpoena writer strives to restrain the scope of what he requests, a preservation letter might justifiably advise the retention of more records, in case they become needed.

A preservation letter would normally not be issued by a judge or a clerk of the court. It would be issued by a party involved in a lawsuit or investigation. (Sometimes a court may issue an order that records be preserved.)

Preserving Computer Records

Computer records can be easy to erase; often computing systems erase records automatically. Sometimes it takes special effort to ensure that computer records (such as records on a smartphone) are retained. A preservation letter puts a party on notice that the records may be needed and therefore effort must be made to prevent destruction.

A proper preservation letter might remind the holder of records that destruction could bring punishment. For example, in Wisconsin it is a crime to conceal or destroy records after the state attorney general subpoenas them. Wis. Stat. §946.60(1) (2004)

Just as with a subpoena, delivery of a preservation letter is not a tactic to be used in a glib or vindictive way. It should not be used to harass a party. Every statement in the letter should be reasonable and logically justified, based on the information possessed by the writer of the letter.

Comments?

Dear Reader: What has been your experience with subpoenas for electronic records?

--Benjamin Wright

Computer Forensics for Legal Professionals?

2012-07-06T07:21:00.000-07:00

What Legal Professionals Need to Know

SANS Institute holds free briefing for legal professionals.

Friday, July 13
6:15pm - 7:15pm
Washington Hilton and Towers
1919 Connecticut Avenue NW
Washington, DC 20009

We are living in a digital world where nearly 95% of all documents created are digitally. The future of success in the courtroom and in litigation of any kind will depend on litigators ability to identify and analyze digital evidence. This presentation will discuss and enlighten you to some of the must know digital evidence artifacts every litigator, paralegal, and information technology auditor must understand to be successful. Awareness of digital evidence artifacts is only half of the puzzle, understanding what these artifacts mean and their potential significance to your case could mean the difference between winning and losing.

Presenter: Ovie Carroll

Ovie Carroll has over 20 years of federal law enforcement experience. Ovie was a special agent for the Air Force Office of Special Investigations (AFOSI) and Chief of the Washington Field Office Computer Investigations and Operations Branch responsible for investigating all national level computer intrusions into USAF computer systems. Following his career with the AFOSI he was the Special Agent in Charge of the Postal Inspector General's computer crimes unit where he was responsible for all computer intrusion investigations and for providing all computer forensic analysis in support of USPS-OIG investigations. Ovie is currently the Director for the Cybercrime Lab at the Department of Justice, Computer Crime and Intellectual Property Section (CCIPS) and an adjunct professor at George Washington University teaching computer crime investigations. In addition to his career fighting computer crime, Ovie has conducted investigations into a variety of offenses including murder, fraud, bribery, theft, gangs and narcotics.

To pre-register, go to https://www.sans.org/sansfire-2012/night.php, scroll down to "Computer Forensics for Legal Professionals?" and enter your contact info.

--Benjamin Wright
Update: I learned a lot from Ovie's presentation.

Equity Crowdfunding | The Transaction Costs

2012-06-26T17:45:00.000-07:00

The JOBS Act is set to enable equity crowdfunding. In equity crowdfunding unsophisticated investors make small investments without the investments being registering with the Securities Exchange Commission or the state securities regulators.

Equity crowdfunding, which will be new to the US, aims to tap the power of online commerce to spur economic growth.

I ponder how the costs of funding a transaction will balance against the value of the transaction.

Legal Costs

First, there are legal costs.

Presumably, the issuer (the company selling equity to investors) will need “legal” help.

It will need a legal entity, like a corporation or an LLC. Some people create entities like that without the help of a lawyer.

The issuer will need one or more contracts and related documents that govern the deal (e.g., you invest $500, and in return you get X shares of common stock in the issuer company subject to specified rules and limitations).

The issuer will need disclosure documentation like a prospectus that describes the issuer, the offering, the market, the risks and other material information so the investor can make an informed decision. Traditionally this kind of documentation is prepared with the help of a lawyer.

Maybe the costs of this legal help can be kept down by (a) imperfect, cookie-cutter forms, (b) software that (imperfectly) enables the issuer to do some or a lot of this on its own, and/or (c) the flood of young lawyers emerging from law school without jobs. I wonder whether young lawyers (many deeply indebted with student loans) will take on this work for low fees, and not worry about malpractice insurance because they are already in debt.

Accounting Costs

Under the JOBS Act, deals over $500,000 require audited financial statements. Deals between $100,000 and $500,00 will require some kind of a review by a public accountant.

Deals under $100,000 do not require involvement by an accountant. Instead, the issuer just releases its most recent tax return (if any) and the issuer’s CEO attests to the issuer’s financial statements.

I am not aware that large numbers of certified public accountants are unemployed, desperate for work. CPAs bear malpractice risk, so they will charge enough to more than justify their malpractice insurance. (Furthermore, before a CPA takes on a crowdfunding deal, the CPA would be wise to review the terms of her malpractice insurance. Theoretically, the risk to a CPA in a small-business crowdfunding deal is larger than in a typical CPA review/audit of a small business. The reason is that in a crowdfunding deal, there is potentially a large number of little investors; a bad deal might economically support a class action lawsuit. Hence, the terms of insurance for a CPA who audits small business may not cover high risk transactions, like crowdfunded deals and initial public offerings.)

I wonder, therefore, whether we will see large numbers of deals for

a. $100,000 or less

or

b. new entities that have financial statements are perfectly clean and therefore easy to audit/review.

Intermediary Costs

Under the JOBS Act, crowdfunding requires an intermediary. The intermediary must be either a registered broker or a registered “crowdfunding portal.” It will be the intermediary’s responsibility to supervise the transaction, and make sure various rules are followed. The intermediary will want enough compensation to justify the work it must do and the risk it must bear.

Maintaining broker registration involves quite a bit of overhead (such as recordkeeping). It remains to be seen what all the overhead of a crowdfunding portal will be.

Both brokers and portals will bear substantial costs in doing such things as running background checks on issuers and securing the privacy of investors.

Banking Costs

Money will have to be processed. For example, if investors use credit cards to pay, then there will be card transaction fees. If a bank is collecting payments into, say, an escrow account, then the bank will expect compensation.

I have not thought all of these issues through. What do you think, dear reader, about the costs?

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.