Spies, Snoops, Snitches & Privacy Law

Megaupload Users | Get Legal Files Back?

2012-01-23T11:07:00.001-08:00

When the US Department of Justice and its allies shut down Megaupload, they affected many kinds of users and many kinds of files. Many of those files are legal. Artists, writers and other content creators used Megaupload for storing, managing, distributing and publishing their original work.

It is unknown precisely what law enforcement has done with the legal files stored in the Megaupload platform.

Privacy Protection Act

US law enforcement must be mindful of Privacy Protection Act ("PPA"), 42 U.S.C. § 2000aa:

“[I]t shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication...”

Essentially, the purpose of the law is protect First Amendment free speech, free press materials.

Law Enforcement

Courts interpret PPA to allow police to seize a computer containing PPA-protected material, if there is good reason to believe they are commingled with illegal data.

What is less clear is what police may or must do with PPA-related material after they have lawfully seized it. In Steve Jackson Games, Inc. v. Secret Service, a district court penalized the government for not returning PPA-protected materials promptly after learning they were protected.

Asset Forfeiture Law

Another relevant law is the 2000 Civil Asset Forfeiture Reform Act, which is intended to make it easier for innocent parties to recover their property when seized by the US government. A public-interest expert in holding government to this law is the Institute for Justice. The Institute for Justice should consider taking up the case for innocent Megaupload users.

–Benjamin Wright

Related: Megaupload Raid: The Legitimate Users

Cloud Provider FBI Raid

2012-01-22T09:51:00.000-08:00

As it becomes more common for law enforcement to raid online facilities like Megaupload, it is incumbent
on law enforcement to respond to the needs of innocent users.

A few days ago law enforcement, led by the US Dept of Justice, seized the domain for Megaupload.com,

Domain Redirect

causing traffic to that site to be redirected to a government notice saying the domain had been seized under court order.

Economic Hardship to Bystanders

Megaupload is a very popular service, with many millions of customers worldwide. It is a cyberlocker that allows users to store and share files. Some of those files, perhaps many of them, may violate copyright and other laws. But a great many of those files are not illegal. Users rely on those files for many purposes, including running their law-abiding businesses and lawfully earning a living.

By shutting down the site, law enforcement has caused substantial economic hardship.

Precedence: Liquid Motors Case

US law has previously provided relief to an online service provider's users who are not under investigation.

In Spring 2009, FBI seized servers run by Core IP Networks. Some of the data processed on those servers belonged to Liquid Motors, an innocent company that helps large auto dealerships manage their inventory and Internet marketing. The raid had severely degraded Liquid Motor’s service to its law-abiding customers.

Liquid Motors promptly petitioned a federal court for relief. Although the court believed FBI’s raid was justified, it acknowledged the economic impact on innocent parties. Significantly, the court compelled FBI to work over the weekend to provide Liquid Motors copies of its data and to return a server to Liquid Motors as soon as possible.

Over-Zealous Police Undermine Public Trust

Yes, law enforcement needs to shut down cyber criminals and collect evidence so they can be prosecuted. But law enforcement undermines the community’s trust when it damages innocent bystanders.

Moreover, principles of due process, human rights and property rights call for law enforcement to take proactive measures to minimize collateral damage.

Before executing a raid, law enforcement should evaluate whether its mission truly requires it to take services offline. It should develop techniques for surgically getting what it needs, while avoiding disruption of anything else.

What’s more, law enforcement should develop and execute a plan for returning disrupted services, or returning confiscated data, as soon as possible.

Police Should Strive for Transparency

Law enforcement further should strive for transparency and accountability. It should engage intensively with the community, disclosing as much as it can, as soon as it can. In the case of Megaupload, the vacuum created by law enforcement’s relative silence has lent credence of malicious phishing sites that appear to enable worried users to retrieve their files.

The Department of Justice and its colleagues should be commended undertaking the hard work to responsibly police the Internet. And, I grant you that, for law enforcement to heed the needs of bystanders requires much time and effort. But this is what democracy and rule of law expect of 21st Century law enforcement.

-- Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related: Theories for Relief to Blameless Megaupload Customers

Service of Process via Social Media

2011-11-09T15:52:00.001-08:00

Claims, Orders and Notices

Service of Process is the formal means by which notices of legal action -- such as the initiation of a lawsuit or the issuance of a subpoena -- are given to people who are subject to the notices. Service can relate to matters in court, i.e., judicial proceedings, or it can involve extrajudicial matters, such as notice of action by a government agency.

Traditionally, formal service of legal notice is performed by hand.

Sometimes when the person’s location is unknown, alternative service is permitted. Alternative service can include publishing the notice in the newspaper. In reality, publication of small notices in the newspaper is not very reliable as a way to put most people on notice of something.

Some courts have allowed service via email. A problem with email is that spammers commonly send official-looking emails trying to trick the recipient into clicking on something that will infect the recipient’s computer with malware.

Malware

Therefore, recipients have reason to ignore emails from unknown senders.

Social media like -- Flickr, Yelp, Twitter, Facebook, Youtube and many others -- open new potential avenues for alternative service. The intended recipient might be reachable in many online places.

In Federal US courts, the method used for service of process must be reasonably calculated to notify the recipient of the matter.

Here are factors that can help to establish that service over the Internet was indeed reasonably calculated to put the recipient on notice.

1. Multiple Attempts. Make multiple attempts through multiple channels, including Facebook Wall and chat, relies to Twitter tweets, comments under photos and comments under blog posts or status updates. Social media are opening so many avenues for reaching a person that liberal use of them increases the likelihood of successful delivery.

2. Video Response. If the recipient has posted videos on Youtube, send the notice as “Video Response” to one of the videos. Put the text of the notice directly into the video. This approach holds two advantages:

(a) It normally causes an email to go from Youtube to the recipient seeking approval of video as a response that would appear under the recipient’s video. It does not seem like a spam ploy to send malware.

(b) Video Responses are relatively rare on Youtube, so the Video Response is more likely to attract the curiosity and interest of the recipient.

3. Use Verified Identity. When posting notices, use a verified identity, such as is available through Google Plus. (As the photo shows, Google shows my name has been verified when the viewer places the cursor on the check next to my name.)

Authenticity

4. Use simple text. Put as much information as possible in simple text rather than a link. If the recipient has to click on a link, he may have reason to believe the notice is a hoax trying to trick him into clicking on malware. If necessary, break the full text of the message into multiple postings. Start the notice with a plain statement like, “Benjamin Wright: You have been sued in connection with property located in Carson County, Texas.”

5. Name in subject line. If using email, put the recipient’s name in the subject line. Bulk spammers don’t do that.

6. Expose the notice to search engines. Publish the notice on a web page so it comes up in a general search of the person’s name. People commonly search their own name.

7. Toll Free Number. Give the recipient a toll-free number to get more documents or information. A toll-free number conveys seriousness (less likely a hoax) because the person owning the number pays the toll on calls coming into the number.

8. Monitor Subsequent Activity. After service/notice is attempted through a particular social media account, public activity in the account can be monitored. Commonly people have entwined their lives so tightly with their accounts that they cannot stop using them. Subsequent activity is evidence that the account is being used. Specific activity (photos, videos, comments, geolocation data) can be so unique to the account holder that it can be established that the account was not being used by an impostor and that it was likely the account holder saw the service/notice.

The expansion and diversity of social media open many new opportunities to be creative.

–Benjamin Wright

P.S. In a couple of cases involving unknown hackers, courts have allowed discovery to start before an attempt to serve process. The discovery might include subpoenas to ISPs to discover the identity and location of the hackers.

See: ideas on how to document details of a person’s web presence

How to Record Nonstandard Online Financial Trades

2011-11-05T13:35:00.000-07:00

Audit Evidence & Documentation

Making records of non-standard financial transactions is not easy.

Electronic trading platforms for nonstandard transactions are numerous and diverse. They change constantly. They facilitate trades and auctions in myriad nonstandard financial assets, such as OTC derivatives, bankruptcy claims, privately-held equity, esoteric asset-based securities and so on. An example of such a platform is SecondMarket, which specializes in bringing together buyers and sellers of illiquid assets.

Multiple Media and Services

Capital Markets

The platforms provide information in multiple media, including audio, video, formatted documents, instant messages, structured data and augmented reality. These platforms can present a professional trader a welter of financial disclosures, trade confirmations, legal representations, and contract terms and conditions.

The relevant contract data for a trade may not arrive all through a single platform. A trade executed on one platform may be supported by emails or text messages sent through different services.

Are All Records Linked Together So Someone Can Understand Them Five Years From Now?

After a trade has been executed, how can the terms be documented? If there were a dispute about the trade, will reliable and complete records exist?

Lawyers ask these questions, thinking about legal evidence. Auditors ask these questions, thinking about proof to support financial claims and statements. Tax advisors ask these questions as they analyze tax obligations and prepare for audit.

Although a platform provider like SecondaryMarket may keep some records, the provider cannot be relied upon as the long-term, comprehensive, record repository for investors. The provider might go out of business, and it might not keep all of the records the investor needs for the number of years the investor needs them.

Further, the provider may not keep records to show the precise organization of information, or the order in which communications were exchanged, or the interconnection of messages communicated via different media and services – all of which could be relevant to determining the legal import of a transaction.

Narrated Screencast Video

Here is a method for recording the data a professional sees at a certain point in time, such as half-an-hour after a trade is executed.

It is a screencast video that memorializes what the professional claims he sees, with realtime narration from him explaining how he moves from one item of information to the next.

The screencast is made with screencast-o-matic, a free, Java-based, open-source tool for recording what you see on your screen,

Interactivity and Inter-Connections

The resulting video is a unified package of evidence that captures the interaction and interconnectedness of the web better than a bunch of sceenshots. The video illustrates what happens as each link is clicked.

The final, comprehensive record of the transaction might include this video, together with copies of emails, the disclosure documents that were exchanged and so on. The video is the twine that binds all of these records together into a unit that is comprehensible to someone who may review the transaction in the future.

Cloud Time Stamp

Fixing the time of evidence like this video adds to its credibility. The auditor states the time directly into the video.

To corroborate the vocalized date, the auditor could store the video, soon after he creates it, in a file-management resource that applies a timestamp to it and to any modifications of it.

Thus, if the video, dated by the auditor’s voice as November 5, were uploaded on November 5, but then replaced November 10, there would be a mismatch of dates, suggesting that the video in the resource is not the one originally created by the auditor.

What enterprise-class resources might reliably attach a timestamp to a video? Autonomy is an example of a third-party archive service providing such a timestamp, and Microsoft Sharepoint is an example of in-house resource. Sharepoint maintains rich, detailed metadata (such as time of file upload and time of file modification) that is hard for anyone, even IT staff, to manipulate inconspicuously.*

–Benjamin Wright

Attorney Wright teaches the law of data security and investigations at the SANS Institute.

* Manipulation of all relevant metadata (including metadata in backups) in a complex enterprise resource like Sharepoint is extremely challenging, if not utterly impractical. Thus, the timestamp in that resource corroborates the time stated in the video. A tool like DocAve Auditor accesses and analyzes the trove of metadata in Sharepoint.

Related Articles:

* Online Investigation

* Recording Cyber Adversary

How to Record Debt Collector Web Page

2011-10-24T13:20:00.000-07:00

Coping with Bill Collection

Suppose you want to record your online interaction with an adversary . . . such as a collection agency. Your goal is to capture reliable legal evidence of what you encountered when trying to access or provide information to the adversary’s web site or online app.

In effect, the video you create will record your eyewitness testimony of what you see online at a particular point in time.

You might want to do this, for example, to show that you tried to access a debt collector’s web site, but it was not available, did not work right or gave you misinformation.

Ten Steps

For making your record, here are 10 steps:

1. Write out a step-by-step script of what you going to do and say as you make the recording.

2. Launch your webcam so you can see yourself live on your monitor.

3. Launch your browser or app so you can see that on your monitor at the same time you see the webcam image.

4. Start a screencast recording program, such as screencast-o-matic (free, open-source service), to record what appears on your monitor.

5. As the recording starts, identify yourself and explain the reason for your recording. Explain the technical methods you are using to make the recording. Don’t be afraid to read directly from your script. Your purpose is to record legal evidence, not to make a television news cast.

6. Use your browser or app and carefully explain each step you take.

7. Describe what you see and what it means.

8. Conclude the recording by signing and dating it with your voice. Say words like, “I Ben Wright hereby sign and affirm this screencast as an accurate reflection of my work.”

9. Review the video to ensure it is accurate.

10. Soon after you create the video, store it in an online service such as Microsoft’s Skydrive, which records the date a file like the video was uploaded and last modified.

Example

Here is a hypothetical example.

This demonstration is not the only way to make records of online events. And it does not cover all of the legal and technical issues that might apply to your particular situation.

If you need legal advice for your particular situation, you need to consult a lawyer rather than to rely on this educational blog and video.

This blog post and video intend to spark public discussion about ways to record online activities. What do you think?

–Benjamin Wright

Attorney Wright teaches the law of data security and investigations at the SANS Institute.

Related articles:

* How to Make a Gotcha! Video
* How to video record online chat with legal adversary
* Recording Social Media Legal Evidence

Google+

Exploiting Scandalous Evidence

2011-10-20T18:58:00.000-07:00

Political Exposé

Let’s say you possess incriminating or embarrassing evidence about someone. Maybe it’s video catching a public official in an act of corruption or audio in which an executive admits her corporation violates the law. You know this evidence is sensitive and it serves a public interest. How do you handle it?

Here are options and issues:

1. Ethics. Ask an independent party like an attorney to evaluate the evidence for credibility and to provide input on the ethical use of the evidence.

Surprise Camera

2. Money. Inquire whether you are entitled to protection and compensation under whistleblower law. Invocation of whistleblower law may require turning the evidence over to law enforcement or filing a lawsuit. Federal tax law provides compensation to whistleblowers who provide the IRS reliable evidence about cheating by a particular taxpayer. The False Claims Act provides a bounty to whistleblowers who sue lawbreakers and successfully recover money on behalf of the federal government.

3. Editing. Should you hide or redact information from the evidence before publishing it? Blurring faces or removing other personally identifiable information may be the prudent, responsible thing to do. Masking of graphic details can help portray you as a conscientious citizen, not a gossip monger.

4. Investigate. Should a careful investigation of the facts be undertaken to determine how the evidence was gathered, what the evidence actually depicts or whether the compilation of the evidence violated any laws? When an investigation is led by an attorney, often the methods and the outcome can often be kept confidential under something known as the attorney work-product doctrine.

5. Third Party. Should you use an intermediary to publish the evidence or present it to authorities, while protecting your identity? Both attorneys and police agencies have legal power to maintain confidentiality.

6. News Media. Should you sell the evidence to the news media? Sometimes they do pay for good material.

7. Disclaimers. Consider how to present the evidence to authorities or the public. Does it need explanation and background? Does it need disclaimers?

8. Exoneration. Should you file a lawsuit to cause a court to declare that the evidence was not stolen or created in a way that violates privacy, property or other rights?

Are you an amateur gumshoe? What is your experience dealing with evidence of a scam or hipocrisy?

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute, where he teaches professionals how to use Internet media to deliver legal messages.
Google+

How to Recover Deleted Phone Text and Photos

2011-10-19T19:23:00.000-07:00

Forensics

In a legal dispute, text, photos and other data on a smart phone or tablet can be relevant. Can they be recovered if they have been deleted?

Cellular service carriers (Verizon, AT&T, Sprint, TMobile) keep records of text, photos and transmitted data for periods of time that vary from one provider to the next. However, legally forcing them to turn over user data in a non-criminal case is difficult. The carriers tend to resist subpoenas from civil lawsuits such as divorces, on the grounds that the content of user data is protected by the Electronic Communications Privacy Act.

Customer Cooperation

To a limited degree, recovery from a service provider may be possible if the customer is cooperative. For example, Sprint records transmitted photographs on a web page protected by a customer password. Mobile App providers may similarly keep records of messages, photos or videos on a web page protected by a customer password. In a lawsuit, the customer may be required to cooperate in the recovery of those records under a subpoena or ediscovery demand.

(Cellular carriers have a reputation for not helping customers recover messages unless the customer has a web page for storing those messages as Sprint does for photos.)

Data Forensics

An alternative approach to recovering data is forensics. An adversary in a civil law proceeding (divorce, child custody, bankruptcy or other lawsuit) may be able to demand through the rules of court procedure that the owner of a mobile device take two steps:

Text, Photos, Video

Step 1: Protect data on the device from erasure or further damage. This demand for protection might come in the form of a data preservation letter sent by the adversary’s lawyer.

Step 2: Deliver the device to a forensics expert so he can recover data.

Forensic recovery of data from a mobile device is tricky. Sometimes deleted data can be recovered and sometimes it can’t. Sometimes fragments of a message can be recovered. Recovery capabilities vary from one device to the next.

Documented Authority

When a forensics expert is engaged to recover data from a device, he needs to ensure he has authority from the proper person. He is wise to get the authority in writing.

If someone who is not the owner of the device asks him to recover data, he might be violating an anti-hacking law like the Digital Millennium Copyright Act. When a nonowner asks for data recovery, the expert is wise to ask for a court order.

–Benjamin Wright

Attorney Wright teaches the law of data security and investigations at the SANS Institute.

How to Make a Gotcha! Video

2011-10-16T18:11:00.000-07:00

Phone Evidence

How should a vigilante or a political activist make a video record of illegal activity?

Let’s say you catch the mayor parking her motorcycle in a no-parking zone, arrogantly thinking she won't get a ticket because she is mayor. You pull out your smart phone and record by video. You intend to present the video as evidence to a legal body like the city council. Or you intend to give the video to the local TV news team. Or, you intend to publish the video on youtube.

Here are steps to make the video more credible and worthy of attention:

1. Narrate what you see as you record it, so that the viewer understands what is being displayed. Narration makes video more compelling than a still photograph.

2. Formally sign the video at the end. Point the camera at your face and recite words like, “I Ben Wright hereby sign and affirm this video as an authentic record of what I witnessed.” A video is more believable when an accountable witness takes full responsibility for it. Also, the signature bolster's the video's value in case you are not available in the future to vouch for it, such as in a legal hearing.

3. State the location, the date and the time.

4. Promptly after creating the video upload it to an Internet service that memorializes the date of the video (including the date of any modifications). If the date vocalized by the witness in the video matches with the date on the Internet service, then the two corroborate each other.

As a demonstration, I uploaded the video above to Microsoft’s Skydrive service. I uploaded within minutes after I created the video. This screenshot shows the details that Skydrive records about the video, including time of upload and identity of the user who uploaded.

Cloud Service Metadata

5. Give the video to some friends and ask them to load it to a service like Skydrive that records date and time.

6. Capture GPS information. A geotag on the video corroborates the location stated by the witness in the video.

P.S. Two witnesses are better than one.

–Benjamin Wright

Attorney Wright teaches the law of data security and investigations at the SANS Institute. One topic he covers in that course is whistleblower law.

Related article: How to Exploit a Gotcha Video.

Cyber Defense Law | Botnet | Computer Crime Lawsuit

2011-10-14T13:01:00.000-07:00

Microsoft breaks new legal ground. From a US Federal court, Microsoft has obtained a temporary restraining order (ex parte TRO) that allows Microsoft and its white hat affiliates to take (apparently) aggressive technical measures against the Waledac botnet.http://blogs.technet.com/microsoft_blog/archive/2010/02/25/cracking-down-on-botnets.aspx

The TRO is available for download at http://blog.seattlepi.com/microsoft/archives/195793.asp. The TRO explicitly orders Verisign to lock domains at the registry level and to hold the domains in escrow.

Query whether any of these steps by Verisign would arguably qualify as "hacking" in the absence of the TRO. For discussion purposes, we can define "hacking" as entering a computer without authority -- or exceeding authority within a computer -- and causing damage. Maybe one could say Verisign is "hacking" because, as it locks domains, it:

1. enters computers that it owns or duly controls;

2. exceeds its authority in those computers because it is locks domains that putatively belong to another person; and

3. damages that other person.

Stephen Paluck of Beaverton, Oregon, complains that actions taken under the TRO interrupted service for his domain,debtbgonesite.com, and he's done nothing wrong. Wingfield & Worthen, "Microsoft Battles Cyber Criminals," Wall Street Journal, 26 Feb. 2010.

Microsoft further says, "Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet . . ." The company does not reveal what these additional countermeasures are. Query whether any of these measures would arguably qualify as "hacking" in the absence of the TRO or other legal justification.

PCWorld sheds some light on those additional countermeasures: "Waledac distributes instructions through command-and-control servers that work with a peer-to-peer system. [According to a researcher who worked with Microsoft,] 'We disrupted the peer-to-peer layer to redirect traffic not to botmaster servers but to our servers.'" http://www.pcworld.com/businesscenter/article/190234/microsoft_recruited_top_notch_guns_for_waledac_takedown.html

In my research, I have only found one case [Cartier Int'l, B.V. v. Dipadova, CV 00-06717 (C.D. Cal.) (entered Nov. 7, 2000)] where a judge authorized technical measures -- the disabling of a web page (a legal hack) -- to combat an online threat or menace. Has anyone found any other such case?

On the issue whether any of the technical steps in this Waledac botnet case are causing "damage": Microsoft posted a $54,600 bond so that money would be available to compensate the defendants (presumably these people are mainly botnet herders) if the TRO causes damage to them without justification.

Microsoft is teaching us how to use civil law enforcement measures -- as distinguished from criminal law enforcement -- to respond to malicious Internet behavior like phishing, hacking, cybertheft and identity theft.

Notice that Microsoft is not doing this in the dark. It is working through our open public court system, so that Microsoft is transparent and accountable and all can see what is happening and evaluate it.

–Benjamin Wright - Legal Issues Instructor at the SANS Institute, where he teaches professionals on the law of malware, e-discovery, data security, internal investigations and the Computer Fraud and Abuse Act. http://www.sans.org/ondemand/description.php?tid=3897
[This post was originally published 2010 on Mr. Wright's Google Buzz page.]

3D Printing | Inducing to Violate Intellectual Property

2011-09-26T15:37:00.000-07:00

The vendors of 3D printing software and services must be careful to avoid encouraging users to violate the patent, copyright or trademark of others.

Manipulate an Image

Imagine a software vendor tells kids to:

1. scan a 3D image of their favorite toy vehicle;
2. use the software to manipulate the image to add cool new features, like wings or monster tires; and
3. print a model of the manipulated image.

Printing 3D Objects

The maker of the original toy might have a claim against the software vendor for inducing the kids to violate intellectual property.

Toymakers often claim copyright and trademark protection for their toys. But when kids make reproductions of the toys, they may be violating that protection.

Tort

Widespread encouragement for kids to violate IP may constitute illegal inducement.

Courts have recognized a tort for inducing others to violate intellectual property. Music companies, for example, won a judgment against peer-to-peer network Limewire for inducing users to make unauthorized copies of music. Evidence in the case showed that Limewire intentionally targeted music pirates for membership and use of its service.

Many New Manufacturing Technologies

This tort issue applies not just to 3D printing. It applies to all of the many new technologies that enable localized, custom, computer-driven manufacturing. One such technology is the stonemaker, which makes unique, precision stones on-location at a construction site. The shape and other features of each stone are dictated by software. Imagine a home owner using the stonemaker, and software templates from an "intellectual property pirate" to make stones depicting copyrighted figures, like Disney characters.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related Article: 3D printing fair use

Telemedicine Meets Privacy & Free Speech

2011-09-06T08:10:00.000-07:00

Anonymous, Asynchronous Patients?

Local laws such as state physician licensing rules have limited the adoption of telemedicine. But the practical effect of some limitations is eroding under new technology and patient civil rights (privacy and free speech).

New Telemedicine Technologies

An online patient can retain increasingly sophisticated services from a physician outside the patient’s state, even outside the country.

Online Healthcare

The modern patient has a growing array of channels for interacting with a remote physician (or a team of physicians knit together via social media). Webcams, mobile apps and monitoring devices that work with smartphones are collecting diagnostic data that can be transmitted to a physician anywhere in the world. The patient can easily provide laboratory results to an online physician.

Patient and physician can engage a rich, extended relationship with little or no direct physical contact.

New technologies are coming. 3D printers, for example, will make the creation of custom medical appliances easier for the patient at home.

Telemedicine will marry up with medical tourism, the growing practice of traveling to another country to access medicine or health service that is either forbidden or more expensive in the home country.

Patient Privacy

Does a physician in Japan need to be licensed in Oklahoma to treat an online patient located in Oklahoma? The answer is very possibly yes. However, if the physician – out of respect for privacy – never inquires as to the patient’s location, how can the physician know he needs a license in Oklahoma?

Depending on the services being rendered, the physician need not (for purposes of care) know the identity or location of the patient. The patient can be anonymous, or identified without location.

Patient privacy does matter. Privacy is more than just an excuse to skirt local physician licensing laws. Privacy is a legal and ethical imperative, which is accorded growing importance today. In the case described here the patient and the physician use technology in a way that promotes the socially-desirable goal of patient privacy. The patient is getting treatment in a way that prevents outsiders from knowing about it.

Patient Data Security

Reducing the amount of patient identifying information also promotes data security. Like patient privacy, data security is more than just an excuse for the physician to avoid being licensed in the patient's home location.

Like patient privacy, data security is a legal and ethical imperative, which is rising in priority in this age of computers. Data security is very difficult and expensive for health care providers. Chilling stories about data breaches at health care providers are abundant.

Demanding new laws require healthcare providers to protect patient data. The goals of those laws are achieved when a physician knows the patient only by a pseudonym or user ID and the physician is ignorant of the patient's location. A data breach would not expose information that could identify the patient to the outside world.

Small Target for Local Authorities

If the online physician, licensed and operating from Japan, truly treats patients from around the world, he is probably not much of a target for investigation and enforcement by authorities in Oklahoma.* He is likely not to have many patients in Oklahoma.

That’s not to say Oklahoma law does not apply. It probably does. Also, a Japanese physician who commits malpractice can probably be sued in Oklahoma courts.

Mitigation of Risk

The physician may be able to mitigate his risk with explicit terms of service accepted by the patient: The physician is providing only information, like a second opinion, and assumes the patient will get direct care from a local physician.

Asynchronous Interaction

The physician might further mitigate his risk by interacting with the patient only through recordings, not real-time. By making the interaction non-real-time (asynchronous), the physician emphasizes that his input is merely information, merely a second opinion. And the physician de-emphasizes his responsibility for any emergency (e.g. the patient faints) that could arise if the physician were treating the patient in real-time.

Anonymity and Asynchronicity Influence Regulation

Physician interaction with an anonymous, asynchronous patient is different from traditional medical care.

When physician interacts with anonymous patient only through recordings, the physician-patient relationship becomes less emotional and more abstract, more intellectual. It places more control into the hands of the patient, allowing the patient to shop around for input and opinions. It allows the patient to shop among multiple physicians, or even non-physicians and artificial intelligence systems like IBM's Watson.

The justification for regulation of such interaction is different compared to that for traditional face-to-face medical care.

First Amendment Right to Freedom of Speech

Over regulation of anonymous, recorded interaction will bump against free speech, First Amendment rights. Recorded interaction seems like patient telling a story and listening for a reply. Telling a story and listening for a reply is the essence of free speech. Our society reveres free speech and is reluctant to let government restrain it by regulation.

In other words, when an anonymous patient in Oklahoma is interacting through asynchronous recordings with a physician in Japan, the State of Oklahoma must clear a high burden to prove that it needs to regulate and restrain that interaction. If the State cannot clear that burden, then its physician licensing regulation will violate the First Amendment and be unconstitutional.

What do you think?

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute. (As with all of Mr. Wright's public statements, the purpose of this post is public discussion and not legal advice. If you need legal advice, you should consult your lawyer.)

*The exception is a case like that of Christian Hageseth. He was a physician in Colorado who in association with an online pharmacy prescribed psychiatric medication for a California patient. The physician’s contact with the patient was only an online questionnaire, filled out by the patient. The patient committed suicide. The physician was not licensed to write the prescription even in Colorado. California prosecuted him for practicing in California without a license.

Geolocation Data for Tax Collection

2011-08-01T08:47:00.000-07:00

Smartphones Snitch on Fugitives, Deadbeats, Tax Evaders

Social media like Yfrog, Flickr, Twitter, Instapaper, Foursquare and innumerable others broadcast an astonishing trove of publicly-accessible geolocation data about users.

State Tax Audit

This data can be aggregated so an observer can track people who are, for example, using mobile devices to tweet, “check-in” and publish photo albums of their minute-to-minute lives. Some mobile apps broadcast geolocation data constantly, automatically. A program aptly named “Creepy” demonstrates how to aggregate geolocation data from multiple public sources. It can plot a social media enthusiast’s up-to-the minute movement on a Google map!

Arrest Warrants Executed

Publicly-accessible geolocation data will be a bonanza to law enforcement agents, such as police and tax collectors.

Law enforcement is limited by geographic jurisdiction. It is easier for a government officer to enforce his state’s laws on a subject when the subject is standing within the borders of the state. When the subject is physically located in the state, the local officer can verifiably deliver official papers to the subject, or even detain or arrest her.

Suppose a subject lives in Nevada, but Oregon has a warrant out for her arrest (perhaps for child support or a speeding ticket). It is much easier for the State of Oregon to execute that warrant when the subject visits Oregon.

It is not news that police and tax collectors monitor suspects on social media. But what is news is that social media are now publishing precise, real-time location data about those suspects.

Checking-in to an Airport

Fugitives and tax scofflaws beware! You would be foolish to broadcast your location when you temporarily visit a state that wants you.

If there is a warrant for your arrest in the State of Illinois,* don’t use your iPhone to “check-in” as you transfer through Chicago's O’Hare Airport. Local police may race to Gate B30 to greet you.

If you owe taxes in California, don’t post a geo-tagged photo on Picasa when you arrive at LAX airport in Los Angeles.

I envision tax administrators in hungry states setting up enforcement operations at major airports.

Short-term Income Tax Earnings

Here’s another prediction: State revenue authorities will use geolocation data to support claims that people working temporarily (such as a day or a week) within their borders owe tax on the income they earn during that time. States already look at public sources like newspaper sports pages to assert taxes on high-income earners, like professional athletes, who work temporarily within their borders. But public geolocation data will enable states to expand their enforcement to taxpayers of lower profiles.

–Benjamin Wright

Attorney Wright teaches law of data security and investigations at SANS Institute.

* State of Illinois arrested tax evader, Jacob Sabu, when he arrived at O’Hare Airport.

Who is at Fault for Credit Card Insecurity?

2011-07-27T09:02:00.000-07:00

Investigate the Payment Card Issuers

The Massachusetts Attorney General forced the owner of some local restaurants to pay $110,000 to settle charges that the company maintained inadequate security over credit card data. Malware had infected the company’s computers. The company (Briar Group LLC) had failed to change the default passwords on point of sale devices, and its wireless security was inadequate.

Even Sophisticated Systems are Breached

SME Computer Security

Data security is a difficult, sophisticated job. Briar Group was not well-suited to the job. A company like this relatively small restauranteur is an expert at serving food, not an expert at data security.

The reality is that most any commercial computer system can be breached. Even sophisticated technology companies like Sony and RSA suffer data breaches. RSA is one of the most trusted data security firms in the world! If RSA can get hacked, it is no surprise that Briar Group was hacked.

Investigate Credit Card Issuers Themselves

I am sure that in punishing the Briar Group restaurants the Attorney General had the best intentions. Yet why is it that the Attorney General focuses attention on a modest restaurant company? If that company needs to be investigated and fined, why does the Attorney General not investigate companies that have real influence on credit card security – the issuers of credit cards themselves? Credit cards are abused regularly on account of their weak security. Why should the Attorney General not punish the issuers for using faulty, out-of-date technology?

Why, for example, should the Attorney General not force the issuers to require a text message confirmation for each credit card transaction? (Example: I swipe my card at a point-of-sale device; I promptly get a text message on my phone asking for approval; the transaction does not complete until I text approval to the issuer.)

Alternatively, why should the Attorney General not require card issuers to embed dynamic authentication EMV chips in cards, as is done outside the US?

Continuing to Operate after Breach Discovered?

The Attorney General said that one the justifications for punishing the Briar Group restaurants is that they continued to accept credit cards after they knew their computers were compromised.

But do not card issuers do the same thing? They know that their system is compromised routinely, but they continue to use their old system.

Maybe the argument for issuers to continue to use the flawed credit card system is that even though it is imperfect, it has redeeming qualities. It has many redundant controls, such as the rule that consumers are normally not liable for false transactions on their cards. Further, if issuers immediately stopped using their flawed system, the economy would be harmed. Jobs would be lost.

Could not similar arguments be made in favor of Briar Group? The theft of card data from a restaurant does not automatically mean fraud will occur. Redundant controls (such as transaction monitoring by card issuers) help to protect card holders. Further, if Brian Group had immediately ceased processing cards after it learned it had been breached, it would have been forced to shut down and lay off employees. For Briar Group to have shut down would have caused greater harm than the harm caused by some false credit card transactions (for which individual card holders will not be held liable).

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Update: Why law enforcement should focus attention not on merchants, but on the insecurity that is inherent in credit cards as they are presently designed.

SMS Text Messages | Recovery from Carriers

2011-07-12T07:03:00.000-07:00

Over on the social networking site reddit a topic came up that you may find interesting- the technical ability of telephone carriers to restore txt sms messages.

http://www.reddit.com/r/netsec/comments/iifg8/can_txt_messages_be_subpoenaed_from_carriers/

The default stance of the carriers seems to be “no we can not recovery txt messages” however that seems to be at odds with reality:

Kobe Bryant case.

In Flagg v. City of Detroit, 2008 WL 787061 (E.D. Mich. Mar. 20, 2008) (text messages were subpoenaed from SkyTel, a cell phone provider) although I don’t know the time period on that one.

In a more recent case Verizon restored nearly 5 months of text messages: ZDNet

Do you have any experience or tips in successfully compelling a carrier (AT&T in this instance) to restore messages when subpoenaed? Does it take an order from a judge?

Thanks,

Liam

[The foregoing is the content of a message sent to me by Liam Randall. Liam gave me permission to repost the message . My comment: The rules of procedure for a civil lawsuit provide for "discovery" of relevant records, which can include text messages. In a lawsuit involving a telecom subscriber, the opposing party might invoke the rules of discovery to demand that the subscriber request that the telecom produce whatever records it may possess. If the subscriber does not cooperate with the demand, then the opponent might ask the court to impose sanctions on the subscriber. However, cooperation of the subscriber may not persuade the telcom to do much. --Ben]

[Update. The document posted here apparently shows how long telcos keep different classes of subscriber data. And a discussion here describes the likely result of a subpoena for text messages from a cell phone provider.]

Copyright | 3D Printing Object

2011-07-06T10:17:00.000-07:00

Fair Use | Super 8 Movie Prop

Intellectual property enforcement needs a sense of scale.

An engineer named Todd Blatt created a 3D digital model of a distinctive cube object from the movie Super 8.

Then he made the model available on the 3D printing site Shapeways so that fans could purchase copies of the cube, manufactured on a one-off basis.

Cease and Desist Letter?

Lawyers from the movie studio, Paramount Pictures, issued a cease and desist letter to Mr. Blatt, and he complied. The lawyers believed this odd-ball, one-by-one, relatively expensive method for reproducing the cube violated the studio’s copyright.

Additive Manufacturing Technology

This was over-lawyering. The cease and desist letter did not serve the studio’s best interest. 3D printing is today a novelty. 3D printing is unlikely to reduce the studio’s ability to sell its own reproductions of the cube.

Mr. Blatt’s 3D reproduction comfortably fits within the "fair use" doctrine of copyright law, which allows small-scale copying.

Advice to the Studio

The studio comes off looking like an ogre when it sends this cease and desist letter.

The studio should be flattered that Mr. Blatt would go to the trouble to enable this unusual,
intriguing form of acclamation for the movie. The studio needs enthusiasts like Mr. Blatt. Instead of hitting him with a lawyer’s letter, the studio would be better advised to blog about him, tweet about him on Twitter and publish a video about his inspiring work.

In years to come, as 3D printing drops in cost, 3D reproduction of a movie prop could shrink the market for officially-licensed copies of a prop. But 3D printing is not there today.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Update: Mr. Blatt asked me to elaborate on why I think his 3D reproduction is fair use. (Obviously, none of my public statements are legal advice to Mr. Blatt or anyone else. I'm just stating ideas for public discussion.)

Let's look at the law. 17 USC Section 107:

"the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include:
1. the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
2. the nature of the copyrighted work;
3. the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
4. the effect of the use upon the potential market for or value of the copyrighted work."

My feeling is that Mr. Blatt's work is so limited and restrained that its impact and purpose are more like commentary, education or research than commerce. His work is a wondrous novelty that praises the movie makers. Due to the expense and awkwardness of 3D technology today, the movie makers themselves are very unlikely to try to make a 3D version of the cube in the way that Mr. Blatt did.

The purpose of the fair use doctrine is to enable the kind of cool, provocative exchange of ideas that Mr. Blatt's work exemplifies.

Recording Telephone Calls and Instant Messages

2011-01-15T16:17:00.000-08:00

Recorded Video Calls

Why does spoliation law punish pre-mature destruction of email records, while not also requiring that telephone conversations be recorded and preserved? That question came to me from a student taking the 5-day SANS course I teach (The Law of Data Security and Investigations). Following was my reply to him . . .

My reply ties into the philosophy I express in day 2 of the course, on records management. My answer speaks in broad generalities.

US and Canadian law has evolved in a way that is not necessarily optimal, given recent developments in technology.

Audio Recording

Our law takes the attitude that a "record" is really something important. After a record exists, our law tilts toward wanting the record to stay around, especially if the record holder has reason to believe the record might be needed in a future lawsuit or official investigation. Thus, our law punishes unwarranted destruction of records.

The same holds true in politics. When politicians investigate a scandal, they (and the media) howl if "records were destroyed." Here is a Canadian example. The destruction of records sounds like a "cover up."

Email always creates a written record automatically. Once that written record exists, the law and the politicians tend to think it is like a written letter, a "precious record" that deserves some measure of preservation.

Contrast traditional voice conversations (telephone or face-to-face). They do not automatically create a record of the content of what people say. So there is no "precious record" to retain and to protect from loss.

Furthermore, we have a history of believing that if a record is in fact created of a voice conversation (e.g. tape recording), then privacy is implicated. So we believe that if you are going to record a phone call, you must first get the consent of the other party.

Notice we don't ask for consent to record email, because it is naturally assumed that email will be recorded.

Today, technology is changing. The difference between email and a voice telephone call is blurring. Some instant message systems now automatically record voice and video the same way that they record text. The law has not fully considered this new development. As things like IM become more common, I think we will see confusion in the law about whether instant voice and video records should be retained like email.

--Benjamin Wright

How to Comply with Internet Regulations

2011-01-04T09:43:00.000-08:00

Privacy and Computer Crime Cases | Spirit of the Law

How is a citizen of the Internet to comply with the data laws of the world? By citizen I especially have in mind a reputable enterprise or professional.

A welter of laws from around the globe purport to regulate the citizen's use of computers, collection of data, publishing of information and so on. The laws are often confusing because they conflict, they overlap, they use vague terminology that can be interpreted in ways that make little sense, and they apply to technology that changes faster than lawmakers can assimilate.

Responsible Global Citizen

The laws of multiple countries can apply simultaneously to any given activity on the Internet.

Compounding the problem, new laws on privacy, hacker crimes, data processing and intellectual property are enacted every day.

The laws often speak in strong declaratory statements, which give the impression that they set bright-line rules and boundaries that can be objectively tested. Yet the rules and boundaries become less distinct when they meet practical application.

In all the history of law, nothing is so novel as the Internet. When applying law to particular Internet situations, the authorities struggle. In the pursuit of justice, thoughtful courts and government officials are forced to eschew mechanical readings of data law. They try instead to divine what the spirit of the law says about the situation at hand. They inevitably weigh all the factors in case – even when law does not explicitly call for such an “all the facts and circumstances” analysis. Their analysis adopts surprisingly subjective tone.

Two examples:

Purpose and Context of an Action Relevant to Computer Crime Law

White hat hacker cases are rare, but Moulton v. VC3 is one of them. A business, VC3, sued an IT professional, Scott Moulton, after he did a port scan and a throughput test of VC3’s servers. VC3 and Moulton were contractors for government agencies that were establishing a network connection between themselves. VC3 claimed that Moulton’s port scan and throughput test violated the Computer Fraud and Abuse Act. The CFAA forbids the "intentional[] access[ing] [of] a protected computer without authorization, [that] as a result of such conduct, recklessly causes damage." 18 U.S.C. Section 1030(a)(5)(B).

Moulton alleged he had a justification for doing the port scan and throughput test, within the scope of his work protecting the system of his client, the 911 center at Cherokee County. Moulton was not trying to steal or compromise sensitive data. When VC3 asked him about his scanning, he declared in an email that “he worked for Cherokee County 911 Center and was testing security.”

In construing the words of the CFAA for this particular case, the court took into account more than just the mechanics of Moulton’s conduct. It weighed Moulton’s purpose when he conducted the scan and test. The court said, “The public data stored on Defendant's network was never in jeopardy. Plaintiff Moulton’s actions never threatened the public health and safety.” The court concluded that Moulton did not violate the CFAA. The implication is that if Moulton’s scan and test were intended to advance a larger scheme to steal or damage data, then the court would view them differently and possibly find a violation of the CFAA.

In other words, the purpose and context of an action, which are discerned from all the facts and circumstances, are relevant to whether the CFAA has been violated.

Proportionality in EU Data Protection Law

The European Directive on Data Protection calls for strict limits on the collection and processing of personal data. A wooden reading of the Directive might lead to bizarre results. For example, in my SANS course, I asked this hypothetical question: A magazine subscription marketing company holds data showing the names and postal addresses of subscribers. But this data grows out of date. The “integrity” principle under the EU Directive suggests that the company must keep its data up to date, but to do that the company would have to pester people by contacting them asking them to update their information. Does EU data law require the company to pester people? I asked. A German lawyer (privacy law expert) who was attending the course answered that such a tasteless outcome would not be required because the pestering would be “disproportionate” to the need for integrity.

In other words, I learned from my German friend, a balancing test of proportionality modulates the literal words of European data protection law.

Another European lawyer, Christopher Kuner, argues that proportionality is a central concept in EU data protection law, even though explicit reference in the law to proportionality is limited. “Proportionality in European Data Protection Law And Its Importance for Data Processing by Companies,” Privacy & Security Law Report, Vol. 07, No. 44, 11/10/2008, pp. 1615. Mr. Kuner observes that even though “companies are often used to thinking of data protection compliance in terms of satisfying a well-defined set of statutory requirements,” the principle of proportionality blurs the requirements.

Proportionality calls for analysis of whether the results of a data activity are excessive or necessary. A review of proportionality calls for an analysis of all the facts and circumstances of a case to determine what is a socially-good outcome.

Conclusion: How to Comply

Examples like these show the good Internet citizen that “compliance with law” is often not a cut and dried affair. Compliance involves appeal to subjective notions like good purpose, socially-redeeming motives, or culturally-desirable outcome.

What does this understanding of compliance mean for the Internet citizen in practice? It means compliance often requires more than satisfying a technical IT checklist. It means the citizen is wise to deliberate on the social implications of its activities and strive to document how the activities seek laudable ends.

–Benjamin Wright

A practicing attorney, Mr. Wright teaches

the law of data security and investigations at the SANS Institute.

Web Contract (EULA) Published to World

2010-12-29T06:43:00.001-08:00

Can I publish legal terms on the web and declare them a contract that is binding on spammers who send me spam? Based in part on such contracts, Attorney Dan Balsam of California earns a living by suing spammers and collecting money from them.
http://legal-beagle.typepad.com/wrights_legal_beagle/2010/09/no-trespassing.html
in reference to:

"bound by the terms of the contract"
- Welcome to DanHatesSpam

--Benjamin Wright

Legal Definition of Compromise

2010-12-17T17:17:00.001-08:00

We have many laws requiring organizations to issue notices when data security has been breached. But system compromise is so common that we run the risk of seeing a "data breach" everywhere we look in IT systems. If we see too many breaches, then we flood constituents with confusing, unhelpful notices. http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html

in reference to:

"adversaries are going to go unnoticed on our networks"
- NSA: Assume Attackers Will Compromise Networks - Security - News & Reviews - eWeek.com (view on Google Sidewiki)

--Benjamin Wright

Obstruction of Justice or Harbinger of Transparency?

2010-12-08T18:24:00.001-08:00

Could a mobile phone app be illegal if it warned users of police activity like a speed trap or a drug bust? "Obstruction of Justice" is the crime of intentionally doing something to impede or hamper a law enforcement activity or an official investigation.

South African legal authorities are taking legal action against a Twitter tweeter who warns motorists about speed traps: http://tech.slashdot.org/story/10/09/19/0110246/Criminal-Charges-Against-Speed-Trap-Tweeter

Swiss authorities have outlawed certain GPS devices that alert drivers of speed traps. http://www.techdirt.com/articles/20070212/075138.shtml

The trend is for technology to shed more light and scrutiny on all police activities. Police must learn how to operate in a transparent world. http://hack-igations.blogspot.com/2007/12/people-in-authority-sometimes-abuse.html
in reference to:

"traffic information based on the wisdom of the crowd"
- Free GPS Navigation with Turn by Turn - Waze | (view on Google Sidewiki)

Update: For more on mobile apps that might contribute to the crime of "obstruction of justice," seehttp://technolog.msnbc.msn.com/_news/2011/05/25/6704362-police-on-radio-scanner-apps-thats-not-a-10-4

--Benjamin Wright

Privacy in Business Litigation

2010-12-07T15:58:00.001-08:00

If executives can cleanly separate business use of a smart phone from personal use, they can better avoid subpoenas that demand access to their home and personal systems. http://legal-beagle.typepad.com/wrights_legal_beagle/2009/05/e-mail-records-on-home-computers-and-personal-blackberries.html

in reference to:

"a single phone to run two operating systems"
- VMware to virtualize Android smartphones for business users (view on Google Sidewiki)

--Benjamin Wright

Electronic Record Retention: Global Law

2010-11-23T06:43:00.001-08:00

As Anglo-American notions of anti-corruption and anti-money laundering law spread around the world, enterprises like banks in emerging economies (e.g. Russia) sense greater need to archive and review electronic records like email. http://www.google.com/buzz/benwright214/hgPHAguLJqP/The-process-known-as-e-discovery-in-US-litigation

in reference to:

"Russian authorities should endeavour to increase the number of investigations"
- Mutual Evaluation of the Russian Federation (view on Google Sidewiki)

--Benjamin Wright

Webcam Android Apps

2010-11-09T06:58:00.001-08:00

As more mobile devices like the Streak come to have user-facing cameras, we need apps that allow business users to sign/authenticate their email with video signatures. https://groups.google.com/group/appinventor/browse_thread/thread/5a31c9073a0cdf0f
http://legal-beagle.typepad.com/wrights_legal_beagle/2010/10/video-authentication.html

in reference to:

"front and rear-facing camera enabled for video conferencing and to capture photos"
- Discover the Dell Streak | Dell (view on Google Sidewiki)

--Benjamin Wright

Litigation Hold on Private Data

2010-11-05T06:41:00.001-07:00

The "right to be forgotten" may conflict with laws requiring that evidence be preserved for lawsuits or investigations. Query whether the holders of private data will be able to delete data about consumers when they have some knowledge that the data might be needed for other legal purposes. http://legal-beagle.typepad.com/wrights_legal_beagle/2010/03/plaintiff-policy.html

in reference to:

""right to be forgotten" when their data is no longer needed or they want their data to be deleted"
- Slashdot Your Rights Online Story | EU Commission Says People Have a 'Right To Be Forgotten' Online (view on Google Sidewiki)

--Benjamin Wright

Traditional Investigations Under Pressure

2010-10-16T10:54:00.001-07:00

In the Internet Age, official investigators, like prosecutors in Japan, must change. They must embrace more transparency, and make themselves more accountable to the public. http://legal-beagle.typepad.com/wrights_legal_beagle/2009/11/transparency.html Technology promotes accountability by, for example, enabling witness interviews to be recorded. http://legal-beagle.typepad.com/wrights_legal_beagle/2009/09/exposure.html

in reference to:

"they are sure to face further calls for limits to their power, including demands for interrogations to be recorded to prevent abuse."
- FT.com / Japan - Calls for curbs on Japanese prosecutors (view on Google Sidewiki)

--Benjamin Wright