Once Again Arriving At The Intersection of Law, Technology and the Expectation Of Privacy. Court Rules That Vast Collection of Metadata Is Not Allowed By Patriot Act.

 Were you surprised a couple of years ago when Edward Snowden released documents that showed that the NSA had a program whereby they collected all metadata on all phone calls within the U.S. and stored them in a database for possible future use?  I must confess I probably ho-hummed that one a little bit and continued to expect that pretty much anything I did by phone or on-line could one day be reviewed by someone for some purpose or no purpose at all.  I'm not saying I liked that but like many I have lost faith in any real privacy.

Now, a federal court has said that the unlimited, unrestrained collection of such metadata is beyond the congressional intent expressed in the Patriot Act.  ACLU v. Clapper [the "Clapper Case"]   Setting aside for a moment the notion that "congressional intent" may be an oxymoron, the language of Section 215 of the Patriot Act as it was feed steroids after the attacks of September 11 allowed for: "...an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities."

The first such order to come to light was directed to Verizon and required Verizon to turn over  "on an ongoing daily basis . . . all call detail records or `telephony metadata' created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls."  Note the "wholly within the United States" language.  The Government, in the Clapper Case, declined to either affirm or deny that other major carriers were subject to the same language.  More than likely this means that if you have a cell phone with a major carrier, your call metadata is residing somewhere on a government controlled server.  The Government counters that this is not the content of the conversation nor has it been reviewed.  The Court in Clapper found that even without the content, metadata could reveal that a caller was "...a victim of domestic violence or rape; a veteran; suffering from an addiction of one type or another; contemplating suicide; or reporting a crime. Metadata can reveal civil, political, or religious affiliations; they can also reveal an individual's social status, or whether and when he or she is involved in intimate relationships."

The Patriot Act allows the collection of things that would otherwise be obtained through a grand jury subpoena.  The Court reasoned that the issuance of a grand jury subpoena, while given very broad latitude, had to have some relevance to the matter at hand and since there was no present intention to review the metadata nor any issue to which it was specifically relevant, this exceeded the authority granted.

It should be emphasized that this was merely a statutory interpretation and the Court expressly stated that it was not ruling on the constitutionality of the statute.  A concurring opinion stated that because it was a statutory interpretation, Congress could fix it (albeit with still the Fourth Amendment issue).  So Congress, with all its alacrity, is trying to deal with the issue.  These provisions of the Patriot Act sunset on June 1 and we all know how effectively this Congress deals with deadlines.  In the meantime, keep using that cell phone.


14 Technology Law Things About 2014 That I Should Have Written About Over 14 Days Ago.

It’s been over a fortnight (I love saying fortnight) since 2014 expired and every other blogger has penned a recap of something(s) that occurred during 2014. So, it seems appropriate that this little procrastinating blog would get around to that now. So, without further ado (I’m not sure there was any prior ado), here are fourteen law/technology stories about 2014 that I could find without doing too much research. Some of these are important, some are slightly amusing and some are just to get the number up to fourteen. You can make your own assessment.

1. The first Twitter libel ("Twibel") suit went to trial. A former attorney for Courtney Love sued Ms. Love for tweeting that the attorney was “bought off”. The court decided that was not defamatory. You may remember from your law school days about libel “per se”, i.e. if you wrote that someone had committed a crime or immoral acts, was unable to perform their profession, had a “loathsome” disease or was dishonest in business you could recover without proving actual malice or specific injury. It seems to me that about 75% of all tweets fit this definition.

2. The Supreme Court ruled that police must obtain a warrant before searching a cell phone of someone they arrested. Prior to this, police has maintained that a cellphone was like anything else in the possession of an arrestee (e.g. wallet, address book, pocket litter) and consequently no warrant was needed.

3. A coding error was found in OpenSSL, encryption software that was supposed to keep transactions secure. This error, named “Heartbleed”, caused millions of people, companies and sites to have to change their passwords.

4. Bitcoin and other cryptocurrencies continued to have a rocky ride. Executives of Bitcoin companies were arrested for activities through Silk Road (see number 6 below). One of the companies had received funding from the Winklevoss twins. Dedicated readers of this blog will remember our fondness for the Winklevi.

5. Mt. Gox, the largest Bitcoin exchange, filed for bankruptcy. Mt. Gox had somehow lost 774,000 bitcoins (about 6% of all bitcoins in existence) due to theft, technical problems or perhaps merely leaving them out in the rain. Incidentally, Mt. Gox got its name because its original business was operating an exchange for “Magic The Gathering” cards, hence Magic The Gathering Exchange. I mean, what did you expect?

6. The alleged proprietor of Silk Road, Ross Ulbricht, was scheduled for trial. This former resident of Westlake Hills, Austin, Texas had his communication capabilities curtailed while in jail for fear that witnesses would be rubbed out before they could witness. That’s some Corleone stuff, for sure. Now, Mr. Ulbricht is claiming that he was not the masterdude behind the nefarious doings of the Dread Pirate Roberts, but that it was the CEO of Mt. Gox (see 5 above). If you wrote a script like this, no one would use it because it’s too farfetched. As a sterling example of the advantages of capitalism, several creative business people, including the marketing geniuses at Silk Road 2.0, rushed to fill the void left after the arrest of the Dread Pirate Roberts and to address the need for illicit drugs and murder for hire through the dark web.

7 through 12. The Year In Hacking: (i) The cyber division of the Chinese People’s Liberation Army was charged with hacking into the networks of Westinghouse and U.S. Steel, among others; (ii) Chinese hackers also breached the network of the U.S. Gov’s Office of Personnel Management and targeted information from employees applying for top security clearances; (iii) Sony Pictures was hacked by North Korea (maybe) hackers, which resulted in a movie called “The Interview” getting a lot more publicity that it deserved and Charlize Theron getting paid an amount equal to her male contemporaries, so it wasn’t all bad. How could you not pay one of the most desirable people (have you seen that perfume commercial?!) on the planet anything she asked? (iv) A glitch in Apple’s picture storing service along with weak passwords and not so secure security questions allowed most of us (don’t say you didn’t look, too) to see a lot of celebrity nude selfies; and (v) eBay was hacked and lost the personal records of 233 million users.

13. While technically falling within the realm of hacking, a disturbing tactic became more prominent during 2014. This technique, called cyber-ransom or ransomware, manifests itself by having a hacker obtain control over your network and threatening either to release the information, not allow the owner to use its own network or to destroy all the information in the network unless a ransom is paid. Domino’s pizza in Europe was asked for $40,000 to avoid having information in their network released. The release never happened and it is unclear as to whether Domino’s paid the ransom within 30 minutes. A company named Code Spaces was put out of business when it refused to pay a ransom and a vindictive hacker destroyed so much of its information that it had to close.

14. The Supreme Court of the United States was asked in 2014 to grant certiorari to hear the Google v. Oracle suit involving the ability to copyright interfaces. Recently, SCOTUS has asked the Solicitor General of the U.S. to file a brief regarding the advisability of granting cert. No decision of whether the court will hear this case has occurred yet.

2014 was rife with collisions occurring at the intersection of the law and technology. 2015 is likely to be just as debris strewn.

Update On The Dark Net Rising.

 Yesterday, we chronicled the plight of Silk Road 2, a dark web site whose proprietor was arrested recently.  Today, we find out that this was a part of a much larger bust, labeled "Operation Onymous" by the Feds, Interpol and other cooperating agencies.  The marketing geniuses at the FBI used "onymous" because it was coined as a word in 1775 to mean the opposite of "anonymous".

In any event, apparently 17 people have been arrested and 451 domains of the .onion variety (so called because they are accessed through The Onion Router 'TOR' browser [see paragraph below before clicking on this link]) have been seized including the aforementioned Silk Road 2 and others named Cloud 9, Hydra, Pandora, Blue Sky, Topix, Flugsvamp, Cannabis Road and Black Market.  Some of those that they didn't get are Agora, Evolution and Andromeda.

There have been rumblings that the authorities have found a flaw in TOR that allows them to circumvent its supposed anonymity and that anybody that had downloaded TOR was suspect.  So, now you can decide whether to click on the link above.

Insurance Company Gets Sloppy and Unlucky and a $1.2 Million HIPAA Penalty.

As is often the case, health care regulations and tech law overlap. 

Consider the unfortunate case of Affinity Health Plan, Inc., a not for profit managed care plan company in New York.  Affinity leased some copiers.  When the lease ran out on the copiers, Affinity let the copiers go back to the lessor.  The lessor stored the copiers in a warehouse in New Jersey.  As you may or may not know, digital copiers have a hard drive, much like the one in your laptop.  The copier makes a copy (hence the name) on its hard drive of each document run through the copier.  These copies on the hard drive remain until overwritten by other copies or until erased.  Most copiers don't have a readily available function that wipes the drive.

Now, Affinity either didn't know (probably) or didn't care about the copies on the hard drive and didn't take any action to delete them before turning them back to the lessor.  So, Affinity was either sloppy, negligent or uniformed, doesn't really matter.  What they were also, was really unlucky. 

Consider this further, there is a company called Digital Copier Security that is owned by a Mr. Juntunen.  Digital Copier Security markets a product to erase information from copier hard drives.  Mr. Juntunen of Sacramento and CBS News of New York somehow got together and decided to do a story on information left on copiers.  You can make your own assumptions as to how they got together and who profits from the arrangement.  Mr. Juntunen and CBS News went to a warehouse in New Jersey and purchased four copiers picked out by Mr. Juntunen.  Affinity's copier was one of the copiers selected.  When Mr. Juntunen removed the hard drive from the Affinity copier and printed out the images left there, several hundred pages of medical records were revealed.  CBS News notified Affinity about this and returned the hard drives to Affinity. 

If this copier hadn't been chosen, it is unlikely that anyone would ever have known about this and probably no records would have been revealed to anyone.  However, saddled with this unfortunate and unwelcome information, Affinity was required, under HIPAA/HITECH regulations, to file a breach report.  Affinity's breach report estimated that almost 350,000 people may have been affected by this breach.  A couple of weeks ago, Affinity settled with Health and Human Services.  The settlement required Affinity to pay a fine of $1,215,780, use best efforts to recover the hard drives from all other copiers they had similarly leased and discarded and to take certain other measures to safeguard all electronic protected health information.

To be fair, the other three copiers purchased by CBS all had sensitive information on them.  One was from the Buffalo, N.Y. Police Sex Crimes Division and it had detailed information on domestic violence complaints and a list of wanted sex offenders.  Another machine from the Buffalo Police Department had a list of targets in a major drug raid.  The other machine was from a construction company and had a number of pay records along with social security numbers.

However, Affinity was the only one that was regulated by HIPAA.  Most unfortunate.

Thus, lessons learned: Things that have digital storage devices, e.g. computers, copiers, fax machines, cameras, smart phones, etc. should be covered in a comprehensive policy that requires their storage to be scrubbed before disposal.  You do not want to be unlucky too.

Zappos Gets Zapped. Browsewrap Agreements Are Collateral Damage.

You know Zappos.  That's where you ordered those 5 inch stiletto clear heeled stripper shoes.  And some of you women bought from there too.  Zappos is a part of Amazon and a year or so ago, Zappos suffered a really bad security breach.  Exposed something like 24 million customers' information.  Well, as almost always happens when something like this occurs, our legal comrades descended in droves and many lawsuits ensued (I guess that's a pun).  These were consolidated in a court in Nevada and procedural motions were filed. 

Zappos claimed that class actions were not justified because Zappos' terms of use agreement specified that all claims by customers had to be settled by arbitration.  The result would have been that each individual customer would be required to have his or her claim settled by a separate arbitration and presumably actually appear at the arbitration rather than be represented in a class.  So, instead of one lawsuit with 24 million plaintiffs in a class, it would have required 24 million individual arbitrations with one claimant in each.  This would have been good for the tourism industry in Nevada but not good for the individual claimants (or their class representing attorneys).

Zappos' terms of use agreement stated that by using the web site, the users consented to the terms of the user agreement, which contained the aforementioned arbitration requirement.  While a link to the terms of use was included on each page, it was in the same font and same color as the rest of the page and nothing compelled the user to look at the terms of use nor take any action that indicated assent to the terms of use.  In addition, Zappos reserved the right to amend the terms of use at any time.

Zappos' terms of use agreement has been referred to as a "browse wrap" agreement or a "click through" agreement.  We discussed the differences in a "clickwrap" agreement (which requires some evidence of assent, such as clicking a box) and a browse wrap agreement in a prior post.  We indicated that some courts have upheld these agreements and that the trend might be toward their acceptability but this court says "Not so fast".  The Nevada court held that a requirement to arbitrate is strictly a contractual matter and therefore, to compel the plaintiffs to arbitrate would require a binding agreement between Zappos and the plaintiff.  The court failed to find such a creature in this situation.  They found: "...we cannot conclude that Plaintiffs ever viewed, let alone manifested assent to, the Terms of Use.  The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use.  No reasonable user would have reason to click on the Terms of Use...".  The court also found that because Zappos reserved the right to unilaterally change the Terms of Use, the contract Zappos sought to enforce was "illusory" and therefore unenforceable.

It is possible that if the issue was not the requirement for 24 million folks to arbitrate in Nevada and something less impactful, like whether you could return your stripper heels, the result might have been different.  However, the fact remains that this case makes the enforcement of such browse wrap agreements tenuous and therefore, we should all review our policy regarding how we get people to agree to our terms of use.  It could become very important.

Updates and Breaking News on Gene Patents, PHI in the Cloud, Class Actions on ClickWraps and SEC Disclosures On Cybersecurity.

Some recent developments in the great, wide world of technology include:

(i)  The Supremes, in a unanimous decision (what?) ruled that naturally occurring genes could not be the subject of patent protection.  However, if you can create a gene artificially, you might still qualify.  Therefore, the creative force described in the Hebrew bible, missed his or her chance when on the sixth day, he or she created all those man genes.  Further, the one year bar and the first to file things have cluttered up the claim.  Also, since man was supposedly created in the image of the creator, there's that pesky prior art issue.  See Assn. for Molecular Pathology v. Myriad Genetics, Inc

(ii)  The recently released rules under HIPAA provide that entities that store protected health information ("PHI") for a covered entity are business associates even if the storage provider does not routinely access the information.  [See 45 CFR Parts 160 and 164 IV(3)]On the other hand, a data transmission organization (such as the U.S. Postal Service or internet service providers) that serve as a mere conduit are not business associates even if they do access the information occasionally in order to provide the service.  So, cloud providers of storage of PHI must sign a business associate agreement.  It is not clear how long one must hold on to a piece of information to be a storer as opposed to a transferor or if encrypting the information in storage without the key would serve to exclude the storage provider from the definition of a business associate.

(iii)  In a recent decision by the Seventh Circuit in Harris v. comScore, Inc., the court allowed the certification of a class to stand.  The class was composed of entities that had downloaded comScore's software that gathered information on the user's activities and sent the information back to comScore's servers.  One of the basic allegations of the plaintiff class was that comScore's clickwrap license was ineffective.  We have discussed this before in this post.  The court did not make factual finding as to any issues and this is only a class certification hearing and comScore may have legitimate individual defenses to many of the allegations.  However, comScore will have to deal with this in the context of a class action.

(iv)  The Securities and Exchange Commission has regulations in place regarding a publicly traded company's obligation to disclose its controls for cybersecurity and is now considering increasing the stringency of those rules.  A recent study by Willis Fortune 500 finds that a substantial percentage of  reporting companies fails (in Willis' opinion) to adequately disclose such company's exposure to cybersecurity issues and the impact on the company if an event occurs.  Look for this to increase in importance as the supposed cybersecurity wars increase in intensity.

eFax Scam - Look For This In Your Inbox.

From time to time we try to alert you to scams.  This morning I received an e-mail that looked like this:




Fax Message [Caller-ID: 310-293-1860]

You have received a 2 pages fax at 2013-05-17 10:09:12 .


* The reference number for this fax is min1_did71-9694455268-1026725108-89.


View this fax using your PDF reader.


Click here to view this message


Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home Contact Login

Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

This is a phishing expedition.  See here and here.  Since we use an online faxing services here at the firm, and this looks really real, I was ready to click on the link.  In addition, eFax is a legitimate faxing service.  Thankfully, our friends at McAfee warned me off of this.  Apparently, going to the link would load malware or a virus on your system.  Be careful.





Bill Introduced In Texas Legislature To Prohibit Employer From Asking You About Your Social Media Password.

Having solved all the other problems in Texas, including the problem of gun violence (prayer) and the problem of uninsured citizens (cutting Medicaid) the Texas legislature has turned to the burning issue of employers requiring employees to provide access information to employee's private social media accounts.

House Bill 318 has been introduced to make it an "unfair employment practice" if an employer "...requires or requests that an employee or applicant for employment disclose a user name, password, or other means for accessing a personal account of the employee or applicant, including a personal e-mail account or a social networking website account or profile, through an electronic communication device."

This bill still allows "monitoring" employee usage of employer provided media and also allows employer policies prohibiting use of company provided resources for personal use.  It doesn't provide for a specific remedy or a damages cap and it will likely be amended substantially before it passes, if it passes at all.  This would make Texas one of a handful of states that has jumped on this burning issue.  Crisis averted.

We Are In The Midst Of a Hot Cyberwar, Make No Mistake About It. Iran Fires The Latest Salvo (That We Know Of).

In December of last year, several banks' (Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC) websites were inundated by DDoS (distributed denial of service) attacks.  DDoS attacks generally do not seek to penetrate the sites or to obtain information or steal anything but try to overwhelm the capacity of the website to respond to the traffic directed toward them.  The attacks in December were launched by an entity that had access to multiple computers, such as in a data center, and exceeded the capabilities usually found in your standard run of the mill hackers.

Today, the New York Times ran an article that lays the attacks at the doorstep of Iran.  An independent hacker group called Izz ad-Din al-Qassam Cyber Fighters has tried to take credit for the attack, saying it was retaliation for the anti-Muslim movie that prompted riots throughout the Muslim world and which was involved in the Benghazi consulate attack.  Izz ad-Din al-Qassam called it Operation Ababil, referring to Allah sending birds to drop bricks on elephants sent by the King of Yemen to Mecca.  However, U.S. officials think it is the work of Iran and is in retaliation for economic sanctions and the release by the U.S. and/or Israel of the Stuxnet, Flame and DuQu malware. 

Whatever it is, the DDoS attacks spewed 70 gigabits per second at the sites, which included a new wrinkle involving requests for encryption, and which adversely affected the sites' performance.  The attacks used a readily available malware toolkit called Itsoknoproblemobro

It is certain that the attacks that we have heard of are only the tip of the malware iceberg and it is probably as certain that these attacks and counterattacks will continue to escalate.  Warriors on the front lines of these wars will be keyboard commandos and may someday sport the malware marksman ribbon on their dress uniforms.  This is war.

FTC Concludes Investigation Into Google's Search Practices, Finds Nothing Much Wrong There. Hey, Google It If You Don't Believe It!

The Federal Trade Commission has been investigating Google's practices in regard to patent licensing, search results and other matters for about two years.  The FTC sought to determine if Google's practices in these regards were anti-competitive.  The FTC ended their investigation the first week of this year and entered into an agreement with Google in exchange for the FTC agreeing not to pursue the matter further.

Part of the analysis by the FTC was a investigation into whether Google manipulated its search algorithms such that websites that competed with Google's "vertical" results (i.e. sponsored Google sites) were moved down in the search results with concomitant  damages to the click through rate to such competing sites.  The FTC found that even though "...some of Google’s rivals may have lost sales due to an improvement (sic) in Google’s product...(t)he totality of the evidence indicates that, in the main, Google adopted the design changes that the Commission investigated to improve the quality of its search results, and that any negative impact on actual or potential competitors was incidental to that purpose."  The Commission went on to say "...these changes to Google’s search algorithm could reasonably be viewed as improving the overall quality of Google’s search results because the first search page now presented the user with a greater diversity of websites."

Needless to say, not all were enamored with the FTC's actions.  Microsoft, having been kicked around by the FTC for years, bemoaned the actions as "weak"Others found it to be totally justified.

Whatever your view, this is a win for Google and clears up their docket to proceed with their pursuit of world domination.  Not that there's anything wrong with that.

Update: Website Operator Still Has "Complete Immunity" Even When They Are "Appalling"

In another of a series of victories for website operators, a Florida appellate court has found that a website operator enjoys (that truly is the right word) "complete immunity" for anything posted on their website. 

You will remember that we reported on a similar case involving PissedOff.com,

The defendants in the instant  matter operated a similar enterprise called "The Ripoff Report", which similarly encouraged people to post disparaging remarks about people and businesses.  In this situation, a graduate of an addiction treatment facility alleged that the owner was a felon, the facility was dangerous and they disbursed illegal medications.  The proprietor of the site consistently refused to take down the offending post and even when the poster was the subject of an injunction which forbade her to leave the complaint on the site and the poster begged the site to take it down, the website operators refused.

In spite of all this, the court found that Section 420 (how appropriate for today, pot joke to follow) of the Communications Decency Act ..."creates a federal immunity to any cause of action that would make service providers liable for information originating with a third-party user of the service."

This is true even though the court  thoroughly disapproved of the website's business practices (they offered reputation cleanup services for a large fee, much akin to PissedOff.com).

So, you have to do more than just be "appalling" to remove yourself from the CDA's umbrella of protection.

Update: You Can Now Look At Facebook At Work Without Committing A Crime.

About a year ago, we posted on a case that held that misappropriation of computerized informationin violation of a company's computer use policy could be a crime.  The defendant had received stolen confidential information from former coworkers.  The court held that this exceeded the employer's written use policy as as such violated the Computer Fraud and Abuse Act, which criminalizes "exceed(ing) authorized access" and using this to further fraud.

On April 10, 2012, the Ninth Circuit, sitting en banc, reversed, holding that because the pilfering co-workers did have authority to access the information they stole, this did not violate the CFAA.  The Court reasoned that the intention of the legislation was to prohibit hacking and not the kind of day to day activities that most slacker employees engage in (i.e. exceeding their company's policy) by surfing the web.

This doesn't get Mr. Nosal and his friends out of the woods, however, as the government is still able to pursue counts of mail fraud and theft of trade secrets.

Defending Your Sensitive Information Against Hacker Attack.

What’s a lawyer’s worst nightmare? Well, we’ve all awoke in a cold sweat at 3 am and wondered if we had missed a deadline, but near the top is the possibility that all our clients’ confidential information and our confidential and privileged communications with them become public. If we left our office doors and file room inadequately secured and someone extracted our paper files and printed them, we would lose our client’s trust and potential clients would think twice before engaging us.

Now, think what this might mean if a firm represents high profile clients in controversial matters that stir emotions, and the person or persons mucking with the firm’s files is highly motivated, sophisticated, and infamous. However, instead of just paper files, the intruder obtained all the firm’s e-mails and other electronic records. Such is the plight of the law firm of Puckett and Faraj, PC; a multi-office firm specializing in military defense. One of their highest profile clients, Marine Frank Wuterich, was involved in the much publicized incident in Haditha, Iraq in 2005 in which 24 Iraqi civilians were killed. Mr. Wuterich plead guilty to dereliction of duty and his worst penalty could be his demotion to the rank of Private without other significant penalty.

In early February, without warning, the hacktivist group that goes by “Anonymous” hacked into Puckett and Faraj’s website, defaced it and left behind a headline that read: “ANONYMOUS HACKS PUCKETT & FARAJ – EXPOSES 3GB OF PRIVATE EMAILS DETAILING SSGT FRANK WUTERICH WHO MURDERED DOZENS OF UNARMED IRAQI CIVILIANS AT HADITHA”. You can see the entirety of the screen grab here. Anonymous also stole a large number of e-mails, trial exhibits and other confidential information that related to Mr. Wuterich but also to a large number of other clients. Anonymous has made the information available on Pirate Bay.  Gawker has reviewed a small part of the information provided and has found embarrassing and sensitive material relating to defendants and persons unaffiliated with Mr. Wuterich, including the identity of some sexual assault victims.

Texas Lawyer asked us to write an article on this subject and we were glad to do so.  The same article was picked up by Law Technology News.  You can see the articles here and here.

Now, regardless of politics, views on the Iraq war or what a person may believe would be adequate justice for Mr. Wuterich, one of the most honored notions of our society is that everybody should be afforded the opportunity for an adequate defense and that attorneys that provide such defenses are performing a useful societal function. To be swept up in a broad brushed approach to retaliating against perceived injustices and perhaps having their reputation, firm and livelihoods decimated, seems to be undue punishment for such deeds. Also, for other people to have embarrassing and sensitive information divulged is perhaps unintended but nonetheless most unfortunate.


Anonymity On The Internet. What a Concept!

You will recall that we have discussed a few cases regarding anonymity on the internet.  In one, which involved a potential securities scam, the court removed the anonymity from some people that were involved in the alleged scheme. 

In another, the court allowed the anonymity of some detractors of The Art of Living Foundation to continue for a while.  After publishing the post, we received a call from the attorney for The Art of Living Foundation, who indicated that he thought our post was more even handed than some regarding this subject, but he would like to send us a letter from the president of The Art of Living Foundation explaining their position.  We were amenable to that and a copy of that letter follows.  We reproduce it without comment nor endorsement.  When we asked about the progress of the case, the attorney indicated that he felt the judge would rule in a manner that would allow them to obtain the identity of their detractors in the near future.  Any updates from any of the participants would be appreciated.


Move Over Stuxnet, Here Comes DuQu - Son of Stuxnet, Stuxnet 2.0 or Demon Spawn?

The latest addition to the family of badass malware is DuQu.  DuQu was born sometime in the near recent past but only became obvious to the world on September 1, 2011 when the Laboratory of Cryptography and System Security (CrySyS) notified the world of its birth. 

If the proud parents were to issue a birth announcement it would read something like:

"The Stuxnet family is proud to announce its latest variant, DuQu, named after its propensity to create files with DQ as a prefix.  Born: Sometime lately.  Weight: Heavy.  Breadth: Remains to be seen.  The bouncing baby malware shares a good portion of its mother's (Stuxnet) source code.  Its father is undetermined but likely is a good looking roving nation state with sabotage or corporate espionage on its mind, like Mossad or the CIA, who are also related to Stuxnet, so birth anomalies are possible.  DuQu shares its likely father's fondness for stealth and trickery."

Most experts like Symantec would agree with the announcement's statement on DuQu's lineage but Dell's SecureWorks doesn't necessarily buy it.

Stuxnet has been used to infect the Iranian nuclear program by causing the centrifuges used to purify uranium to exceed their design for spinning speed and destroy themselves.  DuQu seems to extract information and send it to an unknown site.  Although not proven, this blog along with others have surmised that the sophistication of Stuxnet, the targets and the amount of programming resources required point to the involvement of a group of people more technically advanced and well funded than the average virus creator.  We also chronicled Stuxnet's move from being merely menacing to becoming a military weapon.

Anti virus groups are moving to address the issues, Microsoft says it will address the zero day defect that DuQu exploits when it gets around to it but proposes an emergency fix and the "whitelisting" folks like CoreTrace say that they've been ahead of this all along.

As this new arrival grows and spreads, the real purpose and the damage it may do can be assessed but if malware continues to be more sophisticated than some of the applications we regularly use, problems will abound.

Lawyers Have An Ethical Duty To Inform Clients That Electronic Communications May Not Be Confidential.

Once again we stand at the intersection of Ethics Street and Technology Avenue and notice that the traffic signals are insufficient to avoid multiple mishaps here.  Florid prose aside, attorneys must understand that certain methods of electronic communications may put them in an ethical problem if they don't warn their client that using such method may harm the confidential nature of the communication.

You will recall that we wrote recently on a court holding that using a computer or network provided by your employer to communicate with your attorney about a potential complaint against the employer could waive the attorney-client privilege.  Now the ABA has issued a formal opinion on the subject and the gist is that the attorney has an affirmative duty to warn the client about such an eventuality.  In Formal Opinion 11-459 issued August 4, 2011 the Committee on Ethics and Professional Responsibility states that if a client communicates with an attorney about "substantive" issues and such communications originate from an employer owned computer, device (e.g. smart phone) or network (even if from a private e-mail address), the attorney must assume that the employer has a right to access such communications and therefore, the attorney has a duty to warn the client about the risk.  Also, if the client does not heed the risk, the attorney should refrain from communicating with the client via the suspect method.

This duty arises as soon as the attorney-client relationship arises and the attorney knows or should know that the client is likely to send or receive attorney-client communications where there is a significant risk that the communications will be read by the employer or another third party.  This would appear to be particularly applicable in disputes with the employer and in matrimonial issues where the other spouse may have access to the device used for communications.  It also can arise from the use of public computers like libraries or hotels or the use of borrowed devices.

So, the question then arises: What is sufficient notice/warning to comply with this requirement?  The opinion doesn't specifically state but does mention that "reasonable" efforts must be made.  Would a standard tag line on your e-mail signature such as the following be enough?

"Anyone communicating to or from this office by means of an electronic device (including computers, smart phones, tablets or others) and using electronic communication (including e-mail, text messages, instant messages, chat rooms, comments on blogs or websites or others) are advised that such communications may not be confidential, particularly in instances where you are transmitting personal information using your employer's devices or networks or where you are using you are using public computers (such as libraries or hotels) or using a public wireless internet connection.  The effect of the loss of confidentiality will be the loss of attorney-client privilege and the possibility that such communications may not be protected from disclosure in any legal procedure in which you are involved.  You are cautioned to act accordingly."

Using such language as a part of your common electronic communication signature may be advisable and probably doesn't hurt but good practice would indicate an additional communication (such as the engagement/fee arrangement letter) in which the client acknowledges that they have received and understand the warning.  Also, we run the danger of having our e-mail signatures become documents in and of themselves that require our clients to have other attorneys review (hyperbole alert).

We would be interested in any measures that other attorneys have instituted to address this issue.

The Seven Things The FTC Thinks You Need To Know About The CAN-SPAM Act.

If you use e-mail as advertising, you could be subject to the CAN-SPAM Act.  The FTC wants you to know how to comply.  Give it a look:


Cookies, COPPA and Contracts

Alliteration abounds.  Reports today concern the EU Directive on the use of cookies, a settlement with a Disney subsidiary for violation of COPPA (Children's Online Privacy Act of 1998) and why paying attention to the construction and organization in the drafting of a contract can be extremely important.

1.  The European Union has issued a directive that will go into effect on May 26 of this year that basically reverses the way cookies are handled.  In the past the regulations required that the user be advised of the way that cookies are used and be given the opportunity to opt out of receiving them.  The new regulations requires the same advising but requires "consent" before cookies can be placed.  This is the so-called "opt in" provision.  The regulations recognize that enforcement of this will be a phased in approach with the most intrusive cookies getting the most attention.  The Information Commissioner's Office has issued advice about how to deal with this.  If your website attracts significant traffic in the European Union, you would be well advised to read the ICO's advice and plan accordingly.

2. COPPA has requirements about what information can be collected from children online and what use can be made of such information.  The Federal Trade Commission accused Playdom, an online game provider, of violating COPPA by collecting information from children without parental consent and by violating its own stated privacy policy.  Playdom is a subsidiary of the Disney company.  The FTC filed a complaint against Playdom that resulted in a consent decree, which among other things, required a $3,000,000 civil penalty.   This is the largest penalty yet assessed for such a violation.

3.  The placement (or misplacement) of a single word recently made a $1,000,000 difference in a Maryland case.  In Weichert Co. of Maryland, Inc. v. Faust, an ex-employee of a real estate firm was sued for violation her obligation of  loyalty and the non-solicitation clause of her employment agreement.  The Court found that she violated the obligation of loyalty but not the non-solicitation clause.  Her contract had an attorneys' fee provision where the prevailing party is entitled to its fees.  The real estate firm prevailed on the breach of the duty of loyalty but the employee prevailed on the issue about non-solicitation.  The attorneys' fee provision was included in the non-solicitation clause and gave fees to the party that prevailed "hereunder".  Since the "hereunder' was in the particular clause, the Court reasoned that it applied only to that clause and not the contract or the relationship as a whole.  Hence, the employee was entitled to her attorneys' fee, which were approximately $1,000,000, even though she had "prevailed" on only half of the issues.  In the lessons learned department for us attorneys, if you intend to make a provision apply to the contract as a whole and not just a specific clause, move the provision into a section of its own or make it very clear that it is applicable to the whole contract.

The Social Network II - The Facebook Legal Saga Continues.

We've all seen the movie.  Mark Zuckerberg versus the Winklevoss twins.  Uber-nerd versus uber-jocks.  Outsider versus the privileged and connected.  In the balance rests the right to violate the privacy of virtually everybody in the "civilized" world.

The movie shows some of the discovery proceedings in the lawsuit filed by the Winklevosses in Massachusetts alleging that Zuckerberg stole the Facebook idea.  Zuckerberg filed a countersuit in California (typical Facebook ploy, see here) against the twins and ConnectU, alleging that ConnectU had hacked into Facebook and stolen information and attempted to steal Facebook users by spamming them.  The California dismissed the action against the Winkelvosses, finding that there was no personal jurisdiction over them. The Court then ordered the parties to mediate to attempt to find a settlement to all their issues.

Then things start to get stranger.  With billions of dollars at stake, the parties mediate for one day, reach a settlement and document it with a one and a third pages of hand written notes with the title: "Term Sheet and Settlement Agreement".  This Agreement envisions the transfer of ConnectU to Facebook in exchange for cash and an interest in Facebook.  Facebook lawyers then present 130 pages of documents to flesh out the Agreement (merely 100 times the volume of the Agreement).  The deal then comes off the tracks for a number of reasons including the Winklevosses asserting that the value of the Facebook stock is less that they were lead to believe.  Facebook files a motion to enforce the Agreement.  The twins alleged that the Agreement is not enforceable because it lacks material terms and was procured by fraud.  The Court finds the Agreement enforceable and the Winklevosses appeal.

Then Ninth Circuit, in a decision released yesterday, upheld the enforcement of the Settlement Agreement.  The Winklevosses had alleged that the Agreement violated Rule 10b-5 of the Securities Act and as such was void.  The Ninth Circuit rejected this argument and found: "The Winklevosses are sophisticated parties who were locked in a contentious struggle over ownership rights in one of the world's fastest-growing companies. They engaged in discovery, which gave them access to a good deal of information about their opponents. They brought half-a-dozen lawyers to the mediation. Howard Winklevoss—father of Cameron and Tyler, former accounting professor at Wharton School of Business and an expert in valuation—also participated."

The Court also held: "The Winklevosses are not the first parties bested by a competitor who then seek to gain through litigation what they were unable to achieve in the marketplace. And the courts might have obliged, had the Winklevosses not settled their dispute and signed a release of all claims against Facebook. With the help of a team of lawyers and a financial advisor, they made a deal that appears quite favorable in light of recent market activity. See Geoffrey A. Fowler & Liz Rappaport, Facebook Deal Raises $1 Billion, Wall St. J., Jan. 22, 2011, at B4 (reporting that investors valued Facebook at $50 billion —3.33 times the value the Winklevosses claim they thought Facebook's shares were worth at the mediation). For whatever reason, they now want to back out. Like the district court, we see no basis for allowing them to do so. At some point, litigation must come to an end. That point has now been reached." (Emphasis added)

So, the poor Winklevoss twins are stuck with a deal that is only worth millions and not billions.  In the lessons learned department, we are struck by the fact that you probably couldn't turn around in the mediation room without tripping on a lawyer or a financial advisor and yet, they ended up with slightly over a page long, hand written document.  That either means you don't need lawyers at all or you really need them to do their job. 

Maybe we'll find the answer in the next sequel, "Social Network III, The Legal Grievance Phase".


Update On the Epsilon E-Mail Hack.

Last week we discussed the very large, very disruptive loss by Epsilon of a number of e-mail addresses and the identities of the companies with whom the e-mail owners did business. 

InfoWorld Tech Watch reports that it appears that the hack relied on the gullibility of Epsilon employees.  So, there was no midnight rappelling from the ceiling through banks of laser beam alarms like you see in the movies, but merely a "social engineering" attack using e-mails targeting Epsilon employees that contained some personal information about the employee and made them think it was from a personal acquaintance. 

The messages included links (bad idea to click links in a message) that took them to a site that downloaded one malware program that disabled the antivirus software, one that logged keystrokes and one that gave hackers remote access to the infected machines.  It also turns out that Epsilon was warned about such attacks several months ago.

In the "lessons learned" department or more appropriately, the "lessons we should already have known" department, it would be prudent for a company with large amounts of customer data (everybody on line?) to train their employees not to respond to personal e-mails at work, recognize the tell tale signs of a social engineering attack and not to click on links in a message the origin of which you do not know.

This is not hard to teach but apparently compliance is difficult.  This lesson will get expensive for Epsilon.

Massive E-Mail Hack. Phishing Season To Begin Early This Year.

On April Fools' Day, Epsilon (one of the largest on-line marketing firms) announced through a terse press release that their "...clients' customer data were exposed by an unauthorized entry..." but that the information obtained had been limited to names and e-mail addresses.  Unfortunately, it was not an April Fools joke.

Some of Epsilon's customers include Citigroup, JP Morgan Chase, Brookstone, Kroger, College Board, Walgreens, TiVo, Capital One, HSN Inc., Visa, Kraft, LL Bean, Best Buy and Verizon.

So, what you need to look out for and alert your clients about is the possibility of increased "phishing" attacks.  We have all had e-mails purporting to be from some bank or other entity and requesting us to go to some website (configured to look like the real entity's website) and enter information and  possibly pick up spyware or viruses.  Since most phishing attacks are just random broadcasts, the fact that these intruders have specific names, e-mail addresses and links to specific entities with whom the targets do business leads to a more pointed attack, which is referred to as "spear phishing".  Because of the more targeted approach, the success rate is likely to be higher.

How do you protect yourself?  PC World has some good advice.  As the PC World articles states, the best way to avoid this is never to go to a website from an unknown e-mail link and don't provide any sensitive information such as password, PIN, etc.  Common sense instructions but please tell your grandma about this.

Stanfield Hiserodt To Present Discussion On Cloud Computing At RISE Tomorrow.

We will be leading a discussion on "Ten Things You Should Know About Cloud Computing Agreements" at Austin RISE Week 2011 tomorrow at 4:00 pm at the PeopleFund offices at 207 Chalmers Avenue in Austin.  If you need something to do during that awkward time between afternoon coffee break and happy hour, come on out and share it with us.

Your Government And Courts At Work.

A few things for your consideration:

1.  The White House's proposed budget includes the authority for the USPTO to charge a surcharge on patent applications.  The proposed budget would provide $2.7 billion for fiscal 2012 with one of the stated objectives to reduce the backlog of 720,000+ applications.

2.  By Executive Order 13565 of February 8, 2011, the White House established two I.P. committees.  One is the Senior Intellectual Property Enforcement Advisory Committee, which will facilitate the formation and implementation of each Joint Strategic Plan, which will be be developed by the other committee established, the Intellectual Property Enforcement Advisory Committee.  As is evidenced by their names (i.e. Senior and not Senior) the Senior Advisory Committee will be comprised of cabinet level members or their designees and the Enforcement Advisory Committee will be comprised of representatives from the USPTO, DOJ, Department of Commerce and others.

3.  Health and Human Services through its Office for Civil Rights has assessed its first ever civil penalty for violation of HIPAA.  The penalty was $4.3 million against Cignet Health of Prince George’s County, Md.  Cignet failed or refused to provide health records to at least 41 patients and then apparently stonewalled the patients and requests from the Office for Civil Rights to the extent that the Office for Civil Rights obtained a default judgment against them.  Cignet also apparently was uncooperative in the investigation into this affair.  The penalty was $1.3 million for failure to provide access to the records and $3.0 million for being uncooperative.

4.  Microsoft was successful in getting a patent infringement suit originally filed in the Eastern District of Texas transferred to the Western District of Washington on the grounds of forum non conveniens.  For some strange reason, there are a lot of patent infringement suits and class actions filed in the Eastern District of Texas.  The plaintiff here, Allvoice, was an U.K. company with an office in the Eastern District of Texas but with no employees there or anywhere in the U.S.  Calls there were transferred to their office in the U..K.  Allvoice was incorporated in Texas but had done so 16 days before the suit was filed.  Forum shop much?  The Circuit Court of Appeals issued a writ of mandamus compelling transfer to Microsoft's home court even though Microsoft had also petitioned to move the case the Southern District of Texas.


Updates: Stuxnet, Bilski, COICA, Arcade Fire (HTML5)

Updates on a few of our earlier posts:


Your ZipCode Is Your Personal Identifiable Information In California.

The Song-Beverly Credit Card Act of 1971 (Credit Card Act) (Civ. Code, § 1747 et seq.) is a California statute that prohibits businesses from requesting that cardholders provide "personal identification information" during credit card transactions, and then recording that information.

Yesterday, the Supreme Court of California reversed prior decisions and included a person's zipcode in the definition of "personal identification information" in a case where Williams-Sonoma asked for such information during a credit card transaction and then used such information to do targeted advertisement.  The Court made this holding while agreeing that a zip code was not unique to any particular person and that many people had the same zip code.

It is likely that the fact that the merchant recorded the information and then used it to deduce the customer's address played a big part in the Court's thinking.  Had the merchant merely requested it and then not recorded and used it, the result may have been different.  Under this reasoning, area codes, cities and counties of residence and other means of identifying the general area of personal residence could also be so classified and this would seem to be somewhat extreme.


Digital Crannies. Six Places Data Hides That Most People Don't Know Exist.

As we have stated before, from time to time, we like to improve the content of this blog by getting input from subject matter experts in relevant fields.

Today, we are glad to include information from our friend Will Ambruzs, an attorney and computer forensics expert at Austin based Flashback Data.  Will graced the pages of this blog before with this post.

We asked Will to give us some inside information about where attorneys or others should look when they are seeking information for investigative or discovery purposes.

Here is what Will said:

Digital Crannies.

Unlike paper, electronically stored information is everywhere. Unfortunately, it’s our experience that most attorneys don’t appreciate exactly how much of it is recoverable from computers. It’s literally a Chinese food menu. Sure, it’s not always important or cost-effective to review all of it, say, for litigation or each time a company fires a bad employee. However, most folks don’t know the menu well enough to even know the sorts of things they can order. The digital world is bigger than General Tso’s Chicken!

Here are 6 random things on the menu you may find interesting:

Email vs. Correspondence
Lawyers commonly want to look at email, but more often than not it turns out that looking at all communication would be more helpful. Because it turns out a bad employee at Company X also did a lot of text messaging at work. And online chatting. And instant messaging. And she also sent messages to clients and coworkers through LinkedIn and Facebook. And she frequently used her internet browser to send webmail through Yahoo! and Gmail. Unfortunately, preserving Outlook files and Exchange mailboxes doesn’t get this material.

Don’t Forget the Phone!
iPhones and Blackberrys have fast become like third kidneys when it comes to conducting business in the 21st century. However, folks tend to overlook them when thinking about electronic storage. The truth is phones can be excellent sources of data, not only because they’re designed to hoard data and sync with just about everything under the sun, but also because the privacy expectations of their users tends to be high.
For example, on a phone, our bad employee probably gets right to the point when communicating. Unlike computers, she’s not typing out heavily-syllabled, Shakespearean text messages with her thumbs. Consequently, remnants of communication are likely to be closer to the first cut of her thoughts, not the second or third.
There’s also a good chance she configured her phone to sync with email accounts at the company. There’s an even better chance she connected the phone each day to her work computer to charge the battery and keep her contacts and calendar synced. If so, there may be a treasure trove of backup files sitting quietly on her work computer. And since each file would represent a snapshot of the data on her phone at a particular time, things that were deleted from her phone many months ago may still exist in one of the backups.

Speaking of iPhone... Dynamic Text
Let’s face it, Apple’s business model is building gadgets that know you better than you know yourself. Apple’s gadgets learn about you, and to do this their gadgets have to store data.
One of the lesser known features of iPhone is its dynamic text database. Dynamic text is basically a repository iPhone uses to keep track of words and phrases you like to use when you type. That way the phone eventually learns to quit autocorrecting Alavert to slavery when, say, you keep texting others that you love Austin, but so do your allergies.
This can be a goldmine. Especially if text messages on the phone have been deleted and can’t be recovered. Reading entries in the dynamic text database that have been chronologically preserved is like listening to a conversation through a wall. It’s muffled, and some common words are omitted, but you get the gist and all the interesting parts are preserved:

wow.hate.Kevin.can.you.believe.arrogance.ugh.how.did.ever.become.Director.wait.until.he.finds.out.copied.all. company.passwords.hahahahaha.sounds.great.yessir.talked.to.James.he’s.leaving.company.with.us.said.downloaded. company’s.client.lists.from.database.no.difficult.yes.took.thumbdrive.with.him.said.will.email.everything.you.from.home. not.work.so.don’t.get.caught.haha.call.if.can.next.few.minutes.something.urgent.tell.you

Internet History
When folks think of a computer, they tend to think of it as a collection of things that live on the computer. For example, the most common data recovery request attorneys make involves: (i) collecting all email and user-created files from a computer, (ii) processing them against an exhibit of keywords, and (iii) producing the responsive material to be reviewed by fellow attorneys.
Candidly, this is probably enough heavy lifting from an “80/20 rule” perspective, especially when processing large data sets. However, it’s created a mindset that gives little regard to activity on a computer. And sometimes that activity is interesting.
For example, say John receives a preservation letter from opposing counsel. Here we see it sitting in John’s My Documents folder. There’s nothing else interesting in the folder. However, looking at John’s activity on the computer, right after he gets the letter we see him go to Google.com and type “how to securely delete data” into the search bar. Then we see 20 minutes of John clicking a bunch of URLs. Uh oh, next he’s on a website selling a product called “Evidence Eliminator v4.0.” And next we see him buying Evidence Eliminator and downloading it. Oh snap – here he is running it! And here’s him poking around later in My Documents to confirm the files are gone.
Wow! You suspected the keyword searches of John’s computer came back a quart low. And while all of this activity may or may not explain it, it’s certainly interesting!

Recent Documents
Speaking of file elimination, another good source of data can be the repositories used by software programs to keep track of recent documents. Microsoft Word has such a repository. So does Windows Media Player. These repositories won’t help you recover a wiped file, but they may help you substantiate that the file existed on the computer at some specific time in the past, or when files were accessed.
Forensic examiners frequently draw from this well in criminal prosecutions involving possession of child pornography. Defendant swears up and down he wasn’t aware of the illicit material. Or, if he was aware, that he looked at it once by accident several years ago and, upon realizing its nature, never looked at it again. Unfortunately, that’s not the same story Windows Media Player tells. It shows Defendant playing contraband files from multiple locations on a regular basis (e.g., from the hard drive, from a thumb drive, from his Blackberry via a USB cable, etc.).

Keeping with the deleted file theme, don’t forget about simple hidden artifacts like Thumbs.db. You ever open a folder in Windows and view the contents as thumbnail images? Thumbs.db is the hidden file used by Windows to store those ‘thumbnail’ images. Importantly, the data in the Thumbs.db file tends to stick around even after someone deletes the actual file. So, while a folder in which you’re interested no longer contains the data you want, you may be able to demonstrate that what’s in there now isn’t what was in there before. (And, if so, what’s missing.)


Indiana Company Sued for $300k for Failing to Notify About Security Breach

First off, thanks to everyone who came to listen to Stanfield Hiserodt speak on Data Privacy and Security at the Innotech Conference last week.  It was a solid turn out and a good discussion. 

In keeping with the theme, we came across this story via Businessweek.com about the Indiana Attorney General's office suing insurance company WellPoint for $300,000.  Apparently, WellPoint allowed sensitive customer information, including health records and credit card data, to sit on an unsecured server for several months.  WellPoint discovered this back in February, but apparently took its sweet time in notifying the affected customers.  They didn't give the required notice until June.

There are currently 45 states with breach notification laws.  If you handle sensitive customer data, make sure you have a plan in place to notify your customers as quickly as possible or you will feel the wrath of the Attorney General. 

InnoTech Conference 2010

The 6th Annual InnoTech Austin Conference is going on today at the Austin Convention Center.  Stanfield Hiserodt will be speaking there this afternoon on Data Security and Privacy Laws.  InnoTech Conference offers IT professionals the chance to interact and discuss the latest technology business solutions.  You should come check it out!

Local Data Privacy Story Starring Yours Truly

We were interviewed for a local story involving data privacy here in Austin.  We were actually misquoted here, though.  There is no legal restriction for these places to store fingerprint data.


"Wait! I deleted that. You can't see that! "- Computer Privacy and Data Recovery in the Age of Computer Forensics

In talking to our clients, our friends and the public at large, there seems to be a lot of confusion, misinformation, urban myths and lore surrounding the amount and kinds of data and material that is deposited on computer drives and that can be retrieved even though the user thinks that he has deleted it or covered it up. And by computer drives, we mean any electronic storage device including computers, flash drives, cell phones, DVRs, etc.

To attempt to get real live reliable answers to some of these questions, we turned to some local subject matter experts, Flashback Data. Flashback Data’s website is here. They were kind enough to lend us the expertise of Will Ambruzs, an attorney who is charge of the Forensics Division of Flashback Data.

ATLB: Will, please describe the services that Flashback Data can provide, particularly to an attorney involved in litigation.

FBD: Probably the best known aspect of forensics is the storytelling. A man dies mysteriously and the forensic examiners conduct two autopsies – one on the corpse, and one on the home computer. Toxicology confirms the man died of ethylene glycol poisoning (antifreeze). Forensic testing of the computer recovers 76 previously deleted Google searches made by his wife over the course of seven weeks for things like “symptoms of ethylene glycol poisoning,” “ethylene glycol toxicity” and “C2H6O2 ingestion and death.” That’s a compelling story.

Other times our involvement is less about developing evidence and more about logistics. For example, we’re commonly retained by attorneys to help identify all the places relevant information is likely to exist in a complex technical landscape, or to develop evidence collection strategies that minimize the impact on their client’s business.

Candidly, there’s quite an air gap between law and technology. At the end of the day, when it comes to electronic evidence, we’re the guys who fill it. Our case managers are attorneys and our forensic examiners are technologists with deep court room experience. We’re not vendors. We take pride in giving our clients access to the highest caliber forensics testing in the industry, and we’re presently the only private sector laboratory in the world accredited for digital forensics by the American Society of Crime Laboratory Directors under their International standard – same as FBI and DEA.

ATLB: That sounds like a lot more stuff than we can cover in one setting. Let’s discuss some general topics about what kind of data can be recovered and from which devices, and then, hopefully follow up with another session where we delve into some of the more complicated problems of forensic discovery and data retrieval.


ATLB: I will give you some topics and you tell me how hard it is to recover this data:
• Internet history from a computer
Internet history is one of the most persistent types of data on the computer. It’s not uncommon for us to recover every URL visited on a computer from the time you first took it out of the box.
• Deleted videos from a DVR
It depends. If the DVR entries were manually deleted, the chance of recovery is high if the device can be forensically imaged before the data is overwritten. Many DVRs are set to overwrite data after a period of time, or when the device is near the limit of its full hard drive capacity. Overwritten data is unrecoverable. By anyone.
• Text messages from a cell phone
Candidly, it depends on the make and model of the phone and how the phone is used. That said, we are still seeing a strong trend of users adopting smartphones like the Blackberry or iPhone. One common thing folks do with smartphones is sync them with a computer. This creates backup files on the computer which, depending on when the backup was created, may contain data that is long gone from the phone. Alternatively, smartphones are essentially small computers, and often their data can be recovered in the same way we recover hard drives.
• Instant messages like gmail chat or AIM
These may be recovered from log files saved to the computer. Difficulty is a function of time. Bottom line is if the data you want gets overwritten with new data, it’s gone.
• Facebook messages or postings
One avenue of recovery is to extract these from internet history. Often this gives us multiple clues as to the content and recipients, and we can use the information to go looking for “shadows” of similar activity. Another thing we can do is attempt to recover the confirmation emails Facebook sends when new entries are made on a user’s wall or new messages are received.
• Twitter tweets on a cell phone or computer
This type of data generally fall into the same category as internet history and internet cache. The content itself will be recoverable for some time (until it is overwritten) and we can extract a fair amount of data simply by looking through the internet history.

• Standard files on a computer hard drive
In answering this, assume that the user has used the commonly available delete function available to the standard user.

FBD: Understanding the recovery of deleted files on a hard drive requires some understanding of how files are stored and referenced. A good analogy once provided to me is that of a school library. If we think of the hard drive as the library, then the files are analogous to the books on the library’s shelves. In a library, a book’s location is referenced in the card catalog. In a Windows environment, a file’s location on the hard drive is referenced in the Master File Table. When we delete a file, we’re not destroying the file’s data. Instead, what happens is the file’s location is marked in the Master File Table as being available to use for new data storage. That’s like pulling a card out of the card catalog and throwing it away – the reference to the book is gone, but the book is still sitting on the shelf (at least until someone takes it down and replaces it with a new book).

Having said all that, “recovering” the deleted file is like walking around the library from shelf to shelf and taking inventory of every book. At some point, we’d learn that there is a book sitting on a shelf in a space that’s supposed to be empty. And we’d find and recover the book.

In addition to above, there are multiple other ways to attempt to recover deleted files, such as through backup copies, temporary copies and/or copies embedded in another data file (e.g., a file attached to an email in an Outlook data file). These are all potential recovery routes.


Continue Reading...

More Sophisticated Spyware Hits Utility Systems - "Stuxnet" Gone Wild

Cyber security experts are scrambling to assess the past effects and the potential of a recently detected malware that has targeted utility systems primarily in the Middle East (beginning in Iran) and the United States. Microsoft has named the Trojan intruder “Stuxnet”.

On a very basic level, here is what Stuxnet does:
1. So far, it has targeted a Siemens system (SCADA) used primarily in the operation and control of electric power plants;
2. It has been carried on USB sticks that, when attached to a computer, automatically executes without any further action by a user, even if the AutoRun function is disabled;
3. The Trojan then seeks out and copies certain database information, including power plant designs;
4. Stuxnet exploits a flaw in the shortcut links files in Windows.

Microsoft has issued a work around that essentially turns off the shortcut function and changes the shortcut icons appearance on the screen.

So, if this only targets utility companies, unless you are a utility company or have one as a client, why should you care? Experts surmise that this was created to carry out industrial espionage but the same technique can be used for other targets. It could be used to target other trade secrets, personal financial information, medical records, etc.

We talked to a local security expert and there are reports that Stuxnet or variants are “in the wild” and could be delivered by a manner other than USB sticks via networks and remote web servers.

McAfee alleges that it has a defense against Stuxnet as does Symantec. As we noted in earlier posts (see here and here), these are examples of blacklisting. CoreTrace has demonstrated effectiveness against the intruder by using the whitelisting capabilities of its product Bouncer. See the YouTube video here:  http://bit.ly/bFCEdc.

This attack seems to be much more targeted and much more sophisticated that most of the prior threats and may herald a new age of malware menace.

So, it’s a dangerous cyber world out there. Use protection.

Virus Protection Using Whitelisting

Last week, we posted an article about some of the ways of protecting a computer or computer network from malicious code.  We discussed primarily methods called "blacklisting" (the more widely used approach) and "whitelisting" (an approach receiving increased attention in recent days).

There is an Austin based company called CoreTrace that features the whitelisting approach.  When we asked, they were kind enough to provide us access to one of their subject matter experts. 

We discussed various aspects of this issue with Greg Valentine, CoreTrace's Director of Technical Sales and Services.  

Pertinent portions of that conversation follow:

ATLB:  CoreTrace’s products are designed to protect computers and networks from viruses, spyware, malware and other harmful stuff. How does it do it and how does that compare to the conventional anti-virus software we regularly see?

Greg:  CoreTrace has a product called “Bouncer”. Bouncer works at the operating system level and allows only the programs or executable code that has been whitelisted by the system administrator through Bouncer to run on that computer. Typical antivirus software works by maintaining a huge database library of virus signatures (which you have to keep up to date) and it attempts to eliminate them by searching a computer’s hard drives, comparing the code it finds on the hard drives to the virus library and then if it finds a match, it eliminates the virus code. There are a few challenges with this type of a defense.
1. This is reactive in nature – By definition, a signature does not exist until someone gets infected.
2. Because it is reactive, antivirus is vulnerable to a ‘zero-day’ attack. This simply means that a ‘bad guy’ can create a new piece of malware and as long as the antivirus companies are not aware of his new virus/worm then they will be blind to it.
3. In order to be protected by antivirus, you must deploy the updated signatures as quickly as possible. This can lead to inadequate testing before pushing out the ‘change’. If the antivirus vendor has made a mistake in their signature update then you could be causing more harm.
a. See McAfee’s recent ‘false positive’ signature update fiasco

ATLB:  You used the term “whitelisting”. What does that mean?

Greg:   At the time it is first installed, Bouncer takes an inventory of the executable programs on the hard drives of the computer and approves each of them to run. It puts them on a “whitelist”, i.e. stuff that is allowed to run. It is called whitelist because the antivirus providers say the stuff in their libraries is on the “blacklist”.

ATLB:  So, if a virus or other malware is present on the machine when Bouncer is first installed, then it will be allowed to run?

Greg:  That’s true, unless it is specifically found and eliminated later. That’s the reason that a good antivirus software should be run before Bouncer is installed or it should be installed in new machines before they are attached to the internet or anywhere else that they could become infected. Should you discover that one of your systems was infected prior to deploying Bouncer, you can rest a little easier at least in the knowledge that the infection will not be able to spread (to any other Bouncer protected computers).

ATLB:  Doesn’t having to authorize every piece of code to run on a system require an inordinately large amount of administrator time?

Greg:  The program takes an inventory of all the programs running on the machine at the time of the installation and thereafter the administrator does not have to be involved. The administrator can ‘pre’-authorize all software from a specific company or with a specific signature and software installed later from that company or with that signature will automatically be whitelisted and allowed to run.

ATLB:  How much computer resources does the CoreTrace system utilize and how does this compare to antivirus software?

Greg:  Our software requires a very small amount of hard disk space for our program. Since it merely prevents unauthorized programs from running, it doesn’t regularly use many computer resources. Antivirus software needs to run on a regular basis to see if any identified malware has been added since the last scan. You may have noticed that when your antivirus software is running its scan, which may last an hour or two, your computer is devoting significant resources to the scan and can have an effect on the capabilities of the computer. Bouncer only needs to check the program as it is launched. This check against the whitelist is extremely fast and does not impact the load time for any whitelisted applications.

ATLB:  How often is your software updated?

Greg:  Except for enhancements and upgrades to the program for operational purposes, our software does not need to be regularly updated. Since our method of operation is to keep anything but authorized programs from executing, we don’t have to continually seek out new viruses and add them to our database. Because of this method, we can never be behind when a new virus comes out, because regardless of the sophistication or newness of the virus signature, it can be deposited on the computer’s hard drive but because it is not authorized, it simply can’t harm the computer or its contents. Compare that to antivirus databases that are required to be updated constantly on a real time basis and must necessarily contain millions of virus signatures and sometimes can only catch a virus after it has infected a number of machines, if the virus doesn’t match their database.

ATLB:  Is there a version for single workstations or computers?

Answer:  Not yet. Right now, our program is only deployed on an enterprise basis.

The Legal Defensibility Era: The Convergence of Security and Legal Risk

With each passing day we are providing more and more personal data to companies through online transactions, social networks, and cloud computing.  Concurrently, there is also a growing framework of laws, regulations and contractual obligations in how companies should treat this information.  These colliding paths are creating what has been dubbed the "The Legal Defensibility Era."  David Navetta of the Information Systems Security Association (ISSA) has written an excellent article outlining this trend and highlighting several important issues that companies must focus on to properly handle data in this new era.

The focus of legal defensibility is understanding how a plaintiff ’s attorney, judge, jury, or regulator will view an organization’s security posture in light of applicable legal requirements.  Under a legal defensibility analysis security choices become legal positions or arguments to be used to persuade legal decision-makers that an organization’s security was legally sound, and increase the likelihood that a judge, jury, or regulator will find a company legally compliant. Ultimately, there may not be a clear “right” or “wrong” answer, but rather a more or less persuasive legal argument/position on security.

To create an effective legal defense, companies should create a security plan with the view that a security incident is a "when" and not an "if."  Companies must create an adequate security policy, abide by that policy, comply with the appropriate laws, regulations, and industry standards; and ensure that its vendors are also handling personal information with the appropriate level of care.   With the advent of cloud based services, the last point is becoming extremely important.  Companies should effectively scrutinize their vendors' security policies and procedures before agreeing to transmit personal information to them.  Focusing on legal defensibility will require more communication and cooperation between a company's IT and legal departments to effectively implement security policies in this new era.  Additionally, for a viewpoint from the security professional side, check out this article


Are Your Emails Protected From Warrantless Searches?


An extremely important fight over fundamental privacy rights is heating up as the Department of Justice is pressuring Yahoo to release certain email records under seal.  Yahoo, who has been supported in this fight by the Electronic Frontier Foundation and other major corporations such as Google, has so far resisted by claiming the government must first obtain a warrant.  The case involves emails from multiple Yahoo user accounts that the government is trying to access.  The DOJ is claiming that under the Stored Communications Act once an email has been read it is no longer protected under the law from warrantless searches, and as such, Yahoo should release them.

The Stored Communications Act, 18 U.S.C. Sec. 2703, reads:

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant.

The government's argument, which has already been rejected by the 9th Circuit in an earlier case, is that once an email is opened and read, it is no longer in "electronic storage" and thus, not protected by the warrant requirement.  The DOJ is in effect saying that your emails are protected under the SCA as long as you never open them or read them.  Once the emails are read, the government can force email clients to release them if they are relevant to an investigation.

This case, of course, raises important Fourth Amendment issues as well.  After the seminal Fourth Amendment case in 1967,Katz v. US, the government must obtain a warrant to access communications to which the individual has a reasonable expectation of privacy.  There are exceptions to this rule as the DOJ will no doubt argue.  One exception is that an individual loses that expectation of privacy once the communications are turned over to a third party.  It is true that many of our emails are technically turned over to third parties because they are sitting on Yahoo or Google servers.  But the same technicality applies to communications over phone lines or by mail, and courts have consistently held these communications to be private.  Should the government prevail in this case, it would signal a monumental change in privacy rights for one of our most common forms of communication.

UPDATE:  Apparently the DOJ has abruptly halted its pursuit of accessing the Yahoo emails.  However, since there was no ruling from the courts the issue remains open for future cases.

Facebook, Data Privacy, and the EU

Companies that handle or transfer data must be extremely careful that they are abiding by the laws of the jurisdictions that the data passes through.   Data protection issues will only become more prevalent with the increased use of cloud computing, since a company may not even actually know where the data is being stored.  The most contentious arena for this issue is definitely in the EU.  Data passing out of the European Union to other countries creates a headache for companies that must abide by its stringent rules.

Now the EU is cracking down on social sites such as Facebook:

"European regulators are investigating whether the practice of posting photos, videos and other information about people on sites such as Facebook without their consent is a breach of privacy laws

The probes by the German and Swiss privacy watchdogs are still preliminary and would not have immediate consequences elsewhere. However, Weichert said the issue is being discussed with other data protection officials in the 27-nation European Union, which in 2000 declared privacy a fundamental right that companies and governments must respect.

The European stance differs strongly from the self-regulatory, free market approach favored in the United States, where Web companies have flourished by offering users free services if they provide personal information to help advertising target them better, according to Columbia University law professor Eben Moglen."

Continue Reading...