Anonymity On The Internet. What a Concept!

You will recall that we have discussed a few cases regarding anonymity on the internet.  In one, which involved a potential securities scam, the court removed the anonymity from some people that were involved in the alleged scheme. 

In another, the court allowed the anonymity of some detractors of The Art of Living Foundation to continue for a while.  After publishing the post, we received a call from the attorney for The Art of Living Foundation, who indicated that he thought our post was more even-handed than some regarding this subject, but he would like to send us a letter from the president of The Art of Living Foundation explaining their position.  We were amenable to that and a copy of that letter follows.  We reproduce it without comment or endorsement.  When we asked about the progress of the case, the attorney indicated that he felt the judge would rule in a manner that would allow them to obtain the identity of their detractors in the near future.  Any updates from any of the participants would be appreciated.

 

Move Over Stuxnet, Here Comes DuQu - Son of Stuxnet, Stuxnet 2.0 or Demon Spawn?

The latest addition to the family of badass malware is DuQu.  DuQu was born sometime in the recent past but only became obvious to the world on September 1, 2011 when the Laboratory of Cryptography and System Security (CrySyS) notified the world of its birth.

If the proud parents were to issue a birth announcement it would read something like:

"The Stuxnet family is proud to announce its latest variant, DuQu, named after its propensity to create files with DQ as a prefix.  Born: Sometime lately.  Weight: Heavy.  Breadth: Remains to be seen.  The bouncing baby malware shares a good portion of its mother's (Stuxnet) source code.  Its father is undetermined but likely is a good looking roving nation state with sabotage or corporate espionage on its mind, like Mossad or the CIA, who are also related to Stuxnet, so birth anomalies are possible.  DuQu shares its likely father's fondness for stealth and trickery."

Most experts like Symantec would agree with the announcement's statement on DuQu's lineage but Dell's SecureWorks doesn't necessarily buy it.

Stuxnet has been used against the Iranian nuclear program, causing the centrifuges used to purify uranium to spin faster than their design speed and destroy themselves.  DuQu seems to extract information and send it to an unknown site.  Although it is not proven, this blog, along with others, has surmised that the sophistication of Stuxnet, the targets and the amount of programming resources required point to the involvement of a group of people more technically advanced and better funded than the average virus creator.  We also chronicled Stuxnet's move from being merely menacing to becoming a military weapon.

Antivirus groups are moving to address the issues.  Microsoft says it will address the zero-day defect that DuQu exploits when it gets around to it but proposes an emergency fix, and the "whitelisting" folks like CoreTrace say that they've been ahead of this all along.

As this new arrival grows and spreads, the real purpose and the damage it may do can be assessed but if malware continues to be more sophisticated than some of the applications we regularly use, problems will abound.

Lawyers Have An Ethical Duty To Inform Clients That Electronic Communications May Not Be Confidential.

Once again we stand at the intersection of Ethics Street and Technology Avenue and notice that the traffic signals are insufficient to avoid multiple mishaps here.  Florid prose aside, attorneys must understand that certain methods of electronic communication may create an ethical problem for them if they don't warn their client that using such a method may harm the confidential nature of the communication.

You will recall that we wrote recently on a court holding that using a computer or network provided by your employer to communicate with your attorney about a potential complaint against the employer could waive the attorney-client privilege.  Now the ABA has issued a formal opinion on the subject and the gist is that the attorney has an affirmative duty to warn the client about such an eventuality.  In Formal Opinion 11-459, issued August 4, 2011, the Committee on Ethics and Professional Responsibility states that if a client communicates with an attorney about "substantive" issues and such communications originate from an employer-owned computer, device (e.g. smart phone) or network (even if from a private e-mail address), the attorney must assume that the employer has a right to access such communications and therefore, the attorney has a duty to warn the client about the risk.  Also, if the client does not heed the risk, the attorney should refrain from communicating with the client via the suspect method.

This duty arises as soon as the attorney-client relationship arises and the attorney knows or should know that the client is likely to send or receive attorney-client communications where there is a significant risk that the communications will be read by the employer or another third party.  This would appear to be particularly applicable in disputes with the employer and in matrimonial issues where the other spouse may have access to the device used for communications.  It also can arise from the use of public computers like libraries or hotels or the use of borrowed devices.

So, the question then arises: What is sufficient notice/warning to comply with this requirement?  The opinion doesn't specifically state but does mention that "reasonable" efforts must be made.  Would a standard tag line on your e-mail signature such as the following be enough?

"Anyone communicating to or from this office by means of an electronic device (including computers, smart phones, tablets or others) and using electronic communication (including e-mail, text messages, instant messages, chat rooms, comments on blogs or websites or others) is advised that such communications may not be confidential, particularly in instances where you are transmitting personal information using your employer's devices or networks or where you are using public computers (such as libraries or hotels) or using a public wireless internet connection.  The effect of the loss of confidentiality will be the loss of attorney-client privilege and the possibility that such communications may not be protected from disclosure in any legal procedure in which you are involved.  You are cautioned to act accordingly."

Using such language as a part of your common electronic communication signature may be advisable and probably doesn't hurt but good practice would indicate an additional communication (such as the engagement/fee arrangement letter) in which the client acknowledges that they have received and understand the warning.  Also, we run the danger of having our e-mail signatures become documents in and of themselves that require our clients to have other attorneys review (hyperbole alert).

We would be interested in any measures that other attorneys have instituted to address this issue.

The Seven Things The FTC Thinks You Need To Know About The CAN-SPAM Act.

If you use e-mail as advertising, you could be subject to the CAN-SPAM Act.  The FTC wants you to know how to comply.  Give it a look:

 

Cookies, COPPA and Contracts

Alliteration abounds.  Reports today concern the EU Directive on the use of cookies, a settlement with a Disney subsidiary for violation of COPPA (Children's Online Privacy Act of 1998) and why paying attention to the construction and organization in the drafting of a contract can be extremely important.

1.  The European Union has issued a directive that will go into effect on May 26 of this year that basically reverses the way cookies are handled.  In the past the regulations required that the user be advised of the way that cookies are used and be given the opportunity to opt out of receiving them.  The new regulations require the same advising but require "consent" before cookies can be placed.  This is the so-called "opt in" provision.  The regulations recognize that enforcement of this will be a phased-in approach with the most intrusive cookies getting the most attention.  The Information Commissioner's Office has issued advice about how to deal with this.  If your website attracts significant traffic in the European Union, you would be well advised to read the ICO's advice and plan accordingly.

2. COPPA has requirements about what information can be collected from children online and what use can be made of such information.  The Federal Trade Commission accused Playdom, an online game provider, of violating COPPA by collecting information from children without parental consent and by violating its own stated privacy policy.  Playdom is a subsidiary of the Disney company.  The FTC filed a complaint against Playdom that resulted in a consent decree, which among other things, required a $3,000,000 civil penalty.   This is the largest penalty yet assessed for such a violation.

3.  The placement (or misplacement) of a single word recently made a $1,000,000 difference in a Maryland case.  In Weichert Co. of Maryland, Inc. v. Faust, an ex-employee of a real estate firm was sued for violating her obligation of loyalty and the non-solicitation clause of her employment agreement.  The Court found that she violated the obligation of loyalty but not the non-solicitation clause.  Her contract had an attorneys' fee provision where the prevailing party is entitled to its fees.  The real estate firm prevailed on the breach of the duty of loyalty but the employee prevailed on the issue about non-solicitation.  The attorneys' fee provision was included in the non-solicitation clause and gave fees to the party that prevailed "hereunder".  Since the "hereunder" was in the particular clause, the Court reasoned that it applied only to that clause and not the contract or the relationship as a whole.  Hence, the employee was entitled to her attorneys' fees, which were approximately $1,000,000, even though she had "prevailed" on only half of the issues.  In the lessons learned department for us attorneys, if you intend to make a provision apply to the contract as a whole and not just a specific clause, move the provision into a section of its own or make it very clear that it is applicable to the whole contract.

The Social Network II - The Facebook Legal Saga Continues.

We've all seen the movie.  Mark Zuckerberg versus the Winklevoss twins.  Uber-nerd versus uber-jocks.  Outsider versus the privileged and connected.  In the balance rests the right to violate the privacy of virtually everybody in the "civilized" world.

The movie shows some of the discovery proceedings in the lawsuit filed by the Winklevosses in Massachusetts alleging that Zuckerberg stole the Facebook idea.  Zuckerberg filed a countersuit in California (typical Facebook ploy, see here) against the twins and ConnectU, alleging that ConnectU had hacked into Facebook and stolen information and attempted to steal Facebook users by spamming them.  The California court dismissed the action against the Winklevosses, finding that there was no personal jurisdiction over them.  The Court then ordered the parties to mediate to attempt to find a settlement to all their issues.

Then things start to get stranger.  With billions of dollars at stake, the parties mediate for one day, reach a settlement and document it with one and a third pages of handwritten notes with the title: "Term Sheet and Settlement Agreement".  This Agreement envisions the transfer of ConnectU to Facebook in exchange for cash and an interest in Facebook.  Facebook lawyers then present 130 pages of documents to flesh out the Agreement (merely 100 times the volume of the Agreement).  The deal then comes off the tracks for a number of reasons including the Winklevosses asserting that the value of the Facebook stock is less than they were led to believe.  Facebook files a motion to enforce the Agreement.  The twins allege that the Agreement is not enforceable because it lacks material terms and was procured by fraud.  The Court finds the Agreement enforceable and the Winklevosses appeal.

The Ninth Circuit, in a decision released yesterday, upheld the enforcement of the Settlement Agreement.  The Winklevosses had alleged that the Agreement violated Rule 10b-5 of the Securities Act and as such was void.  The Ninth Circuit rejected this argument and found: "The Winklevosses are sophisticated parties who were locked in a contentious struggle over ownership rights in one of the world's fastest-growing companies. They engaged in discovery, which gave them access to a good deal of information about their opponents. They brought half-a-dozen lawyers to the mediation. Howard Winklevoss—father of Cameron and Tyler, former accounting professor at Wharton School of Business and an expert in valuation—also participated."

The Court also held: "The Winklevosses are not the first parties bested by a competitor who then seek to gain through litigation what they were unable to achieve in the marketplace. And the courts might have obliged, had the Winklevosses not settled their dispute and signed a release of all claims against Facebook. With the help of a team of lawyers and a financial advisor, they made a deal that appears quite favorable in light of recent market activity. See Geoffrey A. Fowler & Liz Rappaport, Facebook Deal Raises $1 Billion, Wall St. J., Jan. 22, 2011, at B4 (reporting that investors valued Facebook at $50 billion —3.33 times the value the Winklevosses claim they thought Facebook's shares were worth at the mediation). For whatever reason, they now want to back out. Like the district court, we see no basis for allowing them to do so. At some point, litigation must come to an end. That point has now been reached." (Emphasis added)

So, the poor Winklevoss twins are stuck with a deal that is only worth millions and not billions.  In the lessons learned department, we are struck by the fact that you probably couldn't turn around in the mediation room without tripping on a lawyer or a financial advisor and yet, they ended up with a handwritten document slightly over a page long.  That either means you don't need lawyers at all or you really need them to do their job.

Maybe we'll find the answer in the next sequel, "Social Network III, The Legal Grievance Phase".

 

Update On the Epsilon E-Mail Hack.

Last week we discussed the very large, very disruptive loss by Epsilon of a number of e-mail addresses and the identities of the companies with whom the e-mail owners did business. 

InfoWorld Tech Watch reports that it appears that the hack relied on the gullibility of Epsilon employees.  So, there was no midnight rappelling from the ceiling through banks of laser beam alarms like you see in the movies, but merely a "social engineering" attack using e-mails targeting Epsilon employees that contained some personal information about the employee and made them think it was from a personal acquaintance. 

The messages included links (bad idea to click links in a message) that took them to a site that downloaded one malware program that disabled the antivirus software, one that logged keystrokes and one that gave hackers remote access to the infected machines.  It also turns out that Epsilon was warned about such attacks several months ago.

In the "lessons learned" department or more appropriately, the "lessons we should already have known" department, it would be prudent for a company with large amounts of customer data (everybody online?) to train their employees not to respond to personal e-mails at work, to recognize the telltale signs of a social engineering attack and not to click on links in a message whose origin they do not know.

This is not hard to teach but apparently compliance is difficult.  This lesson will get expensive for Epsilon.

Massive E-Mail Hack. Phishing Season To Begin Early This Year.

On April Fools' Day, Epsilon (one of the largest on-line marketing firms) announced through a terse press release that their "...clients' customer data were exposed by an unauthorized entry..." but that the information obtained had been limited to names and e-mail addresses.  Unfortunately, it was not an April Fools' joke.

Some of Epsilon's customers include Citigroup, JP Morgan Chase, Brookstone, Kroger, College Board, Walgreens, TiVo, Capital One, HSN Inc., Visa, Kraft, LL Bean, Best Buy and Verizon.

So, what you need to look out for and alert your clients about is the possibility of increased "phishing" attacks.  We have all had e-mails purporting to be from some bank or other entity and requesting us to go to some website (configured to look like the real entity's website) and enter information and possibly pick up spyware or viruses.  Since most phishing attacks are just random broadcasts, the fact that these intruders have specific names, e-mail addresses and links to specific entities with whom the targets do business leads to a more pointed attack, which is referred to as "spear phishing".  Because of the more targeted approach, the success rate is likely to be higher.

How do you protect yourself?  PC World has some good advice.  As the PC World article states, the best way to avoid this is never to go to a website from an unknown e-mail link and never to provide any sensitive information such as password, PIN, etc.  Common sense instructions but please tell your grandma about this.

Stanfield Hiserodt To Present Discussion On Cloud Computing At RISE Tomorrow.

We will be leading a discussion on "Ten Things You Should Know About Cloud Computing Agreements" at Austin RISE Week 2011 tomorrow at 4:00 pm at the PeopleFund offices at 207 Chalmers Avenue in Austin.  If you need something to do during that awkward time between afternoon coffee break and happy hour, come on out and share it with us.

Your Government And Courts At Work.

A few things for your consideration:

1.  The White House's proposed budget includes the authority for the USPTO to charge a surcharge on patent applications.  The proposed budget would provide $2.7 billion for fiscal 2012 with one of the stated objectives to reduce the backlog of 720,000+ applications.

2.  By Executive Order 13565 of February 8, 2011, the White House established two I.P. committees.  One is the Senior Intellectual Property Enforcement Advisory Committee, which will facilitate the formation and implementation of each Joint Strategic Plan, which will be developed by the other committee established, the Intellectual Property Enforcement Advisory Committee.  As is evidenced by their names (i.e. Senior and not Senior) the Senior Advisory Committee will be comprised of cabinet level members or their designees and the Enforcement Advisory Committee will be comprised of representatives from the USPTO, DOJ, Department of Commerce and others.

3.  Health and Human Services through its Office for Civil Rights has assessed its first ever civil penalty for violation of HIPAA.  The penalty was $4.3 million against Cignet Health of Prince George’s County, Md.  Cignet failed or refused to provide health records to at least 41 patients and then apparently stonewalled the patients and requests from the Office for Civil Rights to the extent that the Office for Civil Rights obtained a default judgment against them.  Cignet also apparently was uncooperative in the investigation into this affair.  The penalty was $1.3 million for failure to provide access to the records and $3.0 million for being uncooperative.

4.  Microsoft was successful in getting a patent infringement suit originally filed in the Eastern District of Texas transferred to the Western District of Washington on the grounds of forum non conveniens.  For some strange reason, there are a lot of patent infringement suits and class actions filed in the Eastern District of Texas.  The plaintiff here, Allvoice, was a U.K. company with an office in the Eastern District of Texas but with no employees there or anywhere in the U.S.  Calls there were transferred to their office in the U.K.  Allvoice was incorporated in Texas but had done so 16 days before the suit was filed.  Forum shop much?  The Circuit Court of Appeals issued a writ of mandamus compelling transfer to Microsoft's home court even though Microsoft had also petitioned to move the case to the Southern District of Texas.

 

Updates: Stuxnet, Bilski, COICA, Arcade Fire (HTML5)

Updates on a few of our earlier posts:


Your ZipCode Is Your Personal Identifiable Information In California.

The Song-Beverly Credit Card Act of 1971 (Credit Card Act) (Civ. Code, § 1747 et seq.) is a California statute that prohibits businesses from requesting that cardholders provide "personal identification information" during credit card transactions, and then recording that information.

Yesterday, the Supreme Court of California reversed prior decisions and included a person's zipcode in the definition of "personal identification information" in a case where Williams-Sonoma asked for such information during a credit card transaction and then used such information to do targeted advertisement.  The Court made this holding while agreeing that a zip code was not unique to any particular person and that many people had the same zip code.

It is likely that the fact that the merchant recorded the information and then used it to deduce the customer's address played a big part in the Court's thinking.  Had the merchant merely requested it and then not recorded and used it, the result may have been different.  Under this reasoning, area codes, cities and counties of residence and other means of identifying the general area of personal residence could also be so classified and this would seem to be somewhat extreme.

 

Digital Crannies. Six Places Data Hides That Most People Don't Know Exist.

As we have stated before, from time to time, we like to improve the content of this blog by getting input from subject matter experts in relevant fields.

Today, we are glad to include information from our friend Will Ambruzs, an attorney and computer forensics expert at Austin based Flashback Data.  Will graced the pages of this blog before with this post.

We asked Will to give us some inside information about where attorneys or others should look when they are seeking information for investigative or discovery purposes.

Here is what Will said:

Digital Crannies.

Unlike paper, electronically stored information is everywhere. Unfortunately, it’s our experience that most attorneys don’t appreciate exactly how much of it is recoverable from computers. It’s literally a Chinese food menu. Sure, it’s not always important or cost-effective to review all of it, say, for litigation or each time a company fires a bad employee. However, most folks don’t know the menu well enough to even know the sorts of things they can order. The digital world is bigger than General Tso’s Chicken!
 

Here are 6 random things on the menu you may find interesting:
 

Email vs. Correspondence
Lawyers commonly want to look at email, but more often than not it turns out that looking at all communication would be more helpful. Because it turns out a bad employee at Company X also did a lot of text messaging at work. And online chatting. And instant messaging. And she also sent messages to clients and coworkers through LinkedIn and Facebook. And she frequently used her internet browser to send webmail through Yahoo! and Gmail. Unfortunately, preserving Outlook files and Exchange mailboxes doesn’t get this material.


Don’t Forget the Phone!
iPhones and Blackberrys have fast become like third kidneys when it comes to conducting business in the 21st century. However, folks tend to overlook them when thinking about electronic storage. The truth is phones can be excellent sources of data, not only because they’re designed to hoard data and sync with just about everything under the sun, but also because the privacy expectations of their users tend to be high.
For example, on a phone, our bad employee probably gets right to the point when communicating. Unlike computers, she’s not typing out heavily-syllabled, Shakespearean text messages with her thumbs. Consequently, remnants of communication are likely to be closer to the first cut of her thoughts, not the second or third.
There’s also a good chance she configured her phone to sync with email accounts at the company. There’s an even better chance she connected the phone each day to her work computer to charge the battery and keep her contacts and calendar synced. If so, there may be a treasure trove of backup files sitting quietly on her work computer. And since each file would represent a snapshot of the data on her phone at a particular time, things that were deleted from her phone many months ago may still exist in one of the backups.


Speaking of iPhone... Dynamic Text
Let’s face it, Apple’s business model is building gadgets that know you better than you know yourself. Apple’s gadgets learn about you, and to do this their gadgets have to store data.
One of the lesser known features of iPhone is its dynamic text database. Dynamic text is basically a repository iPhone uses to keep track of words and phrases you like to use when you type. That way the phone eventually learns to quit autocorrecting Alavert to slavery when, say, you keep texting others that you love Austin, but so do your allergies.
This can be a goldmine. Especially if text messages on the phone have been deleted and can’t be recovered. Reading entries in the dynamic text database that have been chronologically preserved is like listening to a conversation through a wall. It’s muffled, and some common words are omitted, but you get the gist and all the interesting parts are preserved:

wow.hate.Kevin.can.you.believe.arrogance.ugh.how.did.ever.become.Director.wait.until.he.finds.out.copied.all.company.passwords.hahahahaha.sounds.great.yessir.talked.to.James.he’s.leaving.company.with.us.said.downloaded.company’s.client.lists.from.database.no.difficult.yes.took.thumbdrive.with.him.said.will.email.everything.you.from.home.not.work.so.don’t.get.caught.haha.call.if.can.next.few.minutes.something.urgent.tell.you

Internet History
When folks think of a computer, they tend to think of it as a collection of things that live on the computer. For example, the most common data recovery request attorneys make involves: (i) collecting all email and user-created files from a computer, (ii) processing them against an exhibit of keywords, and (iii) producing the responsive material to be reviewed by fellow attorneys.
Candidly, this is probably enough heavy lifting from an “80/20 rule” perspective, especially when processing large data sets. However, it’s created a mindset that gives little regard to activity on a computer. And sometimes that activity is interesting.
For example, say John receives a preservation letter from opposing counsel. Here we see it sitting in John’s My Documents folder. There’s nothing else interesting in the folder. However, looking at John’s activity on the computer, right after he gets the letter we see him go to Google.com and type “how to securely delete data” into the search bar. Then we see 20 minutes of John clicking a bunch of URLs. Uh oh, next he’s on a website selling a product called “Evidence Eliminator v4.0.” And next we see him buying Evidence Eliminator and downloading it. Oh snap – here he is running it! And here’s him poking around later in My Documents to confirm the files are gone.
Wow! You suspected the keyword searches of John’s computer came back a quart low. And while all of this activity may or may not explain it, it’s certainly interesting!


Recent Documents
Speaking of file elimination, another good source of data can be the repositories used by software programs to keep track of recent documents. Microsoft Word has such a repository. So does Windows Media Player. These repositories won’t help you recover a wiped file, but they may help you substantiate that the file existed on the computer at some specific time in the past, or when files were accessed.
Forensic examiners frequently draw from this well in criminal prosecutions involving possession of child pornography. Defendant swears up and down he wasn’t aware of the illicit material. Or, if he was aware, that he looked at it once by accident several years ago and, upon realizing its nature, never looked at it again. Unfortunately, that’s not the same story Windows Media Player tells. It shows Defendant playing contraband files from multiple locations on a regular basis (e.g., from the hard drive, from a thumb drive, from his Blackberry via a USB cable, etc.).
 

Thumbs.db
Keeping with the deleted file theme, don’t forget about simple hidden artifacts like Thumbs.db. You ever open a folder in Windows and view the contents as thumbnail images? Thumbs.db is the hidden file used by Windows to store those ‘thumbnail’ images. Importantly, the data in the Thumbs.db file tends to stick around even after someone deletes the actual file. So, while a folder in which you’re interested no longer contains the data you want, you may be able to demonstrate that what’s in there now isn’t what was in there before. (And, if so, what’s missing.)
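The activity review described under "Internet History" above, sketched as an added example that is not part of the guest post or of Flashback Data's tooling: it pulls every page visit in a window after a known event (here, receipt of a preservation letter) and flags searches and pages about file wiping. It assumes a Chrome-style History SQLite database (`urls` and `visits` tables, with `visit_time` in microseconds since 1601-01-01 UTC); the rows, the letter timestamp and the keyword list are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Chrome-style history stores times as microseconds since this epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Hypothetical review terms; a real matter would use its own keyword exhibit.
WIPE_TERMS = ("securely delete", "wipe", "eraser", "evidence eliminator", "shred")


def to_webkit(dt):
    """Timezone-aware datetime -> microseconds since 1601-01-01 UTC."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def from_webkit(us):
    """Microseconds since 1601-01-01 UTC -> timezone-aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def search_query(url):
    """Return the typed search terms if the URL is a /search results page."""
    parts = urlsplit(url)
    if parts.path != "/search":
        return None
    terms = parse_qs(parts.query).get("q")
    return terms[0] if terms else None


def activity_after(conn, event_time, window):
    """List visits in [event_time, event_time + window], oldest first."""
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title "
        "FROM visits v JOIN urls u ON u.id = v.url "
        "WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time",
        (to_webkit(event_time), to_webkit(event_time + window)),
    ).fetchall()
    timeline = []
    for visit_time, url, title in rows:
        query = search_query(url)
        haystack = " ".join(filter(None, (query, title, url))).lower()
        timeline.append({
            "when": from_webkit(visit_time),
            "url": url,
            "title": title,
            "query": query,
            "flagged": any(term in haystack for term in WIPE_TERMS),
        })
    return timeline


def build_sample_history(letter_time):
    """Constructed sample data: a minimal subset of the Chrome schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);"
    )
    sample = [  # (minutes relative to the letter, url, page title)
        (-90, "https://intranet.example/timesheet", "Timesheet"),
        (4, "https://www.google.com/search?q=how+to+securely+delete+data",
         "how to securely delete data - Google Search"),
        (9, "https://forum.example/thread/overwrite-files", "Overwriting files for good"),
        (26, "https://shop.example/evidence-eliminator", "Evidence Eliminator v4.0 - Buy"),
        (31, "https://shop.example/download/ee4-setup.exe", "Download"),
        (600, "https://news.example/", "News"),
    ]
    for i, (minutes, url, title) in enumerate(sample, start=1):
        conn.execute("INSERT INTO urls VALUES (?, ?, ?)", (i, url, title))
        conn.execute(
            "INSERT INTO visits VALUES (?, ?, ?)",
            (i, i, to_webkit(letter_time + timedelta(minutes=minutes))),
        )
    return conn


if __name__ == "__main__":
    # Constructed timestamp standing in for when the letter landed on disk.
    letter = datetime(2011, 3, 1, 15, 0, tzinfo=timezone.utc)
    history = build_sample_history(letter)
    for entry in activity_after(history, letter, timedelta(hours=2)):
        mark = "!!" if entry["flagged"] else "  "
        shown = entry["query"] or entry["title"]
        print(mark, entry["when"].isoformat(), shown, entry["url"])
```

On a real examination the query would run against a forensic copy of the browser's history file, never the live profile, and the event time would come from the file system metadata of the document in question.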
 

 

Smiling Bob And Ecstasy - Courts Continue To Struggle With the Intersection of Technology and The Fourth Amendment

Two recent cases highlight the problems that courts have with the confluence of technology and the Fourth Amendment prohibition against unreasonable search and seizures.

The Sixth Circuit Court of Appeals held that compelling a defendant's internet service provider to turn over the defendant's e-mails without a warrant violated the Fourth Amendment.

The Supreme Court of California held that a smart phone that was on a defendant's body when arrested could be searched without a warrant.

The Sixth Circuit case involved the makers of Enzyte, a herbal supplement that employed a very annoying "Smiling Bob" and a plethora of thinly disguised puns and props to indicate that the supplement would increase the size, durability and apparently the appearance of your external genitalia.  Imagine our surprise when the makers and distributors were accused of deception, fraud and a number of other transgressions, including money laundering.  During the investigation, the government compelled an internet service provider to release e-mails more than 180 days old without getting a warrant.  The government relied on a provision in The Stored Communications Act, 18 U.S.C. §§ 2701 et seq., which allowed for such shenanigans when the e-mails were of such an age.

The Sixth Circuit held that the defendants still had a reasonable expectation of privacy in such old e-mails and held that portion of the Stored Communications Act unconstitutional.  The court likened the internet service provider to the post office or the phone company and noted that interception of a letter or a phone call could not be done without a probable cause warrant.  The court said an e-mail was entitled to the same stature.

The California case involved an accused seller of Ecstasy, the amphetamine fuel of choice for all night "raves" or for extended sexual encounters.  In this case, the defendant Diaz attempted to sell Ecstasy to a police informant.  A sale was made, an arrest ensued and Mr. Diaz's cell phone was taken from his person.  An hour and a half later, back at the station, an investigator looked at text messages on the phone and found the text: "6 4 80".  This apparently means that the defendant offered to sell six tablets for $80.  The defendant was shown the text and promptly confessed.

Upon appeal, the defendant claimed that the phone was searched without a warrant and therefore the text and the subsequent confession should be excluded.  Courts faced with similar issues in the past have held that the search of the person and the immediate area incident to a lawful arrest without a warrant is acceptable in order to check for weapons or check for evidence that might be lost.  The California court held that the cell phone “was an item [of personal property] on [defendant’s] person at the time of his arrest and during the administrative processing at the police station” and was therefore “immediately associated with [defendant’s] person and that the warrantless search of the cell phone therefore was valid”.

In a dissenting opinion, justices stated that the nature of the cell phone, i.e., that it basically amounts to a pocket-held computer, should warrant (pun intended) a distinction between such devices and weapons, paint chips and crumpled cigarette packages, items that had been approved for search in cases on which the majority relied.  The majority cited cases that stated explicitly that the validity of a warrantless search does not depend on the character of the searched item.

It is unlikely that the result would have been the same if the defendant had been holding a laptop at the time of arrest and a subsequent warrantless search was made of the laptop.  This ruling probably deserves some further consideration and refinement.  Stay tuned.

Indiana Company Sued for $300k for Failing to Notify About Security Breach

First off, thanks to everyone who came to listen to Stanfield Hiserodt speak on Data Privacy and Security at the Innotech Conference last week.  It was a solid turnout and a good discussion.

In keeping with the theme, we came across this story via Businessweek.com about the Indiana Attorney General's office suing insurance company WellPoint for $300,000.  Apparently, WellPoint allowed sensitive customer information, including health records and credit card data, to sit on an unsecured server for several months.  WellPoint discovered this back in February, but apparently took its sweet time in notifying the affected customers.  They didn't give the required notice until June.

There are currently 45 states with breach notification laws.  If you handle sensitive customer data, make sure you have a plan in place to notify your customers as quickly as possible or you will feel the wrath of the Attorney General. 

InnoTech Conference 2010

The 6th Annual InnoTech Austin Conference is going on today at the Austin Convention Center.  Stanfield Hiserodt will be speaking there this afternoon on Data Security and Privacy Laws.  InnoTech Conference offers IT professionals the chance to interact and discuss the latest technology business solutions.  You should come check it out!

Local Data Privacy Story Starring Yours Truly

We were interviewed for a local story involving data privacy here in Austin.  We were actually misquoted here, though.  There is no legal restriction for these places to store fingerprint data.

 

"Wait! I deleted that. You can't see that! "- Computer Privacy and Data Recovery in the Age of Computer Forensics

In talking to our clients, our friends and the public at large, there seems to be a lot of confusion, misinformation, urban myths and lore surrounding the amount and kinds of data and material that is deposited on computer drives and that can be retrieved even though the user thinks that he has deleted it or covered it up. And by computer drives, we mean any electronic storage device including computers, flash drives, cell phones, DVRs, etc.

To attempt to get real live reliable answers to some of these questions, we turned to some local subject matter experts, Flashback Data. Flashback Data’s website is here. They were kind enough to lend us the expertise of Will Ambruzs, an attorney who is in charge of the Forensics Division of Flashback Data.

ATLB: Will, please describe the services that Flashback Data can provide, particularly to an attorney involved in litigation.

FBD: Probably the best known aspect of forensics is the storytelling. A man dies mysteriously and the forensic examiners conduct two autopsies – one on the corpse, and one on the home computer. Toxicology confirms the man died of ethylene glycol poisoning (antifreeze). Forensic testing of the computer recovers 76 previously deleted Google searches made by his wife over the course of seven weeks for things like “symptoms of ethylene glycol poisoning,” “ethylene glycol toxicity” and “C2H6O2 ingestion and death.” That’s a compelling story.

Other times our involvement is less about developing evidence and more about logistics. For example, we’re commonly retained by attorneys to help identify all the places relevant information is likely to exist in a complex technical landscape, or to develop evidence collection strategies that minimize the impact on their client’s business.

Candidly, there’s quite an air gap between law and technology. At the end of the day, when it comes to electronic evidence, we’re the guys who fill it. Our case managers are attorneys and our forensic examiners are technologists with deep court room experience. We’re not vendors. We take pride in giving our clients access to the highest caliber forensics testing in the industry, and we’re presently the only private sector laboratory in the world accredited for digital forensics by the American Society of Crime Laboratory Directors under their International standard – same as FBI and DEA.

ATLB: That sounds like a lot more stuff than we can cover in one setting. Let’s discuss some general topics about what kind of data can be recovered and from which devices, and then, hopefully follow up with another session where we delve into some of the more complicated problems of forensic discovery and data retrieval.

FBD: OK

ATLB: I will give you some topics and you tell me how hard it is to recover this data:
• Internet history from a computer
Internet history is one of the most persistent types of data on the computer. It’s not uncommon for us to recover every URL visited on a computer from the time you first took it out of the box.
• Deleted videos from a DVR
It depends. If the DVR entries were manually deleted, the chance of recovery is high if the device can be forensically imaged before the data is overwritten. Many DVRs are set to overwrite data after a period of time, or when the device is near the limit of its full hard drive capacity. Overwritten data is unrecoverable. By anyone.
• Text messages from a cell phone
Candidly, it depends on the make and model of the phone and how the phone is used. That said, we are still seeing a strong trend of users adopting smartphones like the Blackberry or iPhone. One common thing folks do with smartphones is sync them with a computer. This creates backup files on the computer which, depending on when the backup was created, may contain data that is long gone from the phone. Alternatively, smartphones are essentially small computers, and often their data can be recovered in the same way we recover hard drives.
• Instant messages like gmail chat or AIM
These may be recovered from log files saved to the computer. Difficulty is a function of time. Bottom line is if the data you want gets overwritten with new data, it’s gone.
• Facebook messages or postings
One avenue of recovery is to extract these from internet history. Often this gives us multiple clues as to the content and recipients, and we can use the information to go looking for “shadows” of similar activity. Another thing we can do is attempt to recover the confirmation emails Facebook sends when new entries are made on a user’s wall or new messages are received.
• Twitter tweets on a cell phone or computer
This type of data generally falls into the same category as internet history and internet cache. The content itself will be recoverable for some time (until it is overwritten) and we can extract a fair amount of data simply by looking through the internet history.

• Standard files on a computer hard drive
In answering this, assume that the user has used the commonly available delete function available to the standard user.

FBD: Understanding the recovery of deleted files on a hard drive requires some understanding of how files are stored and referenced. A good analogy once provided to me is that of a school library. If we think of the hard drive as the library, then the files are analogous to the books on the library’s shelves. In a library, a book’s location is referenced in the card catalog. In a Windows environment, a file’s location on the hard drive is referenced in the Master File Table. When we delete a file, we’re not destroying the file’s data. Instead, what happens is the file’s location is marked in the Master File Table as being available to use for new data storage. That’s like pulling a card out of the card catalog and throwing it away – the reference to the book is gone, but the book is still sitting on the shelf (at least until someone takes it down and replaces it with a new book).

Having said all that, “recovering” the deleted file is like walking around the library from shelf to shelf and taking inventory of every book. At some point, we’d learn that there is a book sitting on a shelf in a space that’s supposed to be empty. And we’d find and recover the book.

In addition to the above, there are multiple other ways to attempt to recover deleted files, such as through backup copies, temporary copies and/or copies embedded in another data file (e.g., a file attached to an email in an Outlook data file). These are all potential recovery routes.
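The card-catalog analogy above, as an added Python sketch that is not part of the interview and is not Flashback Data's tooling: a constructed toy volume where deleting a file removes only its catalog entry, a carver that scans the space the catalog calls empty for file signatures, and the overwrite that ends any chance of recovery. The block size, the `ToyVolume` class and the sample bytes are assumptions made for illustration; a real Master File Table is far more involved.

```python
"""Toy model of 'deleted is not destroyed'. All data here is constructed."""

BLOCK = 32  # bytes per block in the toy volume (an assumption for the demo)

# Header/footer markers used for carving; these are the real format markers.
SIGNATURES = {"jpeg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}


class ToyVolume:
    """A byte array (the shelves) plus a name -> extent map (the card catalog)."""

    def __init__(self, n_blocks):
        self.data = bytearray(n_blocks * BLOCK)
        self.catalog = {}  # name -> (first_block, block_count)

    def allocated_blocks(self):
        used = set()
        for first, count in self.catalog.values():
            used.update(range(first, first + count))
        return used

    def write(self, name, content):
        need = -(-len(content) // BLOCK)  # ceiling division
        used, total = self.allocated_blocks(), len(self.data) // BLOCK
        for first in range(total - need + 1):  # first fit, so freed space is reused
            if not used.intersection(range(first, first + need)):
                self.data[first * BLOCK:first * BLOCK + len(content)] = content
                self.catalog[name] = (first, need)
                return
        raise OSError("toy volume is full")

    def delete(self, name):
        # Only the catalog entry is discarded; the bytes stay where they were.
        del self.catalog[name]


def carve(volume):
    """Walk every run of unallocated blocks and pull out signature matches."""
    used, total = volume.allocated_blocks(), len(volume.data) // BLOCK
    found, block = [], 0
    while block < total:
        if block in used:
            block += 1
            continue
        end = block
        while end < total and end not in used:
            end += 1
        run = bytes(volume.data[block * BLOCK:end * BLOCK])
        for kind, (head, foot) in SIGNATURES.items():
            start = run.find(head)
            while start != -1:
                stop = run.find(foot, start + len(head))
                if stop == -1:
                    break
                stop += len(foot)
                found.append((kind, block * BLOCK + start, run[start:stop]))
                start = run.find(head, stop)
        block = end
    return found


def demo():
    vol = ToyVolume(8)
    photo = b"\xff\xd8\xff\xe0" + b"constructed-image-bytes" + b"\xff\xd9"
    vol.write("notes.txt", b"A" * 40)       # occupies blocks 0-1
    vol.write("photo.jpg", photo)           # occupies block 2
    vol.delete("photo.jpg")
    after_delete = carve(vol)               # photo is still recoverable
    vol.write("new.bin", b"Z" * BLOCK)      # first fit reuses block 2
    after_overwrite = carve(vol)            # nothing left to recover
    return photo, after_delete, after_overwrite


if __name__ == "__main__":
    photo, before, after = demo()
    print("after delete:", before)
    print("after overwrite:", after)
```

The carver never consults the deleted entry; it finds the file purely from the bytes left on the volume, which is why the result changes only once new data lands on the same block.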

 


More Sophisticated Spyware Hits Utility Systems - "Stuxnet" Gone Wild

Cyber security experts are scrambling to assess the past effects and the potential of a recently detected malware that has targeted utility systems primarily in the Middle East (beginning in Iran) and the United States. Microsoft has named the Trojan intruder “Stuxnet”.

On a very basic level, here is what Stuxnet does:
1. So far, it has targeted a Siemens system (SCADA) used primarily in the operation and control of electric power plants;
2. It has been carried on USB sticks and, when a stick is attached to a computer, it executes automatically without any further action by a user, even if the AutoRun function is disabled;
3. The Trojan then seeks out and copies certain database information, including power plant designs;
4. Stuxnet exploits a flaw in the shortcut links files in Windows.

Microsoft has issued a workaround that essentially turns off the shortcut function and changes the shortcut icons' appearance on the screen.

So, if this only targets utility companies, unless you are a utility company or have one as a client, why should you care? Experts surmise that this was created to carry out industrial espionage but the same technique can be used for other targets. It could be used to target other trade secrets, personal financial information, medical records, etc.

We talked to a local security expert and there are reports that Stuxnet or variants are “in the wild” and could be delivered by means other than USB sticks, namely via networks and remote web servers.

McAfee alleges that it has a defense against Stuxnet as does Symantec. As we noted in earlier posts (see here and here), these are examples of blacklisting. CoreTrace has demonstrated effectiveness against the intruder by using the whitelisting capabilities of its product Bouncer. See the YouTube video here:  http://bit.ly/bFCEdc.

This attack seems to be much more targeted and much more sophisticated than most of the prior threats and may herald a new age of malware menace.

So, it’s a dangerous cyber world out there. Use protection.
 

Virus Protection Using Whitelisting

Last week, we posted an article about some of the ways of protecting a computer or computer network from malicious code.  We discussed primarily methods called "blacklisting" (the more widely used approach) and "whitelisting" (an approach receiving increased attention in recent days).

There is an Austin based company called CoreTrace that features the whitelisting approach.  When we asked, they were kind enough to provide us access to one of their subject matter experts. 

We discussed various aspects of this issue with Greg Valentine, CoreTrace's Director of Technical Sales and Services.  

Pertinent portions of that conversation follow:

ATLB:  CoreTrace’s products are designed to protect computers and networks from viruses, spyware, malware and other harmful stuff. How does it do it and how does that compare to the conventional anti-virus software we regularly see?

Greg:  CoreTrace has a product called “Bouncer”. Bouncer works at the operating system level and allows only the programs or executable code that has been whitelisted by the system administrator through Bouncer to run on that computer. Typical antivirus software works by maintaining a huge database library of virus signatures (which you have to keep up to date) and it attempts to eliminate them by searching a computer’s hard drives, comparing the code it finds on the hard drives to the virus library and then if it finds a match, it eliminates the virus code. There are a few challenges with this type of a defense.
1. This is reactive in nature – By definition, a signature does not exist until someone gets infected.
2. Because it is reactive, antivirus is vulnerable to a ‘zero-day’ attack. This simply means that a ‘bad guy’ can create a new piece of malware and as long as the antivirus companies are not aware of his new virus/worm then they will be blind to it.
3. In order to be protected by antivirus, you must deploy the updated signatures as quickly as possible. This can lead to inadequate testing before pushing out the ‘change’. If the antivirus vendor has made a mistake in their signature update then you could be causing more harm.
a. See McAfee’s recent ‘false positive’ signature update fiasco


ATLB:  You used the term “whitelisting”. What does that mean?

Greg:   At the time it is first installed, Bouncer takes an inventory of the executable programs on the hard drives of the computer and approves each of them to run. It puts them on a “whitelist”, i.e. stuff that is allowed to run. It is called whitelist because the antivirus providers say the stuff in their libraries is on the “blacklist”.

ATLB:  So, if a virus or other malware is present on the machine when Bouncer is first installed, then it will be allowed to run?

Greg:  That’s true, unless it is specifically found and eliminated later. That’s the reason that a good antivirus software should be run before Bouncer is installed or it should be installed in new machines before they are attached to the internet or anywhere else that they could become infected. Should you discover that one of your systems was infected prior to deploying Bouncer, you can rest a little easier at least in the knowledge that the infection will not be able to spread (to any other Bouncer protected computers).

ATLB:  Doesn’t having to authorize every piece of code to run on a system require an inordinately large amount of administrator time?

Greg:  The program takes an inventory of all the programs running on the machine at the time of the installation and thereafter the administrator does not have to be involved. The administrator can ‘pre’-authorize all software from a specific company or with a specific signature and software installed later from that company or with that signature will automatically be whitelisted and allowed to run.

ATLB:  How much computer resources does the CoreTrace system utilize and how does this compare to antivirus software?

Greg:  Our software requires a very small amount of hard disk space for our program. Since it merely prevents unauthorized programs from running, it doesn’t regularly use many computer resources. Antivirus software needs to run on a regular basis to see if any identified malware has been added since the last scan. You may have noticed that when your antivirus software is running its scan, which may last an hour or two, your computer is devoting significant resources to the scan and can have an effect on the capabilities of the computer. Bouncer only needs to check the program as it is launched. This check against the whitelist is extremely fast and does not impact the load time for any whitelisted applications.

ATLB:  How often is your software updated?

Greg:  Except for enhancements and upgrades to the program for operational purposes, our software does not need to be regularly updated. Since our method of operation is to keep anything but authorized programs from executing, we don’t have to continually seek out new viruses and add them to our database. Because of this method, we can never be behind when a new virus comes out, because regardless of the sophistication or newness of the virus signature, it can be deposited on the computer’s hard drive but because it is not authorized, it simply can’t harm the computer or its contents. Compare that to antivirus databases that are required to be updated constantly on a real time basis and must necessarily contain millions of virus signatures and sometimes can only catch a virus after it has infected a number of machines, if the virus doesn’t match their database.

ATLB:  Is there a version for single workstations or computers?

Answer:  Not yet. Right now, our program is only deployed on an enterprise basis.
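The install-time inventory and launch-time check described in the interview, as an added Python sketch (it is not CoreTrace's code and does not show how Bouncer is implemented): every file present at install is approved by hash, later launches are checked against that list, and a pre-authorized publisher can admit software installed afterwards. The `Allowlist` class, the file names and the `publisher` argument, which stands in for a verified code-signing identity, are hypothetical, and all file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large executables do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class Allowlist:
    def __init__(self, trusted_publishers=()):
        self.hashes = set()
        self.trusted_publishers = set(trusted_publishers)

    def take_inventory(self, root):
        """Install-time step: approve every file currently under root."""
        for path in sorted(Path(root).rglob("*")):
            if path.is_file():
                self.hashes.add(sha256_file(path))

    def may_run(self, path, publisher=None):
        """Launch-time check; returns (allowed, reason)."""
        if sha256_file(path) in self.hashes:
            return True, "hash on allowlist"
        if publisher in self.trusted_publishers:
            return True, "pre-authorized publisher"
        return False, "not on allowlist"


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "editor.exe").write_bytes(b"constructed: legitimate program")
        (root / "old_infection.exe").write_bytes(b"constructed: present before install")
        wl = Allowlist(trusted_publishers={"Example Vendor"})
        wl.take_inventory(root)

        results = {}
        results["baseline program"] = wl.may_run(root / "editor.exe")[0]
        # The caveat from the interview: whatever was there at install is approved.
        results["pre-existing infection"] = wl.may_run(root / "old_infection.exe")[0]
        # Code that arrives later has no entry, whether or not it is known malware.
        (root / "dropped.exe").write_bytes(b"constructed: new unknown code")
        results["new unknown file"] = wl.may_run(root / "dropped.exe")[0]
        # Changing an approved file changes its hash, so it is blocked as well.
        (root / "editor.exe").write_bytes(b"constructed: legitimate program + patch")
        results["modified program"] = wl.may_run(root / "editor.exe")[0]
        # Later installs from a pre-authorized publisher are admitted.
        (root / "update.exe").write_bytes(b"constructed: later install")
        results["trusted publisher"] = wl.may_run(
            root / "update.exe", publisher="Example Vendor")[0]
        return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

The modified-program case shows the operational cost that comes with the approach: a legitimate update is blocked exactly like unknown code unless it arrives through a pre-authorized route.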
 

The Legal Defensibility Era: The Convergence of Security and Legal Risk

With each passing day we are providing more and more personal data to companies through online transactions, social networks, and cloud computing.  Concurrently, there is also a growing framework of laws, regulations and contractual obligations governing how companies should treat this information.  These colliding paths are creating what has been dubbed "The Legal Defensibility Era."  David Navetta of the Information Systems Security Association (ISSA) has written an excellent article outlining this trend and highlighting several important issues that companies must focus on to properly handle data in this new era.

The focus of legal defensibility is understanding how a plaintiff’s attorney, judge, jury, or regulator will view an organization’s security posture in light of applicable legal requirements.  Under a legal defensibility analysis, security choices become legal positions or arguments to be used to persuade legal decision-makers that an organization’s security was legally sound, and increase the likelihood that a judge, jury, or regulator will find a company legally compliant. Ultimately, there may not be a clear “right” or “wrong” answer, but rather a more or less persuasive legal argument/position on security.

To create an effective legal defense, companies should create a security plan with the view that a security incident is a "when" and not an "if."  Companies must create an adequate security policy; abide by that policy; comply with the appropriate laws, regulations, and industry standards; and ensure that their vendors are also handling personal information with the appropriate level of care.   With the advent of cloud based services, the last point is becoming extremely important.  Companies should effectively scrutinize their vendors' security policies and procedures before agreeing to transmit personal information to them.  Focusing on legal defensibility will require more communication and cooperation between a company's IT and legal departments to effectively implement security policies in this new era.  Additionally, for a viewpoint from the security professional side, check out this article.

 

Are Your Emails Protected From Warrantless Searches?

 

An extremely important fight over fundamental privacy rights is heating up as the Department of Justice is pressuring Yahoo to release certain email records under seal.  Yahoo, who has been supported in this fight by the Electronic Frontier Foundation and other major corporations such as Google, has so far resisted by claiming the government must first obtain a warrant.  The case involves emails from multiple Yahoo user accounts that the government is trying to access.  The DOJ is claiming that under the Stored Communications Act once an email has been read it is no longer protected under the law from warrantless searches, and as such, Yahoo should release them.

The Stored Communications Act, 18 U.S.C. Sec. 2703, reads:

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant.

The government's argument, which has already been rejected by the 9th Circuit in an earlier case, is that once an email is opened and read, it is no longer in "electronic storage" and thus, not protected by the warrant requirement.  The DOJ is in effect saying that your emails are protected under the SCA as long as you never open them or read them.  Once the emails are read, the government can force email clients to release them if they are relevant to an investigation.

This case, of course, raises important Fourth Amendment issues as well.  After the seminal Fourth Amendment case in 1967, Katz v. US, the government must obtain a warrant to access communications to which the individual has a reasonable expectation of privacy.  There are exceptions to this rule as the DOJ will no doubt argue.  One exception is that an individual loses that expectation of privacy once the communications are turned over to a third party.  It is true that many of our emails are technically turned over to third parties because they are sitting on Yahoo or Google servers.  But the same technicality applies to communications over phone lines or by mail, and courts have consistently held these communications to be private.  Should the government prevail in this case, it would signal a monumental change in privacy rights for one of our most common forms of communication.

UPDATE:  Apparently the DOJ has abruptly halted its pursuit of accessing the Yahoo emails.  However, since there was no ruling from the courts the issue remains open for future cases.

Facebook, Data Privacy, and the EU

Companies that handle or transfer data must be extremely careful that they are abiding by the laws of the jurisdictions that the data passes through.   Data protection issues will only become more prevalent with the increased use of cloud computing, since a company may not even actually know where the data is being stored.  The most contentious arena for this issue is definitely in the EU.  Data passing out of the European Union to other countries creates a headache for companies that must abide by its stringent rules.

Now the EU is cracking down on social sites such as Facebook:

"European regulators are investigating whether the practice of posting photos, videos and other information about people on sites such as Facebook without their consent is a breach of privacy laws

The probes by the German and Swiss privacy watchdogs are still preliminary and would not have immediate consequences elsewhere. However, Weichert said the issue is being discussed with other data protection officials in the 27-nation European Union, which in 2000 declared privacy a fundamental right that companies and governments must respect.

The European stance differs strongly from the self-regulatory, free market approach favored in the United States, where Web companies have flourished by offering users free services if they provide personal information to help advertising target them better, according to Columbia University law professor Eben Moglen."
