E-Discovery Reporter

How Much Data has the U.S. Government Pulled with PRISM?

Posted in E-Privacy, General, Smartphones, Social Media

This month, the privacy-minded among us received two consecutive seismic shocks. First was the revelation of the Verizon FISA order, which I have discussed extensively. Second, and perhaps even more egregiously, the Federal Government admitted to the existence and operation (over the past 7 years!) of a previously undisclosed, massive program called PRISM for obtaining data created and stored by major internet and technology companies, which, like the Verizon order, was enabled by confidential orders of the FISA court. Some affected companies, like Twitter, initially resisted cooperation, but most of the affected technology platforms complied without a fight.

PRISM’s stated purpose was to monitor potentially valuable foreign communications that pass through servers located in the U.S., but as reported by Gizmodo, in practice its scope appears to have been far greater, sweeping in domestic communications as well. So, how extensively have we been monitored by PRISM?

The answer may (or may not, depending on your world view) shock you. According to published reports, Apple said it had received between 4,000 and 5,000 requests from U.S. law enforcement, covering between 9,000 and 10,000 accounts or devices, for the six months ending May 31, 2013. Among the other high-profile internet companies named in the PRISM reporting, Facebook disclosed that it received between 9,000 and 10,000 requests in the last half of 2012, targeting between 18,000 and 19,000 accounts, and Microsoft said it received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders over that same period, affecting as many as 32,000 customer accounts. Note that the companies were only permitted to publish these figures as ranges that lump national security requests together with ordinary criminal process, so none of them is a count of FISA orders.

These published figures only illustrate the number of requests and affected accounts. What they do not tell you is (a) how much data, (b) of what type, and (c) covering what time intervals was disclosed. Among the affected internet companies, only Apple and Google have made any significant further disclosures. According to an Apple press release, Apple did not provide iMessage or FaceTime conversations, which Apple says are protected by end-to-end encryption, and Apple does not “store data related to customers’ location, Map searches or Siri requests in any identifiable form.” Apple’s disclosure is the only one (to date) that actually explains what kinds of data were, and were not, disclosed.

Google has been more proactive about PRISM than most. In a letter to the NSA and Attorney General Holder, Google requested consent to publish the “aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope.” Google is still waiting for a response. According to its statement about the disclosures and its transparency report, the number of requests to Google appears smaller.

Google seems to be emphasizing transparency and openness in the process, which I think is the right approach. As I previously discussed, the prospect of a successful legal challenge to a FISA warrant by affected consumers is pretty weak, so barring a change in the law (call your Senator!) more disclosure and transparency should be the goal.

Apple’s New iPhone Kill Switch: Too Little Too Late?

Posted in E-Privacy, General, Smartphones

Among the most ballyhooed new features announced by Apple at its Worldwide Developers Conference on June 10, 2013 is “Activation Lock,” a new “kill switch” for Apple’s mobile devices. Activation Lock will ship in the next version of Apple’s mobile operating system, iOS 7, expected this fall, and aims to blunt “apple picking,” the growing trend of smartphone theft.

Activation Lock ties the device to its owner’s Apple ID. Turning off Find My iPhone, erasing the device, or reactivating it after a wipe all require the owner’s Apple ID password, so a thief who wipes a stolen iPhone is left with a device that cannot be set up again: it is essentially bricked, or rendered useless.

Apple picking is a growing problem, inconveniencing users, impacting law enforcement, and costing taxpayers money. One source reported that about 1.6 million Americans had their smartphones stolen last year. The problem is so endemic that several special purpose law enforcement units have been created exclusively to target cell phone theft.

This is clearly a step in the right direction by Apple, but it should be viewed as the start, not the finish. Apple’s security over the iPhone is still humorously basic, and Apple’s devices, even when wiped, retain significant amounts of user data. Even plugging an iPhone into an untrusted charger is no longer safe.

So, what security measures should Apple look into? Here’s this iPhone user’s wish list:

First, Apple could disable data transfer over the dock connector while the iPhone is locked, allowing only charging. Prior attacks used the data channel of a plugged-in accessory to get around the passcode, so a locked phone should not be talking to whatever it is plugged into.

Second, Apple could give users the option to fully, irreversibly and permanently wipe data of their choosing when resetting a device. This would prevent a purchaser on the resale market from finding your vacation pictures, text messages or important work memos.

Finally, Apple should let a user choose what metadata is embedded in any photo or video exported from the device, so that a photograph of your children at their school is not automatically tagged with the date, time and GPS coordinates at which it was taken.
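The metadata at issue is Exif: a JPEG carries it in an APP1 segment holding a small TIFF-style directory, with the capture time as tag 0x0132 in the main directory (IFD0) and the GPS fix in a separate GPS sub-directory reached through pointer tag 0x8825. The Python below is an added example, not Apple’s or iOS’s code, of the per-field control this item asks for: it reports what a file reveals and rewrites the segment keeping only the tags the user chooses. The sample image bytes, coordinates and timestamp are constructed for illustration; the code handles Exif only (not XMP or IPTC), and because it rebuilds the directory from scratch it also discards the IFD1 thumbnail, which can carry the original picture even after the main image has been edited.

```python
"""Inspect and selectively strip Exif metadata (capture time, GPS fix) from a JPEG. Added
example, not Apple's or iOS's code; it parses only the JPEG segment layout and the TIFF/Exif
directory structure, never pixel data."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}    # bytes per TIFF field type
TAG_DATETIME, TAG_EXIF_IFD, TAG_GPS_IFD = 0x0132, 0x8769, 0x8825
SUB_IFD_TAGS = (TAG_EXIF_IFD, TAG_GPS_IFD)      # IFD0 entries whose value is an IFD offset
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def find_exif_segment(jpeg):
    """Return (start, end) offsets of the APP1 Exif segment, or None if there is none."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)           # no SOI marker: not a JPEG
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)       # counts its own 2 bytes
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return pos, pos + 2 + length
        pos += 2 + length
    return None                                                   # reached SOS/EOI first

def _parse_ifd(tiff, offset, endian):
    """Return [(tag, type, count, raw_value_bytes)] for the IFD at offset."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = []
    for entry in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, entry)
        size = TYPE_SIZE.get(typ, 1) * count
        # Values up to 4 bytes sit inline (left-justified); longer ones live at an offset.
        off = entry + 8 if size <= 4 else struct.unpack_from(endian + "I", tiff, entry + 8)[0]
        entries.append((tag, typ, count, tiff[off:off + size]))
    return entries

def parse_exif(jpeg):
    """Return ((start, end), endian, ifd0_entries, {pointer_tag: sub_ifd_entries}), or None."""
    seg = find_exif_segment(jpeg)
    if seg is None:
        return None
    tiff = jpeg[seg[0] + 10:seg[1]]               # skip marker, length and "Exif\0\0"
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _parse_ifd(tiff, struct.unpack_from(endian + "I", tiff, 4)[0], endian)
    subs = {tag: _parse_ifd(tiff, struct.unpack(endian + "I", raw)[0], endian)
            for tag, _t, _c, raw in ifd0 if tag in SUB_IFD_TAGS}
    return seg, endian, ifd0, subs

def summarize(jpeg):
    """What a viewer learns from the file: capture time and a signed decimal GPS fix."""
    if (parsed := parse_exif(jpeg)) is None:
        return {}
    _seg, endian, ifd0, subs = parsed
    # GPS tags (0x0001-0x001F) never collide with IFD0 tags (0x00FE and up): one dict is safe.
    tags = {tag: raw for tag, _t, _c, raw in ifd0 + subs.get(TAG_GPS_IFD, [])}
    out = {"DateTime": tags[TAG_DATETIME].rstrip(b"\0").decode("ascii")} if TAG_DATETIME in tags else {}
    if GPS_LAT in tags and GPS_LON in tags:
        def dms(raw, ref, neg):                   # three RATIONALs (num, den) -> signed degrees
            v = struct.unpack(endian + "6I", raw)
            deg = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
            return round(-deg if tags.get(ref, b"")[:1] == neg else deg, 6)
        out["GPS"] = (dms(tags[GPS_LAT], GPS_LAT_REF, b"S"), dms(tags[GPS_LON], GPS_LON_REF, b"W"))
    return out

def _serialize_ifd(entries, ifd_off, endian):
    """Lay out one IFD at ifd_off; values over 4 bytes go in a data area right after it."""
    data_start = ifd_off + 2 + 12 * len(entries) + 4
    directory, data = struct.pack(endian + "H", len(entries)), b""
    for tag, typ, count, raw in sorted(entries):  # Exif wants ascending tag order
        if len(raw) > 4:                          # out of line: the field holds the offset
            data, raw = data + raw + b"\0" * (len(raw) % 2), struct.pack(endian + "I", data_start + len(data))
        directory += struct.pack(endian + "HHI", tag, typ, count) + raw.ljust(4, b"\0")
    return directory + struct.pack(endian + "I", 0) + data      # next IFD = 0: no IFD1 thumbnail

def build_app1(ifd0, subs, endian):
    """Serialize IFD0 and the sub-IFDs it points to into a complete APP1 Exif segment."""
    plain = [e for e in ifd0 if e[0] not in SUB_IFD_TAGS]
    ptr_tags = [t for t in SUB_IFD_TAGS if t in subs]
    # A pointer field is 4 inline bytes, so IFD0's size is known before the pointer values are.
    base = 8 + len(_serialize_ifd(plain + [(t, 4, 1, bytes(4)) for t in ptr_tags], 8, endian))
    pointers, blocks = [], b""
    for t in ptr_tags:
        pointers.append((t, 4, 1, struct.pack(endian + "I", base + len(blocks))))
        blocks += _serialize_ifd(subs[t], base + len(blocks), endian)
    header = (b"II" if endian == "<" else b"MM") + struct.pack(endian + "HI", 42, 8)
    payload = b"Exif\0\0" + header + _serialize_ifd(plain + pointers, 8, endian) + blocks
    return b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload

def filter_exif(jpeg, keep):
    """Rewrite the Exif segment keeping only entries whose tag satisfies keep(tag)."""
    if (parsed := parse_exif(jpeg)) is None:
        return jpeg
    (start, end), endian, ifd0, subs = parsed
    # Dropping 0x8825 drops the whole GPS IFD behind it; the IFD1 thumbnail is never carried
    # over; 0xA005 points at an Interoperability IFD this writer does not copy, so it goes too.
    subs = {t: [e for e in es if keep(e[0]) and e[0] != 0xA005] for t, es in subs.items() if keep(t)}
    return jpeg[:start] + build_app1([e for e in ifd0 if keep(e[0])], subs, endian) + jpeg[end:]

def sample_jpeg():
    """Constructed test file (SOI, Exif APP1, EOI; no scan data) carrying a time and a GPS fix."""
    def dms(d, m, s):                             # degrees, minutes, seconds as RATIONAL pairs
        return struct.pack("<6I", d, 1, m, 1, round(s * 100), 100)
    ifd0 = [(TAG_DATETIME, 2, 20, b"2013:06:10 10:00:00\0")]
    gps = [(GPS_LAT_REF, 2, 2, b"N\0"), (GPS_LAT, 5, 3, dms(37, 19, 54.0)),
           (GPS_LON_REF, 2, 2, b"W\0"), (GPS_LON, 5, 3, dms(122, 1, 51.0))]
    return b"\xff\xd8" + build_app1(ifd0, {TAG_GPS_IFD: gps}, "<") + b"\xff\xd9"
```

On the constructed file, `summarize(sample_jpeg())` returns both the timestamp and a signed decimal fix of roughly 37.3317, -122.0308; `filter_exif(photo, lambda tag: tag != TAG_GPS_IFD)` returns the same file with only the date left, which is the selective behaviour the wish list describes. A different predicate drops the timestamp instead, or both; on a real photo the same predicate also applies inside the Exif sub-directory, so tags such as DateTimeOriginal (0x9003) can be named explicitly.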

What is “Legal tender” and why Samsung didn’t really pay Apple $1 Billion in Nickels

Posted in General, Smartphones

In an amusing and perhaps cautionary tale for transactional lawyers everywhere, it was reported that Samsung satisfied a $1 billion judgment in Apple’s favor by sending 30 trucks filled with 5 cent coins to Apple’s headquarters. The language of the award, negotiated by attorneys, supposedly did not specify how it was to be paid, and Samsung trolled Apple by delivering the money in 30 trucks filled with nickels.

Well, except, no, not quite.

As reported by the Guardian, it would take far more than 30 trucks: one of our more math-minded contemporaries calculated that 2,755 trucks filled with nickels would be needed to pay off the judgment.

Finally, if Samsung had the chutzpah to actually try this stunt, Apple could legally refuse to accept the tender. Although the Coinage Act of 1965, specifically 31 U.S.C. § 5103, entitled “Legal tender,” states: “United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues,” the US Treasury Department advises that “[t]here is, however, no Federal statute mandating that a private business, a person or an organization must accept currency or coins as payment for goods and/or services. Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise.” Challenges to this position have often fallen short. A Utah man recently learned this the hard way: his attempt to pay a $25 bill by dumping 2,500 pennies all over a desk and the floor at a doctor’s office resulted in a disorderly conduct charge, and the doctor’s office was under no obligation to accept his chosen form of payment.

The story apparently originated on the Spanish-language web site El Deforma, which is akin to The Onion. If you fell for this one, don’t worry. North Korea’s been trolled too.

Video Interview: Discussing the NSA/Verizon Phone Record Scandal with LXBN TV

Posted in E-Privacy, Smartphones

Following up on my recent post on the matter, I had the opportunity to speak with Colin O’Keefe of LXBN regarding the recent report that the National Security Agency had obtained phone records for all Verizon customers over a three-month span. In the interview, I explain the details of what happened and why a successful legal challenge is unlikely.

Yes, it’s true: The NSA and FBI are collecting Verizon telephone records using a Secret Court

Posted in E-Privacy, Smartphones

Yesterday, the Guardian broke the story: Verizon was subject to a court order that required it to turn over its telephone customers’ call records to the NSA. No doubt, Verizon customers responded to this news with panic and alarm. Worst of all, this order was kept secret, as it was issued by the United States Foreign Intelligence Surveillance Court. What the heck is that? And how was this kept a secret from Verizon’s customers?

The United States Foreign Intelligence Surveillance Court was established in 1978 by the Foreign Intelligence Surveillance Act (FISA). Its stated objective is to oversee requests by federal law enforcement and intelligence agencies (primarily the F.B.I.) for surveillance warrants against suspected foreign intelligence agents inside the United States. The court acts more like a grand jury than a trial court: typically the federal government is the only party to its proceedings, and its job is to decide whether the government has made the showing required for an electronic surveillance order, known as a FISA warrant. These requests are rarely denied. Through the end of 2004, 18,761 warrants were granted while only 4 or 5 were denied, and even those were later granted after modification, according to Josh Marshall of Talking Points Memo. As indicated on the first page of the Order, its case number is 13-80; following the numbering convention of typical court orders, that suggests this was the 80th application for a FISA warrant received in 2013.

So what is Verizon turning over? The order compels Verizon to give the Federal Government, on an ongoing daily basis, what it calls “telephony metadata”: the telephone numbers of both parties to a call, the unique identifiers of the subscriber and handset used (IMSI and IMEI numbers), trunk identifiers, calling card numbers, and the time and duration of every call. The contents of the conversation itself are not turned over, but the order still lets the government learn who any individual spoke with, when, and for how long. And of course, the data collected is not limited to Verizon customers: if a Verizon customer calls the mobile phone of an AT&T or Sprint customer, that call is logged and produced to the Federal government as well. So this surveillance extends well beyond Verizon’s own customers.

So… why weren’t Verizon customers told? The Court Order forbids it!

What can a Verizon customer do? Typically, challenges to orders like this one fail. A challenge by lawyers, journalists and human rights groups who frequently communicate with persons abroad failed in ACLU v. NSA, 493 F.3d 644 (6th Cir. 2007), where the court concluded that people who call persons subject to a similar program lacked standing to challenge it. Attempts by parties subject to a FISA warrant to obtain the materials the government filed with the Foreign Intelligence Surveillance Court in support of its application have also failed. See US v. Abu-Jihaad, 630 F.3d 102 (2d Cir. 2010). And as a recent US Supreme Court case concluded, parties will rarely have standing to challenge a FISA warrant at all. In Clapper v. Amnesty International, No. 11-1025 (Feb. 26, 2013), the Supreme Court severely restricted the prospect of a FISA warrant ever being challenged: a party has standing only where it has actual knowledge, as opposed to a “highly speculative fear,” that its communications were intercepted under an actual FISA warrant. Some commentators at the time called the Clapper opinion a “Catch 22,” noting that “[i]t’s a secret program that is hard to get information about, and yet the court is seeming to require plaintiffs to get that absolute certainty before they can challenge the constitutionality of the surveillance.” Under normal circumstances, the Clapper opinion would shut the door on any FISA challenge.

But, there is a glimmer of hope. Because the order was leaked, the knowledge of surveillance pursuant to a FISA warrant is everywhere. Even under the restrictive holding of Clapper v. Amnesty International, it seems Verizon customers now have the certainty needed to contest the Order. Will there be a challenge? Stay tuned…

Top 12 Tips to Develop a BYOD Policy

Posted in E-Privacy, Smartphones

It is increasingly common to see personal mobile devices such as smart phones, tablets and mass storage/entertainment devices in the workplace. Employees often prefer to have a single device to manage their whole life — both personal and work data included. BYOD, or bring your own device, policies are the current tool to allow companies to manage the risk inherent in the intersection of personal and business data on an employee-owned device. How can your company ensure that it respects personal data, protects company assets and has effective control without overstepping?  Here is a top 12 list of tips and tricks to develop an effective and defensible, but not overreaching, BYOD policy:

1. Review your current security protocols.  A great place to start is a review of your current data security decisions. Does your enterprise allow for remote access to email or any server applications?  Business decision makers and high-level IT decision makers should discuss the pros and cons of which type of data to make available to mobile BYOD users.  Special attention should be paid to which types of employees will be using their own devices and what data they actually need in the conduct of their work while on their mobile devices. As in most things, “oversharing” is discouraged.

2. Establish what devices will be supported.  BYOD does not mean “support my device.”  Discussions should be had with IT and policy makers, as both cost and security considerations come into play. Typically, “jailbroken,” “rooted,” or hacked devices should not be supported because the modifications to the devices will weaken the security of the device and may expose corporate data to higher risk.

3. Establish what apps will be permitted.  This is where security holes originate. Especially problematic are applications for social media browsing, replacement email applications and remote-access software. Be mindful of reports of security holes and applications that allow for mass storage and/or output, as those apps may facilitate corporate espionage.

4. Enforce a tight security policy over devices and data.  Passwords, lock screens and PINs are critical. This is where many users will find they are not as enamored with BYOD as at first blush.  Data security policies may include the mandatory installation of software to remotely manage the company data on the device, which could cause some users to reject BYOD.  Remember: not everyone loves the idea of complex passwords or a potential remote wipe of their personal data.

5. Have an exit strategy for users and their devices –- What happens when an employee leaves?  Don’t forget about what will happen when employees with devices on your BYOD platform leave the company.  How do you enforce the removal of access tokens, e-mail access, data and other proprietary applications and information?

5a. What happens when employees lose (or sell) their devices?  What happens when an employee’s device is stolen?  A common policy and technology strategy is to enable remote wiping of a device’s data and require it as a condition of program participation.  If an employee reports a stolen or misplaced device, company IT can use software to wipe all data off the device to protect company assets.  This may require an investment in remote wiping technology and building it into the security policy. It also requires employee training to report lost, stolen or sold devices promptly, and may require more maintenance by IT staff than current policies mandate.

6. Integrate your BYOD plan with your acceptable use policy.  Clearly explain in writing what is and is not acceptable use on the employee-owned machine that will be holding company data. Discussions about an acceptable use policy are required to protect company data and shield the company from liability. Remember that written, enforced policies will protect the company in litigation.

7. Clarify in your BYOD policy who owns what data.  The question of who owns data on an employee’s personal device is murkier than expected, especially when a phone is lost or stolen and data is wiped pursuant to an implemented company data use plan. A “wipe” typically removes everything from the phone’s data stores, including the company and personal data. This can also remove apps and content paid for by the user, not the company, some of which may be irreplaceable. Does the company have the right to wipe devices put on the company network?  Is there a backup system in place that captures employee data? A data use policy that includes mandatory company data backup (which may be conducted via automated process) and encourages employee backup of personal data, can provide the company with cover for unfortunate wipe events that may result in loss of personal data.

8. Establish and enforce data use policies.  The policies and their enforcement will provide litigation cover to your company and help guide employee conduct.  All data on an employee device is potentially subject to discovery in a civil, criminal, or regulatory action.  Thus, in a suit against the company, the employee’s personal device (and ALL of the data on that device) could be reviewed by another party. This includes social media and private information on the machine.  Employees must be aware of this and consent in writing.  As a full device examination could be a potentially embarrassing situation for both the company and the employee alike, employees need to understand and be trained on this issue as part of the BYOD policy before participating.

9. Policies must be in writing, and employee-signed affirmations are mandatory.  This is the most critical step. Anyone participating in BYOD must sign a terms of use acknowledgment after receiving training on the company usage policies.  Those who will not agree to follow the policies may not participate.  The company should monitor use to determine whether any employee’s usage habits violate the BYOD policies.

10. Mobile device management software can save time and money.  Software that provides secure client applications, like email and web browsers, along with remote application distribution, configuration, monitoring and remote wipe capability, can simplify administration of BYOD. The decision to use mobile device management software may in turn inform which devices are supported. Again, this is a joint decision to be made between IT, operations and legal/risk departments.

11. Train and promote.  Train your employees to make sure they understand how to correctly use their applications, make the most of their mobile capabilities, and watch for suspicious activity.  To avoid “data creep,” that is, the movement of company data out of the company’s trusted network through mobile device users’ inadvertent or more nefarious activity, mandate training on acceptable usage, saving and portability procedures. Again, properly implemented and enforced policies can create defenses and affirmative defenses in data espionage or trade secret litigation.

12. Encrypt data.  In the event that a device is stolen, or a dishonest employee attempts to offload company data from the device, encryption provides an extra layer of protection.  Apps that download and store data on the device should protect that data at rest. If your company is regulated, does international business, or handles PII, encryption is a must.

Instagram now can sell your photos – and you can’t do anything about it.

Posted in E-Privacy, Social Media

In a move sure to startle its user base (if they are paying attention), Instagram revised its privacy and terms of use policies to allow Instagram to sell your pictures. Without your consent. Oh, and you don’t get paid for the use of your photos.  As reported by Cnet, the Huffington Post, the San Francisco Chronicle and others, these changes to Instagram go into effect on January 16, 2013.

Instagram happens to be one of the most used apps of 2012; smartphone users used Instagram even more than Twitter. However, the sweeping changes to the app should give even the most casual users pause.  If the prospect of the sale of your photos of your grandchild, teen or favorite cannoli is not enough to worry you, consider that the changes to Instagram’s terms of service also allow the service to use your data, including your phone number, geographic location and your photos, to target you for ads within the Instagram app.  And those ads will not be clearly marked as ads, which means you may be unwittingly exposing yourself to Madison Avenue and its glory while trying to take snaps of your new ironic t-shirt or extended family retreat at the Grand Canyon.  Finally, Instagram, recently acquired by Facebook, plans to share your pictures with Facebook, again whether you like it or not.

Some have said these changes make Instagram as evil as the NRA. But, aside from the annoyance of advertisements, what impact can these changes have on your life? Plenty. First, there is the matter of consent. As noted by Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation, there is no prior consent: “It’s asking people to agree to unspecified future commercial use of their photos. That makes it challenging for someone to give informed consent to that deal.”

Second is the matter of control. After January 16, 2013, you will have no control over the use of your photos on Instagram. That means your local restaurant can use your photo of your cousin enjoying their signature dish in their advertising without your consent or providing you with any compensation. Or, a porn site can use a photo of your 17-year old daughter and her friends at the beach in their advertising.  The possibilities are endless and alarming.

As one may expect, Instagram appears to be trying to insulate itself from liability for publicizing your “private” photos by inserting language indicating that it “will not be liable for any use or disclosure of content” and that “Instagram will not be liable for any use or disclosure of any content you provide.” So what can you do to avoid the dilution of what is likely your favorite app?  How do you protect the privacy of your family and friends? Although decisions related to privacy are ultimately every user’s choice, Wired has a step-by-step guide to downloading your Instagram photos and closing your account. Snap at your own risk.

UPDATE – Instagram backs off

Apparently I’m not the only one who noticed that Instagram was about to make a meaningful change. Users left the service in droves; photo export services like Instaport.Me and Instabackup saw surges in downloads and use as Instagram users ran for the exits.  Virtually every major news outlet covered the story, and Instagram shortly thereafter pulled an “about face,” now claiming that users’ pictures would not be sold without consent.

So we can all breathe easily, right? Maybe.  Although reflective of the “power of the people” this episode highlights the tension between businesses and their profits versus the expectations of users.  As noted by Eric Goldman, an associate professor at the Santa Clara University School of Law, “The interest of the site is never 100 percent aligned with the users, and the divergence inevitably leads to friction… It’s unavoidable.”  

What is the “moral” of this episode?  When using services such as Facebook, apps or other technology that holds information about you, remember that your data is not ultimately under your control.

That Awkward Moment When Your Employer Takes Over Your LinkedIn Profile…

Posted in Social Media

Most users of social media consider their pages or profiles to be “theirs,” in the sense that they have exclusive control over the content. If someone doesn’t like it, tough. You have First Amendment rights to free expression, right? But what happens if your employer takes over your LinkedIn profile after you’ve been fired, freezes you out of it by changing your password, and changes your data?  In Eagle v. Morgan, 2012 WL 4739436 (E.D. Pa. Oct. 4, 2012), a decision of the federal court for the Eastern District of Pennsylvania, an employee (Dr. Eagle) had shared the access credentials for her LinkedIn profile with her assistant so the assistant could help update the page. Dr. Eagle used her LinkedIn account to promote her employer’s banking education services, to foster her reputation as a businesswoman, to reconnect with family, friends and colleagues, and to build social and professional relationships. After the business was acquired, the new owner eventually terminated Dr. Eagle and immediately took over her LinkedIn account, changing its login credentials and replacing the name and photo on the account with those of her replacement, all using the previously disclosed credentials. Dr. Eagle sued her former employer claiming a violation of the Computer Fraud and Abuse Act.

Like the 1986 Electronic Communications Privacy Act (ECPA), which I’ve mentioned before, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq., enacted in 1984, is showing its age. The law was originally intended to punish computer hacking, but the rapid advance of technology, leading to today’s ubiquitous use of computers, is pushing courts to apply its framework awkwardly to present-day business disputes.

Most actionable violations of the CFAA require the violator to “exceed[] authorized access” to a computer, which 18 U.S.C. § 1030(e)(6) defines as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  The employer contested whether Dr. Eagle suffered any cognizable loss from the takeover of her LinkedIn page.  The court agreed with the employer and dismissed the CFAA claim, noting that the CFAA does not provide relief for loss of potential business opportunities, or for damage to reputation and relationships with clients.

Notably, there is precedent suggesting that this type of unauthorized access can produce a loss compensable under the CFAA, upon a proper showing of damages. In United States v. Middleton, 231 F.3d 1207 (9th Cir. 2000), the Ninth Circuit opined that, “[i]n determining the amount of losses, [one] may consider what measures were reasonably necessary to restore the data, program, system, or information that [one] finds was damaged or what measures were reasonably necessary to rescue the data, program, system, or information from further damage.”  Perhaps if Dr. Eagle had offered evidence of the damages she incurred from the misappropriation of her contacts and from waiting 22 weeks to regain full control of her LinkedIn page, her case might have been decided differently.

Commentators such as Eric Goldman wonder whether this boils down to whether Dr. Eagle’s account was a corporate account or a personal one.  There were some peculiar facts at play in this case: the company at issue had a policy that LinkedIn accounts were maintained for the company’s benefit, and Dr. Eagle had disclosed her password to her assistant.

What can you take away from this case? First, if you want to keep something private, do not share your password with anyone, ever. Any voluntary disclosure will likely be argued to be a waiver of any confidentiality and/or your exclusive control over that data.  Second, read your employer’s policy manuals. Ok, go read them again. Who owns the data you post on social network sites about your employer?  In this case, the employer had a policy that provided that when an employee left the company, the company would “own” the LinkedIn account  and could “mine” the information and contact traffic for the company’s benefit, as long as it did not accomplish identity theft to do so.  Know what rights you did and did not agree to give away before you inadvertently start building your empire for the benefit of your employer.

Congress Punts Your Email Privacy – the ECPA Abides

Posted in E-Privacy

The United States Congress once again delayed enacting wholesale reforms to protect data held in the cloud, leaving that data subject to outdated laws which provide insufficient protection. The Senate Judiciary Committee agreed to table the first meaningful rewrite of the 1986 Electronic Communications Privacy Act (ECPA) since its inception.

The proposed revisions would have required the government to obtain a probable-cause warrant before requesting data held in the cloud. The current version of the ECPA allows a governmental entity to obtain stored content from a remote storage provider (such as an ISP, a cloud computing service, or an internet-enabled storage device) without any showing of probable cause, provided the content has been stored on a server controlled by a third party for more than 180 days. The current standard is an administrative subpoena or court order reciting that the government has “reasonable grounds to believe” the information sought is relevant and material to an ongoing investigation. Even more troubling, the Justice Department has reportedly taken the position that email you have already opened and left in your inbox falls outside the ECPA’s protections entirely.

A broad group of technology-focused civil rights groups, including the Electronic Frontier Foundation, the Center for Democracy and Technology, and the Electronic Privacy Information Center, argue that reforms are needed because the protections provided by the ECPA are simply too antiquated.  Technology has changed so quickly and drastically since 1986, they argue, that while the ECPA was appropriate for 1986 technology and society’s use of it, our collective reliance on advanced and inexpensive electronic storage has changed the landscape and now requires additional protection. With 1986 technology, data remained on servers just long enough for users to connect and download it to their local machines. Now we all store gigabytes and gigabytes of data, including personal financial information, on cloud computing systems with the expectation that, in many instances, our data will remain accessible indefinitely. Despite this obvious change, Congress has so far done nothing.

So what’s the bottom line? Without this reform, the Government can obtain your email, or cloud computing-stored data more easily than any other search, including of your home, your vehicle or your hard copy records of the exact same information. This distinction only exists because Congress has dragged its collective feet instead of modernizing the law to protect your Constitutional rights.