Bitcoin Services Agreement | What Terms Should a Customer Demand?

Many wallets and platforms like Coinbase provide services to Bitcoin and other cryptocurrency customers. Typically a service provider requires customers to agree to the provider’s standard terms of service. And typically individual and small business customers lack leverage to negotiate these terms.

However, some customers do have leverage. Customers may have leverage because they bring a large volume of business to the provider, or they have teamed up with other customers to negotiate as a group. Alternatively they possess the patience to shop among service providers to find the most favorable legal terms.

What Terms Protect the Customer’s Interest?

The following are some (not all) of the terms that customers may desire but that are not commonly offered to small customers:

1. A Clear Statement of What Services Are Being Provided to the Customer


Technology services providers are known for being vague about what services they are providing the customer. Some Bitcoin service providers are equally vague. For example Coinbase’s standard User Agreement says, “Coinbase securely stores 100% of all bitcoin associated with your Coinbase Account in a combination of online and offline storage.” However, the agreement itself does not define “storage.”
It may be that here “storage” means Coinbase is managing the credentials that control the credit of bitcoin to the address pertaining to customer in the Bitcoin blockchain. But Coinbase’s Agreement does not say that. Further, it does not say the customer is entitled to those credentials and any value associated with them. It does not say that the Blockchain address belongs to customer.

What does the User Agreement say that the customer is entitled to? The User Agreement does little more than imply that all the customer is entitled to is (at most) “FEES PAID TO COINBASE BY YOU IN THE PRECEDING THREE (3) MONTHS.” See Section 9.1. That’s it.

Coinbase’s User Agreement seems to say nothing about the customer being able to obtain the customer’s blockchain credentials or the blockchain credit pertaining to the customer. Maybe that is because the customer is not entitled to those things. But if that is the case, I’ll bet many customers would be surprised. The customer may think he has 10 bitcoin, but in fact all he has is the right to obtain from Coinbase a return of the past three months of fees (at most). Those fees could be worth much less than 10 bitcoin.

2. Effort to Overcome Force Majeure


Service providers often insist on a “Force Majeure” clause in their agreements. And that may be fair as far as the customer is concerned.
“Force Majeure” means superior force. Typically a Force Majeure clause says the service provider is excused from performing services in the face of a superior force such as war, natural disaster and the like.

However, the customer prefers that the Force Majeure clause not allow the provider simply to close shop in the event of adversity. For example if the customer is a merchant, and the service provider ceases operation on account of an earthquake, then the customer is left in the lurch. So the customer wishes for the provider to work to overcome the adversity.

The customer might insist that the agreement provide:
  • the service provider will promptly notify the customer of the force majeure event and then regularly update the customer about the status of the event; and
  • the service provider will use commercially-reasonable efforts to overcome the event. (In other words the provider will take reasonable disaster recovery measures and will strive to return to normal service quickly.)

3. Response to Subpoena or Court Order for Information

The service provider holds sensitive information about the customer. That information might include address data, transaction history, blockchain credentials, investment details and more. The information might be relevant to divorce, tax collection, private lawsuits, bill collection, child support obligations and many other disputes.

Adversaries to the customer might try any number of legal means to get the information from service provider. They might try a civil subpoena, a tax summons, a police raid or a grand jury subpoena. An official order demanding information might issue from most any legal jurisdiction in the world (e.g., Uganda or Canada), regardless of the geographic location of the customer or the service provider.

The legal validity of a subpoena or other demand for information can be open to dispute. It is possible that an adversary would issue a subpoena that is unjustified or overly-broad. What is worse, sometimes Internet service providers (especially smaller ones that lack a large legal staff) can be overly generous in responding to a subpoena and turn over more information than is required. (See Theofel vs. Farey-Jones, 341 F.3d 978, 981 (9th Cir. 2003), in which an ISP disclosed too much of a business customer’s email to the customer’s lawsuit opponent.)

Accordingly, a customer desires terms like these: If someone makes a legal demand for records about the customer, then . . .


  • service provider will promptly give a copy of the demand to the customer. (Under rare circumstances the service provider is forbidden by law from informing the customer that US law enforcement is seeking information about the customer.)
  • service provider will wait to comply with the demand until the applicable deadline. Often a subpoena will give the service provider, say, two weeks to comply. If the service provider waits to the end of the two weeks, that gives the customer time to study the subpoena and react to it. The customer might for instance believe the subpoena is invalid or overly-broad; so the customer might appeal to a court to “quash” the subpoena or reduce its scope. (See details about quashing a subpoena in a US court.)


Similarly customer desires that service provider enter a non-disclosure agreement (“NDA”). Under common NDA terms the service provider would not disclose or use customer records without permission (except as required by law). The customer does not want the service provider to give customer’s information to customer’s competitors. Neither does the customer want service provider itself to use customer’s trading data to compete with customer.

4. Cooperation with Audits, Investigations or Requests for Information


Just as a customer is reluctant to let adversaries access the customer’s information held by the service provider, the customer desires assurance that the customer itself can access its own information and details about how transactions are processed.

A customer desires an agreement that under no circumstances will service provider:


  • place a lien on customer’s data [A lien is a legal measure that impairs a person's freedom to sell or transfer its property, such as its data.]; or
  • deny customer access to his/her data.


Sometimes technology service providers take the position that in a dispute with the customer, the provider can withhold data or deny service. For example the vendor of a cloud-based electronic patient record recently denied a medical practice in Maine access to its own patient records!

But from the perspective of the customer, the service provider holds unfair advantage if it can hold data hostage in the event of a dispute. The customer argues that if there is a dispute the service provider should not hold data hostage; instead, service provider can sue the customer and enforce the results of the lawsuit through normal legal procedures.

The customer may have both a commercial need and an ethical need to access its records. What would be an example of an “ethical” need for records? Suppose the customer was a law firm. The law firm might be controlling bitcoin on behalf of a client in settlement of a dispute. The law firm is obligated under its professional code of ethics to ensure it has access to the relevant records.

What’s more the customer may need assurance that the customer’s auditors can confirm and understand transactions. Relevant auditors might include financial auditors, tax auditors and security/internal control auditors. Hence the customer might insist that the service provider:


  • maintain adequate documentation about how its system works; and
  • cooperate with customer’s auditors.


For its part, service provider might insist that it be compensated if its staff must spend time responding to audit requests.

In regards to the security/internal control auditors looking out for the interests of customers: the service provider may find it is impractical to respond to all customer audit requests one-by-one. Therefore the service provider might itself hire a single auditor to conduct an audit for the benefit of all of its customers under a standard like Statement on Standards for Attestation Engagements (SSAE) No. 16 published by the American Institute of Certified Public Accountants (AICPA).

These Ideas Apply Beyond Cryptocurrencies.

The foregoing terms are not unique to Bitcoin. They might serve the needs of customers of many kinds of technology and e-commerce services.

If I’ve made any mistakes, please let me know so I can correct myself.

By: Benjamin Wright

[The foregoing is not legal advice for any particular situation. If you need legal advice, you should retain and consult a lawyer.]

Related: How to interpret a contract for payment by Bitcoin.

How to Write, Interpret, Enforce a Contract for Bitcoin

Stated Terms and Conditions Influence Legal Result.

Suppose John offers to sell a valuable widget to Betty in exchange for Betty agreeing to “pay 5 bitcoin” and Betty accepts the offer. They agree by recorded audio:

 [In regards to audio contract, see footnote below.]

Then suppose John delivers the widget to Betty, but Betty fails to deliver the bitcoin.

What are John’s legal rights?

Mutual Consideration Supports Contract.


Under US law it appears John and Betty have formed a legally enforceable contract. The parties made mutual promises for valuable consideration. The widget is valuable, and the bitcoin is valuable under current market conditions.

But the novelty of Bitcoin could make the precise outcome of a lawsuit by John against Betty hard to predict.

The “Money” that Is Not Money.


Although some people use the word “currency” to describe the phenomenon popularly known as Bitcoin, Bitcoin might not actually be a “currency.”  Unlike dollars, it has not been deemed in US law as legal tender that can be used to extinguish a debt.

Further, the Internal Revenue Service views bitcoin as property – which is subject to capital gains taxes – rather than currency -- which normally is not subject to capital gains taxes.

What Are the Remedies for Breach of a Virtual Money Contract?


So if John sues Betty for breach of contract, it seems he could succeed in showing he is the victim of a breach and he is entitled to remedy under contract law.

But it could take some effort for a court to understand the contract.

Bitcoin is a specific example of a general idea. The general idea is trading by way of a distributed cryptographic ledger. In Bitcoin the distributed ledger is called the "block chain."

If a distributed ledger is competently designed and implemented, it inherently follows the rules programmed into its software. As people use the software, they adopt "customs" of trade that can be understood without a lot of explanation by contract for each trade. For example, by Bitcoin custom the term "to pay" five bitcoin arguably means to modify the block chain to indicate as follows:

1. debit five bitcoin from the payer's address identified in the block chain; and

2. credit five bitcoin to the payee’s address identified in the block chain.

Industry Custom May Resolve Some Ambiguity.


Thus, John and Betty’s contract says she will “pay” 5 bitcoin to John. The custom around Bitcoin suggests that Betty is required to interact with the block chain to debit 5 bitcoin relative to her address and credit 5 relative to his address.

However, bitcoin and similar technology are evolving so quickly that clear custom may not have had time to coalesce. A full review of the interaction with block chain around the world may show confusion or ambiguity about what is customary and what is not customary. (See story about a failed Bitcoin transaction.)

In contract practice, if there might be confusion about custom, the draftsman of the contract can employ words to reduce the confusion. He might for instance write out a long statement of steps that Betty will follow to cause and confirm a 5 bitcoin credit to appear relative to John’s address.

Alternatively, he might refer to an authoritative statement of Bitcoin custom. He might say in the contract, “This contract will be interpreted under Bitcoin custom as articulated in https://en.bitcoin.it/wiki/Main_Page ." That sentence might resolve many questions about custom, but probably not all questions.

What Should Happen in a Court of Law?


However, neither block chain software nor Bitcoin custom explains what should happen in a court of law if a party fails to execute a trade (e.g., Betty fails to “pay” the five bitcoin).

The software and the custom fail to explain what the consequences should be if Betty does not control the agreed amount of bitcoin at the time in question. Is she required to purchase five bitcoin and then transfer it to John?

Or can she satisfy her obligation by delivering to John a quantity of pork bellies (a valuable commodity) equal in value to five bitcoin? That particular outcome does not seem right because we have no evidence that John is easily able to accept pork bellies.

What Should Be the Remedy for Breach of Contract?


If a court forced Betty to render to John 5 bitcoin using the block chain process, that outcome could be called “specific performance” under contract law. Specific performance means Betty must literally do what the contract says.  But commonly US courts disfavor specific performance.

Specific performance requires the court to understand what is going on.

In order for a court clearly to understand specific performance in Bitcoin, the court might need to digest quite a bit of testimony from experts. The experts would have to explain to the court how the block chain works and so on. That would be a lot of work for the court.

Courts Prefer Money Judgment Rather Than Specific Performance.


Instead, a court is likely to prefer to give to John a “judgment” for an amount of legal-tender-money equal to the value that Betty failed to deliver to John. A judgment is a ruling that enables John to take legal action relative to Betty and her property.

This judgment is the contract law remedy for Betty's breach of contract; it is an official statement that Betty owes a debt to John.

This kind of remedy is called a “money judgment.” A money judgment is easier for a US court to understand and oversee.

In the US legal system, money judgments are rendered and enforced all the time. Our system has managed money judgments for centuries.

In contrast, to require Betty specifically to execute some performance relative to the so-called “block chain” would be – for a court – a new and complex exercise.

Money Judgment Means Greenback Dollars.


Typically, in a US court, the amount of money in a judgment would be stated in US dollars. If John does obtain a court judgment, he can use regular  court procedures to enforce the judgment. Enforcement can include an array of actions by John, including placing and foreclosing a lien on Betty’s property, like

  • her house, 
  • her car, 
  • her bank account which is denominated in dollars or euros, 
  • her pork bellies, 
  • her intellectual property such as a patent, . . . or 
  • (theoretically) her bitcoin.

But typically the calculation of satisfaction of the judgment would be made in dollars.

For example, if John’s judgment is in the amount of $2500, then the value of his lien on Betty’s house would be up to $2500. When Betty sells her house, John would be entitled to $2500 of the proceeds.

Typically Betty could satisfy the judgment by paying John the requisite number of dollars.

But What If John Wants Specific Performance?


Let’s say John is really serious, at the outset of the contract, about wanting 5 bitcoin, rather than dollars. He could write the contract to state in detail something like the following:

(A) Betty represents that she controls a Bitcoin address with at least 5 bitcoin of credit.

(B) Betty will execute specific steps to credit 5 bitcoin to the Bitcoin address identified by John.

(C) If Betty fails to follow the steps, then John “will suffer irreparable harm and significant injury the degree of which may be difficult to ascertain.”

(D) John is entitled to an order from court requiring Betty specifically to execute the steps articulated under (B) above.

Written Contract Details Add Certainty.


The contract as stated in the audio above leaves open to interpretation questions like:

  • when Betty must pay the bitcoin;
  • whether interest will accumulate if Betty fails to pay on time;
  • which jurisdiction’s law governs the transaction (e.g., Texas . . . or Alberta);
  • whether the party enforcing the contract in court receives compensation for the cost of enforcement, such as attorneys’ fees;
  • how the widget will be tendered or delivered.


Details like these can be specified in a well-written contract, and can help John with his enforcement.

Analysis of Example Agreement


Let’s look at a well-known contract that refers to Bitcoin practice, Coinbase’s User Agreement. Coinbase is a well-known Bitcoin wallet and platform.

Section 2.4 of the agreement says,  “Coinbase securely stores 100% of all bitcoin associated with your Coinbase Account in a combination of online and offline storage.”

What does that sentence mean? The words “store” and “storage” are metaphors for complex, and possibly ambiguous ideas. They mean something other than simply:

(a) keeping physical objects in a three dimensional place (e.g., keeping in a box a sheet of paper bearing the words “one bitcoin”); or

(b) the retention of specific data that expresses bitcoin (Example: It’s not like storing the content of a distinct Excel spreadsheet – which says, “Ben has 6 bitcoin” -- on a hard drive.)

If a customer wanted to reduce the ambiguity of those words “store” and “storage,” then the customer could insist that the agreement provide much more detail. Alternatively the customer might insist that the agreement say that terms like “store” and “storage” will be interpreted under Bitcoin custom as articulated at a place like https://en.bitcoin.it/wiki/Main_Page .

So a general message to readers is that a contract for bitcoin can be written with details that help to reduce risk and misunderstanding. A talented draftsman uses judgment to know how much detail is enough and how much is too much.

This is an intriguing topic, and I’d like to talk about it. Please comment. If I’ve made any mistakes, please let me know.

By: Benjamin Wright




*Footnote: Under the Statute of Frauds, this contract might need to be evidenced by a “signed writing” to be enforceable. An audio recording can constitute a “signed writing.” Ellis Canning v. Bernstein, 348 F. Supp. 1212 (D. Colo. 1972).

How to Talk Publicly about Data Security Breach

Major data security breaches are becoming more common. Among the many that have unfolded in 2014 are Target stores and Community Health Systems (the second-largest for-profit U.S. hospital chain).

Now Home Depot, another major retailer, is in the throes of a substantial payment card breach, apparently involving both credit cards and debit cards.

Home Depot is making some limited public statements. The Home Depot story is only beginning.
Home Depot’s public communications will influence the final outcome of this data breach in terms of law, reputation and customer relations.

I teach a technology law course at the SANS Institute. A key topic is how to communicate publicly about information security, including data breaches and other infosec incidents. In that course students and I review the (in)famous TJX breach (2007). We compare the experience at TJX with the lessons from Target and Sony Playstation Network (2011 breach).

Now, early September 2014, Home Depot’s crisis is playing out. So . . . as of the live delivery of the SANS course October 2014, we will also compare Home Depot’s public and legal response.

The title of the course I teach is Law of Data Security and Investigations. The course is unique in the world.

The goal of the course is to equip professionals with the skill and knowledge necessary to respond to future events in computer security and investigations.

By: Attorney Benjamin Wright

How to Record Evidence from a Mobile Device

Dual-camera video recording on a smart phone can be very handy for a professional investigator such as a financial auditor or a forensics expert.

The video below demonstrates how an investigator can use a dual-camera video (on a smartphone) to record evidence displayed on a second mobile device. In this case the second mobile device is an e-ink reader.

The video evidence shows how the e-ink reader works as it renders data from the cloud. The “data from the cloud” in this case is just the content from one of my web sites. The e-ink reader features an odd web browser; it blinks as the user scrolls. The point of the demonstration is that the video records exactly:

  1. how the e-ink reader worked (or didn't work) at the time of investigation; and
  2. what information rendered from "the cloud" on the e-ink reader's browser client.




This video is the latest in a series of videos and blog posts I publish to demonstrate how to capture and preserve legal and audit evidence from social media or the Internet of Things.

A Legal Affidavit Confirms Validity by Placing Investigator's Professional Reputation on the Line.


My publications showcase the idea that evidence is more legally useful if it is formally “signed” in realtime by the investigator via webcam or microphone. The realtime signature by the investigator makes the whole record a kind of affidavit. The affidavit could be powerful in court years later when the investigator might not be available to testify about what he witnessed at the time of investigation.

The realtime signature of a record by an ethical and responsible investigator lends credibility and authenticity to the record.

What’s new about this video is that it uses the dual-camera recording capability of an advanced Android phone. The phone I used was an HTC One M8.

Investigator Records His Face, Lips and Voice.


In the video above, the investigator appears in the small window at the top. As the investigator uses the back-facing camera to record what appears on the e-reader, he records himself with the front-facing camera. The recording of the investigator himself serves two purposes:

1. It narrates the evidence. It explains to the future viewer, such as a jury, what is happening as he manipulates the evidence source -- that is, the browser app on the e-ink reader.

2. It authenticates the whole compilation of video evidence. The investigator says, "I hereby sign and affirm this video . . . ". That is a legal signature, binding on the investigator. It is probative to a viewer such as a court who tries to evaluate the credibility of the video as evidence later.

Video of Forensic Examiner Reveals Too Much?

Some professional investigators are hesitant to create video of themselves or the labs in which they collect and assess evidence. They worry they may inadvertently capture a record of their identity, behavior or surroundings that might be misused by an adversary, such as a defense attorney who cross examines an investigator in a criminal trial and tries to discredit the investigator's work or the investigator's ethics.

For example, a video might inadvertently show a can of soda in the lab; food and drink are often forbidden by policy in a forensics lab because they can contaminate evidence. The appearance of the can could raise questions about the competence of the investigator's lab and the ethics of an investigator who has testified that she adheres to high standards of quality.
If the investigator is concerned that video of his/her face reveals too much, then the investigator might record only audio of his/her vocal narration of the video of what s/he observes. See an example of that idea: http://legal-beagle.typepad.com/security/2011/10/cops.html

I Publish Many Blog Posts on Video-Recorded Legal and Accounting Evidence.


For more detail on these ideas, including analysis and evaluation of alternative forensic tools, please see:


I am keen to hear your comments.

P.S. Although the video above shows how to capture evidence flashing on a computing device (that is, the e-reader), it could also be applied to the recording of physical objects such as papers or a crime scene. The investigator could use the back-facing camera on her phone to record "the evidence," while simultaneously using the front-facing camera to record her face as she vocally describes and authenticates what she witnesses with her visual, auditory, tactile and olfactory senses.

What is the Legal Definition of a Virtual Currency?

The way we use language affects legal outcomes. Language is causing legal controversy around so-called “Bitcoin” and “virtual currencies.” Let’s assess the language applicable to the phenomenon popularly known as “Bitcoin.”

What Would a New York BitLicense Cover?


The New York Department of Financial Services proposes to license and regulate virtual currency businesses under a program commonly known as “BitLicense.”  Some people welcome this proposal as an advance for Bitcoin. Others denounce it as a threat to privacy and freedom because it requires a virtual currency business to collect much identifying information about customers.


What exactly does the proposed regulation cover? Section 200.2 Definitions includes this first sentence:

“(m) Virtual Currency means any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.”

How to Interpret the Definition “Virtual Currency”?


The quoted sentence of Section 200.2(m) is a definition of cosmic breadth. Let’s parse it.

First, it covers digital stuff. But in 2014 a lot of stuff is “digital.”

Second, it covers a “unit.” But it does not define the word “unit.” The word “unit” is so broad, especially when we are talking about digital stuff, it more or less covers anything. The word “unit” could mean a number, a word, a song or most any other digital expression.

If the word “unit” includes any expression of any idea, then the draft BitLicense (strangely) starts to raise First Amendment freedom-of-speech issues.

Third, Section 200.2(m) is limited to a digital unit . . .

1. that is used as . . .

A. a medium of exchange; or 

B. a form of digitally stored value;

OR 

2. that is incorporated into payment system technology.

Wow. That embraces a lot of territory.

Is an Ordinary Electronic Contract a Virtual Currency?


Let’s consider an example.

Suppose Bob sends a message via Gmail to Sally that says, “I promise to pay $100 for a widget.” And Sally replies, “OK.” That email is (more or less) a legally-enforceable contract.

Under contract law, Sally could then via Gmail assign her rights of contract with Bob to Jack in exchange for a gadget. Further, Jack could hold on to the rights for a while (because they are valuable), storing the emails in Gmail.

Finally, using Gmail, Jack could assign his rights to Maria in exchange for a whats-it.

Thus, arguably, the $100-for-a-widget contract is covered by Section 200.2(m). The contract is – at least arguably – a virtual currency because it is “a digital unit that is used as a medium of exchange or a form of digitally stored value.” It is a set of valuable, stored rights that went digitally from Bob to Sally to Jack to Maria.

Would Google Need a BitLicense?


Furthermore, if Bob, Sally, Jack or Maria has a New York connection, then the operator of Gmail, i.e., Google, would arguably be engaged in a “Virtual Currency Business Activity” for which Google must have a license. Section 200.2(n) of the draft BitLicense regulation defines “Virtual Currency Business Activity” as “the conduct of any one of the following types of activities . . . : (1) receiving Virtual Currency for transmission or transmitting the same; (2) securing, storing, holding, or maintaining custody or control of Virtual Currency on behalf of others”.

Hmm. So a plain reading of the draft regulation results in Google needing a BitLicense. How strange.

Expansive Language is Common in Cyber Law.


It is not unusual in the Internet age for lawmakers to write laws of such immeasurable scope that they arguably lead to strange interpretations.

The state of Connecticut for instance proclaims: “Any person in possession of personal information of another person shall safeguard the data . . . containing the information from misuse by third parties . . .”  Connecticut goes on to define “personal information” as pretty much any data that could be connected to a particular human. Arguably, “personal information” could include any statement, photo, mouse-click or metadata roughly connected to a person.

But to expect absolutely everyone to protect absolutely every iota of personal information of any other person seems a strange and impractical result. Arguably for example it expects great-grandmother to secure the personal information (photos, names, comments, metadata and so on) about her friends that her computer automatically collects in her browser’s cache as she logs onto Facebook.

Enforcement Limited to the Spirit of the Law?


Now, an advocate for New York’s proposed BitLicense regulation might argue it is not the spirit of the law to regulate the provision of email services like Gmail. The spirit of the law is to regulate some other activity that is hard to define.

Likewise an advocate for Connecticut’s data privacy law might argue it is not the spirit of the law to cover every speck of data in the cache of great-grandmother’s browser.

Other computer laws that use expansive words are interpreted according to their spirit. The federal Computer Fraud and Abuse Act for example hinges on "access" to a computer. In 2014 the expansive word “access” to a computer leaves much room for interpretation. In difficult cases authorities interpreting the word “access” strive to find and apply the spirit behind the CFAA.

However, leaving e-commerce laws -- like the proposed BitLicense regulation -- to be interpreted according to their spirit rather than their actual words is problematic.  Imprecisely-worded e-commerce laws (albeit well-meaning) cause confusion.*[See Footnote]

What is the Legal Definition of “Bitcoin”?


So how do the words of the draft BitLicense regulation apply to Bitcoin (or Dogecoin)?

The phenomenon popularly called “Bitcoin” might be described by lots of words. The phenomenon is new and rapidly evolving. It was not created by government. The phenomenon is not necessarily locked into words like “currency,” “unit,” “medium,” “exchange,” “value,” “transmission” or “storage.” Even though some people use words like that in relation to the phenomenon, that does not mean those words are binding on all people who observe and dance with the phenomenon.

Disclaim the Regulated Concepts?


When law like the draft BitLicense regulation relies on spirit rather than precise words to define the novel technology it is regulating, people have room to define their activity relative to that law.

For instance, people and businesses who observe and converse within the “Bitcoin” phenomenon could declare words like these:

We are engaged in a computing relationship. The relationship is evolving. It has not settled into maturity. We declare that said relationship does not involve any “currency,” “unit,” “medium,” “exchange,” “value,” “transmission” or “storage” as those words are enforceably used by the New York Department of Financial Services. We further declare that our computing relationship . . . our communication . . . disclaims the following words and the spirit behind them: "currency," "unit," "medium," "exchange," "value," "transmission" or "storage" as those words are enforceably used by the New York Department of Financial Services. We compute and communicate in the spirit of free speech, but we don’t engage in the activities regulated by the Department of Financial Services.

No Guarantee


Would a declaration like the foregoing guarantee that law will abstain from enforcing the draft BitLicense regulation against people? No.

However, a declaration like that does no harm.

What’s more, for some people a declaration like that could be constructive, especially given that the draft BitLicense regulation (if adopted) is subject to strange interpretation.

Further, those people would be safer from enforcement if they avoid tricking, deceiving or defrauding anyone.

What do you think?

By: Benjamin Wright

==
Notice: Statements like the above by Benjamin Wright are just public discussion; rely upon them at your own risk. They are not legal advice for any particular situation. If you need legal advice, you should consult a lawyer who has explicitly agreed to provide you advice.

*Footnote: In the mid-1990s Utah adopted legislation to promote cryptographic e-commerce by licensing public-key-infrastructure certification authorities. The legislation was ill-conceived and caused much confusion. Utah eventually repealed the legislation.

Mr. Wright submitted the foregoing as a formal comment to the NYDFS.

Updates

1. More analysis of the definition of "Virtual Currency" under NYDFS's proposed BitLicense regulation.

2. Valid questions raised by the imprecise language in draft BitLicense regulation.

Related: How to interpret a contract for payment by Bitcoin.

How to Prove Bitcoin Evidence

Evidence is fundamental to the use and regulation of cryptocurrencies like Bitcoin. This blog post demonstrates one way to collect and preserve evidence about cryptocurrency transactions, technology and businesses.

Bitcoin evidence might be used as follows:

  • in a court of law to enforce a contract for sale of a product purchased with Bitcoin
  • by a tax authority to calculate tax (The IRS says Bitcoin is property on which capital gains taxes must be paid.)
  • by an accountant to audit the financial condition of a company that owns Bitcoin
  • by a regulator to monitor a Bitcoin exchange (The New York Department of Financial Services proposes to license and regulate virtual currency businesses under a program popularly known as BitLicense.)
  • by a compliance officer at a licensed Bitcoin business to show she checked the function of Bitcoin software at a specified time


Example Evidence in Failed Transaction


Cryptocoinsnews recently reported how evidence was captured and shared regarding a failed purchase of goods paid with Bitcoin. The author says he tried, unsuccessfully, to make a purchase at Tiger Direct, which uses Bitpay to accept Bitcoin payments. In connection with the author’s research of the failed transaction, “BitPay has sent [the author] the screenshot showing the proper amount paid . . .” In other words Bitpay proffered the screenshot that it made as probative evidence of Bitpay's proper performance in the transaction.



A Screencast Video Is Sometimes Better than a Screenshot.


A screenshot is a common form of evidence for online data and transactions. Screenshots are commonly relied upon in court and in financial audits. They are commonly retained as archives of online events, including contracts or statements of account.

But a problem with a screenshot is that it misses the interactivity of software or an online event. It misses audio feedback. If an investigator wants evidence that after he clicks X then Y happens, he can try to make multiple screenshots and explain them in a written report. But compiling multiple screenshots into a detailed written report is awkward and time-consuming.

A screencast video (including audio), on the other hand, can be worth 10,000 words. Here is a screencast video of a hypothetical review by a compliance officer of a web-based Bitcoin wallet. Notice the audio beeps and the brief notices that blink in the upper right-hand corner and then go away; these would be hard to represent with screenshots stitched into a written report.
 
(I use the demo wallet at Blockchain.info, which is described as “Free. Open Source.”)

Video Freezes Evidence at a Point in Time.


Software and other technology change constantly. This video documents precisely what the investigator sees at a particular time. It also records the audio “beeps” he hears, and it shows precisely when he heard them.

Could the investigator forge or manipulate this video record? Yes, just as investigators can forge other evidence like screenshots or old-fashioned paper documents.

The value of the screencast video evidence depends on the reputation of the investigator.

I have previously analyzed video evidence like this.

The credibility of the video could be enhanced if it were created and signed by more than one investigator.

The statement of date and time by the investigator via webcam makes it more difficult for anyone to manipulate the video, especially if date and time are corroborated by an outside source, such as email to which the video is attached or a cloud service to which the video is uploaded.

For instance, the Youtube (i.e., cloud computing) page for the video above shows the video was uploaded July 17, 2014. I (the Youtube subscriber who controls the page) am not able to manipulate that date. Thus, if six months from now I wanted to create a fake video and claim the date was July 17, 2014, I could not use Youtube to corroborate the date for the fake video.

Legal Signature Supports Authenticity.


A crucial aspect of the video is the webcam signature of the investigator at the end. The webcam-recorded words “I Ben Wright hereby sign and affirm this video as my official work,” make clear the investigator is putting his professional reputation on the line. He is going so far as to record his face and moving lips as he speaks the words. He is making a form of legal affidavit.

The signature potentially opens him to legal and professional punishment if he is lying or cheating. (If he is licensed like a certified public accountant, he could lose his license. He could jeopardize his ability to ever get professional employment again in the future.)

This signed video record could even be valuable years later when the investigator is no longer available or willing to vouch for it. His employer (in the hypothetical video the employer is Acme Virtual Currency Brokerage) may need his evidence long after he leaves employment.

Deeper Evidence Might Be Available.

The video above of course records the function of a wallet at the level of user interface. This record may be adequate for many audits and regulatory reviews. But sometimes deeper evidence may be necessary. Records of logs, ledgers, journals, meta-data, audit trails, and the like may be necessary . . . assuming the investigator has access to them, as well as the time and expertise to make use of them.

In any case, the application of a legal signature by the investigator who collects and authenticates such evidence can contribute to the long-term credibility of the evidence. Often a webcam signature (stating date and time) would be practical, reliable and persuasive to legal authorities like juries.

What do you think?

--
Related: How to verify online forensic evidence.

How to Find Legal Evidence in Backups

Copies of legal and audit evidence are spreading everywhere. The “syncing” of digital devices and services is revolutionizing the forensic collection of electronic evidence.

Discoverable evidence is no longer confined to islands like an email archive or a hard drive. The evidence is multiplying. It is being copied and copied again. It is backed up here, it is automatically shared there, and it is accessible some other place.

Hence, if relevant text messages have been deleted from a phone, they may still be recoverable from a synced backup on:

  • PC hard drive 
  • enterprise email account
  • cloud storage account like Dropbox or Gdrive (cloud storage often enables automated copying to multiple devices; something copied to Gdrive may automatically be copied to your home PC hard drive and the hard drive of your personal laptop)
  • wearable device like a smart watch
  • dedicated local storage device (a “cloud in your home”)
  • television in the living room
  • soon . . . your Internet-of-Things refrigerator!

Can You Remember All the Services Enabled on Your Smartphone?


Today, when a consumer or a business professional sets up a new device like an Android phone, they are encouraged to sync their contacts and photos with cloud services and with other devices. Many people do not deeply understand what this means.

Recently I witnessed the surprise of an iPhone user who lost her phone and bought a new one. All of her details, like photos and settings, emerged like magic on the new phone. Why? Because they were backed up in the iCloud . . . even though she did not realize they were stored there.

Many modern cell phones automatically back up data to the cloud so that the data can be restored if the user "resets" the phone. See this image from an HTC One phone.

Such cloud backup service is a relatively new development in the smartphone universe. The full implications of this service can vary from one situation to the next and from time to time. Can texts be recovered from this backup? Photos? Log-on credentials for mobile apps like Snapchat? Contents of mobile apps, which may themselves contain sensitive messages, images, geolocation data etc., etc.?

An investigator may need to research and play around with a service to learn what evidence can be recovered from it in any given situation. The investigative process is unpredictable and labor-intensive. Therefore it may be expensive if you are paying an investigator to work by the hour.

The backup functionality can be complex, and hard for even a reasonably educated person to understand. I have been working with a new HTC One phone (July 2014). I've enabled automatic backup, but I am still puzzled about precisely what the backup does. I see this explanation on HTC's web site:



It says my data is at my "Dropbox storage" . . . but I am not aware that I have ever set up a Dropbox account. So far I've not been able to ascertain whether I can access this "Dropbox storage" by any means other than "resetting" the phone . . . or possibly duplicating the contents of the phone onto a different HTC phone.

(I am guessing that somewhere in the setup of the phone and the setup of the backup function HTC created a Dropbox account for me . . . but that is just a guess. I did not notice this happening. I have not noticed a "welcome" message from Dropbox.)

Many people come to this blog seeking to get texts and photos from a telecommunications carrier like AT&T. However, the carriers are often uncooperative. The better path for recovering data may be from the cloud backup, such as HTC's Dropbox storage or Apple's iCloud.

Did You Automate and Then Forget?


Some cloud services encourage you to make automatic backups because they want you to become dependent on them. Microsoft’s OneDrive gave me three extra free gigabytes of space if I’d set up the CameraRoll on my Windows laptop to upload its contents automatically to OneDrive. Microsoft is hoping I will upload so much (perhaps without thinking about it) that I will need to purchase additional storage.

HTC and Apple provide backup as an incentive for the customer to come back to them when the customer purchases a new device.

Many users will forget about their various backups. Therefore, if they were asked in a legal deposition or interrogatory whether they had backups they’d honestly say no. However, a diligent investigator could find the backup(s).

Does Investigator Need Training?


An effective investigator does not necessarily need special equipment or high technical skills to find the backed up data. Instead, the investigator needs patience and an inquisitive disposition. Computer devices like tablets and online services like OneDrive are emerging and changing constantly. No one can know everything about them. However, their features and behaviors can be researched and intuited by a persistent investigator.

With that said, a trained investigator will know how to order and document his work so it can more readily be established as reliable in court. In a criminal prosecution, a court may expect proof of the “chain of custody” for the evidence. Further, the work of a licensed and/or certified investigator may be perceived as more credible.

What’s more, sometimes special forensic tools are critical to recovering data. For example, a forensic specialist reports he recently used forensic tools to recover deleted email by accessing the “shadow” copy maintained for disaster recovery on the hard drive of a Windows PC.

Is the User Given Good Legal Disclosure?


When a user syncs a device with something else, there’s never a sensational notice like this: “Warning. By syncing your phone, you are creating backup records of photos and text messages that can be discovered by the police or your ex-spouse in a legal investigation.” Users are often presented lengthy (boring) terms and conditions, but few users scroll screen-after-screen on their mobile devices to read and absorb the implications of the terms. As the adjacent photo shows, the terms may say that nonspecific, neutral-sounding “content” will be stored, but rarely do users cogitate over that word.

When a user sets up syncing, they may create a password that they then forget. Sometimes the only practical way to access the synced backup records is by using the device from which the records originally came. For instance, an app on a phone may be causing records to be stored on a social media or cloud site. The only practical way for the investigator to get credentials for logging onto the site might be to use the app as it is installed and configured on the phone.

With appropriate authority, a talented investigator can reset passwords and recover forgotten accounts. Authority might come from, for example, user consent, a court order or a BYOD agreement between the user and her employer. 

iCloud and iPhoto Pitfalls


Apple's iCloud is notorious for storing records in ways that confuse iPhone or iPad users. This confusion has contributed to a scandal around nude celebrity photos. Remarkably, a user (like a celebrity) can delete photos from his/her iPhone but not realize they are still stored in iCloud, waiting to be discovered by an investigator . . . or a hacker.

Image caption: Like pink stain in "The Cat In The Hat Comes Back," data won't disappear.

Further, even if the user has figured out how to delete the photos from iPhone/iPad and iCloud, they can still be backed up in iPhoto on the user's Mac desktop or laptop. Getting rid of all the data requires extraordinary diligence!

By: Benjamin Wright

Professional Standard of Responsibility for Data Security

The CEO of retail merchant Target lost his job owing in part to a data security breach. The Chief Information Officer lost his job too. Target is a turning point in the history of data breaches. It is changing the way enterprises approach data security.

Image caption: Target breach is legal milestone. Lessons from Target.

Insecurity Is a Fact of Life


To prevent data from leaking out is very hard – in fact, super hard – for an enterprise to achieve. To explain that point, journalist Quinn Norton publishes an article titled “Everything Is Broken.”  Although she speaks in terms I would not use (she says computers are “broken”; I say our expectations for computer security are unrealistic), I subscribe to her basic message: typical computers and software are inherently insecure. They are riddled with holes. They were not designed, they were not created, they are not deployed like M1 tanks.

Encryption Exemplifies Security's Unachievability

Take encryption. The public discussion about security often assumes that “encryption” is an achievable solution to much of the data security problem. But sustained use of encryption in a functioning enterprise – or by a reasonably careful individual – is a nightmare that is rarely acknowledged. To quote Norton: “Managing all the encryption and decryption keys you need to keep your data safe across multiple devices, sites, and accounts is theoretically possible, in the same way performing an appendectomy on yourself is theoretically possible.”

She goes on to explain that so often encryption programs can be circumvented because – for example -- they sit on top of code written in the C programming language, which is often written by sloppy developers who fail to use secure coding practices. Secure coding in C requires a lot of discipline. According to a knowledgeable expert, "C is unforgiving if you are lax in secure coding practices."

An example of a C programming vulnerability is the catastrophic Heartbleed bug that attracted so much attention when news of it broke in April 2014. Security guru Bruce Schneier said that on a scale of 1 to 10, Heartbleed is an 11 in its magnitude!

Think about Schneier’s comment from a public policy perspective. Heartbleed had been sitting out there for years, unknown to the community, as a loophole in commercially-popular encryption (OpenSSL). But the public policy conversation assumes “encryption” is good, practical, achievable.

Norton argues there are more Heartbleeds out there; the community just hasn’t identified them yet.

Another recent controversy demonstrates how impractical encryption can be. For years, many smart people have relied on TrueCrypt to encrypt records. Then suddenly TrueCrypt's developers announced the program is insecure and everything encrypted with it needs to be re-encrypted with something else. Even though the community is debating whether TrueCrypt is in fact insecure, the controversy compounds the nightmare for many enterprises that in good faith have devoted resources to encryption.

When we consider encryption as a solution, we must acknowledge that the practical application of encryption is destined to fall short.

Breaches Are Normal


In data security, everyone makes mistakes, even the best experts. RSA itself – the gold standard among infosec vendors – suffered a major security breach in 2011. Hackers used spear phishing against RSA employees to compromise the company’s SecurID authentication tokens. (csoonline.com “The 15 worst data security breaches of the 21st Century,” February 15, 2012)

What about the National Security Agency? It is reputed to employ the best computer security team in the world. It devotes a massive budget to computer security. But it suffered a cataclysmic breach. Edward Snowden stole the NSA blind.

No one is immune to data security breaches, even when they have very qualified people working for them and they devote tremendous resources to the problem.

Data security is a highly adversarial contest, similar to high-stakes litigation. The enterprise faces very smart, capable and persistent adversaries, like Mr. Snowden or like talented opposing counsel.

Losing the data security contest is normal, just as losing a lawsuit is normal and losing a football game is normal.

CISO Emerges as a Peer to General Counsel


It is in this harsh, unpredictable environment that enterprises like Target must manage sensitive data like payment cards and healthcare records.

For an enterprise, managing data security has become like managing legal rights and liability. The enterprise will never get close to perfection. It will never know whether it made all the correct decisions. But it can devote professional attention to the problem.

Historically the infosec team at the enterprise was composed of technical staff under direction of the Chief Information Officer. Infosec guys often complained that their guidance did not get the needed respect. They’ve had a reputation for writing long, highly prescriptive security policies that say this “will” be done and that “must” be installed. Even though their policies often would not be followed, they felt it necessary to use unrealistic, compulsory policy language just to be heard. They spoke in simplistic, black and white terms.

The historical practice out of the infosec team is markedly different from the practice out of general counsel’s office.  Business lawyers eschew directives like you "must" do this and you "will" do that.  Often such absolute mandates are too simplistic to address the challenges the enterprise faces. Rarely do lawyers say something like, “The enterprise must file this lawsuit because the enterprise is guaranteed to win a bunch of money in the lawsuit.”

But when lawyers talk, executives listen. Corporate lawyers are esteemed, pretty-well paid professionals. General counsel is an executive.

Though lawyers can speak in soft tones, their “advice” and “recommendations” carry weight. Their advice and recommendations are perceived as having serious impact, even if the advice and recommendations are not always followed or not perfectly followed.

Seeking Higher-Caliber Security Advice


The world is changing. Target is rumored to be shopping for a Chief Information Security Officer who will not be a subordinate of the CIO.  Rather, the CISO will be a peer of the CIO. According to Business Insider, this elevation of the CISO (and therefore the elevation of the infosec team) is an emerging trend among enterprises. “This Week In Payments News: Target Undecided On Who Will Be In Charge Of Stopping Hackers,” May 25, 2014.

Here is my interpretation of the trend: Management of data security has become mission critical for the modern enterprise. But management of security involves tradeoffs and unknowns akin to those applicable to the management of legal rights and liability.

The modern enterprise seeks sage leadership on data security. The enterprise will never achieve perfection; it will never know whether its decisions were the best. But the enterprise wants to get the kind of guidance from its security staff that it gets from its legal staff.

The implication is that the modern enterprise is seeking sharper, better-qualified security staff, and it is willing to pay higher salaries to get it. The modern enterprise is in the hunt for a more professional infosec team, led by an executive-level CISO.

Legal Motivations for Professional Attention


When a patient visits a doctor, there is no guarantee the patient will get well. When a client retains a lawyer, there is no guarantee the client will win its lawsuit or achieve a desirable legal outcome.

The risk of an unhappy outcome is recognized in professional malpractice law.

So long as the doctor or lawyer exercises diligence and care, the professional is not liable for malpractice, even though the outcome is undesirable. Law motivates the professional to work and even be creative and take educated risks, but it recognizes that the task at hand can be unwinnable. It leaves much room for imperfection, mistakes in judgment and plain old bad luck.

I argue similar motivation should apply to data security in an enterprise. The enterprise should be motivated to seek qualified security expertise. But very commonly a diligent application of that expertise will fail to a greater or lesser degree. Qualified people will make mistakes. The possibilities for error and surprise are infinite.

Moreover, data leakage is like a serious disease. Often it is simply not curable. Law should motivate good work, but it should not punish a failure to cure.

Hence I argue that the law of data security should not hold an enterprise liable for a data leak if the enterprise meaningfully employs qualified staff.

I don’t anticipate infosec staff will be licensed like doctors or lawyers anytime soon. But I do think law can recognize the difference between qualified, vigilant staff and the absence of the same. And the law should recognize that even with qualified, vigilant staff, bad outcomes are normal, par for the course.

==
By: Benjamin Wright, attorney and teacher of Law of Data Security and Investigations at the SANS Institute.

Update:

Target's new CISO will report to the CIO. However, I'll bet that the new CISO will be treated as a trusted professional whose recommendations are given weight.

Related:

1. Floods of data breach notices

2.  Putting a Professional Standard of Care into Infosec Practice

How to Conduct a Private Internet Investigation

The online universe brims over with data and evidence about firms, people and events. But effective access to it can require hiring a private researcher or private investigator. In some cases a lawyer should be the first professional consulted.

Trend: Evidence Exists, But It is Hidden


A growing trend is that the data you want is hidden from easy public access. There are three reasons for this trend:

1. Right to Be Forgotten. The first reason is the recent ruling in the European Union that search engines like Google and Bing must respect the “right to be forgotten” and remove links to some data about a person when the person requests. The data -- which might relate to an old debt or crime -- may still be publicly accessible on a web site, but easy-to-use search engines (Google/Bing) can’t point to it. It exists in the so-called "Deep Web."

2. Closed Apps and Sites. A second reason for this trend is the rise of apps and web sites that disallow indexing by Google/Bing. Most Facebook content, for example, is not indexed by Google.  Much of the content collected by a mobile app – like the health apps published by Noom -- is not indexed by Google.

Many services not indexed by Google do collect loads of valuable information and make it available to subscribers/customers, whether paying or otherwise.

3. Inhospitable Terms of Service. This is the third reason for the trend that data is inaccessible. Legal terms of service that impede investigation are becoming more common. For example, Facebook’s terms say, “If you collect information from users, you will: obtain their consent . . .”

Huh? Those terms seem to say that before you get “public” Facebook info about the target of an investigation you must get the target’s consent. But you may not want to do that because you don’t want the target to know you are investigating.

Although terms like this can be subject to interpretation, they can restrict the collection of data or limit its use as evidence in court.

A Professional Can Uncover Scattered Recorded Evidence


The upshot of the foregoing trend is that recorded information is becoming more fragmented, even as it becomes much, much more plentiful. It is scattered around. Finding it and making sense of it can require the payment of fees and the expenditure of much labor – more money and more labor than was perceived to be true a few years ago when Google/Bing seemed like the universal gateway to the web.

This means professional researchers and investigators are becoming more valuable. Professionals have training and experience. Better ones are creative. They have access to and know how to use many databases and search services, including less-conventional ones like Tineye, an image search engine, or Yandex, a Russian search engine, and fee-based databases like Proquest Obituaries or Ancestry.com.

They are skilled in searching the Deep Web using tools like Biznar, though no one knows how to use every online investigative tool.

Skilled investigators know how – or can quickly learn how -- to use Worldcam to find recent Instagram photos near a certain location. Or they can find and apply new tools, such as Ready or Not, which maps a person’s recent physical location based on where they were at the time they broadcast a tweet or Instagram post.

Image caption: Map Location of Recent Social Updates by the Target of Investigation!

New search tools emerge every day!


Good research might involve a lot of trial and error. For instance, suppose a researcher is collecting information about Courtney. The researcher sees that Courtney talks on Facebook about using the Noom Weight Loss Coach mobile app. The researcher might look up the Noom app, subscribe to it and pay for premium service so as to have access to user forums, where – maybe or maybe not – Courtney would have posted something relevant.

The number of mobile apps is endless; apps come and go like Texas weather.

Sometimes, when a professional gathers research, s/he must be licensed as a private investigator. For example, Texas law broadly requires independent businesses that collect sensitive information to be licensed as a PI.*

An Attorney’s Role in Five Parts


When seeking information, the services of an attorney may be helpful.

For one, an attorney may possess the necessary skills and license to conduct the investigation himself.

Two: An attorney’s interpretation of terms of service or end user license agreements (EULAs) may be necessary. Terms of service can be confusing or ambiguous. Competent interpretation of the terms may direct an investigation to pursue one course of action (e.g., just taking written notes about what the investigator encounters on a site) while avoiding another course of action (e.g., making copies of material the investigator encounters on the site).

An attorney might recommend a non-obvious method for an investigation to obtain permission before proceeding.

Similarly an attorney can analyze the ethical implications of pursuing one investigative path versus another path. For instance, one path may smack of unethical deception (e.g., pretending to be a former classmate); whereas, an alternative path of investigation may be just as effective but involve no deception.

Attorney Can Invoke Powerful Confidentiality


Moreover, an attorney may be able to cloak the investigation in confidentiality. The “attorney work product doctrine” says that when an attorney does work in preparation for a dispute the attorney’s work is confidential and cannot be discovered by legal means such as a deposition or subpoena.

The work product doctrine is powerful. It is a sibling to “attorney-client privilege” which protects the confidentiality of communications like email or phone calls between a lawyer and his client.

The work product doctrine can protect the attorney’s notes, his research and investigations he performs or directs others to perform. Thus, if the doctrine applies, the attorney can direct a private investigator to gather evidence from social media or online databases, and the investigation itself would remain legally confidential. This means that an adversary, such as a tax authority or an ex-spouse, could not legally force disclosure of the existence and mechanics of the investigation.

In practice, when an investigation is undertaken, many kinds of potential legal disputes could be present. The potential disputes could cover, for instance:

  • defamation
  • heirship
  • divorce
  • child custody
  • control of a corporation
  • property ownership
  • employment discrimination
  • tax evasion
  • much more

Attorney’s Analysis Can Guide Investigation


Here’s a fourth reason for engaging a lawyer. A savvy attorney can analyze and articulate the need for and purpose of an investigation. A well-reasoned mission-statement for an investigation can help guide the scope and methods of the investigation. It can determine what evidence is required and what is not.

An attorney might rationally document that an investigation is needed, for example, for the purposes of

  • personal safety, or
  • defense of property in a manner that is proportionate to the threat, or
  • confirmation of compliance with law

The attorney might then know which private investigators are best suited for the job.

Fifth role of attorney: A sharp lawyer may be able to develop a strategy for collecting hard-to-get evidence in a way that will stand up in court.

What are your comments?

==

*Footnote: Texas Occupation Code Section 1702.104 reads: "(a) A person acts as an investigations company [which must be licensed] if the person: (1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to . . . the cause or responsibility for . . . loss, accident, damage, or injury to a person or to property. . . . (b) For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public." Arguably one way that online data may not be available to the public is that terms of service forbid access to it. 

Therefore online data that you want as evidence for a lawsuit may appear to be public. But if terms of service restrict the collection of it for purposes of a lawsuit, then you may need help from a licensed professional to collect it.

 

Related: PI License for Computer Forensics Expert

How to Obtain a Subpoena . . . or Results Equivalent to One

You want legal evidence – such as a photo, a text message, a utility log or a surveillance video -- that is in the hands of some other person.* A subpoena might be a legal way to get that evidence.

But to reach your goal, you may have many alternatives. You are wise to consider alternatives, possibly with the advice of legal counsel. Creative, analytical thinking may be more effective than you expect.

The proliferation of digital devices, and the networking of computers, give rise to a cornucopia of data and evidence about any given event:

  • burglary
  • traffic accident
  • breach of contract
  • sale of property
  • extramarital affair
  • bribery
  • act of good Samaritan

This expanding cornucopia may be richer and more detailed than you imagine. Simply put, there is always more data, always more evidence.


A Simple Letter Might Work


Traditionally a subpoena uses demanding, adversarial language to request information. But that type of language can be counterproductive and can make people cautious and defensive.

One option might be just to write a polite letter requesting the evidence . . . or information about the evidence. For example, the sheriff in Howard County, Indiana, used a polite letter to get information about a fugitive from the operator of the online game World of Warcraft. The letter was not a legally enforceable order. It was an explanation for why the sheriff needed the information about a particular WoW user. The WoW operator responded with a letter providing details about the geographic location of the fugitive in question.

You, the reader, may not be a sheriff or a government officer. However, if you have a good justification you may be able to persuade an authority to write a letter on your behalf. That authority might be your local sheriff. Or it might be a politician, such as your state representative in your state legislature.

Although large Internet Service Providers like Facebook can be uncooperative and bureaucratic with requests for information, smaller service providers may be different. For instance, today many mobile apps are operated by small companies. A sympathetic appeal to them for help can sometimes work.

Appeal to a Foreign Official


Surprisingly, the person who might issue a letter on your behalf (if not an official order or demand) is a foreign government official. The Internet has changed the way many government officials view their responsibilities. Legal jurisdiction is not perceived to be as territorial as it once was. For instance the Canadian Privacy Commission is known for taking action against data brokers located outside of Canada . . . when they are handling data about Canadian citizens incorrectly. Thus a US citizen might be able to get help from a Canadian official if the US citizen can show a Canadian connection to the problem.

Subpoena By Way of Bankruptcy


A legal process that enables issuance of a subpoena may not be pleasant. Example: Douglas Himmelfarb has long believed he owns a valuable painting by famous artist Mark Rothko. He has been working for years to prove the painting's authenticity.

15 years ago Himmelfarb learned that Rothko’s family may possess a photograph that would lend credence to the claim of authenticity. Himmelfarb could not persuade the family to release a copy of the photograph.

Then, unfortunately, Himmelfarb went into bankruptcy. An interesting by-product of bankruptcy proceedings is legal power to issue subpoenas for the purpose of ascertaining the value of assets, such as this painting. A bankruptcy subpoena at long last forced the Rothko family to release a copy of the photograph to the court (though the family’s lawyer included with it a written warning that it should not be assigned undue weight in evaluating whether the painting is authentic). “Is This Rothko Real?” Wall Street Journal, April 25, 2014.

How to Write a Subpoena


Please refer to my earlier blog post on how to write a subpoena for computer records. It contains numerous suggestions on how to obtain a subpoena, such as through a police investigation or proceedings in small claims court.

Analyze Your Interest and Your Public Appeal


When you want information from another person, think carefully about why you want it and why you are entitled to help. It may actually be that you have a property interest in the information, or a moral right to it because it affects your safety or privacy or it belonged to a deceased relative.

A well-articulated statement of your interest may go farther than you expect. Companies and institutions are sensitive to public perception. A well-formulated campaign on Twitter, on Kickstarter (a crowdfunded public petition) and/or on a blog can persuade a larger organization that it should, in the interest of its community, cooperate with a fact-gathering effort.

For example: Facebook released a one-minute "Look Back Video," composed of posts by a deceased user, after the user's father posted a compelling plea on YouTube. (The father, John Berlin, could not access his son's account.)

You Never Know What the Owner of Information Might Do.


The owner may decide, for example, to reveal the information to a neutral third party, who can assess it and report to the public. It may reveal some information, with sensitive parts redacted. It may decide to reveal only metadata about the information, such as


  • when the information was collected, 
  • how it was collected (smart grid meter? surveillance microphone? navigation system on-board a moving vehicle?),
  • what format it exists in (spreadsheet? mp3? video?),
  • whether it has been deleted 
  • and so on.


The information owner very possibly does not even realize what evidence it possesses or the significance of the evidence!

When a firm or a responsible person is faced with a public request for help that appeals to the sympathies of popular opinion, surprising things can happen. You might point out that generosity on the part of the other party might lead to positive publicity and a positive public image.

A similar public appeal might nudge a government entity – like a state attorney general, a school board or a county commission – to open an investigation that would cause a subpoena to be issued. It might cause a public hearing to be scheduled, which could require a party holding information to appear and explain the status of the information and explain why the information is being withheld.

It might cause a local TV station to broadcast a news report.

Ask the Public for Help


Interested members of the public will tell you secrets you don’t know. They might for instance explain to you that the information you seek is backed up in a place you can access.

I recently helped a client who believed certain government employees were harassing him. We blogged about the harassment. This publicity caught the attention of allies, who gave us tips on how to get more information.


====
*Footnote: A dramatic example of third-party evidence is a surveillance video that surprised Los Angeles prosecutors in a criminal drug trial against Guillermo Alarcon, Jr. Unbeknownst to police officers a camera on an apartment building recorded their arrest of Alarcon. Management at the building was sympathetic to Alarcon and gave the video to his defense lawyer, without telling police. Then at trial Alarcon's defense lawyer produced the video, Perry Mason-style, after the police officers delivered sworn testimony that was inconsistent with the video.  The charges against Alarcon were dismissed. The police officers were convicted of perjury.

Related: Retain Licensed Professional to Follow Online Footprints