Computer Investigator Arguably Crosses Line | Breaks Eavesdropping Law?

In computer investigations, the difference between legal and not legal can be subtle. Our computer crime laws are written so broadly that they leave much to subjective interpretation.

Technology is changing so quickly that bright-line rules about what is permitted and what is not are rare.

Legal compliance requires computer investigators to exercise good judgment. Smart investigators will take proactive steps to increase the probability that their actions will be interpreted as legal and ethical.

Justified Investigation May Have Gone Too Far.

A case in point involved Absolute Software. A school installed Absolute Software’s tracking software on its laptop. Thief stole laptop, sold it to an intermediary, who sold it for $60 to an unsuspecting party, Susan Clements-Jeffrey. Ms. Clements-Jeffrey used the laptop at home to engage sexually explicit text and webcam conversations with her boyfriend over the Internet.

By Legal Standards Technology is Advancing at a Blistering Pace.

Let’s pause and reflect before we dig deeper into the facts of this case. In 2014 it does not seem like a technological feat that two ordinary computer users could use webcams to engage in private, sexually explicit conversation. Webcams have come as standard equipment on low-cost laptops for about five years now.

But the computer crime laws that (as we will see) apply to this case date back to the 1980s. In the 1980s, nobody knew what a “webcam” was; no one even knew what the “world wide web” was!

Furthermore, the handful of years in which webcams
have been available to the masses is just a flash in time by legal measures. There has been little opportunity for meaty legal cases – like this one – to tell us how computer crime laws should be interpreted in the “Age of the Webcam.”

Investigation Starts with Justified Objective.

Let’s go back to the facts of the Clements-Jeffrey case. Absolute Software was paid by the school to track down the stolen laptop. Absolute’s software pre-installed on the laptop was capable of invasively, surreptitiously collecting loads of evidence from the laptop – IP address, keystrokes, electronic mail, webcam images and so on.

This is Like Science Fiction, From the Perspective of the People Who Wrote Computer Crime Laws!

Again, I pause in my recitation of the facts in this case to reflect. In 2014 many people have heard of spy software, keystroke loggers and the like. But ladies and gentlemen this technology is bizarre from the perspective of the mid-1980s. In the 1980s the use of this kind of powerful surveillance to resolve petty crimes happened only in a few science fiction novels.

Thus, as we try to interpret these old laws for relatively new technology, surprises are inevitable.

Do the Right Thing: Give Evidence to the Police.

Absolute went to work collecting evidence after the school reported the laptop was missing. In the course of this work, Absolute collected IP address and sexually explicit content and images from the laptop, as Ms. Clements-Jeffrey used it.

Absolute did not publish this evidence on Facebook. No. It turned the evidence over the local police. That’s good behavior on the part of Absolute, right?

However, when the police arrived at Ms. Clements-Jeffrey’s residence to further the investigation and recover the laptop, they allegedly made remarks about the evidence that embarrassed her. That may not have been perfectly professional behavior on the part of the officers, but allegedly it happened. Police officers are human and fallible.

Ultimately the police investigation determined that Ms. Clements-Jeffrey was innocent. She genuinely did not realize the laptop was stolen.

Civil Lawsuit Filed Against Absolute Software.

But then Ms. Clements-Jeffrey and her boyfriend sued Absolute Software in civil court, claiming the software company and its investigator violated their privacy under eavesdropping laws such as the Stored Communications Act (which is part of the Electronic Communications Privacy Act of 1986).*

The crux of the argument was whether Absolute Software – a legitimate investigator – went too far.  Arguably it was OK for Absolute to collect IP address and give that to police. But arguably when it saw the sexually explicit material it should have stopped looking and stop recording.

Now, in Absolute’s defense, it could be argued that a good investigation needs more than IP address. IP address by itself does not tell the police very much. If Absolute gave the local police no more than IP address, the police may drop the investigation because there is too much more work to do to ascertain who has the laptop and what the circumstances are.

Hence, this case takes us to a gray area of law, involving technology that has not been around very long. Few if any good prior cases tell Absolute what it should or should not be doing here.

Gray in Law Is Often Resolved by Juries.

The judge ruled that a trial before a jury was needed.  The judge said a jury that hears all the facts might reasonably conclude that Absolute had violated eavesdropping law and therefore owed money to the woman and her boyfriend. But, on the other hand, the jury might conclude that Absolute did the right thing under these difficult circumstances and therefore owes no money. Who knows?

This ruling was a problem for a business like Absolute. The ruling is not a conclusion that Absolute violated the law, but it sets the stage for a lengthy, expensive and uncomfortable trial for the company. The publicity around such a trial would probably be damaging for a company like Absolute.

Often when companies are faced with the prospect of such a trial they settle quietly and pay money to the plaintiffs. In such a settlement, there is no final decision or admission that the company was wrong, but the company pays money.

What Proactive Steps Could Reduce Risk?

Unfortunately modern, ethical investigators face conundrums like this case every day. These conundrums are a symptom of our fast-paced world of technology.

For these conundrums, I have no perfect solutions. But companies like Absolute can take proactive steps to reduce risk, such as:

1. Place physical and virtual warnings on protected computers explaining that they are under surveillance and that users consent to such surveillance and consent to all data being turned over to police.

2. Train investigators to exercise good judgment. Good judgment is like beauty; it is in the eyes of the beholder. But wise cyber-investigators should be aware that risk lies around every corner. If they encounter sensational evidence that is not absolutely critical to the investigation, they are wise to back away from it and/or redact it.

3. Good investigators work in teams. They deliberate among themselves about difficult questions, and they document their deliberation. Documented deliberation can reduce the risk of bad judgment and can help to make decisions more defensible.

4. Good judgment may dictate that an investigator warn authorities about privacy and controversy. For example, Absolute Software could have told the police the following, in writing: "In the course of our investigation, we inadvertently encountered very sensitive, sexually explicit communications (which are not necessarily illegal) on  the part of the suspect and another, apparently innocent party. At this time, out of respect for privacy of people who have not yet been proven to be guilty of anything, we refrain from including records of these explicit communications in the evidence we are now delivering to the police."

*The ECPA/Stored Communications Act are criminal laws that forbid computer eavesdropping. Often they are enforced by a government prosecutor in criminal courts. However, like some other computer crime laws in the US, they can also be enforced by an aggrieved citizen (the "plaintiff") in a lawsuit in civil court seeking money damages from the perpetrator (the "defendant").

P.S. See more tips for how investigators can stay within the bounds of privacy law.

How to Apply Transparency to Assure Privacy

Microsoft (temporarily) adopted a policy of transparency to address a privacy issue. Transparency can indeed help show that an institution is handling privacy responsibly, even though Microsoft decided it was not enough in this particular case.

Cloud Provider Searches Customer Content!

Here is the story behind Microsoft's temporary, special policy of transparency.
Court documents revealed that Microsoft searched the content of a Hotmail account belonging to a Microsoft customer. The customer was an independent blogger who did not work for Microsoft. (Hotmail is a webmail service also known as, owned and operated by Microsoft.) Microsoft searched the account as part of an investigation into the alleged theft of Microsoft trade secrets by a now-former Microsoft employee. The trade secrets in question were software code.
Microsoft's decision to search a customer account raises privacy worries. Microsoft is a cloud computing service provider. Hotmail is one of Microsoft's cloud offerings, just as OneDrive is one of Microsoft's cloud offerings. When customers use Microsoft's cloud services, they store data like email and files with Microsoft and they expect Microsoft to provide some degree of protection for the data.
Microsoft said it had legal permission to search the Hotmail account because the terms agreed by the customer permit Microsoft to conduct searches to protect Microsoft rights and intellectual property.

Microsoft as Intellectual Property Search Monster?

But as a long-time Microsoft customer, I myself am squeamish about Microsoft searching my cloud-stored content for evidence of intellectual property infringement (or some other violation of Microsoft's rights). I have been using Microsoft products and services for almost three decades. In all those years I have clicked on and agreed to hundreds if not thousands of Microsoft End User License Agreements (EULAs) and terms of service. Those long-winded EULAs have come to me when I have
* opened/initiated/installed fresh versions of Microsoft desktop software (Windows, Office, Money, Windows Defender, Streets and Trips, etc., etc.);
* installed updates;
*visited Microsoft web sites, such as to download clipart; and
* opened accounts to use services, such as Windows Live Messenger, which is now retired.
Even though I am a tech lawyer, I have not read and remembered every word of every one of those complex agreements. (Have you?)
Over all the years, I have indeed tried to comply with Microsoft's agreements, and I still try to this day. But I must say that sometimes those agreements have confused and surprised me. As the years have gone by, Microsoft has published subtly different EULAs for similar products (e.g., Office Home and Business Edition, Office Starter Edition, Office Web Apps Edition, Office Blah-Blah-Blah Edition).
In addition to using Microsoft desktop products, I use its cloud services like and OneDrive. I store data and files in those services.
By contract to which I have agreed, Microsoft has reserved the right to search my content for evidence that I have violated Microsoft's legal rights or intellectual property. OK. A deal is a deal. I agreed to let Microsoft search through my files and documents for that purpose.
However, I'd be disappointed if Microsoft conducted a dragnet through my documents looking for evidence that I violated a long-forgotten EULA (forgotten by me). For all I know, some spreadsheet I created in 2005 (and haven't touched since) contains a tell-tale sign that I did not comply precisely with the EULA for an October 2004 update to Office 2003, a product I have not used in years.
If Microsoft did engage in that kind of dragnet, customers like me would be motivated take our cloud computing business elsewhere. We'd be motivated to move our old archives like that spreadsheet to competitors like Dropbox or Google Drive.

Microsoft Wants to Re-assure Its Cloud Storage Customers.

Microsoft seems to understand the problem I have just described. Microsoft does want to keep good customers like me in its cloud computing tent.
Therefore, shortly after Microsoft articulated the (probably valid) legal grounds for its search of the blogger's Hotmail account, Microsoft made an additional public announcement. The announcement had two components:
1. Microsoft said that before it searched the contents of a customer's cloud account, it would seek an opinion from a former US federal judge. This former judge (presumably under the pay of Microsoft) would opine hypothetically on whether Microsoft possessed enough evidence of wrongdoing to justify a court order that the account be searched. If the former judge did so opine, then Microsoft would reserve the right to search the account.
2. Microsoft committed to a form of transparency.
It said it would periodically report to the public about any incidents in which Microsoft actually executed on a search of a customer's cloud account.
Microsoft to Change Policy on User Data,”Wall Street Journal, March 21, 2014.

What Benefit Does Transparency Provide?

I think Microsoft committed to the transparency report because it would help set its cloud customers' mind at ease. Customers might suspect the former judge would have a conflict of interest when s/he evaluates Microsoft's evidence; Microsoft is paying the former judge.
Microsoft probably believed that the number of instances in which it actually searched customer accounts would be few. (It is rare that the Microsoft-controlled cloud account of a non-Microsoft employee would hold information about trade secrets stolen by a Microsoft employee.) Microsoft probably believed that it would voluntarily refrain from conducting the kind of dragnet through old spreadsheets that I described above.
Hence, Microsoft's reasoning was that over time customers would feel assured because they could see that in practice Microsoft was not abusing its powers and not violating the normal expectations of customers.
I agree with Microsoft that transparency can help to achieve privacy. Transparency can be a form of check and balance, albeit imperfect.
Transparency can help to inform the public whether an institution is behaving responsibly.
Transparency (in this case the commitment to periodic disclosures) can open an institution to criticism. If it discloses, for example, that it searched a customer account looking for a spreadsheet that violates an October 2004 EULA update, then
a) People would complain in public; and
b) Many customers would be spooked and would take their cloud business to competitors.
What keeps an institution honest about its commitment to transparency? Part of the answer is leaks and whistleblowers. If Microsoft says it will make periodic reports – and then fails to report a relevant case of searching – it is taking a big risk. As Edward Snowden and other leakers have proven, Microsoft's secret can leak out. A leak showing that Microsoft defaulted on its commitment to transparency could be devastating to Microsoft's reputation.

Was This Commitment to Transparency Enough?

All of the foregoing is not to say that Microsoft's commitment to transparency was enough to satisfy customers.
At this time I do not judge whether Microsoft's commitment to transparency is “enough.” But as I weigh what Microsoft did to reassure customers, I note that general counsel at Microsoft's competitor Google declares that Google has never investigated a leak of Google intellectual property by searching the content of a customer's Gmail account. Further, says Google counsel, “it’s hard for me to imagine circumstances where we would investigate a leak in that way.”
Ouch. A statement like that from a competitor makes Microsoft uncomfortable.

Microsoft Quickly Changed Course.

Shortly after Microsoft announced its policy of former-judge-plus-transparency, it changed course again. Microsoft declared: “if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required.” 

Let's Draw Larger Lessons about Privacy and Transparency.

Whether Microsoft's short-lived commitment to transparency was good enough is a moot question. Microsoft said that rather than relying on the former-judge-plus-transparency model, it would instead rely on law enforcement.
However, Microsoft's thought process can be helpful to institutions and policy makers who strive to handle sensitive data responsibly.
Microsoft wanted to assure its customers. So it committed to seeking the input of a respected third party – a former judge. But it realized this commitment needed more. It therefore committed to transparency. A commitment to transparency is in fact a substantive control in favor of a civil right like data privacy.
An institution like Microsoft will never know for sure whether controls and commitments will satisfy the public or satisfy ethical obligations. But a genuine observation of transparency can help over time. Candid disclosure of the facts, including embarrassing facts, can help to win trust.
As nonprofits, corporations and government entities search for the right ways to manage data, transparency can aid the search. But transparency does not work by itself. Other controls and commitments are needed, such as honesty, deliberation, accountability and more.

What do you think?

How Much Digital Evidence Is Enough?

Alternatively, how credible are the electronic facts uncovered by a forensic expert?

The short answer is nobody really knows.

Bitcoin is a Morass of Evidence.

Bitcoin investigators are digging through mountains of digital evidence to assess fraud, deception, ownership, security breaches and the identity of Bitcoin's inventor(s).  They find algorithms, digital signatures,
snippets of meta data, and messages that purport to come from significant e-mail addresses. "For the Bitcoin Sleuths, Curiouser and Curiouser," Wall Street Journal, March 8 - 9, 2014.  To what extent do these snippets of evidence prove anything? Which evidence is authentic and which is not?

Stay tuned, as the debate among the investigators over-boils.

Intriguingly, Bitcoin's self-appointed investigators find (and publish) a spreadsheet that some claim to be evidence of fraud at a Bitcoin exchange named Mt. Gox, which has filed for bankruptcy in US court.

What Constitutes Probative Evidence of Something?

The larger question is this: To what extent can evidence from text messages or electronic mail or documents stored on a hard drive be believed?

Electronic evidence can be forged; it can be tampered.

But the same was true for paper or other physical evidence on which law has relied for centuries.  Also, testimony from witnesses – a mainstay source of courtroom evidence -- can be faulty.

Evidence Is in the Eyes of the Beholder.

Many legal authorities evaluate evidence.  Different courts evaluate evidence under different standards.  Commonly, a criminal court evaluates evidence under the standard of "proof beyond a reasonable doubt."  That is a high standard.

By contrast, in many civil courts the standard is "preponderance of the evidence."  That is a lower standard.

Yet courts of law are not the only authorities that evaluate evidence.  Other example authorities include an auditor, a prosecutor, a regulatory agency, or simply the court of public opinion. In the Bitcoin investigations, the "authority" who evaluates evidence may be the world-wide community of Bitcoin users, investors and enthusiasts.

Ultimately All Authorities Are Human, and Fallible.

Commonly the evidence available to an authority is imperfect and incomplete.  The authority commonly determines that some evidence is more credible than contrary evidence. This determination might be made on the basis of logic, science, intuition, best guess or the authority's interpretation of what an expert tried to say.

The Outcome of Evidence Disputes is Often More Art Than Science.

It is hard to predict in advance what evidence a legal authority will believe and not believe.  Often, in a criminal court for instance, the primary authority for evaluating evidence is a humble jury of 6 or 12 common people.

Judges, juries and other authorities often do not have much technical expertise.  When it comes to computer evidence, often they must rely upon testimony and guidance from experts.

However, when evaluating complex evidence, even experts can disagree.  Smart forensic experts can see the same evidence and evaluate it differently.

The Quality of Advocacy Counts.

Also, a factor in determining the credibility of electronic evidence is the quality of the lawyer (that is, the advocate) who advances a particular interpretation of the evidence.  A talented lawyer will, depending on the lawyer's objective:

  • explain evidence well, or
  • raise doubts about the evidence, or 
  • cause the evidence to be excluded from consideration altogether.  
A less-talented lawyer will not be able to explain the evidence or will leave the fact-finding authority confused about it.

Is the Expert Qualified Enough and Humble Enough?

Increasingly, legal and financial evidence comes from new electronic sources such as social media, mobile devices, cloud computing and virtual currency communities.  Our ability to fully understand this evidence lags behind.  For this type of evidence, nuances and misunderstanding are common. The need for qualified forensic investigators swells.

A good investigative expert understands how to weigh evidence and how to separate strong evidence from weak evidence.  Such an expert is able to separate emotions from logic.  Such an expert is also able to set his or her ego aside and acknowledge when he or she does not know something or have enough data to state an opinion.

For an example of a case where an expert should have been more humble, see Stephen Mason's critique of a police officer's testimony regarding pornography on a teacher's computer: State of Connecticut v. Julie Amero (Mason argues court failed to understand how malware works; was too ready to believe faulty police work).

The training, experience and reputation of an investigator are all relevant to assigning weight to any conclusions drawn by the investigator from the evidence.

Another factor that is relevant in understanding evidence is whether the investigator is biased.  Bias can come from background, conflict of interest or professional disposition.

Look for Corroboration.

One technique for improving the quality of evidence is to corroborate it.  Corroboration means getting similar evidence from more than one source.  For example, if the time stamp for a photograph on a smart phone is approximately the same as the time stamp connected to the same photograph in Facebook, then evidence of the time of the photograph is stronger.

Cross-examination Compels Accuracy.

In the courtroom, a powerful technique to evaluate evidence is cross-examination.  Cross-examination is a time-honored process for forcing a witness -- such as a digital forensics expert -- to explain himself carefully and to admit any of his shortcomings.

In cross-examination an expert witness must answer hostile questions under oath; if she lies, she could be punished (e.g., fine, loss of license, jail-time, embarrassment).

However, cross-examination of a computer expert can fall short because very few lawyers know how to execute it masterfully. Very few top-flight trial lawyers possess a deep understanding of computer forensics and technology.

Evidence Floats in the Cloud.

Sometimes, such as in cloud computing, the investigator does not have direct access to the hardware that stores digital evidence.  The investigator is only able to see the evidence temporarily, through a software client such as a web browser or a mobile app.  Use of that evidence may require eye witness memory and testimony by the investigator.  In such a case, the investigator may be wise to print what she sees or record it as a video.  See discussion of example videos:

Legal Fact-finding Is a Form of Theater (and That's Not Necessarily Bad or Wrong).

Digital forensic dispute guru Craig Ball publishes a priceless guide for forensic experts who testify as witnesses in court. His guide and his experiences teach a profound lesson about the use of computer forensics in law.

The lesson is that the process for articulating and evaluating the true facts in a case can influence the outcome as much as the facts themselves.

In other words, the following factors in combination can have a heavy impact on the final interpretation of electronic evidence by a judge, a jury or other legal authority:

  • the skill of the lawyers, 
  • the demeanor of the expert witness, 
  • the clothes the expert wears in the witness stand (!), 
  • the expert’s advance preparation, and 
  • many other aspects of courtroom theater and procedure
Justice is Not Inexpensive.

All of the above leads to a philosophical observation: Our justice system is underpinned by checks and balances called due process of law. These checks and balances try to prevent the abuses of civil and property rights and to prevent hasty rushes to judgment.

Owing to these checks and balances, getting to the truth in our justice system is hard work and imprecise work. It requires a lot of resources -- such as the time of people like judges, juries, courtroom staff, lawyers, experts and so on.

Getting to the truth is commonly expensive. It commonly costs the government a lot of money to run a trial, especially a jury trial.

Skilled lawyers and skilled experts are expensive. They are scarce commodities.

A non-lawyer can sometimes believe that the truth in his/her own case is abundantly obvious. I've encountered people who believe the legal system can, will and should just swiftly force out all of the evidence from the computers (deleted records, metadata, yada yada) and declare what the truth is . . . just like a 60-minute TV drama.

That belief is naive.

Attorney Confidentiality in Cloud Computing

No Trespassing Banners May Be Effective

Are attorney records stored in the cloud accorded confidentiality by law?

I don’t have the final answer to that question, but I do have some ideas to promote confidentiality.

The confidentiality of attorney records is normally based on two legal doctrines – attorney-client privilege and attorney work product.

Evidence That Maybe Attorney Records Are Not Being Accorded Confidentiality

Four recent developments raise questions about the confidentiality of the digital records belonging to lawyers.

  • Item One: According to rumor, national intelligence agencies have tapped into law firm records and communications.  Allegedly a document leaked by Edward Snowden shows that the Australian Signals Directorate, in cooperation with the US National Security Agency, spied on a US law firm (rumored to be Mayer Brown) that was advising the government of Indonesia in trade negotiations.   Allegedly government received legal advice in support of its spying on the firm.*
  • Item Two: FBI has informed some US law firms that they have been hacked by bad guys. Some have speculated that the reason the US government possesses this knowledge is that the US government itself was also spying on the law firms.*
  • Item Three: A whiff of uncertainty has emerged about whether lawyers are wise to store records in the cloud. One school of thought argues that the cloud provider is a third party (that is, not the lawyer and not the client). This school argues that by placing the records in the hands of the third party, and arguably allowing the third party to monitor the records in some way, the lawyer has waived confidentiality rights.
  • Item Four: Microsoft -- the cloud service provider for Hotmail (a.k.a. -- surreptitiously searched the contents of a Hotmail account belonging an independent blogger who did not work for Microsoft. Microsoft did not see prior approval from a court or other government authority. Microsoft believed its action as service provider was justified by evidence that the blogger's Hotmail account was connected with infringement of Microsoft's intellectual property.
Human Rights

Can Banners Effectively Increase Confidentiality?

Given these presumably disturbing developments, is there anything lawyers can do?  I propose lawyers mark their records with banners and notices of confidentiality.

It is inexpensive to post legal banners and notices to assert zones of confidentiality.  Although there is no guarantee that law will respect banners and notices, there is no guarantee that it will not respect them. So I publicly publish the following declaration on my OneDrive page. (OneDrive is a Microsoft cloud computing service for storing files.)

Publish This Claim With Cloud-Stored Records


Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are subject to confidentiality protections associated with attorney work and communications. The laws of many countries recognize such protections. Wright insists that you recognize those protections with respect to his records and communication.

Video Version May Carry More Rhetorical Weight

On my OneDrive account I publicly publish a video version of the same claim.

Post this Notice at Data Center

What could the owner of a cloud or hosting service do to bolster the legal protections afforded to lawyer or client data stored in the service?  One idea is to post a legal notice.

Below is a notice that could be posted physically at the service’s data center and on administrative log-on screens connecting to the center. One of the goals of this notice is to persuade any American authority that it should, under American law and policy, respect the property and privacy rights associated with the data. This effort in persuasion might apply, for example, to

  • a court-issued subpoena
  • a duly-authorized tax summons
  • a physical police raid 
  • a surreptitious online government break-in

[begin notice]

This data center hosts data that is the property of other organizations.  Most of this data is sensitive.   Much of it is protected by privileges associated with attorney work on behalf of clients.  Much of it relates to private, personally-identifiable information about individuals.  The laws of United States and the laws of many other countries respect rights and privileges related to property, attorney work and individual privacy.

The United States observes the rule of law. As evidenced by the US Constitution and many other American laws, privacy is a fundamental human right in the United States.

Mismanagement of the data in this data center can cause great damage.  Anyone – including a government official – tampering with or hindering the lawful use of this data is advised to act with care and diligence. 

Anyone who, by legal authority, seeks to access or impede data in this center is advised that through the use of skill and diligence, his or her lawful mission can be accomplished without infringing the rights of bystanders, such as non-involved customers and individuals.
[end notice]

A law firm might post similar notices on its internal computers.

Dear reader: what do you think about this topic?

–Benjamin Wright

*I don't know beans about what national intelligence agencies do or don't do. I am not passing judgment on any particular event. But modern developments in technology and surveillance do justify a larger discussion of confidentiality law.

Postscript: The form legal language I publish above is not copyrighted. It is just form legal boilerplate based on stock legal verbiage. It is worthy of public use and discussion. Anyone may use it. But if you need legal advice or services, you should hire a lawyer.

Legal Evidence from Dedicated Computers

The Internet of Things is populating our world with a multitude of embedded devices, SCADA systems and other little computers.  The video below demonstrates a reliable way to record what a little computer displays at a moment in time, so that a legal authority like a jury can evaluate the recording as evidence months or years later.

How to Preserve Audit or Criminal Evidence

For an official investigator, the collection and preservation of evidence from tiny, dedicated computing devices and sensors can be troublesome.  These devices -- which might include for instance the Nest thermostat or a smart-grid power meter mounted on the side of a house – are multiplying like rabbits.

As a professional investigator – such as a police officer or a forensic auditor – encounters one of these Internet-of-Things devices, she may lack a convenient way to tap into it and extract data from it.  Even though the maker of the device may have a tool that can do that, the investigator may not have the time and resources necessary to research the tool, purchase the tool, wait for it to be delivered, learn how to use it and so on.

Further, the circumstances of the investigation may not justify the investigator attempting to confiscate the device and physically remove it to a secure location.  In fact, the process of moving the device may itself damage evidence or inflict undue hardship on people (like the residents of an apartment complex) who rely on the device to function.

However, it is possible the device sports some kind of visual
Digital Readout
display that shows valuable evidence.  This evidence needs to be recorded.  Tomorrow the evidence may vanish.

In some cases, a trustworthy video record of the data presented on the visual display may serve the investigator’s needs.

Video Demonstrates a Legal Affidavit

The video below is simplistic.  It records the functions of a mere calculator (No.  It’s not linked to the Internet).   But the video does teach techniques for memorializing the data presented on a visual display at a unique place and time.

The same techniques could apply to data manifested as sounds coming from a speaker on the device under examination.

The techniques taught in the video above are in keeping with techniques I have been explaining in other contexts, such as:

In the calculator video above, the investigator plays the role of eyewitness.  He sees something, he records what his eyes see, he narrates the recording, and then he puts his reputation behind the recording.  On camera, he says, “I Ben Wright hereby sign and affirm this recording as my official work.”  In effect he creates a legal affidavit to support his fallible memory.

Affidavit Inhibits Misrepresentation

Can he lie?  Yes.  Can he fabricate the data on the video?  Yes.

However, his professional reputation is on the line.  Suppose the investigator creates this video – which includes his voice, his face and his moving lips.  And suppose later a worthy adversary, like a defense lawyer, proves that his video is a fraud.  The investigator can lose his job; he can lose his license; he can lose his professional credentials.

Thus, the affidavit language in the video fosters truthfulness.

Another way to make the video more credible is to corroborate the date and time stated by the investigator with his voice on video.

I Learn from You!

I wish to hear from you, the reader.  Is this video useful to modern audits, inspections and investigations?  If not, please tell me how to improve my techniques.  Please point me to material that does a better job of mining the Internet of Things for credible legal and accounting evidence.

Professional Ethics in a Technological Age | Public Speaker

Technology is teaching all professionals – and their firms – to think differently.  Technology like text messages, social media and so-called “big data” focus greater scrutiny on professional decisions than was true in years gone by.

Ethical accountability works differently today than it did in the Twentieth Century!

As a public speaker, I am often invited to address professional events under groups like CPA societies, local internal auditors’ associations and local ARMA International chapters (records managers).   A popular topic is ethics.
Right Versus Wrong
 For instance, I spent four hours on the topic when addressing the 2013 annual meeting of Alaska’s Society of Certified Public Accountants.

Many diverse professionals are eager to hear fresh perspectives on ethics because they are required to obtain annual continuing professional education (CPE) credits specifically on the ethical codes that apply to them.

Stories Teach Practical Lessons

I have compiled stories about professionals and business enterprises being surprised about how ethics are applied in this new era of innumerable electronic records.  The many records we create and broadcast in our networked world can be used either to prove that we performed unethically . . . or to disprove allegations of unethical behavior.

Well-educated professionals today are alert to the practical lessons that recent stories have taught about how to stay in compliance with ethics principles as technology changes.  Technology will continue to change, so professionals must be thinking ahead about what will be expected of them in years to come.

Particularly surprising stories center around the ability of digital forensics to recover metadata, or hidden or deleted data – from laptops, mobile phones or obscure corners of the Internet “cloud.”

Electronic Privacy Questions Confound the Ethical Investigator

As technology has advanced, society has become increasingly alarmed about privacy.  Wearable computers (such as lapel-mounted video cameras) and search engines – to name just two examples -- enable individuals to be monitored in ways that are creepy and unprecedented.

Accordingly, digital privacy raises thorny questions for professionals, such as human resources managers, who conduct official, legally-justified investigations into the behavior of individuals such as employees.

SANS Legal 523 Course Teaches Methods to Manage Risk

A good portion of the education in the course I teach at the SANS Institute is devoted to ethics.  The course teaches modern professionals, such as lawyers or forensics investigators, methods for reducing the risk that their work will appear ethically questionable when the work is reviewed by a third party such as a prosecutor or professional licensing board.

Very often a professional can reduce risk by following a rational, deliberative process to analyze and react to ethical pitfalls.  As explained in the SANS law-and-investigations course, detailed, written notes and documentation can help to prove that the professional or his/her firm did in fact follow such a rational, deliberative process.

Please Ask a Question

I thrive on new stories.  They give me material for my blog and my public training presentations.

If you the reader are aware of a good story about ethics in the context of computers, please leave a comment below.  Please tell me the story or point me to it.  Alternatively, use the comment box below to ask a question about business ethics in the Twenty-First Century.

Internet of Things Impacts Hourly Pay

As the Internet of Things invades the workplace, employers must be mindful of the overtime provisions of the Fair Labor Standards Act, as well as the hourly-payment clauses of employment agreements or collective bargaining agreements.

Likewise, employees themselves should be alert to the implications of the Internet of Things.

Generally speaking the FLSA says hourly employees are entitled to overtime pay when they work more than 40 hours per week.

New Time Clocks 

Traditionally a time clock was the crucial device for measuring how many hours an
employee worked.  With a punch-card time clock, calculating the number hours worked was straightforward.

But home computers and bring-your-own-devices (like smartphones) have become new sources of evidence as to when an employee works and does not work.  If the boss pesters an employee with text messages at home, those are time-stamped message records can be evidence of the employee working extra hours for which hourly and possibly overtime compensation is due.

The Proliferation of Time-Stamped Records

Enter the Internet of Things.  Now many new devices are invading the workplace, like dropcams, wearable computers, embedded systems and a menagerie of automotive gadgets.  These devices can record torrents of time-stamped data, showing when an employee was working . . . or doing something other than work.

This data could be invaluable in an investigation regarding how many hours an employee worked, or did not work.

In any given case, the evidence might cut either for the employer or for the employee.  Some evidence might prove that the employee worked more than 40 hours and was entitled to overtime.

On the other hand, the employer might cite GPS, GoPro-video or other electronic evidence to prove when the employee was goofing off or moonlighting while claiming to log hours for the employer.

E-Discovery Battles

We can anticipate contests to find and evaluate all this evidence.  In employee-employer lawsuits or investigations by employee advocates (e.g., labor union or labor department) adversaries will joust over these kinds of issues:

  • ascertain all of the places and devices where records exist
  • capture the relevant evidence, which might involve forensic recovery of hidden records
  • interpret the evidence and calculate work-time (and play-time) from it

These contests will open opportunities for forensic consultants who understand the Internet of Things and the welter of records it creates.  The Internet of Things is spawning a multitude of oddball devices that collect and store data in non-uniform ways.

It will be hard for forensic experts to keep pace with all of the devices, all the interfaces that apply to them and all of the formats in which they store data.  Their work in the IoT will be labor-intensive and therefore can remunerate them well.

Many Contests

A contest over hours worked is just one example of the innumerable eDiscovery contests that will sprout in the Internet of Things.  Lawsuits, criminal prosecutions, accounting scandals and tax audits will all draw evidence from the emerging army of little devices known as the Internet of Things.

E-Discovery's Impact in Absence of Litigation

E-discovery started transforming disputes and litigation about 15 years ago.  The transformation continues.

E-discovery's effect reaches beyond litigation or government investigations.

E-Discovery Imposes Costs During Litigation

Today many complain about the costs of ediscovery when litigation is pending:

1.  Litigation Hold.  Some enterprises like Exxon Mobil Corp. expend great effort retaining electronic records under litigation hold, even though few if any of those records will actually be produced to an adversary in the course of a lawsuit.

2.  Find, Assess and Produce.  In the course of a lawsuit, some litigants spend fortunes digging through email and other e-records, evaluating them, culling them and producing the required ones

See “Meet the New Pack Rats,” Wall St. Journal, November 25, 2013.

E-Discovery Causes Reactions Outside Litigation

Yet the risk of ediscovery causes reactions even when litigation has not started and may never start.

Lawyer Reviews Email Pre-Dispute

These days it is common for a lawyer to help an enterprise client review an issue that theoretically could go to a lawsuit.  Inevitably that review will include reading the client’s internal emails.

In most any enterprise today tremendous details are documented in email.  That is just how an enterprise works, whether it be nonprofit, corporation or government agency.  Email is universal.  In the business world, everybody uses email to talk and to speculate.

Thus, as the lawyer reviews the issue with the client, she knows that if litigation were to arise (it has not yet), then the emails she is reading would come out.  At this point, to try to delete every copy of these email records might look like spoliation.*

Business people do not know how to write emails the way cagey lawyers write emails.  Commonly business people write emails that are very candid . . . maybe too candid.

But worse, business people can state legal conclusions in email (e.g., “we committed fraud”) that are inaccurate!  Business people will talk as though they know law and all of the facts, when in truth they do not.  And thus they create “smoking gun” records that would be hard to refute in court, even though the records are flat wrong.

So when the lawyer sees these inaccurate email statements of legal conclusion, she reacts.  She may determine that the client needs to

  • apologize, or 
  • correct the record, or 
  • take an aggressive stance relative to a potential adversary so as to reduce the possibility that the adversary would ever sue and discover the smoking gun

Cease and Desist Letter Now Includes Records Preservation Clause

When a lawyer sees an adversary doing something (e.g., breaching a contact) that hurts the lawyer’s client, often he will write a “cease and desist” letter to the adversary.  A cease and desist letter says, “stop doing what you are doing; otherwise we may seek legal recourse.”

These days a cease and desist letter may contain a new jab.  It may also contain a records preservation clause.  (Compare records preservation letter.)   A records preservation clause can imply quite a bit of trouble for the recipient of the letter.  The clause says, “Now that we have raised the threat that we might sue you if you don’t cease your errant behavior, we remind you that you should keep all records regarding this topic.  If you don’t keep those records and we sue you, then you might be punished for spoliation.”

In 2014 keeping all the records on anything can be lots of work and hassle.  The records could include email, but also spreadsheets,
text messages, internal social media discussions and more.  In practice many enterprises are not very talented at keeping such records.

The difficulty of keeping records after you’ve been warned to keep them creates risk.

This risk is one reason I tend to recommend that organizations keep generous, searchable email archives.

*Spoliation means wrongful destruction of legally-significant evidence.

How to Write a Contract

Whether one needs a contract for consulting services, software development or a Bitcoin transaction, the basics of contract drafting are the same.

The writing of a legal contract is an acquired skill.

Although many contract forms (templates) are published on the web or in books, the words in forms often do not reflect the skill that is needed to write a workable contract.

Contract Forms Can Be Either a Virtue or a Vice

A published contract form can help remind a skilled lawyer what issues need to be covered in this type of contract or that. But very commonly an effective contract requires more than covering issues.  An effective contract requires careful articulation of principles in a way that is unique to the needs of the client or clients.

Very commonly, what a business person thinks she wants in a contract is different from what she really needs.  Many business people have only limited experience observing the world of legal agreements; they don’t realize how fluid and flexible contract law can be.  They rigidly think they need a document similar to something they’ve seen before, but they actually need something different, something custom to their specific transaction.

Electronic Communication Fuels New Business Relationships

The modes for writing, amending and performing commercial contracts have changed markedly since the 1980s.  Now with email, text messages, web pages and the like, ongoing contractual relationships can be managed with communications, language and negotiations that are quite different from what was possible with traditional paper-and-ink contracts.

Electronic messages can – when appropriate – enable a more fluid contractual relationship, which evolves with time and changing circumstances.

Avoid Unnecessary Words

Sometimes Rigid Formality Is Best

When I was a young lawyer working for a large law firm, I was taught to write contracts in a rather formal, stilted style.  That style is not always wrong.  But over the years I have learned there can be different drafting styles, suitable for different settings and personalities.

Some clients need careful, scholarly draftsmanship that makes sure a contract can be enforced against an adversary in court.  (When I say "scholarly" I mean the contract words need to be backed up with specialized legal knowledge that comes from research or experience -- such as knowledge of the local law on the enforcement of a non-compete clause against a former employee.)

But other clients do not need that.  They need something else instead.  They need a contract that emphasizes mutual cooperation and trust.  They need a roadmap for collaboration . . . not a weapon to be deployed in the courtroom.

A Story about Honor and Trust

For example, I once helped write a contact where one party was cooperative, but refused to take any legal liability whatsoever.  After discussion, the party on the other side realized that trust and cooperation were the essence of the deal.  He realized he had no interest in ever enforcing legal liability against the first party.  Therefore, we were able to write a contract that committed the first party only as a matter of honor and reputation but not as a matter of legal liability or obligation.

In the same vein, a new kind of contract, know as a vested agreement, stresses joint pursuit of objectives rather than antagonistic give-and-take (I win; you lose).

Succinct Writing Promotes Comprehension

Many contracts are too long and wordy.  The reason is that the contract drafter did not take the time to distill the key ideas into direct, simple words.  As a consequence, the parties can be dissuaded from reading and understanding their own contract before they sign it.

Further, the parties can be confused about what they have actually agreed, and a dispute can lead to protracted litigation or arbitration.  The court or arbitrator cannot discern unambiguously what the contract means.  The judge, the jury or the arbitrator must guess as to the original intent of the parties.

I was an English major in college.  The book The Elements of Style by Struck & White taught to write tight.

Skepticism Avoids Ambiguity

An experienced writer of contracts learns to look at sentences skeptically.  For example, the experienced writer would look askance at the sentence: There will be a payment of $500 on December 26, 2013.

That sentence may be accurate, but it might be open to ambiguity or misinterpretation.  The sentence does not say who will make the payment or who will receive the payment.

Now, the person who wrote the sentence might believe it is implied from the context of the contract who will pay and who will receive.  But sometimes to rely on implications can invite too much risk of dispute.

Commonly a meticulous, experienced writer of contracts will prefer to replace the sentence above with something like:  Taylor will pay Courtney $500 on December 26, 2013.

However, effective elimination of ambiguity is a skill that involves learned judgment.  Sometimes, on some issues, ambiguity is needed to help move a testy relationship forward.

Alternatively, sometimes on some issues, the ambiguity is so insignificant that it is better to make a brief, arguably ambiguous statement than it is to compose a longer statement, which makes the contract longer-winded. 

What is your opinion or experience?

–Benjamin Wright

Attorney Wright is author of The Law of Electronic Commerce.

Pilot Authenticates Drone Video Evidence

Auditors and official investigators are using remote control cameras and sensors to collect evidence.  The cameras and sensors might be mounted on drones, robots or other vehicles.

How can the trustworthiness of image, video or other sensory evidence be established?

The video below demonstrates a technique for promoting trustworthiness.  It shows the investigator (e.g., a property appraiser) narrating the evidence feed as it arrives in real time.  His narration describes what is happening so that a future judge or jury can understand and evaluate the evidence.

Simulation of Accountability

The video below is just a simulation.  It purports to show live video from a drone flying over Dallas.  However, in truth the simulation merely shows image snippets from Google Maps. (I grin sheepishly as someone who's so lazy that he does this by simulation rather than by acquiring and learning to pilot a real drone.)

In the video, notice that the investigator identifies himself and takes responsibility for the evidence.  He shows his face and records his oral narration of events in a screencast.  The screencast unites two windows – one window showing the simulated video from the drone and a second window showing the realtime webcam image of the investigator.

Scripted Words of Evidence

The investigator closes the screencast with a spoken script.  The script effectively causes the investigator to create a legal, signed affidavit.  Under the affidavit the investigator puts his professional reputation on the line, signing and affirming the screencast video as accurate evidence.  Under the script, he states date and time with his voice and his moving lips; date and time can be corroborated when the investigator uploads the video to a cloud service (like webmail or Dropbox or Sharepoint) that is outside his control.

Similar Evidence from Cloud Computing

I have previously published screencast videos like this for recording evidence that arrives from cloud computing, such as social media on the web or legal records (e.g., text messages) stored via mobile apps.

Signed Flight Report by Pilot

This process could be used for more than surveillance.  For instance, the pilot of a drone or a robot might make and sign a video like this as proof of his flight or mission.  Alternatively, a physician might memorialize 
  • a telemedicine physical examination of a patient, or 
  • the transcript of a surgery performed by robot but supervised step-by-step by the physician.


Here's another example:  A civil engineer could use a drone or other unmanned vehicle to survey a bridge.  The vehicle could fly, swim and crawl under, over and around the bridge, recording the appearance of the bridge and measuring attributes like rust or cracks in the structure.*  Then the engineer could close the video/sensor record with an oral, webcam attestation that she certifies the record as her professional work.  Thus the engineer would support the final report with her licensed-professional qualifications and reputation.  Her webcam attestation might be analogous to a professional seal applied to paper drawings or blueprints.

What are your comments on this technique for preserving evidence?

* Footnote:  Under one scenario, the engineer might remotely cause the robot vehicle to probe the bridge physically.  For instance, while watching via real-time video, the engineer might direct the
Control Drill
bot to drill into the bridge material and test for corrosion or structural integrity.  As the engineer performs this procedure, she would narrate each step, and professionally interpret the results of each step, via webcam.