Megaupload Users | Get Legal Files Back?

When the US Department of Justice and its allies shut down Megaupload, they affected many kinds of users and many kinds of files.  Many of those files are legal.  Artists, writers and other content creators used Megaupload for storing, managing, distributing and publishing their original work.

It is unknown precisely what law enforcement has done with the legal files stored in the Megaupload platform.

Privacy Protection Act

US law enforcement must be mindful of Privacy Protection Act ("PPA"), 42 U.S.C. § 2000aa:

“[I]t shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication...”

Essentially, the purpose of the law is protect First Amendment free speech, free press materials.

Law Enforcement
Courts interpret PPA to allow police to seize a computer containing PPA-protected material, if there is good reason to believe they are commingled with illegal data.

What is less clear is what police may or must do with PPA-related material after they have lawfully seized it.  In Steve Jackson Games, Inc. v. Secret Service, a district court penalized the government for not returning  PPA-protected materials promptly after learning they were protected.

Asset Forfeiture Law

Another relevant law is the 2000 Civil Asset Forfeiture Reform Act, which is intended to make it easier for innocent parties to recover their property when seized by the US government.  A public-interest expert in holding government to this law is the Institute for Justice.  The Institute for Justice should consider taking up the case for innocent Megaupload users.



Related: Megaupload Raid: The Legitimate Users
0 comments

Cloud Provider FBI Raid

As it becomes more common for law enforcement to raid online facilities like Megaupload, it is incumbent
on law enforcement to respond to the needs of innocent users.

A few days ago law enforcement, led by the US Dept of Justice, seized the domain for Megaupload.com,
Domain Redirect
causing traffic to that site to be redirected to a government notice saying the domain had been seized under court order.

Economic Hardship to Bystanders

Megaupload is a very popular service, with many millions of customers worldwide.  It is a cyberlocker that allows users to store and share files.  Some of those files, perhaps many of them, may violate copyright and other laws.  But a great many of those files are not illegal.  Users rely on those files for many purposes, including running their law-abiding businesses and lawfully earning a living.


By shutting down the site, law enforcement has caused substantial economic hardship.



Precedence:  Liquid Motors Case

US law has previously provided relief to an online service provider's users who are not under investigation.

In Spring 2009, FBI seized servers run by Core IP Networks.  Some of the data processed on those servers belonged to Liquid Motors, an innocent company that helps large auto dealerships manage their inventory and Internet marketing. The raid had severely degraded Liquid Motor’s service to its law-abiding customers.

Liquid Motors promptly petitioned a federal court for relief.  Although the court believed FBI’s raid was justified, it acknowledged the economic impact on innocent parties.  Significantly, the court compelled FBI to work over the weekend to provide Liquid Motors copies of its data and to return a server to Liquid Motors as soon as possible.

Over-Zealous Police Undermine Public Trust

Yes, law enforcement needs to shut down cyber criminals and collect evidence so they can be prosecuted.  But law enforcement undermines the community’s trust when it damages innocent bystanders.

Moreover, principles of due process, human rights and property rights call for law enforcement to take proactive measures to minimize collateral damage.

Before executing a raid, law enforcement should evaluate whether its mission truly requires it to take services offline.  It should develop techniques for surgically getting what it needs, while avoiding disruption of anything else.

What’s more, law enforcement should develop and execute a plan for returning disrupted services, or returning confiscated data, as soon as possible.

Police Should Strive for Transparency

Law enforcement further should strive for transparency and accountability.  It should engage intensively with the community, disclosing as much as it can, as soon as it can.  In the case of Megaupload, the vacuum created by law enforcement’s relative silence has lent credence of malicious phishing sites that appear to enable worried users to retrieve their files.

The Department of Justice and its colleagues should be commended undertaking the hard work to responsibly police the Internet.  And, I grant you that, for law enforcement to heed the needs of bystanders requires much time and effort. But this is what democracy and rule of law expect of 21st Century law enforcement.

--

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related:  Theories for Relief to Blameless Megaupload Customers
0 comments

Service of Process via Social Media

Claims, Orders and Notices

Service of Process is the formal means by which notices of legal action -- such as the initiation of a lawsuit or the issuance of a subpoena -- are given to people who are subject to the notices.   Service can relate to matters in court, i.e., judicial proceedings, or it can involve extrajudicial matters, such as notice of action by a government agency.

Traditionally, formal service of legal notice is performed by hand.

Sometimes when the person’s location is unknown, alternative service is permitted.  Alternative service can include publishing the notice in the newspaper.  In reality, publication of small notices in the newspaper is not very reliable as a way to put most people on notice of something.

Some courts have allowed service via email.  A problem with email is that spammers commonly send official-looking emails trying to trick the recipient into clicking on something that will infect the recipient’s computer with malware.
Malware

Therefore, recipients have reason to ignore emails from unknown senders.

Social media like -- Flickr, Yelp, Twitter, Facebook, Youtube and many others -- open new potential avenues for alternative service.  The intended recipient might be reachable in many online places.

In Federal US courts, the method used for service of process must be reasonably calculated to notify the recipient of the matter.

Here are factors that can help to establish that service over the Internet was indeed reasonably calculated to put the recipient on notice.

1.  Multiple Attempts.  Make multiple attempts through multiple channels, including Facebook Wall and chat, relies to Twitter tweets, comments under photos and comments under blog posts or status updates.  Social media are opening so many avenues for reaching a person that liberal use of them increases the likelihood of successful delivery.

2.  Video Response.  If the recipient has posted videos on Youtube, send the notice as “Video Response” to one of the videos.  Put the text of the notice directly into the video.  This approach holds two advantages:

(a) It normally causes an email to go from Youtube to the recipient seeking approval of video as a response that would appear under the recipient’s video.  It does not seem like a spam ploy to send malware.

(b) Video Responses are relatively rare on Youtube, so the Video Response is more likely to attract the curiosity and interest of the recipient.


video


3.  Use Verified Identity.  When posting notices, use a verified identity, such as is available through Google Plus. (As the photo shows, Google shows my name has been verified when the viewer places the cursor on the check next to my name.)

Authenticity


4. Use simple text.  Put as much information as possible in simple text rather than a link.  If the recipient has to click on a link, he may have reason to believe the notice is a hoax trying to trick him into clicking on malware.  If necessary, break the full text of the message into multiple postings.  Start the notice with a plain statement like, “Benjamin Wright: You have been sued in connection with property located in Carson County, Texas.”

5.  Name in subject line.  If using email, put the recipient’s name in the  subject line.  Bulk spammers don’t do that.

6.  Expose the notice to search engines.  Publish the notice on a web page so it comes up in a general search of the person’s name.  People commonly search their own name.

7.  Toll Free Number.  Give the recipient a toll-free number to get more documents or information.  A toll-free number conveys seriousness (less likely a hoax) because the person owning the number pays the toll on calls coming into the number.

8.  Monitor Subsequent Activity.  After service/notice is attempted through a particular social media account, public activity in the account can be monitored.  Commonly people have entwined their lives so tightly with their accounts that they cannot stop using them.  Subsequent activity is evidence that the account is being used. Specific activity (photos, videos, comments, geolocation data) can be so unique to the account holder that it can be established that the account was not being used by an impostor and that it was likely the account holder saw the service/notice.

The expansion and diversity of social media open many new opportunities to be creative.



P.S. In a couple of cases involving unknown hackers, courts have allowed discovery to start before an attempt to serve process.  The discovery might include subpoenas to ISPs to discover the identity and location of the hackers.

See: ideas on how to document details of a person’s web presence
0 comments

How to Record Nonstandard Online Financial Trades


Audit Evidence & Documentation

Making records of non-standard financial transactions is not easy.

Electronic trading platforms for nonstandard transactions are numerous and diverse.  They change constantly.  They facilitate trades and auctions in myriad nonstandard financial assets, such as OTC derivatives, bankruptcy claims, privately-held equity, esoteric asset-based securities and so on.  An example of such a platform is SecondMarket, which specializes in bringing together buyers and sellers of illiquid assets.

Multiple Media and Services

Capital Markets
The platforms provide information in multiple media, including audio, video, formatted documents, instant messages, structured data and augmented reality.  These platforms can present a professional trader a welter of financial disclosures, trade confirmations, legal representations, and contract terms and conditions.

The relevant contract data for a trade may not arrive all through a single platform.  A trade executed on one platform may be supported by emails or text messages sent through different services.

Are All Records Linked Together So Someone Can Understand Them Five Years From Now?

After a trade has been executed, how can the terms be documented?  If there were a dispute about the trade, will reliable and complete records exist?

Lawyers ask these questions, thinking about legal evidence.  Auditors ask these questions, thinking about proof to support financial claims and statements.   Tax advisors ask these questions as they analyze tax obligations and prepare for audit.

Although a platform provider like SecondaryMarket may keep some records, the provider cannot be relied upon as the long-term, comprehensive, record repository for investors.  The provider might go out of business, and it might not keep all of the records the investor needs for the number of years the investor needs them.

Further, the provider may not keep records to show the precise organization of information, or the order in which communications were exchanged, or the interconnection of messages communicated via different media and services – all of which could be relevant to determining the legal import of a transaction.

Narrated Screencast Video

Here is a method for recording the data a professional sees at a certain point in time, such as half-an-hour after a trade is executed.



It is a screencast video that memorializes what the professional claims he sees, with realtime narration from him explaining how he moves from one item of information to the next.

The screencast is made with screencast-o-matic, a free, Java-based, open-source tool for recording what you see on your screen,

Interactivity and Inter-Connections

The resulting video is a unified package of evidence that captures the interaction and interconnectedness of the web better than a bunch of sceenshots.  The video illustrates what happens as each link is clicked.

The final, comprehensive record of the transaction might include this video, together with copies of emails, the disclosure documents that were exchanged and so on.  The video is the twine that binds all of these records together into a unit that is comprehensible to someone who may review the transaction in the future.


Cloud Time Stamp

Fixing the time of evidence like this video adds to its credibility.  The auditor states the time directly into the video.

To corroborate the vocalized date, the auditor could store the video, soon after he creates it, in a file-management resource that applies a timestamp to it and to any modifications of it.

Thus, if the video, dated by the auditor’s voice as November 5, were uploaded on November 5, but then replaced November 10, there would be a mismatch of dates, suggesting that the video in the resource is not the one originally created by the auditor.

What enterprise-class resources might reliably attach a timestamp to a video?  Autonomy is an example of  a third-party archive service providing such a timestamp, and Microsoft Sharepoint is an example of in-house resource.  Sharepoint maintains rich, detailed metadata (such as time of file upload and time of file modification) that is hard for anyone, even IT staff, to manipulate inconspicuously.*



Attorney Wright teaches the law of data security and investigations at the SANS Institute.

* Manipulation of all relevant metadata (including metadata in backups) in a complex enterprise resource like Sharepoint is extremely challenging, if not utterly impractical.  Thus, the timestamp in that resource corroborates the time stated in the video.  A tool like DocAve Auditor accesses and analyzes the trove of metadata in Sharepoint.

Related Articles:

* Online Investigation

* Recording Cyber Adversary
0 comments

How to Record Debt Collector Web Page


Coping with Bill Collection

Suppose you want to record your online interaction with an adversary . . . such as a collection agency.  Your goal is to capture reliable legal evidence of what you encountered when trying to access or provide information to the adversary’s web site or online app.

In effect, the video you create will record your eyewitness testimony of what you see online at a particular point in time.

You might want to do this, for example, to show that you tried to access a debt collector’s web site, but it was not available, did not work right or gave you misinformation.

Ten Steps

For making your record, here are 10 steps:

1.  Write out a step-by-step script of what you going to do and say as you make the recording.

2.  Launch your webcam so you can see yourself live on your monitor.

3.  Launch your browser or app so you can see that on your monitor at the same time you see the webcam image.

4.  Start a screencast recording program, such as screencast-o-matic (free, open-source service), to record what appears on your monitor.

5.  As the recording starts, identify yourself and explain the reason for your recording.  Explain the technical methods you are using to make the recording.  Don’t be afraid to read directly from your script.  Your purpose is to record legal evidence, not to make a television news cast.

6.  Use your browser or app and carefully explain each step you take.

7.  Describe what you see and what it means.

8.  Conclude the recording by signing and dating it with your voice.  Say words like, “I Ben Wright hereby sign and affirm this screencast as an accurate reflection of my work.”

9.  Review the video to ensure it is accurate.

10.  Soon after you create the video, store it in an online service such as Microsoft’s Skydrive, which records the date a file like the video was uploaded and last modified.

Example

Here is a hypothetical example.



This demonstration is not the only way to make records of online events.  And it does not cover all of the legal and technical issues that might apply to your particular situation.

If you need legal advice for your particular situation, you need to consult a lawyer rather than to rely on this educational blog and video.

This blog post and video intend to spark public discussion about ways to record online activities.  What do you think?



–Benjamin Wright

Attorney Wright teaches the law of data security and investigations at the SANS Institute.

Related articles:

*  How to Make a Gotcha! Video
* How to video record online chat with legal adversary
* Recording Social Media Legal Evidence

Google+
1 comments

Exploiting Scandalous Evidence


Political Exposé

Let’s say you possess incriminating or embarrassing evidence about someone.  Maybe it’s video catching a public official in an act of corruption or audio in which an executive admits her corporation violates the law.  You know this evidence is sensitive and it serves a public interest.  How do you handle it?

Here are options and issues:

1.  Ethics. Ask an independent party like an attorney to evaluate the evidence for credibility and to provide input on the ethical use of the evidence.

Surprise Camera
2.  Money.  Inquire whether you are entitled to protection and compensation under whistleblower law.  Invocation of whistleblower law may require turning the evidence over to law enforcement or filing a lawsuit.  Federal tax law provides compensation to whistleblowers who provide the IRS reliable evidence about cheating by a particular taxpayer.  The False Claims Act provides a bounty to whistleblowers who sue lawbreakers and successfully recover money on behalf of the federal government.

3.  Editing.  Should you hide or redact information from the evidence before publishing it?  Blurring faces or removing other personally identifiable information may be the prudent, responsible thing to do.  Masking of graphic details can help portray you as a conscientious citizen, not a gossip monger.

4.  Investigate.  Should a careful investigation of the facts be undertaken to determine how the evidence was gathered, what the evidence actually depicts or whether the compilation of the evidence violated any laws?  When an investigation is led by an attorney, often the methods and the outcome can often be kept confidential under something known as the attorney work-product doctrine.

5.  Third Party.  Should you use an intermediary to publish the evidence or present it to authorities, while protecting your identity?  Both attorneys and police agencies have legal power to maintain confidentiality.

6.  News Media.  Should you sell the evidence to the news media?  Sometimes they do pay for good material.

7.  Disclaimers.  Consider how to present the evidence to authorities or the public.  Does it need explanation and background?  Does it need disclaimers?

8.  Exoneration.  Should you file a lawsuit to cause a court to declare that the evidence was not stolen or created in a way that violates privacy, property or other rights?

Are you an amateur gumshoe? What is your experience dealing with evidence of a scam or hipocrisy?

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute, where he teaches professionals how to use Internet media to deliver legal messages.
Google+
0 comments

How to Recover Deleted Phone Text and Photos


Forensics

In a legal dispute, text, photos and other data on a smart phone or tablet can be relevant.  Can they be recovered if they have been deleted?

Cellular service carriers (Verizon, AT&T, Sprint, TMobile) keep records of text, photos and transmitted data for periods of time that vary from one provider to the next.  However, legally forcing them to turn over user data in a non-criminal case is difficult.  The carriers tend to resist subpoenas from civil lawsuits such as divorces, on the grounds that the content of user data is protected by the Electronic Communications Privacy Act.

Customer Cooperation

To a limited degree, recovery from a service provider may be possible if the customer is cooperative.  For example, Sprint records transmitted photographs on a web page protected by a customer password.  Mobile App providers may similarly keep records of messages, photos or videos on a web page protected by a customer password.  In a lawsuit, the customer may be required to cooperate in the recovery of those records under a subpoena or ediscovery demand.

(Cellular carriers have a reputation for not helping customers recover messages unless the customer has a web page for storing those messages as Sprint does for photos.)

Data Forensics

An alternative approach to recovering data is forensics.  An adversary in a civil law proceeding (divorce, child custody, bankruptcy or other lawsuit) may be able to demand through the rules of court procedure that the owner of a mobile device take two steps:

Text, Photos, Video
Step 1: Protect data on the device from erasure or further damage.  This demand for protection might come in the form of a data preservation letter sent by the adversary’s lawyer.

Step 2: Deliver the device to a forensics expert so he can recover data.

Forensic recovery of data from a mobile device is tricky.  Sometimes deleted data can be recovered and sometimes it can’t.  Sometimes fragments of a message can be recovered.  Recovery capabilities vary from one device to the next.

Documented Authority

When a forensics expert is engaged to recover data from a device, he needs to ensure he has authority from the proper person.  He is wise to get the authority in writing.

If someone who is not the owner of the device asks him to recover data, he might be violating an anti-hacking law like the Digital Millennium Copyright Act.  When a nonowner asks for data recovery, the expert is wise to ask for a court order.

–Benjamin Wright

Attorney Wright teaches the law of data security and investigations at the SANS Institute.
2 comments

How to Make a Gotcha! Video

Phone Evidence

How should a vigilante or a political activist make a video record of illegal activity?

Let’s say you catch the mayor parking her motorcycle in a no-parking zone, arrogantly thinking she won't get a ticket because she is mayor.  You pull out your smart phone and record by video.  You intend to present the video as evidence to a legal body like the city council.  Or you intend to give the video to the local TV news team.  Or, you intend to publish the video on youtube.

Here are steps to make the video more credible and worthy of attention:

1.  Narrate what you see as you record it, so that the viewer understands what is being displayed.  Narration makes video more compelling than a still photograph.

2.  Formally sign the video at the end.  Point the camera at your face and recite words like, “I Ben Wright hereby sign and affirm this video as an authentic record of what I witnessed.”  A video is more believable when an accountable witness takes full responsibility for it.  Also, the signature bolster's the video's value in case you are not available in the future to vouch for it, such as in a legal hearing.

3.  State the location, the date and the time.


4.  Promptly after creating the video upload it to an Internet service that memorializes the date of the video (including the date of any modifications).  If the date vocalized by the witness in the video matches with the date on the Internet service, then the two corroborate each other.

As a demonstration, I uploaded the video above to Microsoft’s Skydrive service.  I uploaded within minutes after I created the video.  This screenshot shows the details that Skydrive records about the video, including time of upload and identity of the user who uploaded.

Cloud Service Metadata


5.  Give the video to some friends and ask them to load it to a service like Skydrive that records date and time.

6.  Capture GPS information.  A geotag on the video corroborates the location stated by the witness in the video.

P.S.  Two witnesses are better than one.



Attorney Wright teaches the law of data security and investigations at the SANS Institute.  One topic he covers in that course is whistleblower law.

Related article:  How to Exploit a Gotcha Video.
0 comments

Cyber Defense Law | Botnet | Computer Crime Lawsuit

Microsoft breaks new legal ground. From a US Federal court, Microsoft has obtained a temporary restraining order (ex parte TRO) that allows Microsoft and its white hat affiliates to take (apparently) aggressive technical measures against the Waledac botnet.http://blogs.technet.com/microsoft_blog/archive/2010/02/25/cracking-down-on-botnets.aspx


The TRO is available for download at http://blog.seattlepi.com/microsoft/archives/195793.asp. The TRO explicitly orders Verisign to lock domains at the registry level and to hold the domains in escrow.

Query whether any of these steps by Verisign would arguably qualify as "hacking" in the absence of the TRO. For discussion purposes, we can define "hacking" as entering a computer without authority -- or exceeding authority within a computer -- and causing damage. Maybe one could say Verisign is "hacking" because, as it locks domains, it:

1. enters computers that it owns or duly controls;

2. exceeds its authority in those computers because it is locks domains that putatively belong to another person; and

3. damages that other person.

Stephen Paluck of Beaverton, Oregon, complains that actions taken under the TRO interrupted service for his domain,debtbgonesite.com, and he's done nothing wrong. Wingfield & Worthen, "Microsoft Battles Cyber Criminals," Wall Street Journal, 26 Feb. 2010.

Microsoft further says, "Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet . . ." The company does not reveal what these additional countermeasures are. Query whether any of these measures would arguably qualify as "hacking" in the absence of the TRO or other legal justification.

PCWorld sheds some light on those additional countermeasures: "Waledac distributes instructions through command-and-control servers that work with a peer-to-peer system. [According to a researcher who worked with Microsoft,] 'We disrupted the peer-to-peer layer to redirect traffic not to botmaster servers but to our servers.'" http://www.pcworld.com/businesscenter/article/190234/microsoft_recruited_top_notch_guns_for_waledac_takedown.html

In my research, I have only found one case [Cartier Int'l, B.V. v. Dipadova, CV 00-06717 (C.D. Cal.) (entered Nov. 7, 2000)] where a judge authorized technical measures -- the disabling of a web page (a legal hack) -- to combat an online threat or menace. Has anyone found any other such case?

On the issue whether any of the technical steps in this Waledac botnet case are causing "damage": Microsoft posted a $54,600 bond so that money would be available to compensate the defendants (presumably these people are mainly botnet herders) if the TRO causes damage to them without justification.

Microsoft is teaching us how to use civil law enforcement measures -- as distinguished from criminal law enforcement -- to respond to malicious Internet behavior like phishing, hacking, cybertheft and identity theft.

Notice that Microsoft is not doing this in the dark. It is working through our open public court system, so that Microsoft is transparent and accountable and all can see what is happening and evaluate it.

–Benjamin Wright - Legal Issues Instructor at the SANS Institute, where he teaches professionals on the law of malware, e-discovery, data security, internal investigations and the Computer Fraud and Abuse Act. http://www.sans.org/ondemand/description.php?tid=3897
[This post was originally published 2010 on Mr. Wright's Google Buzz page.]
0 comments

3D Printing | Inducing to Violate Intellectual Property


The vendors of 3D printing software and services must be careful to avoid encouraging users to violate the patent, copyright or trademark of others.

Manipulate an Image

Imagine a software vendor tells kids to:

1. scan a 3D image of their favorite toy vehicle;
2. use the software to manipulate the image to add cool new features, like wings or monster tires; and
3. print a model of the manipulated image.

Printing 3D Objects
The maker of the original toy might have a claim against the software vendor for inducing the kids to violate intellectual property.

Toymakers often claim copyright and trademark protection for their toys.   But when kids make reproductions of the toys, they may be violating that protection.

Tort

Widespread encouragement for kids to violate IP may constitute illegal inducement.

Courts have recognized a tort for inducing others to violate intellectual property.  Music companies, for example, won a judgment against peer-to-peer network Limewire for inducing users to make unauthorized copies of music.  Evidence in the case showed that Limewire intentionally targeted music pirates for membership and use of its service.

Many New Manufacturing Technologies

This tort issue applies not just to 3D printing.  It applies to all of the many new technologies that enable localized, custom, computer-driven manufacturing.  One such technology is the stonemaker, which makes unique, precision stones on-location at a construction site.  The shape and other features of each stone are dictated by software.  Imagine a home owner using the stonemaker, and software templates from an "intellectual property pirate" to make stones depicting copyrighted figures, like Disney characters.



Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related Article: 3D printing fair use
0 comments
Subscribe to: Posts (Atom)