How to Respect Privacy in a Social Media Investigation


Privacy Impact Assessment

Social networks like Facebook hold so much information about our thoughts, our behavior, our friendships that official investigations naturally seek to uncover it.

Privacy on the Ascendancy

But powerful voices are championing greater respect for the privacy of data collected by technology.

The White House has published a Consumer Privacy Bill of Rights, broadly declaring, “Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.”  Although this document focuses on the rights of consumers, it is consistent with rising expectations that the privacy of individuals be respected at a time when technology is enabling an unprecedented accumulation of personal data.

Free From Unreasonable Search
The US Supreme Court recently ruled, for the first time under the Fourth Amendment, that citizens have a right to privacy when in public.  United States v. Jones held that police must obtain a search warrant in order to track the public movements of a suspect with a GPS device.

Prudent Investigator

Note to all investigators: Prudence dictates that you explicitly consider privacy when seeking data through technology, such as social media.  But what does that mean in practice?

The investigator needs evidence that she thoughtfully weighed privacy concerns as she designed and executed her investigation.  This evidence can be provided in a “privacy impact assessment.”  A privacy impact assessment is a written statement, stored in the investigator’s file, showing rational deliberation about the effect of the investigation on the privacy of the target of the investigation, as well as on the privacy of bystanders.

A persuasive privacy impact assessment will articulate the justification for the investigation and evaluate alternative methods for getting the needed information. It will assess methods for minimizing the impositions on privacy, while pursuing the legitimate goals of the investigation.  It will display a conscious weighing of factors, so as to balance need against cost.

Demonstrate Serious Contemplation

A privacy impact assessment need not necessarily be a lengthy document.  For less substantial investigations, it might be only a paragraph.

But it needs to be thorough enough to demonstrate that the investigator diligently contemplated the facts and methods of the case.  It might specify, for example, steps to limit the quantity of data collected, the number of people who have access to the investigation file, and the length of time data is stored before it is destroyed.

The impact assessment will be more persuasive if the investigator consults a colleague or superior in the course of drafting it.

Which Investigations?

What kinds of investigations do I have in mind?  Many.  I’m thinking about subpoenas . . . safety inspections . . .e-discovery in civil litigation . . . inquiries by prospective employers . . .  evidence collection in family law disputes . . . probes by disciplinary officials at schools and colleges . . . audits by government tax or regulatory officials . . . and more.



Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related:  Complying with the Internet's tsunami of laws
0 comments

Unexpected Electronic Contract

Text, Chat, Social, Video Records

Electronic media seep casually into B2B and B2G contracts.

US Defense Department contracts are known for formality.  That is why Mabus v. General Dynamics C4 Systems, Inc. (US Ct of Appeals, Federal Circuit 2/4/11) teaches important lessons about electronic commerce.

Facts of the Case

A contract between the government and a defense contractor said that orders under the contract could not be transmitted by electronic media.  However, in practice, the government and the contractor used email for these orders all the time.

Instant Message as
Written Agreement
A dispute arose over certain orders that had been transmitted by email. The contractor argued that email was not allowed under the terms of the contract, so the orders were ineffective.

However, the court ruled that email was an effective medium for sending the orders.  The court’s rationale was that the contractor was prevented from denying the effectiveness of the orders under an esoteric doctrine, “equitable estoppel.” The court’s reasoning ignited controversy among blogger experts.

But regardless of the court’s reasoning, the case teaches lessons of general applicability.

Lesson #1

The Mabus case reminds us that today we interact with trading partners through an ever-growing array of recorded media.  Messages through text, chat, mobile apps and social networks feel informal, even trivial . . .  but they are recorded.

Lesson #2

Courts tend to accord the same weight to an electronic business message as they do to a formal, paper letter signed with a handwritten ink autograph.

Contracting parties should therefore treat all electronic messages seriously.   This is why I’ve been teaching how to make legal records of important text and cell phone messages.

0 comments

How to Record a Text Message

Get Evidence from Phone

See an incriminating or other important text message you want to record?

Here is training on how to preserve a text message (or a photo or video) for legal, tax or other serious purposes.  The training includes a step-by-step, 12-minute video, plus opportunity for interactive comments, questions and answers.

DYI

This video is intended for a general, do-it-yourself audience.

Capture Cheater | Cyberstalker
Evidence
This video uses as an example a cyberbullying incident.  But it could apply to any of the following involving communication via text, SMS or mobile app:

  • a business transaction, 
  • a marital dispute
  • romantic infidelity
  • domestic violence
  • employment discrimination
  • hostile work environment
  • alibi to a crime

How It Works

The cost for access is $8.99.

After you pay, you will get a private web address (URL) for viewing the video and leaving comments/questions.  You can return to the URL as many times as you wish.

By clicking on the Buy Now button below, (1) you agree not to share the private URL with other people, and (2) you agree not to distribute a copy of the video or comments/questions to other people.  If you wish for other people to access the service, you agree to send them to this page so they can pay for access.

This DYI, continuing education service is not a substitute for legal, technical or other professional advice. There is no guarantee it will enable you to reach the legal or tax result you want. The service provides general education and not specific advice for any particular situation; it does not necessarily cover every legal or technical issue that could apply throughout the world.

Many lawyers do not have a lot of experience with evidence on mobile devices, so this education service may be just as useful to lawyers as it is to anyone else.

Note:  This service is about recording a text message (or video or pictures or other evidence) you can see on the screen of a cell phone or other mobile device, such as an iPad or Android tablet.  It is not about messages that have been deleted, and it is not about how to recover messages from a cell phone carrier or other service provider.

Have Questions?

If you have questions before purchasing, please leave a comment below.

Reviewers

Bloggers and journalists:  If you would like free access to the service for purposes of review, please let me know.

-- 
1 comments

Megaupload Users | Get Legal Files Back?

When the US Department of Justice and its allies shut down Megaupload, they affected many kinds of users and many kinds of files.  Many of those files are legal.  Artists, writers and other content creators used Megaupload for storing, managing, distributing and publishing their original work.

It is unknown precisely what law enforcement has done with the legal files stored in the Megaupload platform.

Privacy Protection Act

US law enforcement must be mindful of Privacy Protection Act ("PPA"), 42 U.S.C. § 2000aa:

“[I]t shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication...”

Essentially, the purpose of the law is protect First Amendment free speech, free press materials.

Law Enforcement
Courts interpret PPA to allow police to seize a computer containing PPA-protected material, if there is good reason to believe they are commingled with illegal data.

What is less clear is what police may or must do with PPA-related material after they have lawfully seized it.  In Steve Jackson Games, Inc. v. Secret Service, a district court penalized the government for not returning  PPA-protected materials promptly after learning they were protected.

Asset Forfeiture Law

Another relevant law is the 2000 Civil Asset Forfeiture Reform Act, which is intended to make it easier for innocent parties to recover their property when seized by the US government.  A public-interest expert in holding government to this law is the Institute for Justice.  The Institute for Justice should consider taking up the case for innocent Megaupload users.



Related: Megaupload Raid: The Legitimate Users
1 comments

Cloud Provider FBI Raid

As it becomes more common for law enforcement to raid online facilities like Megaupload, it is incumbent
on law enforcement to respond to the needs of innocent users.

A few days ago law enforcement, led by the US Dept of Justice, seized the domain for Megaupload.com,
Domain Redirect
causing traffic to that site to be redirected to a government notice saying the domain had been seized under court order.

Economic Hardship to Bystanders

Megaupload is a very popular service, with many millions of customers worldwide.  It is a cyberlocker that allows users to store and share files.  Some of those files, perhaps many of them, may violate copyright and other laws.  But a great many of those files are not illegal.  Users rely on those files for many purposes, including running their law-abiding businesses and lawfully earning a living.


By shutting down the site, law enforcement has caused substantial economic hardship.  Instead of showing concern about the interests of innocent users, the Department of Justice emphasized that Megaupload had warned its users they could lose data.



Precedence:  Liquid Motors Case

US law has previously provided relief to an online service provider's users who are not under investigation.

In Spring 2009, FBI seized servers run by Core IP Networks.  Some of the data processed on those servers belonged to Liquid Motors, an innocent company that helps large auto dealerships manage their inventory and Internet marketing. The raid had severely degraded Liquid Motor’s service to its law-abiding customers.

Liquid Motors promptly petitioned a federal court for relief.  Although the court believed FBI’s raid was justified, it acknowledged the economic impact on innocent parties.  Significantly, the court compelled FBI to work over the weekend to provide Liquid Motors copies of its data and to return a server to Liquid Motors as soon as possible.

Over-Zealous Police Undermine Public Trust

Yes, law enforcement needs to shut down cyber criminals and collect evidence so they can be prosecuted.  But law enforcement undermines the community’s trust when it damages innocent bystanders.

Moreover, principles of due process, human rights and property rights call for law enforcement to take proactive measures to minimize collateral damage.

Before executing a raid, law enforcement should evaluate whether its mission truly requires it to take services offline.  It should develop techniques for surgically getting what it needs, while avoiding disruption of anything else.

What’s more, law enforcement should develop and execute a plan for returning disrupted services, or returning confiscated data, as soon as possible.

Police Should Strive for Transparency

Law enforcement further should strive for transparency and accountability.  It should engage intensively with the community, disclosing as much as it can, as soon as it can.  In the case of Megaupload, the vacuum created by law enforcement’s relative silence has lent credence of malicious phishing sites that appear to enable worried users to retrieve their files.

The Department of Justice and its colleagues should be commended undertaking the hard work to responsibly police the Internet.  And, I grant you that, for law enforcement to heed the needs of bystanders requires much time and effort. But this is what democracy and rule of law expect of 21st Century law enforcement.

--

Update:  In coordination with one of the hosting services that supported Megaupload, the Electronic Frontier Foundation is investigating whether users can now retrieve their files.  See Megaretrieval

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related:  Theories for Relief to Blameless Megaupload Customers
1 comments

Service of Process via Social Media

Claims, Orders and Notices

Service of Process is the formal means by which notices of legal action -- such as the initiation of a lawsuit or the issuance of a subpoena -- are given to people who are subject to the notices.   Service can relate to matters in court, i.e., judicial proceedings, or it can involve extrajudicial matters, such as notice of action by a government agency.

Traditionally, formal service of legal notice is performed by hand.

Sometimes when the person’s location is unknown, alternative service is permitted.  Alternative service can include publishing the notice in the newspaper.  In reality, publication of small notices in the newspaper is not very reliable as a way to put most people on notice of something.


Service Via Email Looks Like Spam

Some courts have allowed service via email.  A problem with email is that spammers commonly send official-looking emails trying to trick the recipient into clicking on something that will infect the recipient’s computer with malware.
Malware

Therefore, recipients have reason to ignore emails from unknown senders.


The Advantages of Social Media

Social media like -- Flickr, Yelp, Twitter, Facebook, Youtube, Google+ and many others -- open new potential avenues for alternative service.  The intended recipient might be reachable in many online places.

In Federal US courts, the method used for service of process must be reasonably calculated to notify the recipient of the matter.

Here are factors that can help to establish that service over the Internet was indeed reasonably calculated to put the recipient on notice.

1.  Multiple Attempts.  Make multiple attempts through multiple channels, including Facebook Wall and chat, relies to Twitter tweets, comments under photos and comments under blog posts or status updates.  Social media are opening so many avenues for reaching a person that liberal use of them increases the likelihood of successful delivery.

2.  Video Response.  If the recipient has posted videos on Youtube, send the notice as “Video Response” to one of the videos.  Put the text of the notice directly into the video.  This approach holds two advantages:

(a) It normally causes an email to go from Youtube to the recipient seeking approval of video as a response that would appear under the recipient’s video.  It does not seem like a spam ploy to send malware.

(b) Video Responses are relatively rare on Youtube, so the Video Response is more likely to attract the curiosity and interest of the recipient.


video


3.  Use Verified Identity.  When posting notices, use a verified identity, such as is available through Google Plus. (As the photo shows, Google shows my name has been verified when the viewer places the cursor on the check next to my name.)

Authenticity


4. Use simple text.  Put as much information as possible in simple text rather than a link.  If the recipient has to click on a link, he may have reason to believe the notice is a hoax trying to trick him into clicking on malware.  If necessary, break the full text of the message into multiple postings.  Start the notice with a plain statement like, “Benjamin Wright: You have been sued in connection with property located in Carson County, Texas.”

5.  Name in subject line.  If using email, put the recipient’s name in the  subject line.  Bulk spammers don’t do that.

6.  Expose the notice to search engines.  Publish the notice on a web page so it comes up in a general search of the person’s name.  People commonly search their own name.

7.  Toll Free Number.  Give the recipient a toll-free number to get more documents or information.  A toll-free number conveys seriousness (less likely a hoax) because the person owning the number pays the toll on calls coming into the number.

8.  Monitor Subsequent Activity.  After service/notice is attempted through a particular social media account, public activity in the account can be monitored.  Commonly people have entwined their lives so tightly with their accounts that they cannot stop using them.  Subsequent activity is evidence that the account is being used. Specific activity (photos, videos, comments, geolocation data) can be so unique to the account holder that it can be established that the account was not being used by an impostor and that it was likely the account holder saw the service/notice.

The expansion and diversity of social media open many new opportunities to be creative.

Social media are opening new frontiers for the collection of evidence and the execution of legal actions in debt collection and asset recovery cases.



P.S. In a couple of cases involving unknown hackers, courts have allowed discovery to start before an attempt to serve process.  The discovery might include subpoenas to ISPs to discover the identity and location of the hackers.

P.S.S. British court authorizes service of legal documents via Facebook. See discussion of whether the Internet is making it easier to start litigation.

See: ideas on how to document details of a person’s web presence
0 comments

How to Record Nonstandard Online Financial Trades


Audit Evidence & Documentation

Making records of non-standard financial transactions is not easy.

Electronic trading platforms for nonstandard transactions are numerous and diverse.  They change constantly.  They facilitate trades and auctions in myriad nonstandard financial assets, such as OTC derivatives, bankruptcy claims, privately-held equity, esoteric asset-based securities and so on.  An example of such a platform is SecondMarket, which specializes in bringing together buyers and sellers of illiquid assets.

Multiple Media and Services

Capital Markets
The platforms provide information in multiple media, including audio, video, formatted documents, instant messages, structured data and augmented reality.  These platforms can present a professional trader a welter of financial disclosures, trade confirmations, legal representations, and contract terms and conditions.

The relevant contract data for a trade may not arrive all through a single platform.  A trade executed on one platform may be supported by emails or text messages sent through different services.

Are All Records Linked Together So Someone Can Understand Them Five Years From Now?

After a trade has been executed, how can the terms be documented?  If there were a dispute about the trade, will reliable and complete records exist?

Lawyers ask these questions, thinking about legal evidence.  Auditors ask these questions, thinking about proof to support financial claims and statements.   Tax advisors ask these questions as they analyze tax obligations and prepare for audit.

Although a platform provider like SecondaryMarket may keep some records, the provider cannot be relied upon as the long-term, comprehensive, record repository for investors.  The provider might go out of business, and it might not keep all of the records the investor needs for the number of years the investor needs them.

Further, the provider may not keep records to show the precise organization of information, or the order in which communications were exchanged, or the interconnection of messages communicated via different media and services – all of which could be relevant to determining the legal import of a transaction.

Narrated Screencast Video

Here is a method for recording the data a professional sees at a certain point in time, such as half-an-hour after a trade is executed.



It is a screencast video that memorializes what the professional claims he sees, with realtime narration from him explaining how he moves from one item of information to the next.

The screencast is made with screencast-o-matic, a free, Java-based, open-source tool for recording what you see on your screen,

Interactivity and Inter-Connections

The resulting video is a unified package of evidence that captures the interaction and interconnectedness of the web better than a bunch of sceenshots.  The video illustrates what happens as each link is clicked.

The final, comprehensive record of the transaction might include this video, together with copies of emails, the disclosure documents that were exchanged and so on.  The video is the twine that binds all of these records together into a unit that is comprehensible to someone who may review the transaction in the future.


Cloud Time Stamp

Fixing the time of evidence like this video adds to its credibility.  The auditor states the time directly into the video.

To corroborate the vocalized date, the auditor could store the video, soon after he creates it, in a file-management resource that applies a timestamp to it and to any modifications of it.

Thus, if the video, dated by the auditor’s voice as November 5, were uploaded on November 5, but then replaced November 10, there would be a mismatch of dates, suggesting that the video in the resource is not the one originally created by the auditor.

What enterprise-class resources might reliably attach a timestamp to a video?  Autonomy is an example of  a third-party archive service providing such a timestamp, and Microsoft Sharepoint is an example of in-house resource.  Sharepoint maintains rich, detailed metadata (such as time of file upload and time of file modification) that is hard for anyone, even IT staff, to manipulate inconspicuously.*



Attorney Wright teaches the law of data security and investigations at the SANS Institute.

* Manipulation of all relevant metadata (including metadata in backups) in a complex enterprise resource like Sharepoint is extremely challenging, if not utterly impractical.  Thus, the timestamp in that resource corroborates the time stated in the video.  A tool like DocAve Auditor accesses and analyzes the trove of metadata in Sharepoint.

Related Articles:

* Online Investigation

* Recording Cyber Adversary
0 comments

How to Record Debt Collector Web Page


Coping with Bill Collection

Suppose you want to record your online interaction with an adversary . . . such as a collection agency.  Your goal is to capture reliable legal evidence of what you encountered when trying to access or provide information to the adversary’s web site or online app.

In effect, the video you create will record your eyewitness testimony of what you see online at a particular point in time.

You might want to do this, for example, to show that you tried to access a debt collector’s web site, but it was not available, did not work right or gave you misinformation.

Ten Steps

For making your record, here are 10 steps:

1.  Write out a step-by-step script of what you going to do and say as you make the recording.

2.  Launch your webcam so you can see yourself live on your monitor.

3.  Launch your browser or app so you can see that on your monitor at the same time you see the webcam image.

4.  Start a screencast recording program, such as screencast-o-matic (free, open-source service), to record what appears on your monitor.

5.  As the recording starts, identify yourself and explain the reason for your recording.  Explain the technical methods you are using to make the recording.  Don’t be afraid to read directly from your script.  Your purpose is to record legal evidence, not to make a television news cast.

6.  Use your browser or app and carefully explain each step you take.

7.  Describe what you see and what it means.

8.  Conclude the recording by signing and dating it with your voice.  Say words like, “I Ben Wright hereby sign and affirm this screencast as an accurate reflection of my work.”

9.  Review the video to ensure it is accurate.

10.  Soon after you create the video, store it in an online service such as Microsoft’s Skydrive, which records the date a file like the video was uploaded and last modified.

Example

Here is a hypothetical example.



This demonstration is not the only way to make records of online events.  And it does not cover all of the legal and technical issues that might apply to your particular situation.

If you need legal advice for your particular situation, you need to consult a lawyer rather than to rely on this educational blog and video.

This blog post and video intend to spark public discussion about ways to record online activities.  What do you think?



–Benjamin Wright

Attorney Wright teaches the law of data security and investigations at the SANS Institute.

Related articles:

*  How to Make a Gotcha! Video
* How to video record online chat with legal adversary
* Recording Social Media Legal Evidence

Google+
1 comments

Exploiting Scandalous Evidence


Political Exposé

Let’s say you possess incriminating or embarrassing evidence about someone.  Maybe it’s a spycam video catching a public official in an act of corruption or audio in which an executive admits her corporation violates the law.  You know this evidence is sensitive and it serves a public interest.  How do you handle it?

Here are options and issues:

1.  Ethics. Ask an independent party like an attorney to evaluate the evidence for credibility and to provide input on the ethical use of the evidence.

Surprise Camera
2.  Money.  Inquire whether you are entitled to protection and compensation under whistleblower law.  Invocation of whistleblower law may require turning the evidence over to law enforcement or filing a lawsuit.  Federal tax law provides compensation to whistleblowers who provide the IRS reliable evidence about cheating by a particular taxpayer.  The False Claims Act provides a bounty to whistleblowers who sue lawbreakers and successfully recover money on behalf of the federal government.

3.  Editing.  Should you hide or redact information from the evidence before publishing it?  Blurring faces or removing other personally identifiable information may be the prudent, responsible thing to do.  Masking of graphic details can help portray you as a conscientious citizen, not a gossip monger.

4.  Investigate.  Should a careful investigation of the facts be undertaken to determine how the evidence was gathered, what the evidence actually depicts or whether the compilation of the evidence violated any laws?  When an investigation is led by an attorney, often the methods and the outcome can often be kept confidential under something known as the attorney work-product doctrine.

5.  Third Party.  Should you use an intermediary to publish the evidence or present it to authorities, while protecting your identity?  Both attorneys and police agencies have legal power to maintain confidentiality.

6.  News Media.  Should you sell the evidence to the news media?  Sometimes they do pay for good material.

7.  Disclaimers.  Consider how to present the evidence to authorities or the public.  Does it need explanation and background?  Does it need disclaimers?

8.  Exoneration.  Should you file a lawsuit to cause a court to declare that the evidence was not stolen or created in a way that violates privacy, property or other rights?

Are you an amateur gumshoe? What is your experience dealing with evidence of a scam or hipocrisy?

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute, where he teaches professionals how to use Internet media to deliver legal messages.
Google+
0 comments

How to Recover Deleted Phone Text and Photos


Forensics

In a legal dispute, text, photos and other data on a smart phone or tablet can be relevant.  Can they be recovered if they have been deleted?

Cellular service carriers (Verizon, AT&T, Sprint, TMobile) keep records of text, photos and transmitted data for periods of time that vary from one provider to the next.  However, legally forcing them to turn over user data in a non-criminal case is difficult.  The carriers tend to resist subpoenas from civil lawsuits such as divorces, on the grounds that the content of user data is protected by the Electronic Communications Privacy Act.

Customer Cooperation

To a limited degree, recovery from a service provider may be possible if the customer is cooperative.  For example, Sprint records transmitted photographs on a web page protected by a customer password.  Mobile App providers may similarly keep records of messages, photos or videos on a web page protected by a customer password.  In a lawsuit, the customer may be required to cooperate in the recovery of those records under a subpoena or ediscovery demand.

(Cellular carriers have a reputation for not helping customers recover messages unless the customer has a web page for storing those messages as Sprint does for photos.)

Data Forensics

An alternative approach to recovering data is forensics.  An adversary in a civil law proceeding (divorce, child custody, bankruptcy or other lawsuit) may be able to demand through the rules of court procedure that the owner of a mobile device take two steps:

Text, Photos, Video
Step 1: Protect data on the device from erasure or further damage.  This demand for protection might come in the form of a data preservation letter sent by the adversary’s lawyer.

Step 2: Deliver the device to a forensics expert so he can recover data.

Forensic recovery of data from a mobile device is tricky.  Sometimes deleted data can be recovered and sometimes it can’t.  Sometimes fragments of a message can be recovered.  Recovery capabilities vary from one device to the next.

NEW:  I have published a do-it-yourself, how-to video on recording individual text and SMS messages.

Documented Authority

When a forensics expert is engaged to recover data from a device, he needs to ensure he has authority from the proper person.  He is wise to get the authority in writing.

If someone who is not the owner of the device asks him to recover data, he might be violating an anti-hacking law like the Digital Millennium Copyright Act.  When a nonowner asks for data recovery, the expert is wise to ask for a court order.

–Benjamin Wright

Attorney Wright teaches the law of data security and investigations at the SANS Institute.
2 comments
Subscribe to: Posts (Atom)