Context-Aware Computing: Forensics, Privacy

For enhanced user experience, devices and computers are collecting ever-more elaborate details about our behavior.  Consequently, the trove of evidence potentially available to forensics and ediscovery examination swells and swells.  And for developers, privacy headaches expand.

Windows’ Records of Latest Behavior

SANS Institute’s Ovie Carroll explains how Microsoft Windows keeps records about such minutiae as which files the user opened recently.  The purpose is to please the user.  When the user opens a certain file, Windows wants it to appear with the screen location and dimensions that applied the last time the file opened.  But to do that Windows must keep a record.

That record could be forensically valuable when trying to prove, for example, the user knew porn was on her USB stick and she had looked at it.

Age of Context

Robert Scoble and Shel Israel are writing a book titled "The Age of Context."  In their draft introduction, they write, “There are things coming at you that will change your world.  Little things that are swarming around you and know where you are, what you’re doing and what you plan to do next.”

Scoble speaks of emerging technologies like Google Now and Project Glass, which will guide us, figure out what we want, and suggest what we will like, based on myriad fragments of information about what we’ve done, what is around us or how we interact with others.  These technologies will work through our smart phones, our eyeglasses, our automobiles, the very clothes we wear.

Records are Legal Evidence

Yet as these technologies collect and process all these fragments, they make records.  Law reveres records.  It expects them to be preserved, discovered, turned over to resolve audits, lawsuits and investigations.

Consistent with due process, law will require the holders of these records to disclose them under subpoenas.  Subpoenas and preservation demands will be pains in the neck for the developers of context-aware applications.

Child Custody Example

In a child custody battle, law will require parents to release records of contextual awareness.  From those records, the court may evaluate whether a parent would be a safe, responsible guardian.  The records will reveal driving habits (speeding? texting while driving?), places frequented, forms of recreation, yada, yada, yada.

Incriminating Search Engine Queries

We don’t need to wait for advanced technologies like Google Now and Project Glass to see examples of this type of forensic/ediscovery investigation today.  Investigators of insider trading discovered that, on a suspect’s office computer, the suspect had searched phrases like “illegal insider trading options trace.”  A search like that was incriminating because, allegedly,

(a) The suspect purchased stock options based on inside corporate information; and

(b) This search suggests he was researching whether anyone, like the securities authorities, could link an insider like him to the purchase of relevant options.

“Deal Aide at Bristol Is Arrested on Trades,” Wall Street Journal August 3, 2012.

Privacy Steps by App Developers

Developers of context-aware apps and technology are exposed to legal risk.  They are wise to:

1.  Disclose what sensitive data they collect and what they do with it.

2.  Get users to click on terms that approve their collection and use of data.

3.  Appoint a chief privacy officer.

4.  Avoid collecting and storing sensitive data they don’t need.

Two Example Cases

A.  When the US Department of Justice learned that mobile app developers were collecting geolocation data about smart phone users without their knowledge, it opened a criminal investigation.  One of the relevant criminal laws was the Computer Fraud and Abuse Act.

B.  The Federal Trade Commission and the Federal Communications Commission launched investigations of Carrier IQ after a researcher revealed how much sensitive data Carrier IQ’s software clandestinely collected from smart phones.  Carrier IQ soon anointed a chief privacy officer.



Mr. Wright teaches the law of data security at the SANS Institute.

No comments:

Post a Comment