Remember the guy who got put in jail for contempt for forgetting his hard disk drive encryption passwords? He’s still in there, and doesn’t have any prospects for getting out anytime soon.
Francis Rawls, a former sergeant in the 16th district of the Philadelphia Police Department, was accused of having child pornography on two encrypted Macintosh hard drives, which were seized in March, 2015. He was ordered by a judge in August, 2015, to provide the passcode to decrypt the drives, but he claims to not remember it. He was put in jail for contempt of court. Prosecutors claim Rawls is “forgetting” his password on purpose to keep from being charged with possessing child pornography, which could put him in prison for 20 years.
Earlier this year, Rawls appealed the ruling, and it was denied. More recently, he attempted to be let out of prison by claiming that there was an 18-month limit on how long someone could be jailed for contempt of court. In addition, in the meantime, he hopes that the case will eventually go to the Supreme Court.
Prosecutors said, though, that his claims weren’t valid because the precedent he was citing had to do with someone who was a witness, and Rawls wasn’t a witness. In fact, prosecutors have defined the case very narrowly in a way that doesn’t give him a lot of protection. “After the government had seized the contemnor’s computers and was unable to decrypt several of the hard drives, it filed a motion with Judge Rueter under the All Writs Act, 28 U.S.C. § 1651, for an order directing Rawls to produce a decrypted copy of the hard drives,” notes a recent briefing. “The procedural posture is significant. The government did not proceed before the grand jury. It did not subpoena him as a witness.”
As you may recall, the whole legal issue of whether people can be compelled to give up their passwords is still being fought in the courts. Courts have been deciding back and forth on the issue for several years now, with some ruling that a phone password is more like the combination to a safe than a physical object such as a key. It matters because something that is the expression of one’s mind, like the combination to a safe, is protected under your Fifth Amendment rights not to incriminate yourself. A physical key, something you possess, is something you can be forced to produce.
In this particular case, prosecutors are claiming that the Fifth Amendment doesn’t apply because it is a “foregone conclusion” that the hard disk drives contain child pornography. That’s because, even though they can’t read the files, they know what the encryption scheme hashes them to. And the hashes of those files apparently are equivalent to the hashes of other common child pornography files.
The appeals court earlier this year also found that the Fifth Amendment doesn’t apply because Rawls didn’t use that defense in the first place, when he showed up to decrypt the hard disk drives and then said he couldn’t remember the passwords. “[B]y failing to appeal the original All Writs Act order or to raise the Fifth Amendment as a defense to the contempt proceeding, he had procedurally defaulted on his Fifth Amendment challenge,” prosecutors write.
Not to mention, prosecutors – who made a point of defining the term “chutzpah” in their briefing and applying it to Rawls – set a new definition for “disingenuous” themselves, by saying it wouldn’t really be “testifying” against himself, because they weren’t really asking for Rawls’ passwords. They were just asking him to type them in. “The government deliberately chose not to call Rawls as a ‘witness’ to minimize Fifth Amendment issues,” prosecutors write. Those Fifth Amendment “issues” being his ability to use it to protect himself. “Thus, the government did not seek to compel him to produce his password. Rather, it sought to compel him to perform a physical act.” That “physical act” being typing in his passwords.
Right. I’m not robbing you, because I’m not asking for your money. I’m just asking you to take it out of your wallet and put it on the table, which happens to be within my reach.
(Though I do have to thank prosecutors for teaching me a new word: “contumacious” – stubbornly or willfully disobedient to authority.)
Prosecutors also implied that 18 months for contempt was nothing, citing other cases where people had been jailed for five years and seven years for contempt. And because Rawl has already lost in appeals court, they are not sanguine that the case will ever make it to the Supreme Court, they add.
Earlier this month, Judge Cynthia Rufe agreed with prosecutors, citing the finding of the previous appeal as the reason. “The ruling of the Court of Appeals compels the conclusion that Mr. Rawls is not a witness to a proceeding as contemplated by § 1826, and that the 18-month limitation therefore does not apply to this matter,” she writes. “This matter exists before the Court solely because Mr. Rawls has prevented the search warrant from being fully executed.”
Consequently, Rawls stays in jail, though prosecutors said they should check in on him now and then to see if, after two years of largely solitary confinement, he suddenly remembers his passwords. “Theoretically, he could be held in jail for contempt forever … until he’s dead,” Dan Terzian, a lawyer from Duane Morris, tells Olivia Solon in The Guardian.
The moral of the story? Don’t forget your password. You could go to jail.
Hurricanes in the Southeast in September aren’t a surprise, or shouldn’t be. That said, having two hit the region within a matter of a few days, as well as having another potential one waiting in the wings, tested the mettle of operators. But all told, damage to data centers appeared minimal thus far.
Some data center regions have been hit pretty seriously by hurricanes, most notably Hurricane Sandy in 2012. Hitting New York City, the home of many high-tech firms, the storm took out many data centers that were below ground level. Power failures resulted in bucket brigades of diesel fuel being taken up stairs to the data centers on higher ground. And even thunderstorms have taken out cloud data centers such as Amazon Web Services in Virginia in 2012.
But Harvey and Irma don’t appear to have done massive damage to data centers thus far. Four major Internet providers in Houston stayed up, though the data centers themselves were inaccessible due to flooding, reports Yevgeniy Sverdlik in Data Center Knowledge. The biggest problem was due to fears that they would run out of diesel fuel, he reports, though at least during the thick of the storm they hadn’t even lost utility power. Other sources also indicated that Houston data centers were by and large unaffected.
Some staff stayed in Houston data centers for days. “The facilities had showers and were stocked with food, cots, video games, and books,” Sverdlik writes in a different Data Center Knowledge piece. “Stocking up on sleeping cots and supplies is a customary part of data center operators’ emergency preparedness plans.” In previous disasters, data centers have warned that the most critical resource is people and making sure that they’re safe, and a number of data centers had to put up some of their people when their homes were uninhabitable, he writes.
For Irma, Miami was particularly critical because it serves as a hub linking the U.S. with Latin America, Sverdlik writes in another Data Center Knowledge piece. However, most of the networks using that facility had alternate paths, he added. The building, like many Florida data centers, was rated for Category V winds and was 32 feet over sea level. While reports are still coming in, Florida data centers appeared to also pretty much stay up, though some were on backup power and generators for a time.
Either way, Verizon declared a “Force Majeure event” – essentially, an Act of God — for Hurricanes Harvey and Irma that let it off the hook any delay or inability by Verizon or its vendors to provide services.
Even for companies that aren’t located in regions affected by hurricanes, these events were a useful wake-up call to update disaster recovery plans. In addition, the fortuitously timed DCD>Colo+Cloud conference, in Dallas on September 26, is planning to expand its coverage of disaster recovery and resiliency topics.
Incidentally, in a bravo-for-little-ironies department, Nirvanix — the company that was notorious for sending out press releases during a natural disaster encouraging everyone to use its products — went out of business in 2013.
If you really want to make sure that nobody’s going to be able to read your data, the late author Terry Pratchett just showed you how it’s done: Per his instructions, his executor just ran over his hard disk drives with a steamroller.
“Pratchett’s hard drive was crushed by a vintage John Fowler & Co steamroller named Lord Jericho at the Great Dorset Steam Fair, ahead of the opening of a new exhibition about the author’s life and work,” reports The Guardian.
Pratchett, who died in March, 2015, at 66 from Alzheimer’s disease, reportedly told author Neil Gaiman of his wish, who revealed it in an August 2015 interview with the Times of London. “The fantasy author Terry Pratchett wanted his unfinished work to be run over with a steamroller, according to his close friend, the writer Neil Gaiman,” the paper reported at the time. “Gaiman, the award-winning author of The Sandman and Coraline, reveals that Pratchett, his confidant of 30 years, told him that he wanted ‘whatever he was working on at the time of his death to be taken out along with his computers, to be put in the middle of a road and for a steamroller to steamroll over them all.’”
Rob Wilkins, who carried out the instructions in the will, manages the Pratchett estate, and tweeted from an official Twitter account that he was “about to fulfill my obligation to Terry” along with a picture of an intact computer hard drive – following up with a tweet that showed the hard drive in pieces, the Guardian reports. The pieces will also become part of the exhibit.
Richard Henry, an official at The Salisbury Museum, where the exhibition will be held, told NPR that the task actually wasn’t easy. “It’s surprisingly difficult to find somebody to run over a hard drive with a steamroller. I think a few people thought we were kidding when I first started putting out feelers to see if it was possible or not.”
Even the steamroller didn’t destroy the hard disk drive, Henry continued. “The steamroller totally annihilated the stone blocks underneath but the hard drive survived better than expected so we put it in a stone crusher afterwards which I think probably finally did it in,” he told the BBC.
Why not just erase the hard disk drive, which reportedly had ten unfinished works on it? Because as any number of criminals have found out to their sorrow, “deleting” a file doesn’t really delete it — just the pointer to the file gets deleted. Much of the data in the file is still on the hard disk drive and can be scraped off by a diligent forensic analyst. Even deleting the file multiple times, rewriting the disk, and so on might not fully eliminate the data.
This is not to say that there weren’t plenty of people who were sad that Wilkins had been so thorough. (Including Gaiman, who said in the August 2015 interview that he was “ridiculously glad” the destruction had not yet happened.) In his lifetime, Pratchett wrote more than 70 books, selling more than 85 million copies worldwide, and no doubt many of his eager fans would have loved to see even an incomplete work.
But the author did not want his unpublished works to be completed by someone else and released, Henry told the BBC. In fact, Wilkins told the BBC in 2015 that what Pratchett really wanted was to have a device connected to his heartbeat so when his heart stopped it would wipe the contents of his hard drive.
Assuming, of course, that the hard disk drive that was crushed was actually the one that Pratchett had used. After all, he had Alzheimer’s; maybe he didn’t know what he was asking for? Maybe someone made a copy of it in the two years after Pratchett died. (Why it took two years before it was destroyed, no one has said.) We can always still hope. “It’s not impossible that some further fragment might surface in years to come, and this will all turn out to have been an elaborate joke on Pratchett’s part,” writes Stephanie Merritt in the Guardian. “I wouldn’t put it past him.”
“Mr. Pratchett is hardly the first author to request that his unpublished work be destroyed or hidden from public view,” reports Sophie Haigney in the New York Times. “Franz Kafka wanted his diaries, manuscripts and letters burned. Eugene O’Neill wanted the publication and performance of ‘Long Day’s Journey Into Night’ to be delayed until 25 years after his death. Vladimir Nabokov left instructions that fragments of a manuscript be destroyed. In all of these cases, though, the requests were ignored, and the unpublished work came to light.” Edward Albee has left a similar request but it isn’t clear whether it will be honored, she adds.
If you don’t happen to have a steamroller handy, other methods for ensuring the destruction of a hard disk drive include a sledgehammer, a .45, or taking it apart and destroying the disks inside.
Periodically, I like to pass on what Backblaze is reporting about the hard drives that make up its cloud backup service. This is for two reasons. First, Backblaze uses a truly massive number of hard drives, and so they come up with a lot of statistically significant results. Second, the company is absolutely nerdy about big data and hard drive statistics, and does quarterly and annual reports on its experiences that are a great example of how a company could do this sort of report about any hardware it happened to have.
Backblaze just came out with its second quarter report, but because I haven’t written about its individual hard drive statistics for more than a year, I’ll also catch you up on the last couple of quarters as well.
The company is now up to 83,151 hard drives altogether. In the first quarter, it added more than 10,000 hard drives in total, and in the second quarter, it added 635 new hard drives in total – some due to failure but many of them due to migrating to larger, higher density (as well as newer) hard drives. For example, Backblaze has been migrating its 3 TB hard drives to 8 TB — which, the company said, more than doubles its storage capacity in the same footprint while only increasing its electrical use a little bit.
In addition to upgrading the hard drives themselves, Backblaze is also creating much larger collections of hard drives. Instead of using its “pods” of 45 hard drives, the company has been using “vaults” made up of up to 20 even bigger “pods,” each of which hold up to 60 hard drives. With the increased size of hard drives it’s now using, each “vault” can now store up to 14.4 petabytes of data.
Another interesting thing that Backblaze has been doing lately is testing enterprise-grade hard drives. As you may recall, the company became well known for building its storage system with commodity consumer hard drives rather than the monolithic gigantic storage devices made by companies such as EMC. That was cheaper, especially when it became time to upgrade, and was more granular. But the company has been criticized over the years for using consumer hard drives rather than enterprise hard drives, which some people (including the vendors whose hard drives weren’t very reliable in the Backblaze setup) said would be better suited for the way Backblaze used its drives.
So Backblaze has been testing enterprise hard drives, and surprisingly found that they were actually more prone to failure than consumer ones, as well as generally being more expensive. On the other hand, the company apparently found a batch of Seagate 8 TB enterprise hard drives on sale, and at that price they were worth getting, so the company is using some of them. While they are still showing a slightly higher failure rate, the company cautions us not to jump to conclusions, indicating that it might simply be burn-in failures because of how new they are (which the company calls the “bathtub curve”).
“The enterprise drives have 363,282 drives hours and an annualized failure rate of 1.61%,” writes Andy Klein, director of product marketing for Backblaze. “If we look back at our data, we find that as of Q3 2016, the 8 TB consumer drives had 422,263 drive hours with an annualized failure rate of 1.60%. That means that when both drive models had a similar number of drive hours, they had nearly the same annualized failure rate.”
In other developments, it may surprise you, but Backblaze doesn’t always leap to a new, more dense hard drive model as soon as it comes out; since it’s using a commodity model, it waits until the cost per megabyte for the more dense models is equivalent to that of the less dense models it’s already using, and then tests them. Consequently, the company is just now starting to test 12 TB hard drives. “In the next week or so, we’ll be installing 12 TB hard drives in a Backblaze Vault,” Klein writes. “Each 60-drive Storage Pod in the Vault would have 720 TB of storage available and a 20-pod Backblaze Vault would have 14.4 petabytes of raw storage.”
As it is, Backblaze spends 23 percent of its revenue on hardware, 90 percent of which is devoted to pods and vaults. The rest of the 47 percent of revenue devoted to costs includes space for the hard drives, electricity to run them and keep them cool, personnel to keep them happy and functioning, bandwidth to transfer data, and so on. The company’s remaining 53 percent of revenue is devoted to the operational expenses of keeping it running, such as developing new features, marketing, sales, office rent, and other administrative costs.
Disclaimer: I am a Backblaze customer.
In the criminal justice system, cases sometimes rise and fall based on incredible arcane and trivial bits of the law.
Such is the case with Spokeo. As you may recall, it all has to do with Spokeo, a data aggregator, getting some data wrong, and the guy in question, Thomas Robins, suing them for it. The importance of the case was less a matter of the effect on the particular guy, and more a matter of what legal precedent would be set, based on court rulings. Hypothetically, it could have meant that people would be able to sue based on simple errors of procedure that happened to violate a law. That would have made the lawyers happy, but not many other people.
The Spokeo case went all the way to the Supreme Court, which ruled in May that the Ninth Circuit Court hadn’t done the job right in the first place and sent it back to them for a do-over. And apparently the Ninth Circuit wanted to be very thorough this time, because it took them more than a year to essentially cut-and-paste from the Supreme Court’s ruling.
Specifically, the Court directed the Ninth to determine two things about the case:
- Whether it was particular. “There was no dispute that Robins had satisfied the particularity requirement of injury in fact,” writes James McKenna of Jackson Lewis, in National Law Review. “The injury he alleged was based on the violation of his own statutory rights and was due to the inaccurate information about him.”
- Whether it was concrete. “A concrete injury must be ‘real’ and not ‘abstract,’” McKenna writes. “There are three aspects of concreteness. First, it is not synonymous with being tangible. A concrete injury need not be tangible. Intangible injuries, such as the abridgment of free speech rights, can be concrete.” Second, while Congress implementing a law is important, just because a law provides the right to sue doesn’t mean they can, he writes. “Third, the risk of real harm’ can constitute a concrete injury, even if the harm may be difficult to prove or measure,” he adds.
Where the Ninth had erred, the Supreme Court ruled, was by not considering those two points separately in the first place, especially the concreteness one.
To a certain extent, this seems like failing the calculus test because, even though you got the right answer, you didn’t show your work. But for attorneys, it’s all about showing your work and crossing all the Ts and dotting all the Is.
So, the Ninth Circuit came back earlier this month to say, yes, it was, too, concrete. “The Ninth Circuit looked to whether the FCRA [Fair Credit Reporting Act] was established to protect consumers’ concrete interests (as opposed to their purely procedural rights),” write Hanley Chew and Eric Ball in Mondaq. The Ninth Circuit went on to point out that both the Supreme Court and Congress have indicated in the past that having incorrect data in a database is a Bad Thing, going on to quote the Ninth Circuit ruling. “’The relevant point is that Congress has chosen to protect against a harm that is at least closely similar in kind to others that have traditionally served as the basis for lawsuit.’ Thus, informed by both Congress and historical practice, the Ninth Circuit held that Congress enacted the FCRA to protect consumers’ concrete interest in accurate credit reporting,” they continue.
Did that settle the case and Robins gets what he wants? No! It simply rules that he has standing, meaning it kicks the can back down the road to the District Court, and he can proceed with his case. “The District Court for the Central District of California originally dismissed the case, holding Robins failed to allege any injury-in-fact and, therefore, did not have Article III standing,” explains David Anthony in InsideARM. “The Ninth Circuit reversed, holding the alleged violation of Robins’ statutory rights alone was sufficient to satisfy Article III’s requirements, regardless of whether the plaintiff can show a separate actual injury.”
Keep in mind that Robins is suing Spokeo not for making him sound worse, but for making him sound better. “The report erroneously said Robins was married with children and that he was older, better educated, wealthier and more accomplished than he actually was,” write three attorneys from Sidney Austin LLP in Mondaq.
The Ninth Circuit also took pains in its ruling to say that, just because the data was wrong in Robins’ case, didn’t mean that everybody who finds an error in their personal information in a database gets to sue. “The Ninth Circuit emphasized the case-specific nature of its hybrid approach, ‘caution[ing] that [its] conclusion on Robins’s allegations does not mean that every inaccuracy in these categories of information (age, marital status, economic standing, etc.) will necessarily establish concrete injury under FCRA,’” write four attorneys from K&L Gates in the National Law Review. “This is because “[t]here may be times that a violation leads to a seemingly trivial inaccuracy in such information (for example, misreporting a person’s age by a day or a person’s wealth by a dollar).”
And that’s the good news for Spokeo, and every other company that collects data on people: Having to determine just how much and what sort of bad data is acceptable – the data equivalent of the allowed number of insect parts in a jar of peanut butter – will make it harder for people to file class-action suits against data aggregators, the company told Perry Cooper of Class Action Litigation Report.
Even without the Ninth Circuit’s do-over, numerous – on the order of three a day – rulings are now referencing the Spokeo case. The problem now is that even after the Ninth Circuit decision, some questions still remain — which means this case could go back to the Supreme Court again. “The Ninth Circuit did not provide broad guidance about whether and under what circumstances a single inaccuracy in a credit report, a certain type of inaccuracy or another combination of inaccuracies would be sufficient to constitute a concrete injury,” write the Sidney Austin attorneys. “The court made clear that de minimis violations may not confer standing, but other than holding that Robins’s alleged facts were enough to confer standing, it did not provide clear guidance on where the line falls between sufficient and insufficient injuries.”
As you may recall, in February we covered the question of how many search warrants the government could legally expect to serve on Facebook at once, given that the company felt that the 381 it had received was too many.
“For example, could the government get a warrant for everyone who posted on Facebook that they had attended the Women’s March so it could arrest them or put them in some sort of database?” we asked presciently.
Little did we know.
As it turns out, the Department of Justice is asking the web hosting company Dreamhost to provide information about every visitor to a particular website, www.disruptj20.org, which was intended to help organize protests at the inauguration of President Donald Trump. Some 230 people, including six journalists, were arrested. (“J20” referred to January 20, the date of the inauguration.) But the DoJ is asking for information on all 1.3 million visitors to the website.
And it is asking for a lot of information: “names, addresses, telephone numbers and other identifiers, e-mail addresses, business information, the length of service (including start date), means and source of payment for services (including any credit card or bank account number), and information about any domain name registration,” as well as the content each person viewed.
In other words, even if you simply visited the website once, didn’t post any information, and didn’t attend any protests, the government would now have your information. Incidentally, disruptj20 did not keep logs of this data itself, but Dreamhost did, according to NPR.
So, just by virtue of researching this story, I’m now on this list. Twice.
“No plausible explanation exists for a search warrant of this breadth, other than to cast a digital dragnet as broadly as possible,” writes Mark Rumold of the Electronic Frontier Foundation, which is helping Dreamhost with its defense. “But the Fourth Amendment was designed to prohibit fishing expeditions like this. Those concerns are especially relevant here, where DOJ is investigating a website that served as a hub for the planning and exercise of First Amendment-protected activities.” The organization is also helping Facebook fight a similar request for information, but doesn’t even know whether it’s also about the inauguration, because of a gag order.
Dreamhost, which spilled the beans on all this on August 14 , is fighting the warrant on First and Fourth Amendment grounds, saying it is “overbroad.”
A hearing is scheduled for Friday.
Interestingly, the DoJ sent out its warrant on July 12. For an event on January 20? It doesn’t necessarily mean that the DoJ attorneys are slow, though they have been fighting with Dreamhost about this data since a week after the inauguration. The Electronic Communications Privacy Act Stored Communications Act changes the rules at 180 days. “Under the ECPA, emails on a server for more than 180 days is considered ‘abandoned’ by users and can be accessed through a subpoena instead of a search warrant,” explains Ryan Reilly in the Huffington Post. To what degree that is actually a factor here is hard to tell, because many of the outlets reporting on this aren’t technical enough to say. But it’s interesting timing.
The DoJ made its initial request, a subpoena and an order to preserve records, on January 27. However, Dreamhost, perhaps disingenuously, didn’t understand what the government was actually asking for. “Within three weeks of service of the subpoena, DreamHost produced its records responsive to these categories,” the company writes. “In its correspondence accompanying the production, DreamHost’s General Counsel made clear that he understood the subpoena was directed to records regarding the registrant, and not records regarding third party visitors to the website.”
Dreamhost also points out in its response that the request is more like a subpoena than a search warrant, because “it requires DreamHost itself to execute the warrant and provide the responsive records to the government.” The company also notes that the information the government is asking for is really more like evidence of a violation than a violation itself, despite how the warrant is worded.
It also isn’t clear exactly what the DoJ is trying to find out, or if it’s simply going on a fishing expedition, because that part of the warrant is sealed. But assuming it gets away with this request, it is making its requests for Microsoft data overseas look like child’s play. If companies can be forced to provide this much data about every single visitor to its customers’ websites, no matter how innocent, this could have a seriously chilling effect on, well, everything.
Be careful with e-discovery: You might discover something you didn’t intend.
That’s what one attorney recently learned when collecting data for a legal case. “The 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them,” write Serge Kovaleski and Stacy Cowley in the New York Times – data from some 50,000 customers altogether.
Typically, such personally identifiable information is redacted, or removed, from e-discovery data sent to the opposing counsel, Kovaleski and Cowley explain.
Initially, the attorney blamed the software vendor (of course), which wasn’t named but appeared to include both software and service. But as it turns out, the attorney hadn’t realized how much data the e-discovery request had obtained, writes Christine Simmons in Law.com. Using the software, the attorney reviewed “what I thought was the complete search results” and marked some documents as privileged and confidential, and then coordinated with the vendor to withhold from production anything she tagged as privileged and confidential, Simmons writes.
“What I did not realize was that there were documents that I had not reviewed,” the attorney tells Simmons, adding that her view showed only a set limit of documents at one time. There also appeared to be some confusion about who actually performed the redacting of the documents, and whether any of the data was redacted, according to court documents (which are a thing of beauty, and you really should read them to get the full effect).
Moreover, the files were handed over to opposing counsel with no protective orders and no written confidentiality agreement in place. Consequently, it would be perfectly legal for counsel “to release most of the material or include it in their legal filings, which would then become part of the public record,” Kovaleski and Cowley write.
And it didn’t end there. Because Wells Fargo had released the personally identifiable information, it then became a data breach and was subject to all the laws governing data breaches. Sending the data without redactions or confidentiality agreements violates “various privacy protection laws, Financial Industry Regulatory Authority Inc. guidance and U.S. Securities and Exchange Commission regulations, according to opposing counsel in court documents,” she writes. The attorney who had sent the files to the other attorney asked that the data be returned, but at that point it became evidence in the data breach case.
Wells Fargo and its attorney have been using various legal maneuvers to get the opposing counsel to return the data, as well as destroy any copies it had made of it, Simmons writes. The attorney also noted, however, that the CD was encrypted, and that she’d written “Confidential” on the envelope. Thank goodness.
Regardless, Wells now needs to follow standard data breach protocols, such as notifying the customers that their data has been improperly released, Kovaleski and Cowley write. “And some of the accounts are listed as having a foreign owner, which would potentially trigger a separate set of overseas regulations, such as Europe’s stricter privacy statutes,” they add.
Such data breaches could happen more often as e-discovery becomes more common and more voluminous, Simmons warns.
When Apple and Google released cellphones with encryption being the default, law enforcement had kittens, with dire warnings about terrorism and child pornography if there wasn’t a back door into it. And governments all over the world, including the U.S., have insisted that data shouldn’t be encrypted unless a back door was available, in case evil people were hiding evidence of their nefarious deeds.
But so far, law enforcement hasn’t complained about IBM’s new Mainframe Z, announced earlier this month. “IBM has launched a new mainframe system capable of running more than 12 billion encrypted transactions per day, in a bid to wade further into the financial cybersecurity market,” writes Ryan Browne for CNBC. “IBM claimed that its new mainframe can encrypt data at a rate 18 times faster than other platforms. The mainframe will be used initially as an encryption engine for IBM’s cloud computing technology and blockchain (distributed ledger technology) services.”
IBM didn’t say when the system would be available, though it said the technology was already in use at six of its own blockchain service centers, and at least one article indicated that the system was would be available in mid-September. The company already supports 87 percent of all credit card transactions, totaling nearly $8 trillion worth of payments each year, Browne writes. The system is intended to “enable companies to comply with new data protection laws, such as the European Union’s General Data Protection Regulation (GDPR) and the U.S.’s Federal Financial Institutions Examination Council (FFIEC) guidance on the use of encryption in the financial services industry,” he adds. “The GDPR holds that businesses should encrypt personal data to prevent a compromise of confidentiality, while the FFIEC’s guidance states that management should ‘implement the type and level of encryption commensurate with the sensitivity of the information.’”
But by announcing the system, IBM is also drawing a line in the sand and siding with Apple, writes Brian Fung in the Washington Post. “IBM fully supports the need for governments to protect their citizens from evolving threats,” he reports the company said in a statement on the issue. “Weakening encryption technology, however, is not the answer. Encryption is simply too prevalent and necessary in modern society.”
Maybe law enforcement thinks that hackers and terrorists can’t afford mainframes like this one, which according to Fung is supposed to cost $500,000 a pop? But companies like Microsoft can, and the U.S. government has been fighting with Microsoft for several years to gain access to data that it stores overseas. What if Microsoft said fine, here’s the data – but it’s encrypted, so good luck?
Indeed, with some governments wanting to outlaw encryption altogether, is IBM going to be allowed to sell the equipment in those countries? Will people in those countries be allowed to use it? Is IBM releasing the system in hopes that it will be grandfathered in should countries implement anti-encryption laws?
Experts also point out that IBM statements about the encrypted data being more safe from hackers isn’t necessarily true. Commenters to the Washington Post article noted that only the data at rest would be encrypted, while data within an application would still be decrypted and vulnerable. In addition, hackers don’t have to be able to read data to wreak havoc, noted another. “I do not need to know what is in your data for a ‘WannaCry’ attack to work,” writes JoeFromBoston. “Even if YOU have encrypted your data, if I encrypt your encrypted data a second time, you are still in big trouble.”
So far, no comment from the FBI or other law enforcement organizations.
The laws governing search and seizure of data on a person’s cellphone continue to evolve – and next fall, they’re likely to evolve some more, as a critical case goes to the Supreme Court. At the heart of the case is the distinction between content and metadata.
Let’s say you send someone an email message. The body of the message is the content. But all the information about the message – to whom you sent it, when you sent it, where you were when you sent it, and so on – is metadata, or data about the message. In a number of cases, courts, prosecutors, and law enforcement have made the distinction between the two, saying that while a search warrant is required to see the content, the metadata is fair game.
Now, one of those issues – in particular, the location data of your cellphone – is actually going to be argued in front of the Supreme Court, which is likely to settle the issue once and for all.
It’s all due to a case called Carpenter. Two guys in Detroit were accused of robbery, and the Federal Bureau of Investigation (FBI) used their cellphones to prove that they were nearby a number of the incidents. To do this, the FBI went to the suspects’ cellphone providers and obtained a lot of data about the suspects’ locations – more than 12,000 for one guy, and almost 24,000 for the other guy. The defense attorneys for the guys are saying that the phones revealed so much personal data about the guys that a warrant should have been required for the search.
Moreover, these two guys aren’t the only ones who had their phones searched for location data; according to providers such as AT&T, this happens thousands of times a year.
You might think, “Wait. Didn’t the Supreme Court decide this already?” Well, sort of. In June, 2014, in a case known as Riley, the Supreme Court ruled that law enforcement officials needed a warrant to search someone’s cell phone. However, this case is different, because Riley covered searching the content of a cellphone, while Carpenter covers searching the metadata.
A number of organizations – including such odd bedfellows as the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation, and the conservative Cato Institute — have filed friend-of-the-court briefs hoping to protect metadata, saying that giving law enforcement access to a person’s location files amounts to unlawful search and that a warrant should be involved.
“The Fourth Amendment was designed precisely to protect the kinds of intimate details that police seized without a warrant in Carpenter,” writes the ACLU. “For example, an analysis of Carpenter’s whereabouts suggests that he slept away from home on December 22, 2010, in what appears to be an aberration. The location data also shows that in the early afternoon on a number of Sundays, Carpenter made or received calls from the cell tower sectors nearest to his church. His cell phone records do not routinely show him in that area on other days of the week, implying that he was worshipping at those times. Together, the data reveals a granular accounting of Carpenter’s locations and movements over the four-month period.”
“Although the case is formally about cell-site records, it’s really about where to draw lines in terms of what network surveillance triggers the Fourth Amendment and how the Fourth Amendment applies,” argues Orin Kerr of the Volokh Conspiracy, in the Washington Post. “The justices can’t answer how the Fourth Amendment applies to cell-site records without providing a framework for how the Fourth Amendment applies to many other forms of surveillance, such as visual surveillance, obtaining traditional phone records, obtaining e-mail transactional records, obtaining credit card records and the like.”
Not everyone agrees. “Carpenter v. United States is part of the ACLU’s campaign to hobble police and shield wrongdoers — both terrorists and common criminals — from the latest technologies available to law enforcement,” writes Betsy McCaughey in the New York Post, while muttering darkly about terrorists. “But how else could agents find out whether he was near the robbed stores?” (Fortunately, “but law enforcement didn’t have any other way to get the information” isn’t typically an acceptable excuse for violating the Constitution.) There is also some concern that such a ruling could limit the use of location data by marketers.
A particular nuance in this case is the notion of third-party doctrine, Kerr explains. In other words, law enforcement didn’t get the metadata directly from the suspects’ cellphones, but from a third party – their service providers. Third-party records require only “reasonable suspicion” that a person was involved in a crime, not “probable cause,” which requires a warrant, writes Peter Henning in the New York Times.
What’s important about this case is it will determine whether metadata from a third party will also require a search warrant, Kerr explains. For example, the third-party doctrine is frequently cited by the government in support of the legality of NSA collection of metadata, writes Emma Kohse in the Lawfare blog.
Another nuance is that the Supreme Court has already ruled that collection of data from a GPS tracker required a warrant, but law enforcement has argued that the cellphone tower location data obtained in Carpenter was less specific than the data from a GPS tracker, so it didn’t require the same level of protection, Henning adds.
In the meantime, there’s not much you can do to avoid this other than turning off your phone. Moreover, this isn’t even data collection that you can stop by turning off or deleting location tracking, because it’s the cell tower data collected by your provider. So it will be interesting to see how the Supreme Court – with its newly appointed justice Neil Gorsuch – will rule.
You’ve heard about phishing. Now we’ve got one with actual bait: a mailed USB card called a web key.
As one techie describes it, “Here is the prototype for the next big wave of security breaches.”
According to TJ Gamble, founder and CEO of ecommerce company jamerson.com, Blue Cross/Blue Shield is sending out letters that include something like a business card or a credit card with a built-in USB drive. The letter urges recipients to insert the device into their computers to find out all the wonderful things that Blue Cross could do for them.
In a LinkedIn post elaborating on the Tweet, and in his video, Gamble hastened to clarify that he wasn’t accusing Blue Cross of anything nefarious. “I am not accusing BCBS of creating software that is less than aboveboard,” he writes. “However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.”
In other words, it would be like phishing – except instead of getting email from what appears to be Google or Facebook, you’re getting actual physical mail from what appears to be a trusted source like Blue Cross. Instead, it could have a potentially nasty payload that could install malware, steal your data, reprogram your device, destroy your laptop, or set it on fire. Moreover, the mailing apparently targeted human resources professionals, who might not know about the security risks involved, Gamble notes.
On the other hand, if someone gets caught sending them out, it’s presumably mail fraud, a Federal crime. And due to this risk, as well as the cost of producing the devices in the first place – 50 cents to a dollar each, he estimates — Gamble writes that he wouldn’t expect to see the general public start receiving these. “However, it definitely provides some ideas for going after high-value targets,” he warns – a variation known as “spear phishing.”
Blue Cross defenders commenting on Gamble’s piece point out that the company is hardly the first to use such Web key devices, linking to a Pinterest board of examples. (For what it’s worth, I’ve never seen the things before.) On the other hand, commenters also noted that malware or other payloads could be inserted anywhere along the supply chain for the devices, including where they were built, and in any event it was dangerous to train users to start inserting these devices.
In any event, the advice remains the same: Don’t poke strange USB sticks into your devices.