Yottabytes: Storage and Disaster Recovery


February 10, 2017  11:58 PM

How Many Facebook Search Warrants Are OK?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Facebook, government, privacy

It’s no secret that insurance companies, fraud departments, attorneys, and so on scout Facebook and other social media sites looking for evidence of malfeasance. And when such people do so by means of a warrant rather than simply Facebook-stalking someone, more power to them. But how many Facebook search warrants of stored data should such a perusal allow?

That’s the crux behind an ongoing case in New York, where Manhattan District Attorney Cyrus Vance Jr. filed 381 separate search warrants in 2013 for the Facebook records of police and fire department personnel who were suspected of fraudulently claiming disability from 9/11 and retiring.

Facebook complied, because it had to. As it happens, more than 130 people were convicted of fraudulently claiming Social Security disability, 62 of whom were on the list of 381. And prosecutors rightly pointed out that these people were ripping off New York taxpayers. “Resulting guilty pleas and convictions returned $25 million to the U.S. Social Security Administration,” writes Marlene Kennedy in Courthouse News.

“More than 100 people have already been convicted in the ruse,” writes Julia Marsh in the New York Post. “They claimed they were too sick to work in order to get the benefits — then posted photos of themselves on social media platforms like Facebook jet-skiing and sport-fishing.”

But at the same time, Facebook wants to nip this sort of bulk request in the bud. “The ‘carbon-copy’ warrants for 381 accounts placed Facebook in the awkward position of ‘being conscripted’ by law enforcement to invade the privacy of its users and turn over everything in their accounts,” Kennedy writes.

The company had several issues:

  • The warrants were unlimited. A number of civil liberties organizations that filed amicus briefs with the court pointed this out. “The groups noted that of the accounts sought by Vance’s office, the holders of 319 of them were eventually never charged in connection with the disability benefit investigation,” writes Joel Stashenko in the New York Law Journal. “Yet, the civil liberties’ groups argued, the information about the account holders’ private messages, chat history, photographs, lists of friends, religious or political affiliations and other confidential information was subject to review by prosecutors without the account holders’ permission.”
  • There were a lot of them. Facebook’s argument wasn’t that fulfilling all those requests was a lot of work, though it probably was, but simply that it was overbroad. “The ultimate chilling effect would be a similar request for all of the electronic accounts of every resident of New York City,” Kennedy writes. And it’s not like Facebook regularly turns down this sort of request — for the first half of 2016, it received more than 23,000 law-enforcement requests involving nearly 39,000 user accounts and produced some data for almost 81 percent of them, she adds.
  • They were warrants, rather than subpoenas. “Vance’s office applied for the warrants under the federal Stored Communications Act, which governs the disclosure of electronic records held by third-party internet service providers,” Kennedy writes. “Facebook’s failed attempt to quash hinged on attempt to characterize the warrants as more akin to subpoenas.” The difference is that subpoenas can be challenged, while warrants can’t, she adds.
  • Facebook wasn’t allowed to fight the warrants, because the Appellate Division’s First Department decided it didn’t have “standing,” or the legal right to object. Only the individuals – all 381 of them – had standing to object, meaning they each would have had to lawyer up and go through the ordeal of fighting the search warrant.
  • Facebook wasn’t allowed to tell the people that the government was requesting their records. This sort of gag order isn’t unusual; there have been a number of times when companies were not allowed to say that a government agency had requested their records. (In fact, in a number of cases, companies have created what’s called a “warrant canary”on their website, where they note that the government has never asked for their records – and then, at some point, the sentence disappears and watchers can see that such a request must have occurred.) If Facebook had told the people, they would have deleted the records, Vance said.

All of this is critical because people – not just Facebook – are concerned about what it could mean for the future. For example, could the government get a warrant for everyone who posted on Facebook that they had attended the Women’s March so it could arrest them or put them in some sort of database? Could the government get a warrant for everyone who had posted something to Facebook indicating they were Muslim? In this day and age, one never knows.

Testimony on the suit was taken earlier this month to the New York Court of Appeals, with a decision expected to be rendered by the six-judge panel near the end of March, Stashenko writes.

January 31, 2017  2:29 PM

Rettenmaier Case Questions Geek Squad Role in Search

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Security

As you may recall, in May we wrote about laws being enacted in Utah to require computer technicians to report child pornography they encounter in the course of their jobs to law enforcement authorities. Some computer technicians, as it turns out, were already doing that; the issue was whether it should be required by law. The Rettenmaier case is taking the question even further.

Reportedly, the FBI has cultivated eight “confidential human sources” in Best Buy’s Geek Squad over a four-year period, according to a judge’s order, with all of them receiving some payment, according to Tom Jackman in the Washington Post. The Geek Squad employees in question were specifically in Best Buy’s data recovery services in Brooks, Ky.

What makes this a problem? “Best Buy searching a computer is legal — the customer authorized it, and the law does not prohibit private searches,” Jackman explains. “But if Best Buy serves as an arm of the government, then a warrant or specific consent is needed.” And the fact that the FBI has cultivated the ongoing relationships and that there is a two-way conversation between the organization and the technicians makes it look more like the Geek Squad is serving as an arm of the government.

For its part, Best Buy contended that the organization had no such policy, that they’re only allowed to turn in pornography they find in the course of their jobs rather than going hunting for it, that it was inappropriate for technicians to be accepting payments, Jackman writes. “Any circumstances in which an employee received payment from the FBI is the result of extremely poor individual judgment, is not something we tolerate and is certainly not a part of our normal business behavior,” a Best Buy spokesman said in a statement.

The case started in November 2011, when Mark Rettenmaier, a gynecological oncologist in Orange County, Calif., took his HP Pavilion desktop to the Best Buy in Mission Viejo, Calif., because it wouldn’t boot up, Jackman explains. “The technicians at the store told him he had a faulty hard drive. If he wanted to retain information from the hard drive, he would need the Geek Squad’s data recovery services in Kentucky,” he writes.

In the process, Rettenmaier signed a form acknowledging that any child pornography found would be turned over to law enforcement authorities, which prosecutors said waived his right to a Fourth Amendment claim.

As it turns out, a Best Buy Geek Squad technician who had been paid by the FBI two months before did indeed find a piece of child pornography on the system – but in unallocated space, meaning the technician required special software to look for it. “In addition, a federal appeals court has ruled that pornography found on unallocated space is insufficient to prove that the user possessed it, since information about when it was accessed, altered or deleted is no longer available,” Jackman writes, because such a file could be put into a computer against the owner’s will or before they owned the system.

On the basis of the file, the FBI got a search warrant and seized Rettenmaier’s cell phone, on which the FBI reportedly found more than 800 other such files, writes Jeremiah Dobruck in the Los Angeles Times. However, in requesting the search warrant, the FBI did not tell the judge that the picture was found in unallocated space, which might have made it more difficult to get the warrant, writes R. Scott Moxley in OC Weekly. There’s also an issue about whether the file would even be considered child pornography at all, Moxley writes in a different OC Weekly article (which also includes some interesting reporting on testimony about just how easily porn can be injected into a computer).

Dobruck notes that taking payments from a law enforcement organization doesn’t necessarily make them an agent of the government. In fact, two Geek Squad employees who said they had received payments also said they had donated the money to charity, writes Andrea Eldredge in the Record Searchlight.

“The problem, from a privacy perspective, is that such rewards create incentives for technicians to start searching people’s perspective rather than just fix them,” writes Jeff John Roberts in Fortune. “Also troubling is that any arrangement between the FBI computer repair services like Best Buy could expand and that, in the future, employees could begin tipping of the agency about other things they find on people’s devices.”

The current status of the case? The judge took two days of testimony earlier this month, after which Rettenmaier’s attorneys had 45 days to file briefs, after which the judge will rule on whether any evidence should be excluded, writes Hannah Fry in the Los Angeles Times.

It should go without saying that child pornography is a heinous crime. But in a day and age where people are concerned about the rule of law and the increased surveillance in our society, it will be interesting to see the outcome of this case. Not to mention, it’s worth keeping in mind if you’re planning to send your hard disk in for repair.


January 26, 2017  10:00 PM

Remember ‘Safe Harbor’? Never Mind

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Safe Harbor, Security

As you may recall, in July the United States and the European Union finally came to an agreement modifying the “Safe Harbor” provisions, which allows companies in the countries to exchange personal data about citizens without having to go through laborious agreements.

The agreement had been in jeopardy since the previous fall, when the European Court of Justice found that, in reaction to the Edward Snowden revelations, the United States did not ensure adequate protection of personal data against surveillance by public authorities for European citizens. Without the Safe Harbor provision, companies that wanted to exchange data between the U.S. and the E.U. about European citizens – such as Google wanting browsing history – would have to individually negotiate elaborate legal agreements. As many as 1500 companies were involved, writes A.J. Dellinger in the International Business Times. So revising it to the Court’s satisfaction was really important.

It took President Donald Trump less than a week to put it in jeopardy again.

On Wednesday, Trump signed an executive order ostensibly to “enhance public safety in the interior of the United States.” But that order also included a provision noting that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” Some experts believe that will mean the E.U. will suspend the agreement.

“While the action may not have been specifically targeting the agreement with the EU, it very well may apply to it by excluding ‘persons who are not United States citizens or lawful permanent residents,’” Dellinger writes. “The phrase would apply to European citizens whose data is traveling across the Atlantic. The executive order puts the U.S. at risk of being sanctioned by the EU for violating its privacy laws and could lead to the suspension of the agreement entirely—a possibility that would be especially troubling for tech companies based in the U.S. who do business overseas.”

It’s also an issue with Canada, writes Michael Geist, a Canadian law professor, in his personal blog. “The decision requires an immediate review by the Privacy Commissioner of Canada on the effect of Canadian personal information and data sharing agreements and a potential re-assessment of what personal information is made available to U.S. agencies,” he recommends.

In response to the executive order, a number of legal professionals are raising the alarm, but it isn’t yet clear what can be done to rescind or modify the executive order to remove the offending paragraph.

In fact, some people in the E.U. had already felt that the protections in the revised Safe Harbor provision were inadequate, and were filing lawsuits, meaning that the Safe Harbor provision was already being threatened without Trump’s action, writes Hogan Lovells in Lexology. “In reality, the future of the Privacy Shield will be linked to the direction of travel of the new Trump administration and the extent to which the assurances given by the previous government on data access controls will stand,” he wrote presciently earlier this week.


January 23, 2017  12:27 PM

Trump, Obama Archives Set Up

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, social media

If you’re a politics fan and have some time on your hands, there’s some new rabbit holes to go down that give you a great opportunity to compare two Presidents.

First, the Internet Archive has set up an archive of more than 500 hours of Trump footage dating back almost ten years. Think that what he’s saying doesn’t mesh with what he’s said before? Afraid he’s going to pull a 1984 and say we’ve always been at war with Eastasia? Well, the Internet Archive has saved it all.

“The Trump Archive launches today with 700+ televised speeches, interviews, debates, and other news broadcasts related to President-elect Donald Trump, created using the Internet Archive’s TV News Archive,” writes Nancy Watzman in the Internet Archive blog. “A work in progress, the growing collection now includes more than 520 hours of Trump video. The earliest excerpt dates from December 2009, and the collection continues through the present. It includes more than 500 video statements fact checked by FactCheck.orgPolitiFact, and The Washington Post’s Fact Checker covering such controversial topics as immigrationTrump’s tax returnsHillary Clinton’s emails, and health care.”

What’s more, it’s all freely available. “Reporters, researchers, Wikipedians, and the general public are invited to quote, compare and contrast televised statements made by Trump,” Watzman writes, offering suggestions such as using clips in articles and videos and creating supercuts on topics like Trump’s perspectives of the US press. Moreover, she asked technical people to “help us enhance search and discovery by collaborating in experiments to apply artificial intelligence-driven facial recognition, voice identification, and other video content analysis approaches.”

Doesn’t that sound fun.

This is just a start, Watzman notes. “We’ll explore the idea of creating curated collections for Trump’s nominees to head federal agencies; members of Congress of both parties (for example, perhaps the Senate and House majority and minority leadership); Supreme Court nominees, and so on.”

The whole effort is similar to Politwoops, an effort that started in 2012 to keep track of politicians’ deleted Tweets – including those of President-Elect Trump.

At the same time, much of the content created under President Barack Obama’s administration has also been archived. “The Obama White House website – which includes press articles, blog posts, videos, and photos – will be available at ObamaWhiteHouse.gov, a site maintained by the National Archives and Records Administration (NARA), beginning on January 20, 2017,” according to a post on the aforementioned site. “If you are looking for a post or page on the Obama administration’s WhiteHouse.gov from 2009 through 2017, you can find it by changing the URL to ObamaWhiteHouse.gov.”

Given that President Trump’s administration is already removing content from the White House web pages, this is likely to be useful going forward.

That link also lists all the social media archives from the Obama administration, as well as new social media links for many former White House officials. “From tweets to snaps, all of the material we’ve published online will be preserved with NARA just as previous administrations have done with records ranging from handwritten notes to faxes to emails,” wrote Kori Schulman, Special Assistant to the President and Deputy Chief Digital Officer, in October, explaining how the digital transition would work. “Second, wherever possible, we are working to ensure these materials continue to be accessible on the platforms where they were created, allowing for real time access to the content we’ve developed.

While this is a laudable goal, they kind of had to, writes Lisa Vaas in Naked Security. “The White House didn’t have much choice, given that accessibility of federal government communications is required by the Freedom of Information Act (FOIA),” she writes. “All those tweets and Facebook posts need to be retained and available to the public on request, in a ‘future-proof’ format.” In other words, the material will continue to be available even if one of the platforms goes belly-up, she writes (as, for example, Vine already has).

In addition, there is also a searchable archive of social media posts spanning eight platforms, writes Alex Byer in Politico. While timing was certainly a factor, notes Ian Bogost at The Atlantic, Obama certainly embraced social media.

As well as giving heartsick Democrats something to cry over during the dark days moving forward, the archive will also be studied by researchers, such as the University of Texas School of Information.

Like it or not, social media and the Internet will be an indelible part of the Presidency going forward, just as radio and television were.


January 10, 2017  6:14 PM

If It’s January, It’s Gotta be a Storage Trends Story

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Flash, hyperconverged, Storage, Tape

This is January, and you know what that means: Trend stories. Specifically, storage trends.

Yes, for some reason a completely arbitrary line on a calendar turns everyone into prognosticators. Actually, the reason is pretty simple: Nobody announces anything in December and early January, and we’ve got to write about something.

Actually, with the consolidation and commoditization of the storage and e-discovery industries, there haven’t been as many predictions and retrospectives as there used to be. Other than worrying about what the Donald Trump administration is going to do, of course.

That’s what was interesting about a recent report from Kroll Ontrack about 2017 storage and security trends. While it was largely based on what the staff was seeing its own business, it still provided a useful snapshot as to what was going on.

The use of flash/solid state drives is increasing. Hold the presses. But Kroll’s evidence for this was interesting: “We have seen a 239 percent increase in the number of hybrid drives needing data recovery since 2014,” the company reports. That’s certainly one indication of, if nothing else, the reliability of such drives – or, perhaps, the lack of it.

The downside of hyper-converged storage. Vendors have been pushing hyper-converged storage and networking recently, billing it as easier to use. While that’s true, it comes with a downside: Vendor lock-in. And Kroll is running into similar issues.

“We are seeing that recovery from these complex systems often requires a custom solution because data is fully integrated into the unit making it difficult to gain sector-level access to the disks,” Kroll reports. Moreover, because hyper-converged devices are simpler, simpler people are using them, which runs into problems. “Organizations are employing less specialized individuals to operate hyper-converged storage systems – employees who may not have the depth of knowledge needed to solve more complex problems,” the company writes. “This presents new challenges when backups need to be verified or when data loss occurs.”

Tape is still around. In a separate survey of 819 IT administrators, Kroll found that many of them still haven’t gotten tape backup working right. “Nearly half of the companies surveyed (49 percent) confirmed they run two or three different backup solutions, with an additional seven percent running four or more parallel solutions,” the company reports. “Nearly one third (27 percent) of all participating companies reported they do not have clear insight into what specific information is stored on their legacy tapes.” In addition, more than half of respondents (56 percent) of respondents said they use different versions of their backup solutions (for example, different versions of the same backup format at each company site).

Consequently, the cost of keeping legacy data accessible, depending on company size, ranges from $10,000 to over $1 million annually. The primary costs are due to storage (70%), maintenance (69%), staff (52%), security (42%), and licenses (38%). And in an ominous sign, up to 40 percent of companies said they intend to terminate their maintenance contracts due to cost.

Security is hard. Kroll notes that stories of ransomware and associated data loss were rampant in 2016. “Hospitals, corporations, individuals and government entities were all exposed or lost data in these attacks,” the company writes. “Wearable technology is especially vulnerable as there can be little to no real security on your device.” For that reason, Kroll predicts a wider use of encryption – assuming a Trump administration will allow us to use it.

Here’s to 2017 and our new Soviet overlords.


December 31, 2016  11:46 PM

Amazon Echo Warrant Seeks Recordings

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, legal, voice

Prosecutors investigating a murder have submitted a warrant to Amazon, trying to get data that the suspect’s Amazon Echo smart home assistant might have recorded at the time.

If you don’t have an Echo (introduced in November, 2014) or similar device, it works like this: Unless the mike is shut off, the device is constantly “on,” listening for its name. Once it hears it, it records a snippet of audio so that the statement can be sent to the cloud, analyzed by servers, and then responded to.

In this particular case, on November 22, 2015, James Bates had several people over to watch a football game, including Victor Collins. Collins’ body was found in the hot tub the next day, and Bates was accused of killing him. Bates’ next hearing is scheduled for March 17.

But because Bates owns an Amazon Echo, and reportedly was using it the night of the murder to play music, prosecutors wanted to know if it had heard anything. “The search warrant, signed by a judge in August, requests all ‘audio recordings, transcribed records, text records and other data’ from Bates’ Echo speaker,” writes Jill Bleed for the Associated Press. “So far, authorities have obtained only basic subscriber and account information.”

Not to say the recordings might not be there. “Amazon keeps all of the recordings of you asking Alexa to play WNYC or of you setting a timer for 20 minutes. You can jump into the Alexa companion app and hear all of your requests again if you want to see just how bored you sound when talking to your home voice robot,” writes Jake Swearingen in New York. “I’ve heard from a professor who works in voice research that Amazon deletes all voice data after six months — but Amazon has no stated policy about how long it holds onto that data. Still, if any of this has you feeling uneasy about your Amazon Echo, you can always head to amazon.com/myx, find your Echo, and delete out all of your old voice recordings.”

This isn’t the first time the subject of what listening devices can hear has come up. A couple of years back, when voice-activated devices first started becoming more widely available, some people started freaking out that their voice-activated TVs might be “listening” to them. Some people were also concerned about children’s toys that had intelligent recording devices in them.

Nobody appears to be suggesting that the suspect asked, “Alexa, how do I hide a body?” or anything along those lines. It appears that prosecutors hope that someone giving Alexa a command might have caused the system to record some background noises relevant to the case. “Police did not specify what data they expected to find on Bates’s Echo — nor is it clear what the device could have captured that would have been relevant to the case,” writes Amy Wang in the Washington Post. “Only if someone happened to have triggered his device with its wake word would it have begun recording any audio. Even then, it seems unlikely that audio would be conclusive evidence of an alleged murder.”

And, frankly, it’s possible that prosecutors don’t exactly understand how Amazon Echo works, and are assuming that it’s always on and always recording, Wang writes. “At least part of the search warrant indicated police may not have had a full understanding of how the Echo worked,” she writes. “That allegation — that the Echo is possibly recording at all times without the “wake word” being issued — is incorrect, according to an Amazon spokesperson. The device is constantly listening but not recording, and nothing is streamed to or stored in the cloud without the wake word being detected.”

The search warrant gives some evidence of this, “The Amazon Echo device is constantly listening for the ‘wake’ command of ‘Alexa’ or ‘Amazon,’ and records any command, inquiry, or verbal gesture given after that point, or possibly at all times without the ‘wake word’ being issued,” notes the report.

Amazon, for its part, appears to regard the whole thing as a fishing expedition, and has thus far refused to comply with the warrant. “In a statement, Amazon said it ‘objects to overbroad or otherwise inappropriate demands as a matter of course,’” writes Kathryn Varn in the Tampa Bay Times.

One thing is clear: This isn’t over. “As we connect more things to the Internet in our houses, these devices will become involved in more crime investigations,” predicts Alina Selyukh, a tech blogger for National Public Radio. She points out, for example, that prosecutors used information from a smart meter to note that Bates had used a lot of water that evening, potentially to wash away evidence of a murder.

Moreover, it’s not out of the question that manufacturers of devices such as the Amazon Echo could become obliged to making, keeping, and providing such audio records to law enforcement.

And the case could also become a precedent for the Internet of Things. “’The Arkansas slaying could be a test case for how evidence rules apply to information from home appliances connected to the internet such as water meters, thermostats and lighting systems, said Nuala O’Connor, president of the Center for Democracy & Technology, a nonprofit group that works on privacy and civil-liberties issues,” Bleed writes.


December 30, 2016  10:19 AM

‘Rogue One’ Data Storage — a Cautionary Tale

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Encryption, Storage, User interface design

The problem with being a storage nerd is it makes it pretty difficult to enjoy the movies. In this day and age, too many movie plots hinge on computers and data, and moviemakers typically aren’t geeks, so it’s way too easy to lose your suspension of disbelief based on bonehead errors.

Take Rogue One. And yes, here be spoilers; as a good nerd, I saw it opening night, but waited til after Christmas to write this so that most reasonable people had already seen it.

Sneakernet is alive and well. Yes, here we are in a galaxy far, far away, with space travel and holograms and planet destroyers, and we still are exchanging data using tape cartridges, CD-ROMs, USB sticks, and watching a meter as we upload data? And tape cartridges have a handy-dandy loop on them so you can hook them to your belt? Not to mention the fact that, although all the plans are in electronic data storage, there’s no way to gain access to the file other than flying out to that base.

Encryption isn’t a thing? Okay, maybe the reason you couldn’t gain access to the file other than by flying out to the base was for physical security. I’ll buy that. But then they have that entire library stored out there, with all the seeekrit plans for the Death Star, in unencrypted files? See what happens, FBI, when you outlaw encryption?

Data centers powered by renewable energy. Perhaps the Scarif data center was also protected by a moat. With a waterfall. But perhaps the waterfall was there to power the library using renewable energy. It’s nice to know that even the Empire wants to be green.

User interfaces still need work.  Okay, it’s not “It’s Unix! I know this!” but apparently all the user interface designers got killed off early in the war because all the technology seems incredibly hard to use. That tape library is pretty snazzy – but there’s no instructions or intuitive interface, and access to the tapes needs to be done manually? And uploading data means you need to walk out on a catwalk to manually adjust the satellite dish? Or hook up a manual data transmission with a big, fat (yet, still incredibly flexible) cable that nonetheless requires you to walk out to a control panel to flip a master switch? (And has a port that just anybody can walk up and plug said cable into?)  Not to mention, how screwed are you if, while using those instructionless mechanical hands, you happen to drop the tape cartridge down twenty stories?

We still don’t have a good system for filenames. Admittedly, Erso couldn’t call the blueprints Secret_Plan_to_Destroy_Death_Star, but really, we’re reduced to having Jyn read the filenames manually until she finds the one that’s her nickname? So if Jyn hadn’t been around, the Alliance never would have stumbled on the plan? Knowing a secret about the designer worked to find the back door in Wargames, but shouldn’t we have advanced beyond that by now?

Back doors don’t work. If nothing else, perhaps Rogue One will point out to law enforcement and the federal government why encryption back doors are a bad idea. Erso’s back door allows a couple of rebels with bombs and teeny planes to destroy an $852 quadrillion investment. At least it’s reassuring to find out, after almost 40 years, that someone had created that flaw in the design on purpose.

We still don’t have backups? Rebels are at the Scarif archive? No problem, says Governor Tarkin; we’ll just blow it up – a decision that caused no small amount of hand-wringing among librarians. “Did the Empire have a data backup plan?” worries Gabriel McKee, librarian for collections and services for New York University’s Institute for the Study of the Ancient World, who still hasn’t gotten over the destruction of the library at Alexandria. “What else was stored there, and was any of that data backed up elsewhere? Did Tarkin have authorization to, for lack of a better word, deaccession the entire archive? And could anything of Scarif’s archive have survived such apocalyptic weeding?”

If nothing else, perhaps Rogue One can be used as a cautionary tale of how not to set up a storage archive.


December 22, 2016  2:07 PM

Scientists Copy Data to Save It From Trump

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, Storage

Co-founder of the Electronic Frontier Foundation John Gilmore was known for his saying, “The Internet interprets censorship as damage and routes around it.” With Donald Trump’s election as President, the Internet is getting a little help.

Concerned that a Trump administration might delete decades of weather data in an effort to make it more difficult to demonstrate climate change, scientists are reportedly frantically making copies of weather databases in Canada, writes Brady Dennis in the Washington Post.

“Something that seemed a little paranoid to me before all of a sudden seems potentially realistic, or at least something you’d want to hedge against,” Nick Santos, an environmental researcher at the University of California at Davis who started copying government climate data onto a nongovernment server after the election — where it will remain available to the public – told Dennis. “Doing this can only be a good thing. Hopefully they leave everything in place. But if not, we’re planning for that.”

Paranoid? Maybe not, writes Weston Williams in the Christian Science Monitor. “This would not be the first time access to climate research was restricted by a US president,” he writes. “During President George W. Bush’s administration, many Environmental Protection Agency libraries were shut down, and there were multiple accusations that government publications on climate change had been edited to change their meaning.”

With Trump, activities such as the appointment of climate change deniers, the attempt to find climate change supporters in federal agencies, and the suggestion that NASA should no longer do weather research leads scientists to believe that a Trump administration could try to alter or dismantle parts of the federal government’s repository of data on everything from rising sea levels to the number of wildfires in the country, Dennis writes.

“To be clear, neither Trump nor his transition team have said the new administration plans to manipulate or curtail publicly available data,” Dennis notes. “The transition team did not respond to a request for comment. But some scientists aren’t taking any chances.”

It all started with a Twitter crowdsourcing request from meteorologist Eric Holthaus, Dennis writes. “What are the most important .gov climate assets? Scientists: Do you have a US .gov climate database that you don’t want to see disappear?”

Within hours, responses flooded in from around the country – enough that Holthaus created a Google spreadsheet to keep track of them all. In addition, investors offered money, attorneys offered legal help, and database specialists offered expertise and storage, Dennis writes. There’s now a GitHub repository as well.

“Within two days, more than 50 key data sets had been identified, and six of them have already been archived on publicly available nongovernment servers,” reports Holthaus. “Complementary efforts at the University of Pennsylvania and the University of Toronto are merging resources to attempt to avoid duplication of effort, and the Penn Program in the Environmental Humanities put the data refuge online Tuesday afternoon. On Twitter, the most common response to the project was, ‘I can’t believe it’s come to this.’”

In some cases, they’re even making a party out of it. At the University of Toronto, researchers held a “guerrilla archiving” event to catalogue key federal environmental data ahead of Trump’s inauguration, Dennis writes.

Presidential Transition

The work is associated with the End of Term Presidential Harvest 2016, an effort by the Internet Archive to ensure that useful federal government data isn’t lost during the transition between Presidents. “With the arrival of any new president, vast troves of information on government websites are at risk of vanishing within days,” writes Jim Dwyer in the New York Times. “The fragility of digital federal records, reports and research is astounding.

The Presidential Harvest project – “a volunteer, collaborative effort by a small group of university, government and nonprofit libraries to find and save valuable pages now on federal websites,” Dwyer  writes – began before the 2008 elections and returned in 2012.

Moreover, the Internet Archive, which purports to make a copy of everything on the Internet, is also hoping to set up a copy of itself in Canada lest something happen to its American data, writes Michael Hiltzik in the Los Angeles Times. The Internet Archive  includes copies of 279 billion web pages, 2.2 million films and videos, 2.5 million audio recordings and 3 million digital books, as well as software and television programs, he writes.

“The Internet Archive has stepped up its plans to back up its entire data hoard in Canada, out of reach of what might be efforts under a Trump administration to block public access to the material,” Hiltzik writes. Internet Archive founder and chairman Brewster Kahle is seeking donations to cover the estimated $5-million cost of the project by Jan. 20, Inauguration Day, he adds. Kahle is doing this because he is concerned by some of the things Trump said while campaigning.

On the other hand, the EFF is calling for the opposite tactic: The computer civil liberties organization ran a full-page ad in Wired encouraging sysadmins to, among other things, delete log files so they couldn’t be used in the future against people. “EFF’s open letter outlines four major ways the technology community can help: using encryption for every user transaction; practicing routine deletion of data logs; revealing publicly any government request to improperly monitor users or censor speech; and joining the fight for user rights in court, in Congress, and beyond,” the organization explains in a press release. “President-Elect Trump has promised to increase surveillance, undermine security, and suppress the freedom of the press. But he needs your servers to do this. Join us in securing civil liberties in the digital world, before it’s too late.”


December 11, 2016  11:05 PM

Amazon Snowmobile Issues Need Solving

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Amazon, Glacier, Storage

Amazon has upped the ante on that old question of the bandwidth of a station wagon full of backup tapes hurtling down the highway: For one thing, instead of a station wagon, it’s a semi.

The data storage device hauled by the semi is a 45-foot shipping container called Snowmobile, and it could let people send up to 100 petabytes of data to Amazon Web Services – much, much faster than it would take to upload it. A petabyte is 1 million gigabytes. The data can be stored in either Amazon’s regular S3 service, or its “Glacier” cold storage service, which is less expensive.

The notion of doing the initial upload of data to a cloud service by shipping a physical hard drive isn’t new; the major cloud vendors have all supported this for a while. This is, in fact, considered an upgrade to Amazon’s “Snowball” service, which uses a mere 80TB suitcase.

But a semi? That’s new.

Amazon plans to drive Snowmobiles to its customers’ offices, extract their data, then cruise to an Amazon facility where the information can be transferred to the cloud-computing network in far less time than it would for so much data to travel over the web,” write Jay Greene and Laura Stevens in the Wall Street Journal. “Ten Snowmobiles would reduce the time it takes to move an exabyte from on-premises storage to Amazon’s cloud to a little less than six months, from about 26 years using a high-speed internet connection, by the company’s calculations.”

Amazon announced the new service at its annual customer conference. It is actually already available and costs half a cent per gigabyte per month of use, or about $500,000 a month to use its full capacity, Greene and Stevens write.

Physically, Snowmobile attaches to your network and appears as a local, NFS-mounted volume, writes Jeff Barr, AWS chief evangelist, in a blog post (which includes all sorts of awesome Legos showing how it works). “Snowmobile is a ruggedized, tamper-resistant shipping container 45 feet long, 9.6 feet high, and 8 feet wide,” he adds. “It is water-resistant, climate-controlled, and can be parked in a covered or uncovered area adjacent to your existing data center. Each Snowmobile consumes about 350 kW of AC power; if you don’t have sufficient capacity on site we can arrange for a generator.”

So how do you attach it to your network? “Each Snowmobile includes a [fiber] network cable connected to a high-speed switch capable of supporting 1 Tb/second of data transfer spread across multiple 40 Gb/second connections,” Barr writes, adding that you can use your company’s existing backup or archiving tools. “Assuming that your existing network can transfer data at that rate, you can fill a Snowmobile in about 10 days.”

Of course, the question of security comes up. You don’t want your company’s entire data record to be hijacked by some guy with a CDL. “Snowmobile uses multiple layers of security designed to protect your data including dedicated security personnel, GPS tracking, alarm monitoring, 24/7 video surveillance, and an optional escort security vehicle while in transit,” writes Amazon. “All data is encrypted with 256-bit encryption keys managed through the AWS Key Management Service (KMS) and designed to ensure both security and full chain-of-custody of your data.”

Exactly when and where this encryption is done isn’t said; can you load encrypted data onto Snowmobile, so that even Amazon doesn’t know what it is, or is it Amazon that encrypts the data, meaning the company has access to the data at some point?

There’s also the matter of securing the trucks themselves while in transit, writes Daniel Stoller in Bloomberg. “Researchers recently said that trucks, much like the ones Amazon would use, are prone to the same kind of hacking attacks that have disabled some connected cars,” he writes. “The researchers showed that there is a real possibility of ‘safety critical attacks that include the ability to accelerate a truck in motion, disable the driver’s ability to accelerate and disable the vehicle’s engine brake.’”

That also raises the question of what happens to the Snowmobiles full of data after it’s uploaded. How do you wipe a Snowmobile, how long does it take, and what assurance do you have that Amazon actually does this? Assuming it does; Amazon doesn’t talk about it.

The question also arises, why bother transferring the data at all? Why not just truck it to Amazon, plug it in, and leave it? Though having all the data on a physical device would sort of defeat the purpose of having it in the cloud.

Getting the data back out again may be more of an issue (a problem Amazon has also had with Glacier. “The initial launch is aimed at data import (on-premises to AWS),” Barr writes, though he adds, “We do know that some of our customers are interested in data export, with a particular focus on disaster recovery (DR) use cases.”

It will be interesting to see whether other cloud vendors, such as Google and Microsoft, follow suit, or if Amazon will have the long-haul data-trucking field to itself.


November 30, 2016  6:34 PM

Microsoft-DoJ Irish Data Case Headed for Supremes

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, law, Microsoft, privacy, Security

As you may recall, in July the Second Circuit Court of Appeals ruled that Microsoft did indeed not have to turn over data it owned that was stored in Ireland, in response to a Department of Justice (DoJ) search warrant. At the time, supporters were glad but said it was possible that the DoJ would appeal the decision, which would mean it would go to the Supreme Court.

That has indeed happened, as of October. Sort of.

Technically, the appeal is to the Second Circuit Court of Appeals, and asks for an en banc hearing. In other words, the DoJ wants to present the information to everybody, not just a subset of judges, in hopes that they can find enough judges to agree with them. In practice, though, the Second Circuit rarely grants en banc hearings, and the previous ruling was unanimous anyway, so even if they did grant it, the verdict would likely be the same, writes Jeff John Roberts in Fortune.

The upshot, then, is that the case is likely to go to the Supreme Court.

This all gets pretty down in the weeds. “In filing for the appeal to the US Supreme Court, the DoJ has claimed that the Court of Appeals misinterpreted the law as to when companies are obliged to disclose data stored on servers in foreign jurisdictions,” writes William Fry in Lexology. “The Court of Appeals ruled that in order to rebut the presumption against extra-territoriality of legislation, the statute under which the warrant was issued (the Stored Communications Act) would have to contain an ‘affirmative indication’ of an intention to apply outside the US. The court determined that enforcement of the warrant constituted an unlawful extra-territorial application of the Stored Communications Act.”

In other words, because the Stored Communications Act didn’t specifically mention international communications, it shouldn’t apply, the Second Circuit ruled.

What some in the U.S. would like to do is, instead of making law through the court system, make it through legislation that specifically addresses the issue of international data searches, Fry writes. And that is indeed the mechanism the appeals court suggested in July. The Congressional sponsors of the ICPA have also written to the DoJ asking it to work with them on fine-turning the ICPA legislation.

The ICPA is an updated version of the Electronic Communications Privacy Act, which dates from the 1980s, and includes such things as a free pass to search for data as long as it’s more than six months old, writes Eric Peters in InsideSources. “The International Communications Privacy Act has been written to deal with ECPA’s shortcomings — including rescinding the ‘180-day loophole’ for data mining without a warrant — and to tamp down the international kerfuffle over whose laws apply,” he writes, calling on the current lame-duck Congress to pass the bill before the next session.

There hasn’t been much indication of this happening, and it seems unlikely that the incoming Congress and Administration are likely to do much about protecting users from government data search.

If the case does end up in the Supreme Court, that’s a whole new kettle of fish. Recall that, at least for the time being, there are only eight justices. What that means is, if they have a tied decision, it would apply only to this single case, not as a precedent.  On the other hand, now that the election is over and the Senate is staying in Republican hands, it’s conceivable that there could be a ninth Justice by October, when the new Supreme Court year starts. In any event, Fortune’s Roberts believes that the Supreme Court would agree to hear the case because of its importance.

Another nuance is that different Internet companies have different policies for how they store their data, with some of them stashing it wherever’s convenient at the moment, anywhere in the world, and some of them choosing a location in or out of the country where the user resides. The Second Circuit’s decision makes it difficult for the DoJ to follow any procedure to get that data, writes Orin Kerr in the Washington Post. “ I didn’t expect that major domestic providers would respond to a ruling that they can’t be compelled to disclose foreign-stored emails pursuant to a warrant by refusing to disclose foreign-stored contents voluntarily when the target was domestic and the only reason that particular e-mail was foreign-stored at that instant was the fluid nature of the network’s architecture,” he writes.

In case this is all a blur to you, Microsoft reportedly had email messages from one of its customers stored on a server in Ireland. The DoJ wanted access to those email messages while pursuing an unspecified case, claiming that since the email messages were controlled by Microsoft, an American country, the DoJ had jurisdiction over them even though they were stored in Ireland.

This viewpoint was fraught for a number of reasons, as I described in July.

  • Because so many computer companies are American, it would mean an awful lot of data worldwide would be subject to access by the U.S. government.
  • Computer companies worried that worldwide customers would stop using them because they were afraid they’d get their data accessed.
  • Having the data subject to U.S. access could mean that the company – Microsoft in this case, but any company – could be violating data privacy laws in force at the second country. (For that reason, dozens of companies and civil liberties organizations – as well as the government of Ireland itself — filed amicus curiae briefs supporting Microsoft.)
  • If this precedent was set with the U.S., all the other countries in the world could declare that, in that case, all their data laws could apply to any company doing business in their countries, which could be an incredibly complicated, contradictory mess.

For its part, the DoJ  said that if users could stash their data overseas, it would make it hard for the DoJ to catch bad guys. While there were other methods that would give the U.S. government the ability to request the data stored in the foreign country, the DoJ said they were hard to do,

At this point, it’s up to the Second Circuit – and after that, the Supremes.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: