Yottabytes: Storage and Disaster Recovery


July 22, 2017  10:22 AM

Supremes to Decide Cellphone Location Data Case

Sharon Fisher
privacy, Security, smartphone

The laws governing search and seizure of data on a person’s cellphone continue to evolve – and next fall, they’re likely to evolve some more, as a critical case goes to the Supreme Court. At the heart of the case is the distinction between content and metadata.

Let’s say you send someone an email message. The body of the message is the content. But all the information about the message – to whom you sent it, when you sent it, where you were when you sent it, and so on – is metadata, or data about the message. In a number of cases, courts, prosecutors, and law enforcement have made the distinction between the two, saying that while a search warrant is required to see the content, the metadata is fair game.

Now, one of those issues – in particular, the location data of your cellphone – is actually going to be argued in front of the Supreme Court, which is likely to settle the issue once and for all.

It’s all due to a case called Carpenter. Two guys in Detroit were accused of robbery, and the Federal Bureau of Investigation (FBI) used their cellphones to prove that they were near a number of the incidents. To do this, the FBI went to the suspects’ cellphone providers and obtained a lot of data about the suspects’ locations – more than 12,000 for one guy, and almost 24,000 for the other guy. The defense attorneys for the guys are saying that the phones revealed so much personal data about the guys that a warrant should have been required for the search.

Moreover, these two guys aren’t the only ones who had their phones searched for location data; according to providers such as AT&T, this happens thousands of times a year.

You might think, “Wait. Didn’t the Supreme Court decide this already?” Well, sort of. In June, 2014, in a case known as Riley, the Supreme Court ruled that law enforcement officials needed a warrant to search someone’s cell phone. However, this case is different, because Riley covered searching the content of a cellphone, while Carpenter covers searching the metadata.

A number of organizations – including such odd bedfellows as the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation, and the conservative Cato Institute — have filed friend-of-the-court briefs hoping to protect metadata, saying that giving law enforcement access to a person’s location files amounts to unlawful search and that a warrant should be involved.

“The Fourth Amendment was designed precisely to protect the kinds of intimate details that police seized without a warrant in Carpenter,” writes the ACLU. “For example, an analysis of Carpenter’s whereabouts suggests that he slept away from home on December 22, 2010, in what appears to be an aberration. The location data also shows that in the early afternoon on a number of Sundays, Carpenter made or received calls from the cell tower sectors nearest to his church. His cell phone records do not routinely show him in that area on other days of the week, implying that he was worshipping at those times. Together, the data reveals a granular accounting of Carpenter’s locations and movements over the four-month period.”

“Although the case is formally about cell-site records, it’s really about where to draw lines in terms of what network surveillance triggers the Fourth Amendment and how the Fourth Amendment applies,” argues Orin Kerr of the Volokh Conspiracy, in the Washington Post. “The justices can’t answer how the Fourth Amendment applies to cell-site records without providing a framework for how the Fourth Amendment applies to many other forms of surveillance, such as visual surveillance, obtaining traditional phone records, obtaining e-mail transactional records, obtaining credit card records and the like.”

Not everyone agrees. “Carpenter v. United States is part of the ACLU’s campaign to hobble police and shield wrongdoers — both terrorists and common criminals — from the latest technologies available to law enforcement,” writes Betsy McCaughey in the New York Post, while muttering darkly about terrorists. “But how else could agents find out whether he was near the robbed stores?” (Fortunately, “but law enforcement didn’t have any other way to get the information” isn’t typically an acceptable excuse for violating the Constitution.) There is also some concern that such a ruling could limit the use of location data by marketers.

A particular nuance in this case is the notion of third-party doctrine, Kerr explains. In other words, law enforcement didn’t get the metadata directly from the suspects’ cellphones, but from a third party – their service providers. Third-party records require only “reasonable suspicion” that a person was involved in a crime, not “probable cause,” which requires a warrant, writes Peter Henning in the New York Times.

What’s important about this case is it will determine whether metadata from a third party will also require a search warrant, Kerr explains. For example, the third-party doctrine is frequently cited by the government in support of the legality of NSA collection of metadata, writes Emma Kohse in the Lawfare blog.

Another nuance is that the Supreme Court has already ruled that collection of data from a GPS tracker required a warrant, but law enforcement has argued that the cellphone tower location data obtained in Carpenter was less specific than the data from a GPS tracker, so it didn’t require the same level of protection, Henning adds.

In the meantime, there’s not much you can do to avoid this other than turning off your phone. Moreover, this isn’t even data collection that you can stop by turning off or deleting location tracking, because it’s the cell tower data collected by your provider. So it will be interesting to see how the Supreme Court – with its newly appointed justice Neil Gorsuch – will rule.

July 13, 2017  9:06 PM

Beware! USB Web Key In the Mail

Sharon Fisher
Security, Storage, USB

You’ve heard about phishing. Now we’ve got one with actual bait: a mailed USB card called a web key.

As one techie describes it, “Here is the prototype for the next big wave of security breaches.”

According to TJ Gamble, founder and CEO of ecommerce company jamerson.com, Blue Cross/Blue Shield is sending out letters that include something like a business card or a credit card with a built-in USB drive. The letter urges recipients to insert the device into their computers to find out all the wonderful things that Blue Cross could do for them.

Gamble Tweeted a picture of one of the letters, showing the USB drive, known as a “web key.” He also put together a YouTube video going into more detail.

In a LinkedIn post elaborating on the Tweet, and in his video, Gamble hastened to clarify that he wasn’t accusing Blue Cross of anything nefarious. “I am not accusing BCBS of creating software that is less than aboveboard,” he writes. “However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.”

In other words, it would be like phishing – except instead of getting email from what appears to be Google or Facebook, you’re getting actual physical mail from what appears to be a trusted source like Blue Cross. Instead, it could have a potentially nasty payload that could install malware, steal your data, reprogram your device, destroy your laptop, or set it on fire. Moreover, the mailing apparently targeted human resources professionals, who might not know about the security risks involved, Gamble notes.

On the other hand, if someone gets caught sending them out, it’s presumably mail fraud, a Federal crime. And due to this risk, as well as the cost of producing the devices in the first place – 50 cents to a dollar each, he estimates — Gamble writes that he wouldn’t expect to see the general public start receiving these. “However, it definitely provides some ideas for going after high-value targets,” he warns – a variation known as “spear phishing.”

Blue Cross defenders commenting on Gamble’s piece point out that the company is hardly the first to use such Web key devices, linking to a Pinterest board of examples. (For what it’s worth, I’ve never seen the things before.) On the other hand, commenters also noted that malware or other payloads could be inserted anywhere along the supply chain for the devices, including where they were built, and in any event it was dangerous to train users to start inserting these devices.

In any event, the advice remains the same: Don’t poke strange USB sticks into your devices.


June 30, 2017  8:48 AM

Microsoft-DoJ Case Headed to the Supremes

Sharon Fisher
government, Microsoft, privacy, Security

Experts who have been saying for a while now that the Microsoft-Department of Justice case would eventually end up before the Supreme Court are finally being proven right: the DoJ requested earlier this month that the Court handle the case.

As you may recall, the case, which started in 2014, involved whether Microsoft must release data stored on one of its servers to a U.S. government agency, even though the data in question is outside the U.S., setting the stage for a massive worldwide confrontation on just who has the right to have access to data where. Most recently, in January the Second Circuit Court of Appeals denied a rehearing of the case, which left the Supreme Court as the only option.

Now, at the very last minute – and after two extensions – the DoJ has decided it wants to take the case to the Supreme Court to be decided once and for all.

Microsoft, as well as the other technology companies that have been anxiously watching the proceedings and filing amicus briefs, were surprised, because they had thought that the federal government had agreed with some lower courts that the real solution was a legislative one. This would most likely involve updating the 1986 Electronic Communications Privacy Act and the Stored Privacy Act on which the case was based.

Indeed, Sen. Orrin Hatch (R-Utah) (who is, incidentally, third in line to become President) put forth legislation last year, the International Communications Privacy Act, which has languished since then. A legislative solution could solve a number of current problems, including making it easier to request such data from foreign governments.

In addition, a new law, the General Data Protection Regulation, governing this issue is also scheduled to take effect in Europe next year. “In less than one year, a new European data protection law will go into effect,” writes Brad Smith, Microsoft’s president and chief legal officer, in a blog post. “Under that law – called the General Data Protection Regulation – it would be illegal for a company to bring customer data from Europe into the U.S. in response to a unilateral U.S. search warrant.” Depending on how the Supreme Court rules, a vendor could find itself violating international law by following American law, or vice versa, he warns.

And the whole thing is predicated on treating digital data – by virtue of its accessibility – differently from other, physical, types of evidence, writes Karlin Lillington in the Irish Times. “If the desired evidence were concrete (say, paper documents) rather than digital, US authorities would have to use existing international law-enforcement agreements,” she writes.

A favorable Supreme Court ruling sets a dangerous precedent for the cloud computing industry, Lillington continues. “If the US government has the right to directly seize internationally-held data, then other countries will of course, expect the same right to in effect conduct international digital raids for American or other nations’ data, in the US or around the world, with near-impunity,” she writes. “This raises obvious data-protection, data-privacy, and surveillance concerns. It also completely undermines the whole concept of cloud computing – the movement and storing of data by organizations in international jurisdictions – and suggests businesses would have to run stand-alone operations and data centers in every geography in which they operate.”

Part of the problem is that while Microsoft has been prevailing legally, a similar, later case with Google was won by the government. In April, a federal magistrate judge in San Francisco denied Google’s attempt to quash a warrant seeking data stored abroad, writes Ben Hancock in Law.com. “It was at least the third such decision involving Google in as many months, and another magistrate judge in Florida in early April forced Yahoo to hand over data in a similar ruling.” Google, like Microsoft, prefers a legislative solution.

However, Google has also been using a different legal argument from the one Microsoft has been using, Hancock writes. “Microsoft argued that if authorities in New York wanted the email data in Ireland, all they had to do was go through a treaty process with Irish authorities,” he writes. “By contrast, Google has essentially argued—in part because of its practice of ‘sharing’ [he means “sharding” – he’s a lawyer, not an engineer] data into pieces spread across servers around the globe, for the purpose of network efficiency—that data stored outside the United States cannot be accessed by U.S. authorities or by authorities in any other jurisdiction.”

If the Supreme Court decides to hear the case, how the Court might rule is undetermined, particularly since there are a couple of new factors. First, the Court has a new member, so it can’t tie and not have its ruling used as a precedent. Second, the new member, Neil Gorsuch, is reportedly very conservative, even activist, according to the Los Angeles Times. Third, the rumor is that swing justice Anthony Kennedy is going to retire before the next session. All of these factors apparently make the government think it is more likely to prevail in this case, rather than waiting on the legislative solution — no matter the consequences.


June 28, 2017  6:40 AM

Micron Shuts Down Lexar

Sharon Fisher
Memory, Micron, Storage

New Micron CEO Sanjay Mehrotra, cofounder of SanDisk, who took over just in April, is apparently wasting no time: The company has shut down Lexar, its primarily consumer division, and is looking for ways to sell it.

“Micron Technology today announced that it is discontinuing its Lexar retail removable media storage business,” writes consumer products group vice president Jay Hawkins in a blog post. “The decision was made as part of the company’s ongoing efforts to focus on its increasing opportunities in higher value markets and channels.” Micron is “exploring opportunities” to sell all or part of the Lexar business, he continues.

Hawkins also didn’t say whether layoffs would be involved, though he did thank the Lexar team for its contributions. If Micron is pulling out of consumer products, one wonders how much longer he’ll be around, too.

Micron bought Lexar in 2006 but continued operating it as a separate division from the rest of the company, which sells its products to vendors. Lexar – which still has its own web pages up – was announcing new products as recently as February and March.

Interestingly, Lexar vice president and general manager Wes Brewer had written almost exactly a year ago about the use of storage in drones. With drones’ soaring popularity (sorry), it’s surprising that Lexar couldn’t find a way to make a go of storage for the devices, or that Micron wouldn’t try to use Lexar as a way to get into that lucrative market.

Perhaps coincidentally, Micron is expected to announce its earnings on Thursday. Could it be that they’re going to be bad news and the company wants to either distract everyone or else make it clear that it’s addressing the issue?

And yet the majority of stock analysts believe that the company will beat its earnings projections. Micron stock has also been on a pretty steady upturn since FQ4’16, according to Estimize.

“Analysts expect Micron Technology, Inc to report a revenue of $5.41 billion, good for 86.6% YoY growth and 16% sequential growth,” writes Kumar Abhishek for Amigobulls. “On the earnings side, analysts expect Micron to report a non-GAAP EPS of $1.5, far higher than $0.02 loss per share the company had reported in the comparable quarter last year. Analysts’ estimates are in line with the company guidance for this quarter.”

“The third quarter is expected by analysts and by Micron management to be its most profitable quarter since 2013 and guidance for Q4 looks poised to be even better, almost exclusively on the back of a rebounding DRAM pricing environment,” predicts Kumquat Research in Seeking Alpha.

“The company reported modest second-quarter fiscal 2017 results,” writes Zacks Equity Research. “The top and bottom lines increased on a year-over-year basis, primarily due to pricing improvement in DRAM and NAND sales volume. We believe that the improving prices for DRAM and NAND chips make investors confident about Micron’s growth. Per various sources, the prices for these specific chips have improved primarily due to a better product mix optimization and higher-than-expected demand for PCs, servers and mobiles. We believe that any increase in prices will have a favorable impact on the company’s top line and the benefit is likely to flow down to the bottom line. The benefit from improved pricing was well reflected in the company’s last quarterly results. We anticipate these benefits to reflect in the to-be-reported quarter as well. Additionally, we are positive about the company’s strategy of enhancing its operating capabilities through acquisitions which are likely to boost its top-line performance.”

On the other hand, none of these rosy articles (even this gigantic one) even mentions Lexar, instead focusing on Micron’s DRAM business. So perhaps the company is intending to focus only on its most profitable line. Let’s hope it doesn’t regret putting all of its chips into one basket.


June 19, 2017  12:04 PM

Pence AOL Email Costs State $100K

Sharon Fisher
Email, government, privacy, Security

Here’s another reason why politicians shouldn’t use private email accounts to conduct official business: It can cost your state $100,000.

This is reportedly what the state of Indiana is spending to hire people to deal with the backlog of Freedom of Information Act (FOIA) requests for former governor, now vice president, Mike Pence after it was ascertained that he used an AOL.com email address for official business.

“Emails released to IndyStar in response to a public records request show Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe,” wrote Tony Cook for the Indianapolis Star when Pence’s AOL account was revealed in March.

In May, a number of papers reported on the FOIA backlog. “The administration of Pence’s successor as governor, Eric Holcomb, entered a one-year contract last month with a Shelbyville firm, McNeely Stephenson, to handle the ‘unusually high’ number of requests, records show,” writes the Associated Press. “More than 50 such requests are pending.”

“A portion of the requests are generic and ask for emails related to state business sent or received by Pence,” write Cook and Kaitlin Lange in the Indianapolis Star, adding that the paper has two outstanding requests of its own. “Others have asked for emails from Pence’s personal account relating to the 2016 election, voter fraud and RFRA. Among those making requests were national reporters from the New York Times and Rewire, a publication that covers reproductive health issues.”

Interestingly, Lange and Cook report that the $100,000 is to be divided, with $30,000 to be paid in 2017 and the remaining $70,000 in 2018, indicating that the law firm doesn’t expect to respond to the requests soon. On the other hand, if the years are fiscal years rather than calendar years, fiscal 2018 would start on July 1, 2017, and that time period would be less surprising.

It is not clear why Pence chose to use a personal email account for some messages, such as whether he was trying to hide the messages from Indiana citizens, or simply used whatever email address was convenient. The official response was, “Similar to previous governors, during his time as Governor of Indiana, Mike Pence maintained a state email account and a personal email account. As Governor, Mr. Pence fully complied with Indiana law regarding email use and retention. Government emails involving his state and personal accounts are being archived by the state consistent with Indiana law, and are being managed according to Indiana’s Access to Public Records Act.”

At that time, the office released 29 pages of email messages from Pence’s AOL account, but declined to release an unspecified number of others “because the state considers them confidential and too sensitive to release to the public,” Cook writes.

Yes, the messages too confidential and sensitive to release to his constituents were sent using AOL. Oh, and it got hacked. “Pence’s account was actually compromised last summer by a scammer who sent an email to his contacts claiming Pence and his wife were stranded in the Philippines and in urgent need of money,” Cook writes. After that, Pence reportedly set up a different AOL account.

Aside from the security aspect, the private email account also raises troubling issues of government transparency, Cook writes. “Advocates for open government expressed concerns about transparency because personal emails aren’t immediately captured on state servers that are searched in response to public records requests.”

And while Indiana state officials are advised to copy or forward their email messages involving state business to their government accounts to ensure the record is preserved on state servers, there is no indication that Pence took any such steps to preserve his AOL emails until he was leaving the governor’s office, Cook adds, when he sent his staff with 13 cartons of printed email messages to the Indiana Statehouse to be archived. The law firm is trying to get digital access to the messages to speed up the public records response process, according to the AP.

As you may recall, Pence criticized Democratic presidential candidate Hillary Clinton for using a private email server for all of her email messages. “Pence fiercely criticized Clinton throughout the 2016 presidential campaign, accusing her of trying to keep her emails out of public reach and exposing classified information to potential hackers,” Cook writes.

But that’s different, Pence said. “There’s no comparison whatsoever between Hillary Clinton’s practice — having a private server, misusing classified information, destroying emails when they were requested by the Congress,” he responded in March to the Indianapolis Star article. “We have fully complied with Indiana’s laws. We had outside counsel review all of my previous email records to identify any that ever mentioned or referenced state business.”

Pence supporters also say that sending all messages through a private email server that one controls is not the same thing as sending some messages through a commercial email provider. One can argue the relative benefits and weaknesses of the two systems.

Good news, though: Pence has reportedly stopped using AOL since taking office as vice president.


June 13, 2017  2:29 PM

Amazon Unlimited Storage Goes Away

Sharon Fisher
Amazon, cloud, Storage

Sorry, kids. Amazon has decided to eliminate its unlimited storage plan.

Announced in March, 2015, the plan gave subscribers unlimited storage for $60 a year. While there have been a lot of storage price wars over the past few years, it was hard to beat unlimited.

Now, however, for $60 you get a terabyte. “If you currently have a paid Unlimited Storage subscription, you can continue to use your current subscription until the plan expires,” Amazon said. “At the end of your current plan, you will automatically be entered into a 1 TB plan if you have 1TB or less of content, unless you’ve disabled auto-renew on your current subscription.” (Which means, if you didn’t use your unlimited storage very much, you might want to check your plan and see how much money you can save now.)

If you already have more than a terabyte stored, Amazon will give you options for other pricing plans – basically, an additional $60 per terabyte per year, up to a limit of 30 terabytes. “If you have more than 1 TB of content stored, or if you’ve disabled auto-renew, you will not be automatically renewed. You will have the opportunity to select a new plan that covers your content needs by visiting Manage Storage.” You have six months (180 days) of being over quota before Amazon starts zapping your files, last first, to bring you under the limit.

It’s not like unlimited Amazon storage was necessarily great shakes anyway. People who used it when it was first announced two years ago reported on Reddit that it was slow and had an awkward interface. Hmm, almost as though they didn’t want to make it too easy to use for fear people would use it too much. Note that cloud storage companies that want to encourage people to use a lot of storage have been offering services where you could send in a hard disk drive, eliminating the upload delay problem.

Other companies that have tried to promise “unlimited” storage have also had to back down. Microsoft announced unlimited storage for OneDrive in 2014, backing off from it a year later.

The issue is that when people get the opportunity to do anything unlimited, the really heavy users come out of the woodwork, Jared Newman wrote in Fast Company in 2015. “Drawing on its knowledge of how people used traditionally priced, tiered storage services, the company had assumed it would see a fairly even distribution between lighter and heavier users,” he wrote. “Combined with ‘de-duplication’ technology that prevents redundant data from being stored more than once in the cloud, Bitcasa figured it could keep costs down and stay in the black. But after launch, the sheer demand from heavy storage users blew up those assumptions.”

Gleb Budman, CEO of BackBlaze at the time, told Newman that people consume five to 10 times more data when presented with an unlimited plan. And Microsoft reported that some of its customers were using up to 75 terabytes, he wrote.

“One particularly messy issue for storage providers is that they can’t weed out legitimate high-volume uses from those that violate their terms of service,” Newman pointed out. “If a user with an unlimited consumer-grade plan is backing up their business servers or running a homegrown streaming video service, the provider should be able to shut that down. But doing so would involve looking at the actual files, which would be a breach of privacy and may not even be possible if the data is encrypted.”

It isn’t clear whether the problem here is that people were abusing it; Amazon didn’t say why it had decided to discontinue the service. Some analysts, in fact, believe that this was Amazon’s plan all along – to attract people with low storage prices and then hope they’ll stay when the prices go up. “Remember, this is the consumer market; and while more technically advanced users may utilize a multi-cloud strategy, moving from one cloud to another is a daunting task for most, and one that most people will balk at. Imagine a customer who has 1.5TB stored on Amazon Drive, their propensity to move all that data, and any links, pointers, etc. that pointed to that data, is very small,” writes Neuralytix. “They are more likely to pay the extra $60/year to allow the data to remain at Amazon. Neuralytix believes that this was Amazon’s intent from the beginning, and we believe that they have executed their plan very well.”

In the meantime, all U.S. customers receive 5 GB of free storage for use with Amazon Drive and Prime Photos, and Prime members continue to receive unlimited photo storage as a benefit of their Prime membership, Amazon said. Also, photos taken with and uploaded to Amazon Drive from a Fire Phone or eligible Fire tablet are stored for free in an Amazon Drive, and Kindle personal documents stored in your Amazon Drive using Send to Kindle tools and services do not count against your Amazon Drive storage limit, the company added.


May 31, 2017  10:54 PM

E-Discovery Proportionality is Now a Thing

Sharon Fisher
ediscovery

There isn’t often much that’s new and different about e-discovery lately, but a lot of legal people are excited about a new word: proportionality.

Basically, proportionality means asking for a reasonable amount of electronic documents in the context of the legal case you’re fighting – the don’t-use-a-sledgehammer-to-swat-a-fly theory. And, expectedly, the reason it’s coming up is that in some legal cases, people weren’t being proportional, and as we’re reaching the 18-month anniversary of implementing the proportionality rule, judges are calling them on it.

Of course you remember that proportionality came up during the most recent revision to the Federal Rules for Civil Procedure, which were modified in 2006 to support electronic discovery and enhanced in 2015, taking effect on December 1. Proportionality had actually been a thing in regular paper discovery, but of course when it’s so easy to say “Give me every piece of email for the past 20 years,” it was much more critical in the age of e-discovery, when it was being used for fishing expeditions. But it’s taken until now for the legal profession and the courts to really start sinking their teeth into the whole proportionality thing.

“Within days of its enactment, amended Rule 26(b)(1) began being utilized and referenced in opinions,” write H. Christopher Boehning and Daniel Tahl in the New York Law Journal. “Dozens of courts have cited to the amended Rule and many have conducted a proportionality analysis,” they write. “One court even noted that ‘proportionality has become the new black, in discovery litigation, with parties invoking the objection with increasing frequency.’ Some of these early decisions underscore that judges are now focused on proportionality when deciding whether to grant or deny motions to compel discovery.”

Boehning and Tahl went on to describe three recent cases where judges had thrown out e-discovery requests for being overly broad – or, in other words, not proportional. For example, in one case, judges found that complying with an e-discovery request could involve a search of “as many as a million pages” and a review of potentially “200,000 pages” to result in a small number of documents, the court writes.

At the same time, simply saying that a request is not proportional is not a Get Out of Jail Free card for defendants, writes Michael Miles for the American Bar Association. “Defense counsel must be prepared to demonstrate why it is not proportional,” he writes. “This will require a thorough understanding of both the claims asserted—to show how the discovery at issue is not significant to resolving the case—and the available sources of information to potentially offer less burdensome alternatives. A plaintiff may not be entitled to a full search of all electronically stored information where a simple interrogatory would suffice.”

Instead, courts are supposed to take six factors into consideration when deciding whether an e-discovery request is proportional, according to Kristien Jones in the National Law Review.

  1. How much will getting the information cost, compared with how valuable it is to the case?
  2. The information should come from the easiest place.
  3. If the party’s own actions are what’s making the request burdensome, that should count against them.
  4. There needs to be actual evidence that the data is needed, not just assertions.
  5. There’s more to determining whether something is burdensome than money – staff and IT are also factors.
  6. Parties should consider using automated tools to make the job easier.

Meanwhile, get ready: there’s a new batch of e-discovery rules planned for this December.


May 31, 2017  12:37 PM

Another Breakthrough in Microsoft DNA Storage

Sharon Fisher
Microsoft

Following up on its announcement last fall, Microsoft plans to develop a DNA storage appliance by the end of the decade.

The company had said last fall that it had succeeded in saving 200 megabytes of data in DNA. While this wasn’t a new concept, the amount was a new capacity record.

Now, Microsoft has said it formalized a goal of having an operational storage system based on DNA – about the size of a large, 1970s-era Xerox copier – working inside a data center toward the end of this decade, writes Antonio Regalado in MIT Technology Review.

The biggest advantage in DNA storage over disk and tape storage used today is its density, Regalado writes. “DNA can hold 1,000,000,000,000,000,000 (aka a quintillion) bytes of information in a cubic millimeter,” he writes. “Formatted in DNA, every movie ever made would fit inside a volume smaller than a sugar cube.” Or, in another interesting analogy, “the system could, in principle, store every bit of datum ever recorded by humans in a container about the size and weight of a couple of pickup trucks,” writes Robert Service in Science, or 215 petabytes in a gram of DNA. Capacity is particularly an issue because developers are running out of ways to make traditional storage more dense.

That 215-petabyte capacity was based on another enhancement in DNA storage announced earlier this year, the “DNA fountain,” which breaks apart the data into pieces and includes tags to reassemble it, Service writes. That method would be similar to how TCP/IP and other communications protocols send computer data reliably. At that time, though, researchers said it would be another five to seven years before it could be practicably used.

DNA storage’s biggest disadvantage is its cost. “Converting digital bits into DNA code (made up of chains of nucleotides labeled A, G, C, and T) remains laborious and expensive because of the chemical process used to manufacture DNA strands,” Regalado writes. “According to Microsoft, the cost of DNA storage needs to fall by a factor of 10,000 before it becomes widely adopted. While many experts say that’s unlikely, Microsoft believes such advances could occur if the computer industry demands them.”

After all, a 10-megabyte hard drive used to cost as much as my first PC. So it’s not out of the question.

Another problem with DNA storage is the amount of time it takes to write to storage. Right now, writing data into DNA happens at only about 400 bytes per second, which Microsoft says needs to increase to 100 megabytes per second, Regalado writes. The good news is, the speed of reading DNA storage data only has to double before it is practical, he adds. Consequently, the use case for DNA storage would likely be archival records for legal or regulatory reasons, such as police body-cam video or medical records, or files that would be prohibitively large stored in more conventional methods, such as high-definition video, he explains.

Whether it’s three years or five to seven years, or even further, it’s going to be interesting to see how this develops, especially since the idea of commercial DNA storage was ludicrous enough for BackBlaze to use it as its April Fool’s story this year. Who knows, perhaps it could figure out a way to reproduce itself. Could the summer blockbuster movie on the concept be far behind?


May 25, 2017  11:15 PM

Reporters Say Trump is Deleting Data

Sharon Fisher
Data, government, Security

As you may recall, no sooner was Donald Trump elected President than people began saving copies of government data that they feared he might delete, such as years of data about the environment. Now here we are, four months later, and it turns out there did indeed appear to be some cause for worry: While the data may not be gone, it’s no longer possible to gain access to some of it, and isn’t that just about the same thing?

Access to some data disappeared literally on Inauguration Day, though White House spokespeople said at the time that it had to do with reorganizing websites. Since then, however, other data has vanished.

For example, on the eve of the Peoples Climate March in April, the Environmental Protection Agency announced that “its website would be ‘undergoing changes’ to better represent the new direction the agency is taking, triggering the removal of several agency websites containing detailed climate data and scientific information,” write Chris Mooney and Juliet Eilperin in the Washington Post (where it received more than 1,000 comments). “One of the websites that appeared to be gone had been cited to challenge statements made by the EPA’s new administrator, Scott Pruitt. Another provided detailed information on the previous administration’s Clean Power Plan, including fact sheets about greenhouse gas emissions on the state and local levels and how different demographic groups were affected by such emissions.”

The changes were to remove “outdated language” from the website, explained an agency spokesman. Other examples of missing data were an explanation of climate change that had been on the website for more than two decades, and the influence of human activity on climate change, Mooney and Eilperin write, though they add that an archive of the previous data was still available. A description of the Obama era Clean Power Plan was also no longer on the site.

In an indication of how jumpy people are about the issue, a message on the EPA’s Open Data Web service saying that the site wouldn’t be available, due to the government shutdown, was taken by many to mean that the data was going away altogether, writes Andrew Griffin in the Independent UK. “Since this story was first published, EPA officials have denied that the website will be taken offline and that it may continue to operate throughout the government shutdown,” he writes. (Congress ended up passing a continuation that prevented a shutdown in the first place.) “The pop-up and claims by a contractor that the site was being turned off permanently were based on confusion about the government shutdown, they suggested.”

Whether the data is gone or merely inaccessible, ThinkProgress is dealing with the situation by filing a series of Freedom of Information Act (FOIA) requests intended to force the government to make the data accessible again, writes Joshua Eaton of the organization. “We’ve already filed Freedom of Information Act requests for six disappeared websites,” he writes. “And we’ve already scored a victory: In response to requests by ThinkProgress and others, the Environmental Protection Agency posted a snapshot of its website as it existed on January 19.”

Other examples of missing data for which ThinkProgress is filing FOIAs include the Department of Energy’s online phonebook, an inventory of data.gov data when almost 40,000 datasets appeared to vanish for three months, and Bureau of Land Management ecological assessments, Eaton writes. The site MuckRock tracks FOIA requests, including Eaton’s. “Other data taken down from federal websites include regulatory enforcement actions, like fined abuses at dog and horse breeding operations and workplace injuries cited by the Occupational Health and Safety Administration,” writes The Week. “The Barack Obama and George W. Bush administrations had regularly publicized fines levied against companies to encourage workplace safety, but business groups opposed such ‘naming and shaming’ disclosures.”

Some of the FOIA requests have deadlines of mid-June. It will be interesting to see what sort of responses they get – or if they’ll have a new set of FOIA requests to keep them company. In addition, the site DataRefuge continues to make and store copies of government datasets.


May 13, 2017  11:40 PM

Another Judge Rules on Smartphone Encryption

Sharon Fisher
Encryption, Security, smartphone

Courts are still trying to decide if law enforcement can make you unlock your smartphone, with some ruling one way and some ruling the other. In the most recent case, they ruled that you have to. And, for once, it wasn’t a case involving child pornography or terrorism.

As you may recall, the whole issue boils down to how a device is encrypted. Traditionally, courts have ruled that you can be compelled to give up something you have, such as your fingerprint, which is used to encrypt your phone, but you cannot be compelled to give up something you know, such as a password. That’s because simply admitting you have the correct password on a particular encrypted phone or other storage device could be considered self-incrimination.

In this particular case, Hencha Voigt and co-defendant Wesley Victor were accused of threatening to release sex videos stolen from a phone belonging to a Miami socialite known as YesJulz, writes David Ovalle in the Miami Herald. After the phone was stolen, YesJulz received a series of text messages demanding money. After consulting with police, YesJulz set up a fake meeting with the extortionists, and the two were arrested. At the time, they had four phones with them, the contents of which prosecutors want to examine, he continues.

What makes this case unusual is that there is actually settled case law about it in Florida. A December appeals court decision allowed police in Sarasota to force a suspected voyeur, allegedly caught at a mall trying to take photos up women’s skirts, to give up his iPhone pass code, Ovalle writes. The judge who ruled on the Voigt case had to follow that precedent, he said.

Attorneys for the two contend that law enforcement is asking for the passcode so it can go on a fishing expedition, writes Eric Levenson for CNN. “They’re asking for the passcode so they can keep on searching what’s on the phone — which may be incriminating my client — and then use that against her,” Kertch Conze, Voigt’s attorney, told CNN, he writes. Technically, though, that isn’t allowed – law enforcement needs to have a reasonable suspicion that the information they’re looking for is on the encrypted device, Levenson explains.

The judge, Miami-Dade Circuit Judge Charles Johnson, explicitly referred to the thing-you-have-vs.-thing-you-know debate by saying that for him, turning over a password is like turning over a key to a safety deposit box – in other words, a thing you have, which you can be forced to surrender, rather than a thing you know, according to the BBC.

Attorneys for the defendants may have telegraphed their strategy going forward by noting that they would need to talk to the clients to see whether they remembered the passcode. On the other hand, in another case, last year one U.S. defendant was arrested for claiming not to remember the password to an encrypted device, and other defendants have been jailed in the UK.

Meanwhile, the case law on either side of the argument keeps piling up, meaning that, eventually, the whole thing is liable to end up in the lap of the Supreme Court – especially now that we have a full complement of Supreme Court judges, meaning that whatever they decide can be used as a precedent in the future. “No question in my mind that the U.S. Supreme Court will need to decide the issue eventually,” Mark Rumold, a lawyer with the Electronic Frontier Foundation, told Ovalle. “To me, it’s not so much a question of if, but when.”

