Another day, another missing unencrypted portable hard disk drive.
In this particular case, it was from the athletic department at California State University, Fresno (which athletic fans typically refer to as Fresno State University, despite the fact that Fresno is not a state). The school lost a portable hard drive containing data about 15,000 people, “including names, addresses, phone numbers, birth dates, credit card numbers, driver’s license numbers and full or last four digits of Social Security numbers,” after a theft from the athletic department over the Christmas holiday that wasn’t detected until January 12. The data included former student athletes, sports-camp attendees and Athletic Corporation employees and were mostly from 2003 to 2014, the university said, adding that only about 300 of the people were still associated with the university.
This leads to the usual series of questions.
- Why wasn’t the data encrypted? That’s a lot of personally identifiable information. So what kept the university from encrypting the data?
- For that matter, why did the university collect 12 years of that data about 15,000 people all together in the first place? If the majority of these people are no longer with the university, wouldn’t it be a good idea to get rid of that data?
- And if that data had to be collected, why in the world was it on a portable hard disk drive? “Having sensitive information on an external hard drive is a breach waiting to happen,” writes Bailey Miller in YourCentralValley.com.
- Reportedly, 18 laptops were stolen from the department at the same time. Didn’t those laptops have hard disk drives as well? What sort of data is on those? Were they encrypted? Or were they all Chromebooks that connected to the university data via the cloud? Given how often laptops and hard disk drives seem to walk away, wouldn’t it actually make sense to use a Chromebook or some similar system?
- Why did it take almost two months from the time the theft was detected until letting the potential victims know? “Notification of affected individuals began this week as soon as University officials could verify the extent of the breach and the names and contact information of those affected, and the proper notification process.” Okay, but *why* does it take that long? Don’t criminals usually try to use such numbers right away before the victims know they’re missing?
- Why did it take so long to discover that the portable hard disk drive was one of the items stolen, if the theft happened over the Christmas break? Interestingly, the school’s announcement said only that the hard disk drive was “reported missing” on January 12, not that it was stolen then. When was it actually stolen, anyway? A different notification indicated that the theft was during the last week of the year. So it took more than two weeks just to realize it was missing?
- That different notification also adds that “health-insurance numbers and personal health information” could also have been part of that data. Why was that fact left out of the other notification? How much do people have to worry about having their health information compromised or their health insurance used by someone else?
- How do they know exactly what data was on that hard disk drive? If it’s simply a dump of the university database, aren’t those people wondering why the university has that data? (One story noted that the CIO had to go through a million files to determine what data was on the drive.)
- Oh, so “there is no reason to believe that the hard drive was stolen for the information it contained” and that the thieves didn’t know what was on it. WELL, GUESS THEY KNOW NOW, DON’T THEY? Yes, there are reasons why these thefts have to be promoted the way they are, and security through obscurity doesn’t work, but these announcements do seem counterproductive sometimes.
- Even if the thieves didn’t steal the hard drive for the data, wouldn’t they check the hard drive to see what goodies might be on it before fencing it, even if they were only looking for a bootlegged copy of Girls Gone Wild? “There’s this implication that the information was not or will not be accessed because the hard drive wasn’t stolen for the information,” writes AlertBoot, a security vendor, in its blog. “How faulty is that logic? Let us assume that some guy boosts a car because he’s going to sell it to a chop shop. Are you telling me that he’s not going to maybe take a peek in the glove compartment box or the trunk because he stole the car for its hardware, and not its content? Possibly lift up the armrest to access the center console? Steal the quarters in the ashtray?”
- “To help reduce the possibility of similar incidents from happening in the future, Fresno State is reinforcing its procedures with its employees regarding the proper storage of confidential information and the importance of protecting portable electronic devices.” You think? Like, maybe not using portable electronic devices at all? And encrypting them if for some reason they’re necessary?
- Victims are being offered the usual free year of credit monitoring. Ever wonder whether credit monitoring companies stage these thefts to help keep themselves in business?
It is not looking good for Microsoft after the first day of hearings at the Supreme Court for the case regarding whether the company has to turn over to law enforcement data that is stored on a server in Ireland.
So far, the debate appears to hinge on whether to rule on the case, or wait for Congress to update the law and not have to rule on it at all. “Justices Ruth Bader Ginsburg and Sotomayor both asked why they shouldn’t just let the lower court opinion (in Microsoft’s favor) stand and allow the case to be decided by congressional action,” writes Andrew Keane Woods, in Lawfare, in one of the best analyses of the day’s arguments. “This makes some intuitive sense: If the Stored Communications Act (SCA) is so hard to apply to a global cloud, let Congress update it. And Congress is trying.” But it hasn’t done it yet, and Congress hasn’t been too good about finishing things it’s started this year.
On the other hand, Chief Justice John Roberts appears to have a good idea for a business model. “Nothing would keep Microsoft from storing United States communications, every one of them, either in Canada or Mexico or anywhere else, and then telling their customers: Don’t worry if the government wants to get access to your communications; they won’t be able to,” without getting help from a foreign government, Roberts told Microsoft lawyer Joshua Rosenkranz, according to Bloomberg.
Congratulations, Justice Roberts. You just invented Swiss Banks for data.
If you’re really a glutton for this stuff, the full transcript is available, and there’s some pretty neat stuff in it. For example, there’s this government argument: “Suppose that a defendant in federal court were convicted and ordered to pay a fine and the defendant said, I can’t do that with my domestic assets. They’re all located abroad. I am fairly confident that the courts would say the obligation falls on you. How you raise the money is your concern. It’s not an extraterritorial application of the statute to say bring the money home and pay the fine. And that’s the same that we’re asking to happen with the warrant.” The thing is, it’s not the mere possession of the data that’s the issue but the fact that the data could be used to send someone to jail – a point that nobody seemed to make.
There was also an interesting discussion about the distinction between a subpoena and a warrant, and how one of the main distinctions was how the subject of a subpoena could go to court and object to it while the subject of a warrant couldn’t. “A warrant allows the government to just come right in. If we had a warrant, and we could get a Rule 41 ordinary warrant if we wanted to, we would go to Microsoft headquarters and ask the gentleman sitting at the keyboard to step aside and sit down and do the work ourselves.”
Justice Alito also brought up an interesting point: “If this person is not Irish and Ireland played no part in your decision to store the information there and there’s nothing that Ireland could do about it if you chose tomorrow to move it someplace else, it is a little difficult for me to see what Ireland’s interest is in this.” On the other hand, Microsoft’s attorney noted, “We protect information stored within the United States and we don’t actually care whose information it is because we have laws that guard the information for everyone.”
The primary concern appears to be less about the person who has their data on an Irish server in the first place, and more on what the repercussions might be based on the Supremes’ decision. “Countries around the world are watching this case because it could be used as a precedent—privacy advocates have called it a dangerous precedent—for the state to exert extraterritorial control over the internet,” Woods writes. “If the U.S. can do it, the thought goes, then other states will do it.” The problem with that argument, he writes, is that there are already plenty of examples of foreign governments doing just that.
And then there’s this thing of beauty:
“There is not an international problem. This is largely a mirage that Microsoft is seeking to create. For the 20 or so – “
JUSTICE SOTOMAYOR: “You mean all those amici who have written complaining about how this would conflict with so much foreign law. We’ve got a bunch of amici briefs telling us how much this conflicts.”
The justices are expected to rule by June, which should be one humdinger of a month at this rate.
Spokeo, Spokeo, wherefore art thou Spokeo? We’ll be seeing that name a lot more in the next few months after the Supreme Court turned down the opportunity to hear the case a second time.
As you may recall, in June 2016, the Supreme Court was due to rule on a case involving the stored data of Spokeo, a data aggregation company that provides data about individuals. A man sued the company for having incorrect data about him, and the case made it all the way to the Supreme Court. Owners of databases were concerned that a ruling against them would mean that anybody could sue them for anything they happened to have wrong, while individuals were concerned that a ruling in favor of Spokeo could essentially shut down the practice of class-action suits.
The Supreme Court sidestepped the issue by saying that the lower court hadn’t proved actual damages in the first place, so sent it back to that lower court. After taking a year to think about it, the lower court decided that damages had actually happened, and sent it back to the Supreme Court.
In the meantime, using the precedents that already existed, all sorts of courts were making all sorts of decisions based on Spokeo.
All caught up now?
In response to all this, a number of companies – including Spokeo itself – pleaded with the Supreme Court to take it up again and make a real decision this time. Spokeo’s argument also had to do with asking the Supreme Court to decide on the nature of harm to the plaintiff. Is somebody really harmed if a company puts more than five digits of their account number on their bill, even if it is theoretically possible that, yes, an identity thief could end up hacking their credit card number that way?
But earlier this year, the Supreme Court decided it wouldn’t re-hear the case, meaning that all those lawsuits based on Spokeo were likely to continue.
You’d think that the lawyers would be happy about this. After all, the Spokeo case is turning into the Attorneys Full Employment Act of 2018. But they are not. In fact, a number of amicus briefs were filed to the Supreme Court asking them to rehear the case. “The decision to pass on revisiting Spokeo was in spite of Spokeo receiving support from several outside parties for its review bid. In six separate amicus briefs filed on January 5, 2018, TransUnion LLC, the U.S. Chamber of Commerce, the National Association of Professional Background Screeners, a group of real estate trade associations, the Consumer Data Industry Association and the Retail Litigation Center,” notes Lexology.
The result is that many of the cases are going to continue, attorneys warned. “The issue presented here arises virtually every single day in courts across the country, as plaintiffs bring putative class actions alleging violations of federal and state statutes authorizing statutory damages without any claimed harm beyond the statutory violation,” write Spokeo’s lawyers in their brief to the Supreme Court. “Spokeo I has been cited in over a thousand decisions since May 2016—with over six hundred discussing this Court’s opinion in detail.”
Plus, the courts aren’t all agreeing. “Given this massive number of cases, it is no surprise that courts have reached conflicting results for virtually identical claims—meaning that jurisdiction continues to vary court by court and statute by statute,” notes the brief. “As one set of commentators summarized, ‘[w]e have found numerous cases that are essentially indistinguishable on the facts presented, yet courts have reached opposite results.’”
Other lawyers agreed. “Although the 2016 Spokeo decision had created a pathway for the lower courts to stem the tidal wave of claims under the Fair Credit Reporting Act (FCRA), the Fair Debt Collection Practice Act (FDCPA) and the Telephone Communications Protection Act (TCPA) where the plaintiffs had inconsequential, if any, damages, the Supreme Court failed to provide substantive guidance in its 2016 decision as to when a case should be dismissed for lack of injury. Consequently, the lower courts approached this issue in different, sometimes inconsistent, ways.”
Indeed, in just the last few weeks, there have been several other cases based on Spokeo that have progressed in one way or another. In one case, “A district judge in the Southern District of Florida recently dismissed a FACTA class action on Spokeo grounds even though he had previously approved a near-$600,000 settlement in the same case” where a company was being sued for, yes, displaying more than five digits of an account number on the paperwork.
Similarly, another case had to do with someone’s entire credit card number being displayed on a ticket, but in that particular case, the court ruled that the person couldn’t sue because there was no evidence any actual harm had been committed, writes The Recorder. “Today we answer a question that would certainly sound exotic to our nation’s founders: Is receiving an overly revealing credit card receipt—unseen by others and unused by identity thieves—a sufficient injury to confer Article III standing?” wrote Judge M. Margaret McKeown. “We need not answer whether a tree falling in the forest makes a sound when no one is there to hear it. But when this receipt fell into Bassett’s hands in a parking garage and no identity thief was there to snatch it, it did not make an injury.”
On the bright side, cases like these may actually get people to start reading things like terms-of-service agreements, if only to look for things they might be able to sue under.
We talked a couple of months ago about the best places to store bitcoin and other cryptocurrencies and their advantages and disadvantages. It turns out there’s another nuance: Cryptocurrencies and e-discovery.
It makes sense. The whole point of cryptocurrency – at least, one of them – is to have anonymous currency that can’t be traced back to you. So, naturally, all sorts of nefarious people are finding that an advantage. “Because of the way cryptocurrency systems protect the anonymity of their participants, they have become ideal vehicles for money laundering, tax fraud and illicit purchases,” writes Eric Pesale for the Logikcull blog.
So what’s an attorney to do?
“Litigators could compel an opposing party to submit a hard drive image of the user’s cryptocurrency ‘wallet,’” write attorneys Nkosi Shields and Ryan A. Walton from the firm of BakerHostetler, in Mondaq. “From this wallet, one could pinpoint files useful for identifying suspicious activity during the discovery process.” This is especially true if the wallet uses an open-source framework such as Bitcoin-QT, which stores the user’s entire transaction history within the app, Pesale writes. “If this is the case, a lawyer or investigator working from a hard drive image of the wallet could locate and extract files related to certain suspect transactions and cryptocurrency data activity,” he explains.
In fact, there can be traces in many devices, Pesale writes. “Any devices the user used to connect to Bitcoin’s network could contain important evidence in the devices’ volatile memory,” he writes. “Other useful evidence can be found by examining the user’s transactions in the cryptocurrency’s public blockchain ledger or by subpoenaing the user’s encrypted cryptocurrency credentials, though government attorneys trying this strategy during a criminal case could face Fifth Amendment issues similar to those involving encrypted hard drives and passwords.”
Other researchers are looking at ways to de-anonymize blockchain itself, Shields and Walton write. “By clustering different bitcoin addresses, one can assign common ownership to a user’s pseudonym(s),” they write. “International law enforcement agencies, including the Federal Bureau of Investigation, have made significant strides in piercing the anonymity of cryptocurrency transactions, leading to several notable prosecutions, including actions brought against BTC-E, a prominent virtual currency exchange believed to have been involved in international money laundering.”
Indeed, Noel Edlin writes in Law Technology Today that blockchain’s very design makes it easy for attorneys to use it in cases. “The very virtue that makes them attractive as a decentralized currency also makes attorneys leery: transactional transparency,” he writes. “There is no way to hide bitcoin transactions, because the bitcoin ledger is available to all. Every transaction conducted using bitcoins is tracked, meaning that through the internet, bitcoin transactions can be identified and monitored, although savvy users of cryptocurrencies will argue they are just as anonymous as cash.”
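To make the address clustering and ledger transparency described above concrete, here is an added example that is not from the original post or the attorneys it quotes. It assumes the widely used common-input-ownership heuristic (the page does not say which clustering method is meant), and the ledger, address labels and amounts are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample ledger. Address labels and amounts are made up.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["addrA", "addrB"], "outputs": [("addrM", 5)]},
    {"txid": "tx2", "inputs": ["addrB", "addrC"],
     "outputs": [("addrN", 2), ("addrD", 1)]},
    {"txid": "tx3", "inputs": ["addrE"], "outputs": [("addrA", 4)]},
    {"txid": "tx4", "inputs": ["addrF", "addrG"], "outputs": [("addrM", 3)]},
    {"txid": "tx5", "inputs": ["addrC", "addrH"], "outputs": [("addrP", 6)]},
    # Several unrelated-looking inputs and equal-valued outputs: the shape of a
    # collaborative (CoinJoin-style) spend, where inputs belong to different people.
    {"txid": "tx6", "inputs": ["addrA", "addrF", "addrX"],
     "outputs": [("addrQ", 1), ("addrR", 1), ("addrS", 1)]},
]


class UnionFind:
    """Disjoint-set structure used to merge addresses into ownership clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_collaborative(tx, min_equal=3):
    """Crude filter (an assumption of this example): at least min_equal distinct
    inputs and at least min_equal outputs of one identical amount."""
    if len(set(tx["inputs"])) < min_equal:
        return False
    amounts = Counter(amount for _, amount in tx["outputs"])
    return max(amounts.values(), default=0) >= min_equal


def cluster_addresses(txs, filter_collaborative=True):
    """Merge addresses that co-sign as inputs of one transaction.

    Returns (clusters, skipped_txids). Being paid by an address (an output)
    never links two addresses; only spending together does.
    """
    uf = UnionFind()
    skipped = []
    for tx in txs:
        for addr in tx["inputs"]:
            uf.find(addr)  # register every address, even singletons
        for addr, _amount in tx["outputs"]:
            uf.find(addr)
        if filter_collaborative and looks_collaborative(tx):
            skipped.append(tx["txid"])  # merging here would misattribute ownership
            continue
        inputs = tx["inputs"]
        for other in inputs[1:]:
            uf.union(inputs[0], other)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    clusters = sorted((sorted(g) for g in groups.values()),
                      key=lambda c: (-len(c), c))
    return clusters, skipped


def addresses_linked_to(clusters, known_address):
    """Given one address tied to a person (e.g. from a produced wallet image),
    return every address the heuristic places under the same owner."""
    for cluster in clusters:
        if known_address in cluster:
            return cluster
    return []


if __name__ == "__main__":
    clusters, skipped = cluster_addresses(SAMPLE_TXS)
    print("linked to addrB:", addresses_linked_to(clusters, "addrB"))
    print("skipped as collaborative:", skipped)
    naive, _ = cluster_addresses(SAMPLE_TXS, filter_collaborative=False)
    print("without the filter:", naive[0])
```

Running it without the filter merges seven addresses into one "owner" because of a single collaborative spend, which is the kind of false attribution an opposing expert would challenge.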
Pesale notes, though, that blockchain might not be admissible as evidence even if law enforcement organizations were able to compile it. “California attorney James Ching has explored the possibility that blockchain evidence could be inadmissible hearsay, falling outside of Federal Rule of Evidence 803’s exception for business records,” he explains.
Cryptocurrencies have also seen their anonymity challenged in the courts, Shields and Walton write. “In 2016, the Internal Revenue Service (IRS) issued a ‘John Doe’ summons in an effort to investigate potential investors who may have underreported or failed to report income from gains while trading cryptocurrencies.”
However, that use is controversial, Pesale writes. “These summonses, which are issued only upon receiving court approval, allow the IRS to investigate the tax liability of unidentified individual, or group of, taxpayers upon an initial finding of a tax compliance problem,” he writes. “They are often used to uncover anonymous tax shelter beneficiaries or owners of tax-exempt bonds. Although John Doe summonses are not supposed to be issued to conduct ‘fishing expeditions,’ the way the IRS has been using them in relation to cryptocurrency transactions is spurring controversy.” For example, one of its mass warrants has received a lawsuit, while the IRS also received a Sternly Worded Letter, he writes.
In any event, attorneys of all stripes need to be familiar with cryptocurrencies, writes Carolyn Elefant in Above the Law, as they’re even becoming common in divorces and wills.
As you may recall, a number of police departments, upon implementing body cameras, have found that the cameras themselves are only the half of it. The real problem is storing all the data the cameras collect.
Some jurisdictions have found a solution to this problem: Just delete all that pesky data.
“Idaho Code requires counties to retain all records, including digital files of video and audio recordings from body worn cameras, for a minimum of two years,” notes the text of one bill under discussion in the Idaho Legislature. “Given the cost associated with management and storage of the digital media files associated with body worn cameras, many counties are currently unable to retain digital media recordings for the minimum requirement of two years. This legislation will add language to define digital recordings and a set minimum retention requirement for specified digital media files based upon the evidentiary value of the digital media file. These amendments will encourage counties to invest in digital recording devices by making the retention of county law enforcement records more achievable under county budgets.”
So, keep it if it’s evidence of a crime, but otherwise it can be discarded after 60 days, according to the proposed legislation. (That’s for bodycams. Cameras attached to a building can have their data deleted after 14 days.)
Idaho isn’t alone. In Michigan, data only needs to be kept 30 days, as of research dated last October by the National Council of State Legislatures (NCSL). Nebraska only requires 90 days, as does Miami-Dade. Washington also requires 90 days. Illinois also requires 90 days, which has led some towns to drop bodycams altogether. Missouri specifies 30 days (and Kansas City has done an exhaustive study on the storage costs of the program). Nevada can be as little as 15 days.
“Short video retention periods can limit the number of people who come forward with complaints,” writes Mike Shoro in the Las Vegas Review-Journal. “A short retention period doesn’t account for people who might not be ready to file a complaint within the allotted time frame.” Short periods might also mean that footage gets deleted even though people have requested it, because of the slowness of the requesting process.
In contrast, Indiana requires 190 days for localities and 280 days for state agencies. Georgia and Oregon require it to be kept at least 180 days, as does Albany, New York. Minnesota requires 90 days but has all sorts of exceptions. California has 60 days but again has all sorts of exceptions. New York City actually extended its retention period from six months to one year. (This is all according to the NCSL data (unless otherwise referenced), and of course things may have changed since October.) In comparison, Virginia law, for example, requires evidence to be held for at least 10 years, and sometimes 99 years.
And on the other hand, some organizations consider deletion of bodycam footage a good thing. “The Leadership Conference, together with a broad coalition of civil rights, privacy, and media rights groups, developed shared Civil Rights Principles on Body Worn Cameras,” writes the organization of its “Police Body Worn Camera Scorecard,” which on a civil rights basis prefers that law enforcement organizations delete data within six months and criticizes organizations that keep it longer than six months or don’t have a policy, out of concern that the devices will be used for community surveillance. For its part, the American Civil Liberties Union calls for recordings to be maintained for six months.
It’s been a while since we had a good Companies Behaving Badly with people’s data story, but here we are: “Charles River Medical Associates says it lost a portable hard drive believed to contain personal information and x-ray images of everyone who received a bone density scan at its Framingham [Massachusetts] radiology lab within the past eight years,” writes Jonathan Dame in the Worcester Telegraph. “That is 9,387 people.”
What is it with medical facilities and losing data, anyway? Why are medical professionals always traipsing around with data and losing it? “Dammit, Jim, I’m a doctor, not a security professional!”
And this is in Framingham, the birthplace of IDG and Computerworld. You’d think they’d know better, through osmosis or something.
The interesting thing about this one is it isn’t someone who left a laptop in a cab or lost a thumb drive. The hard drive just turned up missing.
Oh, and it’s been missing since November – actually, maybe before that, because the data only got backed up once a month and the last time it was backed up was October – but it took them until early January to notify anybody because they were looking for it. “We determined a week and a half or so ago that … it was definitely lost,” the executive director of the clinic told Dame. “It’s hard to speculate on what could have happened to it.”
Don’t be silly. It’s easy to speculate on what could have happened to it.
- Someone stole it for the data.
- Someone stole it for the hardware.
- Someone stole it for their kid.
- Someone has a backbone fetish.
- Someone stole it because there was data on it they didn’t want people to see, ranging from a potential case of medical malpractice to some medical condition they wanted to keep private. Didn’t you people ever watch House?
- Someone thought it would make a good doorstop.
- Someone accidentally damaged it and figured it would be better if it “disappeared.”
That’s just two minutes of speculation, and I was hardly trying.
Needless to say, the drive was not encrypted.
In case you’re wondering why someone needed the bone density scans of 9,387 people in the first place, apparently the disk drive was the backup, performed every month. So give them credit for that: They did backups.
(“Back” ups. Of spinal pictures. LOL.)
The good news is that, while the missing hard drive contained thousands of X-ray images of people’s spines, it did not have insurance information or Social Security numbers, Dame writes, quoting the letter that the facility was required to write to the U.S. Department of Health and Human Services, as well as to local media.
In the letter, Charles River Medical Associates warned patients to take precautionary steps “to guard against any potential negative impact from this unfortunate incident,” including monitoring credit reports.
How someone was going to get into someone’s credit account by waving an X-ray of a spine around, the facility didn’t say. Biometrics are big these days, but one usually hears about retinal scans or fingerprints rather than backbone pictures. Better safe than sorry, I suppose.
The company assures us that it will no longer use unencrypted portable storage devices to store medical records, and it’s “undertaking a broader review of its security protocols,” Dame writes. Perhaps they can find an IDG person to advise them. In the future, while it’s commendable that the organization does backups, it might want to think about backing the data up to the cloud, where it can’t go on walkabout. And, maybe, encrypt it?
We’ve written before about fitness trackers such as Fitbits and the potential interesting challenges they create for electronic discovery. But here’s a new one.
Strava, the company that produces a variety of these devices, published a map aggregating the data of its users over a period of two years, showing just how widespread the devices are. Awesome. Maps are cool. The problem is, in certain areas, those maps also did a swell job of delineating soldier movements due to military personnel wearing those devices.
“In war zones and deserts in countries such as Iraq and Syria, the heat map becomes almost entirely dark — except for scattered pinpricks of activity,” writes Liz Sly in the Washington Post. “Zooming in on those areas brings into focus the locations and outlines of known U.S. military bases, as well as of other unknown and potentially sensitive sites — presumably because American soldiers and other personnel are using fitness trackers as they move around.”
Needless to say, the military is having kittens. “The U.S.-led coalition against the Islamic State said on Monday it is revising its guidelines on the use of all wireless and technological devices on military facilities as a result of the revelations,” Sly writes. “The existing rules on the privacy settings to be applied to devices such as fitness trackers are being ‘refined’ and commanders at bases are being urged to enforce existing rules governing their use, according to a statement from the Central Command press office in Kuwait.”
The company said it was reviewing its policies and reminding people how to set security and so on with their devices.
Incidentally, the map is still up. Not only that, but the letter from CEO James Quarles wringing his hands about how seriously Strava is taking the situation includes a link to the map.
This was all discovered by a 20-year-old Australian student on summer vacation who was playing with maps and who Tweeted out his discoveries. After he gave them the idea, a number of other people checked out other interesting locations around the globe. The kid has probably also ensured his future success. “His discovery would not hurt his career prospects,” the New York Times understated.
As Sly points out, it’s not like locals don’t know where military bases are. Even if the vast expanses of space surrounded by barbed wire and people with guns didn’t clue you in, after all, there’s always Google Earth. The problem with the Fitbit map is that it also shows the routes that the military personnel take within the base, as well as outside it. As they say, if you don’t want people to know where you are, then you need to change your routes periodically.
Security considerations aside, this is a beautiful example of the power of metadata. Remember when various government organizations have requested metadata about email and messages, and justify it by saying, oh, it’s okay because we’re not asking for personal information, and people say, no, actually, it’s still a problem? This is what those people meant. Do we know data about individual soldiers? No. Do we know where they are in real time? No. But we can still see patterns in the data, and just those patterns are enough to provide a great deal of information about troop movements as a whole, even if it’s not identifiable down to the individual soldier.
“Lines of activity extending out of bases and back may indicate patrol routes,” Sly writes. “The map of Afghanistan appears as a spider web of lines connecting bases, showing supply routes, as does northeast Syria, where the United States maintains a network of mostly unpublicized bases. Concentrations of light inside a base may indicate where troops live, eat or work, suggesting possible targets for enemies.”
And in the bravo-for-life’s-little-ironies department, in many cases the devices were actually apparently given to soldiers by the military. In the British military, overweight soldiers were given Fitbits in 2016, while on the U.S. side, the Pentagon has encouraged the use of Fitbits among military personnel and in 2013 distributed 2,500 of them as part of a pilot program to battle obesity, Sly writes. (And in a really ironic moment, check out this April Fool’s Day press release from the U.S. Army from just last year.)
The wheels of justice continue to grind in the Microsoft Ireland data servers case, with the simultaneous submission of 23 amicus briefs signed by almost 300 people worldwide to the Supreme Court, which is expected to hear the case next month.
As you may recall, the case, which started in 2014, involved whether Microsoft must release data stored on one of its servers to a U.S. government agency, even though the data in question is outside the U.S. In January 2017, the Second Circuit Court of Appeals denied a rehearing of the case, which left the Supreme Court as the only option. At the very last minute – and after two extensions – the Department of Justice decided in June to go for it, and in October the Supreme Court agreed to hear the case. (Here’s a good description of it.)
The justices will hear oral arguments in late February, but in the meantime, a whole lot of people from a whole lot of countries, a number of Microsoft’s competitors, a slew of advocacy organizations, and a heap of computer science professors have lawyered up and sent in amicus briefs. Fortunately a lot of them worked together so the Supremes won’t have to read 300 separate briefs.
As Microsoft had suggested last June, several of the briefs from European Union (EU) countries referenced the General Data Protection Regulation (GDPR), a new law governing this issue that is scheduled to take effect in Europe in May. In fact, one of them was submitted on behalf of the guy who was responsible for the GDPR (who is, actually, on Twitter and is discussing the case there).
“In one of many amicus briefs filed Thursday on behalf of Microsoft, attorneys at White & Case wrote for European Parliament members, including Jan Philipp Albrecht, and former EU Justice Commissioner Viviane Reding,” writes Ben Hancock in The Recorder. “Albrecht helped shepherd the GDPR in the European Parliament to its ultimate adoption in 2016, and has been outspoken on digital privacy issues. He is the vice chairman of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and also sits on the legislature’s Special Committee on Terrorism.” A total of 10 EU members signed that brief.
Ultimately, the solution is not the Supreme Court or any other court, but rewriting the Electronic Communications Privacy Act (ECPA) to better reflect the realities of this century, say advocates. “The blame should be placed not on either party to this case, but rather on the outdated ECPA in clear need of reform,” writes Casey Given in the Washington Examiner. “Congress must act to clarify the rules of the road with regard to consumer privacy and government powers in the age of the internet.”
In particular, Given calls for a rewrite of the ECPA called the International Communications Privacy Act, which would let law enforcement request a warrant for content on remote servers and give the foreign government at play the chance to object should the warrant violate their privacy laws, he writes.
Taking a laptop across the border? There’s good news and bad news.
As you may recall, since 2009 there has been an ongoing struggle with how much right the U.S. government has to search laptops that people are carrying into the U.S., without a warrant, or even any particular reason other than that they feel like it. Plus, “border” has actually been defined to mean “within 100 miles of the border,” which literally covers a lot of territory.
Now, Customs and Border Protection (CBP) has released an updated written directive that clarifies how passwords and cloud data should be handled, according to the Associated Press. “The new rules make clear that agents are only allowed to inspect information physically present on a device — and not information stored remotely, such as on the cloud,” the AP writes. “To prevent officers from accessing information they shouldn’t, they are now required to request that travelers turn off their devices’ network connectivity, or disable it themselves.” Passwords provided to CBP must be deleted or destroyed immediately following a search.
The department also defined two levels of search.
- Basic searches: officers can look through passengers’ contacts, photos and other material without reasonable suspicion of criminal behavior
- Advanced searches: devices are connected to external equipment so their contents can be reviewed or stored, which requires the approval of a supervisor and “reasonable suspicion of activity in violation” of the law or “a national security concern,” such as a person’s presence on a terror watch list
On the other hand, “if someone refuses to unlock a device, the device can be detained by CBP,” writes Geneva Sands for ABC News. “U.S. citizens will always be allowed to enter the U.S., but their phones could be held back — generally for no more than five days,” though people have reported having their devices seized for up to seven months. “For non-citizens, refusal to open a device could lead to denied entry. If incriminating information is found, CBP officers could refer the case to an investigative agency, like the FBI, or for non-citizens, deny them entry into the U.S.”
“The New Directive does not specifically allege that travellers have a positive obligation to provide a passcode or other means of access to USCBP during a border search; it merely states that USCBP officers may request access and then detain the device for further examination if the traveller does not provide it,” writes Henry Chang of Blaney McMurtry LLP in Lexology. “This is likely because the law is still not clear regarding whether travellers actually have a legal obligation to provide passcodes or other means of access during a border search.” In addition, “nothing precludes USCBP from detaining an electronic device for a much longer period by alleging that ‘extenuating circumstances’ exist,” he adds. “The threat of having their electronic device seized, even temporarily, could compel some travellers to cooperate. The New Directive also does not address the issue of how long USCBP may delay the entry of a traveller in connection with the search of their electronic devices. The threat of an extended delay, which may cause the traveller to miss their flight, could also compel some travellers to cooperate.”
What brought this all on? The ACLU filed a lawsuit last year against the Department of Homeland Security on behalf of 11 travelers whose smartphones and laptops were searched at the border, the AP writes. Other organizations, such as the Electronic Frontier Foundation (EFF), have been pushing for a test case that would extend the Riley decision – which requires law enforcement officials to have a warrant to search someone’s cell phone — to laptops at the border. In December, the U.S. government filed a motion to dismiss the case. The ACLU is preparing its response for late January, according to Bart Jansen in USA Today.
“It is positive that CBP’s policy would at least require officers to have some level of suspicion before copying and using electronic methods to search a traveler’s electronic device,” said Neema Singh Guliani, legislative counsel at the ACLU. “However, this policy still falls far short of what the Constitution requires — a search warrant based on probable cause. The policy would still enable officers at the border to manually sift through a traveler’s photos, emails, documents, and other information stored on a device without individualized suspicion of any kind. Additionally, it fails to make clear that travelers should not be under any obligation to provide passcodes or other assistance to officers seeking to access their private information. Congress should continue to press CBP to improve its policy.”
A bill is actually under consideration to require a warrant to search the devices of Americans at the border, write Charlie Savage and Ron Nixon in the New York Times, but it is unlikely to pass in this political climate, they add.
In other news, CBP announced some numbers. Its border agents inspected 30,200 phones and other electronic devices in fiscal year 2017, which ended in September — a nearly 60 percent spike from 2016, when 19,051 devices were searched, according to the AP. It’s an even bigger spike from previous years: the New York Times reported that inspection of electronic devices rose from 4,764 in 2015 to 23,000 in 2016, while according to the Los Angeles Times, just 8,053 travelers had their devices searched in the 2015 fiscal year. That’s compared with 6,500 between 2008 and 2010, according to the American Civil Liberties Union. U.S. border agents also searched the electronic devices of 59 percent more international travelers in fiscal year 2017 than the previous year, including U.S. citizens and foreigners, adds the Los Angeles Times. Nonetheless, the agency said the searches represented just a tiny fraction — 0.007 percent of arriving international travelers — out of more than 397 million, the AP wrote.
(Yes, I’m aware some of the numbers don’t match up. Perhaps they’ve changed over time? Or some are fiscal year, which ends on September 30, and some are calendar year? Either way, lotta devices.)
In particular, this is a concern to attorneys, who worry about violations of attorney-client privilege. The New Directive does have some additional guidelines in this area, Chang writes.
You could call it Schrodinger’s Email System: Email messages aren’t lost; there just isn’t any way to gain access to them.
That’s the situation the state of Rhode Island has been facing since 2015, which came to light earlier this month due to a public records request. Before then, state agencies had been using a combination of Novell Groupwise and Microsoft Exchange email servers, and decided to consolidate them into a single Office 365 email system.
A laudable goal, in general. The problem is that Microsoft and Novell never did play very well together, and by 2014 Novell was essentially not around anymore, with Micro Focus buying Groupwise. (In fact, you can still buy it today.) The upshot is that the vendor working with Rhode Island to help migrate the email systems – Microsoft Consulting Services – warned the state that it could lose up to 5 percent of the email messages in the process, according to an article in the Providence Journal, which broke the story.
Hence the Schrodinger’s email nature of the new system. “Department of Administration spokeswoman Brenna McCabe told The Journal, ‘We did not lose the emails,’” writes Katherine Gregg. “But she acknowledged, ‘They are [now] in a format that is not easily searchable … [And] it would take significant resources to put the data in an accessible, searchable format.’” So if you can’t search or gain access to the email messages, does it matter whether they’re “lost” or not? What would be different if they were considered “lost”?
The situation came to light when software entrepreneur and two-time candidate for governor Ken Block filed a public records request. He was reportedly performing a computer analysis of the potential for voter fraud in Rhode Island for a nonprofit organization co-founded by President Donald Trump’s former chief strategist Stephen Bannon, Gregg writes. “As part of his continuing inquiry, Block asked the elections board for communications — dating back to Jan. 1, 2003 — from the state to local boards of canvassers about ‘voter registration … voter identification policies and processes.’”
That was when Block learned about the inaccessible email messages, which he presumably passed on to the Journal. “There were significant problems with the syncing process, as the two systems are wholly incompatible with each other,” Richard Thornton, the campaign-finance director for the state Board of Elections, told Block. “There may, or may not be, additional email communications responsive to your request, but for which the State of RI has no capacity to retrieve presently.”
This is not to unduly pick on Rhode Island. Back in the day, people used proprietary email systems because that’s what there was, and different agencies used different email systems because that’s how they were typically acquired. While the state happened to bet on the wrong horse, technologically speaking, it hadn’t made a bad choice in picking Groupwise. If anything, one could criticize the state for not upgrading sooner, but there was a recession in there as well. Chances are, a number of other states are in the same pickle. One could also criticize the state for not having reduced the size of its email system before the migration, but again that’s hardly a problem confined to Rhode Island.
Plus Block appears to be going off the deep end about it a little bit. The state has not yet responded with how many email messages are missing – if it even can – but it isn’t at all clear that “most” email messages before 2015 are unrecoverable, as he told the Journal. He also complained about the cost of retrieving the email messages, but to be fair he’s asking for a large amount of email going back fifteen years on what could be little more than a fishing expedition in that the vast majority of studies have found that voter fraud is a minuscule problem.
Similarly, Block criticized Thornton for saying the state had moved to the new system “for more efficient backup of data, a more standardized approach for records retention and a secure disaster recovery solution” in light of the problem. “Wow. How does that square with Thornton’s email?” he told the Journal. But obviously it was because of just this sort of situation that the state did make the move to a single email vendor.
Realistically, how many people can lay their hands on email that they sent in 2003? My Gmail account goes back to April 7, 2004, and I was one of the early adopters. While I may have .pst files around from Outlook systems I was using before then, what are the chances I could actually find a way to read them?
It’s an example of the sort of problem typically referred to as the “digital dark ages” brought on as organizations – particularly governments – went digital. But due to the proprietary nature of the hardware and software people used, plus technology’s inexorable march on, much of this old data may no longer be readable by future generations.
This is why organizations are encouraged to migrate their archives to up-to-date hardware and software every couple of years, to ensure the data can still be read going forward.