Another year, another Gartner Magic Quadrant for e-discovery, and guess what? Nothing’s changed.
- All the vendors in the “leaders” quadrant are the same: AccessData, Exterro, FTI Technology, Guidance Software, HP Autonomy, kCura, Kroll Ontrack, Recommind and Symantec.
- No vendors have been added.
- Only one vendor (Driven) has been dropped.
- HP Autonomy is still the “most visionary,” though Symantec has dropped down considerably from last year in terms of “ability to execute.” Best execution this year? Kroll Ontrack.
The company also sort of dissed its own 2011 prediction that the e-discovery market would see a wave of consolidation, eliminating up to 25 percent of the vendors, by 2014. “The level of mergers and acquisitions (M&As) for software vendors has slowed, and only a couple of noticeable acquisitions took place in 2013,” Gartner writes. “The overall e-discovery market is in a state of ‘wait and see’ mode after being overhyped through 2012.” Gartner also listed all the e-discovery acquisitions that have occurred since 2001; it’s a considerably long list.
Where consolidation is going to occur, Gartner says, echoing what it said last year, is in legal service firms. “The remaining legal service firms will take one of two routes by becoming either large firms that are ‘one-stop shops’ but not technology developers, or large firms that are one-stop shops with proprietary technology for all aspects,” the compny writes. “Although there is room for regional and specialist players, they are part of the market that is consolidating and shrinking fastest. The larger players will need international presence in the form of data centers and local legal personnel to be competitive as the market opens up geographically.” This also ties in with Gartner’s prediction that growth will come more from outside the U.S. as other countries learn more about this thing called e-discovery.
This year’s report does include writeups on seven vendors that otherwise didn’t qualify to be included in the Magic Quadrant, so it will be interesting to see how they progress in the coming year.
Gartner also notes two events that drove interest in e-discovery this year: the U.S. National Security Agency’s surveillance program (PRISM) and the Target hack, which has led users to be more interested in incidence- or event-triggered processes.
And what happened with Symantec? Gartner cites three issues: lack of growth or new releases because of the acquisition of Clearwell (and that was in 2011! they haven’t swallowed that puppy yet?), performance and scalability issues, and the departure of Symantec’s CEO.
Otherwise, though, the report is pretty much of a snore. Predicted growth in the market? 15 percent, after 15 percent the year before and 14 percent the year before that. Gartner forecasts that revenue will grow from $1.8 billion in 2014 to $3.1 billion in 2018, after predicting last year that it would grow from $1.7 billion in 2013 to $2.9 billion in 2017.
(Also, the obligatory being-in-the-leaders-quadrant-doesn’t-necessarily-mean-you’re-better. The other three quadrants — Challenger, Visionary, and Niche — just means that the vendor or product was considered to be somewhat lacking in either vision or ability to execute, or both. But for many use cases, those vendors and products are perfectly adequate, and perhaps, being number two, they try harder.)
Gartner did, however, indicate that next year would be different, honest. “A new set of changes on Federal Rules of Civil Procedure (FRCP) were proposed in early 2013 and have caught much debate in the U.S.,” the report notes. “Among these proposed changes, the ones most relevant to e-discovery are proportionality and sanction on willful evidence spoliations. These changes, once approved, will trigger a wave of disruption in the e-discovery practice and, in turn, on the e-discovery technology market.”
It’s not often that the actions of the Supreme Court wander into our purview over here, but we were in luck this month, with not one but two cases having relevance to cloud storage. In one case, cloud storage users gained protections, while in the other, they lost them and perhaps will put themselves at risk.
First was Riley vs. California, in which the court ruled that law enforcement officials needed a warrant to search someone’s cell phone. The connection with cloud storage? “The data a user views on many modern cell phones may not in fact be stored on the device itself. Treating a cell phone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter, ” writes Chief Justice John Roberts in the majority decision. “Cell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference. Moreover, the same type of data may be stored locally on the device for one user and in the cloud for another.”
Allowing the search would be like finding a key in a suspect’s pocket and arguing that it gave law enforcement the right to search his house, Roberts writes.
So that’s the good news.
Next, the court ruled against Aereo, the Internet company that helps subscribers gain access to live broadcast television on Internet-enabled devices. While this is certainly a bummer for Aereo itself, it also has the potential to be a bummer for people who legitimately store content in the cloud, legal experts write.
“The Aereo case puts the cloud at risk because when broadcasters have complained about Aereo, their complaints also describe cloud computing,” wrote Matt Schruers, VP, Law & Policy at the Computer & Communications Industry Association, which submitted a brief in support of Aereo, earlier this year in his “Aereo primer. “It isn’t that broadcasters necessarily bear malice toward cloud computing; it is just that when broadcasters complain about how Aereo works, their complaints describe cloud-enabled access to content. The cloud is caught in the crossfire.”
Numerous industry organizations, besides his own, also submitted briefs in this case expressing concern about how the decision could affect cloud storage, Schruers added. “If multiple people store their own, unique, lawfully acquired copy of the latest hit single in the cloud, and then play it to themselves over the Internet, that too sounds like the broadcasters’ version of a public performance,” he explained. “The anti-Aereo rationale doesn’t distinguish between Aereo and the cloud.” Even DVRs — which broadcasters sell themselves and which served as the precedent for this case — could be at risk, Aereo CEO Chet Kanojia told Time.
Essentially, Schruers wrote in a separate piece, broadcasters were arguing that although Aereo was intended to be a private service, which was allowed, it was actually a public service, because it could have been set up that way, just because it was using the Internet. “The boundary between public performances and private performances determines what copyright does and does not regulate,” he explained. “It’s why you don’t need a license to sing in the shower, but you do to sing on stage. It’s why you don’t need a license to put your music collection in the cloud, but you do if you want to launch a commercial streaming service.”
Ironically, where experts had praised the court’s understanding of the technological nuances in Riley, they dissed it in Aereo, saying the court called it cable because it looked like it to them, regardless of the technological underpinnings.
Opinions vary on the ruling’s effect on cloud storage. Broadcasters argued that cloud-storage companies shouldn’t be affected because those businesses store content that the users upload themselves and that there is a “fundamental difference” when customers upload their own files, Bloomberg writes. The Supreme Court itself noted, written by Justice Stephen Breyer, “We agree that Congress, while intending the Transmit Clause to apply broadly to cable companies and their equivalents, did not intend to discourage or to control the emergence or use of different kinds of technologies. But we do not believe that our limited holding today will have that effect.”
“The majority says it won’t affect new technologies because they said so,” writes Ali Sternburg, Public Policy & Regulatory Counsel at the Computer & Communications Industry Association, in Disruptive Competition. “That is not a convincing argument.” And Scalia notes that in his dissent, she writes. “He specifically calls out the majority’s ‘because I said so’ argument about the cloud, saying: ‘The Court vows that its ruling will not affect cloud-storage providers and cable television systems, see ante, at 16-17, but it cannot deliver on that promise given the imprecision of its results-driven rule.'”
Moreover, the majority opinion doesn’t distinguish between primary and secondary infringement, meaning that cloud storage companies could find themselves blamed for copyright infringement their users are doing, notes the Wall Street Journal.
Ultimately, what may be needed to decide this is…another Supreme Court case. In fact, the majority opinion practically invites it, writes Bloomberg. “The ruling said that questions involving cloud computing — the business of storing content on remote servers and delivering it over the Internet — should ‘await a case in which they are squarely presented.’ That leaves technology companies with few clues to guess whether their services would pass legal muster if challenged.”
Stay tuned…as it were.
We’ve talked before about “Taking Out the Trash Day.” Well, the White House had a dilly of a trash day last Friday when it announced that the IRS had lost a lot of email associated with the investigation of whether the agency was targeting conservative groups for tax exemption audits.
Lois Lerner, director of exempt organizations for the IRS, has been the point person of the investigation because of its focus in tax-exempt organiztions. Consequently, the Congressional committee performing the investigation wanted to see her email. As it turned out, she had a hard drive crash in 2011 that took out much of the email for the period under investigation and which happened not long after the question of whether the IRS was targeting such organizations first came up.
Naturally, the right wing leapt on this as a deliberate attempt to obfuscate the truth, with a number of people equating it to Rosemary Woods and the Watergate 18-minute gap. But as more of the story came out, it appeared that this was more a case of never attributing to malice what can be explained by incompetence, especially as it developed on Tuesday that hard drive crashes that took out the email affected a number of employees, not just Lerner. (Not to mention other agencies, including the office of the President.)
So here’s an outline of the problem.
1. The IRS gave employees only 500 mb for their Microsoft Outlook mailboxes, which it says is enough to store about 6,000 messages. (Think this is bad? Before July 2011, it was 150 mb.) This works out to about 80,000 characters per message, which seems like a lot, but likely includes headers, copies of previous messages, and so on; perhaps the IRS should have invested in compression or dedupe technology? Incidentally, the IRS has 90,000 employees and a total of 170 terabytes of stored email. While employees could in theory ask for a larger mailbox, they were told that it was not the practice.
“Is this plausible? Unfortunately, yes. I have worked for organizations that used these sorts of restrictions on hard drive space,” writes Megan McArdle in Bloomberg View. “However, it’s also moronic IT policy.”
2. When employees archived their email to get the mailbox sizes below 500 mb, it was, first of all, saved only to their own computers and, second of all, no longer backed up. So the only copies of the archived email were on the employee computers.
3. While backups of mailboxes were performed, the IRS started recycling the tapes after six months. As of May 2013, however, the IRS stopped this.
The upshot is that when Lerner’s hard drive crashed in 2011 — for which the IRS provided contemperaneous documentation (which was really hysterical, by the way) — her archived email, which was the only copy, went with it. The IRS recovered some copies of messages that Lerner had sent to other IRS employees by using their mailboxes and their copies, but that didn’t help recover any messages she sent outside the IRS.
Observers are also pointing out that email messages considered to be official records were supposed to be printed out and placed in a file, and are asking why this wasn’t done in Lerner’s case.
The other interesting aspect of the IRS email system is that the IRS can’t search its entire email system for appropriate records — it has to examine each person’s mailbox and hard drive individually. Plus, even then, it can’t just search for the messages it needs; it has to collect all the email and then select relevant messages from it. This certainly made the whole process a lot more arduous and expensive.
“The only reason it has to waste thousands of man-hours manually searching the hard drives of other employees is that it first decided to waste thousands of man-hours manually deleting e-mails or storing them on local hard drives where they wouldn’t be backed up,” McArdle writes.
And that’s just the start. House Oversight Committee Chairman Darrell Issa has subpoenaed a huge list of storage devices and messages as well as, essentially, anyone in the government who has ever emailed Lerner about anything.
One expects an RFP for a new email system for the IRS — not to mention a lot more storage — in the near future. “In 2014, every government agency should be storing every e-mail that goes in or out in an easily accessible format,” McArdle writes. “That they weren’t bothering suggests that the IRS does not expect to deliver the kind of accountability that it routinely demands of taxpayers. That’s potentially a much bigger problem than anything Lois Lerner stands accused of — and it should be rectified, government-wide, with all due speed.”
Ironically, the IRS noted that it would have cost $10 million to upgrade its computer systems to save all employee email messages forever. The cost of the investigation so far to track down the existing copies of Lerner’s email? $10 million. “At an agency with an annual IT budget of $1.8 billion,” McArdle writes.
I know I’ll never forget where I was when I first heard that the Standing Committee had unanimously approved amendments to the Federal Rules of Civil Procedure as modified by the Advisory Committee. Seriously, though, it offers the potential to make a big difference in electronic discovery.
You remember, no doubt, that the Federal Rules of Civil Procedure (FRCP) were changed in 2006 to more easily accommodate electronic records – setting up procedures for the two sides in a civil case to be able to communicate with each other about what sort of electronic records they could expect. At the same time, they were set up so that opposing sides couldn’t demand literally millions of records from each other in a fishing expedition, or that one side couldn’t respond to a demand for records with so many of them that it would be essentially impossible – not to mention expensive – to research them all. Also, they were intended to ensure that companies facing a civil lawsuit couldn’t delete incriminating records and then be able to claim they weren’t available.
That said, after several years of use, legal experts had suggested modifications to the FRCP so that it would better perform what it was originally intended to do. A number of amendments were developed to streamline the preliminary steps of the legal process by as much as half. Several other amendments reduced the number and length of depositions, requiring more specificity in objections, and required that participants consider proportionality — basically, be reasonable in their e-discovery demands.
The legal world has been talking about these potential amendments for a long time. The Standing Committee on Rules of Practice and Procedure released a report for publication on June 3, 2013, that included amendments to the FRCP. They were then released on August 15, 2013, for a six-month comment period – that is, until February 15, 2014.
Not surprisingly, lawyers being what they are, they commented. A lot. One single rule, on the failure to preserve electronically stored information, generated 2,345 comments, and ended up being rewritten itself by the Advisory Committee (the last step before Standing Committee approval) at its April meeting, to make it simpler and to determine how much to blame a company that “accidentally” deleted relevant documents.
So what happens now that the Standing Committee has approved the amendments? “The proposed amendments will be submitted to the Judicial Conference [in September 2014] with a recommendation for approval, who in turn submits the proposals to the Supreme Court,” Raymond Ripple and Rachel Caldwell wrote in October, 2013 in Inside Counsel. “If approved by the Supreme Court, Congress has seven months to approve or reject the new rules.” They could take effect by December 1 — of next year.
Don’t want to rush these things, you know.
We’ve written before about the notion of “data sovereignty,” or the issue of which country’s laws should govern data: Where it’s located? The nationality of the company that owns it? The nationality of the company that hosts it? These are questions that took on new significance in light of Edward Snowden and the revelations of NSA surveillance and which led companies in some countries to avoid having their data stored in the U.S.
A recent court decision has made the issue even more complicated and is putting U.S. companies in the position of trying to follow mutually exclusive laws from multiple countries.
In the case, Microsoft had received a U.S. government search warrant (we don’t know which agency; court records are all sealed) regarding data about one of its web-based email users. Microsoft ascertained that the data for that user was stored on a server in Dublin, Ireland, and said the U.S. didn’t have jurisdiction over that server. But Magistrate Judge James Francis, in the Southern District of New York, has ruled that Microsoft has to provide the data anyway.
“This was true for “traditional” warrants but not for those seeking online content, which are governed by federal law under the Stored Communications Act,” explains the BBC. “He said the warrant should be treated more like a subpoena for documents. Anyone issued with a subpoena by the US must provide the information sought, no matter where it was held, he said.” Francis also said, basically, that part of the reason for his ruling is that it would be too hard for the U.S. to negotiate with all those foreign countries.
So what makes this bad?
It means any company, worldwide, that uses a company with a U.S. presence to store its data — Microsoft, Google, Amazon, and so on — could find its data subject to U.S. laws. In some cases, these laws conflict with privacy and data protection laws in other countries.
If nothing else, non-U.S. companies that are concerned about this may be much less likely to use U.S. companies to store their data, which isn’t good for those companies’ business. “If the U.S. cloud industry was worried before about lack of confidence of foreign customers, this judgment just upped the ante very considerably,” Caspar Bowden, an independent privacy researcher, told the U.K. paper The Guardian.
“This startling ruling could have a significant impact on not only the use of free email services like Hotmail and Gmail, but also all cloud-based services like Office 365, Google Apps, and even cloud providers like Amazon,” agree three attorneys from Drinker Biddle & Reath LLP in a response published in the National Law Review.
What could be interesting — if by interesting we actually mean “scary and really bad” — is if other countries decide that, given this as a precedent, their various laws about data — such as the recent “right to be forgotten” — should also apply to the U.S. Ultimately, it could mean a hodgepodge of data control Balkanization that could result, as the saying goes, in the end of the Internet as we know it.
Microsoft, in particular, is screwed, legal experts conceded. Well, they didn’t say “screwed.” Being legal experts, they said it more nicely. “Microsoft appears to face the unpalatable choice of either breaching European data transfer laws or failing to comply with a US court order,” writes Rob Corbet, a partner at Arthur Cox, in Data Protection Ireland.
Microsoft said it intends to appeal the case and, in fact, indicated that it had expected to all along, just to get this issue decided. “When we filed this challenge we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a U.S. district court judge and probably to a federal court of appeals,” writes David Howard, Microsoft’s corporate vice president and deputy general counsel. “This is the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States.”
For a while now, we’ve been reporting how cloud storage vendors such as Google and Microsoft have been dropping their prices, and wondering when Dropbox — which is rumored to be working on an IPO — was planning to follow suit. This week we learned: It ain’t.
“We’re not cutting prices right now,” Drew Houston, CEO of Dropbox told Re/code’s Liz Gannes and Walt Mossberg at the organization’s Code Conference, writes Re/code. Instead, the company is planning to compete not by cutting prices but by offering a better product with more features. What a concept.
Which features? “One is a photo sharing app called Carousel,” writes Re/code. “Another is a yet-to-launch collaboration tool built atop Microsoft Office called Project Harmony; Houston said it should be out by end of year.”
It will be interesting to see whether new applications will encourage more people to pony up money, or if cloud storage will stay a commodity and people will simply go for what’s cheapest. If the latter is the case, Dropbox is in for a problem. Companies like Microsoft and Google can afford to have their other revenue streams support cheap online storage, but for Dropbox, cloud storage is all it has.
On the other hand, this week Dropbox announced, sort of, that it was up to 300 million users, after having hit 200 million users in November 2013 and 100 million in November 2012, according to The Next Web. This wasn’t terribly surprising; the company had announced in April that it had 275 million users.
The question, though, is how many of Dropbox’ users actually pay for the service. Users get up to 2 gigabytes of storage for free, plus bonuses for referring friends and so on. Mark Rogowsky of Forbes did an interesting analysis last fall that, tl; dr, boiled down to this: “That leaves the company with at most 2 million paying customers, or barely over 1% of the total customer base. Given that it mentions having ‘4 million businesses,’ the likelihood is that the actual conversion ratio of ordinary folks is worse than this.”
In other words, if Dropbox were to drop its prices, it may cost it most of the little revenue it has — not a good idea when one is contemplating an IPO in an uncertain market (as Box has already discovered).
It’s been an interesting month for Box. Heck, it’s been an interesting year.
- June 2013 — OpenText files suit against Box
- December 2013 — Box raises $100 million in series F funding, giving it a total valuation of $2 billion
- January 2014 — Box secretly files for an IPO
- January 2014 — First OpenText/Box hearing
- March 2014 — Box formally files for IPO to raise $250 million
- March 2014 — OpenText claims $268 million in damages
- May 2014 — Box postpones its IPO, citing unfavorable market conditions
- May 2014 — GE announces agreement to implement Box for up to 300,000 customers, for unknown revenue
Now, according to Silicon Valley Business Journal, the Box IPO may be on again, thanks to stronger-than-expected IPO results for Zendesk. In fact, it could be announced soon after the Memorial Day holiday, writes SVBJ’s Cromwell Schubarth. Quartz also predicted that Box would do its IPO around Memorial Day, while Bloomberg expects it to happen in June.
Box was criticized for losing money, particularly on marketing, after postponing its IPO (though the company said it didn’t really count as a postponement, because it had never set a date in the first place). On the other hand, it’s not really fair to blame Box for the postponement; Schubarth notes that as many as a dozen other companies — and that’s just the ones with public IPOs — are in a similar predicament.
The GE deal, coming just one day after the IPO postponement, provided a much-needed shot in the arm for the company. Makes you wonder why Box even postponed the IPO in the first place, knowing this was coming down the pike, though as the Wall Street Journal pointed out, several other technology IPOs raised less money than they expected.
If Box does end up going IPO in June — let alone late May — it’s going to be the capper to quite the year.
You’d think the bad guys — let alone the good guys, and it’s not always easy in Captain America: The Winter Soldier to know which is which — would have figured it out by now: Lock down the damn USB slots already.
You’d especially think they’d have figured this out given that the same plot point was used in Iron Man 2. Admittedly, Captain America might not have had a chance to watch Independence Day yet — it wasn’t scribbled down in his little notebook of Things to Catch Up On, though Star Wars was — but Iron Man 2 is in the same universe. Didn’t Tony Stark ever mention, “By the way…” to Nick Fury when setting up his supersecret organization? “You know, you’ve got this security hole here big enough to drive a tank through. Might want to look into that.”
The conveniently-located-thumb-drive plot was even used around the same time in the penultimate episode of this season’s Agents of SHIELD television program. But it seems like that program in general doesn’t have a real good grasp of storage technology, confusing, as it does, the difference between hacking and decrypting.
Anyway, in case you haven’t seen the movie (and yes, there’s spoilers here), here’s what happens. Captain America and Black Widow are rescuing a S.H.I.E.L.D ship, and in the process Black Widow casually plugs a USB drive into the ship to download all its files. Needless to say, Captain America is kind of perturbed by this — not by the security flaw, but by the fact that nobody had told him she was going to do this, and she was on his team.
The thumb drive then plays a prominent role throughout the movie, being hidden and getting lost in various odd places, and then gets used, in all places, in both an Apple store and to boot up a mainframe. Because all mainframes came with drivers for a USB drive, and of course file structures between Apple computers and mainframes are compatible. And as with Agents of SHIELD, there was a lot of handwaving around the notion of whether the flash drive was encrypted and how to get it decrypted.
I wasn’t the only one who had trouble with this part. “And this magical thumb drive that sets all this would-be intrigue into motion is a helluva head scratcher,” writes Sean Erickson in Trash Art Movies. “There’s just no getting around that fact when it comes down to this thumb drive that Nick Fury and his supercomputers can’t figure out but Black Widow and a display MacBook at the Apple Store can, you’re making the bad guys far dumber than they should be.”
“Why was Fury locked out of decrypting the thumb drive on his own authority?” concurs Jed Hartman. “Why was the data (that ended up on the thumb drive) on that SHIELD ship in the first place?” “Most everything about that thumb drive baffled me,” agreed one commenter. “I don’t know how that was supposed to help them read the data (even if you assume that a 1970s computer was equipped with a USB port).”
Needless to say, plugging in the thumb drive also gave the bad guys location and time information for targeting the heroes with one humungous cruise missile, which should also serve as a lesson about why plugging thumb drives into strange USB slots might be a Bad Idea.
(Incidentally, if you’re looking for a thumb drive to keep handy just in case you need to steal files from a supersecret quasigovernmental agency, you can actually get one that looks like Captain America. $9 on Amazon. No word on whether it’s explosion-proof like the one in the movie.)
Now, we know that movies aren’t necessarily the best place to pick up good habits — did you see the unsafe way those guys drive? Oddly, few other reviewers seemed to have the same issues I did with the flash drive aspect. But one does hope to achieve willing suspension of disbelief, even if we’re talking about a world with secret military bases and a massive government surveillance project.
Hmm. Maybe it’s not so unrealistic after all.
A few months back, when the New York Times wrote an article on how many government agencies were still using 3 1/2-inch disks, I wrote about it, saying, “Thank goodness it’s at least 3 1/2-inch disks, and not 5 1/4-inch (which, incidentally, were designed to be the size of a cocktail napkin because they were invented in a bar), or, Lord preserve us, 8-inch disks.”
Little did I know.
It turns out there actually is still a part of the U.S. government that operates on 8-inch floppy disks: Our missile defense system. Lord preserve us, indeed.
“But the equipment is ancient,” reads the transcript. “This, for example, is one of the computers that would receive a launch order from the president. It uses floppy disks! The really old, big ones.” Deputy Dana Meyers, 23, dutifully reported that she had never seen one before working in the missile silo.
This is not to say that using the 8-inch disks was a bad thing, Stahl reported. “I’ll tell you, those older systems provide us some — I will say huge safety when it comes to some cyber issues that we currently have in the world,” explained ICBM forces commander Major General Jack Weinstein to her, adding that the systems were not on the Internet. “A few years ago we did a complete analysis of our entire network. Cyber engineers found out that the system is extremely safe and extremely secure on the way it’s developed.”
Naturally, the grizzled denizens of the Internet were overtaken by a wave of nostalgia that made the one they had about 3 1/2-inch disks seem puny, such as the nearly 500 comments posted to the Slashdot posting of a story about the episode.
In addition, they argued about the veracity of Weinstein’s claim, with some of them agreeing because the systems couldn’t be penetrated by a USB, nor could the disks easily be stolen or read. Others said Weinstein was just using a sophisticated version of the security-through-obscurity argument. The phrase “if it ain’t broke, don’t fix it” also cropped up a number of times.
If Sony quit making 3 1/2-inch disks in 2010, one wonders how the federal government continues to find 8-inch floppy disks — unless, of course, as one poster suggested, they “have a six acre warehouse full of eight inch floppy disks that’s fully climate controlled and guarded by snipers and dogs.”
Turns out, however, that 8-inch disks are readily available on eBay; they seem to go for about $15-$25 a box.
The Office of the Privacy Commissioner of Canada had to admit last week that it had, uh, lost an unencrypted hard drive containing the personal data of up to 800 current and former federal employees from as far back as 2002.
“I believe this falls under category of #youhadonejob,” Tweeted Forrester analyst Cheryl McKinnon, who’s based in Ottawa.
“The office lost an unencrypted hard drive containing employee names, official ID numbers, salary information and details on overtime while moving headquarters in mid-February,” wrote Graham Lanktree in the Canadian newspaper The Star. “Those affected are current or former employees of the Office of the Privacy Commissioner and the Office of the Information Commissioner.”
180 current employees have been informed; another 800 former employees remain to be informed. Well, unless they read about it in the newspaper, apparently.
“IT staff first noticed the drive was missing in mid-March when they had trouble setting up their servers after the move from Ottawa to Gatineau, Que., on Feb. 14,” Lanktree wrote. “It wasn’t until April 9 that they realized the drive contained personal information.”
One does wonder. The agency moved in mid-February, didn’t try to set up the servers til mid-March, and it was almost mid-April before it knew what was on the drive? How did the agency move, load up the back of somebody’s Suburban over a weekend?
The other interesting aspect is that the data, which was only supposed to go back seven years, actually dated back to 2002, which is more like 12 years.
The good news, the agency assures staffers, is that the data is in such a raw form that “only someone with the right software and technical expertise can read it,” Lanktree wrote.
You know, somebody like Simson Garfinkel, who used to hang out on eBay buying up discarded hard drives to see what sort of information he could collect. (For research purposes only. He studies this stuff for a living.)
An internal investigation was supposed to return its findings by April 25 — like, maybe, was the thing lost or stolen or what? — but the Star hasn’t done any followup articles and the office has no information on its website yet.
On the other hand, this all transpired a month after the office investigated a loss of a similar hard drive from Employment and Social Development Canada with the personal information of 583,000 student loan recipients.
The official report on that loss is quite hair-raising, noting that “the hard drive was left for periods of time (weeks) without being stored in a locked filing cabinet. Even when stored in the cabinet, the cabinet was not always locked and other employees involved in the data migration project were aware of the location of the keys” and “The access log report for the period of August 2012 — November 2012 revealed that over 200 different employees had access to the CSLP controlled area. ESDC’s review confirmed that all individuals had approved access” and “The information contained on the hard drive was not encrypted and was not protected by a secure password.”
Seriously, though, the investigative report is a thing of bureaucratic beauty, and one can only hope that the agency’s report on its own loss is as thorough. Incidentally, they never found out what happened with the student loan hard drive, either.
That loss “underscores the need to ensure that formal privacy and security policies are more than simply words on paper, an investigation has found,” according to the agency — which apparently needs to take its own words to heart, eh?