Yottabytes: Storage and Disaster Recovery

June 27, 2015  12:18 AM

If Your Smart Devices Hear Something, Will They Turn You In?

Sharon Fisher
privacy, samsung, Security, Smartphones, Voice recognition

An increasing number of devices around us can now be controlled by voice. Our phones. Our speakers. Our televisions. Even our houses.

But for voice control to work, it means the devices have to listen. And some people are starting to worry about what sort of information the devices might be storing in the process, and what the ramifications could be.

“Listening machines trigger all three aspects of the surveillance holy trinity,” writes Ethan Zuckerman, director of the Center for Civic Media at MIT and the principal research scientist at MIT’s Media Lab, in The Atlantic. He describes that trinity as follows:

  1. They’re pervasive, starting to appear in all aspects of our lives.
  2. They’re persistent, capable of keeping records of what we’ve said indefinitely.
  3. They process the data they collect, seeking to understand what people are saying and acting on what they’re able to understand.

But it’s more than that, Zuckerman writes. What responsibility might listening devices end up having? “If a robot observes spousal abuse, should it call the police?” he writes. “If the robot is designed to be friend and confidant to everyone in the house, but was paid for by the mother, should we expect it to rat out one of the kids for smoking marijuana?”

Similarly, Zuckerman talks about “Hello Barbie,” introduced in February at the annual Toy Fair to approbation when it was learned that it not only listened to kids, but actually recorded their speech (and could be listened to by parents). (A similar toy, a listening and talking dinosaur, blew away its Kickstarter funding after appearing at the same show; it doesn’t record audio, though parents can read a text log of what their kids tell it.)

“’Hello Barbie’ transmits the recordings over the Internet to cloud servers,” explains the Campaign for a Commercial-Free Childhood. “Mattel’s technology partner ToyTalk processes the audio with voice-recognition software. Mattel says it will use this information to ‘push data’ back to children through Barbie’s built-in speaker.”

People then worried about things like whether Mattel would use the information to market to kids. “Hi, Susie! I know you like decorating. Did you know I could have my own house?”

But it could be worse. Keep in mind that people who work with children, such as doctors and teachers, are required by law to notify authorities if they suspect abuse or neglect. If a kid confides to Hello Barbie that they’re being abused by a parent, or if Barbie hears something suspicious, should Barbie call the cops?

“Information recorded by the doll could be sent to authorities, governments and other entities if ‘required to,’” warns Vigilant Citizen.

Vendors of products intended for adults could run into the same problem. “Do we want a world in which we confide in our phones?” Zuckerman writes. “And how should companies be forced to handle the data generated by these new interactions?” Attendees at a recent conference he attended on listening machines even suggested that robots might someday have “robot privilege” that protects people from having their household devices subpoenaed.

One could argue that nobody – so far as we know, of course – has said that Google should contact the cops if somebody searches for “how to make poisons” or “how to hide a body.” And if that doesn’t happen, then why would anyone suggest that a listening device, whether it’s a phone or a Barbie, should take steps if it hears something suspicious?

That said, certainly there’ve been cases where law enforcement believes that security and encryption systems should have “back doors” built into them. It isn’t hard to imagine law enforcement believing that Siri should start a recording going – accessible only by police, of course – when she hears something she thinks “sounds suspicious” (like a gunshot, maybe?) Somehow that seems a lot more likely than “robot privilege.” And certainly there have been concerns about this in connection with webcams.

And as Amazon starts licensing the technology its Echo personal assistant uses to other vendors, we might find a lot more things around the house are listening to us. This is all happening at the same time that there are discussions of things like smart dust that can scatter minuscule microphones everywhere to listen to people.

“Smart TVs sit in your living room or bedroom, and can have microphones, cameras, and access to your TV-watching habits—which can produce incredibly personal data,” Parker Higgins, from the Electronic Frontier Foundation, wrote after the Samsung “listening television” issue. “If security researchers can’t examine the software these devices run, and developers can’t work on alternatives or modifications, then users are bound by whatever terms their manufacturers want to put forward, and must trust that they’ve been implemented as promised. Given that these devices are networked and can often be updated remotely, user privacy is at the mercy of not just the manufacturer, but anybody who can convince, coerce, or compromise it, to modify the software or collect additional information.”

It’s enough to make you clam up.

June 17, 2015  5:30 PM

How Geeks Spend Their Summer Vacation: Playing With Old Storage

Sharon Fisher
IBM, Mainframe, PC, Storage

You know that you’re getting old when you start finding stuff you actually used in museums.

I was reminded of this on a recent trip to Seattle, where we visited the Living Computer Museum. Like the Experience Music Project, but not nearly so flashy, it’s funded by Microsoft co-founder Paul Allen. While, predictably, it talks a lot about all the value that Microsoft provided to computer history – as well as pictures of Allen and Bill Gates in high school, looking cute as the dickens — it also features hunks and hunks of big iron ranging from IBM to DEC to Xerox to even Apples.

(Incidentally, after donating $1.5 billion to various charitable causes, as well as his various indulgences like museums, yachts, and sports teams, Allen is still the #51 richest guy in the world, according to Forbes.)

To tell you something about the museum, this is the go-to place for Hollywood when they need old-looking hardware for the movies and television, such as the IBM 360/91 control panel used in Tomorrowland and the IBM 1052 printer keyboard used in Mad Men.

Naturally, with all that old hardware around, there has to be a lot of old storage devices around to go with it. And if you’re looking for a place to wave your cane and mutter about kids these days not appreciating what they have, this is a great place.

While sticking a 16 GB microSD card into your camera to take a picture of it, you can look at paper tape, which stored about 10 bytes per inch, or a punch card, which stored 80 characters per card (about the size of a business envelope). Or you can move on to big storage, like the 10 platters that made up a 25-pound disk pack to store 200 megabytes in a 1974 DEC storage device.

The museum also includes a display showing the various types of portable storage, ranging from DECTape to floppies to tape cartridges and of course thumb drives.

Best of all, this is an actual interactive computer museum, where most of the equipment actually works. You, too, can see what it is like to actually type a punch card, hold a facsimile of the paper tape with the first copy of BASIC that Allen and Bill Gates wrote, and hug a megabyte – which at the museum is in approximately a 6’ x 6’ cabinet.

Aside from the storage history, the museum is a fun place anyway. There’s all the old minicomputers, dating back to a PDP-7 (one of only five in the world, they say, and reportedly the only one still working). There’s even a Xerox Alto, basically the forerunner to all the graphic user interface devices we use today. Sadly, there isn’t much IBM hardware, because IBM typically leased its devices and repurposed the hardware when people were done with it. There’s not much in the way of HP hardware, either, though apparently they’re working on restoring one. And you can even get a remote login for the DEC hardware.

There’s also a batch of PCs loaded with vintage games and other game controllers, and this appears to be where they expect a lot of people will spend their time. If you, too, want to play a copy of the Oregon Trail just like you did when you were a kid, or if it’s been years since you played Rogue, this is the place for you.

If you go, don’t pass up the opportunity for a tour, where they explain the provenance of all the hardware and what people were able to do with it. The museum also goes to a fair amount of effort to include women in its displays and descriptions, such as pointing out how women were usually the ones hired as keypunch operators because of their accuracy – but not paid as well for their expertise. (You can also see my pictures, and understand why I’m a writer and not a photographer.)

Incidentally, if you happen to have one kicking around the garage, they’re in the market for a Cray.

June 9, 2015  9:44 AM

Clear Your Browser, Go to Jail

Sharon Fisher
ediscovery, legal, Thumb drive, USB drive

One of these things is not like the others: Fish. Browser. Backpack. And not knowing the difference could send you to jail.

It’s all part of an unintended consequence of the Sarbanes Oxley Act, writes Amy Howe in SCOTUSblog. “In 2002, Congress passed the Sarbanes-Oxley Act in the wake of the collapse of Enron Corporation, once the world’s largest energy trader,” she explains. “One provision was a response to revelations that Enron and its accountants had destroyed thousands of documents, computer hard drives, and emails that might have shed light on the company and its finances. The law makes it a crime to ‘knowingly . . . destroy any record, document, or tangible object with the intent to impede, obstruct, or influence’ a federal investigation, even if such an investigation has not yet been officially initiated.”

We’re not talking about people deleting terabytes of data. Sarbanes Oxley has been used against individuals for as little as clearing a browser history, writes Juliana deVries in The Nation.

That would be the case of Khairullozhon Matanov, a friend of the Boston Marathon bombers. After he saw them listed as suspects, he went to the police (which, incidentally, he wasn’t required to do), but lied about some aspects of their relationship, according to deVries. “Then Matanov went home and cleared his Internet browser history,” she writes. Eventually, he was charged with four counts of obstruction of justice – three for the lies “and—remarkably—one count for destroying ‘any record, document or tangible object’ with intent to obstruct a federal investigation,” she writes, a charge for which he could serve 20 years. “This last charge was for deleting videos on his computer that may have demonstrated his own terrorist sympathies and for clearing his browser history.”

What makes this sort of expansion of Sarbanes Oxley problematic is that prosecutors do not have to show that the person deleting evidence knew there was an investigation underway, deVries explains. “In other words, a person could theoretically be charged under Sarbanes-Oxley for deleting her dealer’s number from her phone even if she were unaware that the feds were getting a search warrant to find her marijuana,” she writes. “The application of the law to digital data has been particularly far-reaching because this type of information is so easy to delete. Deleting digital data can inadvertently occur in normal computer use, and often does.”

Similarly, David Kernell, who was convicted of breaking into Alaska Governor Sarah Palin’s email account while she was running for Vice President, was charged with felony destruction of records under Sarbanes-Oxley for clearing his browser cache, uninstalling the browser, deleting images he had downloaded from her email account, and defragging his hard drive, deVries writes. “In January 2012, the US Court of Appeals for the Sixth Circuit found that Kernell’s awareness of a potential investigation into his conduct was enough to uphold the felony charge,” she writes.

Defenders argued that the case had not yet been filed, but the court noted that Kernell specifically mentioned his concern that the FBI would find his records, writes Robyn Hagen in Findlaw. Individuals had also been charged with Sarbanes Oxley violations for destroying computer data when they knew about an investigation.

The federal government, for its part, noted that it had used Sarbanes Oxley “to prosecute the destruction of a wide array of physical evidence—including human bodies, bloodstains, guns, drugs, cash and automobiles—in order to cover up offenses ranging from terrorism and the unreasonable use of lethal police force to violations of environmental and workplace-safety laws,” according to Mark Walsh in ABA Journal. Walsh went on to cite another expert as saying that there is apparently not a federal destruction of evidence statute, which is why Sarbanes Oxley is being used in this way.

But the use of Sarbanes Oxley in the Matanov case, if successful, has all sorts of repercussions. “Think of it another way, outside of the context of terrorism,” explains Susan Zalkind in The Daily Beast. “Imagine your friend, with whom you enjoyed listening to rap music like Notorious B.I.G’s ‘Ten Crack Commandments,’ was arrested in a big crack sting. You don’t sell crack. You didn’t even know your friend sold crack. Maybe he mentioned it, but you thought he was playing around. But you do know federal investigators will now want to talk to you. And, in fact, you want to help. Songs about crack are one thing, but crack itself is a different story, you figure. To keep up appearances, you take down your Biggie poster, delete some of your music, and clear your browser history. The Matanov conviction could set up a precedent whereby you could serve federal time for any of those actions.”

So where do the fish come in? Well, the Supreme Court, watching the creeping Sarbanes Oxleyism of their courts, finally decided that enough was enough, writes Gideon Lichfield in Quartz. Boat captain John Yates appealed the use of Sarbanes Oxley for his crime of throwing undersized fish overboard, in an attempt to keep from being convicted for having fish that were too small. Fish, the court ruled, could not be a record (despite Justice Kagan’s dissent, where she quoted One Fish Two Fish Red Fish Blue Fish, apparently the first time that Dr. Seuss had been cited in the Supreme Court). For a tangible object to count under Sarbanes Oxley, it must be used to record or preserve information, wrote Justice Ginsburg.

“Most of the justices seem to have very little patience with the feds going after John Yates with a white-collar destruction-of-evidence statute that carries a maximum penalty of 20 years in prison, merely because, as [Supreme Court Justice Antonin] Scalia puts it to the assistant solicitor general a moment later, ‘This captain is throwing a fish overboard,’” writes Dahlia Lithwick in Slate. “Scalia is only just getting started: ‘He could have gotten 20 years. What kind of a sensible prosecution is that? … Who do you have out there that exercises prosecutorial discretion? What kind of a mad prosecutor would try to send this guy up for 20 years?’”

“For as long as this case has dragged on, it has gained attention around the nation as a prime example of prosecutors going to absurd lengths to punish someone for reasons that the rest of us find difficult to understand,” agrees Keith Lee Rupp in an opinion in US News and World Report. “The nation’s criminal defense attorneys say the case is a poster child for the way some federal prosecutors try to scare plea deals out of their targets with threats of outrageous punishments if the matter goes to court. This is not a message the Justice Department should want to be sending, but it is.” (To add insult to injury, by the time charges had been filed, the fish size limits had been changed and Yates’ fish would no longer have been illegal, he notes.)

Zalkind also points out that the prosecutor filing these charges against Matanov is US Attorney Carmen Ortiz, the same person who filed what many say were excessive charges against Internet activist Aaron Swartz. They could have resulted in his serving 32 years in prison, and it is widely believed that this is what led to him committing suicide instead.

The Yates case could be used to free another Boston marathon bomber’s friend, Azamat Tazhayakov, who was convicted – in another case prosecuted by Ortiz — of destroying the marathon bomber’s backpack. Apparently, backpacks, like fish, should also be considered to be too far removed from the notion of a record for Sarbanes Oxley to apply to them, writes the law firm of Blank Rome. “Items of clothing and bags of any sort, including backpacks, briefcases, purses, or messenger bags, are now plainly outside of the statute’s compass,” the firm writes.

Interestingly, there was a thumb drive in the backpack, which would have been enough to convict Tazhayakov under Sarbanes Oxley, but the government did not raise the issue of whether he knew about the thumb drive when presenting its case, writes Mark Joseph Stern in Slate. In fact, if the government had used a simple obstruction of justice charge, he likely would have been convicted, but that could have resulted in only a few years of prison, not 20, he writes.

In the meantime, however, browser histories and other deleted information – indeed, any electronic object, according to Blank Rome — are apparently still fair game. “The Supreme Court did not answer the pressing question of how broadly federal prosecutors are allowed to use Sarbanes-Oxley in the digital age,” deVries writes. “Can you be prosecuted for deleting a potentially incriminating tweet? For uninstalling Firefox? For clearing your browser history? How much of their digital data should citizens have to preserve in case law enforcement wants to take a look?”

May 31, 2015  10:57 PM

How the Clinton Email Release Process Will Work: Slowly

Sharon Fisher

As you may recall from a previous episode of “Politicians Behaving Badly With Email,” in March it was revealed that Hillary Clinton used her own server for email when she was Secretary of State. Due to the partisan lens through which everything she does is judged, that was either completely normal behavior or a heinous crime against the American people, depending on whom you ask.

Now, the email messages are starting to be released, and there’s still partisan controversy.

The State Department started the ball rolling by saying that the 55,000 pages of email messages that Clinton had turned in to the department in December wouldn’t be released to the public until January 2016. Why? Because, according to the Washington Post, the email messages were submitted to the State Department on paper in 12 file boxes, meaning that they needed to be scanned (which was complicated by the fact that some of them were double-sided) and OCRed.

Oh, and each page had a separate barcode sheet, which also had to be scanned.

In addition, metadata needed to be added manually. And not all of it, at that; just “to,” “from,” “cc,” “bcc,” “date sent,” and “subject” fields, according to the Post.

Altogether, the process just of converting the paper documents back into electronic ones took 12 full-time State Department employees five weeks, plus assistance from other employees, for a total of 2400 staff hours, the Post reports. (And apparently the department didn’t even start scanning until two months ago.)

Finally, any department associated with the message needed to approve its release. The Office of the Legal Adviser also needs to review the material before release. The Post notes that this isn’t specific to Clinton, and that any material released by the State Department has to go through this same arduous review process. “The State Department outlined a 15-step process involving sign-offs by at least three different offices internally and an unknown number of other agencies, each of which will undoubtedly impose its own review procedure on the missives,” it writes.

And that was *before* current Secretary of State John Kerry broke his leg (which, no doubt, some partisan observers will claim was all a plot to slow down the process further).

To some people, the fact that the email messages had been submitted on paper rather than electronically was proof of nefarious intent. Others, however, have pointed out that according to law, Clinton was *required* to turn in the messages on paper – an indication, perhaps, of the sort of antiquated thinking that led her to run a private email server in the first place – and the State Department itself confirmed that material for such reviews was typically turned in on paper.

Whether you believe that by turning the messages in on paper she’s following the law or trying to hide something, there are two other factors. First, printing the messages out means that some metadata about the messages is going to be missing, even though some of it is being manually added. Second, observers claim that it would be easier for Clinton and her staff to unobtrusively remove messages from a stack of paper than from a file.

Meanwhile, U.S. District Judge Rudolph Contreras rejected the State Department’s initial offer to turn over all the email by mid-January, and instead suggested that the department turn over some every month. The first batch of messages was released on May 22, with the next batch due to be released on June 30, and so on.

“By June 30, the department must release 7 percent of the emails, totaling 2,100 messages; then release 2,400 more by the end of July; 3,000 more in August; 3,600 in September; 4,200 in October; 4,500 in November; 4,800 in December; and the final 5,400 or so in January,” writes the Washington Times.

According to the New York Times, if the schedule is followed, all the messages will be made public by Jan. 29, 2016 — three days before the Iowa caucuses.

May 27, 2015  4:09 PM

Gasp! Drama in the Gartner E-Discovery Magic Quadrant!

Sharon Fisher
E-discovery, ediscovery, Gartner

Along with all the other signs of summer, we can always count on Gartner to release its e-discovery Magic Quadrant about this time of year. But unlike the past few years, where the results were practically unchanged year-over-year, this year features drama.

  • AccessData, Kroll and Symantec (which Gartner telegraphed last year) have been dropped from the Leaders quadrant to the Challengers quadrant, due to a lack of vision.
  • Guidance has been dropped from the Leaders quadrant to the Visionaries quadrant, due to a lack of ability to execute.
  • Nuix and Zylab have been added to the Leaders quadrant.
  • Driven, which was dropped altogether last year, is back. Gartner didn’t say why.
  • Microsoft was also added.
  • EMC, Integreon, KPMG, and Stroz Friedberg have been dropped altogether.

Gartner also included write-ups, though no quadrant placement, on several other new vendors for having innovative technology or delivery or both: cicayda, Everlaw, Logikcull, and Zapproved.

(Also, the obligatory being-in-the-leaders-quadrant-doesn’t-necessarily-mean-you’re-better. The other three quadrants — Challenger, Visionary, and Niche — simply mean that the vendor or product was considered to be somewhat lacking in either vision or ability to execute, or both. But for many use cases, those vendors and products are perfectly adequate, and perhaps, being number two, they try harder.)

The company also seems to indicate that, while the demand for e-discovery technology and services continues to grow, it seems to be slacking, though it didn’t come out and say so. In previous years, Gartner predicted 15 percent growth, 15 percent the year before, and 14 percent the year before that. Also last year, Gartner forecast that revenue would grow from $1.8 billion in 2014 to $3.1 billion in 2018, after predicting the previous year that it would grow from $1.7 billion in 2013 to $2.9 billion in 2017. This year, Gartner estimates that the enterprise e-discovery software marketplace was $1.8 billion in total software revenue worldwide in 2014, an increase of only 10.6 percent from 2013, for a five-year compound annual growth rate of 12 percent.

Gartner pointed to several changes in the market affecting this year’s Magic Quadrant:

  • Migration to Office 365: “Organizations are in the process of migrating email and documents into Office 365 and need to take a step back on what that means to their established e-discovery process and technology application.”
  • New data sources and increasing concerns about data sovereignty, such as what to do with social, Web, and Internet of Things data.
  • The desire for more agile and less expensive approaches to e-discovery. “Many organizations have realized that the traditional project-based approach to e-discovery is, in many ways, becoming unsustainable,” Gartner writes. “This awareness motivates organizations to seek newer and innovative technologies that support lower cost and faster performance.”
  • Pricing structure continues to be simplified, particularly due to pressure from newer, cloud-native vendors.
  • Support for SaaS and the cloud (though Gartner notes, “Although many offerings are labeled as ‘SaaS,’ caution should be given because some of them are really hosted rather than true SaaS”). Gartner also warns that “The legal guidance and requirements on how to treat cloud data (social, website, Web email and IoT content) within the e-discovery context is lacking.”

Gartner is also predicting another round of market shake-up, noting that Microsoft has entered the market by acquiring Equivio, that kCura expanded its Relativity platform to add collection and processing, and that startups such as Everlaw and Zapproved are gaining customers. However, the company stopped short of making predictions about acquisitions, after backing off last year from its 2011 prediction that the e-discovery market would see a wave of consolidation, eliminating up to 25 percent of the vendors, by 2014.

May 12, 2015  11:25 PM

Warrant Required for Border Laptop Searches, Judge Rules

Sharon Fisher
laptop, privacy, Security

Is a laptop more like a purse or a butt? Be prepared to explain your answer.

Since August 2009, civil libertarians have objected to a Department of Homeland Security policy that enables U.S. Customs and Border Patrol agents to search laptops and other electronic devices at the U.S. border, for large values of “at” – that is, within 100 miles of the border.

100 miles might not sound like much, but according to the American Civil Liberties Union (ACLU), as of 2006, more than two-thirds of the U.S. population lived within 100 miles of the border. Altogether, it meant that anyone in that area with a laptop could have that laptop seized without a warrant, at any time, taken to a lab anywhere in the U.S., have its data copied, and searched for as long as Customs deemed necessary. And despite their objections, the policy has largely been upheld.

But earlier this month, a judge ruled that – following the lead of the Supreme Court ruling on the Riley case, which stated that law enforcement officials needed a warrant to search someone’s cell phone – customs officials needed to have probable cause before they could search someone’s laptop.

Let alone take it 150 miles, make an exact copy of its hard disk, and go on a fishing expedition through it at their leisure.

Why? Because the potential amount of personal data in a laptop makes such a search more like a strip search than searching a handbag, writes Judge Amy Berman Jackson of the U.S. District Court of the District of Columbia. Her ruling allows defendant Jae Shik Kim to suppress evidence the government found after seizing his laptop at Los Angeles International Airport.

“Border patrol agents with the Department of Homeland Security suspected Kim of illegally selling aircraft parts to Iran and seized his computer before allowing him to board a flight home to Korea in December 2012,” writes Lauren Williams in ThinkProgress. “The government cloned Kim’s hard drive, shipped it off to a forensic lab in San Francisco, and searched it for keywords, uncovering a series of ‘incriminating emails’ that formed the basis for the government’s case against Kim.”

That constituted unreasonable search and seizure, Jackson writes. “Given the vast storage capacity of even the most basic laptops, and the capacity of computers to retain metadata and even deleted material, one cannot treat an electronic storage device like a handbag simply because you can put things in it and then carry it onto a plane,” she writes. Quoting another such case, she writes, “A forensic search is far more invasive than any other property search that I have come across and, although it lacks the discomfort or embarrassment that accompanies a body-cavity search, it has the potential to be even more revealing.”

Hence the purse-or-butt question.

Needless to say, Kim’s attorneys hailed the ruling. “The government claimed that because Mr. Kim’s laptop was seized at the border, it was free to search the computer without having any suspicion that he was presently engaged in criminal activity, the same way the government is free to search a piece of luggage or a cargo container,” write Kim’s attorneys. “Yet anyone who owns a laptop, smartphone, tablet, or any other personal mobile device, knows that the breadth and depth of private information stored within these gadgets are intimately tied to our identities and should be entitled to a heightened level of privacy.”

Similarly, civil libertarians are elated at the ruling, though for the time being it applies only to Jackson’s court, until an appeals court either affirms it or overturns it. “Our laptops and cellphones carry such a sensitive array of details of our lives, they cry out for more robust regulation under the Fourth Amendment,” Nate Wessler, a First Amendment and privacy attorney for the American Civil Liberties Union in New York, told ThinkProgress.

However, some legal beagles are concerned that the ruling won’t stand, because it doesn’t provide enough of a standard guide for when laptops can and can’t be searched, which the Supreme Court called for in Riley. “Judge Jackson’s totality-of-the-circumstances test seems like the kind of ‘ad hoc, case-by-case’ approach that the Supreme Court warned against in Riley,” writes Orin Kerr in the Volokh Conspiracy. In addition, it depends on whether the “reasonable suspicion” standard should be applied to the person or to the laptop, he writes.

Some of Jackson’s arguments about warrants could actually dissuade law enforcement from getting warrants in the first place, Kerr warns. He notes, though, that there simply isn’t any case law regarding when warrants are required.

“Once the computer is seized at the border and an image is made, what are the temporal limits on searching the image?” Kerr writes. “Do the agents have to do a warrantless search quickly, but then get a warrant after a certain period of time passes? Or can they keep searching for as long as they want? If there’s a time limit, what framework governs what that time limit is? Right now, we have no idea.”

May 6, 2015  4:27 PM

Pass the Popcorn: HP, Autonomy Going to Court

Sharon Fisher
Autonomy, HP

In another installment of Law and Order, HP-Autonomy Unit, court documents have been released that HP intends to use to back up its $5.1 billion lawsuit against Autonomy for fraud, based on what it says were artificially inflated revenues and sales. The company filed its lawsuit on March 30 and is filing documents now in preparation for actually having the case heard.

Needless to say, Autonomy isn’t taking this lying down. And, one has to say that, at least in the court of rhetoric rather than the court of law, Autonomy is winning. “We utterly refute the allegations made against us,” responded the former management of Autonomy, on a website managed by former CEO Mike Lynch intended to provide Autonomy’s side of the story. “HP has waged a three-year smear campaign riddled with half-truths and obfuscation. They have intentionally made the claims as complex and convoluted as possible.”

The lawsuit is “a continuation of HP’s transparent effort to generate one-sided publicity for its specious claims and false statements, avoid disclosure and engagement on the merits, bury HP’s own malfeasance, and insulate its directors and officers from liability,” thundered Autonomy’s attorneys. The response also went on to point out that the U.K.’s Serious Fraud Office had closed its investigation, saying there was insufficient evidence to convict Autonomy of fraud.

In addition, Lynch and the former management of Autonomy said in March, after HP filed its lawsuit, that it was also filing a £100 million lawsuit against HP, for “false and negligent statements.”

What the case boils down to will be a scintillating discussion of differing accounting methods between the U.S. and the U.K. “Much will depend on how these accounting differences between the U.S. and the U.K. are interpreted and applied in court,” writes Arik Hesseldahl in Re/code, a piece that includes complete copies of both HP’s and Autonomy’s court documents. “U.S. companies follow an accounting system known as Generally Accepted Accounting Practices, while U.K. companies adhere to a system known as International Financial Reporting Standards. The difference between them is important because GAAP rules establish clear practices for how revenue for software sales can be recognized, while IFRS rules treat software differently. Lynch has previously argued that at least some of HP’s allegations can be explained by the differences in accounting standards.”

Fortunately, the rhetoric and some aspects of the allegations make this far more interesting than the typical argument over accounting standards. “Dr. Mike Lynch used a deal with a Premiership football club to exaggerate growth of the software group, and offered to buy a Porsche for one of his salesmen if he sold hardware that made the company appear more dynamic than it actually was, Hewlett Packard has claimed,” writes This is Money, a U.K. financial site. “He also fired a US manager who raised questions over the company’s accounting policies, the documents allege.” Lynch says it was Autonomy’s chairman, not he, who fired the manager, and that it wasn’t unusual in the industry for salespeople to receive incentives.

As you may recall, this all started after HP’s monstrous $10 billion acquisition of Autonomy in 2011, for which nearly everyone agreed it overpaid. HP then took an $8 billion writedown on the deal, and since then the companies have been throwing lawyers at each other, in light of what some found to be, um, unconventional business practices on the part of Autonomy.

For its part, HP was sued by shareholders, and it’s racing the clock, writes Julie Bort in Business Insider. “HP was slammed with shareholder lawsuits, here and in the UK,” she writes. “And HP has been jumping through some pretty serious hoops trying to settle them before it splits into two companies in the fall.” The U.S. Justice Department and Securities and Exchange Commission are also still investigating, writes Bloomberg Business.

Legal experts told the New York Times that the cases brought by both HP and Lynch will not be heard before early next year.

April 30, 2015  3:43 PM

Politicians: Before You Scrub Your Twitter History, Read This

Sharon Fisher
social media, Storage

The Internet is forever, they say. While this isn’t entirely true – Google “link rot” sometime – there seems to be no end of Internet youthful indiscretions that come to the light of day once their young perpetrators achieve majority and go on to do something useful with their lives.

You may recall one of those young victims from earlier this year: Ethan Czahor, the newly hired CTO of Jeb Bush’s political action committee, who resigned scant days after his appointment when his Twitter history came to light.

Now, Czahor’s trying to help people avoid the mistakes he made. Not by, say, suggesting that people be more circumspect in what they post to social media, but by giving them a tool to help them find potentially offensive material, starting with Twitter, Facebook, and Instagram. The tool is called Clear – which is a really terrible name; try to Google it sometime – and at the moment it runs just on iOS.

It’s not that it’s been impossible for people to scrub their social media history before. It’s simply that the tool makes it easier to find material that some might see as potentially damaging. For example, if you didn’t know that it was impolitic to refer to women as sluts, this tool could helpfully let you know that.

“The app works by flagging postings that contain watchwords: the obvious four letter ones, as well as ‘gay,’ ‘Americans’ and ‘black,’” notes Time reporter Zeke Miller (who goes on to add that the tool scored him with a record low -2404). “Posts are also subjected to sentiment analysis, using IBM’s Watson supercomputer, to try to flag additional negative messages. The app’s algorithms are far from perfect, but it errs on the side of caution.”

(How in the world did Czahor get access to Watson?)

The software flags potentially problematic messages, and then lets you decide whether to delete them. It can also only be used by people with access to the accounts, not by opponents, Miller adds. Future versions of the software could also work on email messages, personal blogs, and search results.

“There are caveats, of course,” warns Lisa Vaas in Naked Security. “There’s nothing to stop people from grabbing screen captures of postings, nor does this tool promise to reach into digital archives to erase anything.” Nonetheless, apparently the app is pretty popular; still in beta, it had a waiting list of more than 5,000 people earlier this month.

So what’s the problem?

Specifically in the case of politicians, we’ve written before about our concern when public servants are deleting the people’s business. And this is just another example of that. While we applaud Czahor’s ingenuity in making lemonade out of this particular lemon, and while we agree that yes, people should be allowed to move on with their lives without some particular online albatross hanging around their neck, there’s the we’ve-always-been-at-war-with-Eurasia aspect that’s concerning. How much do we want politicians to be able to change history, even their own?

Fortunately, we’re not the only ones who feel that way, which is why we feel honor-bound to let politicians know about something before they run off sanitizing their Twitter streams wholesale. In 2012, the Sunlight Foundation, a nonprofit dedicated to open government, started up a web page called Politwoops. The organization followed politicians and, as a public service, retweeted any Tweets they deleted and reposted the Tweets to a webpage, most recent first.

So here’s the thing. Politicians, pay attention: Any Tweets that get deleted not only get saved, but get posted to the Internet. So not only are the Tweets still there – albeit not in Twitter — but they will have new attention called to them. This is particularly true if it looks like somebody is deleting things in a big way in preparation for running for a higher office, as the Sunlight Foundation runs a weekly blog post with anything interesting that came up. In fact, it takes a point of pride in doing so.  “As a tweet ages and falls from the recent stream, it’s easier to quietly scrub those statements without getting attention — unless you’re a politician in Politwoops,” crows the organization.

David Weigel of Bloomberg notes, for example, that the Clear tool wouldn’t even have helped Czahor, who had already deleted the Tweets. “It would not have prevented Czahor himself from being caught out by Buzzfeed, which employed a reporter who knew how to find deleted info,” he writes. “It might make negative information tougher to Google or stumble upon, but it would not conceal it from a dogged investigator.”

While you’re Googling things, try Googling “Streisand Effect.”

April 28, 2015  1:22 PM

No Escape From the Black Hole of a Police Database

Sharon Fisher
police, privacy, Security

Remember back in elementary school? How often were you cowed into socially acceptable behavior by the threat that something would go on your permanent record?

You ain’t seen nothin’.

Increasingly, police are using technology to fight and prevent crime. Which is laudable, of course. But some of this stuff is starting to veer into Minority Report territory – you know, the 2002 Tom Cruise movie where people get arrested before they even commit the crime.

Police are using technology like social media to collect information about who people – such as gang members – might know, as well as people’s sentiments about such activities. “It is not hard to see why New York authorities are so enthusiastic about using social media in their investigations,” writes The New York World. “Unlike with a traditional wiretap, which requires a warrant, police can access public social media accounts easily — and even probe private accounts using a fake identity — with no need for a warrant.”

This information is then all put into a gang database, where it can be retrieved when needed. Once the data is stored in the database, it sits there. Forever. (Just watch a show like Blacklist or Hawaii Five-O sometime.) “For the kid listed in a gang database, it can be unclear how to get out of it,” writes Meredith Broussard in The Atlantic. “In the database world, unless someone has permission to delete or amend a database record, no such change is possible. Credit agencies are required to forgive financial sins after 7 years. Police are not—at least, not consistently.” Only 12 states have policies that specifically address gang databases, only a few of them mention regular purging of information, and some specifically say that a person cannot even find out if they have a record in the database, she adds.

For example, GitHub offers six different free, open-source database applications that anyone can download and use – but none of them contains an expiration date, any regulations about purging, or any kind of guidance on ethical use, Broussard writes.

Here are some other examples:

  • Police in Brooklyn and Harlem use social media to create a database of suspected gang members who were burglarizing stores.
  • Cincinnati police created a database to track down gang members. “Collaborating with the University of Cincinnati’s Institute of Crime Science, the police created databases of information scraped from social networks, existing police records and phone records, then used software to analyze the data and establish links between suspects,” writes CNN.
  • Department of Motor Vehicles databases of people’s drivers license photos are being used to help identify suspects through facial recognition – not just of mugshots, but of ordinary citizens. In 2013, 37 states used facial-recognition technology in their driver’s-license registries, while at least 26 of those allowed state, local or federal law enforcement agencies to search — or request searches — of photo databases in an attempt to learn the identities of people considered relevant to investigations, the Washington Post
  • Some Ohio police officers were caught using police databases for personal use, to look up information about somebody – sometimes to commit crimes against them.

Moreover, some people are concerned about the constitutional aspects of these databases. Just because you know somebody, does that mean you should be considered a suspect? “Is being ‘friends’ with someone on Facebook enough to establish the links of a criminal network?” asks The New York World.

In addition, the names of minority youth are much more likely to be collected in such databases than are those of white youth.

“Gang databases may also interfere with an individual’s First Amendment Freedom of Association,” writes Rebecca Rader Brown in Journal of Law & Social Problems. “Since a person may be documented for affiliating with other known or suspected gang members, he may be targeted as a suspect before committing any criminal act. Using a ‘guilt by association’ standard can have the effect of sweeping entire neighborhoods into a gang database. This effect is felt disproportionately by minority populations due to geographic targeting of anti-gang efforts. In certain localities, police tend to document minorities for behaviors that, if observed among members of the majority population, are considered innocuous.”

Plus, doesn’t having someone’s name in a database called “Suspects” interfere with the presumption of innocence? “An observational study in Arizona showed that police were more aggressive with documented gang members, using excessive force more often than with individuals not documented in a gang database,” Broussard writes. “Listing a teen in a database as a gang affiliate could bias future prosecutions against them. A district attorney or cop looking for a suspect could automatically assume that the kid who’s listed in the gang database is more likely to be involved than the kid who isn’t.”

Finally, there’s just something very Big Brotherish about the prospects of such databases. “That prospect has sparked fears that the databases authorities are building could someday be used for monitoring political rallies, sporting events or even busy downtown areas,” writes the Post. “Whatever the security benefits — especially at a time when terrorism remains a serious threat — the mass accumulation of location data on individuals could chill free speech or the right to assemble, civil libertarians say.”

Steps are underway to address some of these issues, such as having people’s records or social media histories wiped after a few years, or when they become adults. It’s also being suggested that police should be better trained in some of the ethical and constitutional aspects of these databases.

April 14, 2015  5:28 PM

Incredibly Geeky Storage Case Could Decide the Future of Patent Law

Sharon Fisher
legal, Storage

Okay, granted, “It has come to the attention of Carnegie Mellon University (“CMU”) that in recent months there has been an upsurge of interest on the part of industry in correlation-sensitive adaptive sequence detectors for signal-dependent noise and their application in data storage and retrieval using magnetic media” isn’t the most gripping of beginnings. But it gets better.

That scintillating paragraph comes from a 2003 letter that CMU wrote to Marvell Semiconductor, expressing interest in licensing its patents to the company. Marvell demurred, CMU sued in 2009 and won, and Marvell appealed. Now, almost 12 years after that first letter, the two parties are getting together again, this time presenting oral arguments to the appeals court.

The patent itself is really, really technical. It’s about not just storage, but storage chips, used by companies such as Seagate, and has to do with identifying and removing “noise” that crops up with increasingly dense disk drives.  “The patented technology significantly improves the ability of detectors to more accurately detect data stored on hard disk drives,” describes CMU in its FAQ on the case. “Marvell constantly uses the CMU invention, which it called a ‘Kavcic detector,’ during the ‘sales cycle’ process that the company must follow to design, simulate, develop, test and sell more than 200 different chip models (and more than 2.34 billion individual chips) containing the infringing hard disk drive read channels.”

Now, nobody’s accusing CMU of being a patent troll here. The university legitimately came up with the invention and patented it. Organizations such as the Electronic Frontier Foundation, which make a point of filing friend-of-the-court briefs when they believe a patent is overbroad, haven’t done so in this case; at worst, the organization believes that the award was too big. (The award was 50 cents per chip, which CMU has since said is probably what it would have charged the company as a royalty. Marvell earned an average revenue of $4.42 per chip and made an average operating profit of $2.16 for each of the more than 2 billion chips it sold, according to CMU.)

The whole thing is exacerbated because the jury found that Marvell was not just infringing, which it could have done by accident, but willfully infringing – that is, writes CMU, it was infringing “deliberately, intentionally, and with knowledge of the patent.”

Or, as some people might call it, “stealing.” CMU’s 2003 letter to Marvell was more than a year and a half after Marvell employees were referring in email to the technology, in the context of it being patented by CMU.

What difference does this make? Willful infringement, as opposed to just regular infringement, can result in triple damages. In other words, CMU could – and did – ask for additional damages, resulting in a $287 million boost of the award from $1.17 billion to $1.54 billion.

CMU is also concerned that Marvell, which is a public company that had more than $2 billion in cash as of 2013, is distributing that cash to its stockholders with stock buybacks and dividend payments without setting aside any money to pay the judgment. Also, Marvell is organized under the laws of Bermuda, and Bermuda and the U.S. don’t have a treaty to enforce judgments, according to Marvell’s SEC records. “It is clear that Marvell has the corporate machinery in place to efficiently (and conveniently) reduce its cash and short-term investment holdings during the time that it will take to resolve post-trial motions and any appeals in this case,” CMU writes.

Marvell’s side of it is that CMU sent out similar letters in 2003 to a total of 10 companies, and that none of them took CMU up on its offer. It also claimed prior art (which the jury denied), that CMU should have filed its lawsuit sooner than 2009 and was just waiting around to see if Marvell would be successful, and that the chips were primarily made and used outside the U.S.

In other words, the company said that the CMU technology was only used to design the chips, and that it wasn’t fair to then claim a royalty on every chip made using that design. A number of major technology companies, including Dell, Google, HP, Microsoft, and SAS signed a friend-of-the-court brief on this aspect of the case.

“Under the damages theory adopted below, any patent practiced domestically in the research and development of a product can result in a damages award reflecting every unit of that product produced and sold worldwide, including units that never entered the United States,” notes another friend-of-the-court brief, signed by law professors. “The practical effect of that damages theory is to confer a worldwide patent right, contrary both to established precedent and sound innovation policy.”

Marvell’s primary argument, however, is simply that the award is so darn big. The company noted that CMU offered to license the patent to Intel for just a flat fee of $200,000, and now is being awarded more than $1 billion. “In short, the largest extant judgment in patent history, resting on hypothetical per-unit royalties on worldwide sales, was awarded for infringement of two patents that no one has ever paid a penny in per-unit royalties to license in the commercial marketplace,” the company writes.

One legal expert, Steven Goldman, who listened to the opening arguments, believes that, while Marvell will still be ruled to have infringed on the patents, the judgment will be set aside, and perhaps even a new trial called for, regarding the award aspect. (For that matter, he believed the same thing before the oral arguments.) Other legal experts seemed to feel similarly.

In any event, the result of the case will be significant, Goldman writes. “From an economic and practical view, the outcome of this appeal is of great importance for technology and other companies based in the United States who may engage in R & D in the USA but manufacture and sell their products in jurisdictions outside of the United States assuming that they are not subject to patents filed only in the United States,” he writes. “For the parties to the appeal, the outcome of the appeal is of enormous financial significance.”
