It isn’t the first time that the Apple-Samsung case has come up in an electronic discovery context, but in the bravo-for-life’s-little-ironies department, Google was criticized by a judge for saying search is too hard.
“U.S. Magistrate Judge Paul S. Grewal in San Jose, Calif., ordered Google within two days to disclose what terms it’s using to find documents Apple has requested in pretrial information sharing, and to tell Apple which Google employees those documents came from,” writes Bloomberg Business Week. “Google had argued the collection of information would be too burdensome.”
“The court cannot help but note the irony that Google, a pioneer in searching the Internet, is arguing that it would be unduly burdened by producing a list of how it searched its own files,” Grewal wrote in a footnote to his order.
Apple took the step of asking the judge to intervene because it believed the search terms Google was using in response to Apple’s document production requests weren’t inclusive enough, and so left things out.
“Apple believes Google purposely uses suboptimal search terms,” writes the FossPatents blog. “For example, Apple claims to know that Google uses a different term internally for what Apple calls ‘slide to unlock.’ As a result, searches for ‘slide to unlock’ wouldn’t deliver too many documents in which Google employees discussed this patented technology.”
(Why is Google involved in the Samsung case in the first place? Because all of the products said to be infringing run the Android operating system that Google developed.)
Apple was also criticized by the judge for not being more cooperative, such as by telling Google what documents it thought were missing. As you may recall, the 2006 rules for electronic discovery require the different sides in a legal suit to work together and agree on how they will search for documents.
There is, of course, more to the story.
“Warren, a lawyer for Google who is also representing Samsung, explained to the judge that turning over the requested information Apple is seeking could lead to ‘future discovery that we don’t think they’re entitled to’ and give the company ‘ideas about how to proceed that they wouldn’t have had,’” writes BGR.
Good story though.
It’s ironic that EMC’s EMC World party is featuring Bruno Mars, whose most recent hit, “When I Was Your Man,” features the singer lamenting the loss of his girlfriend because he took her for granted. Billed as the “Customer Appreciation Event,” the party is the culmination of almost a week in Las Vegas where EMC is attempting to demonstrate to its customers that it does, too, notice that other things are going on in the storage industry besides bigger and bigger, more expensive boxes to hold data.
EMC is sort of the IBM of the storage industry — big, not necessarily terribly exciting or innovative, but continuing to be a major player because, remember big? Just like IBM can suddenly decide to make a particular technology front-page news by throwing a billion dollars at it, like it did with flash a few weeks ago, EMC can make a big deal about storage virtualization, software-defined storage, mobile, cloud, and so on simply by virtue of being EMC, even though other storage vendors have been doing it for years.
There are other places to read about the specific announcements so I won’t go into them, other than to observe that EMC is saying you will be able to use them to have your own Facebook-like data center. Except the whole point of Facebook’s data center storage is that it uses commodity hardware, and if you’re using commodity hardware, then what do you need EMC for anyway? I know, I know, it’s a metaphor, never mind.
Befitting the conference’s theme of “transformation,” EMC seemed to be spending an awful lot of time explaining the various reorganizations it’s had over the past few years, starting when CEO Joe Tucci decided he was going to retire, then changed his mind, followed by a lot of musical chairs between EMC and VMware, and culminating in the recent announcement of Pivotal, which rearranges yet more pieces of EMC and VMware.
At the same time, the company also spent a lot of time talking about the “third platform” — a conglomeration of mobile, big data, cloud, and so on, after the first platform of mainframes and the second platform of client/server. After all, if EMC can make mobile and the cloud sound like just another generational version of mainframes, it sounds more like they’ll continue to be the logical alternative, right?
And of course EMC is going to do all it can to promote big data. Like Cowboy Curtis, who knows that “big feet” means “big boots,” EMC knows that big data means big hardware to put it on, and nobody does it bigger than EMC.
Ironically, this was all happening against a backdrop of EMC announcing it was laying off more than 1,000 people, with VMware laying off another 800. The company said it was always doing this and that by the end of the year it would actually have more people than it started with. Okay. But seriously? After all the investment in hiring and training those people, the company sees no other way but to do a forklift upgrade of its employees?
On second thought, for EMC, maybe that isn’t so surprising after all.
In any event, EMC has to at least go through the motions of being up on what users are interested in, lest it sound too much like another Bruno Mars number, “The Lazy Song” [mildly NSFW]:
Today I don’t feel like doing anything
I just wanna lay in my bed
Don’t feel like picking up my phone, so leave a message at the tone
‘Cause today I swear I’m not doing anything
I’ll be lounging on the couch just chilling in my Snuggie
Click to MTV so they can teach me how to dougie
‘Cause in my castle I’m the freaking man
In another case of governments behaving badly with personal data, the state of Utah has learned that a data breach a year ago is likely to be even more costly than originally estimated – and that’s after the initial estimate was itself increased by almost 30 times.
“In late March 2012, hackers broke into a Medicaid server that a technician had placed online without changing the factory password and downloaded the personal information of 780,000 Utahns,” writes the Salt Lake City Tribune. (To put that in perspective, that’s one out of every six Utahns.) “Some were on Medicaid, but also affected were the privately insured, uninsured and retirees on Medicare whose providers had sent their data to Medicaid in the hopes of billing the low-income program.” Of those, 280,000 people had their Social Security numbers exposed, which puts them at particular risk.
Initially, it was thought that only 24,000 people had had their information put at risk. Stephen Fletcher, executive director of the state’s Department of Technical Services, lost his job over the incident.
“Utah’s Medicaid Management Information System, which receives eligibility inquiries and billing information from providers, was not protected by a firewall as it was upgrading on March 10, when hackers in Eastern Europe first gained access to the state server,” wrote the Deseret News last May. “That server was also installed by an independent contractor more than a year ago, which is not typical protocol for the department, [new DTS director Mark] VanOrden said. A process to ensure that new servers are monitored and a risk assessment performed prior to use was not followed, and factory-issued default passwords were still in effect on the server, which is also not ‘routine.’ The final ‘mistake,’ he said, is that information stayed on the server for too long and while it was there, it was not encrypted, leaving it vulnerable to hackers who began downloading the sensitive information March 30.”
A year later, the state is now saying that the damage is estimated to be $9 million, with $3.4 million coming from the department. It includes $467,000 to hire an ombudsman, staff a hotline, run ads and hold community meetings to notify victims; $1.9 million to provide two years of credit monitoring for those whose Social Security numbers were compromised; $741,000 on a legal consultant and forensic security audit; and $300,000 to create an Office of Health Information and Data Security. The state also spent $1.2 million on a review of state servers and $4.4 million to increase security, according to the Associated Press.
In addition, state residents and businesses face potential fraud of up to $406 million, according to new estimates from Javelin Strategy & Research, which examined the Utah breach. “Based on Javelin’s calculations, 122,000 cases of fraud will occur as a result of this breach, with each incident resulting in $3,327.87 of loss,” wrote the company – which admittedly has a vested interest in making the case look as bad as possible. “Each Utahn whose info is misused as a result of this data theft will incur $770.49 in out of pocket costs and spend 20 hours resolving these cases.” The company estimates that victims of data theft now have a 1 in 4 chance – up from 1 in 9 – of having their information used fraudulently.
Unfortunately, this is not uncommon. “According to information posted by the Privacy Rights Clearinghouse, of the 203 data breaches reported so far this year in the US, 103 involved either government or healthcare information,” Mary Jander of Internet Evolution wrote last year. “Of that subset, 16 cases were the result of hacking.”
As in a similar case in South Carolina last fall, Utah said it didn’t encrypt the data because the federal government didn’t require it. After the South Carolina incident, politicians from the Republican party – normally the party of small government that is against federal mandates – called for the federal government to require encryption of PII by state governments, apparently not trusting state governments to connect the dots themselves. Like South Carolina, Utah is also a Republican state, but thus far its politicians have limited themselves to a state bill that requires more notifications – but that also doesn’t require encryption.
Jingming Zhang is one unlucky SOB. After five years of research, as he was working on the thesis required for his PhD in chemistry from Rutgers University, the laptop containing all of his data was reportedly stolen from an unlocked lab in the college.
Zhang wrote a note and put up flyers about the theft, which was picked up by ABC News and which a friend of his posted to his Facebook page, and which was then posted to Reddit and many other websites beyond that. He offered $1000 to the thieves for the data, telling them exactly where on the disk they could find it, giving them the password, and telling them they could keep the computer already; he just wanted to graduate.
Now, in honor of the “Everything Wrong With … in X Minutes” CinemaSins YouTube movie spoofs (and they’re hysterical), here’s everything wrong with this story.
- “Zhang’s laptop had been in an unlocked room in Wright-Rieman, which houses laboratories.” People can walk into Rutgers University lab rooms and walk out with laptops? Doesn’t campus security worry about thieves stealing other equipment, student records, dangerous chemicals, and so on?
- “Rutgers is an open campus,” said [Rutgers Police Lt. Paul] Fischer. “It’s not like a small liberal arts college where it’s gated in. So, even if the buildings are secured, people can piggyback in.” This is the reaction of the security guy, whose job it supposedly is to keep the campus secure? Oh well, people can walk in and take things?
- Campus security doesn’t have security cameras, even in laboratories where people are working with chemicals and on laptops?
- Does Rutgers really want their security guy on national television telling everyone how easy it is to steal things from the campus?
- Just how many things get stolen from Rutgers, anyway?
- If it’s so easy to steal things from Rutgers, wouldn’t it be a good idea for the campus police to tell this to the students, before students lose five years of research?
- “Fischer said that he wouldn’t suggest offering monetary rewards in the future” because it can invite fraud. Okay. What should the student have done differently (other than your barn-door suggestion that he hang on to his laptop next time)? Can’t he get the student to withdraw the reward if it’s such a bad idea?
- Is the Rutgers security guy working with this student to ensure he doesn’t agree to meet someone, get bopped on the head, and also be out $1000? Or to otherwise protect him from fraud?
- Does the Rutgers security guy think that having the theft nationally publicized on ABC News is a smart move? And on Facebook? And on Reddit?
- Shouldn’t the Rutgers security guy suggest to Facebook that maybe it would be a good idea to redact the student’s personal information from the posting, which has more than 33,000 shares?
- Is the Rutgers security guy maybe checking Craigslist? And eBay?
- Doesn’t the chemistry department have a server to which students can save their data? Hell, I went to Boise State and we had that.
- If it’s this easy to steal things from campus, and there’s no provision for students to back up their data on campus, and nobody warns students their work is that vulnerable, and the student may have to start his research over, doesn’t he have the basis of a nice lawsuit?
- Just what sort of chemical research is this student doing, anyway? Do we need to worry about a new kind of poison gas or IED springing up in New Jersey?
- How competitive is the chemistry research program at Rutgers? Is it possible the thief is someone in his department who’s fighting with him for grants or something?
- What are the chances that the student isn’t actually ready for his thesis defense and this is his way of procrastinating until the laptop is “found”?
- This student’s been going to Rutgers for five years and he didn’t know the buildings are insecure?
- “…from where his computer was taken sometime between 10 a.m. and 5:15 p.m.” This student leaves his laptop unattended in an unlocked room from 10 am to 5:15 pm and is surprised that it’s gone? Are we sure that Lost & Found didn’t pick it up?
- We’ve got a student smart enough to be getting a PhD in chemistry but not smart enough to keep from leaving his laptop in an unlocked room?
- Or to copy his data to a DVD?
- To a thumb drive?
- To a cloud storage service?
- To an external hard disk?
- To email it to himself?
- To do a backup? “’A lot of people are asking me why I didn’t back up my data,” Jim told the Daily Dot. “I think the reason is that I am pretty busy recently and this kind of thing never happened to me before.’”
- “The posters contained very specific instructions and details regarding his dilemma, including his laptop’s password.” Well, that certainly makes it easier for the thieves to use the laptop.
- Where is the student getting the $1000, anyway? And how did he come up with that figure?
- The posts also included his phone number. If the thieves even wanted to call, would they be able to make it through the blizzard of harassing phone calls he must be getting by now?
- He has also suffered several scamming attempts. “’There are a few people sending me messages saying they have my laptop and asking for money, but when I asked for proof, they cannot give anything to me,’ he said.” You think?
- Really, should this student even be allowed to be messing with chemicals in the first place?
- Does the student think that the thief is stupid enough to show up to a meeting to exchange the data and money?
- Or to pick it up at a mailbox?
- How exactly does the student think this is going to work? The thief will send him the data and trust him to send the money? He’ll send the money and trust the thief to send him the data? The thief will hand him the data and hang around while he checks it?
- Even if he gets the data back, how is he going to know that the thief didn’t change some of the data just to mess with him?
- How many backup companies are offering to pay all the student’s expenses in return for his doing an ad for them?
You know how every time you go to a new doctor, you have to sign this form (does anybody read it?) that talks about your rights to privacy for your medical records? Vendors of medical services have their own requirements to live up to, and Box has announced that it is complying with those regulations, in hopes that it will become more widely used as a file transfer medium in the healthcare industry.
“Compliance with the Health Insurance Portability and Accountability Act means that Box provides file redundancy to prevent data loss in a disaster, restrictions on employees’ access to documents, a breach-notification policy, data encryption and other features,” writes GigaOm’s Jordan Novet.
In addition, the company now has ten new healthcare applications. Box is doing this by partnering with a number of other vendors. According to Jasmine Pennic at HIT Consultant Media, those applications are:
- Clinical documentation: Drchrono, a cloud and web-based EHR application accessible from iPads and iPhones; and Umbie DentalCare, a dental care web-based practice management system for dentists available on the desktop and tablet.
- Care coordination: TigerText, an encrypted SaaS platform for secure text messaging in a clinical setting; Doximity, an online professional network designed for U.S. physicians; Medigram, a secure group messaging app for the hospital environment; and PostureScreen Mobile, posture analysis screening and evaluation software for mobile devices.
- Interoperability: MedViewer, a DICOM viewer for viewing, communicating and sharing medical images on iPhone and iPad; iPaxera PACS Viewer, a PACS viewing app designed for iPad, iPhone and iPod; and Medi-Copy, which provides Release of Information (ROI) request services and creates electronic copies of patient medical records.
- Access to care: HealthTap, which provides users with personalized health information and free online and mobile answers from physicians.
Box is also supporting the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act, and is investing in drchrono.
Compliance requirements include the following, writes Patrick Ouellette in Health IT Security.
- Data encryption occurs in transit and at rest
- Restricted physical access to production servers
- Strict logical system access controls
- Data file access granted by customers
- Audit trail of account activities on both user and content
- Formally defined and tested breach notification policy
- Training of employees on security policies and controls
- Employee access to customer data files is highly restricted
- Redundant data center facilities to mitigate disaster situations
Support for HIPAA and HITECH could also help the cloud storage company improve its reputation for security and privacy overall; various incidents have sometimes led to such services, rightly or wrongly, being seen as insecure. In particular, noted GigaOm, it may make Box more attractive to enterprise users, as well as for a planned initial public offering.
Moreover, HIPAA support could also make it easier for healthcare providers to implement BYOD, writes Ouellette. “Clinicians would now be able to set up secure cloud folders for a patient’s medical records or collaborate on a patient’s diagnosis with the Box mobile application in a compliant manner,” he writes.
HIPAA requirements can be pretty arduous; for example, the Boise-based healthcare analytics software company WhiteCloud Analytics had to have a separate set of doors, through which one can enter only by being buzzed in, due to HIPAA requirements.
Chances are, this isn’t the first such announcement. Now that Box has come up with the idea, one can expect that other cloud storage vendors — like Dropbox, Microsoft’s Skydrive, Google’s Drive, and so on — will soon follow suit. Microsoft’s Office 365 already supports HIPAA and in fact the company has also announced improvements in its HIPAA support.
You’d think that, when planning a new data center, “Not Underwater” would be a primary criterion, but apparently that’s not true.
At least, that’s the observation GigaOm’s Barb Darrow recently made of a Digital Realty survey of managers’ data center plans. “Despite the angst that superstorm Sandy and Hurricane Irene caused data center providers and their customers in the New York metro area over the last two years, businesses still want to expand their data center capacity in that low-lying, suddenly storm-surge-prone area,” she writes.
Apparently the familiar is more comfortable than the unknown. According to the survey, two-thirds of respondents would rather see the data center in the city where they work, and target locations other than New York were Los Angeles (earthquakes and fires), Dallas (tornadoes), Chicago (blizzards), the San Francisco Bay Area (earthquakes again), and Phoenix.
“Of course, when two 100-year storms hit the same area within two years of each other, you might start evaluating new locations,” Darrow writes. “Then the question becomes what areas are not susceptible to natural disasters,” echoing what she wrote at the end of last year about Fidelity Investments setting up a data center in the far-from-water, far-from-earthquakes, yet tornado-prone Omaha, Neb.
And recall that last June, just a little ol’ thunderstorm took out Amazon Web Services.
The most important reasons given for data center expansion, Digital Realty notes, are (in order of priority) the need for increased security, energy efficiency, new applications/services, and more space. It isn’t clear whether “Not Being Under Water,” “Not Being on Fire,” or other variations on “Not Being Destroyed” were choices. (To be fair, when respondents were asked to provide multiple reasons for expanding data centers, “disaster recovery/Sarbanes-Oxley” came in second after “security.”)
The other interesting factor that cropped up was the data sovereignty issue. As you may recall, this is becoming more of a thing as an increasing number of countries, including the U.S., claim some degree of access to data stored on their shores, regardless of the data’s country of origin or the residence of the company that owns it.
“Geopolitical location of data” was extremely important to 50 percent of respondees, though it was slightly beaten out by data authenticity and security, physical security, control over the facility, and the total cost of the technology. “The two factors in data sovereignty (data authenticity/security and geopolitical/legal location) are the most important considerations for 29% of the respondents,” Digital Realty noted.
Physical security — that is, Not Being Underwater, Not Being on Fire, and Not Being Destroyed — was apparently a consideration for only 14 percent of respondees.
Got your party scheduled? The traditional foods made? Your gift list ready? Sunday is World Backup Day!
Now in its third year, the event — deliberately scheduled for the day before April Fool’s Day, to ensure your data is backed up in the case of a prank gone awry — is intended to encourage people to make sure their data is backed up, much like the days that daylight saving time starts and ends get piggybacked by Change the Batteries in Your Smoke Detector Day.
Last year, I didn’t find out til afterwards, but this year, I found out in plenty of time to celebrate it properly.
As of Thursday, almost 4500 people had pledged to observe the day, which not only includes making backups of your own data and checking your restores, but also alerting your friends and family.
Vendors such as Carbonite and Kroll also released surveys associated with backups. The Carbonite study found that 30% of small businesses believe their backup plan is insufficient, 45% said their organization had experienced data loss, and 14% were never able to restore their lost business information.
Small businesses often lack a formal disaster recovery plan because they do not have the budget, the survey showed, but there’s an average cost of about $9,000 for a small business to recover its data after a failure, Carbonite said.
Surveying its own users, Kroll Data Recovery found that of the 81% who do have backups now, 53% use an external hard drive, while 15% used tape and 15% used online or cloud backup services. And while 60% of its customers did have a backup running at the time of the data loss, it wasn’t current or was operating incorrectly, Kroll warned.
World Backup Day now also has posters and t-shirts, as well as a Tumblr. In addition, the event asks people to take pictures of themselves celebrating. “Be sure to take pictures or videos of you promoting World Backup Day!” reads the website. “Just send them to email@example.com, tweet us @WorldBackupDay, or submit them to our Tumblr!” There’s also a Facebook page, an Instagram feed, and a Pinterest page.
In addition, there’s a full press kit, which includes an infographic.
All kidding aside, it’s not a bad time to re-examine your backup strategy; a number of vendors actually do have World Backup Day Sales.
There’s even a contest.
And as a bonus, this year’s World Backup Day is also followed the next day by my favorite holiday, Cheap Chocolate Day, though you can’t always count on that happening, plus some people hold out for the traditional February 15 for that one.
AIIM, which is currently having its annual conference in New Orleans, has also released its annual report, “Information Governance — records, risks and retention in the litigation age,” where it surveyed a number of professionals in the industry about their attitudes toward issues such as E-discovery.
The report, which is freely downloadable, surveyed 512 information professionals.
Legal holds and E-discovery were the fourth most likely element to be included in an information governance policy, with almost 50% saying it was included (plus almost 20% who included it in an “all of the below” choice).
“Only 18% have a sufficiently comprehensive policy that covers all of these areas,” AIIM warns. “Taking these into account, over 80% in total have included information retention and access restrictions in their policy. While 75% include data protection of personally identifiable information, this is likely to be a legal requirement for almost any organization that keeps personnel records of employees. Only 57% are dealing with ‘information in motion’ i.e. laptops, USB sticks, etc. Only 49% have a policy on mobile access and only 27% are covering cloud-based file shares.”
In terms of email storage, about 55% of respondents said that employees were expected to manually declare or save important email messages as records, while more than 30% said they expected there were multiple copies of messages on various systems.
That said, while the content may be electronic, E-discovery mechanisms are still manual, the survey found, with 53% of respondents saying they are still reliant on manual processes for E-discovery searches across file shares, email and physical records. However, only about 5% either automatically classified important email messages as records or used outsourcing or the cloud for email archiving.
That’s even more so for social media interactions. Almost 35% said they believed there are social interactions that could be important but that they were not currently recording them; about 22% said they didn’t do social; and about 18% said they weren’t looking at the issue. 34% reported that they have used their social business records for purposes such as staff disciplinary action, staff dismissal, or resolving a customer/citizen dispute or complaint.
For E-discovery, more than 60% of respondents said they needed to deal with pre-trial requests by attorneys (e.g., US-style), about 25% for judge-directed disclosure (e.g., UK-style), about 15% for no defined disclosure (civil law, e.g., France, Germany), about 30% for competition/anti-trust, fraud, or trading investigation, and more than 20% said “All of the above.”
“We asked if respondents feel that their organization has a consistent and effective E-discovery mechanism across all of their physical and electronic records,” AIIM writes. “Overall, only 9% have achieved this, but a further 29% are optimistic that they are getting there. Another 24% have plans, but 20% consider the task to be simply ‘too difficult.’”
However, in what may be some incentive, the survey also asked respondents about the consequences of their lack of an E-discovery system. In the last three years, 14% of organizations have suffered from embarrassing data loss, 21% have disciplined or dismissed employees for non-compliance with governance policies, 31% have had issues with their regulators, and 18% have been questioned in court about their records, AIIM finds. “As might be expected, larger organizations score nearly double in many of these areas with, for example, 28% suffering from embarrassing data loss — an arguably bigger disaster for a large organization or well-known brand than a small one — and nearly half having issues with auditors or regulators,” AIIM writes.
How do you carve an elephant?
Simple. Take a block of wood and carve away everything that doesn’t look like an elephant.
How do you make a virtualization company? Simple. Take VMware and carve away everything that doesn’t look like a virtualization company. And then you spin it off.
EMC CEO and Chairman Joe Tucci announced today that the company was forming the Pivotal Initiative, comprising Pivotal Labs and Greenplum from parent company EMC, and Cloud Foundry, Spring and Cetas from VMware. It will be headed by former VMware CEO Paul Maritz, who was named chief strategy officer at EMC in July 2012, when speculation arose as to his future role. His role as chief strategy officer at EMC will now be shared with VMware CEO Pat Gelsinger and EMC COO David Goulden.
Altogether, Pivotal, which will technically come to life on April 1, is 69 percent owned by EMC and 31 percent by VMware, with about 1,250 employees and $300 million in revenue, though Maritz predicted it could be a $1 billion business in five years.
“What the newly minted Pivotal Initiative brings to the table is Greenplum’s parallel query and data processing strengths; Gemfire’s ability to rapidly ingest events (lots and lots of events); Cloud Foundry’s application development and deployment strengths and Spring’s Java rapid application development framework,” writes Barb Darrow in GigaOm. Cloud Foundry, which is a platform as a service that currently runs on VMware, will now also run on Amazon Web Services, she added.
The companies had signaled their intention to form the spin-off in December and said more details would be available in the third quarter. With 18 days left in the quarter, apparently they figured they’d better get on the stick. Darrow said at that time that the effort, which had long been predicted, was the companies’ attempt to better compete in the cloud space.
“Last December, while others in our industry suggested that VMware was shedding its components that weren’t performing to help its bottom line and to keep the company focused on its highly successful virtualization business, we said that that was nonsense — that there was something much bigger at play (especially because EMC’s precious assets Greenplum and Pivotal Labs were involved), that EMC would be spinning off a new company and that its business would be Big Data Apps,” agreed Virginia Backaitis in CMSwire.
Bloomberg also talked about the stock aspects of the move, noting that VMware’s stock has been falling and that Pivotal might eventually have an IPO.
The upshot is that VMware will also be able to focus more on its virtualization business. It said it expects to boost its annual revenue growth as high as 20 percent in coming years, according to Reuters.
It’s not the first time that we’ve learned that our data on a cloud storage system isn’t necessarily private, but it’s a useful reminder.
William Steven Albaugh, 67, was arrested after police found “numerous files of child pornography” on his Verizon online storage locker and several thumb drives, the Baltimore Sun reported. “Detectives began investigating Albaugh after Verizon Online notified the National Center for Missing and Exploited Children that Albaugh, a subscriber, had stored images of children engaged in sexual acts on the online cloud storage system, police said.”
We already learned, in 2011, that cloud storage systems such as Dropbox would turn over files if requested by law enforcement. We also learned that some systems such as Dropbox, when a file is uploaded, check to see if it’s already online, and, if so, just save a pointer to the original copy. While this saves space, it also means that, in theory, law enforcement could upload any number of files it’s illegal to own — such as copies of movies — and if the amount of data actually stored for an upload is less than the size of the original file, it means someone has it on the system already.
In the process of that, we learned, if we didn’t know already, that in 2010 New York Attorney General Andrew Cuomo made an agreement with several online services such as Facebook and LiveJournal to check uploaded images for child pornography. “Through its investigations, the Attorney General’s Office has created a database of more than 8,000 hash values that are associated with images of child pornography,” the Attorney General’s office wrote at the time. “The database can be used to identify the corresponding child pornography images through the fingerprints and stop that picture from ending up on a site.” The office also said it would continue working with other online services to encourage them to do the same thing.
Apparently, at least one of them was the Verizon Online Backup and Sharing cloud storage service.
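The deduplication signal and the upload-time hash check described above, as an added example that is not code from any of the services named: a toy in-memory store (all class, function and file names are hypothetical, and the sample file contents are constructed) comparing client-side dedup, where the bytes transmitted reveal that a copy already exists, with server-side dedup, which saves the same space without exposing that signal.

```python
import hashlib


class DedupStore:
    """Toy in-memory cloud store with cross-user deduplication (constructed)."""

    def __init__(self, client_side_dedup, flagged_hashes=()):
        # client_side_dedup=True: the client sends the hash first and skips the
        # upload when the server already holds that content.
        # client_side_dedup=False: the client always sends the full file and the
        # server deduplicates quietly on its side.
        self.client_side_dedup = client_side_dedup
        self.blobs = {}                     # sha256 hex -> content, stored once
        self.pointers = {}                  # (user, filename) -> sha256 hex
        self.flagged = set(flagged_hashes)  # provider-held list of known digests
        self.reports = []                   # uploads that matched the list

    def upload(self, user, name, data):
        """Store a file; return how many content bytes the client transmitted."""
        digest = hashlib.sha256(data).hexdigest()
        already_stored = digest in self.blobs
        sent = 0 if (self.client_side_dedup and already_stored) else len(data)
        self.blobs.setdefault(digest, data)   # keep a single copy per content
        self.pointers[(user, name)] = digest  # every user just gets a pointer
        if digest in self.flagged:
            self.reports.append((user, name, digest))
        return sent


def reveals_prior_copy(store, user, name, data):
    """True when the byte count alone shows the file was already stored."""
    return store.upload(user, name, data) < len(data)


def run_demo():
    # Constructed sample contents standing in for real files.
    report = b"constructed sample: quarterly-report.pdf contents"
    photo = b"constructed sample: holiday-photo.jpg contents"
    flagged = {hashlib.sha256(photo).hexdigest()}

    results = {}
    for label, client_side in (("client_side", True), ("server_side", False)):
        store = DedupStore(client_side, flagged)
        store.upload("alice", "report.pdf", report)
        results[label] = {
            # Does a second user's upload of the same content expose alice's copy?
            "leak": reveals_prior_copy(store, "bob", "copy.pdf", report),
            # Storage is deduplicated in both modes.
            "copies_stored": len(store.blobs),
        }
        # Upload-time check against the provider's hash list.
        store.upload("carol", "img.jpg", photo)
        results[label]["reports"] = [(u, n) for u, n, _ in store.reports]
    return results


if __name__ == "__main__":
    for mode, outcome in run_demo().items():
        print(mode, outcome)
```

Both modes keep one stored copy, so the space saving does not depend on telling the uploader whether the file already exists.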
Media outlets have pointed out that this was all clearly spelled out in the terms of service. “Like many types of online storage or media services, Verizon’s Online Backup and Sharing states in its terms of service that the company is ‘required by law to report any facts or circumstances reported to us or that we discover from which it appears there may be a violation of the child pornography laws,’” writes the International Business Times.
Because, of course, we all read every word of our terms of service.
If this sounds familiar, it may be because, as of last July, four out of the five cases concerning whether people have to provide the key to their encrypted storage also had to do with child pornography, according to the Electronic Frontier Foundation’s attorney Marcia Hofmann.
Look, there isn’t any question that child pornography is bad. But there’s a saying, “Hard cases make bad law” — that is, an unpleasant case can lead to a harsher general law that can end up being more widely applied. (We don’t know whether law enforcement is more likely to push the envelope of legal search because they so badly want to catch child pornographers, or because they think people will be less likely to criticize their methods because the crime is so heinous.)
If it’s determined through these cases that checking people’s files as they are uploaded to a cloud storage service is an acceptable practice, it has the potential to apply to all files and all people, not just ones we don’t like.
In the meantime, it sounds like we’d better be sure to read our terms of service carefully.