Yottabytes: Storage and Disaster Recovery

February 19, 2016  3:03 PM

FBI Finds ‘Perfect Test Case’ to Force Apple iPhone Encryption Issue

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Apple, Encryption, FBI, iPhone, privacy, Security, smartphone

Okay, it’s another government vs. encrypted smartphone situation. But this one is different.

Syed Rizwan Farook and his wife Tashfeen Malik, who last December killed 14 people and injured 22 others in San Bernadino, had an Apple iPhone 5c. The Federal Bureau of Investigation (FBI) wants to see what’s inside the phone, and it’s asking Apple for help.

So far, this sounds like your standard encryption case – Apple says it doesn’t have the password, and can’t decrypt the phone, so the FBI is out of luck.

What’s different in this case is that that’s not what the FBI is asking for. Instead, the FBI is asking Apple to write a new version of the phone’s operating system that will make it easier for the FBI to break into the phone.

The iPhone in question has several security features to help protect it against attacks, such as wiping the phone after 10 incorrect password attempts in a row, forcing passwords to be entered via the phone screen, and implementing a pause in-between password attempts. The FBI wants Apple to write software for that phone – and, it claims, only that particular phone – to eliminate those restrictions, so the FBI can more easily implement a brute-force attack against the device.

(Now, if the shooters had used a fingerprint rather than a passcode to encrypt the phone, the FBI would be in the clear. In fact, they could have even used the fingerprint from the dead shooter to open his phone.)

For the policy wonks, the FBI is using an ancient law called the All Writs Act of 1789, which is intended to compel a third party to help with a criminal investigation. Let’s say you stole something and put it in my safe. All Writs can be used by law enforcement to make me open up my safe to retrieve the stolen property.

Apple, though, is refusing, claiming that were it to write such an operating system hack, it could get out into the wild and be applied against any iPhone. (Including, Apple now says, against more modern iPhones that have even more security features built in.) “World War II, especially in the Pacific, turned on this sort of silent cryptographic failure,” writes Ben Thompson in Stratechery. “And, given the sheer number of law enforcement officials that would want their hands on this key, it landing in the wrong hands would be a matter of when, not if.”

Moreover, Apple is concerned about the implication of using the All Writs law in this fashion. “If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data,” writes Apple CEO Tim Cook in an open letter. “The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”

Also, having once let the genie out of the bottle, what’s to keep the FBI from coming back and requesting this software hack again, in a different case? Or even, writes Farhad Manjoo in the New York Times, prophylactically? “Once armed with a method for gaining access to iPhones, the government could ask to use it proactively, before a suspected terrorist attack — leaving Apple in a bind as to whether to comply or risk an attack and suffer a public-relations nightmare,” he writes.

Apple could also be subjected to the same pressure from other governments, Columbia University computer science professor Steven M. Bellovin (who has just been appointed the first technology scholar for the NSA’s Privacy and Civil Liberties Oversight Board) told CNN.

Naturally, the FBI is using one of the more heinous recent cases of record to force the issue. Terrorism is right up there with child pornography in terms of being one of those crimes that of course you don’t want to be seen supporting. “For the administration, it was perhaps the perfect test case, one that put Apple on the side of keeping secrets for a terrorist,” writes Matt Apuzzo in the New York Times.

One could even speculate that the FBI doesn’t actually need the information on the iPhone, but is simply using this case to establish the precedent.

But having once established the precedent, the software could be used again. Already, notes the New York Times in an editorial supporting Apple, another federal magistrate judge in New York is considering a similar request to unlock an iPhone, this time in a narcotics case. The editorial also pointed out that Apple had already given the FBI data from the phone’s iCloud backup, and that the All Writs Act has a provision against unreasonable burdens. (Manjoo also notes that future versions of the iPhone could potentially close any such loophole.)

At this point, the usual suspects are all lining up on one side or the other on the situation, with some agreeing with Apple and others saying that the company is overreacting. For example, Apple is calling the FBI’s request a “back door,” but is it really? It depends on the definition you use, Thompson writes. “Cook is taking a broader one which says that any explicitly created means to circumvent security is a backdoor,” he writes. But to some, a back door is a way to bypass encryption specifically, which is not what the FBI is asking for, he explains.

Some observers believe that, thus far, Google is equivocating in its support for Apple. What makes it interesting is that Google, along with Apple, was the other company that announced in 2014 that it was turning encryption on in phones by default. Does that mean, if criminals used a Google phone, Google might be more likely to cooperate in breaking the phone’s encryption?

Apple may also feel freer to take a stand on the issue because, unlike Facebook, Google, and Twitter, its business model isn’t as strongly predicated on gathering data from users, write Nick Wingfield and Mike Isaac in the New York Times. In addition, Apple has fewer government contracts that could be at risk than do some of its competitors, they added.

Apple has received an extension from the original February 23 deadline and now has until February 26 to agree to comply.

Or not.

February 9, 2016  8:53 PM

Can Your Heirs Get to Your Data When You’re Dead?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security, Storage

Normally, this blog talks about the value of protecting your data, whether it’s preserving it, locking it up, encrypting it, and so on. But today we’re going to talk about when you probably don’t want to do that.

Namely, when you’re dead.

Passed on.  No more. Ceased to be. Expired and gone to meet your maker. Stiff. Bereft of life. Pushing up the daisies. Metabolic processes are now history. Off the twig. Kicked the bucket. Shuffled off this mortal coil. Run down the curtain and joined the bleeding choir invisible. Ex-geek.

You get the picture.

“In establishing our online presence: a) we use a computer, camera, or mobile device; b) we register with online services: email, banking, online purchases, photo sharing, website hosting; and c) we store files on a hosting server, network, or cloud service,” writes Crystal Sharp in Online Searcher. “Most of us have several online accounts with different types of services: bank accounts and investments in more than one institution, medical records in a personal health record, website domain ownership information, and photos, music, video, and blogs on various social networking sites. On a regular basis, we may pay bills, collect royalties, make investment decisions, update information, renew subscriptions, or close accounts. Access to each account is by password and users are advised, for security, to have different passwords for each account.”

But all of that becomes terribly complex, Sharp warns. “In an emergency, no one may know what accounts we subscribe to, how to access information for each account, or how to deal with the content within each account unless we record details of the accounts we have, show how to gain access to each account, and provide instructions in a readable and easily available format on what needs to be done.”

Something to keep in mind is that these digital assets may have real value. A 2013 McAfee estimate found that the average person has digital assets worth $35,000. Whether it’s Bitcoin, airline miles, domain names you own, or purchased media, digital assets can add up.

There are certain terms of art associated with the post-death disposition of your digital identity, whether it’s data stored on your own servers, or data stored on somebody else’s servers. Moreover, a lot of this stuff is changing all the time, as these services figure out that, hey, clients die, their heirs want access to it, and they’d better figure out how to handle it.

So the terms you’re looking for are typically “digital assets” for the stuff, “digital legacy” for the stuff after you’re dead, “digital estate plan” for what to do with the stuff after you’re dead, and “digital executor” for the person who handles the stuff after you’re dead. This is all complicated by the fact that not all states recognize digital estate plans or digital executors, but it’s a good idea to write it all down anyway, recommends digital estate service vendor Everplans.

There have been a number of well-publicized incidents of heirs who struggled to retrieve the digital assets of people who died. In one case, a son gave up as much as $2000 in a PayPal account because the father hadn’t left a will granting him possession—even though bank accounts had no problem paying out.

Then there’s Michael Hamelin, a hacker who died in an accident in which his wife was also injured. He secured the family’s systems so well that even with the help of other hacker friends, she hasn’t been able to gain access to some of their files, including the only copies of digital photographs they owned, writes Patrick Howell O’Neill in the Daily Dot.

There have also been legal cases as companies wrestle with the issue of privacy vs. legal access. In one example, Peggy Bush, a 72-year-old Canadian widow, was told by Apple that she’d have to get a court order for the company to reveal the password to an iPad card game she and her husband liked to play. “I thought it was ridiculous,” she told Rosa Marchitelli in CBC News. “I could get the pensions, I could get benefits, I could get all kinds of things from the federal government and the other government. But from Apple, I couldn’t even get a silly password. It’s nonsense.”

Moreover, laws may vary from state to state. While the Uniform Fiduciary Access to Digital Assets Act (UFADAA) has been passed to help address this issue, not all states have supported it, and there has been pushback from vendors. Nearly half of U.S. states have introduced legislation in 2015 to enact UFADAA, according to ARMA International. “However, most of those efforts have stalled due to opposition from Internet and telecommunications companies concerned that the act raises privacy questions, conflicts with federal law, and undermines contract rights.”

(Something else to keep in mind is that when faced with grieving widows, companies have been known to bend the rules regarding access to digital assets, leading some to speculate that this will prove to be a fruitful avenue for social engineering, until companies catch on. “I’ve been involved in social engineering,” Andrew Kalat, a friend of the Hamelins who helped the widow deal with the aftermath, told O’Neill. “When I saw how willing companies with little or no planning for death were to bend the rules, I thought, ‘Wow, this is a powerful technique.’”)

The Internet abhors a vacuum, so startups have been springing up to deal with the issue. The Digital Beyond, for example, considers itself, “the go-to source for archival, cultural, legal and technical insights to help you predict and plan for the future of your online content.” While not a service itself, it does maintain a list of more than 50 services intended to help manage and control online content after the death of the owner. Other sites on the topic include Digital Passing, Everplans, and Planned Departure.

Kalat recommends setting up a “legacy drawer” with signon and account information, and actually swapping roles between spouses for a month every year so that everyone becomes familiar with everything.

That said, there may be …things… you don’t want your heirs to find. If you don’t want your kids screaming, “My eyes! My eyes!”, there are provisions for that, too. Some services offer “account incineration,” writes Rob Walker in the New York Times. “If you don’t want your heirs figuring out that you had a secret Tumblog clogged with pictures of Natalie Portman, maybe you should just arrange for it to be ‘incinerated,’” he suggests.

Some services are setting up procedures to deal with a person’s online accounts. Google, for example, offers Inactive Account Manager, a one-stop shop for all Google services that can alert people, pass on information, or wipe your account should you not log in after a certain (configurable) period. Facebook lets you set up a “legacy contact” to control your Facebook account after you die.

One way or another, the Internet will need to deal with the issue, because demographics are not in its favor. “By 2050 more than half of the Internet’s users will be dead,” writes Cory Doctorow in Locus. “That is, of all the accounts ever created by Internet users, more than half will have been created by people who have since died.”

January 31, 2016  8:38 PM

EMC-Dell Merger Hits Turbulence

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Dell, EMC, Storage

Okay, nobody thought that a merger the size of October’s marriage between EMC and Dell would be done this soon. But there’ve been a number of bumps in the road that are making some analysts – and, possibly, customers – concerned.

This past week, EMC held its quarterly earnings call, and the rumblings about the merger were such that CEO Joe Tucci made a point of saying, yes, the merger was still happening and still on track to close by October — if only because the deal included “significant penalties” should either side fall down on the job. (EMC would pay $2.5 billion to terminate the deal; Dell would be out $4 billion, according to the Wall Street Journal.)

EMC has made a number of changes to the merger in response to criticism, writes Barb Darrow in Fortune. “They reversed their stated plan to move VMware’s vCloud Air product into EMC’s Virtustream enterprise cloud unit because VMware shareholders didn’t like the idea,” she writes. “And, on New Year’s Eve, EMC said it was taking a $250 million charge related to its previously announced plan to cut $850 million in costs, including layoffs.”

The opinions of VMware shareholders are relevant because VMware is a big part of this merger. EMC owns about 80 percent of VMware, and VMware also provided about three-quarters of EMC’s value. Also, part of the way the deal is being funded is through VMware being considered a “tracking stock” that is intended to sweeten the deal to shareholders by as much as $9 per share – but some analysts are valuing that part of the transaction as essentially worthless at this point, writes John Shinai for USA Today.

That’s why another action also made watchers of this merger nervous: VMware said last week that it is laying off about 800-900 people, or about 5 percent of the company. In addition, VMware’s CFO is resigning and is being replaced by EMC’s CFO. VMware stockholders are reportedly concerned that the company will end up getting sold to help finance the Dell-EMC merger and they’ll lose money, writes Scott Ard in the Silicon Valley Business Journal.

EMC’s earnings were slightly less than expected. “EMC logged a profit of $771 million (39 cents a share), off from $1.15 billion, (56 cents a share) from a year ago,” Darrow writes. “Excluding merger-related costs and other items, earnings per share fell to 65 cents from 69 cents. Revenue fell 0.05% to $7.01 billion. Analysts had expected 65 cents profit on $7.12 billion in revenue.”

Analysts didn’t blame the merger for the slowdown, just the same sorts of things that have been hurting EMC in recent quarters all along — the adoption of cloud storage, software-defined data centers, and price declines of flash-based storage solutions, writes Morningstar. On the other hand, Tucci reportedly blamed “angst” about the merger as part of the reason for the slowdown, writes Curt Woodward in the Boston Globe. The value of the dollar is also a factor.

In case you forgot, EMC had lower earnings last quarter, too, just a couple of weeks after the merger was announced.

Moreover, since the announcement, both EMC and VMware stock have dropped in value. EMC stock was around $33 a share in October, and now is well under $30 a share, Shinai writes. This is a problem because the deal is predicated on EMC stock being valued at $24.05. If the stock price falls below that level (which it did during at least one point during the week), it’s going to be tough to complete the acquisition, he writes. VMware stock has dropped 40 percent in that same period, he adds.

The result is that the value of the deal has dropped by $9 billion, to only $58 billion, according to the Wall Street Journal.

There’s also concern that Dell might have trouble raising the $40 to $50 billion in debt required to close the deal, writes Billy Utt in AustinInno.

Further down the pike, there’s some concern that EMC may have trouble retaining its employees if they’re concerned about the company’s future, writes Scott Kirsner in BetaBoston.

“We’re confident. We know what we’re doing,” Woodward quoted Tucci as saying on the call.

We shall see.

January 26, 2016  12:04 PM

User Finds Amazon Glacier an Expensive Roach Motel for Data

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Amazon, cloud, Storage

People used to joke about the notion of “write-only memory,” where data could be written to it but not retrieved again. To at least one user, that’s what’s happening with Amazon’s Glacier service.

As you may recall, Glacier was announced in August, 2012, as low-cost storage for long-term archiving in return for customers being willing to wait several hours to retrieve their data. That resulted in a cost of $10 per terabyte of data.

But a fellow who used the service found out that retrieving his data wasn’t nearly as easy as putting it in there. Marko Karppinen writes in Medium that he used the service to back up some 150 CDs, or 63 giagabytes, soon after the service became available. Recently, he decided to migrate the data.

“The culprit was the same neat freak tendency that had me toss all those CDs in 2012,” Karppinen writes. “I simply no longer wanted to have that 51¢ AWS bill appear, each and every month, in my email inbox and on my AmEx statement. Here in present-day 2016 I’m paying for a one-terabyte Dropbox account and, as a part of my Office 365 subscription, a 1TB OneDrive. Why would I keep a convoluted 51¢-a-month archival setup when I already have all the cloud storage I could need, on two diverse–yet–incredibly–convenient providers?”

But Karppinen found out it wasn’t as easy – or as cheap – as he might have thought. First of all, it was technically complicated to do, with limited tools to support it. Moreover, it is – as advertised – glacial, he writes. “Before you try it, it’s hard to appreciate how difficult it is to work with an API that typically takes four hours to complete a task.”

(Kind of like working with punch cards in the old days, grasshopper.)

Karppinen writes that he ended up spending most of the weekend trying various tactics – with a requisite four-hour wait after each new attempt.

Second, it was expensive. “Here I was, working on a full retrieval of the archive, something that Glacier was explicitly not designed for,” Karppinen writes. “Glacier’s disdain for full retrievals is clearly reflected in its pricing. The service allows you to restore just 5% of your files for free each month. If you want to restore more, you have to pay a data retrieval fee.”

When Karppinen had originally researched the fee, he noted that the description said it “started at” $0.011 per gigabyte, and assumed that that was what he would be charged, for a total of 86 cents. But as it turns out, it ended up costing him more than $150.

Glacier data retrievals are priced based on the peak hourly retrieval capacity used within a calendar month,” Karppinen explains.You implicitly and retroactively ’provision’ this capacity for the entire month by submitting retrieval requests. My single 60GB restore determined my data retrieval capacity, and hence price, for the month of January, with the following logic:

  • 8GB retrieved over 4 hours = a peak retrieval rate of 15.2GB per hour
  • 2GB/hour at $0.011/GB over the 744 hours in January = $124.40
  • Add 24% VAT for the total of $154.25.
  • Actual data transfer bandwith is extra.

Had I initiated the retrieval of a 3TB backup this way, the bill would have been $6,138.00 plus tax and AWS data transfer fees.” [All emphasis his.]

Remember, to add insult to injury, Karppinen still hadn’t gotten his music back – but he did eventually figure out how to do that. And he includes all the gnarly details.

Interestingly, when we wrote about Glacier in 2012, we noted two points:

  • “The service is intended not for the typical consumer, but for people who are already using Amazon’s Web Services (AWS) cloud service. Amazon describes typical use cases as offsite enterprise information archiving for regulatory purposes, archiving large volumes of data such as media or scientific data, digital preservation, or replacement of tape libraries. ‘If you’re not an Iron Mountain customer, this product probably isn’t for you,’ notes one online commenter who claimed to have worked on the product. ‘It wasn’t built to back up your family photos and music collection.'” [Emphasis mine.]
  • “There is also some concern about the cost to retrieve data, particularly because the formula for calculating it is somewhat complicated.”

Not to say “I told you so” or anything, of course. And Karppinen sounds like he’s figured that out already – and has a lesson for all of us as well. “More and more, we expect cloud infrastructure to behave like an utility,” he writes. “And like with utilities, even though we might not always know how the prices are determined, we expect to understand the billing model we are charged under. Armed with that understanding, we can make informed decisions about the level of due diligence appropriate in a specific situation. The danger is when we think we understand a model, but in reality don’t.”

January 22, 2016  3:02 PM

California, New York Put Forth Useless Phone Encryption Bills

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Apple, Encryption, Google, phone, Security, smartphone

California and New York are each attempting to pass bills that they claim will help protect people against crime, but in reality would likely simply eliminate a source of sales tax revenue from the state: Each is putting forth a bill that would forbid smartphones with unbreakable encryption to be sold within their respective states, levying a fine of $2,500 on each infraction.

As you may recall, this all started in the fall of 2014, when Google and Apple each released smartphones with encryption that even the respective vendors couldn’t break. Much handwringing on the part of law enforcement ensued, warning us of dire consequences such as pedophilia, terrorism, and so on. After the furor died down a bit, it has come up again in light of recent terrorist attacks and the concern (likely incorrect, as it turned out) that terrorists were using encrypted smartphones.

Now, one of the handwringers, Manhattan District Attorney Cyrus Vance Jr., has encouraged 62 New York district attorneys to ask the New York Assembly to address the issue, because the federal government has failed to do so, writes Seung Lee in Newsweek.

Democratic Assemblyman Matthew Titone, of Staten Island, put forth such a bill last June, but because the Assembly didn’t address it then, he has re-introduced A8093 during this legislative session. The goal of the legislation is to encourage the federal government to act on the issue, a spokesman for the Assemblyman told Lee.

Interestingly, according to some reports, it’s retroactive to January 1 of this year, meaning that Apple and Google could theoretically be on the hook for fines for smartphones they’ve sold legally.

At the same time, California Assemblymember Jim Cooper (D-Elk Grove) put forth a similar bill, Assembly Bill 1681. It is specifically intended to help law enforcement investigate and prosecute suspected criminals and criminal organizations that are found to be involved in human trafficking and other serious crimes, writes Hannah Albarazi for CBS. (One difference – the California bill doesn’t take effect until January 1 of 2017.)

Keep in mind what these bills actually purport to do. They don’t keep people from using encrypted smartphones in New York and California. They simply specify that vendors can’t sell (or lease) those phones in New York and California. The implication is that we could soon expect encrypted smartphone stores, like fireworks stands, to pop up around the borders of whatever states enact such regulations.

“I never thought I’d see an Apple Store in Newark (or Hoboken), but legislation to ban sales of secure smartphones will do exactly that,” noted one Twitter commenter.

Also recall that case law on whether people can be forced to surrender their phone’s encryption key is not yet settled. It all depends on whether an encryption code is something that is the expression of one’s mind, like the combination to a safe, which is protected under your Fifth Amendment rights not to incriminate yourself, or a physical key, something you possess, which is something you can be forced to produce. Courts have been going back and forth on the issue.

Meanwhile, members of the technology community ranging from Apple CEO Tim Cook to security expert Bruce Schneier have pointed out that encryption back doors don’t just open for the government or law enforcement, and would weaken security for everyone. “You can’t build a backdoor that only the good guys can walk through,” Schneier wrote when Apple first announced its policy. “Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping from all of them.”

“There have been people who suggest we should have a backdoor,” Cook reportedly told 60 Minutes. “But the reality is, if you put a back door in, that back door is for everybody, for good guys and bad guys.”

Ironically, while all this is going on, National Security Agency (NSA) Director Adm. Michael Rogers was telling the Atlantic Council, an international affairs think tank, that encryption was here to stay and that attempts to legislate it, as in California and New York, were misguided. “Spending time arguing about ‘Hey, encryption is bad and we ought to do away with it,’ that’s a waste of time to me,” Rogers said, writes Cory Bennett in The Hill.

Of course, to the paranoid, that simply is confirmation that the NSA already knows how to read our encrypted smartphones.

January 14, 2016  5:38 PM

Are the Malheur Occupiers ‘Using’ Government Computers? Depends

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security

Whether it’s arguing about the definition of “is” or just what constitutes a “clean” room,  kids and politicians love to debate about definitions.  Now the people taking over a federal research station in Oregon are doing the same thing.

When the group – –  and it’s up to you whether to call them “militia” or “terrorists” or something in-between – –  first took over the Mather National Wildlife Refuge near Burns,  Oregon on January 2,  concern was expressed about the government computers and data on them located at the site.  

Not to worry,  the group said; they weren’t using the computers.  Honest, Mom. Even though Oregon Public Broadcasting staff saw them doing so,  as well as having access to other personally identifiable information in the station.  

“After [member of the occupying group’s security team LaVoy]  Finicum realized he shouldn’t have allowed OPB to access the room,  he quickly picked up lists of names and Social Security numbers by the computers,  and hid government employee ID cards that were previously in plain sight, “ John Sepulvado of OPB writes.  “We haven’t touched any of the computers,  we haven’t tried to log on – –  we haven’t done anything, “ group leader Ryan Bundy told him.

As it turns out,  their not using the computers is only sort of true,  depending on your definition of “using” – –  and the technique involved is something we should all be aware of should we also find ourselves hosting uninvited guests around our hardware.

According to another article by Sepulvado and Amanda Peacher, the group is indeed using the computers,  via thumb drives with Linux on them.  This is through occupier David Fry, who said he drove in from Ohio to help the group and that he knows “a little bit” about computers. But what he was doing was okay because he wasn’t actually using the computers or the data on them,  he told OPB.

“I am using any computer I can use, “ Fry told OPB.  “Their data is perfectly preserved… you can’t access any of that,  it’s got encryption on it. “

Thank goodness for small favors.

What are the occupiers using – –  for whatever definition of “using” you prefer – –  the computers for?  Making a website for the occupation,  OPB writes,  which Fry identifies in one of his videos as defendyourbase.net.  In fact,  he’s even posted videos of himself “using” the computers and explaining the use of the thumb drives.  

Reuters reporters also observed the occupiers using office printers.  And whether the data came from paper files or the computers,  employees who live in the area report that they have been harassed in the vicinity of their homes by people they didn’t recognize,  which they attribute to the occupiers releasing their personal information.  (Perhaps the next job the office might take on is digitizing their paper files and putting them,  as well,  under encryption.) 

But remember,  the occupiers aren’t really “using” the computers.

It remains to be seen if the law will agree.   Continued »

December 31, 2015  11:08 AM

E-Discovery 2015: Calm Before the Storm

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
ediscovery, legal

The last couple of years have been pretty quiet ones in the world of e-discovery. No multimillion-dollar sanctions for people not following the rules, a few small acquisitions (we’re still dealing with the HP-Autonomy one), a couple of changes in the market but nothing radical. Zzz.

Next year, though, is likely to be different, because of something that actually happened last year. So you can think of 2015 as the calm before the storm.

In case you’ve forgotten, new regulations about the federal rules of civil procedure, which govern e-discovery, were passed in September, 2014, and were slated to take effect on December 1.

“Twitter is abuzz with messages about today’s effective date for the changes to the Federal Rules of Civil Procedure that read more like birth announcements (‘It’s finally here!’),” writes Karin Jenson in Discovery Advocate. “But figuring out what to do once you get that baby home is another matter – despite having a long time to prepare. Moreover, while there is as much commentary about the rules changes as there are parenting books, it’s hard to really figure out what to do until you are doing it.”

So the legal industry is very, very excited about this and is talking a lot about What It All Means, though exactly What It All Means won’t be clear until the rules have been in effect for a while.

“When the 2006 FRCP amendments came out that initially addressed e-discovery, Windows Vista was only a few weeks old, and Apple released its MacBook Pro with a 17-inch screen, 2 gb of RAM, and a 160gb hard drive for $2,799,” notes Jeff Bennion at Above the Law. “Facebook was a few weeks old, and the idea of storing thousands of photos online was still years away. And that was when lawmakers were concerned that electronic data was exploding. It makes it scary to think about how much more data will be created between now and the next update.”

In particular, the new FRCP rules are expected to address many of the ediscovery issues that came up the most in court in 2015, notes Kroll Ontrack’s report, Year in Review: Top Ediscovery Cases in 2015. “As courts grapple with the impact of the new rules, 2016 has the potential to be momentous,” Michele Lange, Kroll’s director of thought leadership, told Amanda Ciccatelli of Inside Counsel. “Will courts hold parties accountable when they only hold ‘drive-by’ meet and confers without raising real, substantive discovery issues at the scheduling conference?  To what extent will the new emphasis on proportionality limit the scope of discovery above and beyond current practices?  How will courts define reasonableness and good faith when determining if sanctions are appropriate?” Ciccatelli writes. “These are meaty issues – with real impacts for requesting and producing parties – that will need to be worked out in judicial opinions in the coming months and years,” Lange told her.

Other e-discovery issues that are likely to crop up? One of them, as always, will be new sources of data – in this case, sensors used in the Internet of Things, writes Edward Sohn for the Association of Corporate Counsel. We’ve already seen some of that with attorneys subpoenaing people’s FitBits and so on; imagine having to provide all the data from all the sensors in a manufacturing plant?

Another continuing issue from 2015 is the matter of data sovereignty and what control various governments have over companies that operate in their regions, even if they aren’t located there. Microsoft has continued fighting efforts by the U.S. government to force it to turn over data located in Ireland, for example, and with the European Union trying to control data exchanges with the U.S., the potential for it affecting other legal cases is high.

December 29, 2015  6:04 PM

Governments, Old Tech, Acquisitions: 2015 Storage Trends

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Encryption, privacy, Security, Storage

The interesting thing about looking over an entire year’s worth of stories at once is that things that seemed like a single event at the time turn out to be part of a larger arc.

Yes, the storage industry is like a Game of Thrones season. Who knew.

If you’ve been around reporters at all, you’ll know that they have a rule of thumb: Anything that happens three times is a Trend. By that measure, here’s a number of trends in the storage industry from 2015, and where they might go in 2016.

Storage meets public policy. The whole concept of storage has really gone beyond the basic functionality of keeping track of bits and bytes. It now extends into public policy and business operations as well. What data can companies store? How can they exchange it? In particular, what kind of data can governments store or access? And, most important of all, how can that data be protected from hackers?

We saw many examples of governments directly or indirectly building databases, ranging from faces to spit. What will happen once the government has a database of what everyone looks like so they can use it to scan faces at a demonstration or compare DNA collected from a protest against a database of genetic material? Especially if the police have their own database of everyone who simply knows criminals, under the theory that friends of criminals must be criminals too? Not to mention Republican Presidential candidate Donald Trump’s potential database of Muslims.

At the same time, governments are gaining access to other organizations’ databases through the courts, whether it’s Facebook’s collection of data, data stored offshore by a cloud vendor, or Dropcam video files. Courts are being used against individuals, too, such as by accusing people of hiding data simply by clearing their browser or using encryption – assuming, of course, that governments don’t succeed in their quests to require back doors and allow surveillance.

Courts are also still trying to decide whether people are required to submit their electronics for search within 100 miles of the border, give up their encryption keys, or let law enforcement search their phones. Moreover, governments themselves are increasingly making it harder for citizens to look at government data, such as by setting up private email servers, “losing” data, or protecting police body camera footage.

What it means for 2016: It seems likely that law enforcement organizations, courts, and governments are going to continue using every opportunity they can to collect data, and yet at the same time not do a great job protecting it nor giving individuals the tools they need to protect it themselves. Expect invocations of Paris and 9/11 to be used to justify ever more government access to our data.

Everything old is new again. Whether it’s Zip drives, cassettes, or Betamax, old storage technology is still out there, even if it isn’t officially supported anymore.

What it means for 2016: It’s never a bad time to migrate data on old media into a more up-to-date storage system. And while you’re at it, make sure that the data is readable by modern software as well. Migrating all the old spreadsheets to a new hard disk isn’t going to help if they’re still all in VisiCalc format.

But thumb drives are still bad. Now they can set your computer on fire. But look on the bright side! They can liberate a totalitarian country!

What it means for 2016: They’re still bad. Stop picking up thumb drives and sticking them into your computer. You don’t know where they’ve been.

Finally, there’s acquisitions. Obviously, the biggest one of these is Dell buying EMC (assuming the deal actually gets finalized), but we also had Western Digital buying SanDisk in the ongoing trend of storage company consolidation. And HP-Autonomy is still hanging in there – in court, at least, even if HP did write down most of the acquisition.

What it means for 2016: You can always count on companies buying and selling each other in the industry. In particular, it will be interesting to see how the Dell-EMC acquisition shakes out, especially if Dell ends up having to divest itself of some pieces to be able to keep the other pieces.

December 20, 2015  7:51 PM

Oh, Go On, Use That Work Database for Anything You Want, Court Rules

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Database, privacy, Security

A U.S. appellate court has recently ruled that violating rules about the use of databases at work isn’t subject to criminal penalties, which opens the potential for all sorts of interesting possibilities.

Of course, just this particular case was interesting enough: A police officer who used a police department database to look up information about women he wanted to kill, cook, and eat.

“Former New York City Police Officer Gilberto Valle was found guilty at trial in March 2013 of conspiring to kidnap women and illegally accessing a police database to collect information on potential victims,” writes Joseph Ax for Reuters. But the 2nd U.S. Circuit Court of Appeals in New York vacated his conviction for using the database, “finding that federal law does not prohibit individuals from accessing a computer they are normally authorized to use, even if they do so for an improper purpose,” he continues.

“As an NYPD officer, Valle had access to the Omnixx Force Mobile (“OFM”), a computer program that allows officers to search various restricted databases, including the federal National Crime Information Center database, which contain sensitive information about individuals such as home addresses and dates of birth,” the court writes. “It is undisputed that the NYPD’s policy, known to Valle, was that these databases could only be accessed in the course of an officer’s official duties and that accessing them for personal use violated Department rules.  In May 2012, he accessed the OFM and searched for Maureen Hartigan, a woman he had known since high school and had discussed kidnapping with Aly Khan.    This access with no law enforcement purpose is the basis for the CFAA charge.”

Prosecutors also used Valle’s illicit research in the database as evidence that he was actually planning to carry out some of his fantasies, for which he was also charged and which the appellate court also threw out because they felt he was simply expressing fantasies. “Valle was not accused of harming any women,” Ax writes. “Instead, prosecutors said he discussed with other online enthusiasts his intention to abduct, torture, cook and eat women.”

Not men, though, because, you know, that would be weird.

The computer charge hinged on the Computer Fraud and Abuse Act (CFAA), and the court reversed the conviction because it was concerned that upholding it would give the government too much power, writes Justin William Moyer in the Washington Post. “While the Government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters,” he quotes from the opinion. “A court should not uphold a highly problematic interpretation of a statute merely because the Government promises to use it responsibly.”

The problem with the prosecutor’s initial argument, writes Orin Kerr for the Volokh Conspiracy, is that various parts of the law and other courts had used the CFAA to make largely artificial distinctions between the notion of illegal “access” vs. illegal “use” – which, taken to their logical extreme, could make playing Freecell or using Facebook on a work computer a criminal offense. “Playing solitaire or using Facebook plainly satisfies this element,” he writes. “When you play solitaire, you enter in commands to see cards. You therefore obtain information about your cards from the computer accessed. And when you spend time on Facebook, you’re constantly seeing new text, pictures, and videos that you hadn’t seen before you logged in. You are ‘obtaining information’ for purposes of the statute.”

Valle did have access to the National Crime Information Center database in the normal course of his job, and the way the CFAA is written, he could only be charged under it if he was gaining access to information he was not entitled to in any way, writes the Electronic Frontier Foundation in its amicus curiae on the case. (If you’re just dying to read the argument yourself, it’s pages 28-38 in the court’s ruling, and 24-34 in the dissent.)

Consequently, Kerr didn’t feel that Valle was guilty under that charge. “If violating a written restriction on a computer is an unauthorized access, then pretty much everyone is a criminal,” he writes. “That includes me, as I have even testified to Congress about one of my many violations of written restrictions on computers: My Facebook account says I live in Washington, DC, although I actually live in Arlington, VA.”

On the other hand, one wonders, what sorts of shenanigans with work computers are now considered legal due to this ruling? Are there people (other than the mom who created a fake MySpace account for the purposes of harassing one of her daughter’s classmates) who have been charged under this who should now go free? Is there any activity with a work computer that can now be considered criminal, or is it at this point on only a matter of workplace discipline?

Ultimately, the case could go to the Supreme Court, writes Noah Feldman, a professor of law at Harvard University and a columnist for Bloomberg View. “This issue has split the federal courts of appeal, with four adopting the government’s view, and now three saying that under the rule of lenity, an ambiguous criminal statute ought to be read restrictively and in favor of the defendant,” he writes. “The 2nd Circuit’s worry is that a broad reading of the statute turns every violation of an employer’s computer rules into a violation of federal law. That would certainly be an overreading of the statute, not to mention bad policy. The split means the Supreme Court should resolve this issue — possibly even in an appeal in this case.” It also seems likely that the CFAA should be modified to be more clear.

December 11, 2015  12:10 AM

Betamax Goes the Way of the Cassette

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

First it’s the cassette. Now it’s Betamax. What’s a tech geezer to do?

Sony – which, surprisingly, was still making them, more than ten years after it quit making Betamax players – recently announced it was going to stop manufacturing Betamax tapes no later than March, after introducing the machine in 1975.

Assumed already dead by many, the final Betamax cassette will roll off the production line in March 2016 as its maker concedes defeat to the march of time, 20, maybe 30, years late,” writes Samuel Gibbs in the Guardian.

Now, to all you whippersnappers out there who don’t recognize the significance of this action, Betamax – essentially the first popular consumer video recording device – is what gave you the privilege of still watching The Walking Dead or Game of Thrones if you’re busy when it airs. It was a seminal Supreme Court case, filed against Sony and Betamax, that determined that making recordings of tv shows for yourself was fair use.

“For the first time ever TV fans weren’t tied to their local stations’ schedules,” reminisces Douglas Perry in the Oregonian. “No longer would kids have to run home from the school bus to avoid missing the first five minutes of Scooby-Doo. No longer would their parents have to cut out of the neighbor’s cocktail party after only two drinks so they could catch Hill Street Blues. They could watch their favorite shows whenever they wanted to.”

The court ruled that, even if some copyright infringement might occur, the right of the consumer was paramount. “Even if it were deemed that home-use recording of copyrighted material constituted infringement, the Betamax could still legally be used to record noncopyrighted material or material whose owners consented to the copying,” says the decision. “An injunction would deprive the public of the ability to use the Betamax for this noninfringing off-the-air recording.”

“The ruling opened the door for TiVo and other digital gadgetry in the home, then helped defend an assortment of Web-based services with both infringing and non-infringing uses, such as YouTube and other user-generated content sites and Dropbox and other online storage services,” wrote the Los Angeles Times in an editorial on the 30th anniversary of the case.

Of course, even if the Supreme Court had ruled the other way, the horse was out of the barn by then, writes the Museum of Broadcast Communications. “Although the U.S. Court of Appeals reversed the lower court’s decision in October 1981, the decision, if it were to stand, would have been impossible to enforce,” the organization writes. “The home video market had been expanded enormously since the start of the case; VCR sales had increased from 30,000 sets a year in 1976 to 1,400,000 a year in 1981.”

Sadly, Sony never got to enjoy the fruits of its success. A year after the Betamax was introduced, JVC introduced VHS (for Video Home System, who knew?), which within another year was eating the Betamax’ lunch, and eventually killed it. This was even though Betamax reportedly offered better features – “more accurate colour replication, superior resolution and smaller tapes,” writes Stuff. (In fact, the format is still used in the industry, such as for making aircheck tapes.)

“In its first year of sales, VHS took 40% of Sony’s business,” writes Marc C. Scott in The Conversation. “By 1987, 90% of the US$5.25 billion VCR market sales were VHS. Furthermore by 1988, 170 million VCRs had been sold worldwide, of which only 20 million (12%) were Betamax.”

Sales of Betamax videocassettes reached their peak in 1984 (coincidentally, the year the Supreme Court ruled on the case), when Sony shipped 50 million units, writes Robert Hackett in Fortune. “Soon after they became obsolete, living fossils.” By 2002, the company stopped making the machines, after having manufactured 18 million of them, he adds.

What was the fatal blow? Some people like to blame the porn industry.


There’s two theories. The first is the claim that, as with the Blu-Ray format (also produced by Sony), the pornography industry killed Betamax by preferring the VHS format. The second is that Sony indirectly killed Betamax by not allowing porn producers to use the format.

As it turns out, it’s more a correlation than a causality. First of all, some porn was manufactured for the Betamax, though it is true that Sony frowned on it. Second of all, to the extent that porn manufacturers picked VHS, they did so for the same reason that the majority of consumers were choosing it – and it wasn’t because consumers preferred lousier pictures.

A number of factors contributed:

  • Like the PC vs. Apple battles, Sony was more restrictive on its licensing policies, so there were fewer Betamax than VHS manufacturers, meaning machines were more expensive and less common. (Especially with the first model, where it was actually built into the television and cost $2,295, while a one-hour cassette cost $15.95.)
  • Because VHS machines were more plentiful, providers were also more likely to make their content available on VHS, and consumers became more interested in renting or buying content than recording it themselves.
  • Because content was more available on VHS, stores (remember Blockbuster?) tended to stock more VHS than Betamax tapes for rental or purchase.

And this became a vicious circle. The more people bought VHS systems, the more content was available for them, and consequently the less space was devoted to Betamax systems and content.

“VHS became a more open and widely adopted format for the video cassette, which resulted in a larger economy of scale, allowing VHS to beat Betamax on price,” Gibbs writes. “That greater adoption and lower cost saw the pornography industry pick VHS as the format of choice for its home videos, which is largely considered the turning point that propelled VHS to victory.”

Moreover, while Betamax tapes offered better quality, that quality came at a price: The tapes would only last 90 minutes, at most, at a time. This meant you couldn’t go out while recording a two-hour movie or sporting event, which defeated the whole purpose of having a VCR in the first place.

“Betamax was the first successful consumer video format, and at one time it had close to 100% of the market,” writes Jack Schofeld in the Guardian. “All of the video machines in use and all of the pre-recorded movies were Betamax. It had a de facto monopoly, and an element of lock-in (because of tape incompatibilities). It lost because, at the time, it could not do what consumers wanted: record a whole movie unattended.”

Meanwhile, VHS tapes continue to be produced, according to Gibbs, even though they, too, have been superseded by other technology.

Still have a Betamax machine for which you need blank tapes or recorded content? Or do you still have Betamax content you’d like to be able to watch? Cheer up. There’s always eBay.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: