Yottabytes: Storage and Disaster Recovery

March 31, 2017  2:13 PM

What Cake Goes With World Backup Day?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Backup, Storage

Think you’ve missed World Backup Day? It’s not too late. World Backup Day is one of those days that can be celebrated throughout a week – or even all year round.

In case you haven’t heard about it, World Backup Day is always celebrated on March 31, the day before April Fool’s Day, presumably to protect oneself against “tricks.” It’s intended to encourage users to set up regular backup practices for their data, both business and personal.

It tells you how mainstream it’s becoming when the New York Times does an article carefully explaining all the different types of data people have and how to back up each one.

Hopefully, in this day and age, not too many people need to be reminded to back up their systems. Though according to the World Backup Day website, 30 percent of people have never backed up their systems. Why? “Of users reporting that they have no backup solution in place only around seven per cent believe their data is secure without a backup,” reports Kroll Ontrack in a recent survey. “When asked why they chose to forego a backup solution, around 14 per cent of respondents worldwide said the quest for the right backup solution and the expense of managing the solution once installed, entailed too much work.”

That said, even if you think you already back up your data, there’s nothing wrong with making sure – as well as making sure that you can get the data back again should something happen with your system. Kroll reports that 24 per cent of respondents admit to never testing backups; the same percentage of respondents said they test backups at least once per week. 30 per cent test backups once per month and just under 14 per cent once per year.

And with increasing concern about ransomware and cybersecurity, there’s never a bad time to make sure your data is backed up. According to a survey performed by backup vendor Acronis, 75 percent of respondents value their data more than their device – which makes sense, actually – 33 percent protect their computer’s entire system, and almost half value the cost of their data is more than $1,000.

Cloudwards recommends what it calls a 3-2-1 strategy: 3 copies, on two different types of media, and one of them stored offsite. (That said, its infographic also has the infamous “90 percent of businesses that lose data shut down within two years” statistic.)

How are people backing up their data these days? According to Kroll, around twice as many users (about 33 per cent) as last year report they make backups online. At the same time, tape is experiencing a resurgence; 17 per cent of businesses and consumers back up their data on tape, up from about eight per cent in 2016, Kroll reports. “In the UK, 63 per cent of respondents said they back up daily, compared to 44 per cent of survey respondents based in other countries,” the company writes. “More than 18 per cent of respondents back up their data once per week, and almost 16 per cent once per month. Only around four per cent said they back up data only once annually.”

The best part about World Backup Day is the various sales and specials that vendors offer. Vendors such as Acronis, AOMEI Backupper, and Quadric Software are offering sales today, this week, or even longer, associated with World Backup Day. How to find them? Check out the #WorldBackupDay hashtag on Twitter and Facebook, or the World Backup Day page on Facebook.

The bad news? Even if you do back up your data, chances are that you could still end up losing data, according to the Kroll survey, perhaps by not remembering to include all devices and data sources in a backup plan. “Of the respondents who lost data, only 35 per cent did not have a (current) backup,” the survey notes. “A quarter of respondents also reported that their backup failed to work properly. Of the users who experienced data loss and had access to a backup, 67 per cent said they were able to restore almost all their data, while another 13 per cent were able to restore up to three quarters. 12 per cent reported that the backup was corrupted. Just under three per cent were able to restore only a small proportion of their data.”

And according to Acronis, 31 percent of data loss is due to events beyond user control.

That said, backing up data can’t hurt. And besides, there could be cake.

March 27, 2017  4:26 PM

‘Google, How Do I Hide a Body?’

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, law, legal, privacy, Search, Security

Depending on how a certain legal case works out, you may want to become more familiar with tools such as the “incognito” feature in your browsers: Law enforcement might be able to come calling for your search history.

“A county judge in Minnesota approved a uniquely broad search warrant in conjunction with a wire fraud investigation last month that is now in the hands of Google’s lawyers,” writes Colin Wood in StateScoop. “Hennepin County Judge Gary Larson approved on Feb. 1 a search warrant filed by the Edina Police Department (EPD) that requires Google hand over ‘any/all user or subscriber information’ of Edina residents who searched for the full name of the case’s victim during a recent five-week period.”

The problem is, if the ruling stands, it’s pretty scary if you happen to be the sort of person who occasionally Googles things like “how to hide a body.” “It would establish a troubling precedent for those unfortunate enough to use the same search terms as those being pursued in criminal investigations,” Electronic Frontier Foundation staff attorney Stephanie Lacambra tells Wood.

“If Google were to provide personal information on anyone who Googled the victim’s name, would Edina Police raid their homes, or would they first do further investigative work?” writes Tony Webster, who broke the story in his blog. “The question is: what comes next? If you bought a pressure cooker on Amazon a month before the Boston bombing, do police get to know about it?”

Google has pledged to fight the warrant, calling it overbroad, and had previously rejected a subpoena to provide the same information, according to the Minneapolis Star-Tribune.

As you may recall, a somewhat similar situation came up last fall when investigators wanted Amazon to produce possible data recorded by an Amazon Echo smart home device. In that particular case, it wasn’t because investigators thought the defendant might have asked, “Alexa, how do I hide a body?” but because the device might have recorded some incidental sounds that could shed light on the crime. Amazon fought that attempt, but submitted earlier this month when the defendant said they would voluntarily give up the recordings.

Which is what makes this Google situation different. In this case, it could become incriminating to  ask, “Google, how do I hide a body?”, even if one is a writer, has puckish friends, or is simply curious. Just how incriminating it could be, though, won’t be clear until all the rulings on the case are finished.

In fact, part of Amazon’s defense was the contention that search engine results are protected, write Toni M. Massaro, Margot E. Kaminski, and Helen Norton in Slate. “Whether the First Amendment protects Amazon’s speech through Alexa reflects a debate from a few years ago about whether search engine results are protected,” write the three legal scholars. “Back in 2003, Google asserted that its search engine results were protected by the First Amendment. Eugene Volokh, a law professor at the University of California–Los Angeles known for his First Amendment scholarship, wrote a Google-commissioned white paper arguing that search engine results were like the pages of a newspaper: protectable because of editorial choices. Some agreed. Others countered that search engines were more like information platforms or conduits that should be regulated to prevent unfair behavior; or like advisers who owe duties of disclosure and loyalty to users. In 2014, a district court held that Baidu’s search engine results were in fact protected by the First Amendment, citing Volokh’s reasoning and analogizing the search engine to a newspaper. This kind of decision makes it harder to impossible to regulate search engine outputs, for better or for worse.”

(As an aside, imagine combining this with the Senate vote a few days ago to let Internet service providers sell your web browsing history to marketing companies. “I see you recently Googled ‘How do I hide a body?’ Would you like to place an order for rubber gloves, rope, a shovel, and quicklime?”)

Similarly, the so-called USA PATRIOT Act, passed in the wake of 9/11, gave the Federal Bureau of Investigation (FBI) the authority to ask libraries for patron records, so the FBI could find out if you’d checked out Terrorism for Dummies. In response, though, librarians – who are often fierce guardians of civil liberties – have stopped tracking that sort of information, so it’s not available if the FBI comes to call. (And, since many such inquiries have a gag order on them, at least one library has set up a “warrant canary” in the form of a library warning sign that read, “The FBI has not been here,” and then, in smaller type below: “Watch very closely for the removal of this sign.”)

In the meantime, think carefully about what you search for.

March 21, 2017  6:43 PM

Remember Zip Disks? These Election Departments Do

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, Storage

You may recall that a couple of years ago we ran a piece talking about how Ada County, the most populous county in Idaho, was desperately looking for Zip disks and drives to help keep its aging voting machines running.

As it turns out, Ada County isn’t alone. Apparently a lot of counties are in the same boat.

In case you don’t remember, or are too young to remember, Zip disks and drives were developed by Iomega in 1994. They were a similar size to floppy disks – thicker – but held considerably more data; they started at 100 MB and eventually went up to 750 MB. (Which, in those days, was a lot.) Another interesting distinction about them is that they could be used for either PCs or Apple computers.

Several of the major voting machines used back in the day, such as the ESS Model 650 Central Scanner, used Zip disks. And a number of the counties that considered themselves cutting-edge now have to deal with the ancient technology.

“At least once a year, staffers in one of Texas’ largest election offices scour the web for a relic from a bygone technology era: Zip disks,” writes David Saleh Rauf for the Associated Press. “The advanced version of the floppy disk that was cutting edge in the mid-1990s plays a vital role in tallying votes in Bexar County, where like other places around the U.S., money to replace antiquated voting equipment is scarce.”

Bexar County, which had more than 1 million registered voters in the 2016 election and includes the city of San Antonio,  bought its voting equipment in 2002. Now, it’s among the oldest in Texas, Rauf writes. Other states with Zip-disk voting systems include California, North Dakota, and Ohio.

2002 was a big year for acquiring voting machines in the wake of the 2000 “hanging chad” problem. “The 2002 Help America Vote Act provided $4 billion to states, but that money is largely gone,” Rauf writes. “With many state legislatures unwilling to allocate funding, election officials are left scrambling to make do.”

For example, 43 states used machines that were at least a decade old and nearing the end of their lifespans during November’s presidential election, according to the Brennan Center for Justice, Rauf writes. “Election officials in a least 31 states want to purchase new voting machines in the coming years, according to a 2015 report from the center. Most, however, don’t know where they’ll get the money.”

Here’s some examples:

  • Arkansas: Lawmakers two years ago approved $30 million for new statewide voting systems, but the appropriation was never funded, so the secretary of state’s office used leftover money in its budget to improve equipment for part of the state, Rauf writes
  • California: The secretary of state has projected it could cost up to $450 million to replace voting machines
  • North Dakota: Lawmakers recently rejected proposals for $12 million to replace voting equipment, even after being told machines could be unworkable by the next presidential cycle
  • Ohio: The elections chief is asking state lawmakers for help for counties, noting that it cost more than $100 million to replace old machines with money from the U.S. government in 2005
  • Texas: Legislation would create a program for counties to apply for a state grant to cover up to half the cost to replace voting machines

On the other hand, Johnson County in Texas says it’s fine with the Zip disk systems and doesn’t have any trouble keeping stocked up, writes Todd Glasscock in the Cleburne Times-Review.

People buying Zip disks online also sometimes get more than they bargained for, like the fellow in Houston who ended up with nine Zip disks of personally identifiable information, including Social Security numbers.

But whatever happened to Ada County? The county updated its systems before last spring’s Republican Presidential primary so that it no longer is dependent on Zip drives.

Wonder what it did with them. I think I know some people who could use them.

March 15, 2017  11:45 PM

Courts Wield ‘Spokeo’ Precedent

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

As you may recall, about a year ago the Supreme Court ruled on a case about the data aggregator Spokeo, regarding whether people could sue a company based on data it collected about them. By ruling one way, the Supreme Court could open the door to all sorts of frivolous lawsuits based on companies’ tiny procedural errors; by ruling the other way, the Supreme Court could essentially shut down the practice of class-action suits.

Instead of making either of those two decisions, the Supreme Court ruled that it wasn’t an issue because the person couldn’t prove any concrete damages caused by the errors in the Spokeo database. The computer industry heaved a great sigh of relief and went on about its business.

But Spokeo as a legal precedent hasn’t gone away. All sorts of legal cases are continuing to cite it, whether in an attempt to make a lawsuit go away, or in a legal ruling against such a lawsuit.

Some attorneys criticize the Supreme Court’s decision itself, saying that while it avoided the Scylla and Charybdis of the two potential opposing decisions, it also didn’t settle anything and in fact may have been ducking the issue. “If the Spokeo holding recounted above seems to you less than a model of clarity, your response is akin to that of counsel and courts who have struggled to apply the Supreme Court’s reasoning in the wake of the decision,” writes Devin Chwastyk  in JD Supra. “The obliqueness of the decision suggests the court merely kicked the can down the road to allow lower courts and litigants additional opportunities to develop appropriate theories for standing in consumer class actions.”

To add further fuel to the fire, the Spokeo case has different results in federal and state courts, because state courts aren’t bound by Spokeo. In other words, if a defendant uses Spokeo as a defense in federal court, having that ruling granted could simply throw the case to a state court instead, rather than make it go away completely.

“The court’s ruling in Mocek reflects that Spokeo standing arguments may not be a silver bullet for defeating class claims where the plaintiff’s injury was caused by a ‘bare procedural violation, such as those under [the  Fair and Accurate Transactions Act], the Telephone Consumer Protection Act, or the Fair Credit Reporting Act,” write Alan S. Kaplinsky, Burt M. Rublin, and Taylor Steinbacher  in JD Supra. “Indeed, successfully asserting a defense based on Spokeo may lead to the unintended consequence of remand to state court, an outcome that few defendants likely would prefer. It bears emphasis that state courts are not bound by Spokeo in making their own standing determinations.”

If nothing else, these Spokeo cases demonstrate that some people will sue over just about anything. Suing three years after leaving a gym because the gym sent him text messages asking him to rejoin, when he never even replied STOP to the texts? Suing because the employer who hired them had the credit disclosure on a piece of paper with other material on it, rather than on a single piece of paper as the law specifies? Suing a company for asking for your zip code when you buy something, by claiming it violates consumer protection laws? These are all real cases.

Next time you’re tempted to complain about your job, take heart: Instead, you could be a lawyer and have to bring, or defend, cases like this.

February 28, 2017  11:32 PM

Amazon AWS Outage Casts Doubt on Cloud

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Amazon, AWS, Cloud storage

“Don’t have your own storage! Just put everything on the cloud! It’ll always be available!”

Yeah. About that.

The Amazon Web Services (AWS) Simple Storage Service (S3) was down for some four hours earlier today, causing chaos, consternation, and first-world problems as the various services that depend on it were unable to gain access to data and images stored in it.

As you may recall, AWS was also down in 2012 due to weather – not even a hurricane, just a thunderstorm – and in 2011 due to a configuration problem. There’s something to be said for the fact that it happens so seldom that people completely lose their minds when it does, but at the same time it forces us to realize how fragile this connected world really is. The whole point of using the cloud, after all, is so the information will continue to be there even if something goes down.

It’s not that Amazon’s cloud service is so much worse than that of its competitors. If anything, it’s that it’s so widely used that any sort of glitch tends to have really big ramifications. In this particular case, 148,213 sites  use the S3 system, according to Elizabeth Weise in USA Today.

“Sites like Imgur, Medium, Expedia, Mailchimp, Buffer and even the U.S. Securities and Exchange Commission were all impacted, as were communication services like Slack,” writes WCMH. “Also ironically impacted, DownDetector.com, which is a website that tracks when other websites are down.”

“Some of the services affected included Amazon Prime Video and Amazon Music,” writes Janko Roettgers in Variety. “But the outage also affected numerous third-party websites, apps and services.  A number of web publishers, including The Verge and Axios, were unable to load images for their articles. Other media sites, including Business Insider, weren’t able to publish any new stories at all for hours. The outage also affected phone support systems at a number of companies and public agencies, including Boston’s public transit agency and the app-based investment service Acorns. The secure messaging app Signal reported on Twitter that users weren’t able to attach images to their messages. And an outage of the cloud-based scripting and control service IFTTT even led to internet-connected light bulbs ceasing to function, according to user reports.

In fact, so dependent is the world on this particular piece of AWS, based on the East Coast, that Amazon itself  got burned by the outage. “Amazon wasn’t able to update its own service health dashboard for the first two hours of the outage because the dashboard itself was hosted on AWS,” Weise writes.

Maybe, for disaster recovery purposes, Amazon want to re-think that decision? Just a thought.

Why it was down, Amazon hasn’t yet said, other than blaming “high error rates,” though that is likely a symptom rather than a cause. Weise quoted Gartner analyst Lydia Leong  as saying that the most common causes of this type of outage are software-related, either a bug in the code or human error. And the primary way to protect against it is to have multiple backups of the data, she adds. “Only the most paranoid, and very large companies, distribute their files across not just AWS but also Microsoft and Google, and replicate them geographically across regions  —  but that’s very, very expensive,” she tells Weise.

Variety notes, for example, that Netflix stayed up during the outage, likely because it had redundant storage on other services.

As far as what to do in the future, there’s really not much to add to what I wrote in 2011 when this happened:

“Organizations that use the cloud — anybody’s cloud, not just Amazon’s — should take this as a wake-up call. Even if you weren’t affected by this outage, you could be on the next one. Don’t just have a backup. Have a backup for the backup. Yes, it costs money. How much money does it cost for your business to be out for a day?”

February 27, 2017  12:23 PM

Disappearing Government Data Worries Researchers

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Database, government, Open data

As you may recall, a few weeks ago some researchers began copying freely available U.S. government data onto private servers and servers outside the U.S. out of concern that a Trump administration might make the data inaccessible or unavailable in the future. At the time, the people said they were doing it primarily as a precaution. But in recent days, there have been a number of incidents of disappearing government data with little or no warning.

First, soon after or on Inauguration Day on January 20, a number of pages of the WhiteHouse.gov website disappeared, including pages about climate change, gay and civil rights.

Next, a U.S. Department of Agriculture (USDA) database called the Animal and Plant Health Inspection Service (APHIS) disappeared in early February. “The data consisted of inspection reports, enforcement actions, regulatory correspondence and other information related to APHIS’ investigations of animal welfare issues, ranging from puppy mills to abuse of animals in research labs,” writes Joshua New, a policy analyst at the Center for Data Innovation,  in The Hill. “The USDA decided it should not be publicly available due to ill-conceived concerns about the privacy of animal abusers,” he explains.

Later, the USDA posted a message saying the data removal was related to ongoing litigation and that the removal had been planned since before the election. “In 2016, well before the change of Administration, APHIS decided to make adjustments to the posting of regulatory records,” the agency reports. “In addition, APHIS is currently involved in litigation concerning, among other issues, information posted on the agency’s website. While the agency is vigorously defending against this litigation, in an abundance of caution, the agency is taking additional measures to protect individual privacy. These decisions are not final. Adjustments may be made regarding information appropriate for release and posting.” On the other hand, people familiar with the material in the database said that personal information had already been redacted from it.

In the meantime, members of the public should file a Freedom of Information Act request to gain access to any of this data, the USDA writes. “Those seeking information from APHIS regarding inspection reports, research facility annual reports, regulatory correspondence, and enforcement records should submit Freedom of Information Act requests for that information,” the agency notes. “Records will be released when authorized and in a manner consistent with the FOIA and Privacy Act. If the same records are frequently requested via the Freedom of Information Act process, APHIS may post the appropriately redacted versions to its website.” FOIA requests can take years to be approved, notes Karin Brulliard in the Washington Post.

Then, on Valentine’s Day, it was reported that the White House open data portal had disappeared – as much as 9 gigabytes’ worth, according to some reports — though programmer Maxwell Ogden posted on Twitter that he had backed up all the data on January 20. The portal “served as a public clearinghouse for data on everything from federal budgets to climate change initiatives,” New writes.

Needless to say, researchers had kittens. “There is no definitive evidence that the Trump administration intends to roll back the valuable commitments to open data that Obama made during his administration, which require federal agencies to treat their data as open and machine-readable by default,” New writes. “However, the Trump administration has also failed to make any indication that it intends to honor or expand upon these commitments.”

In some cases, there was plausible deniability about where the data had gone. For example, the missing White House web pages were attributed to a reset of the website. “If you’ve ever been part of a website launch, you’ll know that nothing is perfect on the first day, no matter how much you try,” Tom Cochran, the White House’s director of digital platforms in 2011 and 2012, tells Georgia Frances King in Quartz. “Something always slips through the cracks. Given the magnitude and the scale of the migration of a White House website—probably one of the most prominent, if not the most prominent websites in the world—I would say it was a pretty wild success to not have anything really bad happen other than content not be there.”

With the USDA databases, organizations such as the Humane Society of the United States, PETA, the Physicians Committee For Responsible Medicine, and Born Free USA initiated legal action against the USDA, writes Natasha Daly in National Geographic. And after that, some of the missing data was put back, though agency representatives say it wasn’t related to the lawsuit. A large number of Congressional members also complained.

Some of the White House data is expected to be restored, but other parts – such as visitor logs – may not be, writes Nikita Buryokov for NBC News. “Based on timing of data releases by the Obama administration, White House visitors’ logs likely won’t be available until mid-April,” she writes. “However, because no law requires that such logs be made public, their release isn’t guaranteed. The logs can show who, exactly, is speaking with the president and other administration officials. While certain groups can be excluded — a potential Supreme Court nominee, say, or someone whose life might be placed at risk by identification — they have repeatedly cast light on lobbying activities within the White House.” Also, visitor logs are created by the Secret Service, a separate agency that is subject to FOIA requests, she notes.

With some of the screw-ups that have plagued the Trump administration since he took office, it’s certainly believable that the disappearing government data is attributable to human error. But whether the data’s absence could be chalked up to malice or stupidity, the operative fact is that data that people used to be able to see is no longer available, reinforcing the value of backing data up in other locations.

February 21, 2017  5:13 PM

Electronic Border Searches Becoming an Issue Again

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Security, social media

The issue of people entering the U.S. having their phones and laptops seized and searched at the border isn’t new, but it’s garnering new attention under the presidency of Donald Trump.

Since August 2009civil libertarians have objected to a Department of Homeland Security that enables U.S. Customs and Border Patrol agents to search laptops and other electronic devices at the U.S. border, for large values of “at” – that is, within 100 miles of the border

100 miles might not sound like much, but according to the American Civil Liberties Union (ACLU), as of 2006, more than two-thirds of the U.S. population lived within 100 miles of the border. Altogether, it meant that anyone in that area with a laptop could have that laptop seized without a warrant, at any time, taken to a lab anywhere in the U.S., have its data copied, and searched for as long as Customs deemed necessary. And despite their objections, the policy has largely been upheld.

In 2015, a judge ruled that – following the lead of the Supreme Court ruling on the Riley case, which stated that law enforcement officials needed a warrant to search someone’s cell phone – customs officials needed to have probable cause before it could search someone’s laptop. The problem with that ruling is it applied just to that one case, not overall.

And that’s where things stood until recently, when a number of people have reported anecdotally that they have had their devices searched. In one case, a US-born NASA engineer who worked with the federal government and was also a part of the Customs and Border Protection Global Entry program was told he couldn’t re-enter the U.S. until he unlocked his encrypted NASA phone. Several other incidents have also happened over the summer, reports the Electronic Frontier Foundation. Even a Canadian journalist was denied entry to the U.S. for refusing to unlock his phone, and a Wall Street Journal reporter had the same experience, though customs agents backed down when she told them to call the paper. A BBC reporter also had to turn over his phone.

It is too soon to tell whether this policy is changing under President Trump, writes Daniel Victor in the New York Times, though he notes that inspection of electronic devices rose from 4764 in 2015 to 23,000 in 2016. But there are also proposals that people entering the U.S. – potentially including U.S. citizens – would have to provide browsing history and device or account passwords, reports Kaveh Waddell in the Atlantic. Customs also asks people to voluntarily provide social media passwords and it may become mandatory – particularly for the seven Muslim-majority countries currently under a travel ban. Similar incidents are happening in other countries as well.

The problem is that the whole issue of whether people are required to unlock or decrypt their phones is not yet settled case law,  Orin Kerr, a law professor at George Washington University who specializes in computer crime law and digital evidence investigation, told the public radio show Here & Now. “You probably don’t have to comply. There are no court cases that have actually tested this, so we really don’t know what the legal limits are on the government getting people to unlock their phones,” he says. “We just don’t have those cases yet because these policies are new and encryption on iPhones is pretty new. And so we’re just starting to get these problems, and it takes the legal system a couple years for all the lawyers to get together and a lawsuit to be filed and a judge to make one decision and then the losing party is going to appeal. And it works its way up to the Supreme Court, and then five or ten years later the Supreme Court says, ‘OK, here’s the rule, here’s the law.’ And so, we just have a natural period of uncertainty until that happens.”

Indeed, the EFF – which has published a guide on border searches — would like to push for such a case to expand the provisions of the Riley case to border searches. “We are eager to further the law in this area—to make it clear that the Riley decision applies at the border,” the organization writes, urging people to let it know when they undergo a border search.

There are ways to protect your data, writes Jonathan Zdziarski in Blog of Things, who describes a number of techniques. “This is a classic security problem like any other and requires you think of a border crossing as a security boundary and the system as an adversary,” he writes. “The goal is to increase cost to exceed their investment of detaining you and diverting government resources away from going after real threats to the country – not you.”

Some people are going so far as to say they won’t take their own phone or laptop across a border at all. “I’ll never bring my phone on an international flight again. Neither should you,” writes Quincy Larson in Medium, noting that other countries are doing this as well.  “If we do nothing to resist, pretty soon everyone will have to unlock their phone and hand it over to a customs agent while they’re getting their passport swiped. Over time, this unparalleled intrusion into your personal privacy may come to feel as routine as taking off your shoes and putting them on a conveyer belt.”

Instead, Larson suggests renting a phone at your destination or having a spare phone and laptop at a destination you visit frequently – or, at the very least, factory-resetting your phone before you fly. “Is all this inconvenient? Absolutely. But it’s the only sane course of action when you consider the gravity of your data falling into the wrong hands.”

February 10, 2017  11:58 PM

How Many Facebook Search Warrants Are OK?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Facebook, government, privacy

It’s no secret that insurance companies, fraud departments, attorneys, and so on scout Facebook and other social media sites looking for evidence of malfeasance. And when such people do so by means of a warrant rather than simply Facebook-stalking someone, more power to them. But how many Facebook search warrants of stored data should such a perusal allow?

That’s the crux behind an ongoing case in New York, where Manhattan District Attorney Cyrus Vance Jr. filed 381 separate search warrants in 2013 for the Facebook records of police and fire department personnel who were suspected of fraudulently claiming disability from 9/11 and retiring.

Facebook complied, because it had to. As it happens, more than 130 people were convicted of fraudulently claiming Social Security disability, 62 of whom were on the list of 381. And prosecutors rightly pointed out that these people were ripping off New York taxpayers. “Resulting guilty pleas and convictions returned $25 million to the U.S. Social Security Administration,” writes Marlene Kennedy in Courthouse News.

“More than 100 people have already been convicted in the ruse,” writes Julia Marsh in the New York Post. “They claimed they were too sick to work in order to get the benefits — then posted photos of themselves on social media platforms like Facebook jet-skiing and sport-fishing.”

But at the same time, Facebook wants to nip this sort of bulk request in the bud. “The ‘carbon-copy’ warrants for 381 accounts placed Facebook in the awkward position of ‘being conscripted’ by law enforcement to invade the privacy of its users and turn over everything in their accounts,” Kennedy writes.

The company had several issues:

  • The warrants were unlimited. A number of civil liberties organizations that filed amicus briefs with the court pointed this out. “The groups noted that of the accounts sought by Vance’s office, the holders of 319 of them were eventually never charged in connection with the disability benefit investigation,” writes Joel Stashenko in the New York Law Journal. “Yet, the civil liberties’ groups argued, the information about the account holders’ private messages, chat history, photographs, lists of friends, religious or political affiliations and other confidential information was subject to review by prosecutors without the account holders’ permission.”
  • There were a lot of them. Facebook’s argument wasn’t that fulfilling all those requests was a lot of work, though it probably was, but simply that it was overbroad. “The ultimate chilling effect would be a similar request for all of the electronic accounts of every resident of New York City,” Kennedy writes. And it’s not like Facebook regularly turns down this sort of request — for the first half of 2016, it received more than 23,000 law-enforcement requests involving nearly 39,000 user accounts and produced some data for almost 81 percent of them, she adds.
  • They were warrants, rather than subpoenas. “Vance’s office applied for the warrants under the federal Stored Communications Act, which governs the disclosure of electronic records held by third-party internet service providers,” Kennedy writes. “Facebook’s failed attempt to quash hinged on attempt to characterize the warrants as more akin to subpoenas.” The difference is that subpoenas can be challenged, while warrants can’t, she adds.
  • Facebook wasn’t allowed to fight the warrants, because the Appellate Division’s First Department decided it didn’t have “standing,” or the legal right to object. Only the individuals – all 381 of them – had standing to object, meaning they each would have had to lawyer up and go through the ordeal of fighting the search warrant.
  • Facebook wasn’t allowed to tell the people that the government was requesting their records. This sort of gag order isn’t unusual; there have been a number of times when companies were not allowed to say that a government agency had requested their records. (In fact, in a number of cases, companies have created what’s called a “warrant canary”on their website, where they note that the government has never asked for their records – and then, at some point, the sentence disappears and watchers can see that such a request must have occurred.) If Facebook had told the people, they would have deleted the records, Vance said.

All of this is critical because people – not just Facebook – are concerned about what it could mean for the future. For example, could the government get a warrant for everyone who posted on Facebook that they had attended the Women’s March so it could arrest them or put them in some sort of database? Could the government get a warrant for everyone who had posted something to Facebook indicating they were Muslim? In this day and age, one never knows.

Testimony on the suit was taken earlier this month to the New York Court of Appeals, with a decision expected to be rendered by the six-judge panel near the end of March, Stashenko writes.

January 31, 2017  2:29 PM

Rettenmaier Case Questions Geek Squad Role in Search

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Security

As you may recall, in May we wrote about laws being enacted in Utah to require computer technicians to report child pornography they encounter in the course of their jobs to law enforcement authorities. Some computer technicians, as it turns out, were already doing that; the issue was whether it should be required by law. The Rettenmaier case is taking the question even further.

Reportedly, the FBI has cultivated eight “confidential human sources” in Best Buy’s Geek Squad over a four-year period, according to a judge’s order, with all of them receiving some payment, according to Tom Jackman in the Washington Post. The Geek Squad employees in question were specifically in Best Buy’s data recovery services in Brooks, Ky.

What makes this a problem? “Best Buy searching a computer is legal — the customer authorized it, and the law does not prohibit private searches,” Jackman explains. “But if Best Buy serves as an arm of the government, then a warrant or specific consent is needed.” And the fact that the FBI has cultivated the ongoing relationships and that there is a two-way conversation between the organization and the technicians makes it look more like the Geek Squad is serving as an arm of the government.

For its part, Best Buy contended that the organization had no such policy, that they’re only allowed to turn in pornography they find in the course of their jobs rather than going hunting for it, that it was inappropriate for technicians to be accepting payments, Jackman writes. “Any circumstances in which an employee received payment from the FBI is the result of extremely poor individual judgment, is not something we tolerate and is certainly not a part of our normal business behavior,” a Best Buy spokesman said in a statement.

The case started in November 2011, when Mark Rettenmaier, a gynecological oncologist in Orange County, Calif., took his HP Pavilion desktop to the Best Buy in Mission Viejo, Calif., because it wouldn’t boot up, Jackman explains. “The technicians at the store told him he had a faulty hard drive. If he wanted to retain information from the hard drive, he would need the Geek Squad’s data recovery services in Kentucky,” he writes.

In the process, Rettenmaier signed a form acknowledging that any child pornography found would be turned over to law enforcement authorities, which prosecutors said waived his right to a Fourth Amendment claim.

As it turns out, a Best Buy Geek Squad technician who had been paid by the FBI two months before did indeed find a piece of child pornography on the system – but in unallocated space, meaning the technician required special software to look for it. “In addition, a federal appeals court has ruled that pornography found on unallocated space is insufficient to prove that the user possessed it, since information about when it was accessed, altered or deleted is no longer available,” Jackman writes, because such a file could be put into a computer against the owner’s will or before they owned the system.

On the basis of the file, the FBI got a search warrant and seized Rettenmaier’s cell phone, on which the FBI reportedly found more than 800 other such files, writes Jeremiah Dobruck in the Los Angeles Times. However, in requesting the search warrant, the FBI did not tell the judge that the picture was found in unallocated space, which might have made it more difficult to get the warrant, writes R. Scott Moxley in OC Weekly. There’s also an issue about whether the file would even be considered child pornography at all, Moxley writes in a different OC Weekly article (which also includes some interesting reporting on testimony about just how easily porn can be injected into a computer).

Dobruck notes that taking payments from a law enforcement organization doesn’t necessarily make them an agent of the government. In fact, two Geek Squad employees who said they had received payments also said they had donated the money to charity, writes Andrea Eldredge in the Record Searchlight.

“The problem, from a privacy perspective, is that such rewards create incentives for technicians to start searching people’s perspective rather than just fix them,” writes Jeff John Roberts in Fortune. “Also troubling is that any arrangement between the FBI computer repair services like Best Buy could expand and that, in the future, employees could begin tipping of the agency about other things they find on people’s devices.”

The current status of the case? The judge took two days of testimony earlier this month, after which Rettenmaier’s attorneys had 45 days to file briefs, after which the judge will rule on whether any evidence should be excluded, writes Hannah Fry in the Los Angeles Times.

It should go without saying that child pornography is a heinous crime. But in a day and age where people are concerned about the rule of law and the increased surveillance in our society, it will be interesting to see the outcome of this case. Not to mention, it’s worth keeping in mind if you’re planning to send your hard disk in for repair.

January 26, 2017  10:00 PM

Remember ‘Safe Harbor’? Never Mind

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Safe Harbor, Security

As you may recall, in July the United States and the European Union finally came to an agreement modifying the “Safe Harbor” provisions, which allows companies in the countries to exchange personal data about citizens without having to go through laborious agreements.

The agreement had been in jeopardy since the previous fall, when the European Court of Justice found that, in reaction to the Edward Snowden revelations, the United States did not ensure adequate protection of personal data against surveillance by public authorities for European citizens. Without the Safe Harbor provision, companies that wanted to exchange data between the U.S. and the E.U. about European citizens – such as Google wanting browsing history – would have to individually negotiate elaborate legal agreements. As many as 1500 companies were involved, writes A.J. Dellinger in the International Business Times. So revising it to the Court’s satisfaction was really important.

It took President Donald Trump less than a week to put it in jeopardy again.

On Wednesday, Trump signed an executive order ostensibly to “enhance public safety in the interior of the United States.” But that order also included a provision noting that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” Some experts believe that will mean the E.U. will suspend the agreement.

“While the action may not have been specifically targeting the agreement with the EU, it very well may apply to it by excluding ‘persons who are not United States citizens or lawful permanent residents,’” Dellinger writes. “The phrase would apply to European citizens whose data is traveling across the Atlantic. The executive order puts the U.S. at risk of being sanctioned by the EU for violating its privacy laws and could lead to the suspension of the agreement entirely—a possibility that would be especially troubling for tech companies based in the U.S. who do business overseas.”

It’s also an issue with Canada, writes Michael Geist, a Canadian law professor, in his personal blog. “The decision requires an immediate review by the Privacy Commissioner of Canada on the effect of Canadian personal information and data sharing agreements and a potential re-assessment of what personal information is made available to U.S. agencies,” he recommends.

In response to the executive order, a number of legal professionals are raising the alarm, but it isn’t yet clear what can be done to rescind or modify the executive order to remove the offending paragraph.

In fact, some people in the E.U. had already felt that the protections in the revised Safe Harbor provision were inadequate, and were filing lawsuits, meaning that the Safe Harbor provision was already being threatened without Trump’s action, writes Hogan Lovells in Lexology. “In reality, the future of the Privacy Shield will be linked to the direction of travel of the new Trump administration and the extent to which the assurances given by the previous government on data access controls will stand,” he wrote presciently earlier this week.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: