Yottabytes: Storage and Disaster Recovery

August 16, 2017  11:36 PM

Dreamhost Fights DoJ Inauguration Warrants — All 1.3 Million

Sharon Fisher
government, privacy, Security

As you may recall, in February we covered the question of how many search warrants the government could legally expect to serve on Facebook at once, given that the company felt that the 381 it had received was too many.

“For example, could the government get a warrant for everyone who posted on Facebook that they had attended the Women’s March so it could arrest them or put them in some sort of database?” we asked presciently.

Little did we know.

As it turns out, the Department of Justice is asking the web hosting company Dreamhost to provide information about every visitor to a particular website, www.disruptj20.org, which was intended to help organize protests at the inauguration of President Donald Trump. Some 230 people, including six journalists, were arrested. (“J20” referred to January 20, the date of the inauguration.) But the DoJ is asking for information on all 1.3 million visitors to the website.

And it is asking for a lot of information: “names, addresses, telephone numbers and other identifiers, e-mail addresses, business information, the length of service (including start date), means and source of payment for services (including any credit card or bank account number), and information about any domain name registration,” as well as the content each person viewed.

In other words, even if you simply visited the website once, didn’t post any information, and didn’t attend any protests, the government would now have your information. Incidentally, disruptj20 did not keep logs of this data itself, but Dreamhost did, according to NPR.

So, just by virtue of researching this story, I’m now on this list. Twice.

“No plausible explanation exists for a search warrant of this breadth, other than to cast a digital dragnet as broadly as possible,” writes Mark Rumold of the Electronic Frontier Foundation, which is helping Dreamhost with its defense. “But the Fourth Amendment was designed to prohibit fishing expeditions like this. Those concerns are especially relevant here, where DOJ is investigating a website that served as a hub for the planning and exercise of First Amendment-protected activities.” The organization is also helping Facebook fight a similar request for information, but doesn’t even know whether it’s also about the inauguration, because of a gag order.

Dreamhost, which spilled the beans on all this on August 14, is fighting the warrant on First and Fourth Amendment grounds, saying it is “overbroad.”

You think?

A hearing is scheduled for Friday.

Interestingly, the DoJ sent out its warrant on July 12. For an event on January 20? It doesn’t necessarily mean that the DoJ attorneys are slow, though they have been fighting with Dreamhost about this data since a week after the inauguration. The Stored Communications Act, part of the Electronic Communications Privacy Act, changes the rules at 180 days. “Under the ECPA, emails on a server for more than 180 days is considered ‘abandoned’ by users and can be accessed through a subpoena instead of a search warrant,” explains Ryan Reilly in the Huffington Post. To what degree that is actually a factor here is hard to tell, because many of the outlets reporting on this aren’t technical enough to say. But it’s interesting timing.

The DoJ made its initial request, a subpoena and an order to preserve records, on January 27. However, Dreamhost, perhaps disingenuously, didn’t understand what the government was actually asking for. “Within three weeks of service of the subpoena, DreamHost produced its records responsive to these categories,” the company writes. “In its correspondence accompanying the production, DreamHost’s General Counsel made clear that he understood the subpoena was directed to records regarding the registrant, and not records regarding third party visitors to the website.”

Dreamhost also points out in its response that the request is more like a subpoena than a search warrant, because “it requires DreamHost itself to execute the warrant and provide the responsive records to the government.” The company also notes that the information the government is asking for is really more like evidence of a violation than a violation itself, despite how the warrant is worded.

It also isn’t clear exactly what the DoJ is trying to find out, or if it’s simply going on a fishing expedition, because that part of the warrant is sealed. But assuming it gets away with this request, it is making its requests for Microsoft data overseas look like child’s play. If companies can be forced to provide this much data about every single visitor to their customers’ websites, no matter how innocent, this could have a seriously chilling effect on, well, everything.

July 31, 2017  9:03 PM

E-Discovery Data Breach is a Lesson for All of Us

Sharon Fisher
E-discovery, Security

Be careful with e-discovery: You might discover something you didn’t intend.

That’s what one attorney recently learned when collecting data for a legal case. “The 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them,” write Serge Kovaleski and Stacy Cowley in the New York Times – data from some 50,000 customers altogether.

Typically, such personally identifiable information is redacted, or removed, from e-discovery data sent to the opposing counsel, Kovaleski and Cowley explain.

Initially, the attorney blamed the software vendor (of course), which wasn’t named but appeared to include both software and service. But as it turns out, the attorney hadn’t realized how much data the e-discovery request had obtained, writes Christine Simmons in Law.com. Using the software, the attorney reviewed “what I thought was the complete search results” and marked some documents as privileged and confidential, and then coordinated with the vendor to withhold from production anything she tagged as privileged and confidential, Simmons writes.

“What I did not realize was that there were documents that I had not reviewed,” the attorney tells Simmons, adding that her view showed only a set limit of documents at one time. There also appeared to be some confusion about who actually performed the redacting of the documents, and whether any of the data was redacted, according to court documents (which are a thing of beauty, and you really should read them to get the full effect).

Moreover, the files were handed over to opposing counsel with no protective orders and no written confidentiality agreement in place. Consequently, it would be perfectly legal for counsel “to release most of the material or include it in their legal filings, which would then become part of the public record,” Kovaleski and Cowley write.

And it didn’t end there. Because Wells Fargo had released the personally identifiable information, it then became a data breach and was subject to all the laws governing data breaches. Sending the data without redactions or confidentiality agreements violates “various privacy protection laws, Financial Industry Regulatory Authority Inc. guidance and U.S. Securities and Exchange Commission regulations, according to opposing counsel in court documents,” she writes. The attorney who had sent the files to the other attorney asked that the data be returned, but at that point it became evidence in the data breach case.

Wells Fargo and its attorney have been using various legal maneuvers to get the opposing counsel to return the data, as well as destroy any copies it had made of it, Simmons writes. The attorney also noted, however, that the CD was encrypted, and that she’d written “Confidential” on the envelope. Thank goodness.

Regardless, Wells now needs to follow standard data breach protocols, such as notifying the customers that their data has been improperly released, Kovaleski and Cowley write. “And some of the accounts are listed as having a foreign owner, which would potentially trigger a separate set of overseas regulations, such as Europe’s stricter privacy statutes,” they add.

Such data breaches could happen more often as e-discovery becomes more common and more voluminous, Simmons warns.

July 31, 2017  6:38 PM

IBM Mainframe Encryption Apparently Okay

Sharon Fisher
Apple, Encryption, Google, government, IBM, privacy, Security

When Apple and Google released cellphones with encryption being the default, law enforcement had kittens, with dire warnings about terrorism and child pornography if there wasn’t a back door into it. And governments all over the world, including the U.S., have insisted that data shouldn’t be encrypted unless a back door was available, in case evil people were hiding evidence of their nefarious deeds.

But so far, law enforcement hasn’t complained about IBM’s new Mainframe Z, announced earlier this month. “IBM has launched a new mainframe system capable of running more than 12 billion encrypted transactions per day, in a bid to wade further into the financial cybersecurity market,” writes Ryan Browne for CNBC. “IBM claimed that its new mainframe can encrypt data at a rate 18 times faster than other platforms. The mainframe will be used initially as an encryption engine for IBM’s cloud computing technology and blockchain (distributed ledger technology) services.”

IBM didn’t say when the system would be available, though it said the technology was already in use at six of its own blockchain service centers, and at least one article indicated that the system would be available in mid-September. The company already supports 87 percent of all credit card transactions, totaling nearly $8 trillion worth of payments each year, Browne writes. The system is intended to “enable companies to comply with new data protection laws, such as the European Union’s General Data Protection Regulation (GDPR) and the U.S.’s Federal Financial Institutions Examination Council (FFIEC) guidance on the use of encryption in the financial services industry,” he adds. “The GDPR holds that businesses should encrypt personal data to prevent a compromise of confidentiality, while the FFIEC’s guidance states that management should ‘implement the type and level of encryption commensurate with the sensitivity of the information.’”

But by announcing the system, IBM is also drawing a line in the sand and siding with Apple, writes Brian Fung in the Washington Post. “IBM fully supports the need for governments to protect their citizens from evolving threats,” he reports the company said in a statement on the issue. “Weakening encryption technology, however, is not the answer. Encryption is simply too prevalent and necessary in modern society.”

Maybe law enforcement thinks that hackers and terrorists can’t afford mainframes like this one, which according to Fung is supposed to cost $500,000 a pop? But companies like Microsoft can, and the U.S. government has been fighting with Microsoft for several years to gain access to data that it stores overseas. What if Microsoft said fine, here’s the data – but it’s encrypted, so good luck?

Indeed, with some governments wanting to outlaw encryption altogether, is IBM going to be allowed to sell the equipment in those countries? Will people in those countries be allowed to use it? Is IBM releasing the system in hopes that it will be grandfathered in should countries implement anti-encryption laws?

Experts also point out that IBM’s statements about the encrypted data being safer from hackers aren’t necessarily true. Commenters to the Washington Post article noted that only the data at rest would be encrypted, while data within an application would still be decrypted and vulnerable. In addition, hackers don’t have to be able to read data to wreak havoc, noted another. “I do not need to know what is in your data for a ‘WannaCry’ attack to work,” writes JoeFromBoston. “Even if YOU have encrypted your data, if I encrypt your encrypted data a second time, you are still in big trouble.”

So far, no comment from the FBI or other law enforcement organizations.

July 22, 2017  10:22 AM

Supremes to Decide Cellphone Location Data Case

Sharon Fisher
privacy, Security, smartphone

The laws governing search and seizure of data on a person’s cellphone continue to evolve – and next fall, they’re likely to evolve some more, as a critical case goes to the Supreme Court. At the heart of the case is the distinction between content and metadata.

Let’s say you send someone an email message. The body of the message is the content. But all the information about the message – to whom you sent it, when you sent it, where you were when you sent it, and so on – is metadata, or data about the message. In a number of cases, courts, prosecutors, and law enforcement have made the distinction between the two, saying that while a search warrant is required to see the content, the metadata is fair game.

Now, one of those issues – in particular, the location data of your cellphone – is actually going to be argued in front of the Supreme Court, which is likely to settle the issue once and for all.

It’s all due to a case called Carpenter. Two guys in Detroit were accused of robbery, and the Federal Bureau of Investigation (FBI) used their cellphones to prove that they were near a number of the incidents. To do this, the FBI went to the suspects’ cellphone providers and obtained a lot of data about the suspects’ locations – more than 12,000 for one guy, and almost 24,000 for the other guy. The defense attorneys for the guys are saying that the phones revealed so much personal data about the guys that a warrant should have been required for the search.

Moreover, these two guys aren’t the only ones who had their phones searched for location data; according to providers such as AT&T, this happens thousands of times a year.

You might think, “Wait. Didn’t the Supreme Court decide this already?” Well, sort of. In June 2014, in a case known as Riley, the Supreme Court ruled that law enforcement officials needed a warrant to search someone’s cell phone. However, this case is different, because Riley covered searching the content of a cellphone, while Carpenter covers searching the metadata.

A number of organizations – including such odd bedfellows as the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation, and the conservative Cato Institute — have filed friend-of-the-court briefs hoping to protect metadata, saying that giving law enforcement access to a person’s location files amounts to unlawful search and that a warrant should be involved.

“The Fourth Amendment was designed precisely to protect the kinds of intimate details that police seized without a warrant in Carpenter,” writes the ACLU. “For example, an analysis of Carpenter’s whereabouts suggests that he slept away from home on December 22, 2010, in what appears to be an aberration. The location data also shows that in the early afternoon on a number of Sundays, Carpenter made or received calls from the cell tower sectors nearest to his church. His cell phone records do not routinely show him in that area on other days of the week, implying that he was worshipping at those times. Together, the data reveals a granular accounting of Carpenter’s locations and movements over the four-month period.”

“Although the case is formally about cell-site records, it’s really about where to draw lines in terms of what network surveillance triggers the Fourth Amendment and how the Fourth Amendment applies,” argues Orin Kerr of the Volokh Conspiracy, in the Washington Post. “The justices can’t answer how the Fourth Amendment applies to cell-site records without providing a framework for how the Fourth Amendment applies to many other forms of surveillance, such as visual surveillance, obtaining traditional phone records, obtaining e-mail transactional records, obtaining credit card records and the like.”

Not everyone agrees. “Carpenter v. United States is part of the ACLU’s campaign to hobble police and shield wrongdoers — both terrorists and common criminals — from the latest technologies available to law enforcement,” writes Betsy McCaughey in the New York Post, while muttering darkly about terrorists. “But how else could agents find out whether he was near the robbed stores?” (Fortunately, “but law enforcement didn’t have any other way to get the information” isn’t typically an acceptable excuse for violating the Constitution.) There is also some concern that such a ruling could limit the use of location data by marketers.

A particular nuance in this case is the notion of third-party doctrine, Kerr explains. In other words, law enforcement didn’t get the metadata directly from the suspects’ cellphones, but from a third party – their service providers. Third-party records require only “reasonable suspicion” that a person was involved in a crime, not “probable cause,” which requires a warrant, writes Peter Henning in the New York Times.

What’s important about this case is it will determine whether metadata from a third party will also require a search warrant, Kerr explains. For example, the third-party doctrine is frequently cited by the government in support of the legality of NSA collection of metadata, writes Emma Kohse in the Lawfare blog.

Another nuance is that the Supreme Court has already ruled that collection of data from a GPS tracker required a warrant, but law enforcement has argued that the cellphone tower location data obtained in Carpenter was less specific than the data from a GPS tracker, so it didn’t require the same level of protection, Henning adds.

In the meantime, there’s not much you can do to avoid this other than turning off your phone. Moreover, this isn’t even data collection that you can stop by turning off or deleting location tracking, because it’s the cell tower data collected by your provider. So it will be interesting to see how the Supreme Court – with its newly appointed justice Neil Gorsuch – will rule.

July 13, 2017  9:06 PM

Beware! USB Web Key In the Mail

Sharon Fisher
Security, Storage, USB

You’ve heard about phishing. Now we’ve got one with actual bait: a mailed USB card called a web key.

As one techie describes it, “Here is the prototype for the next big wave of security breaches.”

According to TJ Gamble, founder and CEO of ecommerce company jamerson.com, Blue Cross/Blue Shield is sending out letters that include something like a business card or a credit card with a built-in USB drive. The letter urges recipients to insert the device into their computers to find out all the wonderful things that Blue Cross could do for them.

Gamble Tweeted a picture of one of the letters, showing the USB drive, known as a “web key.” He also put together a YouTube video going into more detail.

In a LinkedIn post elaborating on the Tweet, and in his video, Gamble hastened to clarify that he wasn’t accusing Blue Cross of anything nefarious. “I am not accusing BCBS of creating software that is less than aboveboard,” he writes. “However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.”

In other words, it would be like phishing – except instead of getting email from what appears to be Google or Facebook, you’re getting actual physical mail from what appears to be a trusted source like Blue Cross. Instead, it could have a potentially nasty payload that could install malware, steal your data, reprogram your device, destroy your laptop, or set it on fire. Moreover, the mailing apparently targeted human resources professionals, who might not know about the security risks involved, Gamble notes.

On the other hand, if someone gets caught sending them out, it’s presumably mail fraud, a Federal crime. And due to this risk, as well as the cost of producing the devices in the first place – 50 cents to a dollar each, he estimates — Gamble writes that he wouldn’t expect to see the general public start receiving these. “However, it definitely provides some ideas for going after high-value targets,” he warns – a variation known as “spear phishing.”

Blue Cross defenders commenting on Gamble’s piece point out that the company is hardly the first to use such Web key devices, linking to a Pinterest board of examples. (For what it’s worth, I’ve never seen the things before.) On the other hand, commenters also noted that malware or other payloads could be inserted anywhere along the supply chain for the devices, including where they were built, and in any event it was dangerous to train users to start inserting these devices.

In any event, the advice remains the same: Don’t poke strange USB sticks into your devices.

June 30, 2017  8:48 AM

Microsoft-DoJ Case Headed to the Supremes

Sharon Fisher
government, Microsoft, privacy, Security

Experts who have been saying for a while now that the Microsoft-Department of Justice case would eventually end up before the Supreme Court are finally being proven right: the DoJ requested earlier this month that the Court handle the case.

As you may recall, the case, which started in 2014, involved whether Microsoft must release data stored on one of its servers to a U.S. government agency, even though the data in question is outside the U.S., setting the stage for a massive worldwide confrontation on just who has the right to have access to data where. Most recently, in January the Second Circuit Court of Appeals denied a rehearing of the case, which left the Supreme Court as the only option.

Now, at the very last minute – and after two extensions – the DoJ has decided it wants to take the case to the Supreme Court to be decided once and for all.

Microsoft, as well as the other technology companies that have been anxiously watching the proceedings and filing amicus briefs, were surprised, because they had thought that the federal government had agreed with some lower courts that the real solution was a legislative one. This would most likely involve updating the 1986 Electronic Communications Privacy Act and the Stored Privacy Act on which the case was based.

Indeed, Sen. Orrin Hatch (R-Utah) (who is, incidentally, third in line to become President) put forth legislation last year, the International Communications Privacy Act, which has languished since then. A legislative solution could solve a number of current problems, including making it easier to request such data from foreign governments.

In addition, a new law, the General Data Protection Regulation, governing this issue is also scheduled to take effect in Europe next year. “In less than one year, a new European data protection law will go into effect,” writes Brad Smith, Microsoft’s president and chief legal officer, in a blog post. “Under that law – called the General Data Protection Regulation – it would be illegal for a company to bring customer data from Europe into the U.S. in response to a unilateral U.S. search warrant.” Depending on how the Supreme Court rules, a vendor could find itself violating international law by following American law, or vice versa, he warns.

And the whole thing is predicated on treating digital data – by virtue of its accessibility – differently from other, physical, types of evidence, writes Karlin Lillington in the Irish Times. “If the desired evidence were concrete (say, paper documents) rather than digital, US authorities would have to use existing international law-enforcement agreements,” she writes.

A favorable Supreme Court ruling sets a dangerous precedent for the cloud computing industry, Lillington continues. “If the US government has the right to directly seize internationally-held data, then other countries will of course, expect the same right to in effect conduct international digital raids for American or other nations’ data, in the US or around the world, with near-impunity,” she writes. “This raises obvious data-protection, data-privacy, and surveillance concerns. It also completely undermines the whole concept of cloud computing – the movement and storing of data by organizations in international jurisdictions – and suggests businesses would have to run stand-alone operations and data centers in every geography in which they operate.”

Part of the problem is that while Microsoft has been prevailing legally, a similar, later case with Google was won by the government. In April, a federal magistrate judge in San Francisco denied Google’s attempt to quash a warrant seeking data stored abroad, writes Ben Hancock in Law.com. “It was at least the third such decision involving Google in as many months, and another magistrate judge in Florida in early April forced Yahoo to hand over data in a similar ruling.” Google, like Microsoft, prefers a legislative solution.

However, Google has also been using a different legal argument from the one Microsoft has been using, Hancock writes. “Microsoft argued that if authorities in New York wanted the email data in Ireland, all they had to do was go through a treaty process with Irish authorities,” he writes. “By contrast, Google has essentially argued—in part because of its practice of ‘sharing’ [he means “sharding” – he’s a lawyer, not an engineer] data into pieces spread across servers around the globe, for the purpose of network efficiency—that data stored outside the United States cannot be accessed by U.S. authorities or by authorities in any other jurisdiction.”

If the Supreme Court decides to hear the case, how the Court might rule is undetermined, particularly since there are a couple of new factors. First, the Court has a new member, so it can’t tie and not have its ruling used as a precedent. Second, the new member, Neil Gorsuch, is reportedly very conservative, even activist, according to the Los Angeles Times. Third, the rumor is that swing justice Anthony Kennedy is going to retire before the next session. All of these factors apparently make the government think it is more likely to prevail in this case, rather than waiting on the legislative solution — no matter the consequences.

June 28, 2017  6:40 AM

Micron Shuts Down Lexar

Sharon Fisher
Memory, Micron, Storage

New Micron CEO Sanjay Mehrotra, cofounder of SanDisk, who took over just in April, is apparently wasting no time: The company has shut down its primarily consumer Lexar division and is looking for ways to sell it.

“Micron Technology today announced that it is discontinuing its Lexar retail removable media storage business,” writes consumer products group vice president Jay Hawkins in a blog post. “The decision was made as part of the company’s ongoing efforts to focus on its increasing opportunities in higher value markets and channels.” Micron is “exploring opportunities” to sell all or part of the Lexar business, he continues.

Hawkins also didn’t say whether layoffs would be involved, though he did thank the Lexar team for its contributions. If Micron is pulling out of consumer products, one wonders how much longer he’ll be around, too.

Micron bought Lexar in 2006 but continued operating it as a separate division from the rest of the company, which sells its products to vendors. Lexar – which still has its own web pages up – was announcing new products as recently as February and March.

Interestingly, Lexar vice president and general manager Wes Brewer had written almost exactly a year ago about the use of storage in drones. With drones’ soaring popularity (sorry), it’s surprising that Lexar couldn’t find a way to make a go out of storage for the devices, or that Micron wouldn’t try to use Lexar as a way to get into that lucrative market.

Perhaps coincidentally, Micron is expected to announce its earnings on Thursday. Could it be that they’re going to be bad news and the company wants to either distract everyone or else make it clear that it’s addressing the issue?

And yet the majority of stock analysts believe that the company will beat its earnings projections. Micron stock has also been on a pretty steady upturn since FQ4’16, according to Estimize.

“Analysts expect Micron Technology, Inc to report a revenue of $5.41 billion, good for 86.6% YoY growth and 16% sequential growth,” writes Kumar Abhishek for Amigobulls. “On the earnings side, analysts expect Micron to report a non-GAAP EPS of $1.5, far higher than $0.02 loss per share the company had reported in the comparable quarter last year. Analysts estimates are in line with the company guidance for this quarter.”

“The third quarter is expected by analysts and by Micron management to be its most profitable quarter since 2013 and guidance for Q4 looks poised to be even better, almost exclusively on the back of a rebounding DRAM pricing environment,” predicts Kumquat Research in Seeking Alpha.

“The company reported modest second-quarter fiscal 2017 results,” writes Zacks Equity Research. “The top and bottom lines increased on a year-over-year basis, primarily due to pricing improvement in DRAM and NAND sales volume. We believe that the improving prices for DRAM and NAND chips make investors confident about Micron’s growth. Per various sources, the prices for these specific chips have improved primarily due to a better product mix optimization and higher-than-expected demand for PCs, servers and mobiles. We believe that any increase in prices will have a favorable impact on the company’s top line and the benefit is likely to flow down to the bottom line. The benefit from improved pricing was well reflected in the company’s last quarterly results. We anticipate these benefits to reflect in the to-be-reported quarter as well. Additionally, we are positive about the company’s strategy of enhancing its operating capabilities through acquisitions which are likely to boost its top-line performance.”

On the other hand, none of these rosy articles (even this gigantic one) even mention Lexar, instead focusing on Micron’s DRAM business. So perhaps the company is intending to focus only on its most profitable line. Let’s hope it doesn’t regret putting all of its chips into one basket.

June 19, 2017  12:04 PM

Pence AOL Email Costs State $100K

Sharon Fisher
Email, government, privacy, Security

Here’s another reason why politicians shouldn’t use private email accounts to conduct official business: It can cost your state $100,000.

This is reportedly what the state of Indiana is spending to hire people to deal with the backlog of Freedom of Information Act (FOIA) requests for former governor, now vice president, Mike Pence after it was ascertained that he used an AOL.com email address for official business.

“Emails released to IndyStar in response to a public records request show Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe,” wrote Tony Cook for the Indianapolis Star when Pence’s AOL account was revealed in March.

In May, a number of papers reported on the FOIA backlog. “The administration of Pence’s successor as governor, Eric Holcomb, entered a one-year contract last month with a Shelbyville firm, McNeely Stephenson, to handle the ‘unusually high’ number of requests, records show,” writes the Associated Press. “More than 50 such requests are pending.”

“A portion of the requests are generic and ask for emails related to state business sent or received by Pence,” write Cook and Kaitlin Lange in the Indianapolis Star, adding that the paper has two outstanding requests of its own. “Others have asked for emails from Pence’s personal account relating to the 2016 election, voter fraud and RFRA. Among those making requests were national reporters from the New York Times and Rewire, a publication that covers reproductive health issues.”

Interestingly, Lange and Cook report that the $100,000 is to be divided, with $30,000 to be paid in 2017 and the remaining $70,000 in 2018, indicating that the law firm doesn’t expect to respond to the requests soon. On the other hand, if the years are fiscal years rather than calendar years, fiscal 2018 would start on July 1, 2017, and that time period would be less surprising.

It is not clear why Pence chose to use a personal email account for some messages, such as whether he was trying to hide the messages from Indiana citizens, or simply used whatever email address was convenient. The official response was, “Similar to previous governors, during his time as Governor of Indiana, Mike Pence maintained a state email account and a personal email account. As Governor, Mr. Pence fully complied with Indiana law regarding email use and retention. Government emails involving his state and personal accounts are being archived by the state consistent with Indiana law, and are being managed according to Indiana’s Access to Public Records Act.”

At that time, the office released 29 pages of email messages from Pence’s AOL account, but declined to release an unspecified number of others “because the state considers them confidential and too sensitive to release to the public,” Cook writes.

Yes, the messages too confidential and sensitive to release to his constituents were sent using AOL. Oh, and it got hacked. “Pence’s account was actually compromised last summer by a scammer who sent an email to his contacts claiming Pence and his wife were stranded in the Philippines and in urgent need of money,” Cook writes. After that, Pence reportedly set up a different AOL account.

Aside from the security aspect, the private email account also raises troubling issues of government transparency, Cook writes. “Advocates for open government expressed concerns about transparency because personal emails aren’t immediately captured on state servers that are searched in response to public records requests.”

And while Indiana state officials are advised to copy or forward their email messages involving state business to their government accounts to ensure the record is preserved on state servers, there is no indication that Pence took any such steps to preserve his AOL emails until he was leaving the governor’s office, Cook adds, when he sent his staff with 13 cartons of printed email messages to the Indiana Statehouse to be archived. The law firm is trying to get digital access to the messages to speed up the public records response process, according to the AP.

As you may recall, Pence criticized Democratic presidential candidate Hillary Clinton for using a private email server for all of her email messages. “Pence fiercely criticized Clinton throughout the 2016 presidential campaign, accusing her of trying to keep her emails out of public reach and exposing classified information to potential hackers,” Cook writes.

But that’s different, Pence said. “There’s no comparison whatsoever between Hillary Clinton’s practice — having a private server, misusing classified information, destroying emails when they were requested by the Congress,” he responded in March to the Indianapolis Star article. “We have fully complied with Indiana’s laws. We had outside counsel review all of my previous email records to identify any that ever mentioned or referenced state business.”

Pence supporters also say that sending all messages through a private email server that one controls is not the same thing as sending some messages through a commercial email provider. One can argue the relative benefits and weaknesses of the two systems.

Good news, though: Pence has reportedly stopped using AOL since taking office as vice president.

June 13, 2017  2:29 PM

Amazon Unlimited Storage Goes Away

Sharon Fisher
Amazon, cloud, Storage

Sorry, kids. Amazon has decided to eliminate its unlimited storage plan.

Announced in March, 2015, the plan gave subscribers unlimited storage for $60 a year. While there have been a lot of storage price wars over the past few years, it was hard to beat unlimited.

Now, however, for $60 you get a terabyte. “If you currently have a paid Unlimited Storage subscription, you can continue to use your current subscription until the plan expires,” Amazon said. “At the end of your current plan, you will automatically be entered into a 1 TB plan if you have 1TB or less of content, unless you’ve disabled auto-renew on your current subscription.” (Which means, if you didn’t use your unlimited storage very much, you might want to check your plan and see how much money you can save now.)

If you already have more than a terabyte stored, Amazon will give you options for other pricing plans – basically, an additional $60 per terabyte per year, up to a limit of 30 terabytes. “If you have more than 1 TB of content stored, or if you’ve disabled auto-renew, you will not be automatically renewed. You will have the opportunity to select a new plan that covers your content needs by visiting Manage Storage.” You have six months (180 days) of being over quota before Amazon starts zapping your files, last first, to bring you under the limit.

It’s not like unlimited Amazon storage was necessarily great shakes anyway. People who used it when it was first announced two years ago reported on Reddit that it was slow and had an awkward interface. Hmm, almost as though they didn’t want to make it too easy to use for fear people would use it too much. Note that cloud storage companies that want to encourage people to use a lot of storage have been offering services where you could send in a hard disk drive, eliminating the upload delay problem.

Other companies that have tried to promise “unlimited” storage have also had to back down. Microsoft announced unlimited storage for OneDrive in 2014, backing off from it a year later.

The issue is that when people get the opportunity to do anything unlimited, the really heavy users come out of the woodwork, Jared Newman wrote in Fast Company in 2015. “Drawing on its knowledge of how people used traditionally priced, tiered storage services, the company had assumed it would see a fairly even distribution between lighter and heavier users,” he wrote. “Combined with ‘de-duplication’ technology that prevents redundant data from being stored more than once in the cloud, Bitcasa figured it could keep costs down and stay in the black. But after launch, the sheer demand from heavy storage users blew up those assumptions.”

Gleb Budman, CEO of BackBlaze at the time, told Newman that people consume five to 10 times more data when presented with an unlimited plan. And Microsoft reported that some of its customers were using up to 75 terabytes, he wrote.

“One particularly messy issue for storage providers is that they can’t weed out legitimate high-volume uses from those that violate their terms of service,” Newman pointed out. “If a user with an unlimited consumer-grade plan is backing up their business servers or running a homegrown streaming video service, the provider should be able to shut that down. But doing so would involve looking at the actual files, which would be a breach of privacy and may not even be possible if the data is encrypted.”

It isn’t clear whether the problem here is that people were abusing it; Amazon didn’t say why it had decided to discontinue the service. Some analysts, in fact, believe that this was Amazon’s plan all along – to attract people with low storage prices and then hope they’ll stay when the prices go up. “Remember, this is the consumer market; and while more technically advanced users may utilize a multi-cloud strategy, moving from one cloud to another is a daunting task for most, and one that most people will balk at. Imagine a customer who has 1.5TB stored on Amazon Drive, their propensity to move all that data, and any links, pointers, etc. that pointed to that data, is very small,” writes Neuralytix. “They are more likely to pay the extra $60/year to allow the data to remain at Amazon. Neuralytix believes that this was Amazon’s intent from the beginning, and we believe that they have executed their plan very well.”

In the meantime, all U.S. customers receive 5 GB of free storage for use with Amazon Drive and Prime Photos, and Prime members continue to receive unlimited photo storage as a benefit of their Prime membership, Amazon said. Also, photos taken with and uploaded to Amazon Drive from a Fire Phone or eligible Fire tablet are stored for free in an Amazon Drive, and Kindle personal documents stored in your Amazon Drive using Send to Kindle tools and services do not count against your Amazon Drive storage limit, the company added.

May 31, 2017  10:54 PM

E-Discovery Proportionality is Now a Thing

Sharon Fisher

There isn’t often much that’s new and different about e-discovery lately, but a lot of legal people are excited about a new word: proportionality.

Basically, proportionality means asking for a reasonable amount of electronic documents in the context of the legal case you’re fighting – the don’t-use-a-sledgehammer-to-swat-a-fly theory. And, expectedly, the reason it’s coming up is that in some legal cases, people weren’t being proportional, and as we’re reaching the 18-month anniversary of implementing the proportionality rule, judges are calling them on it.

Of course you remember that proportionality came up during the most recent revision to the Federal Rules of Civil Procedure, which were modified in 2006 to support electronic discovery and enhanced in 2015, taking effect on December 1. Proportionality had actually been a thing in regular paper discovery, but of course when it’s so easy to say “Give me every piece of email for the past 20 years,” it was much more critical in the age of e-discovery, when it was being used for fishing expeditions. But it’s taken until now for the legal profession and the courts to really start sinking their teeth into the whole proportionality thing.

“Within days of its enactment, amended Rule 26(b)(1) began being utilized and referenced in opinions,” write H. Christopher Boehning and Daniel Tahl in the New York Law Journal. “Dozens of courts have cited to the amended Rule and many have conducted a proportionality analysis,” they write. “One court even noted that ‘proportionality has become the new black, in discovery litigation, with parties invoking the objection with increasing frequency.’ Some of these early decisions underscore that judges are now focused on proportionality when deciding whether to grant or deny motions to compel discovery.”

Boehning and Tahl went on to describe three recent cases where judges had thrown out e-discovery requests for being overly broad – or, in other words, not proportional. For example, in one case, judges found that complying with an e-discovery request could involve a search of “as many as a million pages” and a review of potentially “200,000 pages” to result in a small number of documents, the court writes.

At the same time, simply saying that a request is not proportional is not a Get Out of Jail Free card for defendants, writes Michael Miles for the American Bar Association. “Defense counsel must be prepared to demonstrate why it is not proportional,” he writes. “This will require a thorough understanding of both the claims asserted—to show how the discovery at issue is not significant to resolving the case—and the available sources of information to potentially offer less burdensome alternatives. A plaintiff may not be entitled to a full search of all electronically stored information where a simple interrogatory would suffice.”

Instead, courts are supposed to take six factors into consideration when deciding whether an e-discovery request is proportional, according to Kristien Jones in the National Law Review.

  1. How much will getting the information cost, compared with how valuable it is to the case?
  2. The information should come from the easiest place.
  3. If the party’s own actions are what’s making the request burdensome, that should count against them.
  4. There needs to be actual evidence that the data is needed, not just assertions.
  5. There’s more to determining whether something is burdensome than money – staff and IT are also factors.
  6. Parties should consider using automated tools to make the job easier.

Meanwhile, get ready: there’s a new batch of e-discovery rules planned for this December.
