Yottabytes: Storage and Disaster Recovery

December 26, 2018  10:12 AM

eDiscovery Year in Review 2018

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

eDiscovery is kind of a funny thing. Every few years, the rules governing it change, but it takes a couple of years after that to see the effect, based on case law.

As you may recall, a new set of rules for the Federal Rules for Civil Procedure (FRCP) took effect in December, 2015. (That was after the original set, in 2006.) These included a number of amendments intended to streamline the preliminary steps of the legal process by as much as half. Several other amendments reduced the number and length of depositions, requiring more specificity in objections, and required that participants consider proportionality — basically, be reasonable in their e-discovery demands.

So, how are they working out?

Sadly, Gibson Dunn has not yet released its frighteningly complete set of ediscovery case law for 2018. Nonetheless, there are still some conclusions that can be made. (Heck, iDiscover released its Top 5 eDiscovery Trends for 2018 in August.)

  1. It’s still possible to get ginormous sanctions for having the court believe that you’re withholding documents. In Klipsch Group, Inc. v. ePRO E-Commerce (2d Cir., Jan 25, 2018), the company allegedly spoiled discoverable information, writes Michael Hamilton in Legaltech News. “Namely, the defendant:
  • Failed to place adequate legal holds on electronic data including emails;
  • Did not disclose 40,000 relevant sales documents; and
  • Manually deleted thousands of files and emails,” he writes.

As a result, the company was slapped with a $2.7 million fine. To add insult to injury, it was only a $20,000 case to begin with!

  1. The legal system is still trying to figure out the nuances of technology-assisted review (TAR), or the notion of using artificial intelligence to help weed out documents in eDiscovery. In particular, the current question is whether that needs to be disclosed, writes Casey Sullivan – a really funny guy — in the Logickull blog. “If you are going to use robots to ‘review’ documents without actually having a human being put eyes on them, do you need to disclose this to the other side beforehand?” he writes. “It’s a debate that still rages with staunch proponents on either side — the human sides (the robots don’t seem to care) — which came to light most recently, with a side of dry, English wit in Triumph Controls UK Ltd & Anor v Primus International Holding Co & Ors[2018] EWHC 176 (TCC) (07 February 2018).”

In response to figuring out the nuances, some courts are going into voluminous detail, Sullivan writes. “In Re Broiler Chicken Antitrust Litigation, 1:16-cv-08637 (N.D. Ill. Jan. 3, 2018) has been hailed as the ne plus ultra of TAR protocols, with eight pages of exacting detail that appear, at least to some, as the ultimate means to avoid further TAR disputes,” he writes. “Yet, to others, the very precision of the In Re Broiler Chicken protocol is the precise reason that it will be the sine qua non cause of endless discovery disputes.” But the case did have one advantage, he adds. “The one thing that we can know at this time is that the case certainly has been the cause of endless and endlessly awful chicken-related puns, a temptation which we will, perhaps surprisingly, ourselves resist (if only because that it’s just too… easy).”

  1. Courts are still learning to figure out how eDiscovery relates to social media, texting, and other communications systems, especially for ones intended to be ephemeral. If a company (or a government) is using an app that automatically destroys messages, is that just good document hygiene or a way to evade detection? And just how long do you need to keep texts and social media posts around, anyway?

In the case high-profile Waymo v. Uber Technologies, Uber used ephemeral apps to quickly erase any messages they made, writes Victoria Hudgins in Legaltech News. “Waymo claimed Uber used the apps to minimize its paper trail,” she writes. “[U.S. District Judge Xavier ] Rodriguez said the case questioned when companies can circumvent the duty to preserve and if there’s a duty to preserve messages in message-deleting apps. If companies allow employees to communicate through a message-deleting app about a product at issue, they must ensure the messages aren’t deleted, Rodriguez advised.”


December 11, 2018  9:46 AM

End of an Era: BackBlaze Switches Out Its 3 TB Hard Disk Drives

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Backblaze, Backup, Storage

It’s always interesting to read about how the BackBlaze backup service is doing with its hard disk drives. Like companies such as Facebook and Google, it uses so many hard disk drives that it ends up stripping off extraneous parts and building its own structures with them. But because the company is so much more forthcoming than Facebook or Google about what it’s doing, it’s a lot more instructive to the industry. It’s fun – if you’re a certain kind of person, anyway – to read over the years of BackBlaze reports as they migrate from 2 TB to 3 TB and on up to 12 TB hard disk drives.

As you may recall, BackBlaze used to use “pods” of 45 hard disk drives, but a year or so ago started using “vaults” made up of up to 20 even bigger “pods,” each of which hold up to 60 hard disk drives. Gradually, as time goes on, the company replaces the hard disk drives in each of those structures as technology improves. The result is that the capacity of the pods and vaults keeps going up over time.

BackBlaze also uses commodity hard disk drives rather than the latest and greatest bleeding-edge technology, not only because it’s cheaper but because it’s easier to get in large quantities. Because the company works with such large quantities of a single model of hard disk drive, that makes it easier for them to  calculate longevity and failure statistics than if they had a whole lot of different models.

At this point, BackBlaze has now migrated out the last of its 3 TB hard disk drives, and its most popular hard disk drive is now 12 TB. Seems like only yesterday that it was talking about testing 6 TB hard disk drives, but that was actually back in 2014. Time flies. Similarly, the company plans to upgrade all its 4 TB hard disk drives to larger capacities over the next couple of years.

So, what else is new with BackBlaze?

  • It now has 99,636 hard disk drives – 1,866 boot drives and 97,770 data drives. That’s 584 fewer drives than last quarter, but because of the larger sizes, it’s actually added 40 petabytes of storage, because the company replaced 3 TB, 4 TB, and some 6 TB drives – all about four years old — with 3,600 new 12 TB drives. In fact, it has more 12 TB hard disk drives – in this case, a Seagate one – than any other model, with 25,101.
  • The least reliable hard disk drives during the quarter – that is, the ones with the highest percentage of drive failures – are 6 TB Western Digital drives, with a failure rate of 4.64 percent. Several hard disk drives, including 4 TB from Hitachi, Toshiba, and Western Digital, 5 TB from Toshiba, and 12 TB from Hitachi, haven’t failed at all during the quarter. (Though, to be fair, the 12 TB Hitachi hard disk drives were in service only nine days during that quarter, BackBlaze points out.)
  • The least reliable hard disk drives that the company is still using are also the 6 TB Western Digital ones. Other than the new 12 TB Hitachi ones, the most reliable drives are 4 TB Hitachi ones. Incidentally, the company’s overall failure rate is 1.71 percent, which it said was the lowest it had ever achieved.

As always, BackBlaze makes its full data set available to people who want to play with it. “All we ask are three things,” the company writes. “1) you cite Backblaze as the source if you use the data, 2) you accept that you are solely responsible for how you use the data, and 3) you do not sell this data to anyone. It is free.”

Does this all mean that the models that work well for BackBlaze will work well for you, too? Not necessarily. Obviously, hard disk drives kept in pods or vaults are much more heavily and steadily used than an everyday hard disk drive for home use or even for a company. But it’s a good way to bet. The results you get might be different, but in general, a hard disk drive with a failure rate of 4 percent isn’t likely to work out as well as a hard disk drive with a failure rate of 0.5 percent.

Disclaimer: I am a BackBlaze customer.

December 4, 2018  12:33 AM

Yes, E-Discovery Day is Apparently a Thing

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

What with World Backup Day, Electronic Records Day, Ask an Archivist Day, and Sysadmin Day, I suppose it’s no surprise that there’s an E-Discovery Day. Incidentally, it’s Tuesday.

There was, apparently, some controversy about when to schedule E-Discovery Day this year. Typically scheduled on December 1, that date fell on a Saturday this year, so it was moved to December 4. Why a Tuesday and not a Monday? Organizers didn’t say.

(Why it’s December 1 in the first place isn’t specified, either. In comparison, March 31’s World Backup Day is the night before April Fool’s Day, presumably in case someone loses data due to a puckish prank, while Electronic Records Day is October 10 so it can be 10-10 to symbolize digital data.)

Like those other days, E-Discovery Day is sponsored by a number of vendors and organizations that could be said to have some investment in the technology. That said, promoters swear that the list of webcasts scheduled for the day are informational and not sales promotions. And some of them actually sound interesting, such as how GDPR will affect e-discovery, controversial issues in e-discovery, and people’s e-discovery wish lists.

(To judge by the list of in-person events, one of the things e-discovery professionals like to do is drink. About half of them are happy hours in various cities.)

Naturally, there’s a Twitter feed and even an Instagram page, but, oddly, no Facebook page.  And, notably, some of the webinars and in-person events count for continuing legal education (CLE) credit, for people who need to worry about such things. There is also, apparently, a Women in E-Discovery organization – TIL – as well as an Association of Certified E-Discovery Specialists. I was crushed and dismayed, however, to get a 404 on the latter’s page that was supposed to contain “E-Discovery Day themed E-Cards, badges, and memes.”

In any event, E-Discovery (not EDiscovery, though things like the Twitter feed drop the hyphen) Day, which has been going on for four years now, is intended to raise awareness of the critical issues surrounding E-Discovery, as well as, like the other days,  providing a focal point for discussion. “More e-discovery in one day than the rest of the year combined,” notes the event’s web page.

“All too often, e-discovery professionals operate in the background,” the webpage notes. “Hot-shot litigators argue cases in court. Judges command attention from the bench. Even IT security pros and hackers get occasional headlines when a there’s a data breach. In 2015, we decided that enough was enough. E-Discovery plays a critical—and growing—role in the legal process. After all, organizations spend almost $10 billion per year on e-discovery services. To get e-discovery, and the hard-working professionals who make it happen, the attention they deserve, we established E-Discovery Day.”

The event seems to have ramped up this year, which is especially interesting because the market itself seems to have slowed; Gartner doesn’t even seem to produce a Magic Quadrant for E-Discovery any more. Up until now, the event had accumulated a total of 37 webcasts and 20 live events later. Just this year, there’s 19 webcasts and 14 live events, as well as 25 supporting organizations, compared with 15 online webinars and 13 in-person events around the United States last year.  “E-Discovery Day 2018 will certainly eclipse last year’s record of over 3,000 participants attending live and online educational events” is undoubtedly true.



November 30, 2018  10:07 PM

Another Shoe Falls as Autonomy CEO is Indicted

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Autonomy, HP

Okay, I know I just wrote about Autonomy earlier this month, but after months of silence, news is occurring again. The latest: former CEO Mike Lynch is being charged with conspiracy and fraud.

You have to agree that actual criminal charges make the whole situation a little more interesting.

The Department of Justice filed criminal charges on Friday against former Autonomy CEO Mike Lynch, accusing the British executive of misrepresenting the Autonomy’s finances in the lead up to the company’s $11 billion sale to HP in 2011,” writes Jonathan Vanian in Fortune.  If convicted, Lynch faces up to 20 years of prison and a $250,000 fine, he adds. In addition, the US wants to force Lynch to forfeit $815m of gains made from selling Autonomy, write Richard Waters  and Kadhim Shubber for the Financial Times.

Stephen Chamberlain, formerly vice president for finance, was also named in the indictment. Former CFO Sushavan Hussain was convicted on separate charges by a US jury of wire fraud in August, and faces up to 20 years in prison, according to the Guardian. He is appealing.

According to the court filings, Autonomy intended to make its quarterly earnings and stock price look good so that it would look like a good acquisition target, Vanian writes. It did this by backdating sales, not mentioning contingencies, lying to auditors and analysts, and intimidating, pressuring, or paying off employees and analysts who questioned the company’s financial practices, he explains.

Altogether, the indictment includes one count of conspiracy and 13 counts of fraud, as well as 28 instances in which former Autonomy executives are alleged to have issued false statements, Waters and Shubber write.

Attorneys for Lynch continued to say what the company has said all along – that it boils down to a difference in accounting practices between the US, where HP is located, and the UK, where Autonomy was located.

Waters and Shubber also gave us a chance to see what Lynch has been doing over the past few years aside from responding to lawsuits and filing some of his own. For example, he now invests in startups, In addition, “Mr. Lynch is a member of the UK government’s Council for Science and Technology, which advises the prime minister, and also a fellow of the Royal Society. His past roles have included board positions at the BBC and the British Library. He was made an officer of the Order of the British Empire in 2006.” Lynch resigned from the board of one of the startups and from his advisory position after the charges were filed, according to the Telegraph UK.

Interestingly, Hussain and several other unnamed former Autonomy officers were also invested in the same startups, which led some to suspect that this was to keep them from testifying, writes the Irish Times (which made a point of noting that Lynch had been born in Ireland).

Hussain sold about $4 million in startup shares to Lynch, and plans to sell him more, the Times writes, noting that prosecutors felt Lynch was overpaying for them.

“’It would appear that Mr Lynch is paying a ridiculously high dollar value’ for shares Hussain sold him, ‘raising questions’ about the purpose of the transactions,” the Times writes.

“The government argues that Mr Lynch’s reassembling of his Autonomy inner circle at the new firm, including Hussain, isn’t illegal by itself but may have created financial relationships that prevented some of those people from coming forward as witnesses,” the paper writes. “’Where the same circle of participants who defrauded Autonomy’s investors, HP, and HP’s investors are all reliant on the wealthiest of the co-conspirators, the government has legitimate concerns about hush money,’ prosecutors said in a court filing.”


November 24, 2018  2:44 PM

Law Enforcement Asking for Google Cellphone Data Near Crimes

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Security

Should law enforcement be able to get a search warrant for your phone just based on the fact that you happened to have been near the vicinity of a crime?

So far, the courts are saying yes.

Cellphone location data has been a big deal lately, with cases such as Carpenter limiting the sort of data that law enforcement can get from cell towers, which store location information from phones on a regular basis even if the phone isn’t being used (and even, apparently, if you turn location data off).

This is different. This involves law enforcement finding the location of a crime scene, and saying, okay, Google, please give me anonymized data for all the phones that were near that location for a particular time period. Based on what the phones have been doing, law enforcement can then ask for more detailed—and not anonymized–data about specific phones.

“On a satellite image, they drew shapes around the crime scenes, marking the coordinates on the map, “ writes Tyler Dukes for WRAL, which did an extensive report on such efforts in North Carolina. “Then they convinced a Wake County judge they had enough probable cause to order Google to hand over account identifiers on every single cell phone that crossed the digital cordon during certain times.”

After that, law enforcement would narrow down the list, Dukes writes. “Detectives wrote that they’d narrow down that list and send it back to the company, demanding ‘contextual data points with points of travel outside of the geographical area’ during an expanded timeframe. Another review would further cull the list, which police would use to request user names, birth dates and other identifying information of the phones’ owners.”

It’s only at that point that law enforcement could then ask for specific information such as email messages or cellphone numbers, Dukes writes.

Similar efforts have happened in Virginia and Maine, writes Thomas Brewster in Forbes.

To history and legal nerds, this sounds like a general warrant, the sort of thing that English Kings did that led to the creation of the Fourth Amendment in this country. One expert noted that in some cases, there wasn’t even any evidence that the criminals in question had cellphones.

“In those cases, the evidence provided to establish probable cause seems very thin to me,” one law professor said. “These amount to fishing expeditions that could potentially snare anyone in the vicinity with a cell phone, whether they were involved in the crime or not.”

“To just say, ‘Criminals commit crimes, and we know that most people have cell phones,’ that should not be enough to get the geo-location on anyone that happened to be in the vicinity of a particular incident during a particular time,” another expert noted.

The distinction between this and the cellphone tower data referred to in Carpenter is that the Google data is much more precise, Dukes writes.
Another distinction is that there has been a gag order on these, which means that nobody – – including people who might be under suspicion due to their proximity to the cases—knows that they’re being investigated, Dukes writes. That also makes it difficult for journalists to research them, he adds.

Last year’s Supreme Court – – even before Kavanaugh was added – – ruled 5-4 that ”Tower dumps” of cellphone location were legal, so unless that changes, it’s likely that “Google dumps” of location data may be found acceptable as well. Assuming, of course, that such a case would even make it to the Supreme Court in this political climate.

November 19, 2018  8:49 PM

Another Case of ‘Alexa, How Do I Hide a Body?’

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Amazon, ECHO, government, privacy, Security

A judge has ordered Amazon to turn over any recordings that an Amazon Echo device may have made during a three-day period when two women appear to have been killed in the home.

Timothy Verrill is accused of killing Christine Sullivan and her friend Jenna Pellegrini in Sullivan’s home over suspicions that they were informing police about an alleged drug operation, writes Meagan Flynn in the Washington Post.

Amazon is resisting the judge’s order, saying that it will not release customer information without a “valid and binding legal demand properly served on us,” according to a company spokesman, who didn’t describe exactly what that meant. “Amazon objects to overbroad or otherwise inappropriate demands as a matter of course,” the spokesman continued.

This was all in mid-November, so it isn’t clear yet what’s going to happen.

As you may recall, there was a similar incident a couple of years back, when a person was accused of murder when a person was found dead after a party at his home. In that case,  prosecutors, wanting to know whether the Amazon smart speaker in the room had heard anything, obtained a search warrant, signed by a judge, requesting all audio recordings, transcribed records, text records and other data’ from the person’s Echo speaker.

The upshot is that the owner of the home, and the Echo speaker, eventually gave permission for the recordings to be released, and the prosecutor ended up dropping the case because there were too many possible other options for how the person had died, writes Nicole Chavez for CNN.

As with the previous case, it’s not like the murderer asked, “Alexa, how do I hide a body?” Instead, it is hoped that in the process of performing its normal functions, the speaker happens to record some useful sounds in the process. “Prosecutors believe there is probable cause to believe there is evidence on the Echo, such as audio recordings of the attack and events that followed it,” court documents said.

The phrase “probable cause” is significant, writes Travis Anderson in the Boston Globe. “Mason Kortz, a clinical instructor at the Harvard Law School Cyber Law Clinic at the Berkman Klein Center for Internet & Society, said it’s telling that Houran used the probable cause standard, which is the ‘highest standard for electronic searches,’ in weighing the government’s request to obtain the Echo speaker data,” he writes. “The use of that standard, rather than the lower reasonable suspicion standard that applies for other types of searches, shows Houran is ‘taking seriously the fact that there is a privacy interest that falls under the scope of the Fourth Amendment constitutional right against unreasonable search and seizure,’ Kortz said.”

The other interesting nuance about this case is that law enforcement is interested in “any information identifying cellular devices that were paired to that smart speaker during that time period,” according to the search warrant. Echo devices offer Bluetooth capability to enable users to play music from services such as iTunes or Google Play Music using a cellphone or tablet.

Exactly what law enforcement thinks might be on there or what information a cellphone might provide isn’t clear, and lends credence to the notion that this is either a fishing expedition or, as with the previous incident, law enforcement personnel who aren’t particularly technical. Perhaps they’re simply trying to find out if there’s any other cellphones that need to be examined for calls – for which, presumably, they’ll need yet another search warrant.

Interestingly, family members of the murdered women said they were upset about this – in one case because they learned about it from the newspaper, and in another case because they said they had informed law enforcement of the devices when the murder first happened, and they wondered why it had taken law enforcement two years to get around to it.

Naturally, this has led to another batch of paranoia that Alexas, smart televisions, and other devices are secretly listening to us and storing our conversations. “And what of the audio recordings they think might possibly be on the device,” writes Jazz Shaw on Hot Air. “Unless one of the victims cried out for Alexa to call 911 while they were being killed, the Alexa isn’t supposed to be listening or recording anything right? All I’m saying is that I’ve never believed that these digital servants are as inert as the manufacturers claim they are when not in use. How would they hear you say ‘Alexa’ and wake up if they weren’t already listening?”

Eventually, companies such as Amazon and Google that make such devices may end up installing a code or fingerprint on them that would make it more difficult for law enforcement to gain access to any recordings, Anderson writes.

The case is set to go to trial in May.

November 13, 2018  10:09 AM

The HP-Autonomy Merger Officially Sucks

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Autonomy, HP

Well, it’s official. The 2011 acquisition of Autonomy by Hewlett-Packard was the sixth-worst corporate merger and acquisition of all time.

That’s according to CB Insights, which recently generated a list it called Fools Rush In: 37 Of The Worst Corporate M&A Flops.Mergers and acquisitions are one of the most important ways a big corporation can stay competitive — when they work out,” the company writes, inspired by the recent Sears-Kmart debacle. ”Unfortunately many of these marriages don’t always make it. Below, we look at some the worst mergers and acquisitions undertaken by large corporations, and how the good times went bad.”

(Why 37? It didn’t say. They’re fans of prime numbers, maybe?)

“Chairman and CEO Leo Apotheker, during his brief time in charge at HP, backed the company’s $11.1B acquisition of Autonomy, a European data analytics company,” writes the company. ”Aside from baffling industry experts as to how the new company would fit into HP’s strategy, it came out in 2012 that Autonomy had cooked its books and had been massively overvalued during the acquisition. With Apotheker fired in 2011 for a slew of missteps that had contributed to the company’s massive losses, nothing ever came of the acquisition. Instead, Autonomy’s purchase was written down as a $9B loss and in 2016 HP sold off their Autonomy assets.”

It all started in August 2011, when HP took part in an industry-wide effort to acquire e-discovery vendors, using the Gartner Magic Quadrant “Leaders” quadrant as a shopping list. Symantec had acquired Clearwell, Autonomy itself had acquired Iron Mountain, and several other acquisitions took place over the next couple of years.

But Autonomy was considered the big fish, and the price tag proved it. Opinion at the time was that HP was aiming to follow IBM’s trajectory of moving from hardware to software and services, and while the Wall Street Journal noted that that wasn’t easy, the general consensus was that HP had made a wise purchase, though some did express unease at the high price tag.

However, it didn’t take long for the bloom to come off the HP-Autonomy rose. Little more than a year later, in November 2012, HP was forced to write off $8 billion of the acquisition due to what it said were accounting irregularities. By then, Apotheker himself was gone, and new CEO Meg Whitman was doing her best to pick up the pieces. And despite the praise of the acquisition a year before, suddenly there were all sorts of analysts coming out of the woodwork talking about how they’d said all along that HP had paid too muchand hadn’t done its due diligence.

While HP considered selling the beleaguered company, that didn’t happen. Instead, HP itself ended up splitting up.

Then the lawsuits began.

They started with a shareholder lawsuit, which HP settled in 2015 for $100 million.

Most recently, the former Autonomy CFO, Sushovan Hussain, was found guilty in May on 16 counts of wire and securities fraud. And there’s more. HP also has a $5 billion civil suit scheduled to go to trial in London in 2019, a countersuit by former Autonomy CFO for $160 million, and an appeal by Hussain.

All in all, it looks like the only people who ended up making money on the HP-Autonomy deal were the lawyers. And maybe the accountants, since so much of this seems to hinge on accounting, especially the differing accounting methods used in the United States and the United Kingdom.

HP and Autonomy weren’t the only technology merger to make the list. In fact, many of the mergers on the list were technology companies, including Microsoft-Nokia, Google-Nest, Yahoo!-Tumblr, Zynga-OMGPOP, and Google-Motorola.

October 31, 2018  7:18 PM

An Incredibly Gnarly Legal Encryption Discussion

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Security

New news in the world of whether you can be forced to decrypt your phone by law enforcement.

As I wrote in May 2017:

As you may recall, the whole issue boils down to how a device is encrypted. Traditionally, courts have ruled that you can be compelled to give up something you have, such as your fingerprint, which is used to encrypt your phone, but you cannot be compelled to give up something you know, such as a password. That’s because simply admitting you have the correct password on a particular encrypted phone or other storage device could be considered self-incrimination.”

There’s been discussion and some case law recently about the self-incrimination part that looks like it will change. Because encryption is so common, the reasoning goes, it should be okay for law enforcement to force someone to decrypt their storage, if it is obvious that it belongs to the person. But law enforcement can’t use the mere fact that someone knows the password as evidence of guilt, that theory goes. (By the way, if you start researching this issue, there’s a commonly cited case, Fisher v. United States. It ain’t me.)

In a recent case, Judge Charles Breyer in the Northern California District Court ruled that a defendant, Ryan Spencer, did have to provide the encryption key for several devices in his home that law enforcement alleged contained child pornography, because it was a “foregone conclusion” that they were his, since they were in his home and he said they were.

In other cases, the “foregone conclusion” that had to be met was that the files law enforcement was looking for was on the encrypted devices, which was a much higher bar. However, the judge wrote, law enforcement wasn’t looking for a particular file; it was looking to decrypt the entire device.

“Turning over the decrypted devices would not be tantamount to an admission that specific files, or any files for that matter, are stored on the devices, because the government has not asked for any specific files,” Breyer writes. “Accordingly, the government need only show it is a foregone conclusion that Spencer has the ability to decrypt the devices. That the government may have access to more materials where it seeks a hard drive through a search warrant than it would have had if it sought specific files through subpoena is simply a matter of the legal tool the government uses to seek access. To the extent Spencer contends that the government has not adequately identified the files it seeks, that is an issue properly raised under the Fourth Amendment, not the Fifth.”

Does it seem unlikely to you that someone could know the password and yet not know what files are on the device? People could have files saved to their devices by other people in the household, other people who have remote access to it, or even by hackers. “I happen to know the passcode to my sister’s smart phone,” writes Orin Kerr in a forthcoming paper in the Texas Law Review on the subject. “I learned it at a family event when I wanted to use her phone to google something. I asked her for the passcode, and she told me. If the government obtained a court order requiring me to enter in the password, I could comply with the order because I know the password. But critically, I have no idea what files are stored in my sister’s phone. The only thing I know about my sister’s phone is its password. Unlocking the phone would admit I know the passcode, but it wouldn’t admit that I know what is on the phone. Because I don’t.”

The upshot of it all is that law enforcement may be able to force people to decrypt their drives, but not use the fact that he was able to do so as evidence of his guilt, Breyer writes. “Once Spencer decrypts the devices, however, the government may not make direct use of the evidence that he has done so,” he writes. “If it really is a foregone conclusion that he has the ability to do so, such that his decryption of the device is not testimonial, then the government of course should have no use for evidence of the act of production itself.”

Well, that’s something. In other words, they can’t have it both ways – if they’re going to say it’s a “foregone conclusion” that they’re his drives, they then can’t turn around and say it’s a surprise to them that he has the password.

And this stuff gets incredibly picky. In an amicus brief Kerr recently wrote, he lays out the distinction between a person giving law enforcement a password, vs. entering the password without law enforcement seeing it.

The reason this is all being discussed is that it’s a change. In 2013, for example, the Electronic Frontier Foundation and the American Civil Liberties Union submitted an amicus indicating that this kind of compelled decryption was a violation of someone’s Fifth Amendment rights. Basically, encryption is now common enough that simply knowing the password can’t be seen as incriminatory.

That’s not to say that the Fifth Amendment is never a protection against giving out passwords, Kerr notes. “Imagine the government obtains a search warrant to search a home for computer-stored images of child pornography,” he writes. “The home has three residents. The search yields one computer, and that computer has an encrypted hard drive that requires a password to use. Further assume that investigators have no evidence about which resident owns or uses the computer. In an effort to bypass the encryption, investigators obtain court orders requiring each of the three residents to enter the password. In such a case, each resident would have a valid Fifth Amendment privilege against complying with the order.”

In addition, hidden files, hidden volumes, and files that are themselves encrypted on the disk could also be protected under the Fifth, Kerr writes.

October 26, 2018  9:03 AM

Who Owns Your Car’s Data? Hint: It Isn’t You

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Automobile, car, privacy, Security, Storage

We’ve talked before about data storage on cars – why it’s important to delete it and how it’s going to be stored. But there is a more fundamental question to be discussed: Who owns it?

The Auto Care Association, an industry trade group, recently conducted a survey finding that 86 percent of consumers said vehicle owners should have access to driver and vehicle data, also known as telematics. Additionally, the survey found 88 percent of consumers believe a vehicle’s owner should decide who has access to this data.

However, that isn’t always the case, the association warned.

“Each year, vehicles get ‘smarter’ and infused with telematic technologies, which enable real-time, wireless transmission of information related to driving behavior, such as steering, acceleration and braking; and vehicle health, including fuel use, emissions and engine hours,” the organization writes. “However, as this technology has advanced, vehicle manufacturers are gaining exclusive access to vehicle data at the expense of consumers.”

As an example, the organization notes, remote diagnosis of vehicle problems is one of the primary selling points of telematics. “However, as of today, only vehicle manufacturers can take advantage of this information,” the organization writes. “As a result, vehicle owners have little to no choice when it comes to servicing their vehicle.”

The survey found 71 percent of respondents incorrectly assumed that the vehicle owner has access to driver and vehicle data, which was greater than the percentage of respondents who assumed the vehicle manufacturer and the dealership have access to this data (59 percent and 44 percent, respectively). And nearly half of respondents (45 percent) incorrectly believed that vehicle owners own their car’s data.

This is increasingly going to become an issue as cars become more automated, particularly as they become autonomous. Do you want your car reporting to your health insurance company how often it takes you to McDonald’s? Should auto manufacturers be able to sell your travel data to advertisers who can market businesses along your route? Will law enforcement use the concept of third-party doctrine to say it doesn’t need probable cause to get access to all your car’s data?

“By monitoring his everyday movements, an automaker can vacuum up a massive amount of personal information,” writes Peter Holley in the Washington Post.  This includes “everything from how fast he drives and how hard he brakes to how much fuel his car uses and the entertainment he prefers. The company can determine where he shops, the weather on his street, how often he wears his seat belt, what he was doing moments before a wreck — even where he likes to eat and how much he weighs.” In particular, he notes, health data collected by a non-health provider isn’t covered by the federal privacy rule known as HIPAA.

And automotive data has the potential to be a big market. “A 2016 white paper from industry research and consulting firm McKinsey projects a $450 billion to $750 billion industry for automotive data by 2030,” writes Jeff Plungis in Consumer Reports.

This is all part of a campaign by the Auto Care Association called Your Car, Your Data, Your Choice, intended to raise awareness of this issue. And to be sure, they have their own ax to grind. The organization represents 533,000 businesses in the auto care industry, including independent manufacturers, distributors, repair shops, marketers, and retailers – all of whom are afraid that they’re going to be locked out of this data by auto manufacturers in the future, and threatening their livelihood.

“By 2020, more than 90 percent of new cars will transmit real-time information about the owner’s driving behavior and the vehicle’s condition,” the organization writes. “More than 80 percent of car owners think that they should have control over their data. 93 percent of auto industry employees think car owners should control their own data.” And, to get to the crux of the issue, “90 percent of car owners think they could save more money by visiting an independent repair shop.”

According to the organization, it is trying to negotiate a settlement with automakers, who have reportedly proved recalcitrant. “Absent an agreement, the only apparent solution for ensuring consumer control and access to data is legislation, which we are actively working on via our government affairs department, our coalition partners and more,” the organization writes.

How well that’s going to work, in an administration that has thus far been more interested in protecting large companies than small ones, is going to be an interesting question.

October 23, 2018  9:12 AM

How Did You Celebrate ‘Electronic Records Day’?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

So apparently Electronic Records Day is a thing. Who knew? In fact, it’s been going on for seven years. I knew about Ask an Archivist Day (which, this year, was celebrated October 3). Actually, they’re both part of American Archives Month, which is observed the entire month of October, though Electronic Records Day – this year observed on October 10 — is inexplicably missing from the American Archives Month calendar, which seems like an odd mistake for archivists to make. And just how many celebratory days and months do archivists need?


Unlike Ask an Archivist Day, which appears to be the first Wednesday of October, Electronic Records Day is always observed on October 10. Or 10-10. Like, bits and bytes. Get it?

Archivists are a funny bunch.

The purpose of Electronic Records Day is to share information managing state digital resources and to enlist help in preserving electronic records. But just because it’s intended for state records doesn’t mean you can’t use it for your personal and corporate digital resources as well. And although Electronic Records Day is already gone and past, the information that was generated and promoted about it is still around, and that’s actually got some pretty useful storage tips in it. A number of them were posted to Twitter using the hashtag #ERecsDay.

In addition, the Council of State Archivists (CoSA) held webinars in 2017 and 2016 about Electronic Records Day, and though they didn’t hold one on 2018, the older webinars are still available online. Because, you know, archivists.

This year, the Council of State Archivists generated a number of files – both in Word and in .pdf format, so that you could edit them if you wished – about electronic records topics, ranging from Electronic Government Records Overview to 10 Reasons for E-Records to Electronic Records Emergency Planning and Response to Why You Need More Than Backups to Preserve Records and so on. (Though I have to say, Word and .pdf? Don’t archivists frown on vendor-specific file storage formats?)

Electronic records awareness is important because increasingly government is moving to electronic records from paper ones. “Between 2006 to 2016, there was a 1,693 percent increase in state and territorial electronic records, according to a report published by CoSA,” writes Jared Beinart in StateScoop. “This increase has led to a 445 percent growth of electronic over paper records. ”There are, in fact, 1,371 terabytes of state and federal electronic records.

And as we all know about the “digital dark ages,” electronic records have …issues…compared with paper ones, especially in the context of preservation. But anyone who’s tried to get data off a ZIP drive lately knows the problem of incompatible formats, whereas we can still read things originally written on goat skins.

Actually, to look at the “10 reasons why we need to preserve electronic records” list, we might forget the actual advantages of electronic records. It’s easy to send electronic records around, and be able to read the information in them, they can store a lot of data in a small space, and they don’t get vermin. State archivists are still trying to encourage states to convert their paper documents to digital.

That also includes destroying them on a regular basis through a standardized retention schedule.

Sadly, Electronic Records Day doesn’t seem to generate the sort of sales and things that World Backup Day (observed on March 31) does, other than a single-day sale of 20 percent off on three digital records books. Perhaps next year. And in the meantime, we can Ask an Archivist (which, next year, should be October 2, though there’s no announcement about it yet) why Electronic Records Day isn’t listed on their calendar.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: