Yottabytes: Storage and Disaster Recovery

April 28, 2018  10:35 PM

Genetic Database Used to Identify Criminal

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Database, privacy, Security

Whether it was “ingenious” or “creepy” depends on which way you look at it, but the recent capture of the alleged Golden State Killer wasn’t the first time that law enforcement has used genetic databases to find criminals. However, it went further than police have done so before, and some people are concerned.

The so-called Golden State Killer was said to have been responsible for12 killings, 50 rapes, and 120 burglaries in 10 counties across California between 1976 and 1986. Police had obtained a DNA sample from a crime scene, and figured they would compare it with DNA samples in genealogical databases. In this particular case, law enforcement used the “open-source” site GEDmatch, as opposed to commercial sites that have been used at other times, such as Ancestry.com and 23andme.com.

But where to start? “The FBI created a database of DNA profiles in the 1990s, and police queued up to check their evidence samples against it, hoping that their suspect might be an ex-convict, or already imprisoned, or otherwise in the system,” writes Avi Salk in the Washington Post. “The method even allowed police to solve old cold cases — some of them initially investigated long before DNA testing existed. But the database was little help if the person tied to the DNA wasn’t already in it,” which was the case here.

First,  they selected people who lived in areas where the Golden State Killer struck. They then narrowed down their search to people who fit the same age and description. Finally, they compared the DNA sample with those people. They also obtained a DNA sample from a piece of trash from the suspect, and compared it with the DNA sample from the crime scene, to make sure it matched.

“The suspected Golden State Killer was not in this database, either, but it didn’t matter,” writes Selk in a different Washington Post article. “A distant relative of his was, police say, and that person’s DNA partially matched evidence related to the serial killer. Instantly, the pool of suspects shrank from millions of people down to a single family.”

Interestingly, unlike some other cases, law enforcement did not work with the database company, but simply used its resources. In fact, part of the reason that police used GEDmatch was that 23andMe and Ancestry have refused law enforcement requests, Selk writes, out of concern about false positives.  “Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses,” the company reportedly said in a statement.

GEDMatch is a free site where users who have obtained DNA profiles from commercial companies such as Ancestry.com and 23andMe can upload them to expand their search for relatives, according to CBS News, which added that an investigator told them that officials did not need a court order to access GEDMatch’s database of genetic blueprints. For example, it is also used to help identify remains, including murder victims, according to CBS News.

“If you are concerned about non-geneatological uses of your DNA, you should not upload your DNA to the database and/or you should remove DNA that has already been uploaded,” the statement from GEDmatch said. Well, yes. But how many people think of that sort of thing when they’re hoping to find relatives? How many of them will remember the places they’ve uploaded it to take it down now?

In fact, in response, some genealogists are reportedly making profiles on GEDmatch private, writes Sarah Zhang in The Atlantic. They fear that backlash from this case could make it harder for people trying to find family—or even police trying to find other suspects—in the future. The practice, known as familial DNA testing, is actually forbidden in some states. “A policy that implicates New Yorkers in a criminal investigation solely because they are related to someone with DNA in the state’s databank is a miscarriage of justice,” Donna Lieberman, the New York Civil Liberties Union’s executive director, told CBS News, which added that Maryland and the District of Columbia have banned it.

“People who submit DNA for ancestors testing are unwittingly becoming genetic informants on their innocent family,” Steve Mercer, the chief attorney for the forensic division of the Maryland Office of the Public Defender, told the Associated Press, adding that they “have fewer privacy protections than convicted offenders whose DNA is contained in regulated databanks.”

April 23, 2018  12:16 AM

Attorneys Speculate on E-Discovery Implications of Cohen Files

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
E-discovery, government

There’s one group of people that is really, really excited about the seizure of the potentially millions of legal documents associated with President Donald Trump: E-discovery people.

“Discovery nerds — and political junkies — are having a field day with the materials seized by the FBI’s raid of Trump Organization attorney Michael Cohen,” writes Kathryn Rubino of the Above the Law blog.

E-discovery is an issue because the seized materials include not only paper records, but electronic ones, write Benjamin Weiser and Alan Feuer of the New York Times. “The courtroom battle over what to do with the seized material came one week after federal agents, in an extraordinary move, descended on Mr. Cohen’s properties and walked away with 10 boxes of documents and as many as a dozen electronic devices, including cellphones and computer hard drives.”

(No word on whether any of the electronic devices are encrypted or otherwise protected by a fingerprint or a password. That would be an interesting wrinkle. Although, seriously, they should have been.)

In fact, several of the people proposed to be the Special Master in charge of the documents are experts in e-discovery, writes Rubino writes in a separate blog post. The purpose of the Special Master is to act as a neutral party to determine which of the documents might be protected by attorney-client privilege, explains Weiser in a different New York Times article.

The Hon. Frank Maas, Retired Federal Magistrate Judge, now with the mediation firm of JAMS Neutral, is described by Rubino as a “Frequent speaker on e-discovery issues at the Conference on Preservation Excellence and the E-Discovery Institute Leadership Summit, while the Hon. James C. Francis IV, a retired Federal Magistrate Judge and a Distinguished Lecturer at City University of New York Law School, is described as a “Frequent lecturer on electronic discovery, employment litigation, constitutional torts, legal ethics, and pretrial practice.”

Incidentally, both of these gentlemen are on the government’s list of potential special masters – not the defense’s, Rubino notes. This is as an alternative to what the prosecution actually wants, which is a “taint team,” a term that has enabled an entire section of the legal profession to channel its internal 12-year-olds. (What is a “taint team,” aside from making people giggle? “A taint team made up of lawyers who are not involved in the underlying investigation will almost certainly be put in place to review the materials obtained in the raid before those materials are handed over to the prosecutorial team,” writes Claire Foran of CNN.)

All in all, E-discovery people haven’t been so excited about a gigantic set of documents since Hillary Clinton.

Most excited of all is Andy Wilson, CEO of Logikcull, an e-discovery vendor. Logikcull, which has only been on the radar since 2015 or so, has actually been bringing e-discovery into several current events these days, including bitcoin.

Wilson was interviewed by Ian Lopez of the Legaltechnews blog. “In Wilson’s estimation, document collection and review with about 1.4 million documents and two reviewers would take between 24 and 48 hours,” Lopez writes, primarily by giving those reviewers tools to let them filter out the Amazon orders, fantasy football discussions, and other “junk” from the email records. (Presumably “junk” is literal and not metaphorical in this particular case, speaking of 12-year-olds.)

In fact, it’s the presence of all that junk that has led many legal professionals to encourage their clients to set up a rigid document retention policy that ends up deleting many email messages and other files after a short period of time. Anything that’s retained has the potential of causing damage later, as well as increasing legal costs by adding to the pile that must be examined.

April 18, 2018  11:59 PM

Facebook’s Private Setting No Shield in Forman Case

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Facebook, legal, privacy, social media

If you’ve been revealing secrets on Facebook and thinking that you’re okay because your messages and postings are private, not public, think again: a recent court case ruled that attorneys could rule to more easily discover private as well as public Facebook material.

The case is Forman vs. Henkin, and the court that so ruled, unanimously, was the New York Court of Appeals.

“Prior to Forman, the developed case law with respect to discovery of social media accounts largely required a defendant to lay a factual predicate for the relevancy of the evidence being demanded,” write Robert S. Kelner and Gail S. Kelner in the New York Law Review. While courts could sometimes gain access to private material in Facebook, it was typically because there was something public that led people to believe there was more incriminating material privately.

In the case of Forman, that didn’t happen. “Plaintiff was injured in a fall from a horse,” the Kelners write. “She testified that, before she was injured, she posted photographs of herself engaging in various activities on Facebook. She claimed that her injuries prevented her from continuing to participate in those activities. She further alleged that because of brain injuries caused by the accident, she had sustained cognitive impairment. She testified that since her injury, she was unable to compose emails and text messages.”

Consequently, attorneys for the owner of the horse, whom she was suing, wanted to see all of her Facebook postings. The court rejected this, but did say she had to produce all the post-accident private photographs “that did not show nudity or romantic encounters.”

In addition, since she was claiming that she was unable to compost email and text messages, she also “was directed to provide an authorization for defendant to obtain records from Facebook, showing each time plaintiff posted a private message after the accident and the number of characters or words in the text of each private message, from the date of her injury until she deactivated her Facebook account.”

“The practical upshot of the Forman decision is that the traditional rules governing most forms of discovery are applicable to plaintiffs’ social media accounts. It is no longer necessary for a defendant to lay a specific kind of foundation from the public portions of a plaintiff’s Facebook page to obtain any social media discovery,” the Kelners write. “But that does not mean that defendants now have unfettered access to plaintiffs’ social media information,” A defendant’s boilerplate demand for a plaintiff’s full social media accounts is exceedingly unlikely to pass muster under Forman. Plaintiff’s counsel should carefully scrutinize demands to ensure they are appropriately tailored and object to overbroad demands for unlimited Facebook records.”

This isn’t the first time that the legal profession has been salivating to get its hands on the wealth of data Facebook holds. In 2013, New York prosecutors had filed 381 warrants to get photos and private information from Facebook on hundreds of public employees – some of them 9/11 first responders — suspected of Social Security fraud. Facebook continued to argue in 2017 that the warrants were overbroad.

This is also a case of not being greedy. According to one attorney, the case was appealed in the first place by the plaintiff, not the defendant. “Although this was only a partial victory for the defendant, it was actually the plaintiff who appealed the decision to the Appellate Division,” writes Christine Rodriguez in Above the Law. “That court further limited the order and directed plaintiff to provide only photographs posted on her Facebook account that she intended to use at trial.  The defendants decided to appeal that order in the Court of Appeals and won.”

In fact, because the defendant didn’t appeal, it’s possible a future court may rule on the issue even more broadly, writes Martin Clearwater and Bell. “Since the defendant did not appeal from the Supreme Court Order which denied much of his original request, review by the Court of Appeals was limited to reinstating the discovery allowed by the Supreme Court’s Order,” it writes. “As a result it is possible that the Court of Appeals will reach these issues again, at which point it may allow even greater discovery into social media material.”

Rodriguez also notes that this limited ruling only applies to civil cases. “In criminal matters, courts often grant search warrants that may require disclosure of everything in a Facebook account,” she writes. “This is common in large scale drug and gang conspiracy cases where what someone else posts about you could be used as evidence to link you to the conspiracy – and then your whole Facebook account and every other social media account is fair game.”

One might say that the logical conclusion is that people should make sure they don’t have any such evidence – public or private – on their Facebook page or other social media account when filing a lawsuit. On the other hand, deleting such material, particularly once a lawsuit has been filed, could be seen as destroying evidence, writes Patrick M. Connors in the New York Law Review. “An attorney is permitted to advise a client to remove postings from a social media site, but cannot advise the client to destroy such information,” he writes. (The distinction between “removing” and “destroying” in this context isn’t clear.) He also cites the New York Rules of Professional Conduct, which provides that a lawyer “shall not suppress any evidence that the lawyer or the client has a legal obligation to reveal or produce.”

“While not addressed in Forman, lawyers advising clients regarding the contents of a social media site must be aware of potential disclosure obligations and the duty of preservation, which begins at the moment litigation is reasonably anticipated,” Connors writes. “Once litigation is reasonably anticipated, anything of potential relevance that is removed from a site must be preserved so a party can comply with any future obligations to produce the materials in disclosure.”

March 31, 2018  8:27 PM

Remember World Backup Day?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

With all the strife going on right now, it’s nice to know that the world can come together on one day in mutual agreement. No, it’s not the Olympics, and that was last month, anyway. It’s World Backup Day.

In case you haven’t heard about it, World Backup Day is always celebrated on March 31, the day before April Fool’s Day, presumably to protect oneself against “tricks.” It’s intended to encourage users to set up regular backup practices for their data, both business and personal. First held in 2011, World Backup Day was actually spawned by a reddit discussion and is primarily intended for consumers who might otherwise lose pictures, music, and so on.

To be honest, it isn’t clear to what extent World Backup Day is still a thing. The Facebook and Twitter pages for World Backup Day haven’t been updated in a year, and the content on the website doesn’t have dates on it so it isn’t clear whether any of that is new either.

One thing that did get updated was the OnTrack survey on backups. According to that survey,– 67 percent of businesses and consumers use some sort of backup solution, but almost 20 percent of the respondents experienced a data loss in 2017, compared with 27 percent in 2016.

Of the people who did experience data loss, 33 percent were not using a backup, down from 37 percent in 2013 and 39 percent in 2015. The main reason respondents did use a backup solution was that they didn’t have enough time to research and administer one.

From the respondents who experienced a data loss in 2017, 43 percent were able to restore 75-100 percent of their data from their backup, while 11 percent were able to restore 40-75 percent of their data. The remaining respondents lost either most of their data or all of it. In 2016, 66 percent were able to restore 75-100 percent of their data, while11 percent could only retrieve 40-75 percent of the data.

The problem, OnTrack says, is that people don’t test their backups. 27 percent of the respondents test their backup weekly while 32 percent test once a month. The remaining respondents either test their backup once a year or never. In 2016 24 percent of the respondents tested their backup once a week, 34 percent at least once a month, and 13 percent do a backup check once a year and almost 24 percent never did.

While there aren’t any official sponsors for World Backup Day this year – another indication that it might be going by the wayside – a number of vendors do have specials going on to commemorate the day.  (Not to mention, presumably, hoping to sell a few products.) They appear to be the primary ones keeping World Backup Day alive. They include:



MacXDVD Software

Unitrend MSP

And even the people who run websites explaining all the special days of the year.

Disclaimer: I am a BackBlaze customer.

March 27, 2018  10:23 PM

CLOUD Act Ends Microsoft Ireland Supreme Court Case

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Microsoft, privacy, Security

Oh hey. You know that Microsoft Ireland Supreme Court case?

Never mind.

In case you forgot, the case, which started in 2014, involved whether Microsoft must release data stored on one of its servers to a U.S. government agency, even though the data in question is outside the U.S. In January 2017, the Second Circuit Court of Appeals denied a rehearing of the case, which left the Supreme Court as the only option. At the very last minute – and after two extensions – the Department of Justice decided in June to go for it, and in October the Supreme Court agreed to hear the case. (Here’s a good description of it.)

The Supreme Court heard arguments on the case in February, and the consensus was actually that things didn’t necessarily look so good for Microsoft, but we would find out by June.

Which brings us to now. It’s been suggested all along that the proper way to address the situation would be to have Congress deal with it, and that’s just what happened. Legislation to update the Stored Communications Act and explicitly declare how the U.S. and foreign countries were to look at the data that each has about the other’s citizens was developed in February, cutely called the Clarifying Lawful Overseas Use of Data (CLOUD) Act. As it turns out, it was snuck into the omnibus spending bill that President Donald Trump signed on March 23.

Whether that’s a good thing depends on whom you ask.

The technology companies that have all been submitting amicus briefs on this case – Google/Alphabet, Apple, Facebook, and Oath, as well as Microsoft itself – said they were happy.

“The proposed CLOUD Act creates a modern legal framework for how law enforcement agencies can access data across borders,” writes Microsoft president Brad Smith, in a blog post. “It’s a strong statute and a good compromise that reflects recent bipartisan support in both chambers of Congress, as well as support from the Department of Justice, the White House, the National Association of Attorneys General and a broad cross section of technology companies. It also responds directly to the needs of foreign governments frustrated about their inability to investigate crimes in their own countries. The CLOUD Act addresses all of this, while ensuring appropriate protections for privacy and human rights. And it gives tech companies like Microsoft the ability to stand up for the privacy rights of our customers around the world.”

In particular, the law helps clarify what happens when a foreign government tries to get data about a foreign person from the same country who is in the U.S. “Partner governments can, pursuant to a long list of qualifications, directly request data of non-U.S. persons from U.S.-based providers without going through the [Mutual Legal Assistance] process,” write attorneys Jennifer Daskal and Peter Swire in Lawfare. “If the foreign government wants to request the data of a U.S. citizen or resident, it still needs to employ the MLA system.” This was an issue because, increasingly, foreign governments were demanding that data about their citizens needed to be stored in their country, because they didn’t want to have to deal with the U.S. court system to get it, they write.

On the other hand, the civil liberties organizations that have also been submitting briefs, such as the American Civil Liberties Union and the Electronic Frontier Foundation, are not happy.

“First, it empowers U.S. law enforcement to grab data stored anywhere in the world, without following foreign data privacy rules,” writes David Ruiz of the Electronic Frontier Foundation. “Second, it empowers the president to unilaterally enter executive agreements with any nation on earth, even known human rights abusers. Under such executive agreements, foreign law enforcement officials could grab data stored in the United States, directly from U.S. companies, without following U.S. privacy rules like the Fourth Amendment, so long as the foreign police are not targeting a U.S. person or a person in the United States.”

In particular, the foreign country would then be able to seize the communication between the foreign person and U.S. people, and then be able to pass that data on to the U.S. government, Ruiz warns. “At no point need probable cause be shown. At no point need a search warrant be obtained.”

Pragmatically, the point can be made that 1) We likely weren’t going to get legislation that was much better, at least with this Administration and 2) If Microsoft lost the Supreme Court case, which is what it was looking like, then there wouldn’t be any protection at all. So to a certain extent it seems like it’s, at least, better than nothing. To what degree this can be modified going forward isn’t clear.

It’s also not clear exactly what this means for the Supreme Court case. Do they just drop it? Will they get together and then say never mind? Or can they still issue a ruling? I guess we’ll see.

March 20, 2018  11:14 PM

There’s a Dropbox IPO? Really?

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Box, Dropbox

Anyone who’s surprised by the Dropbox IPO this Friday, please poke out your right eye. Because this thing has been a loooooooooooooong time coming.

As far back as 2011, analysts were speculating that Dropbox would file for an IPO. It was actually pretty surprising when Box filed for one first, in 2014. Then there was some back-and-forth and Box pulled its IPO because it was getting sued by OpenText. When it finally had its IPO in January 2015, it ended up going more than 50 percent, $20.20, after its initial price of $14 on the first day.

Today? Box is at 21.69, after going as high as 23.82 and as low as $9.90 since then.

Once Box filed, people expected Dropbox to soon follow. As long ago as 2015, Dropbox had hired a chief financial officer experienced in IPOs, presumably because the company had Plans. And now, finally, the day is here. Like competitor Box, it filed secretly, in January.  The guess is that it’s going to go well; reportedly, it is already oversubscribed at its opening price of $16-$18 per share.

On the other hand, its valuation is actually less than it was a few years ago. According to Forbes contributor David Trainer, the valuation is $7 billion. As he himself points out, “At the midpoint of Dropbox’s expected price range, its post IPO valuation would be nearly one-third below the $10 billion valuation it earned in 2014,” he writes.

And Trainer is concerned it means the stock is overpriced. “Dropbox’s revenue growth is slowing. Revenue growth dropped from 40 percent in 2017 to 31 percent in 2016. Paid users grew by 35 percent in 2016 and 25 percent in 2017, while average revenue per paid user has barely changed,” he writes. “Despite amassing a large user base over the past decade (500+ million), Dropbox has yet to monetize these users in a profitable manner.”

Trainer isn’t the only one concerned. All sorts of people are making all sorts of comparison between Dropbox and Snap, which went public last year and didn’t do so well afterwards. In addition, a number of people are also reporting what they say are reasons that Dropbox actually isn’t doing too well (besides the fact that it’s operating at a loss), such as competing offerings from bigger companies such as Google and Microsoft. Plus, the stock market is nothing if not volatile these days.

On the other hand, after the successful IPO of Zscaler, a successful IPO for Dropbox – which will be followed by an IPO for Spotify – could presage all sorts of other major IPOs this year.

Another interesting theory is that Salesforce will eventually acquire Dropbox. It wouldn’t be the first time there had been rumors about a Dropbox acquisition. One wonders, though, if the company’s going to be acquired, why bother going through an IPO in the first place?

Disclaimer: I am a Dropbox customer.

March 11, 2018  5:19 PM

Fresno State Hard Drive Theft Raises Questions

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security, Storage

Another day, another missing unencrypted portable hard disk drive.

In this particular case, it was from the athletic department at California State University, Fresno (which athletic fans typically refer to as Fresno State University, despite the fact that Fresno is not a state). The school lost a portable hard drive containing data about 15,000 people, “including names, addresses, phone numbers, birth dates, credit card numbers, driver’s license numbers and full or last four digits of Social Security numbers,” after a theft from the athletic department over the Christmas holiday that wasn’t detected until January 12. The data included former student athletes, sports-camp attendees and Athletic Corporation employees and were mostly from 2003 to 2014, the university said, adding that only about 300 of the people were still associated with the university.

This leads to the usual series of questions.

  1. Why wasn’t the data encrypted? That’s a lot of personally identifiable information. So what kept the university from encrypting the data?
  2. For that matter, why did the university collect 12 years of that data about 15,000 people all together in the first place? If the majority of these people are no longer with the university, wouldn’t it be a good idea to get rid of that data?
  3. And if that data had to be collected, why in the world was it on a portable hard disk drive? “Having sensitive information on an external hard drive is a breach waiting to happen,” writes Bailey Miller in YourCentralValley.com.
  4. Reportedly, 18 laptops were stolen from the department at the same time. Didn’t those laptops have hard disk drives as well? What sort of data is on those? Were they encrypted? Or were they all Chromebooks that connected to the university data via the cloud? Given how often laptops and hard disk drives seem to walk away, wouldn’t it actually make sense to use a Chromebook or some similar system?
  5. Why did it take almost two months from the time the theft was detected until letting the potential victims know? “Notification of affected individuals began this week as soon as University officials could verify the extent of the breach and the names and contact information of those affected, and the proper notification process.” Okay, but *why* does it take that long? Don’t criminals usually try to use such numbers right away before the victims know they’re missing?
  6. Why did it take so long to discover that the portable hard disk drive was one of the items stolen, if the theft happened over the Christmas break? Interestingly, the school’s announcement said only that the hard disk drive was “reported missing” on January 12, not that it was stolen then. When was it actually stolen, anyway? A different notification indicated that the theft was during the last week of the year. So it took more than two weeks just to realize it was missing?
  7. That different notification also adds that “health-insurance numbers and personal health information” could also have been part of that data. Why was that fact left out of the other notification? How much do people have to worry about having their health information compromised or their health insurance used by someone else?
  8. How do they know exactly what data was on that hard disk drive? If it’s simply a dump of the university database, aren’t those people wondering why the university has that data? (One story noted that the CIO had to go through a million files to determine what data was on the drive.)
  9. Oh, so “there is no reason to believe that the hard drive was stolen for the information it contained” and that the thieves didn’t know what was on it. WELL, GUESS THEY KNOW NOW, DON’T THEY? Yes, there’s reasons why these thefts have to be promoted the way they are, and security through obscurity doesn’t work, but these announcements do seem counterproductive sometimes.
  10. Even if the thieves didn’t steal the hard drive for the data, wouldn’t they check the hard drive to see what goodies might be on it before fencing it, even if they were only looking for a bootlegged copy of Girls Gone Wild? “There’s this implication that the information was not or will not be accessed because the hard drive wasn’t stolen for the information,” writes AlertBoot, a security vendor, in its blog. “How faulty is that logic? Let us assume that some guy boosts a car because he’s going to sell it to a chop shop. Are you telling me that he’s not going to maybe take a peek in the glove compartment box or the trunk because he stole the car for its hardware, and not its content? Possibly lift up the armrest to access the center console? Steal the quarters in the ashtray?”
  11. “To help reduce the possibility of similar incidents from happening in the future, Fresno State is reinforcing its procedures with its employees regarding the proper storage of confidential information and the importance of protecting portable electronic devices.” You think? Like, maybe not using portable electronic devices at all? And encrypting them if for some reason they’re necessary?
  12. Victims are being offered the usual free year of credit monitoring. Ever wonder whether credit monitoring companies stage these thefts to help keep themselves in business?

February 28, 2018  11:37 PM

Supreme Court Hears Microsoft-Ireland Data Case

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Microsoft, privacy, Security

It is not looking good for Microsoft after the first day of hearings at the Supreme Court for the case regarding whether the company has to turn over to law enforcement data that is stored on a server in Ireland.

So far, the debate appears to hinge on whether to rule on the case, or wait for Congress to update the law and not have to rule on it at all. “Justices Ruth Bader Ginsburg and Sotomayor both asked why they shouldn’t just let the lower court opinion (in Microsoft’s favor) stand and allow the case to be decided by congressional action,” writes Andrew Keane Woods, in Lawfare, in one of the best analyses of the day’s arguments. “This makes some intuitive sense:  If the Stored Communications Act (SCA) is so hard to apply to a global cloud, let Congress update it. And Congress is trying.” But it hasn’t done it yet, and Congress hasn’t been too good about finishing things it’s started this year.

On the other hand, Chief Justice John Roberts appears to have a good idea for a business model. “Nothing would keep Microsoft ‘from storing United States communications, every one of them, either in Canada or Mexico or anywhere else, and then telling their customers: Don’t worry if the government wants to get access to your communications; they won’t be able to,” without getting help from a from foreign government, Roberts told Microsoft lawyer Joshua Rosenkranz, according to Bloomberg.

Congratulations, Justice Roberts. You just invented Swiss Banks for data.

If you’re really a glutton for this stuff, the full transcript is available, and there’s some pretty neat stuff in it. For example, there’s this government argument: “Suppose that a defendant in federal court were convicted and ordered to pay a fine and the defendant said, I can’t do that with my domestic assets. They’re all located abroad. I am fairly confident that the courts would say the obligation falls on you. How you raise the money is your concern. It’s not an extraterritorial application of the statute to say bring the money home and pay the fine. And that’s the same that we’re asking to happen with the warrant.” The thing is, it’s not the mere possession of the data that’s the issue but the fact that the data could be used to send someone to jail – a point that nobody seemed to make.

There was also an interesting discussion about the distinction between a subpoena and a warrant, and how one of the main distinctions was how the subject of a subpoena could go to court and object to it while the subject of a warrant couldn’t. “A warrant allows the government to just come right in. If we had a warrant, and we could get a Rule 41 ordinary warrant if we wanted to, we would go to Microsoft headquarters and ask the gentleman sitting at the keyboard to step aside and sit down and do the work ourselves.”

Justice Alito also brought up an interesting point: “If this person is not Irish and Ireland played no part in your decision to store the information there and there’s nothing that Ireland could do about it if you chose tomorrow to move it someplace else, it is a little difficult for me to see what Ireland’s interest is in this.” On the other hand, Microsoft’s attorney noted, “We protect information stored within the United States and we don’t actually care whose information it is because we have laws that guard the information for everyone.”

The primary concern appears to be less about the person who has their data on an Irish server in the first place, and more on what the repercussions might be based on the Supremes’ decision. “Countries around the world are watching this case because it could be used as a precedent—privacy advocates have called it a dangerous precedent—for the state to exert extraterritorial control over the internet,” Woods writes. “If the U.S. can do it, the thought goes, then other states will do it.” The problem with that argument, he writes, is that there are already plenty of examples of foreign governments doing just that.

And then there’s this thing of beauty:

“There is not an international problem.This is largely a mirage that Microsoft is seeking to create. For the 20 or so –­ “

JUSTICE SOTOMAYOR: “You mean all those amici who have written complaining about how this would conflict with so much foreign law. We’ve got a bunch of amici briefs telling us how much this conflicts.”

The justices are expected to rule by June, which should be one humdinger of a month at this rate.

February 25, 2018  11:46 PM

Expect Many More Spokeo Cases

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Database, legal

Spokeo, Spokeo, wherefore art thou Spokeo? We’ll be seeing that name a lot more in the next few months after the Supreme Court turned down the opportunity to hear the case a second time.

As you may recall, in June*** 2016, the Supreme Court was due to rule on a case involving the stored data of Spokeo, a data aggregation company that provides data about individuals. A man sued the company for having incorrect data about him, and the case made it all the way to the Supreme Court. Owners of databases were concerned that a ruling against them would mean that anybody could sue them for anything they happened to have wrong, while individuals were concerned that a ruling in favor of Spokeo could essentially shut down the practice of class-action suits.

The Supreme Court sidestepped the issue by saying that the lower court hadn’t proved actual damages in the first place, so sent it back to that lower court. After taking a year to think about it, the lower court decided that damages had actually happened, and sent it back to the Supreme Court.

In the meantime, using the precedents that already existed, all sorts of courts were making all sorts of decisions based on Spokeo,

All caught up now?

In response to all this, a number of companies –including Spokeo itself — pleaded with the Supreme Court to take it up again and make a real decision this time. Spokeo’s argument also had to do with asking the Supreme Court to decide on the nature of harm to the plaintiff. Is somebody really harmed if a company puts more than five digits of their account number on their bill, even if it is theoretically possible that, yes, an identity thief could end up hacking their credit card number that way?

But earlier this year, the Supreme Court decided it wouldn’t re-hear the case, meaning that all those lawsuits based on Spokeo were likely to continue.

You’d think that the lawyers would be happy about this. After all, the Spokeo case is turning into the Attorneys Full Employment Act of 2018. But they are not. In fact, a number of amicus briefs were filed to the Supreme Court asking them to rehear the case. “The decision to pass on revisiting Spokeo was in spite of Spokeo receiving support from several outside parties for its review bid. In six separate amicus briefs filed on January 5, 2018, TransUnion LLC, the U.S. Chamber of Commerce, the National Association of Professional Background Screeners, a group of real estate trade associations, the Consumer Data Industry Association and the Retail Litigation Center,” notes Lexology.

The result is that many of the cases are going to continue, attorneys warned. “The issue presented here arises virtually every single day in courts across the country, as plaintiffs bring putative class actions alleging violations of federal and state statutes authorizing statutory damages without any claimed harm beyond the statutory violation,” write Spokeo’s lawyers in their brief to the Supreme Court. “Spokeo I has been cited in over a thousand decisions since May 2016—with over six hundred discussing this Court’s opinion in detail.”

Plus, the courts aren’t all agreeing. “Given this massive number of cases, it is no surprise that courts have reached conflicting results for virtually identical claims—meaning that jurisdiction continues to vary court by court and statute by statute,” notes the brief. “As one set of commentators summarized, ‘[w]e have found numerous cases that are essentially indistinguishable on the facts presented, yet courts have reached opposite results.’”

Other lawyers agreed. “Although the 2016 Spokeo decision had created a pathway for the lower courts to stem the tidal wave of claims under the Fair Credit Reporting Act (FCRA), the Fair Debt Collection Practice Act (FDCPA) and the Telephone Communications Protection Act (TCPA) where the plaintiffs had inconsequential, if any, damages, the Supreme Court failed to provide substantive guidance in its 2016 decision as to when a case should be dismissed for lack of injury. Consequently, the lower courts approached this issue in different, sometimes inconsistent, ways.

Indeed, in just the last few weeks, there have been several other cases based on Spokeo that have progressed in one way or another. In one case, “A district judge in the Southern District of Florida recently dismissed a FACTA class action on Spokeo grounds even though he had previously approved a near-$600,000 settlement in the same case” where a company was being sued for, yes, displaying more than five digits of an account number on the paperwork.

Similarly, another case had to do with someone’s entire credit card number being displayed on a ticket, but in that particular case, the court ruled that the person couldn’t sue because there was no evidence any actual harm had been committed, writes The Recorder. “Today we answer a question that would certainly sound exotic to our nation’s founders: Is receiving an overly revealing credit card receipt—unseen by others and unused by identity thieves—a sufficient injury to confer Article III standing?” wrote Judge M. Margaret McKeown. “We need not answer whether a tree falling in the forest makes a sound when no one is there to hear it. But when this receipt fell into Bassett’s hands in a parking garage and no identity thief was there to snatch it, it did not make an injury.”

On the bright side, cases like these may actually get people to start reading things like terms-of-service agreements, if only to look for things they might be able to sue under.

February 15, 2018  11:53 PM

Lawyers Dealing With Bitcoin E-Discovery

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Bitcoin, Cryptocurrency, ediscovery

We talked a couple of months ago about the best places to store bitcoin and other cryptocurrencies and their advantages and disadvantages. It turns out there’s another nuance: Cryptocurrencies and e-discovery.

It makes sense. The whole point of cryptocurrency – at least, one of them – is to have anonymous currency that can’t be traced back to you. So, naturally, all sorts of nefarious people are finding that an advantage. “Because of the way cryptocurrency systems protect the anonymity of their participants, they have become ideal vehicles for money laundering, tax fraud and illicit purchases,” writes Eric Pesale for the Logikcull blog.

So what’s an attorney to do?

“Litigators could compel an opposing party to submit a hard drive image of the user’s cryptocurrency ‘wallet,’” write attorneys Nkosi Shields and Ryan A. Walton from the firm of BakerHostetler, in Mondaq.  “From this wallet, one could pinpoint files useful for identifying suspicious activity during the discovery process.” This is especially true if the wallet uses an open-source framework such as Bitcoin-QT, which stores the entire user’s transaction history within the app, Pesale writes. “If this is the case, a lawyer or investigator working from a hard drive image of the wallet could locate and extract files related to certain suspect transactions and cryptocurrency data activity,” he explains.

In fact, there can be traces in many devices, Pesale writes. “Any devices the user used to connect to Bitcoin’s network could contain important evidence in the devices’ volatile memory,” he writes. “Other useful evidence can be found by examining the user’s transactions in the cryptocurrency’s public blockchain ledger or by subpoenaing the user’s encrypted cryptocurrency credentials, though government attorneys trying this strategy during a criminal case could face Fifth Amendment issues similar to those involving encrypted hard drives and passwords.”

Other researchers are looking at ways to de-anonymize blockchain itself, Shields and Walton write. “By clustering different bitcoin addresses, one can assign common ownership to a user’s pseudonym(s),” they write. “International law enforcement agencies, including the Federal Bureau of Investigation, have made significant strides in piercing the anonymity of cryptocurrency transactions, leading to several notable prosecutions, including actions brought against BTC-E, a prominent virtual currency exchange believed to have been involved in international money laundering.”

Indeed, Noel Edlin writes in Law Technology Today that blockchain’s very design makes it easy for attorneys to use it in cases. “The very virtue that makes them attractive as a decentralized currency also makes attorneys leery: transactional transparency,” he writes. “There is no way to hide bitcoin transactions, because the bitcoin ledger is available to all. Every transaction conducted using bitcoins is tracked, meaning that through the internet, bitcoin transactions can be identified and monitored, although savvy users of cryptocurrencies will argue they are just as anonymous as cash.”

Pesale notes, though, that blockchain might not be admissible as evidence even if law enforcement organizations were able to compile it. “California attorney James Ching has explored the possibility that blockchain evidence could be inadmissible hearsay, falling outside of Federal Rule of Evidence 803’s exception for business records,” he explains.

Cryptocurrencies have also seen their anonymity challenged in the courts, Shields and Walton write. “In 2016, the Internal Revenue Service (IRS) issued a ‘John Doe’ summons in an effort to investigate potential investors who may have underreported or failed to report income from gains while trading cryptocurrencies.”

However, that use is controversial, Pesale writes. “These summonses, which are issued only upon receiving court approval, allow the IRS to investigate the tax liability of unidentified individual, or group of, taxpayers upon an initial finding of a tax compliance problem,” he writes. “They are often used to uncover anonymous tax shelter beneficiaries or owners of tax-exempt bonds. Although John Doe summonses are not supposed to be issued to conduct ‘fishing expeditions,’ the way the IRS has been using them in relation to cryptocurrency transactions is spurring controversy.” For example, one of its mass warrants has received a lawsuit, while the IRS also received a Sternly Worded Letter, he writes.

In any event, attorneys of all stripes need to be familiar with cryptocurrencies, writes Carolyn Elefant in Above the Law, as they’re even becoming common in divorces and wills.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: