A DNA testing database was apparently hacked sometime last fall, but it wasn’t nearly as interesting as it could have been.
It wasn’t one of the more well-known sites like 23andme or ancestry.com. It also wasn’t the GEDmatch site that law enforcement used to track down the so-called “Golden State Killer”a few months back. It was a site called MyHeritage.com with about 92 million users, though it isn’t clear how many of them had actually submitted DNA.
Moreover, none of the DNA information appeared to have been stolen. In fact, it was a pretty run-of-the-mill incident, for these days; a file called MyHeritage was reportedly found on a third-party server that had a list of 92 million email addresses, followed by their hashed, or encoded, passwords. Since the passwords were hashed, there’s not likely going to be a way for anyone to reverse-engineer them to the actual passwords. And the company said that no financial information was involved, either.
“Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage,” the company wrote in a blog post about the incident. “Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.”
So what we actually have stolen here is a list of 92 million email addresses – basically, all the system’s users up until October 26, 2017. And sure, someone could have fun with that, looking to see how many of them have “password” as their password, or how many of them reused a password from a different system that hackers might know, and so on.
But generally, as these things go, this was pretty ho-hum, because the company did what it was supposed to. It encrypted its passwords. It stored its financial information separately. It stored its genetic information separately. As a number of security experts have been saying, it’s less an issue of hardening your system so that you *never* get broken into, because sometime, it’s likely going to happen. Instead, it’s an issue of how to limit the damage once someone breaks in.
Because there’s lots of interesting things that could have been done with stolen DNA:
- Plant it somewhere to incriminate someone, ranging from a crime to blackmail, or to protect a criminal by having multiple people’s DNA at a crime scene
- Use it to get medical treatment
- Use it to reveal someone’s dirty laundry, such as being illegitimate or unable to get health insurance due to a genetic condition
- Use it to protect against being called out for a genetic condition, much the way people will buy clean urine to pass a drug test
- Heck, they could have started cloning people, or breeding people
That said, it may just be a matter of time before one of these DNA storage places is hacked – with actual DNA. As you may recall, researchers are looking into storing data on DNA. Apparently there is also research going on into how you could store malware on DNA, and then submit that DNA to a DNA storage service, where it would “come to life” and start stealing data. “The researchers were even able to encode a strand of synthetic DNA to contain malware, allowing them to take remote control of a computer being used to sequence and process genetic data,” writes Usha Lee McFarling in STAT.
Meanwhile, the company is doing all the appropriate things. It’s not only recommending that people change their passwords; it’s forcing everyone to do so (though it isn’t clear whether they could just put in the same password they’d used before). They also set up a round-the-clock security team to answer user questions. They are working on setting up two-factor authentication (and yes, they should have done that in the first place), but it sounds like they aren’t going to require it, but only “recommend” it. It is also looking into how the data got stolen in the first place, and why it didn’t detect that at the time.
But it could have been so much more interesting.
Configuration is hard.
At least, that’s the conclusion to draw from a recent storage security issue where the Los Angeles County hotline number, 211, was storing many of the records regarding its hotline calls in the cloud. Except instead of keeping it secured, as would be required by law as a medical record, the organization had a number of its files configured to be publicly available.
While not all the files themselves were publicly available, a number of them were, which meant that anyone who happened to have the URL of that Amazon AWS resource could download the information stored there. That included “access credentials for those operating the 211 system, email addresses for contacts and registered resources of LA County 211, and most troubling, detailed call notes,” according to the organization discovering the error. “These notes describe the reason for the calls, including personally identifying information for people reporting the problem, persons in need, and, where applicable, their reported abusers. Included in the more than 3 million rows of call logs are 200,000 rows of detailed notes, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns. In many of these cases, full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers are revealed among the data.”
Los Angeles County211 blamed the issue on a configuraton problem, according to the report. Fortunately, the problem has now been fixed, and the Amazon AWS files have been properly configured.
How this was discovered is actually the more interesting part. It turns out that there’s this company called Upguard and they do the same sort of thing that hackers do – roam the world looking for open back doors and ports and unpatched systems and so on. But when they find them, instead of breaking in, they contact the company and let it know so that the problem can be corrected.
Then Upguard alerts the media so people in other companies can also be aware of these problems.
So, that’s what happened here. Somebody was playing around with Amazon AWS links, and realized they could get in, so they wandered around for a while, taking screenshots of the available data and, eventually, letting the organization and eventually the media know.
The group of people who do this are called the UpGuard Cyber Risk Research Team, and they have it down to a science. “The UpGuard Cyber Risk Research team follows the processes and procedures detailed in the internal governance document ‘UpGuard Breach Research Process’ for breach research, notification, and disclosure,” the company writes in its Cyber Risk Research Guidelines.
Needless to say, UpGuard considers itself a “white hat” or ethical hacker, as opposed to the “black hats” who do the same thing but steal the information or sell access to it. “The UpGuard Cyber Risk Research team finds publicly exposed data, helps the owners secure it, and shares information on how these exposures can be avoided,” the company explains. “Reducing data exposures is a public good, and the vast majority of individuals whose data is leaked lack the capacity to identify and remove those exposures themselves. Publicizing these findings raises awareness of the problem of data breaches, both in its scale and the severity of the data exposed.”
Ethical hacking! How chaotic good can you get?
Not that the company is doing this for purely altruistic reasons. “While we believe this activity provides a benefit to the public, and indeed to ourselves as private citizens, it also benefits UpGuard in that UpGuard provides solutions for preventing data breaches and a mature market for cyber risk mitigation would logically benefit UpGuard,” the company goes on to explain.
That said, it doesn’t try to shake down its subjects. “UpGuard never uses the discovery of a data breach to approach any affected entity in a sales capacity for UpGuard’s separate enterprise services,” the company writes. It also appears that the company is essentially doing a passive search, looking for security holes, as opposed to, say, using social engineering to try to create vulnerabilities.
It isn’t entirely clear to what extent the entities that are exposing their data have any say-so in whether the vulnerability gets published. (Once it’s secured, of course.) “The UpGuard Cyber Risk Team can also work to help secure a data exposure without publishing a report,” the company writes. “The guiding decision in a decision to publicize a breach is whether the public interest is best served by a public report. UpGuard has no obligation to report exposed data. As an institution, we feel compelled to promote visibility and address as many leaked data sets as we feel appropriate. The research team evaluates the projected impact of each data breach, and other relevant factors, in order to prioritize breach notifications.”
Though the company does go on to add, “The manner in which the breached entity responds to the data breach notification may impact the manner in which media are made aware of the situation and when the information is presented.” Heh. It would be fun to be a fly on the wall in some of those instances.
In any event, for some people, that has got to be the funnest job in the world.
There is such a thing as a device specifically intended to destroy a hard disk drive.
In fact, there’s actually a number of such devices. This isn’t just degaussers and so on that are intended to wipe the data from the hard disk drive itself through magnetism (or de-magnetism, as the case may be). No, this is purely physical destruction. Some of them even brag that they don’t use electricity (which would actually be handy, if you were, say, about to be overrun by someone and they had cut your power or something).
Some of them punch a hole through the disk drive, while others shred the platters. Others just crunch it completely.
“Other hard drive destroyers just fold or punch a couple of holes in a hard drive,” notes one vendor, saying that its product “obliterates hard drives with a potent combination of 20 tons of force and corrugated crushing plates. The result is a drive that’s rendered hopelessly inoperable, with every inch of the media totally ruined.”
This may seem like overkill. Not to mention, wasteful. You can’t donate the hard disk drive to Computers for Kids or something so they can be used by someone else? You can’t even recycle the components? But as we’ve mentioned before, if you absolutely, positively can’t let the data get to anybody else, the only sure way is to physically destroy the drive.
And while shooting it with a .45, taking it apart with a hammer, and so on, are all great ways to do it (or, if you’re Terry Pratchett, running a steamroller over it), aside from letting out your frustration, what does a company do when it needs to destroy hundreds of disks on a regular basis? Nobody is that frustrated.
Enter the hard disk drive destruction device, some of which claim that they can destroy multiple drives at once, or can destroy a drive in five seconds. If you have hundreds of drives to destroy on a regular basis, that’s the way to go. Or, in particular, if you have a company, perhaps, that’s in the business of destroying hard disk drives for people.
The problem is, of course, if you’re using such a company, you as the hard disk drive owner have to make sure that they really are destroying the hard disk drives, and not just putting them on eBay with all the data still present on them, which happens periodically. Security experts periodically buy used hard disk drives on Craigslist and such, not just to see what goodies they can pick up but to see, in general, if any companies can be shamed about doing this.
Not surprisingly, these machines can be expensive. Even the one that doesn’t use electricity, and is essentially a fancy vise grip, costs more than a thousand dollars. And that one is pretty onesy-twosy as far as destroying hard disk drives. A device that destroys two hard disk drives per minute using a shredder can cost more than $30,000, while the “20 tons of force” machine costs more than $16,000. (Though right now it’s on sale for $11,000. Is there some reason that May is the bargain month for these devices? Perhaps some sort of post-Tax Day sale?)
Needless to say, as with so many things today, you can see video of some of these devices in action on YouTube. Search for machines destroying hard disk drives for hours of destructive fun.
OMG. Can our long international nightmare be over? HP won a criminal case against Autonomy, the e-discovery vendor it bought in 2011 for more than $10 billion, of which it had to write off $8.8 million, claiming that the U.K. company had inflated its value.
Sushovan Hussain, “the former chief financial officer of Autonomy Corp. was found guilty of orchestrating an accounting fraud to arrive at the $10.3 billion price Hewlett-Packard Co. paid for the U.K. software maker more than six years ago,” writes Joel Rosenblatt for Bloomberg. “A jury voted to convict Sushovan Hussain Monday on all 16 counts of wire and securities fraud after three days of deliberations in San Francisco federal court.”
The trial lasted three months, according to the Telegraph. Hussain was first charged by prosecutors in 2016. He was convicted of one count of conspiracy, fourteen counts of wire fraud and one count of securities fraud. Assuming the charges stick, he faces a maximum sentence of 20 years in prison, and a fine of $250,000, plus restitution, for the conspiracy count and each of the wire fraud counts, as well as a maximum sentence of 25 years in prison, and a fine of $250,000, plus restitution, for the securities fraud count. He was supposed to have been sentenced May 8, but that appears to have been changed to August. In the meantime, he had to surrender his passport, wear a GPS bracelet, and can’t go to airports or bus stations, according to the Times UK (which also has even more detail about the accounting problems Autonomy had).
So what did he do?
“Specifically, Hussain used backdated contracts, roundtrips, channel stuffing, and other forms of accounting fraud to inflate Autonomy’s publicly-reported revenues by as much as 14.6% in 2009, 17.9% in 2010, 21.5% in the first quarter of 2011, and 12.4% in the second quarter of 2011,” according to a Department of Justice press release. “In addition, Hussain, and his co-conspirators, fraudulently concealed from investors and market analysts the scale of Autonomy’s hardware sales, which were used to boost the company’s reported top-line revenue. Autonomy’s total revenues included re-sold hardware of approximately $53.3 million in 2009, $99.08 million in 2010, $20.09 million in the first quarter of 2011, and $20.85 million in the second quarter of 2011.”
On the other hand, HP didn’t come off so great in the case, either. For one thing, it didn’t help HP’s case that it had several other purchases where it had to write off part of the value.
“Hussain’s lawyer argued that HP bought, and then hobbled, an increasingly profitable software company,” Rosenblatt writes. “It was one of a string of failed acquisitions requiring write-offs, a list that includes Palm, Compaq, and Electronic Data Systems, he said.”
“Even if his conviction is upheld, HP’s acquisition of Autonomy should be remembered as one of the most poorly thought out and incompetently executed deals of all time,” notes the Financial Times in an unsigned editorial. “ It does not suggest that HP was anything less than catastrophically careless.
But hey! We’re not done!
“It also gives the company momentum as it heads toward a trial next year in London in a $5 billion civil suit against Hussain and Autonomy co-founder and former Chief Executive Officer Mike Lynch,” Rosenblatt writes.
Plus, Hussain plans to appeal, writes FT.
Here we go again.
Yet another court has ruled that U.S. Customs and Border Patrol agents have to have some sort of probable cause to search people’s electronics. The Fourth Circuit has now agreed.
The Department of Homeland Security has said in the past that it is entitled to broad powers of search within 100 miles of the U.S. border. Knowing that the U.S. is 3000 miles across, that doesn’t sound like much, but given how bumpy our border is, that covers a lot of territory. More to the point, it covers a lot of territory where people are.
CityLab actually has a really cool map of just how much territory we’re talking about. “The border zone is home to 65.3 percent of the entire U.S. population, and around 75 percent of the U.S. Hispanic population,” writes Tanvi Misra. “This zone, which hugs the entire edge of the United States and runs 100 air miles inside, includes some of the densest cities—New York, Philadelphia, and Chicago. It also includes all of Michigan and Florida, and half of Ohio and Pennsylvania.”
And those broad powers of search are…pretty broad. “In the ‘border zone,’ different legal standards apply,” Misra writes. “Agents can enter private property, set up highway checkpoints, have wide discretion to stop, question, and detain individuals they suspect to have committed immigration violations—and can even use race and ethnicity as factors to do so.”
Consequently, over the past few years, there have been a number of incidents of people having the storage of their portable electronics, ranging from laptops to cellphones, and even cameras, searched. That includes the electronics of people such as journalists and attorneys, who are supposed to have some degree of protection against such things.
And we’re not just talking a Border Patrol agent taking a cellphone and scanning to see what apps it has. This involves actually taking the person’s electronics, shipping them hundreds of miles to a lab, and doing a full forensic—sometimes taking as long as seven months. It also appears that this sort of search has been ramping up under President Donald Trump.
This has been drawing the ire of civil liberties organizations such as the American Civil Liberties Union and the Electronic Frontier Foundation for some time.
Fortunately, over the past couple of years, courts have started to agree, especially after the Riley Supreme Court decision that said law enforcement officials had to have a warrant to search someone’s cellphone. In March, the Eleventh Circuit – while it did uphold a border search – at least had a strong dissent. Also in March, the Fifth Circuit made such a ruling, although it fell short of actually saying agents couldn’t search devices.
Most recently, the Fourth Circuit made a similar ruling, in a case called Kolsuz. “After Riley, we think it is clear that a forensic search of a digital phone must be treated as a nonroutine border search, requiring some form of individualized suspicion,” the court writes. Indeed, the court suggested that it might have gone further had the appeal asked for it. “Because Kolsuz does not challenge the initial manual search of his phone at Dulles, we have no occasion here to consider whether Riley calls into question the permissibility of suspicionless manual searches of digital devices at the border.”
In response to criticism and rulings, Customs and Border Protection has been backing off some. For example, in January it clarified that agents could only search the physical devices themselves, not whatever storage they might have access to in the cloud. A number of people are also taking steps such as not taking their own phones and laptops across the border, or wiping them as they approach the border.
Where this goes from here isn’t clear. So far, it seems like the lower courts are mostly agreeing. In addition, the civil liberties organizations have been pushing for a test case that would extend the Riley decision to laptops at the border. This may yet end up at the Supreme Court, but it isn’t clear how it would rule with this court and in this political climate.
A couple of weeks ago, there was some discussion about the material seized from the office of Michael Cohen, the attorney for the Trump organization, and the e-discovery implications of that. In passing was also a reference to a number of cell phones and hard drives that had also been seized, and since then, there’s been some further discussion of this nuance.
“Manhattan federal prosecutors seized as many as 16 cell phones when the FBI raided the home, office and hotel room of President Trump’s personal lawyer Michael Cohen,” writes Kaja Whitehouse [which has to be the best journalist name ever] in the New York Post. “Prosecutor Thomas McKay made the astonishing revelation while telling a judge Thursday that the feds are on track to hand over seized materials to Cohen’s lawyers by May 11. In explaining the process, McKay said the feds have already turned over the contents of four phones and one iPad.”
What does this tell us? At the time the materials were seized, I wrote “(No word on whether any of the electronic devices are encrypted or otherwise protected by a fingerprint or a password. That would be an interesting wrinkle. Although, seriously, they should have been.)” So, among other things, it appears that the phones weren’t encrypted, or even particularly password-protected, if the FBI was already able to retrieve their contents.
On the other hand, McKay reportedly said that some will take longer. “The contents of two Blackberries may take as long as three weeks to be produced to Cohen and the special master and one cell phone may take 104 days to have its data extracted,” write Kara Scannell and Katelyn Polantz, for CNN. This could indicate that some of them were encrypted. Back in the day, one of the selling points of BlackBerrys was how secure they were.
One of the more interesting side discussions were the people who found it “astonishing” that someone in 2018 would have 16 cell phones, and used that as “proof” there must have been something nefarious going on (including some pretty funny lists of what all the phones could have been used for).
Not to mention the age of some of the electronics. “Among the devices seized are two BlackBerrys, suggesting Cohen has been holding on to his electronics for many, many years,” Whitehouse writes.
I would expect that most of my friends have ten-year-old electronics kicking around their houses. I know I do. And BlackBerry fans tended to be particularly…possessive about their devices.
“You know how I know Michael Cohen is either a professional fixer or one of the drug dealers from The Wire?” writes Monique Judge in The Root. “Because when federal agents raided his office, hotel room and apartment earlier this month, they seized as many as 16 phones and other devices. You read that correctly. There were 16 phones. Either Cohen is working very hard in the lowrises, keeping McNulty and Bunk off of Stringer and Avon’s trail, or he had all those phones to deal with his various troublesome clients who couldn’t seem to stay out of trouble. No, seriously? Who has 16 old phones just lying around, waiting to be taken and imaged by federal agents who are possibly building a case against you and your biggest and most famous client, the president of the United States?”
Um, me. Except for the federal agents part.
If having 16 cell phones is incriminating, I’m in trouble. I don’t even buy a new phone every year, nor do my partner and child, and yet our household probably has close to 16 phones kicking around.
- 3 OnePlus (a One, and Two, and my 5T, my current phone)
- Samsung Galaxy SIII, my previous phone
- At least two flip phones before that
- My daughter has at least two cell phones and a flip phone
- My partner just got a new phone, plus he has at least two Samsung Galaxy Notes before that
That’s up to 12 already, and I haven’t even looked around the device shelf or the computer room.
Other nerds are also backing Cohen up on this. “In fairness there are a dozen cellphones in my house right now,” writes one commenter to Judge’s article. “They’re between 1 and 18 years old. I can’t just throw them away. It’s one of those things that I should do, but can’t bring myself to do. What can I say, I’m a tech junkie.”
And as an attorney, Cohen probably lives and dies by his phone. A recent Vanity Fair piece noted that, even though the FBI had allegedly literally seized the phone he was holding in his hand, a couple of days later he was still…on the phone.
But what about the old phones? “16 phones?” Judge writes. “Was he keeping them so he could later blackmail his clients?”
Why do people keep cell phones?
- In the case of an attorney, it may be that he’s concerned about security and what might be on the phones.
- Or he could think, as I have sometimes, “these are too good to throw out or donate, I should try to sell them” – and never get around to it.
- When you have a teenage girl, you often keep a couple of spare phones around in case something happens to her primary phone, because MOM OH MY GOD MY PHONE DIED is worse than losing an arm.
- This is kind of a nerdy household, so we’re always thinking we’ll find some sort of project use for them, such as acting as some sort of server for the TV or stereo. I also understand that some Pokemon Go fans have multiple accounts so they can gang up on raids or exchange gyms among each other, and you would need a separate device for each of those.
- And occasionally we do donate phones to a battered women’s shelter; they can always use them to give to people trying to escape abusive situations who don’t have the money to get their own.
So Cohen may or may not be a bad guy. But 16 phones doesn’t prove that. It just means he’s one of us.
Whether it was “ingenious” or “creepy” depends on which way you look at it, but the recent capture of the alleged Golden State Killer wasn’t the first time that law enforcement has used genetic databases to find criminals. However, it went further than police have done so before, and some people are concerned.
The so-called Golden State Killer was said to have been responsible for12 killings, 50 rapes, and 120 burglaries in 10 counties across California between 1976 and 1986. Police had obtained a DNA sample from a crime scene, and figured they would compare it with DNA samples in genealogical databases. In this particular case, law enforcement used the “open-source” site GEDmatch, as opposed to commercial sites that have been used at other times, such as Ancestry.com and 23andme.com.
But where to start? “The FBI created a database of DNA profiles in the 1990s, and police queued up to check their evidence samples against it, hoping that their suspect might be an ex-convict, or already imprisoned, or otherwise in the system,” writes Avi Salk in the Washington Post. “The method even allowed police to solve old cold cases — some of them initially investigated long before DNA testing existed. But the database was little help if the person tied to the DNA wasn’t already in it,” which was the case here.
First, they selected people who lived in areas where the Golden State Killer struck. They then narrowed down their search to people who fit the same age and description. Finally, they compared the DNA sample with those people. They also obtained a DNA sample from a piece of trash from the suspect, and compared it with the DNA sample from the crime scene, to make sure it matched.
“The suspected Golden State Killer was not in this database, either, but it didn’t matter,” writes Selk in a different Washington Post article. “A distant relative of his was, police say, and that person’s DNA partially matched evidence related to the serial killer. Instantly, the pool of suspects shrank from millions of people down to a single family.”
Interestingly, unlike some other cases, law enforcement did not work with the database company, but simply used its resources. In fact, part of the reason that police used GEDmatch was that 23andMe and Ancestry have refused law enforcement requests, Selk writes, out of concern about false positives. “Although we were not approached by law enforcement or anyone else about this case or about the DNA, it has always been GEDmatch’s policy to inform users that the database could be used for other uses,” the company reportedly said in a statement.
GEDMatch is a free site where users who have obtained DNA profiles from commercial companies such as Ancestry.com and 23andMe can upload them to expand their search for relatives, according to CBS News, which added that an investigator told them that officials did not need a court order to access GEDMatch’s database of genetic blueprints. For example, it is also used to help identify remains, including murder victims, according to CBS News.
“If you are concerned about non-geneatological uses of your DNA, you should not upload your DNA to the database and/or you should remove DNA that has already been uploaded,” the statement from GEDmatch said. Well, yes. But how many people think of that sort of thing when they’re hoping to find relatives? How many of them will remember the places they’ve uploaded it to take it down now?
In fact, in response, some genealogists are reportedly making profiles on GEDmatch private, writes Sarah Zhang in The Atlantic. They fear that backlash from this case could make it harder for people trying to find family—or even police trying to find other suspects—in the future. The practice, known as familial DNA testing, is actually forbidden in some states. “A policy that implicates New Yorkers in a criminal investigation solely because they are related to someone with DNA in the state’s databank is a miscarriage of justice,” Donna Lieberman, the New York Civil Liberties Union’s executive director, told CBS News, which added that Maryland and the District of Columbia have banned it.
“People who submit DNA for ancestors testing are unwittingly becoming genetic informants on their innocent family,” Steve Mercer, the chief attorney for the forensic division of the Maryland Office of the Public Defender, told the Associated Press, adding that they “have fewer privacy protections than convicted offenders whose DNA is contained in regulated databanks.”
There’s one group of people that is really, really excited about the seizure of the potentially millions of legal documents associated with President Donald Trump: E-discovery people.
“Discovery nerds — and political junkies — are having a field day with the materials seized by the FBI’s raid of Trump Organization attorney Michael Cohen,” writes Kathryn Rubino of the Above the Law blog.
E-discovery is an issue because the seized materials include not only paper records, but electronic ones, write Benjamin Weiser and Alan Feuer of the New York Times. “The courtroom battle over what to do with the seized material came one week after federal agents, in an extraordinary move, descended on Mr. Cohen’s properties and walked away with 10 boxes of documents and as many as a dozen electronic devices, including cellphones and computer hard drives.”
(No word on whether any of the electronic devices are encrypted or otherwise protected by a fingerprint or a password. That would be an interesting wrinkle. Although, seriously, they should have been.)
In fact, several of the people proposed to be the Special Master in charge of the documents are experts in e-discovery, writes Rubino writes in a separate blog post. The purpose of the Special Master is to act as a neutral party to determine which of the documents might be protected by attorney-client privilege, explains Weiser in a different New York Times article.
The Hon. Frank Maas, Retired Federal Magistrate Judge, now with the mediation firm of JAMS Neutral, is described by Rubino as a “Frequent speaker on e-discovery issues at the Conference on Preservation Excellence and the E-Discovery Institute Leadership Summit, while the Hon. James C. Francis IV, a retired Federal Magistrate Judge and a Distinguished Lecturer at City University of New York Law School, is described as a “Frequent lecturer on electronic discovery, employment litigation, constitutional torts, legal ethics, and pretrial practice.”
Incidentally, both of these gentlemen are on the government’s list of potential special masters – not the defense’s, Rubino notes. This is as an alternative to what the prosecution actually wants, which is a “taint team,” a term that has enabled an entire section of the legal profession to channel its internal 12-year-olds. (What is a “taint team,” aside from making people giggle? “A taint team made up of lawyers who are not involved in the underlying investigation will almost certainly be put in place to review the materials obtained in the raid before those materials are handed over to the prosecutorial team,” writes Claire Foran of CNN.)
All in all, E-discovery people haven’t been so excited about a gigantic set of documents since Hillary Clinton.
Most excited of all is Andy Wilson, CEO of Logikcull, an e-discovery vendor. Logikcull, which has only been on the radar since 2015 or so, has actually been bringing e-discovery into several current events these days, including bitcoin.
Wilson was interviewed by Ian Lopez of the Legaltechnews blog. “In Wilson’s estimation, document collection and review with about 1.4 million documents and two reviewers would take between 24 and 48 hours,” Lopez writes, primarily by giving those reviewers tools to let them filter out the Amazon orders, fantasy football discussions, and other “junk” from the email records. (Presumably “junk” is literal and not metaphorical in this particular case, speaking of 12-year-olds.)
In fact, it’s the presence of all that junk that has led many legal professionals to encourage their clients to set up a rigid document retention policy that ends up deleting many email messages and other files after a short period of time. Anything that’s retained has the potential of causing damage later, as well as increasing legal costs by adding to the pile that must be examined.
If you’ve been revealing secrets on Facebook and thinking that you’re okay because your messages and postings are private, not public, think again: a recent court case ruled that attorneys could rule to more easily discover private as well as public Facebook material.
The case is Forman vs. Henkin, and the court that so ruled, unanimously, was the New York Court of Appeals.
“Prior to Forman, the developed case law with respect to discovery of social media accounts largely required a defendant to lay a factual predicate for the relevancy of the evidence being demanded,” write Robert S. Kelner and Gail S. Kelner in the New York Law Review. While courts could sometimes gain access to private material in Facebook, it was typically because there was something public that led people to believe there was more incriminating material privately.
In the case of Forman, that didn’t happen. “Plaintiff was injured in a fall from a horse,” the Kelners write. “She testified that, before she was injured, she posted photographs of herself engaging in various activities on Facebook. She claimed that her injuries prevented her from continuing to participate in those activities. She further alleged that because of brain injuries caused by the accident, she had sustained cognitive impairment. She testified that since her injury, she was unable to compose emails and text messages.”
Consequently, attorneys for the owner of the horse, whom she was suing, wanted to see all of her Facebook postings. The court rejected this, but did say she had to produce all the post-accident private photographs “that did not show nudity or romantic encounters.”
In addition, since she was claiming that she was unable to compost email and text messages, she also “was directed to provide an authorization for defendant to obtain records from Facebook, showing each time plaintiff posted a private message after the accident and the number of characters or words in the text of each private message, from the date of her injury until she deactivated her Facebook account.”
“The practical upshot of the Forman decision is that the traditional rules governing most forms of discovery are applicable to plaintiffs’ social media accounts. It is no longer necessary for a defendant to lay a specific kind of foundation from the public portions of a plaintiff’s Facebook page to obtain any social media discovery,” the Kelners write. “But that does not mean that defendants now have unfettered access to plaintiffs’ social media information,” A defendant’s boilerplate demand for a plaintiff’s full social media accounts is exceedingly unlikely to pass muster under Forman. Plaintiff’s counsel should carefully scrutinize demands to ensure they are appropriately tailored and object to overbroad demands for unlimited Facebook records.”
This isn’t the first time that the legal profession has been salivating to get its hands on the wealth of data Facebook holds. In 2013, New York prosecutors had filed 381 warrants to get photos and private information from Facebook on hundreds of public employees – some of them 9/11 first responders — suspected of Social Security fraud. Facebook continued to argue in 2017 that the warrants were overbroad.
This is also a case of not being greedy. According to one attorney, the case was appealed in the first place by the plaintiff, not the defendant. “Although this was only a partial victory for the defendant, it was actually the plaintiff who appealed the decision to the Appellate Division,” writes Christine Rodriguez in Above the Law. “That court further limited the order and directed plaintiff to provide only photographs posted on her Facebook account that she intended to use at trial. The defendants decided to appeal that order in the Court of Appeals and won.”
In fact, because the defendant didn’t appeal, it’s possible a future court may rule on the issue even more broadly, writes Martin Clearwater and Bell. “Since the defendant did not appeal from the Supreme Court Order which denied much of his original request, review by the Court of Appeals was limited to reinstating the discovery allowed by the Supreme Court’s Order,” it writes. “As a result it is possible that the Court of Appeals will reach these issues again, at which point it may allow even greater discovery into social media material.”
Rodriguez also notes that this limited ruling only applies to civil cases. “In criminal matters, courts often grant search warrants that may require disclosure of everything in a Facebook account,” she writes. “This is common in large scale drug and gang conspiracy cases where what someone else posts about you could be used as evidence to link you to the conspiracy – and then your whole Facebook account and every other social media account is fair game.”
One might say that the logical conclusion is that people should make sure they don’t have any such evidence – public or private – on their Facebook page or other social media account when filing a lawsuit. On the other hand, deleting such material, particularly once a lawsuit has been filed, could be seen as destroying evidence, writes Patrick M. Connors in the New York Law Review. “An attorney is permitted to advise a client to remove postings from a social media site, but cannot advise the client to destroy such information,” he writes. (The distinction between “removing” and “destroying” in this context isn’t clear.) He also cites the New York Rules of Professional Conduct, which provides that a lawyer “shall not suppress any evidence that the lawyer or the client has a legal obligation to reveal or produce.”
“While not addressed in Forman, lawyers advising clients regarding the contents of a social media site must be aware of potential disclosure obligations and the duty of preservation, which begins at the moment litigation is reasonably anticipated,” Connors writes. “Once litigation is reasonably anticipated, anything of potential relevance that is removed from a site must be preserved so a party can comply with any future obligations to produce the materials in disclosure.”
With all the strife going on right now, it’s nice to know that the world can come together on one day in mutual agreement. No, it’s not the Olympics, and that was last month, anyway. It’s World Backup Day.
In case you haven’t heard about it, World Backup Day is always celebrated on March 31, the day before April Fool’s Day, presumably to protect oneself against “tricks.” It’s intended to encourage users to set up regular backup practices for their data, both business and personal. First held in 2011, World Backup Day was actually spawned by a reddit discussion and is primarily intended for consumers who might otherwise lose pictures, music, and so on.
To be honest, it isn’t clear to what extent World Backup Day is still a thing. The Facebook and Twitter pages for World Backup Day haven’t been updated in a year, and the content on the website doesn’t have dates on it so it isn’t clear whether any of that is new either.
One thing that did get updated was the OnTrack survey on backups. According to that survey,– 67 percent of businesses and consumers use some sort of backup solution, but almost 20 percent of the respondents experienced a data loss in 2017, compared with 27 percent in 2016.
Of the people who did experience data loss, 33 percent were not using a backup, down from 37 percent in 2013 and 39 percent in 2015. The main reason respondents did use a backup solution was that they didn’t have enough time to research and administer one.
From the respondents who experienced a data loss in 2017, 43 percent were able to restore 75-100 percent of their data from their backup, while 11 percent were able to restore 40-75 percent of their data. The remaining respondents lost either most of their data or all of it. In 2016, 66 percent were able to restore 75-100 percent of their data, while11 percent could only retrieve 40-75 percent of the data.
The problem, OnTrack says, is that people don’t test their backups. 27 percent of the respondents test their backup weekly while 32 percent test once a month. The remaining respondents either test their backup once a year or never. In 2016 24 percent of the respondents tested their backup once a week, 34 percent at least once a month, and 13 percent do a backup check once a year and almost 24 percent never did.
While there aren’t any official sponsors for World Backup Day this year – another indication that it might be going by the wayside – a number of vendors do have specials going on to commemorate the day. (Not to mention, presumably, hoping to sell a few products.) They appear to be the primary ones keeping World Backup Day alive. They include:
And even the people who run websites explaining all the special days of the year.
Disclaimer: I am a BackBlaze customer.