Facebook will throw you under the bus

Tryin to ruin my name
Threw me under the bus
Riding all over the town
Spreading rumors around
Threw me under the bus
From Under the Bus by Lolene

In my previous post I explained why I left Facebook. Doing so freed up enough time to actually do another bl0g entry so it’s only apropos that this entry reinforce the idea that Facebook is not your friend. Unless of course your friends are conniving weasels who steal from you and will throw you under the bus in a heartbeat. Like being friends with Casey Anthony (but I digress). If you have friends like that then Facebook is what you are used to. If not then read on.

In this post by the oft quoted (by Security For All at any rate) Sharon D. Nelson, Esq. of the {ride the lightning} blog the following question is asked: How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?

According to Reuters, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts to the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism.

What interested me most is that these warrants demand a user’s “Neoprint” and “Photoprint” – terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook’s claim that the “Download Your Account” button gives you everything that Facebook itself possesses.

Facebook doesn’t tell users about the warrants to give them a chance to challenge those warrants legally.

Yikes! Talk about throwing your users under the bus. And without notice. As Sharon points out even Twitter has a policy of notifying users before they hand over anything to law enforcement. But not Facebook.

And then there is this post by fellow Security Blogger Carole Theriault in the nakedsecurity blog that asks Does using Facebook put you at more risk elsewhere on the internet?

The Pew Research Center has shown that the more time you spend on the internet, especially social networks like Facebook and Twitter, the more trusting you become.

Not just on social networks, but everywhere – both online and in real life.

With 30% of the world estimated to be online – about 80% of North America and 60% of Europe – and more than half of these users belonging to some social networking site, an increase in trust could have major impacts on how people interact in the future.

Does this mean that social network users will eventually become a bunch of loved-up hippies? It is really difficult for me to imagine what I would be like if I shed my cynical armour.

I shouldn’t really worry: while I study social networks all the time, I am more of a voyeur than a player. Let’s be honest here – I find them really scary.

Many users of social networks seem completely addicted – they are on there all the time, recording every event of their lives. It just seems so intrusive to me…and compulsive.

So the premise is that people on Facebook are more trusting than other internet users, and MUCH more trusting than non-internet users.

It seems clear to me that if Facebook users are genuinely more trusting, they are more at risk of online scams, both on and off social media sites.

Maybe research like this proves that social networking sites like Facebook and Twitter need to show greater interest in educating their users about being safe online.

One could argue that they should proactively protect their community against commonly encountered threats.

I agree that it would be swell if Facebook showed a greater interest in educating their users about being safe online but from where I sit I’ve only seen an interest in exploiting their users. But it is a great interest.

To borrow a soundbite (in spite of the lack of audio in this blog) from former First Lady Nancy Reagan, Just say No! to Facebook. Or friend Casey Anthony.

Why I left Facebook

Speak my friend, you look surprised
I thought you knew I’d come disguised
On angel wings, dressed in white
From Descent of the Archangel by Kamelot

Last week I finally had enough. The cumulative effect of every sleazy privacy-invading stunt that Messrs. Zuckerberg et al. have pulled was definitely part of the motivation. Also the recent departure of several of my security blogger “friends” including Richard Stiennon was another part. That, and the reality that I’m already following all of my blogger “friends’” blogs so Facebook was like a cheesy notification service of new blog entries which is not only redundant as news aggregators do a much better job, but includes tons of advertising which I was compelled to filter.

Then there was the simple fact that Facebook is an incredible time sink [read waste of time]. When I realized that the last two entries in this blog were Captain X-Ploit sagas – and the good captain doesn’t appear that often – it became clear that some priorities were seriously amiss. There were some mitigating factors of course, not the least of which is that I work for a company that builds actual products for actual customers and the particular actual product that I’m working on is getting close to release [disclaimer: this is not a product announcement since I have nothing to do with that kind of stuff and is not meant to imply or represent anything about Ricoh products] which means plenty of work and deadlines. And the fact that I spent any time on Facebook is hard to justify.

And then there was a post that was forwarding and reposting its way among my less technically savvy (or possibly delusional) “friends” that went like this.

Who says Facebook friends aren’t real friends?.. They enjoy seeing you on line everyday. Miss you when you’re not there. Send condolences when you lose a loved one. Send you wishes on your birthday. Enjoy the photos you post. Put a smile on your face when you’re down. Make you laugh when you feel like crying. Repost if you are grateful for your Facebook friends. I know I am.

Seriously? Come on folks – a Facebook “friend” is an online persona. They are NOT REAL PEOPLE. You may buy into the abstraction that your “friends” represent real people, but I for one have always been very open about the fact that my Facebook profile was completely fraudulent. This was to help mitigate the privacy infringing business model of Facebook. If you really don’t mind letting Facebook have its way “monetizing” your personal information with no compensation to you I guess that’s your choice. Sucker.

And then there’s the legal exposure. Yeah that’s right. Legal exposure. Here’s an example from the Electronic Discovery Law blog.

In this case arising from a car accident which the plaintiff claimed resulted in physical and psychological injuries, the parties invited the court to conduct a review of Plaintiff’s social networking accounts “in order to determine whether certain information contained within Plaintiff’s accounts is properly subject to discovery.” Using Plaintiff’s log-in information, the court reviewed Plaintiff’s Facebook account, including “a thorough review of Plaintiff’s ‘Profile’ postings, photographs, and other information.”

But the thing that finally caused me to bail from Facebook was the realization that the Facebook – and nearly all social networking sites’ – business model is fundamentally flawed. This is articulated quite nicely in this article by Bob Garfield in IEEE Spectrum entitled The Revolution Will Not Be Monetized.

1. If you build it and they come, does that guarantee that there’s money to be made? (Hint: No.)

2. Which of Facebook, YouTube, and Twitter will amass the millennium’s first megafortune and a borderless virtual state, with a vast population, political influence, economic clout, and a lair in a hollowed-out volcano from which to control the world’s weather? (Well, you can probably eliminate Twitter.)

3. The Wall Street valuations of companies like Facebook, which is worth US $85 billion on the secondary market, are stratospheric. Should we stockpile ammo and canned goods for when the bubble bursts? (Not a bad idea; remember Pets.com.)

According to the Interactive Advertising Bureau, U.S. advertisers spent $25 billion online in 2010—representing about 15 percent of the $164 billion U.S. ad market and, for the first time, a bit more than their spending on print newspapers. That was no small milestone. But here’s the thing: According to eMarketer, 31 percent of Americans’ media-consuming time in 2010 was spent online. Which means, speaking broadly, marketers valued new-media time only half as much as old-media time. And that’s the rose-colored view. Chris Anderson, curator of the TED Conferences, recently crunched numbers from Nielsen, Forrester Research, the Yankee Group, and other modelers to synthesize the value, medium by medium, of an individual’s time. Globally, print publications fetched $1 per hour of reader attention. TV got a quarter for a viewer hour. Online fetched “less than a dime.”

Why is online advertising such a poor stepchild? Well, extremely delightful and informative books with pale-blue and white covers have been written on this subject, but let’s reduce the problem to its essence: The endless supply of online content means an endless supply of places where ads could go, which by definition depresses demand and, with it, price. Period.

The second problem is more basic still. Ever click on a banner ad? Have you? Ever? Of course not, because why would you leave what you’re doing—especially socializing—to go listen to a sales pitch? The click-through rate, industry-wide, is less than 1 percent—and chalk some of that up to mouse error and click fraud. Some advertisers deal with this problem by popping ads into your face, blaring audio, or subjecting you to “preroll” video messages before the video you actually wish to see. As Anderson sagely observed to a Madison Avenue audience, that was an acceptable quid pro quo in the days of passive TV viewing. Online, though, users are active and in control. “If you take control away from them,” he said, “they will hate you.” Or, put another way: Online, all advertising is spam. These two structural problems leave two possibilities: Either advertising will never be the force in new media that it was in the five predigital centuries (a theory to which I personally subscribe), or someone will crack the code.

Yep. That pretty much covers it. When you are a Facebook “member” [read product] you are essentially trading your privacy for Facebook to convince advertisers that they can target you with spam better than their competitors. It’s not even as clever as Google’s for-fee search engine poisoning (er… Search Engine Optimization) and a whole lot more intrusive.

So there you have it. I really doubt that I will be missed on Facebook. Certainly not by Facebook themselves since I never provided them with any private information and probably not by any “friends” [read online personae that I found amusing] since those who matter in any real way can either call me or find me at this blog. All the others will probably find it refreshing to not be mocked with snarky comments when they post silly nonsense on their walls. And fear not, this blog is still represented on Facebook through the intrepid David Nicholas Stone, AKA Captain X-Ploit. Feel free to become a fan.

Oh – and to my “friend” Mark Zuckerberg - Take the money and run dude! It will get ugly when the investors sober up.

Social Network privacy officially an oxymoron

It’s good to know you’re thought of, it’s good someone should care
It’s good to know you’re trusted but not to know they’re there
Too late to shut your curtains they’ve caught you unaware
They’re not at your window man, they’re sitting in your chair
From Privacy Invasion by Exploited

I have attempted on numerous occasions, for example here, here and here, to get the point across that you have no reasonable expectation of privacy on social networks. Posting anything on Facebook or MySpace is the same as announcing it on network television. Only with more marginally sentient viewers. “Oh yeah, we already know all about that.” I hear you thinking (it’s a gift, my telepathy). “But that’s only on the public part of my Facebook page and stuff I post publicly to my friends’ pages. All my private stuff is password protected and, well, private”. Yeah. You wish. This entry in the Electronic Discovery Law blog describes a ruling that should disabuse you of those social networking privacy notions forever.

In this personal injury case, defendant sought access to plaintiff’s social network accounts and requested production of his user names, log-in names, and passwords.  Plaintiff objected, arguing that the information was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days and that plaintiff should not take steps to delete or alter the existing information on his social network accounts.

Holy social privacy slapdown, Batman! You mean that a court can compel you to [that means throw your fuzzy butt in jail if you don't] hand over your Facebook logins and passwords? Yes indeed. And that’s not all, folks. The judge in this case had some very specific points to make vis-à-vis social networking [emphasis mine].

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.

The court concluded that no person could reasonably expect that his communications on a social network site would remain confidential; that confidentiality was not essential to maintain the relationships between social network users; that the relationship between users was not one that the “community seeks to sedulously foster”; and that “whatever relational harm may be realized by social network computer site users [by disclosure of their communications] is undoubtedly outweighed by the benefit of correctly disposing of litigation.” As to the last point, the court went on to reason that “[a]s a general matter, a user knows that even if he attempts to communicate privately, his posts may be shared with strangers as a result of his friends’ selected privacy settings. The court thus sees little or no detriment to allowing that other strangers, i.e., litigants, may become privy to those communications through discovery.”

So you have only the right to be hoist by your own petard and your friends’ petards and their friends’ petards and so on. Privacy? Not so much. Actually, not at all. Not now. Not Ever. I would especially like to draw your attention to the statement: the relationship between users was not one that the “community seeks to sedulously foster”.  While you should definitely look up “sedulously”, I’ll translate as a public service: the “community” doesn’t give a rodent’s pa-toot about your relationships. Don’t ask, don’t tell, don’t care. And just in case you are still holding a glimmer of privacy hope allow me to allow the court to snuff that glimmer forever.

Where there is an indication that a person’s social network sites contain information relevant to the prosecution or defense of a lawsuit, therefore, and given Koken’s admonition that the courts should allow litigants to utilize “all rational means for ascertaining the truth.” 911 A.2d at 1027, and the law’s general dispreference for the allowances of privileges, access to those sites should be freely granted.

In case you doubt the veracity of my paraphrase and quoting abilities here is the full opinion.

RIP Social Network Privacy. We only wished we knew you.

E-discovery is hard

Sometimes life is hard like trying bail out the ocean with a spoon
Sometimes life is hard like trying to turn December into June
And sometimes life is hard like trying lasso a quarter moon
From Life Is Hard by Eric Durrance

I’m trying really hard to catch up on all of the e-discovery news I’ve been ignoring in favor of goofing off. It is summer after all and I don’t get paid nearly enough for doing this. Okay, so I don’t get paid at all for doing this. That certainly isn’t nearly enough. But as I was saying before I was sidetracked by my schizophrenic alter ego, while catching up on what’s happening in e-discovery and legal proceedings related to security and privacy I came across several articles that while seemingly unrelated really do have a common and interesting thread. One, in fact, actually being about threads. But I’m ahead of myself.

The first article comes from the Electronic Discovery Law blog and is entitled New York Court Provides Detailed Instruction on Protocol for Discovery of Cloned Hard Drive. The background of the story is this.

In this matrimonial action, plaintiff sought access to her husband’s (the defendant) office computer to determine his true financial condition. After denying plaintiff’s initial motion, the court directed (by stipulated order) that a clone of defendant’s office hard drive be made at plaintiff’s expense.  Thereafter, the court denied plaintiff’s motion for access to the cloned drive upon finding her request for unrestricted access overbroad. “Equally important” to the court was plaintiff’s failure to propose any protocol for investigation of defendant’s hard drive. The court instructed that should the plaintiff wish to renew her motion, her renewal “must contain a detailed, step-by-step discovery protocol that would allow for the protection of privileged and private material.”

So in other words the court said, “We’re not going to give you carte blanche to do anything you want with hubby’s financial data. You have to have a plan. Just like real e-discovery and forensics guys – not to be confused with TV CSI guys – do.” Furthermore, the court was good enough to provide such a plan to the plaintiff and her apparently clueless legal counsel. Here is the abbreviated list, but definitely check out the full text of the court’s opinion for some great information.

(a) Discovery Referee:  The parties [must] agree on an attorney referee, preferably someone with some technical expertise in computer science, to be appointed to supervise discovery.

(b) Forensic Computer Expert:  The parties [must] agree on a forensic computer expert who will inspect and analyze the [hard disk] clone.

(c) File Analysis:  The expert will analyze the clone for evidence of any download, installation, and/or utilization of any software program, application, or utility which has the capability of deleting or altering files so that they are not recoverable, extract all live files and file fragments and recover all deleted files and file fragments.

(d) Scope of Discovery:  Plaintiff will list the keyword and other searches she proposes to have the expert run on the files and file fragments, subject to a reasonably short time frame in [they] were created or modified.  Plaintiff is cautioned that she should narrowly tailor her search queries so as to expedite discovery and reduce the costs of litigation to the parties.

(e) First-Level Review:  The expert will run keyword or other searches on all of the extracted files and file fragments.  After performing searches, the expert will export to CDs or DVDs a copy of the native files and file fragments which were hit by such searches, and will deliver such media to defendant’s counsel to conduct a privilege review.  An exact copy of the media delivered to defendant’s counsel will be contemporaneously delivered by the expert to the referee.

(f) Second-Level Review:  Within twenty days after delivery of the media containing the extracted files and file fragments, defendant’s counsel will deliver to plaintiff’s counsel all non-privileged documents and information included in the extracted files and file fragments, together with a privilege log which identifies each document for which defendant claims privilege and describes the nature of the documents withheld, so as to enable plaintiff to assess the applicability of privilege.

(g) Discovery Disputes:  The referee will resolve any disputes concerning relevancy and privilege.

(h) Cost Sharing:  All costs for the expert will be borne by plaintiff, subject to any possible reallocation of costs at the conclusion of this action.

(i) Discovery Deadline:  The parties should agree to a fast-track discovery schedule.

(j) Retention of Clone:  The discovery referee will keep the clone until the action is concluded.

Yep – that’s quite a lot of detail. Certainly more than the “let’s clone hubby’s hard drive and take a look” that the plaintiff originally suggested (probably after watching CSI on TV). There’s a lot more to this e-discovery business than most people including, apparently, some lawyers think.

The next article comes from the e-discovery 2.0 blog and is entitled Courts Undecided on How to Handle Email Threads in Electronic Discovery. We’re all familiar with email threads, but just in case you’re not familiar with the “thread” terminology the article has a really good description.

Email allows us to communicate in a way that helps us associate context to our discussions, namely in its ability to be chained into a sequential thread when email users reply to or forward emails they previously received. This accomplishes two important tasks: 1) it allows the person sending the reply or forward to get an understanding of the issues so he/she can craft a meaningful response, and 2) it allows the person receiving the response to understand that response in the context of other on-going discussions. Email programs help by automatically including content from prior emails, thus producing a long chain of reference.

So see, you really knew what they were all along. Anyway, as you can imagine email threads are quite valuable as evidence in litigation. Quite a bit more so, in fact, than the individual messages on their own would be. But unfortunately for courts, even something as straightforward as email threads isn’t really that simple. Once again the idea of privilege rears its ugly (or beautiful depending on whether you get it or not) head.

The area of greatest confusion and uncertainty has been the determination of privilege when emails are exchanged with in-house counsel and attorneys and whether such emails are protected by attorney-client privilege or not. A central issue is the composition of privilege logs under these circumstances.

There are several legal opinions on the matter of intermingling privileged and non-privileged communications in an email chain. These opinions have left the matter with little clarity, especially regarding whether the entire email thread is privileged or whether individual emails must be separated out and classified as privileged, with a privilege log listing them. Typically, the most recent email in a thread contains all other emails in that thread. Separating out individual emails (i.e., the contained emails) from the containing email would allow for treatment of just the portions of the email thread that may have privilege. When such separation is permitted, some contained emails may be assessed as privileged while others may not. However, it is entirely possible that the contained email is also present as an independent email under possession of the same custodian or another custodian. When it is present, one could argue that the contained email can just be ignored, and if the corresponding email is responsive, one can ignore the contained email. But rarely does a collection include a complete set of custodians, so the question of whether the privilege log should include the contained item in question still remains. In terms of management of review, and for constructing a privilege log, treating the most recent email and all its contained emails as a single entity is less expensive and cleaner than separating and determining privilege status of each contained email.

Another complicating factor is simply a determination of privilege. Does the mere fact that an attorney was listed as a courtesy CC recipient make the entire email privileged? And, when such emails are then forwarded only to an attorney involved in the case, with a legal strategy discussed in the containing email, is only the new content added to the containing email privileged, or does the privilege determination extend to the other contained emails?

Wowzers! That makes my brain hurt. Confusing indeed. After some great legal references, the second article unfortunately devolves into a flack piece for the Clearwell E-Discovery Platform which you can read about if you are so inclined. Actually I’m being a bit harsh, since the author is simply stating the problem and presenting a product that helps solve the problem. I’m just not in the market.
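The containing/contained relationship described in the quoted article can be recovered from message headers. The Python below is an added example, not code from this blog or from the e-discovery 2.0 article: for the most recent email in each thread it uses the standard Message-ID, In-Reply-To and References headers to list which contained emails also exist as independent messages in the collection and which survive only inside the containing email. The custodians, addresses and messages are constructed sample data.

```python
import re
from email import message_from_string

MSGID_RE = re.compile(r"<[^<>\s]+>")

# Constructed sample collection: (custodian, raw message). Bob's mailbox was
# never collected, so his reply <m2@example.test> exists only as quoted text
# inside Alice's later email.
COLLECTION = [
    ("alice", "Message-ID: <m1@example.test>\n"
              "From: alice@example.test\n"
              "To: bob@example.test\nCc: carol@example.test\n"
              "Subject: Q3 numbers\n\nDraft figures attached.\n"),
    ("carol", "Message-ID: <m1@example.test>\n"
              "From: alice@example.test\n"
              "To: bob@example.test\nCc: carol@example.test\n"
              "Subject: Q3 numbers\n\nDraft figures attached.\n"),
    ("alice", "Message-ID: <m3@example.test>\n"
              "In-Reply-To: <m2@example.test>\n"
              "References: <m1@example.test> <m2@example.test>\n"
              "From: alice@example.test\nTo: counsel@example.test\n"
              "Subject: Fwd: Re: Q3 numbers\n\nPlease advise.\n"
              "> Bob wrote: these look wrong.\n"
              ">> Draft figures attached.\n"),
]


def ids(header_value):
    """Extract every <message-id> token from a header value (or None)."""
    return MSGID_RE.findall(header_value or "")


def index_collection(collection):
    """Return ({Message-ID: custodians holding a copy}, parsed messages)."""
    held, parsed = {}, []
    for custodian, raw in collection:
        msg = message_from_string(raw)
        mid = ids(msg["Message-ID"])
        if not mid:
            continue  # cannot place a message without an identifier
        held.setdefault(mid[0], set()).add(custodian)
        parsed.append(msg)
    return held, parsed


def contained_ids(msg):
    """Ancestor Message-IDs, oldest first, from References then In-Reply-To."""
    ordered = []
    for mid in ids(msg["References"]) + ids(msg["In-Reply-To"]):
        if mid not in ordered:
            ordered.append(mid)
    return ordered


def thread_report(collection):
    """Map each containing (most recent) email to its contained emails.

    Each contained email is marked 'independent' when some custodian also
    holds it as a separate message, or 'contained-only' when the collection
    has it solely inside the containing email.
    """
    held, parsed = index_collection(collection)
    referenced = {mid for msg in parsed for mid in contained_ids(msg)}
    report = {}
    for msg in parsed:
        mid = ids(msg["Message-ID"])[0]
        if mid in referenced or mid in report:
            continue  # an earlier email in a thread, or a duplicate copy
        ancestors = contained_ids(msg)
        if not ancestors:
            continue  # standalone message, contains nothing
        report[mid] = [
            (a, "independent" if a in held else "contained-only",
             sorted(held.get(a, ())))
            for a in ancestors
        ]
    return report


if __name__ == "__main__":
    for containing, contained in thread_report(COLLECTION).items():
        print(containing)
        for mid, status, custodians in contained:
            print("   ", mid, status, custodians)
```

Mail clients can omit or truncate References, so a header-based pass like this narrows the review set rather than settling which contained emails exist.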

So the common thread between these two articles is that admissible electronic evidence is not an easy, cheap or sometimes even well defined proposition. Which is why e-discovery and forensic specialists get paid the big bucks [Okay you e-discovery guys and gals can stop laughing now]. The points you can take from this are several including:

  1. If you are thinking of enrolling on one of those “become a CSI” courses, read this post and these articles over and over until you understand what they really mean. Then go to Vegas instead.
  2. If you are involved in litigation and your attorney suggests that you “snag the computer and take a look” for some evidence, point him/her to this blog entry as a handy reference on what “snag the computer and take a look” really involves. Then fire the fool and get an attorney with a clue.

Nasty attempt to destroy evidence

Eat it, eat it, eat it, eat it
If it’s gettin’ cold, reheat it
Have a big dinner, have a light snack
If you don’t like it, you can’t send it back
Just eat it, eat it, eat it, eat it
From Eat It by Weird Al Yankovic

And in news of the weird, we have this article from The Smoking Gun entitled Giga-Biter In Obstruction Charge that begs an entire post filled with genuine potty humor.

In a bold and bizarre attempt to destroy evidence seized during a federal raid, a New York City man grabbed a flash drive and swallowed the data storage device while in the custody of Secret Service agents.

Yowza! I would have loved to hear the e-discovery motions by the prosecution on this one. [The following scenario is entirely fictional and occurred only in the mind of the author].

Prosecutor: Your honor, in order to access the evidence acquired through the legal search warrant we will require a court order to administer laxatives and/or enema to the defendant.
Judge: WTF! Is that some new encryption protocol?

But sadly they were able to avoid any hilarious legal maneuvering the old fashioned way. Through collusion with friendly medical professionals.

When [the suspect] was unable to pass the item after about four days, doctors – concerned that the drive was not compatible with the suspect’s GI tract – concluded he “would be injured if they allowed the flash drive to remain inside of him”. [The suspect] eventually agreed to allow doctors at New York Downtown Hospital to remove the item, according to a source familiar with the incident.

I must concur that a flash drive is probably not compatible with your GI tract. Although passing it would definitely be a pain in the… Well, you get it. So, presumably after cleaning up the evidence, [this adds a whole new meaning to "sanitizing data"] there was still the question of whether the data was damaged by the tour of the suspect’s digestive system.

A Kingston executive said it was unclear if stomach acid could damage a flash drive. “As you might imagine, we have no actual experience with someone swallowing a USB device”.

Since the case is still pending, we have no idea of the ultimate disposition or disposal of the evidence. Or of the state of the suspect’s GI tract.

Left naked in the rain by social networking

I must have been out cold
But the way the story’s told
They found me lying naked in the rain
From Bible Black by Heaven and Hell

Any number of times in the past I’ve warned about the inherent lack of privacy with social networking in posts like this, this, this and even this. But this week Sharon Nelson of the {ride the lightning} Electronic Evidence blog had a very interesting post wherein she points out that employees who engage in social networking at work expose their employers as well as themselves.

So you have a policy against social networking on work computers? Who cares? Probably not your Millennial generation employees. 45% of them use social networking at work whether or not their employers have imposed policy restraints. Of course, you can use technology to block them from visiting these sites on their computers. And then they reach for their cell phones chanting the Millennial mantra, “There’s an app for that.”

That’s right Mr. CIO, pretty much leaves you naked in the rain. But it’s not all bad though, e-discovery folks like Sharon love these miscreants for the bounty they allow them to harvest. Well okay, maybe it is all bad for you. The post references this report from Accenture titled Jumping the Boundaries of Corporate IT which examines the Millennials’ use of technology. Some of the highlights include:

29% of those surveyed say that they don’t know if their company has a social networking policy.
17% say a policy has never been published.
11% say that what the company has published is too complex to understand.
11% say – in essence – screw the policy, I’ll do as I see fit.

If these little tidbits don’t have your IT security folks hyperventilating then you’re not paying attention. I’m thinking that it might be a really good idea to check out that Accenture report and try to understand how Millennials think and their proclivity for defying company policy and look for things that policy tells you shouldn’t exist. It’s not much but it’s better than being completely naked in the rain.

Web 2.0 Miranda

don’t say a word or we’ll surely expose
that it’s you who are wicked and vile
anything you say will be used against you
and now it is you here on trial
from Don’t Say a Word by Cici Porter

For a long time now I’ve tried to get folks to realize that there is nothing private or protected about social networking. To wit, these posts here and here. In case you think I’m overreacting you should check out this post by Sharon Nelson in the {ride the lightning} blog.

Recently, Facebook spokesman Andrew Noyes said that the company has created a team led by a former FBI employee to manage requests for information in criminal cases. According to Noyes, a big part of the job is explaining the applicable laws and the limitations on access to Facebook user information. He said that Facebook strives to respect the balance between law enforcement’s need for information and the privacy rights of citizens.

To be fair to Sharon’s point in the post, judges are increasingly ruling on the side of individual privacy in cases with requests to make social network content discoverable or admissible. But the fact that the number of such cases has increased to the point that Facebook needs a team to “manage requests for information in criminal cases” is my concern. It almost seems like this has progressed to the point that every social networking site should display your Miranda rights prominently. In actual fact Facebook does display, albeit not terribly prominently, something like that in their Privacy Policy.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.

Twitter has a similar statement in their privacy policy.

We may disclose your information if we believe that it is reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Twitter’s rights or property.

So what’s the big deal? These Web 2.0 sites have to comply with the law just like everybody else. Exactly. So think about that the next time you want to post a photo of that truly epic party. You know, the one with the funny pictures of you and your peeps totally hammered and passing the bong. Or maybe that post where you really let everyone know how you feel about your sleazy ex. Just remember that you have been “Mirandized”. Sort of. And to the extent you have any rights you didn’t waive by using the social network.

Does encryption imply expectation of privacy?

Recently Chris Webster, a law student at the University of Maryland Baltimore School of Law, started this email thread which I will present here with minimal editing in hopes that some experts or interested parties among you, dear readers, can chime in. Just so everyone is clear, a disclaimer: I’m fascinated by e-discovery and legal issues surrounding security and privacy and blog about these subjects fairly often. I’m not, however, an expert in this area. And I’m certainly not a lawyer. Having said that, let’s begin.

This article from the Wall Street Journal Law Blog Newsletter about an opinion Re United States, – F.Supp.2d -, 2009 WL 3416240 (D.Or. 2009) handed down by District Judge Mosman earlier this year is what started the exchange.

Here’s a question: Is it kosher for a law enforcement agency to, pursuant to a lawfully granted search warrant, search your Gmail account without telling you? According to [District Judge Mosman] the answer is yes.

The Fourth Amendment protects our homes from unreasonable searches and seizures, requiring that, absent special circumstances, the government obtain a search warrant based on probable cause before entering. . . . This is strong privacy protection for homes and the items within them in the physical world.

When a person uses the Internet, however, the user’s actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus, “private” information is actually being held by third-party private companies.

It is clear that notice is an essential part of the reasonableness calculus in judging searches and seizures under the Fourth Amendment. The Federal Public Defender has argued that this constitutional notice requirement supports [the view] that the copy of the warrant and receipt . . . must be provided to the subscriber to the e-mail account, rather than just to the ISP. The notice must be provided to the subscriber because the ISP “has a far lesser privacy interest in the content of its subscriber’s e-mails than the subscribers themselves.”

This argument fails to take into account the third party context in this case. If a suspect leaves private documents at his mother’s house and the police obtain a warrant to search his mother’s house, they need only provide a copy of the warrant and a receipt to the mother, even though she is not the “owner” of the documents. (citations omitted). In such a case, it is irrelevant that the suspect had a greater privacy interest in the content of the documents than did his mother. When he left the documents in her possession he no longer has a reasonable expectation of privacy in their contents.

Chris:

I think I found a judge who reads your blog…

Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.

I am concerned about the legal effect of this misunderstanding – are we entering a world in which all data storage is online, and so not protected by the constitution? For example, we just bought a scanner to upload our contracts and family records (bills, medical records, insurance and such).  I thought I was being a “good” lawyer when I decided to upload these to an online account. This way a disaster striking my home would not leave me without my vital records and contracts – my primary evidence in a contractual dispute. Now I am rethinking this. I never had the intention of opening those documents up to search and seizure without notification. Now my records live on a DVD in the bank vault – where the constitution still applies. DVDs in a bank vault, it’s a 19th century solution to a 21st century problem.

Very dicey topic. Thought you might want to weigh in.

Joe:

This judge is saying that on the internet you essentially have no reasonable expectation of privacy. While I agree wholeheartedly with his assessment, I would submit that the act of encrypting data that is sent into the cloud does, in fact, give you a reasonable expectation of privacy – that being the sole purpose of encrypting the data. Therefore, while I’m not sure what the legal standing is on this, it would seem like encrypted data that requires a privately held key, explicitly excluding routine data transmission encryption (e.g. HTTPS and SSL), is no different than a safe deposit box at the bank where you hold the key. In other words, while you may be compelled to provide the key subject to a court order, that court order would require probable cause.

I can certainly offer some advice with respect to the offsite archive of your personal data.

I have a Verisign OpenID (which you can get for free here). In the process you set up a “Personal Identity Portal” which includes an encrypted “File Vault” that holds 2 GB. That’s a lot of documents. I’m exceedingly paranoid so I encrypt everything prior to putting it in my file vault using SecureZip (which you can get for free here*) so there is minimal chance of exposure.

[* update 17-November-2010: SecureZip Express (free version) is no longer available. There is a 30-day trial available for free but the full product starts at $39US]

Chris:

If the Government seizes documents which are encrypted can they then seize the key from you? The request for the key would be effective notice of sorts, but would you have to provide it? I know this is a purely legal question, but I thought you might know the answer.

Joe:

Legally the answer is “yes” the government can compel you to reveal your password. Practically there are so many ways around it that the answer is “fat chance”. A really simple workaround would be for you to have an encrypted data store where only your wife has the key. A private key escrow. As you know your spouse can’t be compelled to testify (i.e. provide the key) against you.

The other point is that any encrypted data store whether online or not is not amenable to search. In other words you can’t even see what’s there so there is no way to know what’s in it. From the point of view of Google, a Verisign file vault doesn’t exist.

If you are really paranoid, Bruce Schneier has this article all about plausible deniability. The article is about securing laptops but the principles apply anywhere.

The bottom line is, sure the government can try to compel you to reveal encrypted data, but only if they know it exists. TrueCrypt has this guidance on plausible deniability. So to be completely safe and secure you could create a “hidden encrypted volume” inside an encrypted volume and upload the encrypted container to a Verisign file vault. With a little creative key management, you would be untouchable in any practical sense.

Now you may end up doing time for contempt of court or some bogus DHS charge but your data will be safe.

Chris:

Ok, this is heading into some really interesting legal waters. Building on your last comment,  I am not an expert on the criminal side, but I can tell you that on the civil side a judge can compel discovery. If you do not comply the Judge can order the jury to draw the negative inference (meaning that they will be instructed that the encrypted document is what the plaintiff says it is, and that it says what they say it says). There is however a safe harbor for electronic documents destroyed in the course of regular maintenance – I would be interested to see if this would include encryption keys which are time sensitive, or single use.

Switching to the criminal example we are working with – if my wife had a physical copy of the key (on a hard drive or otherwise) a judge could compel production of this in the same way he could make her give over a murder weapon. If it was memorized, I suppose she could refuse.

My concern wasn’t really with the compulsion to turn it over, it was the fact that you get no notice. This allows for secret searches (fishing expeditions)  to take place. Also, presumably they have probable cause, or the warrant in this case would not have been issued.

I do find the distinction between encrypted data and non-encrypted data, and the differing expectations of privacy intriguing. However, would your expectation of privacy survive the fact that the data is housed on another person’s machine? In the example the case offers, a letter on your mother’s table can be taken into evidence without your notice if your mother’s house is searched under a valid warrant. In that case the only one who gets notice is dear old mum. It is hard to argue the ruling would be different if you had the papers in a safe at mom’s place – the result would be the same, notice to mom, none to you. Would the same be true for packets of encrypted information on internet servers? Maybe you have an expectation of privacy with encrypted data (like with the safe) but the reality is governed by the physical location of the “evidence”. Once they have the encrypted data can they subpoena you, or your mom, or others, to compel the production of a key? I acknowledge this would give you notice. This is more proof that the internet is absolutely non-private, even when encryption leads to an expectation of privacy.

The problem is, the conclusion that the internet is a group of guest houses through which your packets pass, and at any given time are subject to ownership by the individual who runs the house, is a troubling roadblock for the development of the net. In order to streamline our society, the internet must at some point be viewed as an instant “post-office” type service. While people sometimes use the mail to do bad things, or even steal it, the Feds and suing parties can’t. In fact messing with people’s mail, even by carriers and third parties, is a crime. Shouldn’t the same model be imposed on the internet, even if it is a legal fiction? Wouldn’t such a model be better for the ISPs and users?

Joe:

The salient feature of encrypted data is that it is useless (i.e. random noise) without the decryption key. If you hold that key then clearly you must be notified in order to compel you to provide the key, otherwise there is no evidence.

For example, let’s say that the letter you left on mom’s table was encoded using a one-time-pad. The letter is seized under a valid court order. What have they got? Diddley. Just some weird random text on a page that is meaningless until the key – which only you have – is applied to it.

Now they can try to decode it, but the chances of success are exceedingly unlikely. They may attempt to compel you to provide the key, at which point if you refuse, you may get slapped with contempt or adverse inference but either way you get notified.

So unless they can make the case that some random collection of bits is anything more than just that, it will be impossible to use it for a fishing expedition. The point being, who cares if they seize it, it’s useless.

The original court opinion was with respect to GMail type services where your data is stored in cleartext for anyone who has the legal authority or technical prowess to see. But even the U.S. government would have a hard time deciphering AES 256 encrypted data without the key in your lifetime.

As for the instant “post-office” model legal fiction you suggest, that’s called “Net Neutrality” and the main groups opposed to it are the entertainment industry who wants to control their copyrighted content (same clowns, different circus) and some large ISPs that would like to give precedence to their own content over competitors (everybody thinks they can be Microsoft). Of course that’s not what they’re saying, but it essentially boils down to that. For the record, I agree that net neutrality would be much better for ISPs and net users alike. Whether they recognize it or not.
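The one-time-pad point made in the thread above, as an added example that is not part of the original e-mails: the stored bytes are consistent with every message of the same length, so they carry no information without the pad, and the guarantee collapses if a pad is ever reused. The sample messages and function names are constructed for illustration.

```python
import secrets
from typing import Optional, Tuple

# Constructed sample messages (not from the original thread), padded to equal length.
LETTER = b"Family records: policy 0000, box 12"
OTHER = b"Shopping list: eggs, milk".ljust(len(LETTER), b".")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; a short or long pad is an error."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (pad, ciphertext). A fresh random pad is drawn unless one is given."""
    if pad is None:
        pad = secrets.token_bytes(len(plaintext))
    return pad, xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Recover the message; only the holder of the pad can do this."""
    return xor_bytes(ciphertext, pad)


def pad_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` would decrypt to `candidate`.

    One exists for every candidate of the same length, which is why the
    ciphertext alone says nothing about the message except its length.
    """
    return xor_bytes(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Failure mode: two ciphertexts under the SAME pad XOR to p1 XOR p2."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    pad, stored = otp_encrypt(LETTER)
    print("held by the third party:", stored.hex())
    print("with the pad           :", otp_decrypt(stored, pad))
    alt = pad_consistent_with(stored, OTHER)
    print("same bytes, other pad  :", otp_decrypt(stored, alt))
    _, second = otp_encrypt(OTHER, pad)  # pad reused here only to show the leak
    print("pad reuse leaks p1^p2  :", reuse_leak(stored, second) == xor_bytes(LETTER, OTHER))
```

AES-256, also mentioned in the thread, gives computational rather than information-theoretic secrecy, using a short reusable key in place of a message-length pad.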

Exposing yourself Web 2.0 style

Everybody knows that social networking sites are notorious for their ill-advised exhibitionism. Folks who are reasonably demure and respectable in person get their freak on when it comes to Facebook or MySpace. Yep, insert an internet connection between them and the world and the gloves come off. Or rather only the gloves stay on. I’ve written about this phenomenon before and warned of the need to take your online shadow seriously. But increasingly the exposure these social network exhibitionists face is more than simply embarrassment and ridicule on a worldwide scale. Prosecutors have discovered a veritable treasure trove of unprotected self-incriminating evidence on social networking sites. This entry in the Electronic Discovery Law blog describes just such a case.

Defendant was found guilty of murdering a two year old girl left in his care and was sentenced to life in prison without parole.  On appeal, [he] argued that the trial court improperly admitted evidence from his MySpace account in violation of Ind. R. Evid. 404(b).  Taking up the “novel question” of the propriety of admitting such evidence, the Supreme Court of Indiana ruled that the trial court did not err in admitting the evidence, particularly where [his] own testimony made his character a “central issue” of his defense.  The verdict and sentence were therefore affirmed.

Yikes! Hoist by his own petard as it were. While most Web 2.0 exhibitionists are no doubt posers and certainly not murderers or child abusers, it’s going to be a little embarrassing – not to say legally damaging – if they ever find themselves a defendant in a criminal or legal proceeding where their chief defense is good character and their Facebook page proclaims “Gangsta 4Evah!”.

But there are further exposures as well as illustrated in this entry by Christopher Boyd on the SpywareGuide blog.

Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer “Hacked Facebook and Photobucket accounts” for a price.

Yes, the site is actually called “Hackedsluts.com” and claims to offer up an endless series of images from “hacked” accounts including Myspace, Photobucket and Facebook in return for a monthly fee.

Just when you think they can’t possibly get any creepier or salacious, [they] throw in dubious claims of hacked accounts / stolen images AND [they] lob in a blood splattered “Too extreme” banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Disturbing indeed. While I agree with Christopher when he concludes that the bulk of the content on “Hackedsluts.com” is made up of stock pornographic content and almost certainly not the result of hacking social networking sites, the fact that there is an actual market for such content is a very distasteful realization. We all know what happens when you mix unsavory and illicit demand with criminal entrepreneurs. Clearly there are people out there who would pay to see you acting the tart. Only you don’t get paid (like a proper tart). That’s being a pro-bono hooker, which is just stupid. And what happens when your future boss turns out to be a Hackedsluts.com aficionado? Good luck with those sexual harassment claims. Or how about when your future ex-spouse sues for custody of your kids?

So the next time you feel like exposing yourself to the world, kick it old school and just get naked, throw on a trench coat and flash the neighbors. The indecent exposure misdemeanor will be way less exposure than an ill-considered photo on MySpace.

Baseball and e-discovery

It’s not often that I get to write about two of my favorite yet unrelated things in a single blog entry. In this serendipitous case the two things are Major League Baseball and E-discovery. Or more specifically a ruling about discovery in the infamous investigation of steroid use by MLB players. This entry in the Electronic Discovery Law blog sums the deliciously ugly business up nicely.

The Justice Department’s aggressive steroids probe has led the 9th U.S. Circuit Court of Appeals to enunciate a new set of Fourth Amendment protections for the digital age.

In an en banc opinion Wednesday that split conservatives on the court, Chief Judge Alex Kozinski said federal agents were wrong to seize swaths of drug test results from labs in Nevada and California.  The computer files taken by the government revealed information about far more people — including professional baseball players and others — than allowed by a search warrant.

Whoa! Let me get this straight, the U.S. Attorney’s office did a wholesale snatch of confidential information? To paraphrase a famous baseball quote, “Say it ain’t so!”

Or more appropriately given recent entries in Security For All, “It’s deja vu all over again”.

For complete details check out the Westlaw document (in MS Word format) with the full opinion.