Social Network privacy officially an oxymoron

It’s good to know you’re thought of, it’s good someone should care
It’s good to know you’re trusted but not to know they’re there
Too late to shut your curtains they’ve caught you unaware
They’re not at your window man, they’re sitting in your chair
From Privacy Invasion by Exploited

I have attempted on numerous occasions, for example here, here and here, to get the point across that you have no reasonable expectation of privacy on social networks. Posting anything on Facebook or MySpace is the same as announcing it on network television. Only with more marginally sentient viewers. “Oh yeah, we already know all about that.” I hear you thinking (it’s a gift, my telepathy). “ But that’s only on the public part of my Facebook page and stuff I post publicly to my friends’ pages. All my private stuff is password protected and, well, private“. Yeah. You wish. This entry in the Electronic Discovery Law blog describes a ruling that should disabuse you of those social networking privacy notions forever.

In this personal injury case, defendant sought access to plaintiff’s social network accounts and requested production of his user names, log-in names, and passwords.  Plaintiff objected, arguing that the information was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days and that plaintiff should not take steps to delete or alter the existing information on his social network accounts.

Holy social privacy slapdown, Batman! You mean that a court can compel you to [that means throw your fuzzy butt in jail if you don't] hand over your Facebook logins and passwords? Yes indeed. And that’s not all, folks. The judge in this case had some very specific points to make vis-à-vis social networking [emphasis mine].

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.

The court concluded that no person could reasonably expect that his communications on a social network site would remain confidential; that confidentiality was not essential to maintain the relationships between social network users; that the relationship between users was not one that the “community seeks to sedulously foster”; and that “whatever relational harm may be realized by social network computer site users [by disclosure of their communications] is undoubtedly outweighed by the benefit of correctly disposing of litigation.” As to the last point, the court went on to reason that “[a]s a general matter, a user knows that even if he attempts to communicate privately, his posts may be shared with strangers as a result of his friends’ selected privacy settings.  The court thus sees little or no detriment to allowing that other strangers, i.e., litigants, may become privy to those communications through discovery.

So you have only the right to be hoist by your own petard and your friends’ petards and their friends’ petards and so on. Privacy? Not so much. Actually, not at all. Not now. Not Ever. I would especially like to draw your attention to the statement: the relationship between users was not one that the “community seeks to sedulously foster”.  While you should definitely look up “sedulously”, I’ll translate as a public service: the “community” doesn’t give a rodent’s pa-toot about your relationships. Don’t ask, don’t tell, don’t care. And just in case you are still holding a glimmer of privacy hope allow me to allow the court to snuff that glimmer forever.

Where there is an indication that a person’s social network sites contain information relevant to the prosecution or defense of a lawsuit, therefore, and given Koken’s admonition that the courts should allow litigants to utilize “all rational means for ascertaining the truth.” 911 A.2d at 1027, and the law’s general dispreference for the allowances of privileges, access to those sites should be freely granted.

In case you doubt the veracity of my paraphrase and quoting abilities here is the full opinion.

RIP Social Network Privacy. We only wished we knew you.

Is privilege transitive?

A little less than a year ago in a post called No privilege for you! a situation was discussed where communication that appears on the surface to be clearly privileged, that between a client and attorney, was not. Due to the circumstances of the communication. Namely it was an email thread that took place over a corporate email network where the court deemed that there was no reasonable expectation of privacy due to the corporate policy. No expectation of privacy, no privilege. Well now we have yet another twist in the attorney client privilege for email saga. In this entry in Electronic Discovery Law blog the situation is described as follows.

The magistrate judge rejected the explanation of plaintiffs’ son that his “technical assistance was necessary for his parents to timely receive the email communications from counsel” because his parents were “not proficient in the use [of] electronic mail.”  The magistrate judge reasoned that “[l]ack of technical competence … is not the equivalent of an inability to communicate.

Now hang on just a darn minute! This magistrate is saying that if you need help getting your email then any correspondence with your attorney isn’t privileged? Apparently this is a really young judge with no older parents or grandparents. A millennial orphan perhaps. Or possibly a tech-savvy computer senior who just wants to punish his internet-illiterate peers. In any case I can assure you that if my mom’s lawyer sent her an email, her first call would be to me to make sure she got it with no problems. Fortunately the district court that reviewed the issue when the plaintiffs objected to the order took a more realistic view.

The district court identified an exception to the principle that communications involving third parties are generally not privileged where “the purpose of the communication [to a third party] is to assist the attorney in rendering advice to the client” and where the party asserting the privilege can establish that the client had a reasonable expectation of privacy with respect to the communication at issue and that disclosure to the third party was necessary for the client to obtain informed legal advice.  The court further established that disclosure to an agent of the attorney or the client does not result in waiver.

Actually New York State law is pretty clear on this matter.

New York State law addressing the “attorney-client privilege’s application in the context of electronic communications, including email.”  Section 4548 of the New York Civil Practice Law and Rules states:  “No communication … shall lose its privileged character for the sole reason that it is communication by electronic means or because persons necessary for the delivery or facilitation of such electronic communications may have access to the content of the communication.

So this certainly brings up some interesting questions. With almost all communications happening electronically over the internet and with more lawyers and doctors becoming aware of the need to protect correspondence with clients and patients as a result of regulatory compliance, the mechanisms that will be put in place to protect these communications are only going to make it more complex for a large portion of the recipients. This will necessitate ever more assistance from tech-savvy helpers. I mean seriously, there’s no way you can expect my mom to be able to decrypt email without assistance. So does that  imply that if I help my mom (don’t worry she loves it when I use her as an example – right mom?) communicate with her lawyer electronically that the privilege is transitive to me? I mean her privilege. I certainly wouldn’t expect privilege to extend to unrelated correspondence between her lawyer and me. But if so how far does the transitive privilege extend? To children? Siblings? Cousins? Any relative? Friends? Nigerian princes? [just kidding]. In any case this is an important question that will no doubt be tested further in courts as technology continues to outstrip the ability of an ever larger portion of the population to comprehend it.

E-discovery is hard

Sometimes life is hard like trying bail out the ocean with a spoon
Sometimes life is hard like trying to turn December into June
And sometimes life is hard like trying lasso a quarter moon
From Life Is Hard by Eric Durrance

I’m trying really hard to catch up on all of the e-discovery news I’ve been ignoring in favor of goofing off. It is summer after all and I don’t get paid nearly enough for doing this. Okay, so I don’t get paid at all for doing this. That certainly isn’t nearly enough. But as I was saying before I was sidetracked by my schizophrenic alter ego, while catching up on what’s happening in e-discovery and legal proceedings related to security and privacy I came across several articles that while seemingly unrelated really do have a common and interesting thread. One, in fact, actually being about threads. But I’m ahead of myself.

The first article comes from the Electronic Discovery Law blog and is entitled New York Court Provides Detailed Instruction on Protocol for Discovery of Cloned Hard Drive. The background of the story is this.

In this matrimonial action, plaintiff sought access to her husband’s (the defendant) office computer to determine his true financial condition. After denying plaintiff’s initial motion, the court directed (by stipulated order) that a clone of defendant’s office hard drive be made at plaintiff’s expense.  Thereafter, the court denied plaintiff’s motion for access to the cloned drive upon finding her request for unrestricted access overbroad. “Equally important” to the court was plaintiff’s failure to propose any protocol for investigation of defendant’s hard drive. The court instructed that should the plaintiff wish to renew her motion, her renewal “must contain a detailed, step-by-step discovery protocol that would allow for the protection of privileged and private material.”

So in other words the court said, “We’re not going to give you carte blanche to do anything you want with hubby’s financial data. You have to have a plan. Just like real e-discovery and forensics guys – not to be confused with TV CSI guys – do. Furthermore, the court was good enough to provide such a plan to the plaintiff and her apparently clueless legal counsel. Here is the abbreviated list, but definitely check out the full text of the court’s opinion for some great information.

(a) Discovery Referee:  The parties [must] agree on an attorney referee, preferably someone with some technical expertise in computer science, to be appointed to supervise discovery.

(b) Forensic Computer Expert:  The parties [must] agree on a forensic computer expert who will inspect and analyze the [hard disk] clone.

(c) File Analysis:  The expert will analyze the clone for evidence of any download, installation, and/or utilization of any software program, application, or utility which has the capability of deleting or altering files so that they are not recoverable, extract all live files and file fragments and recover all deleted files and file fragments.

(d) Scope of Discovery:  Plaintiff will list the keyword and other searches she proposes to have the expert run on the files and file fragments, subject to a reasonably short time frame in [they] were created or modified.  Plaintiff is cautioned that she should narrowly tailor her search queries so as to expedite discovery and reduce the costs of litigation to the parties.

(e) First-Level Review:  The expert will run keyword or other searches on all of the extracted files and file fragments.  After performing searches, the expert will export to CDs or DVDs a copy of the native files and file fragments which were hit by such searches, and will deliver such media to defendant’s counsel to conduct a privilege review.  An exact copy of the media delivered to defendant’s counsel will be contemporaneously delivered by the expert to the referee.

(f) Second-Level Review:  Within twenty days after delivery of the media containing the extracted files and file fragments, defendant’s counsel will deliver to plaintiff’s counsel all non-privileged documents and information included in the extracted files and file fragments, together with a privilege log which identifies each document for which defendant claims privilege and describes the nature of the documents withheld, so as to enable plaintiff to assess the applicability of privilege.

(g) Discovery Disputes:  The referee will resolve any disputes concerning relevancy and privilege.

(h) Cost Sharing:  All costs for the expert will be borne by plaintiff, subject to any possible reallocation of costs at the conclusion of this action.

(i) Discovery Deadline:  The parties should agree to a fast-track discovery schedule.

(j) Retention of Clone:  The discovery referee will keep the clone until the action is concluded.

Yep – that’s quite a lot of detail. Certainly more than the “let’s clone hubby’s hard drive and take a look” that the plaintiff originally suggested (probably after watching CSI on TV). There’s a lot more to this e-discovery business than most people including, apparently, some lawyers think.

The next article comes from the e-discovery 2.0 blog and is entitled Courts Undecided on How to Handle Email Threads in Electronic Discovery. We’re all familiar with email threads, but just in case you’re not familiar with the “thread” terminology the article has a really good description.

Email allows us to communicate in a way that helps us associate context to our discussions, namely in its ability to be chained into a sequential thread when email users reply to or forward emails they previously received. This accomplishes two important tasks: 1) it allows the person sending the reply or forward to get an understanding of the issues so he/she can craft a meaningful response, and 2) it allows the person receiving the response to understand that response in the context of other on-going discussions. Email programs help by automatically including content from prior emails, thus producing a long chain of reference.

So see you really knew what they were all along. Anyway, as you can imagine email threads are quite valuable as evidence in litigation. Quite a bit more so, in fact, than the individual messages on their own would be. But unfortunately for courts, even something as straightforward as email threads isn’t really that simple. Once again the idea of priviledge rears it’s ugly (or beautiful depending on whether you get it or not) head.

The area of greatest confusion and uncertainty has been the determination of privilege when emails are exchanged with in-house counsel and attorneys and whether such emails are protected by attorney-client privilege or not. A central issue is the composition of privilege logs under these circumstances.

There are several legal opinions on the matter of intermingling privileged and non-privileged communications in an email chain. These opinions have left the matter with little clarity, especially regarding whether the entire email thread is privileged or whether individual emails must be separated out and classified as privileged, with a privilege log listing them. Typically, the most recent email in a thread contains all other emails in that thread. Separating out individual emails (i.e., the contained emails) from the containing email would allow for treatment of just the portions of the email thread that may have privilege. When such separation is permitted, some contained emails may be assessed as privileged while others may not. However, it is entirely possible that the contained email is also present as an independent email under possession of the same custodian or another custodian. When it is present, one could argue that the contained email can just be ignored, and if the corresponding email is responsive, one can ignore the contained email. But rarely does a collection include a complete set of custodians, so the question of whether the privilege log should include the contained item in question still remains. In terms of management of review, and for constructing a privilege log, treating the most recent email and all its contained emails as a single entity is less expensive and cleaner than separating and determining privilege status of each contained email.

Another complicating factor is simply a determination of privilege. Does the mere fact that an attorney was listed as a courtesy CC recipient make the entire email privileged? And, when such emails are then forwarded only to an attorney involved in the case, with a legal strategy discussed in the containing email, is only the new content added to the containing email privileged, or does the privilege determination extend to the other contained emails?

Wowzers! That makes my brain hurt. Confusing indeed. After some great legal references, the second article unfortunately devolves into a flack piece for the Clearwell E-Discovery Platform which you can read about if you are so inclined. Actually I’m being a bit harsh, since the author is simply stating the problem and presenting a product that helps solve the problem. I’m just not in the market.

So the common thread between these two articles is that admissible electronic evidence is not an easy, cheap or sometimes even well defined proposition. Which is why e-discovery and forensic specialists get paid the big bucks [Okay you e-discovery guys and gals can stop laughing now]. The points you can take from this are several including:

  1. If you are thinking of enrolling on one of those “become a CSI” courses, read this post and these articles over and over until you understand what they really mean. Then go to Vegas instead.
  2. If you are involved in litigation and your attorney suggests that you “snag the computer and take a look” for some evidence, point him/her to this blog entry as a handy reference on what “snag the computer and take a look” really involves. Then fire the fool and get an attorney with a clue.

Maybe privilege for you after all

In an earlier post entitled No privilege for you! I wrote about how an employee’s attorney-client privilege was not applicable because communication with his attorney took place via his employer’s email and therefore there was no reasonable expectation of privacy. In that case the e-mail communication in question took place on the employer’s internal email system via hardware owned by the employer. The four factors the court set forth for consideration in determining whether an employee has a reasonable expectation of privacy in computer files or email are worth repeating here.

  1. does the corporation maintain a policy banning personal or other objectionable use,
  2. does the company monitor the use of the employee’s computer or email,
  3. do third parties have a right of access to the computer or e-mails, and
  4. did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?

Recently a similar case, with a subtly different twist received a completely different ruling from the Supreme Court of New Jersey. This entry in Electronic Discovery Law blog reports it as follows.

Stengart v. Loving Care Agency, Inc., 2010 WL 1189458 (N.J. Mar. 30, 2010)

In this employment litigation, the Supreme Court of New Jersey addressed whether employees have a reasonable expectation of privacy as to attorney-client privileged emails sent and received on a work computer. The court held that under the circumstances presented, the employee/plaintiff did have a reasonable expectation of privacy as to emails with her attorney. Additionally, the court remanded the case to the trial court to determine what, if any, sanctions should be imposed upon defense counsel for reading and utilizing the emails at issue, despite indications that they were protected as privileged.

So what makes the circumstances of this case different from the first case wherein the court ruled that the email in question was not protected by the attorney-client privilege because the defendant had no reasonable expectation of privacy? Well, it turns out there was at least one major difference. Ellen Messmer in this article in Network World describes the circumstances of this case.

[The employee's] lawyers and [employer's] own team of lawyers had been squabbling over whether [employer], which had collected [employee's] e-mail after she filed suit against the company, had to turn over to [employee's] lawyers the half-dozen or so Webmail-based e-mails the company had managed to capture as forensic evidence.
These were e-mails [employee] had sent via her personal password-protected Yahoo account to her lawyers before her resignation; [employee's] lawyers also wanted [employer's] lawyers disqualified in the case. [Employer's] lawyers argued [employee] had no reasonable expectation of privacy in files on a company-owned computer in light of the company’s electronic communications policy.
[Employee] had sent the e-mail via her Yahoo account via her work computer at the office, not her corporate e-mail account. [Employer's] lawyers argued that [employee] “had no reasonable expectation of privacy in files on a company-owned computer in light of the company’s policies on electronic communications,” a court document states. [Employee] argued she had been given no warning that e-mail sent from a personal account would be monitored or stored.
According to a court document, [Employer's] policy states the home care services firm may review, access, and disclose “all matters on the company’s media systems and services at any time,” and also stated that e-mail, Internet communications and computer files are the company’s business records and are “not to be considered private and personal” to employees. It also stated “occasional personal use is permitted.”

So the key difference was that in this case the employee, while utilizing the employer’s computer at the employer’s site was communicating via her personal e-mail account – not the corporate e-mail system. So this certainly sets aside the prevailing notion that there is no reasonable expectation of privacy when using your employer’s computer. Unfortunately it’s not that clear. Not yet anyway. As this summary of the history of the case shows.

Upon leaving her position and filing her complaint, [her] former employer hired experts to create a forensic image of [her] laptop. The emails, which had been stored in the laptop’s temporary files, were recovered, passed on to counsel, and eventually utilized in the course of discovery. Upon learning of defense counsel’s possession of the emails, [employee’s] counsel demanded their immediate return. Defense counsel refused, and the issue went before the court. The superior court decided in favor of [employer] and held that there was no breach of attorney-client privilege “because policy placed [employee] on sufficient notice that her emails would be considered company property”. The appellate court held that the policy upon which the trial court relied could allow an objective reader to conclude that not all personal emails were company property and reversed the trial court. The issue was then appealed to the Supreme Court. The Supreme Court found in favor of [employee].

There is another key issue here related to the use of Webmail: The employer had to resort to extraordinary means – a forensic analysis of the computer – to actually retrieve the e-mail in question. This also figured in the court’s analysis of the case.

Beginning its analysis with an evaluation of the policy addressing an employee’s personal computer use, the Supreme Court determined that the scope of [employer's] written policy was “not entirely clear.”  The ambiguity resulted from the policy’s failure to specifically address personal emails, from the lack of warning that the contents of all emails were stored on the users’ computers and could be forensically retrieved and read later, and from the policy’s explicit statement that “occasional personal use [of email] is permitted.”

The court found that “[employee] had a reasonable expectation of privacy in the emails she exchanged with her attorney on [employer’s] laptop.” Specifically, the court noted that [employee] “took steps to protect the privacy of those emails” by using a personal, password-protected email account and by not saving the password on her computer. “In other words, she had a subjective expectation of privacy in messages to and from her lawyer discussing the subject of the future lawsuit.” The court also cited the ambiguity of the policy, as explained above, in support of her “objectively reasonable” expectation of privacy and also that noted the emails were neither illegal nor inappropriate and that the emails were marked as privileged.

But don’t start celebrating this new reasonable expectation of privacy on personal communications from your employer’s equipment too soon. The court concluded that your employer still has the right to enforce electronic communication policies that you might consider quite invasive of your privacy. In other words your expectation of privacy with respect to your work laptop is not reasonable in light of a well written policy.

Regarding the effect of their conclusion, the court stated:

Our conclusion that [employee] had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers. Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual–that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company’s computer system–would not be enforceable.

So there you have it. Maybe some privilege for you after all.

Web 2.0 Miranda

don’t say a word or we’ll surely expose
that it’s you who are wicked and vile
anything you say will be used against you
and now it is you here on trial
from Don’t Say a Word by Cici Porter

For a long time now I’ve tried to get folks to realize that there is nothing private or protected about social networking. To wit, these posts here and here. In case you think I’m overreacting you should check out this post by Sharon Nelson in the {ride the lightning} blog.

Recently, Facebook spokesman Andrew Noyes said that the company has created a team led by a former FBI employee to manage requests for information in criminal cases. According to Noyes, a big part of the job is explaining the applicable laws and the limitations on access to Facebook user information. He said that Facebook strives to respect the balance between law enforcement’s need for information and the privacy rights of citizens.

To be fair to Sharon’s point in the post, judges are increasingly ruling on the side of individual privacy in cases with requests to make social network content discoverable or admissible. But the fact that the number of such cases have increased to the point that FaceBook needs a team to “manage requests for information in criminal cases” is my concern. It almost seems like this has progressed to the point that every social networking site should display your Miranda rights prominently. In actual fact FaceBook does display, albeit not terribly prominently, something like that in their Privacy Policy.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.

Twitter has a similar statement in their privacy policy.

We may disclose your information if we believe that it is reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Twitter’s rights or property.

So what’s the big deal? These Web 2.0 site have to comply with the law just like everybody else. Exactly. So think about that the next time you want to post a photo of that truly epic party. You know, the one with the funny pictures of you and your peeps totally hammered and passing the bong. Or maybe that post where you really let everyone know how you feel about your sleazy ex. Just remember that you have been “Mirandized”. Sort of. And to the extent you have any rights you didn’t waive by using the social network.

Does encryption imply expectation of privacy?

Recently Chris Webster, a law student at the University of Maryland Baltimore School of Law, started this email thread which I will present here with minimal editing in hopes that some experts or interested parties among you, dear readers, can chime in. Just so everyone is clear, a disclaimer: I’m fascinated by e-discovery and legal issues surrounding security and privacy and blog about these subjects fairly often. I’m not, however, an expert in this area. And I’m certainly not a lawyer. Having said that, let’s begin.

This article from the Wall Street Journal Law Blog Newsletter about an opinion Re United States, – F.Supp.2d -, 2009 WL 3416240 (D.Or. 2009) handed down by District Judge Mosman earlier this year is what started the exchange.

Here’s a question: Is it kosher for a law enforcement agency to, pursuant to a lawfully granted search warrant, search your Gmail account without telling you? According to [District Judge Mosman] the answer is yes.

The Fourth Amendment protects our homes from unreasonable searches and seizures, requiring that, absent special circumstances, the government obtain a search warrant based on probable cause before entering. . . . This is strong privacy protection for homes and the items within them in the physical world.

When a person uses the Internet, however, the user’s actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus, “private” information is actually being held by third-party private companies.

It is clear that notice is an essential part of the reasonableness calculus in judging searches and seizures under the Fourth Amendment. The Federal Public Defender has argued that this constitutional notice requirement supports [the view] that the copy of the warrant and receipt . . . must be provided to the subscriber to the e-mail account, rather than just to the ISP. The notice must be provided to the subscriber because the ISP “has a far lesser privacy interest in the content of its subscriber’s e-mails than the subscribers themselves.”

This argument fails to take into account the third party context in this case. If a suspect leaves private documents at his mother’s house and the police obtain a warrant to search his mother’s house, they need only provide a copy of the warrant and a receipt to the mother, even though she is not the “owner” of the documents. (citations omitted). In such a case, it is irrelevant that the suspect had a greater privacy interest in the content of the documents than did his mother. When he left the documents in her possession he no longer has a reasonable expectation of privacy in their contents.

Chris:

I think I found a judge who reads your blog…

Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.

I am concerned about the legal effect of this misunderstanding – are we entering a world in which all data storage is online, and so not protected by the constitution? For example, we just bought a scanner to upload our contracts and family records (bills, medical records, insurance and such).  I thought I was being a “good” lawyer when I decided to upload these to an online account. This way a disaster striking my home would not leave me without my vital records and contracts – my primary evidence in a contractual dispute. Now I am rethinking this. I never had the intention of opening those documents up to search and seizure without notification. Now my records live on a DVD in the bank vault – where the constitution still applies. DVDs in a bank vault, it’s a 19th century solution to a 21st century problem.

Very dicey topic. Thought you might want to weigh in.

Joe:

This judge is saying that on the internet you essentially have no reasonable expectation of privacy. While I agree wholeheartedly with his assessment, I would submit that the act of encrypting data that is sent into the cloud does, in fact, give you a reasonable expectation of privacy – that being the sole purpose of encrypting the data. Therefore, while I’m not sure what the legal standing is on this, it would seem like encrypted data that requires a privately held key, explicitly excluding routine data transmission encryption (e.g. HTTPS and SSL), is no different than a safe deposit box at the bank where you hold the key. In other words, while you may be compelled to provide the key subject to a court order, that court order would require probable cause.

I can certainly offer some advice with respect to the offsite archive of your personal data.

I have a Verisign OpenID (which you can get for free here). In the process you setup a “Personal Identitly Portal” which includes an encrypted “File Vault” that holds 2 GB. That’s a lot of documents. I’m exceedingly paranoid so I encrypt everything prior to putting it in my file vault using SecureZip (which you can get for free here*) so there is minimal chance of exposure.

[* update 17-November-2010: SecureZip Express (free version) is no longer available. There is a 30-day trial available for free but the full product starts at $39US]

Chris:

If the Government seizes documents which are encrypted can they then seize the key from you? The request for the key would be effective notice of sorts, but would you have to provide it? I know this is a purely legal question, but I thought you might know the answer.

Joe:

Legally the answer is “yes” the government can compel you to reveal your password. Practically there are so many ways around it that the answer is “fat chance”. A really simple workaround would be for you to have an encrypted data store where only your wife has the key. A private key escrow. As you know your spouse can’t be compelled to testify (i.e. provide the key) against you.

The other point is that any encrypted data store whether online or not is not amenable to search. In other words you can’t even see what’s there so there is no way to know know what’s in it. From the point of view of Google, a Verisign file vault doesn’t exist.

If you are really paranoid, Bruce Schneier has this article all about plausible deniability. The article is about securing laptops but the principles apply anywhere.

The bottom line is, sure the government can try to compel you to reveal encrypted data, but only if they know it exists. TrueCrypt has this guidance on plausible deniability. So to be completely safe and secure you could create a “hidden encrypted volume” inside an encrypted volume and upload the encrypted container to a Verisign file vault. With a little creative key management, you would be untouchable in any practical sense.

Now you may end up doing time for contempt of court or some bogus DHS charge but your data will be safe.

Chris:

Ok, this is heading into some really interesting legal waters. Building on your last comment,  I am not an expert on the criminal side, but I can tell you that on the civil side a judge can compel discovery. If you do not comply the Judge can order the jury to draw the negative inference (meaning that they will be instructed that the encrypted document is what the plaintiff says it is, and that it says what they say it says). There is however a safe harbor for electronic documents destroyed in the course of regular maintenance – I would be interested to see if this would include encryption keys which are time sensitive, or single use.

Switching to the criminal example we are working with – if my wife had a physical copy of the key (on a hard drive or otherwise) a judge could compel production of this in the same way he could make her give over a murder weapon. If it was memorized, I suppose she could refuse.

My concern wasn’t really with the compulsion to turn it over, it was the fact that you get no notice. This allows for secret searches (fishing expeditions)  to take place. Also, presumably they have probable cause, or the warrant in this case would not have been issued.

I do find the distinction between encrypted data and non-encrypted data, and the differing expectations of privacy intriguing. However, would your expectation of privacy survive the fact that the data is housed on another person’s machine. In the example the case offers, a letter on your mother’s table can be taken into evidence without your notice if your mother’s house is searched under a valid warrant. In that case the only one who gets notice is dear old mum. It is hard to argue the ruling would be different if you had the papers in a safe at mom’s place – the result would be the same, notice to mom, none to you.  Would the same be true for packets of encrypted information on internet servers? Maybe you have an expectation of privacy with encrypted data (like with the safe) but the reality is governed by the physical location of the “evidence”. Once they have the encrypted data can they subpoena you, or your mom, or others, to compel the production of a key? I acknowledge this would give you notice. This is more proof that the internet is absolutely non-private, even when encryption leads to an expectation of privacy.

The problem is, the conclusion that the internet is a group of guest houses through which your packets pass, and at any given time are subject to ownership by the individual who runs the house, is a troubling roadblock for the development of the net. In order to streamline our society, the internet must at some point be viewed as an instant “post-office” type service. While people sometimes use the mail to do bad things, or even steal it, the Feds and suing parties can’t. In fact messing with people’s mail, even by carriers and third parties, is a crime. Shouldn’t the same model be imposed on the internet, even if it is a legal fiction? Wouldn’t such a model be better for the ISP’s and users?

Joe:

The salient feature of encrypted data is that it is useless (i.e. random noise) without the decryption key. If you hold that key then clearly you must be notified in order to compel you to provide the key, otherwise there is no evidence.

For example, let’s say that the letter you left on mom’s table was encoded using a one-time-pad. The letter is seized under a valid court order. What have they got? Diddley. Just some weird random text on a page that is meaningless until the key – which only you have – is applied to it.

Now they can try to decode it, but the chances of success are exceedingly unlikely. They may attempt to compel you to provide the key, at which point if you refuse, you may get slapped with contempt or adverse inference but either way you get notified.

So unless they can make the case that some random collection of bits is anything more than just that, it will be impossible to use it for a fishing expedition. The point being, who cares if they seize it, it’s useless.

The original court opinion was with respect to GMail type services where your data is stored in cleartext for anyone who has the legal authority or technical prowess to see. But even the U.S. government would have a hard time deciphering AES 256 encrypted data without the key in your lifetime.

As for the instant “post-office” model legal fiction you suggest, that’s called “Net Neutrality” and the main groups opposed to it are the entertainment industry who wants to control their copyrighted content (same clowns, different circus) and some large ISPs that would like to give precedence to their own content over competitors (everybody thinks they can be Microsoft). Of course that’s not what they’re saying, but it essentially boils down to that. For the record, I agree that net neutrality would be much better for ISPs and net users alike. Whether they recognize it or not.

Exposing yourself Web 2.0 style

Everybody knows that social networking sites are notorious for their ill-advised exhibitionism. Folks who are reasonably demure and respectable in person get their freak on when it comes to FaceBook or MySpace. Yep, insert an internet connection between them and the world and the gloves come off. Or rather only the gloves stay on. I’ve written about this phenomenon before and warned of the need to take your online shadow seriously. But increasingly the exposure these social network exhibitionists face is more than simply embarrassment and ridicule on a worldwide scale. Prosecutors  have discovered a veritable treasure trove of unprotected self-incriminating evidence on social networking sites. This entry in the Electronic Discovery Law blog describes just such a case.

Defendant was found guilty of murdering a two year old girl left in his care and was sentenced to life in prison without parole.  On appeal, [he] argued that the trial court improperly admitted evidence from his MySpace account in violation of Ind. R. Evid. 404(b).  Taking up the “novel question” of the propriety of admitting such evidence, the Supreme Court of Indiana ruled that the trial court did not err in admitting the evidence, particularly where [his] own testimony made his character a “central issue” of his defense.  The verdict and sentence were therefore affirmed.

Yikes! Hoist by his own petard as it were. While most Web 2.0 exhibitionists are no doubt posers and certainly not murderers or child abusers, it’s going to be a little embarrassing - not to say legally damaging – if they are ever find themselves a defendant in a criminal or legal proceeding where their chief defense is good character and their FaceBook page proclaims “Gangsta 4Evah!”.

But there are further exposures as well as illustrated in this entry by Christopher Boyd on the SpywareGuide blog.

Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer “Hacked Facebook and Photobucket accounts” for a price.

Yes, the site is actually called “Hackedsluts.com” and claims to offer up an endless series of images from “hacked” accounts including Myspace, Photobucket and Facebook in return for a monthly fee.

Just when you think they can’t possibly get any creepier or salacious, [they] throw in dubious claims of hacked accounts / stolen images AND [they] lob in a blood splattered “Too extreme” banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Disturbing indeed. While I agree with Christopher when he concludes that the bulk of the content on “Hackedsluts.com” is made up of stock pornographic content and almost certainly not the result of hacking social networking sites, the fact that there is an actual market for such content is a very distasteful realization. We all know what happens when you mix unsavory and illicit demand with criminal entrepreneurs. Clearly there are people out there who would pay to see you acting the tart. Only you don’t get paid (like a proper tart). That’s being a pro-bono hooker, which is just stupid. And what happens when your future boss turns out to be a Hackedsluts.com aficionado? Good luck with those sexual harassment claims. Or how about when your future ex-spouse sues for custody of your kids?

So the next time you feel like exposing yourself to the world, kick it old school and just get naked, throw on a trench coat and flash the neighbors. The indecent exposure misdemeanor will be way less exposure than an ill-considered photo on MySpace.

No privilege for you!

Everybody knows about the idea of attorney-client privilege. At least in the USA. It’s what keeps lawyers in business and their clients out of jail. In general, any communication between attorney and client is privileged. It’s a secret that no court can compel either party to divulge. Kind of like the privilege between confessor and confessee [priest and sinner in confession]. Only God usually isn’t involved. If the conversation is via telephone? Covered. Postal mail? Ditto. E-mail? Absolutely. Except when it’s not.

You see, privilege hinges on the idea that the conversation is private. Since it’s not possible to “un-hear” a public conversation you don’t get no stinking privilege. Well duh! you might be thinking about now. Of course not. But when a client sends an email directly to an attorney then it’s private. Not so fast there, buckaroo! In this post on the Electronic Discovery Law blog an incident is described wherein that privileged email turns out not to be.

At issue before the court was an email sent from defendant’s counsel to plaintiff’s Vice President and In-House General Counsel regarding a prior conference call attended by [the] defendant, [both counsels] and another lawyer for plaintiff.  At the time of the call, [the] defendant was CEO and Vice-Chairman of the plaintiff corporation.

Evidence was presented that during [the defendant's] employment with plaintiff, [the In-House General Counsel] served as [the defendant's] personal advisor.  Accordingly, [the defendant] claimed the email was a privileged communication between his counsel and his “personal advisor and agent”.  Issues of whether the relationship between [them] was sufficient to establish privilege aside, the court ruled that the email in question “[was] not protected by the attorney-client privilege because [the defendant] had no reasonable expectation of privacy…”

That’s right. Do not pass Go, do not collect $200. This is a point I’ve been trying to drive home since I started blogging lo those many months ago (14 to be exact): when you send and receive email at work you have no reasonable expectation of privacy. Just so there’s no confusion, here are the four factors the court set forth for consideration in determining whether an employee has a reasonable expectation of privacy in computer files or email:

  1. does the corporation maintain a policy banning personal or other objectionable use,
  2. does the company monitor the use of the employee’s computer or email,
  3. do third parties have a right of access to the computer or e-mails, and
  4. did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?

That’s right, you better check the old employee manual to see what your employer’s policy is. Or better yet just pay attention to that disclaimer message that comes up every time you log in to your PC or workstation. You know, that one you always ignore? I willing to bet that it doesn’t say “Use this computer for anything you like. We don’t care and won’t pay any attention to you.

Bottom line is that you have no reasonable expectation of privacy when you email at work. And therefore no privilege. Not with your lawyer. Not with your priest. Even though God might forgive you in the latter case, a judge certainly will not in the former. You’ve been warned. Now go in peace and sin no more.

Justice happens

For meting out true justice the coveted Security for All Simon Award goes to JAMES C. FRANCIS IV, United States Magistrate Judge for his ruling on Green v. McClendon, 2009 WL 2496275 (S.D.N.Y. Aug. 13, 2009). The Simon Award takes it’s name and inspiration from the classic 1980 Alan Arkin film Simon wherein Prof. Simon Mendelssohn (played by Arkin) who was abandoned at birth is convinced by a shadowy group of rogue scientists that he is of extraterrestrial origin. He then escapes and attempts to reform American culture by overriding TV signals with a high power TV transmitter, becoming a national celebrity in the process. Along the way he convinces congress to pass a law requiring that lawyers who lose cases receive the same punishment as their clients.

DIGRESSION: There is a scene in which Simon is regressed to the state of an amoeba using sensory deprivation as part of the brainwashing and then re-evolves back into a human [to "Also sprach Zarathustra" of course], including “religious repression and accompanying guilt”, that is truly classic.

The Electronic Discovery Law Blog describes the case that compels us to present the prestigious Simon Award to Judge Francis as follows.

Upon one of the defendant’s revelation that she had lost all original versions of electronic files when she transferred those files to CD and then reinstalled her operating system, plaintiff filed a motion for sanctions.  Finding that the defendant and counsel violated their duty to preserve evidence, the court authorized additional discovery and awarded plaintiff his costs, including attorney’s fees, to be paid by the defendant and her counsel.

Addressing culpability, the court found that the defendant and her counsel had been “at least negligent” in failing to implement a litigation hold, properly search for documents, and supplement discovery responses.

Finding some sanctions were warranted, the court authorized further discovery, including further deposition of the defendant, and awarded the plaintiff costs and attorney’s fees, in an amount to be determined, to be allocated between the defendant and her counsel.  Interestingly, the court offered the defendant and counsel the opportunity to work out the allocation between them, and to involve the court only if necessary.

Hurrah for justice! I’m not into lawyer bashing (much) but I have to admit that when a lawyer gives bad counsel or, as is most likely in this case, goes along with their client’s hare-brained scheme to bamboozle the court it’s refreshing to see them get spanked. I just wonder how that “opportunity to work out the allocation between them” part is working out.