You can download a copy of the report from Gibson Dunn’s website here.

One of the more interesting pieces that I gleaned from this report was the various state bar associations issuing ethics opinions on the use of social media “trickery” to gain additional information. The example cited in the report, from the New York State Bar Association, states that attorneys may view public profile pages, etc., but may not “friend” the person, nor direct a 3rd party to do so.

Chiling perhaps, but nothing sends as clear of a message about your online life as this quote from the report (emphasis mine):

“Another trend last year saw courts holding that there is no expectation of privacy or confidentiality for social networking communications. In Romano, for example, the court held that the production of information from social networking sites did not violate the plaintiff’s right to privacy, regardless of her chosen privacy settings, because the social networks’ terms of use and their inherent nature provide no expectation of privacy.”

Based on a review of 323 decisions (all of which are listed in the report for your reference), this is perhaps the most comprehensive anylsis of the current state of e-discovery available.

Related articles:

1. (ISC)2 Secure Metro New York The CISO/CPO Partnership: Addressing Online Risks Brightfly is pleased to...

As far as the scope of search goes, Chief Judge Kane references four Supreme Count rulings that held that it was appropriate to rely upon evidence obtained by a third party.  However, the government is limited in its warrantless search to the scope of the private search, and not materially broader. In United States v. Runyan, this was further held that “the expectation of privacy in all files contained on a single computer disk is breached by a private examination of any files on the disk, but the expectation of privacy in other unmarked disks located near the privately searched disk remains intact”.  What is notable here is that this ruling was based upon evidence presented in 1999.  In 1999, the “containers” were floppy disks (1.44MB), CDs, and 100MB ZIP drives.  If a private party discovered one contraband file in a “container” and turned the “container” over to authorities, the entire container was then subject to search without warrant, but other containers that the private party did not search were held to require a search warrant.  While that makes sense with a floppy disk, how should it apply in 2008 when a USB thumb drive can be 64 Gigabytes?  (Kingston Datatraveler 150)  How is this to be interpreted when a single $150 SATA drive can be 1Terabyte (1,000 Gigabytes!)? While this interpretation was considered a prevention of overzealous search in its time, it now could be used as an instrument for overreaching searches.  This seems to be Judge Kane’s position, though not stated quite so succinctly, when she writes, “The Court cannot embrace the Government’s view of Jacobsen and Runyan.  The Court finds that the EnCase search exceeded the scope of the private party search, and all further searches were, likewise, unreasonable under the Fourth Amendment”.  Expect there to be more cases that are materially impacted by interpretations of these rulings.

A second aspect of this case that is interesting is the Chain of Custody.  How long can a computer be in the hands of a 3rd party, without following recognized forensic procedures, before the evidence is considered contaminated?  How many people can sit at the keyboard, and for how long, before the evidence derived later is questioned?  In this case, the computer was taken from the suspect’s apartment and placed at the curb. Another party (Hipple) came by later in the day and picked the computer up and took it to yet a 3rd person’s house.  At this friend’s house, presumably a computer knowledgeable individual, they logged onto the computer to “basically just cleaned it up, get past profiles”.   After this invasive interaction, Hipple brought the computer home and logged on again to, as he postured “go through and see what [he] could delete”. He then claims to have found the contraband, “freaked out” and deleted the entire folder where the contraband was found.  It was three days before Hipple finally contacted authorities to report the contraband.  It was not until the responding officer entered the computer into evidence that it was treated in a forensically sound manner!   So, apparently the time frame is at least three days.  How long does it take for malware to take over a computer?  How long does it take to copy 1600 pictures to a computer?  Did the forensic investigator make a compelling argument, based on his investigation, including a timeline of events, internet cache folder, temporary internet files folder, the history folder, and the index.dat files, that made a case for the contraband to be undeniably the result of action taken by the computer’s owner?  If not, what was done to validate that the files found were not a plant?  This three day gap in accountability should be unnerving to those of us that use computers.

Perhaps the questions asked above would have been the line of questioning had the Judge ruled differently on other aspects of admissibility (scope of search).

The final area of interest is the Court’s confusion over what constitutes a “container”.  Judge Kane writes “A hard drive is not analogous to an individual disk.  Rather, a hard drive is comprised of many platters, or magnetic data storage units, mounted together.  Each platter as opposed to the hard drive in its entirety is analogous to a single disk as discussed in Runyan.  As such, the EnCase search implicates Crist’s Fourth amendment rights”.  Wow.  While the Judge deserves some recognition for an attempt at technical savvy, this analogy falls quite short.  Under the guise of this analogy, the geometry of the hard drives platter’s determined what is searchable and what is not.  If the target is a 500GB Seagate drive with four platters and eight read/write heads, is less data is to be considered within the scope of the search than if the exact same information were stored on a 500GB Samsung drive with one platter and two read write heads? If the data is stored on a RAID array, how do you determine which platters in which drives are within the scope of the search?  The judge also skips over the fact that even in the Runyan case, there were two recording surfaces for each floppy disk.  Since the introduction of MS-DOS 1.1, the Microsoft operating system has used both sides of a diskette, these are distinctly two separate recording surfaces of a floppy disk, yet it appears to the computer user as a single “container”.  Using the single platter logic, in the Runyan case, they would have only been within bounds to search the side of the floppy disk that contained the file that the third party found/viewed.  In this context, it appears that a logical volume should be the boundary for a container, but, with the advances in drive density, considering this as a boundary is disconcerting.

What is apparent here is that there is no clear precedent on the boundaries of a digital container, the restrictions on the scope of a warrantless search, or requirement for strict adherence to proper digital chain of custody procedures.  The courts have a huge challenge keeping pace with the changes in technology and its impact on Fourth Amendment rights.  Eventually there will be precedent set by the Supreme Court, in the mean time, in Lower Courts your justice will vary.  If you are in law enforcement, protect your case by obtaining search warrants when digital searches go beyond the scope of third-party information.  If you are a defense attorney, hold prosecution accountable to following proper Chain of Custody procedures and respecting the boundaries of warrantless searches.

No related articles.

Whoa!  Can you say "punitive damages"?  Apparently the courts are starting to accept circumstantial evidence, based upon a chronology of events following a privacy breach, to hold organizations accountable for bad things happening.  IT security pros now have even more of a reason to lobby management to do what to takes to secure their PII.  However, human nature being what it is, I'm sure this is not the last case of this kind we'll see.

No related articles.

What the FTC is doing is applying Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, and they also violated the Fair Credit Reporting Act.   However, this section does not allow for the imposition of fines, so for that they are leveraging the Fair Credit Reporting Act (FCRA).  The example given was that of ChoicePoint, which was fined $10 million in January, 2006.  In addition, The FTC currently has more than 24 open information security investigations going on.  I find it interesting that the FTC is getting in on the security enforcement  bandwagon by equating companies’ non-compliance with their own information security and privacy promises to practicing “unfair and deceptive trade practices.”  Hmmm.  Is this simply a money grab by the FTC in the form of fines?  If so, does it even matter if the end result is better security?  Regardless, the article makes it clear that the FTC can, and will, apply penalties against organizations that do not have proper information security and privacy practices and programs in place, even if there has not yet been a breach!

No related articles.

The 5 count indictment implicates Butler in the creation and administration of “Cardersmarket”, a website that serves as a community and clearinghouse for those engaged in the theft, use and sale of credit cards.

Additional press coverage can be found here.

Related articles:

1. IT Pros Routinely Break the Rules According to a recent survey, most IT professionals admit to...

No related articles.

No related articles.