Corporate Social Media | Civil Lawsuit E-Discovery

Log-on and Password to Opponent?

A few cases have required a social media user to give his password, user name and log in ID to an opponent for ediscovery.  In these cases, the user was an individual.   But what if the user were an enterprise?

In Zimmerman v. Weis Markets Inc., an employee claimed he suffered great injury from a workplace accident, so he sued his employer.   But the public portions of his Myspace and Facebook sites contradicted some of his claims.   His employer surmised that non-public portions of his social sites would reveal more information relevant to his injury.

No Expectation of Privacy?

The Pennsylvania court compelled the employee to give to the employer his Myspace and Facebook passwords, user names and log in names.  The court dismissed the employee’s claims to privacy, saying, “Zimmerman voluntarily posted all of the pictures and information on his Facebook and Myspace sites to share with other users of these social network sites, and he cannot now claim he possesses any reasonable expectation of privacy to prevent [his employer] from access to such information.”

What Do Social Media Privacy Policies Say?

The court went on to say, “All the authorities recognize that Facebook and Myspace do not guarantee complete privacy.  Facebook’s privacy policy explains that users post any content on the site at their own risk and informs users that this information may become publicly available.”

Although the privacy policies at those sites are very complex, the court did not engage in an in-depth analysis of the precise words in those policies.

Access to Email and Chat Messages?

Further, the court did not consider that those log-on credentials will grant access to the content of private, one-on-one chat or email messages, or messages that are the equivalent to private email.

Historically, in civil ediscovery, it has been more common to require an email user to turn over relevant messages -- one-by-one –- not to turn over his log-on credentials so the opponent can access all messages in his email account.

The configuration of social media sites is complex, and privacy for particular bits of information can often be adjusted with a fine degree of precision.  For example, in Google Plus, a user can “post” information on his page, but make it viewable by only one friend.  In effect, the “post” is analogous to a private email message to that friend.


Enterprise Data in the Cloud

Could the logic of Zimmerman be applied against an enterprise in a civl lawsuit?  Could it lead to a requirement that an enterprise turn over full administrator access credentials for a social networking facility the enterprise uses with its employees and select trading partners such as vendors and customers?

It is becoming common for firms to use services like Yammer or Chatter, third-party, cloud-based services, to provide “internal” social networking.

Imagine this scenario: The opponent of a corporation shows a court that public postings of the corporation, sent in connection with a service like Yammer, are inconsistent with claims the corporation makes in litigation.   The “internal” part of the service shares information among the corporation, its employees and selected “business associates.”  In the “internal” service, varying degrees of access are granted to different people for different bits of information.

Further imagine that the confidentiality terms of the service provider do not guarantee absolute confidentiality under all circumstances. (A service provider cannot make such a guarantee.)

Under the logic of Zimmerman, I can imagine the corporation’s opponent arguing that it should be given powerful log-on credentials so it can broadly view the part of the service used “internally” by the corporation.

Non-Disclosure Terms

What is a corporation using services like Yammer to do?   One step would be to liberally post terms and banners requiring users of the internal service to agree that the contents of the service are confidential and shall not be disclosed.   That step will not defeat all of the Zimmerman logic, but it will help to distance this corporate scenario from the facts of the Zimmerman case.  In Zimmerman, the employee did not post a notice on the private portions of his social sites requiring viewers to maintain confidentiality.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related Post: Social Network terms of service applicable to forensic investigation?

Cloud Computing Police Raid

Seizure of Servers; Co-mingled Data

What happens when police seize servers belonging to a cloud computing service provider?

Spring 2009, a federal district court granted the FBI a search warrant to seize control of computer servers and related equipment in facilities run by Core IP Networks.  Apparently Core leased its facilities to the owners of servers, including a cloud computing service provider named Liquid Motors. Liquid Motors was not accused of wrongdoing, but the FBI had information suggesting that a criminal enterprise (including apparently Core) had used LM’s servers or some of the data stored in them.

LM helps large, national auto dealers manage their inventory and Internet marketing.  The seizure shut LM down, and debilitated the operations of its innocent customers.  The data of all LM users and customers were co-mingled in a cloud-computing style.

Request Relief from Court

LM promptly requested that the court cause the FBI to release the servers.  It claimed that it and its innocent customers were suffering great economic hard. 

The court denied the request. The court was satisfied that the FBI had adequate justification to hold the servers.

Court Appearance Gives FBI Sense of Urgency

However, the court hearing put FBI under the spotlight.  FBI did not want to appear unreasonable in court.  Recognizing the economic impact of its action, the FBI said it was working urgently (over a weekend) to copy data from the hard drives of the servers, with a view to returning the servers to LM as quickly as possible. Liquid Motors, Inc. v. Lynd, No. 3:09-cv-0611-N (N.D. Tex. April 3, 2009).

As cloud computing becomes more common, I suspect courts will come to expect police like FBI to refine their methods so that targeted data can be secured without damaging all the innocent people whose data and services are coincidently housed with it. Refined methods might include, for example, allowing servers to continue functioning normally while target records are copied.

Backup Data

The customers of cloud services face more than just the risk that police will confiscate a provider's servers. The provider may go into bankruptcy or suffer sabotage at the hands of a disgruntled employee. To address these risks, customers might spread or duplicate their data and services across multiple service providers, located in multiple jurisdictions. 

–Benjamin Wright, Legal Issues Instructor at the SANS Institute

Update:  The risk that police raids will damage innocent cloud customers needs to be seen in context.  Similar risk applies in many sectors of the economy.  It is not uncommon that the seizure of assets by police affects innocent bystanders.  For example, FBI confiscated $392,000 of cash belonging to an innocent New York check-cashing company when it seized assets from an armored car company under investigation.  John Emshwiller and Gary Fields, "Federal Asset Seizures Rise, Netting Innocent with Guilty," Wall Street Journal, August 22, 2011.

Related:  Opinion regarding Megaupload Takedown and

Theories of Relief for Legitimate Megaupload Users

FBI Cloud Computing Raid

Minimizing Collateral Damage

When the FBI raided DigitalOne, a co-location data center, in search of data belonging to criminals, it also disrupted innocent businesses.  One of those was Instapaper.  Services for Instapaper were offline for most of a day.  The services unexpectedly stopped, and then resumed many hours later.  

Whether the disruption was unavoidable is unclear.   The FBI did not explain how the raid transpired.  DigitalOne suggested that the FBI was clumsy, taking a whole enclosure of servers, rather than the particular servers that were the focus of its raid. 

Some in the technical community have criticized the FBI for not knowing the difference between an enclosure and a server.

I don’t know whether the FBI was in fact clumsy.  The full story is probably complicated.

Problem Will Be More Common

This not the first time that a well-meaning FBI raid of a contract data center caused disruption to innocent businesses housed at the center. A company named Liquid Motors complained in court when an FBI data center raid damaged its business, which was not connected with the criminal activity that precipitated the raid.

Disruptions like this threaten to grow more common.  Co-location, cloud computing and other IT outsourcing are on the rise.  FBI and other law enforcement need to refine their methods of investigation.  When they must raid a data center that serves multiple clients, they should not cause more harm than good.

What FBI Should Do

Yes, FBI needs to shut down cyber criminals and collect evidence so they can be prosecuted.  But FBI undermines the community’s trust when it damages innocent bystanders.

Before executing a raid, FBI should evaluate whether its mission truly requires it to seize hardware and take it offline.  It should develop techniques for surgically getting what it needs, while avoiding disruption of anything else.

FBI further should strive for transparency and accountability.  It should vow to the community to disclose as much as it can, as soon as it can, about what it is doing and how. It should explain which servers it is impacting, in what way and for what reason.

I realize that explanation to the public is time-consuming work.  And explanation can lead to second-guessing and criticism.  But explanation is necessary to ensure that FBI is constantly refining its methods and learning from any mistakes it makes. Explanation also promotes FBI’s stature within the technical community.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related:  Justice for innocent users of Megaupload

Archive Storage Costs

Cloud? Content Addressable Storage?

Is it too expensive for an enterprise to store lots of email for many years? On this blog I have been arguing that the law motivates enterprises to keep email generously.  But generous retention (many records many years) raises questions about cost. 

Earlier on this blog, I have aired arguments about whether cloud computing or content addressable storage (creates an in-house cloud) are effective technologies for archiving email economically.

One commenter argued that the alleged allure of content addressable storage (CAS) is just vendor hype.  
To that, my friend Greg Smith at Messaging Architects responds:

“It is true that the cost of data centers, power, rack space and environmental conditions is a big cost to take into account when evaluating storage costs.   But too often the thought when organizations are looking at storing terra bytes of data is to look at traditional storage mechanisms such as a SAN.  Although a SAN is more economically feasible than local storage, it still requires the overhead of redundant drives for data protection . . . so that in effect some systems running a RAID 6 environment with an 8 drive array have a 25% operating overhead.  

“Contrast content addressable storage designed for secure, in-house, long term storage. Since it does not employ a traditional file system, it does not have the limitations or constraints of a traditional system. In fact CAS systems, which can provide storage for under $3 / GB, are designed to replicate and validate data to ensure that:

* corruption and disk failure do not destroy data, and

* in the event of hardware failure, replacement of hardware is not the lengthy rebuild process that would apply to a SAN.

“How does CAS compare with storage in an external cloud provider?  External cloud storage costs are low, and it is difficult for any form of in-house storage to compete with those low costs.  However, what remains to be seen is whether the accessibility and security of data in the external cloud will be satisfactory.  Let’s not forget that a cloud looks solid enough from the ground, but if you fly through it, it becomes translucent.

“Sometimes being able to physically touch something provides more assurance of its existence and accessibility.  Still, that perception may change over time.

“On the subject of external cloud storage, one other question is data ransom.  After you have stored many terra bytes of valuable data in a vendor’s cloud, the vendor will see that it can raise prices. When it does that, there is no choice but to pay these higher ongoing prices, as the cost to move that data in-house or to another provider may be prohibitive.”

–Benjamin Wright

SANS Conference on Computer Records Policy

Summit Title: "E-Data Retention, Discovery and Destruction: Developing and Implementing IT Policy"

Announcement:  We have cancelled this conference.  We are evaluating whether to revive it at different place, time and/or format.  If readers or potential partners/sponsors have any ideas, please contact Ben Wright.  Many thanks to the speakers who agreed to support this summit.

Former date and place:  September 27-28, 2010, Las Vegas

Summit Description:  Almost unheard of ten years ago, electronic discovery is today chewing up IT resources – equipment, services and staff time.  Recognizing that many electronic records such as e-mail, spreadsheets and text messages might some day be demanded in a lawsuit or freedom-of-information request, what policy should your enterprise adopt for retaining and destroying electronic records?  Although it is foolhardy to keep everything forever, numerous, recent court cases have punished organizations for failing to retain data, or for failing to find and disclose it in a timely, responsive manner.  This summit [conference] draws from the wisdom of diverse experts and end-users, including case studies, to address: 

- the process for setting workable policy,

- techniques for managing storage and service costs,

- confidentiality, security and other tradeoffs between in-house and cloud storage,

- ever-improving methods for searching and culling vast troves of records,

- real-world experiences on the interplay between lawyers and IT professionals,

- protocol for access to records for internal investigations,

- international issues, including non-US privacy laws.

Given that law and technology are simultaneously undergoing rapid change, the summit assesses what the future may hold for e-records management policy, products, services and legal expectations.

We are looking for sponsors and suggestions!  If you wish to exhibit or offer an idea, then please: 

- leave a comment below; or

- call me at 1.214.403.6642; or

- email ben underscore wright at compuserve dot com (put "BLOG" in subject line).

Update:  We are proud to announce these confirmed speakers: 

- Steven Broberg and Shawn Malone of the Records Management Department of Travis County, in Austin, Texas

- Jorge Rey, Director of Information Security and Compliance, Kaufman, Rossin & Co., P.A. (policy development case study)

- Kevin Bong, Director of Corporate Security, Johnson Financial Group (end-user policy case study)

- Sonian, Inc. (cloud email archiving)

- Alex Blumrosen (American attorney practicing in Paris, France)

- Greg Smith, Messaging Architects

- Vivien Osamiluyi, Internal Auditor, Legg Mason

- CrowdFlower will demonstrate crowdsourcing as a tool for assessing large quantities of documents in an official investigation, such as a lawsuit or government inquiry

- Michael Osterman of Osterman Research

- Brian W. Foster, Access Sciences Corporation

- Kevin Larson - Qualcomm, Inc (end user enterprise)

- Digital Reef

- Jesse Wilkins - Access Sciences Corporation

- Jim Balter - University of Miami

Twitter hashtag for the Summit:  #sanspolicy

Summit Agenda

[Tentative as of July 21, 2010 - Subject to Revision.]

[Not yet approved by Speakers.]

September 27 – 28, 2010

Las Vegas, NV

Title: "E-Data Retention, Discovery and Destruction: Developing and Implementing IT Policy"

The mission of this Summit is to stimulate discussion and debate as a tool for learning. Each session will allow ample time for interaction among participants.

DAY ONE Monday, September 27

9:00-9:40: Welcome and Introduction

Speaker: Benjamin Wright, Summit Chairman

 

 

Title: Resolving the conflict in electronic records retention policy setting.

Abstract: The quantities of electronic records are skyrocketing, and courts are expecting better retention of them. How do we reconcile these developments with traditional records management practices? What to expect in this Summit. Mr. Wright will query participants to bring their issues and experiences to light.

Throughout the Summit, Mr. Wright will attempt to summarize and stimulate discussion around major points that emerge from the sessions.

9:50 – 10:50

Title: Records Managers – Travis County, Texas – Confront E-mail

Speakers: Steven Broberg and Shawn Malone, Records Department, Travis County, Texas.

 

 

Abstract:  Professional records managers will articulate the considerable challenges they have encountered in trying to square legal expectations with the realities of email in a complex enterprise having 4500 email users.

10:50 – 11:10 Break

11:10 - 12:15

Session Title: Experts on Record Retention Policies

Speaker: Access Sciences Corporation - Brian W. Foster (former Director of eDiscovery at one of the top five global oil companies) and Jesse Wilkins

Session description to be determined.

Lunch 12:15 – 1:30

1:30 – 2:20

Session Title: Finding Email Records in the Real World

Speaker: Greg Smith, Messaging Architects

Abstract: Practical e-discovery experience – the proliferation of email records throughout an enterprise, including in unexpected places. Stories from the trenches.

 

 

2:20 – 2:40 Break

2:40 – 3:55

Session Title: User Panel

Abstract: All enterprises wrestle with how to set policy for the retention of electronic records in a changing environment. Hearing the experiences of diverse user enterprises can paint a more realistic picture of what is possible and what should be expected for well-crafted policy.

Panel Members:

Internal Auditor: Vivien Osamiluyi, Legg Mason

Kevin Bong - Johnson Financial Group

 

Kevin Larson - Qualcomm, Inc (end user enterprise) - How do security issues influence policy on electronic records retention? Podcast about Kevin's presentation: Download Sans_intro_klarson

- Jim Balter - University of Miami

 

Steven Broberg and Shawn Malone, Records Department, Travis County, Texas

4:00 – 5:00

Session Title: e-Discovery's Influence on Email Record Retention Policy

Speakers: Digital Reef - Steve Akers (Founder and CTO) and Digital Reef's Customer, James Bandes

Abstract: What are practical experiences with e-discovery telling us about how to write and implement e-record retention policies?

DAY TWO Tuesday, September 28

9:00 – 10:00

Session Title: European Experience

Speaker: Attorney Alexander Blumrosen, Bernard-Hertz-Béjot - Paris, France

Abstract: In lawsuits and investigations, privacy issues can loom larger outside the US. How are these issues influencing e-Discovery and the development of e-records policy in Europe?

10:05 – 11:00

Session Title: Drawing Practical Lessons

Speaker: Benjamin Wright, Summit Chairman

Abstract: What are the larger implications of the stories from day 1? How can these be combined with the lessons today to write a take-home list of principles and guidelines? Mr. Wright will lead the group in compiling that list, starting now and running through the rest of the day.

11:00 – 11:20 Break

11:20 – 12:15

Session Title: The Future of Electronic Records Policy and Technology

Speaker: Michael Osterman, Osterman Research

Abstract: What are the big trends in records management and e-discovery and how are organizations not keeping pace from a policy perspective with regard to records management, social media management, or managing data for regulatory or legal compliance? How is technology changing and what is the role of technology vis-à-vis things like employee training and establishment of corporate policies? What can we expect two years, five years from now? How should enterprises prepare for the future from both a technology and non-technology perspective?

12:15 – 1:30 Lunch

1:30 - 2:30

Session Title:  e-Mail & Electronic Records Disposal Policy Case Study

Speaker: Jorge Rey, CISA, Kaufman, Rossin & Co., P.A.

 

Abstract: In this case study, an accounting firm helped an organization save costs by implementing a policy that reduced the quantity of electronic records and emails retained. During this session, ample time will be available for all Summit participants ask questions, make comments and debate.

2:30 – 2:50 Break

2:50 – 3:40

Session Title: Cloud Storage of Records

Speaker: Sonian, Inc. and End-User Customer

Abstract: What are the true costs for storing enterprise email in the cloud? As a practical matter, can the enterprise be assured that those records will be secure and will be retrievable many years in the future? Will privacy and confidentiality issues limit the use of cloud services for the storage of critical business archives? Can these issues be addressed with contracts, technical controls and other procedures?

3:45 - 4:15

Session Title: TBA

Speaker: TBA

4:20 – 5:00

MUST SEE HIGHLIGHT OF THIS SUMMIT!

Session Title: Crowdsourcing Demonstration

Speaker: CrowdFlower

Abstract: In modern lawsuits and investigations, the massive volumes of electronic records is daunting. How do we make sense of all these records? Crowdsourcing may be one effective tool, where a swarm, an army, of virtual workers is employed to review and analyze records. CrowdFlower will present a pioneering demonstration of this concept, live at the Summit. Don't miss this unprecedented learning experience.   Download Media alert SANS-CrowdFlower