"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.
Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in the subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center in 1984.
"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training
No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.
The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- is public discussion, not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.
Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.
Mr. Wright's public contributions to blogs and the like constitute the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law and Business.
The only person responsible for Mr. Wright's words is Mr. Wright.
Mr. Wright often earns money from organizations he mentions or links on blogs, such as Messaging Architects, SANS Institute, Credant Technologies, state CPA societies, and others.
Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Promptness helps mitigate damage.
Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.
Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.
Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, services, computers, cell phones, brief cases or filing cabinets used by Mr. Wright are very secure.
Computer interfaces to measure and record human movement are becoming more common. These recorded measurements can be analyzed forensically to help identify people.
Microsoft is about to launch Kinect, a technology for detecting and interpreting the movement of humans in a defined space, like a living room. Initially Microsoft will apply the technology to its Xbox game console, so that players can interact by moving their bodies rather than moving a joystick or a Wii remote. With time, however, Microsoft envisions Kinect gathering human input in many computing environments.
Even though Kinect may today not be intended for biometrics, it will be capturing biometrically measurable information about the movement of people. To one degree or another, the way an individual moves (walks, swings her arms and so on) is unique. If Kinect is capturing and measuring movements, it is inevitable that the measurements will be recorded.
If records exist, then it is only a matter of time before they become the subject of an investigation into who was interacting with a certain computer at a certain place and time. Cell phones and toll road tags were not intended to track the whereabouts of users. But they collect a lot of data about the location of people at particular times, and that data became irresistible to divorce lawyers and criminal investigators, who, using the power of law, were able to demand access to the data.
Imagine an interactive display in a shopping mall. As patrons walk by, they can interact with the display by dancing, jumping or waving. But eventually there will be an investigation into whether Joey walked by that display (on his way allegedly to rob a store), and authorities will access the data for analysis.
Other sources of measurements for human movement are the accelerometers in iPhones. They have been used to measure, for example, the gait of the person holding an iPhone. If those measurements can be captured, someone can write an app to record them. Then, contrary to the intention of the app writer, some investigator will lawfully tap those records in e-discovery to find out who was using the iPhone.
Behavioral biometric measurements are not, by themselves, highly reliable identifiers of individuals. However, the measurements can be forensically meaningful. When combined with other indicia of identity (such as eyewitness identification), biometric measurements can help to pinpoint someone.
Behavioral biometric records will be a new privacy battleground in coming years.
Consent, Contracts, Privacy Rights in the Information Economy
Professional investigators should read cyber terms of service.
Technology contracts like terms of service (ToS) and end user license agreements (EULAs) are having a growing impact on the execution and outcome of investigations: internal investigations, private investigations, forensics examinations, law enforcement investigations, intellectual property investigations, cyber-theft investigations and many more.
Increasingly, social, business, academic and entertainment interaction occurs inside virtual environments. These environments saturate modern life: web pages, video games, online schools, social networks, digital media (books, music, movies), smartphone apps and corporate computer networks.
As users enter these environments, they are commonly required to agree to legal terms of use and access. These agreements can govern official investigations that may come later. These agreements can (and increasingly do) contain statements that users consent to official audits and probes and consent to limits on their privacy.
University Network Terms Applicable to Student
For example, when a freshman student at the University of Wisconsin attached his PC to the university's network, he agreed to terms of service, which included an acknowledgment that the university could execute IT security measures. Later, when a university system administrator suspected that the student's PC was involved in an ongoing, dangerous hacking incident on the network, the administrator hacked remotely into the student's PC.
While searching inside the PC, the administrator found evidence that incriminated the student in illegal hacking outside the university's network. The university gave this evidence to government prosecutors, who attempted to use the evidence in a criminal trial against the student. The student objected, on the grounds that the university had violated his privacy. The court disagreed with the student. The court said the student's privacy had not been violated because he consented – by virtue of the security clause in the network terms of service – to the search by the system administrator. (US v. Heckenkamp)
Social Network's Terms Authorizing Investigation
Here are example terms of service authorizing investigations, published by Zenbe, a social networking service for sharing information among friends:
Zenbe reserves the right to access, read, archive, monitor, and disclose any information it reasonably believes is necessary to: 1. enforce this Agreement, including investigation of potential violations hereof. 2. protect the rights, property or safety of Zenbe, its users and the public. 3. satisfy any applicable law, regulation, legal process or governmental request. 4. detect, prevent, or address fraud, security or technical issues, including the filtering of spam.
Terms like these can be relevant to monitoring users in online communities and business transactions.
Terms for Investigating Abuse of Online Games and Credits
Entrepreneurs are inventing new ways to transact business online. They are devising myriad electronic credits, coupons, vouchers, discount codes, trading cards, play money, online property, virtual game pieces and more. As they distribute these virtual goods and assets to users, their power to investigate their users is critical to nixing abuse, foiling hacks, thwarting counterfeits and maintaining the quality of their product or service. Investigations are a growing component of the information economy.
A substantial method for entrepreneurs to police their products and services is to require users to click on terms of use that include power on the part of the entrepreneurs to investigate their users.
Terms for Internal Investigations
Some investigations are internal to an enterprise, as is the case with a human resources (HR) investigation. The scope of an internal investigation can depend on contract terms or written employment policies. For example, in Ontario v. Quon, a police officer said his boss violated his privacy when the boss reviewed text messages the officer sent from his employer-issued pager. In other words, he argued that his government employer violated his Fourth Amendment right to be free from unreasonable search. However, the US Supreme Court held the employer did not violate privacy, in part because the officer had previously known, by virtue of department policy, that management could review (investigate) the content of messages exchanged through the department's equipment.
An employer or other organization that creates an electronic space is remiss if it lacks terms of use that include rights for official investigation. Although those rights may exist without explicit statement in an agreement, the user's assent to them erodes her ability to object to an investigation when it happens.
Terms of Service Applicable to Professional Investigators
To be sure, terms in an agreement cannot legitimize an irresponsible investigation. But terms can help clarify that the user was warned he could be scrutinized, records could be captured and evidence could be used against him. They can clarify that as a condition to his treatment as an authorized user, he consents to monitoring and evaluation.
A professional investigator should take note when the subject of investigation has agreed to no relevant terms or agreement. The lack of agreed terms can constrain the investigation.
Conversely, the investigator should note whether multiple, overlapping terms of investigation apply simultaneously to a person under investigation. For instance, suppose an investigator is engaged by the operator of a game app that works inside Facebook, and the investigator is examining whether Jane is abusing the game. The game terms that Jane agreed to when she started the game may support the investigation. The investigator may gather relevant evidence from the game app's network.
In addition, the terms of Facebook may support the investigation. The investigator may be able to get help from Facebook. Facebook, based on its terms of service, may be willing to cooperate with the investigation and turn over its own records about Jane.
Summit Title: "E-Data Retention, Discovery and Destruction: Developing and Implementing IT Policy"
Announcement: We have cancelled this conference. We are evaluating whether to revive it at a different place, time and/or format. If readers or potential partners/sponsors have any ideas, please contact Ben Wright. Many thanks to the speakers who agreed to support this summit.
Former date and place: September 27-28, 2010, Las Vegas
Summit Description: Almost unheard of ten years ago, electronic discovery is today chewing up IT resources – equipment, services and staff time. Recognizing that many electronic records such as e-mail, spreadsheets and text messages might some day be demanded in a lawsuit or freedom-of-information request, what policy should your enterprise adopt for retaining and destroying electronic records? Although it is foolhardy to keep everything forever, numerous, recent court cases have punished organizations for failing to retain data, or for failing to find and disclose it in a timely, responsive manner. This summit [conference] draws from the wisdom of diverse experts and end-users, including case studies, to address:
- the process for setting workable policy,
- techniques for managing storage and service costs,
- confidentiality, security and other tradeoffs between in-house and cloud storage,
- ever-improving methods for searching and culling vast troves of records,
- real-world experiences on the interplay between lawyers and IT professionals,
- protocol for access to records for internal investigations,
- international issues, including non-US privacy laws.
Given that law and technology are simultaneously undergoing rapid change, the summit assesses what the future may hold for e-records management policy, products, services and legal expectations.
We are looking for sponsors and suggestions! If you wish to exhibit or offer an idea, then please:
- leave a comment below; or
- call me at 1.214.403.6642; or
- email ben underscore wright at compuserve dot com (put "BLOG" in subject line).
Update: We are proud to announce these confirmed speakers:
- Steven Broberg and Shawn Malone of the Records Management Department of Travis County, in Austin, Texas
- Jorge Rey, Director of Information Security and Compliance, Kaufman, Rossin & Co., P.A. (policy development case study)
- Kevin Bong, Director of Corporate Security, Johnson Financial Group (end-user policy case study)
- Sonian, Inc. (cloud email archiving)
- Alex Blumrosen (American attorney practicing in Paris, France)
- Greg Smith, Messaging Architects
- Vivien Osamiluyi, Internal Auditor, Legg Mason
- CrowdFlower will demonstrate crowdsourcing as a tool for assessing large quantities of documents in an official investigation, such as a lawsuit or government inquiry
- Michael Osterman of Osterman Research
- Brian W. Foster, Access Sciences Corporation
- Kevin Larson - Qualcomm, Inc (end user enterprise)
- Digital Reef
- Jesse Wilkins - Access Sciences Corporation
- Jim Balter - University of Miami
Twitter hashtag for the Summit: #sanspolicy
Summit Agenda
[Tentative as of July 21, 2010 - Subject to Revision.]
[Not yet approved by Speakers.]
September 27 – 28, 2010
Las Vegas, NV
Title: "E-Data Retention, Discovery and Destruction: Developing and Implementing IT Policy"
The mission of this Summit is to stimulate discussion and debate as a tool for learning. Each session will allow ample time for interaction among participants.
DAY ONE Monday, September 27
9:00-9:40: Welcome and Introduction
Speaker: Benjamin Wright, Summit Chairman
Title: Resolving the conflict in electronic records retention policy setting.
Abstract: The quantities of electronic records are skyrocketing, and courts are expecting better retention of them. How do we reconcile these developments with traditional records management practices? What to expect in this Summit. Mr. Wright will query participants to bring their issues and experiences to light.
Throughout the Summit, Mr. Wright will attempt to summarize and stimulate discussion around major points that emerge from the sessions.
9:50 – 10:50
Title: Records Managers – Travis County, Texas – Confront E-mail
Speakers: Steven Broberg and Shawn Malone, Records Department, Travis County, Texas.
Abstract: Professional records managers will articulate the considerable challenges they have encountered in trying to square legal expectations with the realities of email in a complex enterprise having 4500 email users.
10:50 – 11:10 Break
11:10 - 12:15
Session Title: Experts on Record Retention Policies
Speaker: Access Sciences Corporation - Brian W. Foster (former Director of eDiscovery at one of the top five global oil companies) and Jesse Wilkins
Session description to be determined.
Lunch 12:15 – 1:30
1:30 – 2:20
Session Title: Finding Email Records in the Real World
Speaker: Greg Smith, Messaging Architects
Abstract: Practical e-discovery experience – the proliferation of email records throughout an enterprise, including in unexpected places. Stories from the trenches.
2:20 – 2:40 Break
2:40 – 3:55
Session Title: User Panel
Abstract: All enterprises wrestle with how to set policy for the retention of electronic records in a changing environment. Hearing the experiences of diverse user enterprises can paint a more realistic picture of what is possible and what should be expected for well-crafted policy.
Panel Members:
Internal Auditor: Vivien Osamiluyi, Legg Mason
Kevin Bong - Johnson Financial Group
Kevin Larson - Qualcomm, Inc (end user enterprise) - How do security issues influence policy on electronic records retention? (A podcast about Kevin's presentation is available for download.)
Jim Balter - University of Miami
Steven Broberg and Shawn Malone, Records Department, Travis County, Texas
4:00 – 5:00
Session Title: e-Discovery's Influence on Email Record Retention Policy
Speakers: Digital Reef - Steve Akers (Founder and CTO) and Digital Reef's Customer, James Bandes
Abstract: What are practical experiences with e-discovery telling us about how to write and implement e-record retention policies?
DAY TWO Tuesday, September 28
9:00 – 10:00
Session Title: European Experience
Speaker: Attorney Alexander Blumrosen, Bernard-Hertz-Béjot - Paris, France
Abstract: In lawsuits and investigations, privacy issues can loom larger outside the US. How are these issues influencing e-Discovery and the development of e-records policy in Europe?
10:05 – 11:00
Session Title: Drawing Practical Lessons
Speaker: Benjamin Wright, Summit Chairman
Abstract: What are the larger implications of the stories from day 1? How can these be combined with the lessons today to write a take-home list of principles and guidelines? Mr. Wright will lead the group in compiling that list, starting now and running through the rest of the day.
11:00 – 11:20 Break
11:20 – 12:15
Session Title: The Future of Electronic Records Policy and Technology
Speaker: Michael Osterman, Osterman Research
Abstract: What are the big trends in records management and e-discovery and how are organizations not keeping pace from a policy perspective with regard to records management, social media management, or managing data for regulatory or legal compliance? How is technology changing and what is the role of technology vis-à-vis things like employee training and establishment of corporate policies? What can we expect two years, five years from now? How should enterprises prepare for the future from both a technology and non-technology perspective?
12:15 – 1:30 Lunch
1:30 - 2:30
Session Title: e-Mail & Electronic Records Disposal Policy Case Study
Abstract: In this case study, an accounting firm helped an organization save costs by implementing a policy that reduced the quantity of electronic records and emails retained. During this session, ample time will be available for all Summit participants to ask questions, make comments and debate.
2:30 – 2:50 Break
2:50 – 3:40
Session Title: Cloud Storage of Records
Speaker: Sonian, Inc. and End-User Customer
Abstract: What are the true costs for storing enterprise email in the cloud? As a practical matter, can the enterprise be assured that those records will be secure and will be retrievable many years in the future? Will privacy and confidentiality issues limit the use of cloud services for the storage of critical business archives? Can these issues be addressed with contracts, technical controls and other procedures?
3:45 - 4:15
Session Title: TBA
Speaker: TBA
4:20 – 5:00
MUST SEE HIGHLIGHT OF THIS SUMMIT!
Session Title: Crowdsourcing Demonstration
Speaker: CrowdFlower
Abstract: In modern lawsuits and investigations, the massive volume of electronic records is daunting. How do we make sense of all these records? Crowdsourcing may be one effective tool, where a swarm, an army, of virtual workers is employed to review and analyze records. CrowdFlower will present a pioneering demonstration of this concept, live at the Summit. Don't miss this unprecedented learning experience. (A SANS-CrowdFlower media alert is available for download.)
Many professionals who visit this blog are looking for education on electronic records or technology law. We can deliver custom tutorials on the topics important to you right now. A tutorial can be one hour, two hours, a half-day, or more.
Benjamin Wright and Messaging Architects have much experience training professionals on such topics as e-discovery, e-record privacy, data security law, cyber defense investigations, record retention policies, email data restoration, e-commerce records and contracts, and more.
Now we deliver this continuing professional education on a tailored, as-needed basis. Tell us what interests you, and we will work with you to develop a curriculum and a delivery plan. The number of students could be one, two, 100, or more.
The method of delivery could be Webex, on-site, telephone conference, or something else, depending on your needs and resources. A tutorial could combine lecture and interactive Q & A.
To discuss, please call Mr. Wright at 1.214.403.6642.
Price would depend on many factors, such as the length of seminar time, the medium of delivery, out-of-pocket expenses, and the amount of advanced preparation involved. A one-hour briefing by Mr. Wright to a small audience (delivered by telephone call you initiate) on a topic for which he already has his own material, could cost as little as $375.
Many professionals – auditors, lawyers, investigators, accountants, records managers, security professionals -- need continuing professional education (CPE and CLE) hours. Our tutorials are of a quality to support the granting of credit. Mr. Wright will be happy to sign a letter confirming that any particular professional participated in a seminar. However, the application for and obtaining of credit will be the responsibility of the individual professional.
Rules for continuing legal education credit vary by jurisdiction. Often an attorney can obtain credit by applying for it after attending a seminar.
Mr. Wright and Messaging Architects deliver an in-house workshop for developing enterprise policy on the retention, destruction and management of electronic records, especially e-mail.
Statement from Andrew Scygiel, Merck & Co., Inc. to Mr. Wright: "Thanks again for a great class and very insightful information. You have really changed my view of records and I have 'aspired' to be much more aware of our policy and how today's climate can affect us."
As senior legal instructor at the SANS Institute, Mr. Wright emphasizes that -- in response to an IT security incident -- an effective public message is just as critical as the technical and legal responses.
Internal Investigations under Data Protection Legislation
Many countries have data privacy laws limiting the disclosure of personal information about their citizens. Although the laws are far from uniform around the world, the European Data Protection Directive (95/46/EC) is a leading guide.
These laws motivate (multinational) corporations to configure controls into email (as well as webmail and text-instant-message) record retention systems.
The European Data Directive generally instructs European countries to enact local privacy legislation to regulate personal information. The legislation can apply to e-mail and other electronically stored information (ESI). As a practical matter, the details of implementation and enforcement of local (non-US) privacy laws with respect to e-mail are a very complex topic. Some local laws can frustrate internal corporate investigations that might appear, to US-based managers for example, as routine and responsible. They can cause emails to be withheld from investigators.
One instance: In 2001 French courts held that a foreign-headquartered company violated the privacy rights of a French engineer when it inspected his e-mail records, stored on company computers. The records revealed he was wrongfully moonlighting on company time. Doreen Carvajal, "The Workplace: When bosses spy on workers," International Herald Tribune, April 21, 2004.
As corporations install appliances to store e-mail archives, they should consider whether to implement controls for compliance with local privacy statutes. The controls might include
1. written policies calling for compliance with local law;
2. technical blocks to prevent unauthorized people or departments from accessing specific records, while granting access to those who have been authorized; and
3. alerts and audit trails to enable after-the-fact review of who accessed which records and when.
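The second and third controls above can be sketched in code. The following is an added illustration, not code from the original post or from any archiving product: a small gateway in front of an e-mail archive that blocks access to records by the custodian's jurisdiction, the requester's department and the stated purpose, keeps an append-only audit trail of every decision, and raises an alert on repeated denials. The policy table, addresses and scenario are constructed assumptions, not any real statute or enterprise.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ArchivedMessage:
    msg_id: str
    custodian: str     # mailbox owner the record came from
    jurisdiction: str  # country whose privacy law governs this record

@dataclass(frozen=True)
class AccessRequest:
    requester: str
    department: str
    purpose: str
    msg_id: str

@dataclass(frozen=True)
class AuditEvent:
    when: str
    requester: str
    msg_id: str
    granted: bool
    reason: str

# Constructed policy (an assumption, not any real statute): per jurisdiction, which
# departments may read a record and why. Unlisted jurisdictions fail closed.
POLICY = {
    "US": {"departments": {"hr", "legal", "security"},
           "purposes": {"internal_investigation", "litigation_hold"}},
    "FR": {"departments": {"legal"}, "purposes": {"litigation_hold"}},
}

class ArchiveGateway:
    """Sits between investigators and the archive: decides, then records."""
    def __init__(self, messages, policy=POLICY, alert_threshold=2):
        self._messages = {m.msg_id: m for m in messages}
        self._policy = policy
        self._alert_threshold = alert_threshold
        self.audit_trail = []  # append-only record of every decision
        self.alerts = []       # raised on repeated denials by one requester

    def _decide(self, req):
        msg = self._messages.get(req.msg_id)
        if msg is None:
            return False, "no such record"
        rule = self._policy.get(msg.jurisdiction)
        if rule is None:
            return False, f"no policy for {msg.jurisdiction}: fail closed"
        if req.department not in rule["departments"]:
            return False, f"{req.department} not authorized for {msg.jurisdiction}"
        if req.purpose not in rule["purposes"]:
            return False, f"{req.purpose} not a permitted purpose for {msg.jurisdiction}"
        return True, "authorized"

    def access(self, req):
        """Return the record if policy allows it, else None; always audit."""
        granted, reason = self._decide(req)
        self.audit_trail.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), req.requester,
            req.msg_id, granted, reason))
        if not granted:
            denials = sum(1 for e in self.audit_trail
                          if e.requester == req.requester and not e.granted)
            if denials >= self._alert_threshold:
                self.alerts.append(f"{req.requester}: {denials} denied requests")
        return self._messages[req.msg_id] if granted else None

    def who_accessed(self, msg_id):
        """After-the-fact review: who actually read this record, and when."""
        return [(e.when, e.requester) for e in self.audit_trail
                if e.msg_id == msg_id and e.granted]

def run_sample():
    # Constructed scenario: one HR investigator, records from three countries.
    gw = ArchiveGateway([ArchivedMessage("m1", "alice@example.com", "US"),
                         ArchivedMessage("m2", "pierre@example.fr", "FR"),
                         ArchivedMessage("m3", "kai@example.sg", "SG")])
    hr = "hr.investigator"
    gw.access(AccessRequest(hr, "hr", "internal_investigation", "m1"))  # granted
    gw.access(AccessRequest(hr, "hr", "internal_investigation", "m2"))  # denied: FR
    gw.access(AccessRequest(hr, "hr", "internal_investigation", "m3"))  # denied: no SG rule
    gw.access(AccessRequest("counsel", "legal", "litigation_hold", "m2"))  # granted
    return gw
```

The denial reasons never leave the gateway in the record itself; they live in the audit trail, which is what an after-the-fact reviewer (or a local regulator) would ask to see.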
--Benjamin Wright
Mr. Wright is a consultant to Messaging Architects, developer of sound processes for electronic mail record-keeping and investigation.
Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. He does not give advice to non-clients.