Computer interfaces to measure and record human movement are becoming more common. These recorded measurements can be analyzed forensically to help identify people.
Microsoft is about to launch Kinect, a technology for detecting and interpreting the movement of humans in a defined space, like a living room. Initially Microsoft will apply the technology to its Xbox game console, so that players can interact by moving their bodies rather than moving a joystick or a wii-mote. With time, however, Microsoft envisions Kinect gathering human input in many computing environments.
Even though Kinect may today not be intended for biometrics, it will be capturing biometrically measurable information about the movement of people. To one degree or another, the way an individual moves (walks, swings her arms and so on) is unique. If Kinect is capturing and measuring movements, it is inevitable that the measurements will be recorded.
If records exist, then it is only a matter of time before they become the subject of an investigation into who was interacting with a certain computer at a certain place and time. Cell phones and toll road tags were not intended to track the whereabouts of users. But they collect a lot of data about the location of people at particular times, and that data became irresistible to divorce lawyers and criminal investigators, who, using the power of law, were able to demand access to the data.
Imagine an interactive display in a shopping mall. As patrons walk by, they can interact with the display by dancing, jumping or waving. But eventually there will be an investigation into whether Joey walked by that display (on his way allegedly to rob a store), and authorities will access the data for analysis.
Other sources of measurements for human movement are the accelerometers in iPhones. They have been used to measure, for example, the gait of the person holding an iPhone. If those measurements can be captured, someone can write an app to record them. Then, contrary to the intention of the app writer, some investigator will lawfully tap those records in e-discovery to find out who was using the iPhone.
Behavior biometric measurements are not, by themselves, highly reliable identifiers of individuals. However, the measurements can be forensically meaningful. When combined with other indicia of identity (such as eyewitness identification), biometric measurements can help to pinpoint someone.
Behavioral biometric records will be a new privacy battleground in coming years.
Consent, Contracts, Privacy Rights in the Information Economy
Professional investigators should read cyber terms of service.
Technology contracts like terms of service (ToS) and end user license agreements (EULAs) are having a growing impact on the execution and outcome of investigations . . . internal investigations, private investigations, forensics examinations, law enforcement investigations, intellectual property investigations, cyber-theft investigations and many more.
Increasingly, social, business, academic and entertainment interaction occurs inside virtual environments. These environments saturate modern life: web pages, video games, online schools, social networks, digital media (books, music, movies) smartphone apps and corporate computer networks.
As users enter these environments, they are commonly required to agree to legal terms of use and access. These agreements can govern official investigations that may come later. These agreements can (and increasingly do) contain statements that users consent to official audits and probes and consent to limits on their privacy.
University Network Terms Applicable to Student
For example, when a freshman student at the University of Wisconsin attached his PC to the university's network, he agreed to terms of service, which included an acknowledgment that the university could execute IT security measures. Later, when a university system administrator suspected that the student's PC was involved in an ongoing, dangerous hacking incident on the network, the administrator hacked remotely into the student's PC.
While searching inside the PC, the administrator found evidence that incriminated the student in illegal hacking outside the university's network. The university gave this evidence to government prosecutors, who attempted to use the evidence in a criminal trial against the student. The student objected, on the grounds that the university had violated his privacy. The court disagreed with the student. The court said the student's privacy had not been violated because he consented – by virtue of the security clause in the network terms of service – to the search by the system administrator. US v. Heckenkamp
Social Network's Terms Authorizing Investigation
Here are example terms of service authorizing investigations, published by Zenbe, a social networking service for sharing information among friends:
Zenbe reserves the right to access, read, archive, monitor, and disclose any information it reasonably believes is necessary to: 1. enforce this Agreement, including investigation of potential violations hereof. 2. protect the rights, property or safety of Zenbe, its users and the public. 3. satisfy any applicable law, regulation, legal process or governmental request. 4. detect, prevent, or address fraud, security or technical issues, including the filtering of spam.
Terms like these can be relevant to monitoring users in online communities and business transactions.
Terms for Investigationg Abuse of Online Games and Credits
Entrepreneurs are inventing new ways to transact business online. They are devising myriad electronic credits, coupons, vouchers, discount codes, trading cards, play money, online property, virtual game pieces and more. As they distribute these virtual goods and assets to users, their power to investigate their users is critical to nixing abuse, foiling hacks, thwarting counterfeits and maintaining the quality of their product or service. Investigations are a growing component of the information economy.
A substantial method for entrepreneurs to police their products and services is to require users to click on terms of use that include power on the part of the entrepreneurs to investigate their users.
Terms for Internal Investigations
Some investigations are internal to an enterprise, as is the case with a human resources (HR) investigation. The scope of an internal investigation can depend on contract terms or written employment policies. For example, in Ontario v Quon, a police officer said his boss violated his privacy when the boss reviewed text messages the officer sent from his employer-issued pager. In other words, he argued that his government employer violated his Fourth Amendment right to be free from unreasonable search. However, the US Supreme Court held the employer did not violate privacy, in part because the officer had previously known by virtue of department policy that management could review (investigate) the content of messages exchanged through the department's equipment.
An employer or other organization that creates an electronic space is remiss if it lacks terms of use that include rights for official investigation. Although those rights may exist without explicit statement in an agreement, the user's assent to them erodes her ability to object to an investigation when it happens.
Terms of Service Applicable to Professional Investigators
To be sure, terms in an agreement cannot legitimize an irresponsible investigation. But terms can help clarify that the user was warned he could be scrutinized, records could be captured and evidence could be used against him. They can clarify that as a condition to his treatment as an authorized user, he consents to monitoring and evaluation.
A professional investigator should take note when the subject of investigation has agreed to no relevant terms or agreement. The lack of agreed terms can constrain the investigation.
Conversely the investigator should note whether multiple, overlapping terms of investigation apply simultaneously to a person under investigation. For instance, suppose an investigator is engaged by the operator of a game app that works inside Facebook, and the investigator is examining whether Jane is abusing the game. The game terms that Jane agreed to when she started the game may support the investigation. The investigator may gather relevant evidence from game app’s network.
In addition, the terms of Facebook may support the investigation. The investigator may be able to get help from Facebook. Facebook, based on its terms of service, may be willing to cooperate with the investigation and turn over its own records about Jane.
Summit Title: "E-Data Retention, Discovery and Destruction: Developing and Implementing IT Policy"
Announcement: We have cancelled this conference. We are evaluating whether to revive it at different place, time and/or format. If readers or potential partners/sponsors have any ideas, please contact Ben Wright. Many thanks to the speakers who agreed to support this summit.
Former date and place: September 27-28, 2010, Las Vegas
Summit Description: Almost unheard of ten years ago, electronic discovery is today chewing up IT resources – equipment, services and staff time. Recognizing that many electronic records such as e-mail, spreadsheets and text messages might some day be demanded in a lawsuit or freedom-of-information request, what policy should your enterprise adopt for retaining and destroying electronic records? Although it is foolhardy to keep everything forever, numerous, recent court cases have punished organizations for failing to retain data, or for failing to find and disclose it in a timely, responsive manner. This summit [conference] draws from the wisdom of diverse experts and end-users, including case studies, to address:
- the process for setting workable policy,
- techniques for managing storage and service costs,
- confidentiality, security and other tradeoffs between in-house and cloud storage,
- ever-improving methods for searching and culling vast troves of records,
- real-world experiences on the interplay between lawyers and IT professionals,
- protocol for access to records for internal investigations,
- international issues, including non-US privacy laws.
Given that law and technology are simultaneously undergoing rapid change, the summit assesses what the future may hold for e-records management policy, products, services and legal expectations.
We are looking for sponsors and suggestions! If you wish to exhibit or offer an idea, then please:
- leave a comment below; or
- call me at 1.214.403.6642; or
- email ben underscore wright at compuserve dot com (put "BLOG" in subject line).
Update: We are proud to announce these confirmed speakers:
- Steven Broberg and Shawn Malone of the Records Management Department of Travis County, in Austin, Texas
- Jorge Rey, Director of Information Security and Compliance, Kaufman, Rossin & Co., P.A. (policy development case study)
- Kevin Bong, Director of Corporate Security, Johnson Financial Group (end-user policy case study)
- Sonian, Inc. (cloud email archiving)
- Alex Blumrosen (American attorney practicing in Paris, France)
- Greg Smith, Messaging Architects
- Vivien Osamiluyi, Internal Auditor, Legg Mason
- CrowdFlower will demonstrate crowdsourcing as a tool for assessing large quantities of documents in an official investigation, such as a lawsuit or government inquiry
- Michael Osterman of Osterman Research
- Brian W. Foster, Access Sciences Corporation
- Kevin Larson - Qualcomm, Inc (end user enterprise)
- Digital Reef
- Jesse Wilkins - Access Sciences Corporation
- Jim Balter - University of Miami
Twitter hashtag for the Summit: #sanspolicy
Summit Agenda
[Tentative as of July 21, 2010 - Subject to Revision.]
[Not yet approved by Speakers.]
September 27 – 28, 2010
Las Vegas, NV
Title: "E-Data Retention, Discovery and Destruction: Developing and Implementing IT Policy"
The mission of this Summit is to stimulate discussion and debate as a tool for learning. Each session will allow ample time for interaction among participants.
DAY ONE Monday, September 27
9:00-9:40: Welcome and Introduction
Speaker: Benjamin Wright, Summit Chairman
Title: Resolving the conflict in electronic records retention policy setting.
Abstract: The quantities of electronic records are skyrocketing, and courts are expecting better retention of them. How do we reconcile these developments with traditional records management practices? What to expect in this Summit. Mr. Wright will query participants to bring their issues and experiences to light.
Throughout the Summit, Mr. Wright will attempt to summarize and stimulate discussion around major points that emerge from the sessions.
9:50 – 10:50
Title: Records Managers – Travis County, Texas – Confront E-mail
Speakers: Steven Broberg and Shawn Malone, Records Department, Travis County, Texas.
Abstract: Professional records managers will articulate the considerable challenges they have encountered in trying to square legal expectations with the realities of email in a complex enterprise having 4500 email users.
10:50 – 11:10 Break
11:10 - 12:15
Session Title: Experts on Record Retention Policies
Speaker: Access Sciences Corporation - Brian W. Foster (former Director of eDiscovery at one of the top five global oil companies) and Jesse Wilkins
Session description to be determined.
Lunch 12:15 – 1:30
1:30 – 2:20
Session Title: Finding Email Records in the Real World
Speaker: Greg Smith, Messaging Architects
Abstract: Practical e-discovery experience – the proliferation of email records throughout an enterprise, including in unexpected places. Stories from the trenches.
2:20 – 2:40 Break
2:40 – 3:55
Session Title: User Panel
Abstract: All enterprises wrestle with how to set policy for the retention of electronic records in a changing environment. Hearing the experiences of diverse user enterprises can paint a more realistic picture of what is possible and what should be expected for well-crafted policy.
Panel Members:
Internal Auditor: Vivien Osamiluyi, Legg Mason
Kevin Bong - Johnson Financial Group
Kevin Larson - Qualcomm, Inc (end user enterprise) - How do security issues influence policy on electronic records retention? Podcast about Kevin's presentation: Download Sans_intro_klarson
- Jim Balter - University of Miami
Steven Broberg and Shawn Malone, Records Department, Travis County, Texas
4:00 – 5:00
Session Title: e-Discovery's Influence on Email Record Retention Policy
Speakers: Digital Reef - Steve Akers (Founder and CTO) and Digital Reef's Customer, James Bandes
Abstract: What are practical experiences with e-discovery telling us about how to write and implement e-record retention policies?
DAY TWO Tuesday, September 28
9:00 – 10:00
Session Title: European Experience
Speaker: Attorney Alexander Blumrosen, Bernard-Hertz-Béjot - Paris, France
Abstract: In lawsuits and investigations, privacy issues can loom larger outside the US. How are these issues influencing e-Discovery and the development of e-records policy in Europe?
10:05 – 11:00
Session Title: Drawing Practical Lessons
Speaker: Benjamin Wright, Summit Chairman
Abstract: What are the larger implications of the stories from day 1? How can these be combined with the lessons today to write a take-home list of principles and guidelines? Mr. Wright will lead the group in compiling that list, starting now and running through the rest of the day.
11:00 – 11:20 Break
11:20 – 12:15
Session Title: The Future of Electronic Records Policy and Technology
Speaker: Michael Osterman, Osterman Research
Abstract: What are the big trends in records management and e-discovery and how are organizations not keeping pace from a policy perspective with regard to records management, social media management, or managing data for regulatory or legal compliance? How is technology changing and what is the role of technology vis-à-vis things like employee training and establishment of corporate policies? What can we expect two years, five years from now? How should enterprises prepare for the future from both a technology and non-technology perspective?
12:15 – 1:30 Lunch
1:30 - 2:30
Session Title: e-Mail & Electronic Records Disposal Policy Case Study
Abstract: In this case study, an accounting firm helped an organization save costs by implementing a policy that reduced the quantity of electronic records and emails retained. During this session, ample time will be available for all Summit participants ask questions, make comments and debate.
2:30 – 2:50 Break
2:50 – 3:40
Session Title: Cloud Storage of Records
Speaker: Sonian, Inc. and End-User Customer
Abstract: What are the true costs for storing enterprise email in the cloud? As a practical matter, can the enterprise be assured that those records will be secure and will be retrievable many years in the future? Will privacy and confidentiality issues limit the use of cloud services for the storage of critical business archives? Can these issues be addressed with contracts, technical controls and other procedures?
3:45 - 4:15
Session Title: TBA
Speaker: TBA
4:20 – 5:00
MUST SEE HIGHLIGHT OF THIS SUMMIT!
Session Title: Crowdsourcing Demonstration
Speaker: CrowdFlower
Abstract: In modern lawsuits and investigations, the massive volumes of electronic records is daunting. How do we make sense of all these records? Crowdsourcing may be one effective tool, where a swarm, an army, of virtual workers is employed to review and analyze records. CrowdFlower will present a pioneering demonstration of this concept, live at the Summit. Don't miss this unprecedented learning experience. Download Media alert SANS-CrowdFlower
Many professionals who visit this blog are looking for education on electronic records or technology law. Mr. Wright can deliver custom tutorials on the topics important to you right now. A tutorial can be one hour, two hours, a half-day, or more.
Benjamin Wright has much experience training professionals on such topics as e-discovery, e-record privacy, data security law, cyber defense investigations, record retention policies, BYOD, e-commerce records and contracts, and more.
Now he delivers this continuing professional education on a tailored, as-needed basis. Tell him what interests you, and he will work with you to develop a curriculum and a delivery plan. The number of students could be one, two, 100, or more.
The method of delivery could be Webex, on-site, telephone conference, or something else, depending your needs and resources. A tutorial could combine lecture and interactive Q & A.
To discuss, please call Mr. Wright at 1.214.403.6642.
Price would depend on many factors, such as the length of seminar time, the medium of delivery, out-of-pocket expenses, and the amount of advanced preparation involved. A one-hour briefing by Mr. Wright to a small audience (delivered by telephone call you initiate) on a topic for which he already has material, could cost as little as $375.
Many professionals – auditors, lawyers, investigators, accountants, records managers, security professionals -- need continuing professional education (CPE and CLE) hours. Mr. Wright's tutorials are of a quality to support the granting of credit. Mr. Wright will be happy to sign a letter confirming that any particular professional participated in a seminar. However, the application for and obtaining of credit will be the responsibility of the individual professional.
Rules for continuing legal education credit vary by jurisdiction. Often an attorney can obtain credit by applying for it after attending a seminar.
Mr. Wright and Messaging Architects deliver an in-house workshop for developing enterprise policy on BYOD and the retention, destruction and management of electronic records, especially e-mail.
= Statement from Andrew Scygiel, Merck & Co., Inc. to Mr. Wright: "Thanks again for a great class and very insightful information. You have really changed my view of records and I have 'aspired' to be much more aware of our policy and how today's climate can affect us."
As senior legal instructor at the SANS Institute, Mr. Wright emphasizes that -- in response to an IT security incident -- an effective public message is just as critical as the technical and legal responses.
Internal Investigations under Data Protection Legislation
Many countries have data privacy laws limiting the disclosure of personal information their citizens. Although the laws are far from uniform around the world, the European Data Protection Directive (95/46/EC) is a leading guide.
These laws motivate (multinational) corporations to configure controls into email (as well as webmail and text-instant-message) record retention systems.
The European Data Directive generally instructs European countries to enact local privacy legislation to regulate personal information. The legislation can apply to e-mail and other electronically stored information (ESI). As a practical matter, the details on implementation and enforcement of local (non-US) privacy laws with respect to e-mail is a very complex topic. Some local laws can frustrate internal corporate investigations that might appear, to US-based managers for example, as routine and responsible. They can cause emails to be withheld from investigators.
One instance: In 2001 French courts held that a foreign-headquartered company violated the privacy rights of a French engineer when it inspected his e-mail records, stored on company computers. The records revealed he was wrongfully moonlighting on company time. Doreen Carvajal, “The Workplace: When bosses spy on workers,” International Herald Tribune, April 21, 2004 .
As corporations install appliances to store e-mail archives, they should consider whether to implement controls for compliance with local privacy statutes. The controls might include
1. written policies calling for compliance with local law;
2. technical blocks to prevent unauthorized people or departments from accessing specific records, while granting access to those who have been authorized; and
3. alerts and audit trails to enable after-the-fact review of who accessed which records and when.
--Benjamin Wright
Mr. Wright is a consultant to Messaging Architects, develper of sound process for electronic mail record-keeping and investigation.
"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.
Blogger
Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.
"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training
Important!
No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.
The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.
Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.
Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.
The only person responsible for Mr. Wright's words is Mr. Wright.
Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.
Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.
Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.
Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.
Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.
