Posted by rjbiii on July 17, 2009
Attorneys at Ogletree Deakins post a case summary in which the court, among other things:
…specifically rejected the idea that a company’s ownership of a computer is the sole determinative factor in deciding whether an employee’s personal communications become the company’s property.
The case is: Stengart v. Loving Care Agency, Inc., No. A-3506-08T1 (App. Div., June 26, 2009)
Posted in Articles, Privacy, Waiver of Privilege, email | Leave a Comment »
Posted by rjbiii on February 22, 2009
An EU “working group” has released a proposed set of guidelines (warning: PDF document) for companies who are subject to EU Privacy Directives to follow when complying with discovery rules in U.S. matters. The document’s purpose is described thusly:
The working party sees the need for reconciling the requirements of the US litigation rules and the EU data protection provisions. It acknowledges that the Directive does not prevent transfers for litigation purposes and that there are often conflicting demands on companies carrying on international business in the different jurisdictions with the company feeling obliged to transfer the information required in the foreign litigation process. However where
data controllers seek to transfer personal data for litigation purposes there must be compliance with certain data protection requirements. In order to reconcile the data protection obligations
with the requirements of the foreign litigation, the Working Party proposes the following guidelines for EU data controllers.
The document is an excellent primer for EU-US cross-border discovery matters. It also discusses the differences in discovery between common law and civil code systems, and those of the U.S. with other common law nations.
Posted in Discovery, European Union, International Issues, Legislation, Privacy | Leave a Comment »
Posted by rjbiii on September 13, 2008
Somewhat alarming; but interesting with respect to forensics and investigations:
A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.
The U.S. National Security Agency is also participating in the “IP Traceback” drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.
The potential for eroding Internet users’ right to remain anonymous, which is protected by law in the United States and recognized in international law by groups such as the Council of Europe, has alarmed some technologists and privacy advocates. Also affected may be services such as the Tor anonymizing network.
The article notes the potential of these standards to aid repressive regimes:
A second, apparently leaked ITU document offers surveillance and monitoring justifications that seem well-suited to repressive regimes:
A political opponent to a government publishes articles putting the government in an unfavorable light. The government, having a law against any opposition, tries to identify the source of the negative articles but the articles having been published via a proxy server, is unable to do so protecting the anonymity of the author.
Posted in Articles, International Issues, Privacy | Leave a Comment »
Posted by rjbiii on August 12, 2008
Private Videos and Related Data
YouTube.com users may override the website’s default setting–which makes newly added videos available to the public–by electing to mark as “private” the videos they post to the website. Plaintiffs move to compel production of copies of all those private videos, which can only be viewed by others authorized by the user who posted each of them, as well as specified data related to them.
Defendants are prohibited by the Electronic Communications Privacy Act (“ECPA”) (18 U.S.C. § 2510 et seq.) from disclosing to plaintiffs the private videos and the data which reveal their contents because ECPA § 2702(a)(2) requires that entities such as YouTube who provide “remote computing service to the public shall not knowingly divulge to any person or entity the contents” of any electronic communication stored on behalf of their subscribers, FN8 and ECPA § 2702 contains no exception for disclosure of such communications pursuant to civil discovery requests.
FN8:The prohibition against divulgence of stored subscriber communications set forth in ECPA § 2702(a)(2) applies only “if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing” (id. § 2702(a)(2)(B)), but defendants satisfy that condition here because their authorization to access and delete potentially infringing private videos is granted in connection with defendants’ provision of alleged storage services.
Plaintiffs claim that users have authorized disclosure of the contents of the private videos pursuant to ECPA § 2702(b)(3) (remote computing service providers “may divulge the contents of a communication * * * with the lawful consent of * * * the subscriber”) by assenting to the YouTube website’s Terms of Use and Privacy Policy, which contain provisions licensing YouTube to distribute user submissions (such as videos) in connection with its website and business, FN9 disclaiming liability for disclosure of user submissions, FN10 and notifying users that videos they divulge online in the public areas of the website may be viewed by the public.
FN11 None of those clauses can fairly be construed as a grant of permission from users to reveal to plaintiffs the videos that they have designated as private and chosen to share only with specified recipients.
FN9: “However, by submitting User Submissions to YouTube, you hereby grant YouTube a worldwide, non-exclusive * * * license to * * * distribute * * * the User Submissions in connection with the YouTube Website and YouTube’s (and its successors’ and affiliates’) business.” This authorizes YouTube to post the video on the website; the privacy designation restricts to whom it may be shown.
FN10: “YouTube does not guarantee any confidentiality with respect to any User Submissions.”
FN11: The record shows that the provision of the Privacy Policy plaintiffs point to, which states that “Any videos that you submit to the YouTube Sites * * * may be viewed by the general public” refers to “personal information or video content that you voluntarily disclose online (on discussion boards, in messages and chat areas, within your playback or profile pages, etc.)” which “becomes publicly available.”
But the ECPA does not bar disclosure of non-content data about the private videos (e.g., the number of times each video has been viewed on YouTube.com or made accessible on a third-party website through an ‘embedded’ link to the video). Plaintiffs argue that such data are relevant to show whether videos designated private are in fact shared with numerous members of the public and therefore not protected by the ECPA, and to then obtain discovery on their claim (supported by evidence) FN12 that users abuse YouTube’s privacy feature “to share infringing videos with any interested member of the public while evading detection by content owners.” It is not clear from this record whether plaintiffs’ interpretation of the ECPA is correct, but their view is colorable, as the statute’s legislative history states that “a subscriber who places a communication on a computer ‘electronic bulletin board,’ with a reasonable basis for knowing that such communications are freely made available to the public, should be considered to have given consent to the disclosure or use of the communication.” Plaintiffs need the requested non-content data so that they can properly argue their construction of the ECPA on the merits and have an opportunity to obtain discovery of allegedly infringing private videos claimed to be public.
FN12: Plaintiffs submitted a snapshot of a YouTube user’s web page entitled “THE_RUGRATS_CHANNEL” which states “Disclaimer: Rugrats_and all Rugrats_related items are a copyright of Viacom” and on which the user states:
WELCOME TO MY_RUGRATS_PAGE. Previously rbt200, this is my new channel. The old one got deleted so I thought I’d start again, but this time, it’s JUST_RUGRATS! A whole channel dedicated to this fantastic cartoon! I will be posting whole episodes over the coming weeks so be sure to subscribe or add me as a friend because they might be set to private.
Viacom Int’l Inc. v. YouTube Inc., 2008 U.S. Dist. LEXIS 50614 at *25-30 (S.D.N.Y. July 1, 2008 ) (internal citations removed).
Posted in 2nd Circuit, Case Blurbs, Discovery Requests, Duty to Produce, Electronic Communications Privacy Act, Judge Louis L. Stanton, Objections to Discovery Requests, Privacy, Relevance, S.D.N.Y, Scope of Discovery | Tagged: Google, Viacom, YouTube | Leave a Comment »
Posted by rjbiii on August 12, 2008
Video-Related Data from the Logging Database
Defendants’ “Logging” database contains, for each instance a video is watched, the unique “login ID” of the user who watched it, the time when the user started to watch the video, the internet protocol address other devices connected to the internet use to identify the user’s computer (“IP address”), and the identifier for the video. That database (which is stored on live computer hard drives) is the only existing record of how often each video has been viewed during various time periods. Its data can “recreate the number of views for any particular day of a video.” Plaintiffs seek all data from the Logging database concerning each time a YouTube video has been viewed on the YouTube website or through embedding on a third-party website.
They need the data to compare the attractiveness of allegedly infringing videos with that of non-infringing videos. A markedly higher proportion of infringing-video watching may bear on plaintiffs’ vicarious liability claim, n3 and defendants’ substantial non-infringing use defense.
Defendants argue generally that plaintiffs’ request is unduly burdensome because producing the enormous amount of information in the Logging database (about 12 terabytes of data) “would be expensive and time-consuming, particularly in light of the need to examine the contents for privileged and work product material.”
But defendants do not specifically refute that “There is no need to engage in a detailed privilege review of the logging database, since it simply records the numbers of views for each video uploaded to the YouTube website, and the videos watched by each user.” While the Logging database is large, all of its contents can be copied onto a few “over-the-shelf” four-terabyte hard drives. Plaintiffs’ need for the data outweighs the unquantified and unsubstantiated cost of producing that information.
Defendants argue that the data should not be disclosed because of the users’ privacy concerns, saying that “Plaintiffs would likely be able to determine the viewing and video uploading habits of YouTube’s users based on the user’s login ID and the user’s IP address.”
But defendants cite no authority barring them from disclosing such information in civil discovery proceedings, FN5 and their privacy concerns are speculative. Defendants do not refute that the “login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube” which without more “cannot identify specific individuals, and Google has elsewhere stated:
We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.
FN5: The statute defendants point to, 18 U.S.C. § 2710 (titled “Wrongful disclosure of video tape rental or sale records”), prohibits video tape service providers from disclosing information on the specific video materials subscribers request or obtain, and in the case they cite, In re Grand Jury Subpoena to Amazon.com, 246 F.R.D. 570, 572-73 (W.D.Wis. 2007) (the “subpoena is troubling because it permits the government to peek into the reading habits of specific individuals without their prior knowledge or permission”), the court on First Amendment grounds did not require an internet book retailer to disclose the identities of customers who purchased used books from the grand jury’s target, a used book seller under investigation for tax evasion and wire and mail fraud in connection with his sale of used books through the retailer’s website.
Therefore, the motion to compel production of all data from the Logging database concerning each time a YouTube video has been viewed on the YouTube website or through embedding on a third-party website is granted.
Viacom Int’l Inc. v. YouTube Inc., 2008 U.S. Dist. LEXIS 50614 at *15-19 (S.D.N.Y. July 1, 2008 ).
Posted in 2nd Circuit, Case Blurbs, Data Collection, Data Sources, Databases, Duty to Produce, Judge Louis L. Stanton, Privacy, S.D.N.Y, Scope of Discovery, Undue burden or cost | Tagged: Google, Viacom, YouTube | Leave a Comment »
Posted by rjbiii on July 31, 2008
This time, the CEO (and former litigator) of Catalyst, John Tredennick, writing in Law Technology Today (reg’n may be required) passes comment:
Two states have recently enacted statutes that make it a crime for unlicensed individuals to engage in computer forensics. Texas passed a law that would give regulators the power to impose up to a year in jail and a $14,000 fine on people doing “computer investigations.” Michigan went a bit further. On May 28 th of this year, Governor Jennifer Granholm signed into law a bill that makes unlicensed computer forensics work in Michigan a felony punishable by up to a four-year prison term, damages of up to $25,000 and a criminal fine of up to $5,000.
Read the article for details, but Tredennick summarizes the Texas law thusly:
As I read these [Regulatory Agency] opinions, there is some comfort for people doing routine electronic discovery collection but not if there is a forensic or testimonial aspect to the collection. There is a strong suggestion that experts who are called to testify in Texas courts regarding examinations of electronic files better be licensed in Texas. If you don’t have a license, you might be pulled off the stand and escorted to the hoosegow for an extended visit.
Seriously…not the hoosegow!
With respect to Michigan:
How far does this reach?
Good question. If I were a forensics expert and offering testimonial services, I would be pretty nervous about this law. The Act seems to focus on:
Computer forensics to be used as evidence before a court, board, officer, or investigating committee.
Most electronic discovery is focused on collection rather than forensics and an argument could be made that your eDiscovery efforts are not about forensics but rather the collection of relevant evidence for review. But do you want to make this argument to some Michigan criminal court? I wouldn’t.
Post Process has previously blogged on this issue (here, here, here, here, here, and here).
Posted in Articles, Data Collection, EDD Industry, Forensics, Laws, Michigan, Privacy, Texas, Vendor Liability | Tagged: Catalyst, John Tredennick | 2 Comments »
Posted by rjbiii on June 19, 2008
Post Process-Plaintiff Attorney objected to a forensics exam of his computer hard drive, a computer which he used both personally and professionally. The court, though noting the validity of issues raised, ruled for Defendants. In doing so, it appointed two forensics experts to act as officers of the court, and issued the following protocol:
[T]his Court ORDERS:
1. Within seven days of the date of this Opinion and Order, Plaintiff’s forensic computer expert shall mirror image both of Plaintiff’s computer systems’ hard drives and Plaintiff shall preserve this mirror image.2. Plaintiff’s forensic computer expert shall then remove only Plaintiff’s confidential personal information from the mirror image of Plaintiff’s computer systems’ hard drives. Plaintiff’s expert shall provide Defendants with the protocol he utilized to remove the confidential information.
3. Plaintiff shall then provide Defendants’ computer forensic expert access to his computer systems’ hard drives.
4. Defendants’ forensic computer expert shall mirror image Plaintiff’s computer systems’ hard drives in approximately four to eight hours for each system. If the expert finds that this is not enough time, Plaintiff is expected to be reasonable in allowing some additional time. Defendant is expected to be considerate with regard to scheduling times that are less intrusive to Plaintiff and his business.
5. Defendants’ expert shall review his findings in confidence with Plaintiff prior to making any findings available to Defendants.
6. Plaintiff shall identify for deletion any information that is irrelevant and create a specific privilege log of any relevant information for which he claims privilege. The computer forensic expert shall remove the information claimed as privileged and provide all other information to Defendants.
7. Defendants’ expert shall provide Plaintiff with the protocol he utilized to remove the privileged information.
8. Forensic computer experts C. Matthew Curtin and Scott T. Simmons shall act as officers of this Court. Defendants shall be responsible for remunerating Mr. Curtin and Plaintiff shall be responsible for remunerating Mr. Simmons.
Ferron v. Search Cactus, L.L.C., 2008 WL 1902499 at *5 (S.D. Ohio Apr. 28, 2008 )
Posted in 6th Circuit, Computer Forensics, Cost of Discovery, Duty to Preserve, Duty to Produce, Form of Production, Judge Gregory L. Frost, Privacy, Privilege Log, S.D. Ohio | Tagged: Bingham McCutcheon, Ferron & Associates, Hockstad Law Office, John W. Ferron, Roetzel & Andress, Search Cactus LLC | Leave a Comment »
Posted by rjbiii on June 19, 2008
Post Process-Plaintiff Attorney objected to a forensics exam of his computer hard drive, a computer which he used both personally and professionally. The court, though noting the validity of issues raised, ruled for Defendants. In doing so, it appointed two forensics experts to act as officers of the court:
It appears to the Court that both of the forensic computer experts presented to it are qualified. In certain situations, courts appoint computer forensic experts to act as officers of the court to help “reduce privacy intrusions and privilege waiver issues during forensic analysis.” Mark E. Borzych, Avoiding Electronic Discovery Disputes: Practice Questions Answered, 41 AZ Attorney 36 (January 2005). See also Thielen, 2007 U.S. Dist. LEXIS 8998, at *8 (court ordered forensic analysis by third party and accepted that no waiver of privilege occurred). Thus, the two identified computer forensic experts shall serve as officers of this Court.
Ferron v. Search Cactus, L.L.C., 2008 WL 1902499 at *4 (S.D. Ohio Apr. 28, 2008 )
Posted in 6th Circuit, Case Blurbs, Computer Forensics, Judge Gregory L. Frost, Neutral Third Party, Privacy, S.D. Ohio | Tagged: Bingham McCutcheon, Ferron & Associates, Hockstad Law Office, John W. Ferron, Roetzel & Andress, Search Cactus LLC | Leave a Comment »
Posted by rjbiii on June 18, 2008
Post Process has already remarked on a Texas law that implies that computer forensics experts must have a private investigator’s license. Now it’s Michigan’s turn.
Joe Howrie has written an article on a new Michigan law that requires people engaging in “computer forensics” to acquire a license as a private investigator:
“According to the state of Michigan Web site, Michigan House Bill 5274, “the professional investigator licensure act,” was signed into law by Gov. Jennifer Granholm on May 28.
According to the terms of the act, it becomes effective immediately (Sec. 29) and it is now a felony punishable by up to a four-year prison term and a $25,000 fine for a person to engage in computer forensics in Michigan unless that person is licensed under the act or falls within one of its exemptions (Sec. 3(3)).”
The exemptions mentions attorneys, but not staff working under a lawyer’s supervision, although Howrie feels that staff would be exempted:
Presumably, the attorney exemption extends to staff employed to assist an attorney as attorneys have historically used support personnel for litigation. If the legislature had intended that lawyers could only use support staff with whom the lawyers had employer-employee relationships, the employer-employee language from 4(e) would also appear in the 4(a) lawyer exemption section.
This particular law, driven evidently from privacy concerns, seems broader and harsher than others we’ve seen recently, including the Texas law. Questions abound: if I am in Houston, and I use an application to pull data from a server in Michigan, for the purposes of preparing some of that data for submission to a court as evidence, am I in violation of the statute? If I merely hold myself out as a computer forensics professional, do no business in Michigan directly, but engage in “forensics” elsewhere, are there any consequences (minimum contacts and the web?).
While protecting the public and privacy is important…is a Private Investigator’s license really the best vehicle for this sort of regulation? Stay tuned…
Posted in Articles, Data Collection, Forensics, Laws, Legislation, Privacy, Trends, Uncategorized | Tagged: EDD Update, Joe Howrie, Michigan | 1 Comment »
Posted by rjbiii on June 16, 2008
An interesting post on quantum encryption is found at arXiv. The post explains why quantum encryption is not bullet-proof:
Here’s one loophole. The security of quantum encryption schemes depends on our inability to make a copy of a quantum state. If that were possible, [the eavesdropper] could make a copy of the message and pass on the original without anybody being the wiser. But in the quantum world, copying anything destroys the original, so the sender and receiver can always tell if they’ve been overheard by examining the error rates in their message. If it rises above a certain limit, the line is not secure.
That would be pretty convincing were it not for our ability to make imperfect copies of quantum states without destroying the original. That’s a loophole that an eavesdropper can exploit to extract information from a quantum message without the sender or receiver knowing. It should work as long as Eve is careful to keep the error rate below the critical limit.
He then points to an outline of a quantum eavesdropper.
Posted in Articles, Computer Security, Encryption, Privacy | Tagged: arXive | Leave a Comment »
