A Bad Idea…

Leaving your thumb drive containing child porn in a computer used by multiple employees isn’t too smart. And if your fellow employees are police officers, it’s a real bad idea.

Around the Block (March 10, 2011): EU Privacy laws rankle web-site owners, and Howrey’s possible dissolution caused by E-Discovery Vendors?

Web Operators inside the UK are complaining that E.U. Privacy directives are putting them at a competitive disadvantage. The Government’s Information Commissioner has stated that “explicit consent” must be given by users before sites can place cookies that “track” their activities on their computers. From the Article:

The reaction [to privacy laws] from start ups has been strong and angry. Nick Halstead, CEO of U.K. start up Mediasift, behind the very popular Tweetmeme service, has been vociferous in his condemnation.

“If users are presented with a pop up every time a cookie is going to be set, they are simply going to go to sites outside of Europe that are not hampered in the same way. It will put us at a major disadvantage compared to American sites.

“On our site, if you re-tweet we set a cookie. That cookie remembers other stories you have re-tweeted. Now that should be a useful thing for users. But you could say that is tracking them.”

Mr. Halstead called on governments to tread very lightly…

See a brilliant interactive demo of what the user experience might look like here.

In the chaos now hovering at Howrey, apparently one party being blamed for the firm’s collapse is E-Discovery Vendors. The quote that got my attention:

Another challenge was the rise of third-party document-discovery specialists that could provide litigation support services at substantially lower rates, he said. Howrey, a law firm with many offices in big cities, and thus, higher costs and couldn’t compete, he added.

Perhaps the problem wasn’t competition, but scope creep on the part of the firm. Lawyers should practice law, and manage the process of e-discovery. Competing with technology firms in a technology field when it isn’t a “core business” is a bad idea. The complaint is that vendors were more efficient than was Howrey at processing data. The firm was, therefore, unable to charge above-market prices for its EDD services, and apparently, this was a vital revenue stream for them. My opinion is that the “law firm as technology vendor” model doesn’t work. Howrey is exhibit A.

Leita Walker and Joel Schroeder pen an article on how to locate and use evidence from social media sites. In, Making Your Case with Social Media, they write:

[I]t’s never too early to start poking around. As soon as counsel contemplates suing or believes their client may be sued, they should investigate their opponent’s online presence. Once litigation commences, litigants may restrict their privacy settings — or remove the sites altogether — making it much more difficult to readily access potentially game-changing evidence.

Of course, once discovery commences, lawyers can employ more formal methods of fact-gathering and move to compel that evidence if met with opposition. Interrogatories should seek to identify an opponent’s screen names and relevant social media usage. Requests for production should seek blog entries and social media posts, and requests for admission should be designed to authenticate such information. In addition, counsel should be prepared to talk about social media and its production format at a Rule 26(f) or other discovery conferences.

Finally, before offering such evidence in court, counsel should be prepared to respond to objections related to relevance, hearsay, and authentication. With regard to the latter, the threshold for admissibility is low, and can be satisfied by the testimony of a witness who has personal knowledge that the evidence is what it purports to be. In fact, courts have held that website printouts need not be authenticated by the site’s owner but can be authenticated, for example, by an attorney who testifies that she visited a particular site, recognized it as the opposing party’s, and printed what she saw on the screen. Jarritos, Inc. v. Los Jarritos (2007).

Around the Block-November 24, 2010

Around the block is a regular feature of Post Process, providing a brief survey of articles and issues of note affecting law and technology.

The EU “Cookie Rule” will soon go into affect. A Computer World article penned by Stewart Room notes that this entails big changes for ISPs. From the article:

These new rules focus in particular on the dropping of cookies onto our equipment. This will only be lawful if the service provider has the subscriber or user’s consent. In order for consent to be valid, it must be freely given, specific and informed, the benchmarks established by the Data Protection Directive.

The EU’s Article 29 Working Party, which is made up of the national data protection regulators and other officials, issued an opinion on cookies and the consent issue earlier in 2010, observing that the new rules will not be satisfied by default browser settings, bulk consents, web user inactivity or the use of opt-outs.

Criticisms of the rule, which appears to require user consent every time a cookie is to be dropped on a computer, include charges that it isn’t practical, that it (along with other regulations) will stifle e-commerce growth, and that such a “pro-privacy” approach will actually work to diminish the user’s enjoyment of the internet.

Facebook May Become a More Frequent Target of Discovery. Facebook’s recent announcement that it will introduce a communication system that could replace email may complicate the lives of us working in electronic discovery. Shannon Green, in her article “Facebook Creates a Mess for EDD: Messages,” notes that the service’s large user-base having these additional tools creates additional burdens and risks for future litigants and employers:

The system has three key components: seamless messaging, a social inbox, and conversation history. Facebook engineer Joel Seligstein blogged, “You decide how you want to talk to your friends: via SMS, chat, e-mail or Messages.” Facemail messages will be clustered by sender instead of by the “antiquated” concept of using a subject line.

So far, so good. But what might be most problematic for employers is that Facebook will preserve these messages — text, chat, or smoke signals — forever.

“It’s definitely a problem in that it means these e-mails will be outside the boundaries of their retention policy,” said Rudy Rouhana, an attorney and director of product marketing at Daegis, a provider of e-discovery services. “So, if they typically delete e-mail every 90 days, 2 years, etc., they will be unable to enforce that on e-mails created in this system,” he said.

Protect your data when traveling internationally. Wired has posted an article in their “How-to” Wiki on protecting your data during border crossings. From the article:

But recently, we’ve seen incidents of computer security experts with ties to WikiLeaks and white hat hackers being stopped by government agents and having their laptops and phones thoroughly inspected.

Unless you work in computer research, or if you have ties to whistleblowers or cybersecurity journalists, the chance is very, very slim that your electronics will be searched. But even if you don’t think you’re up to anything that would arouse the suspicion of the Feds, you should still take precautions. Also, the threat of theft or snooping is something you should pay attention to, no matter how far from home you wander.

Note that these rights extend only to U.S. citizens. Any foreign visitor can be refused entry to the country by border officials on almost any grounds, even if you have a visa.

Around the block: 10/18/10

A few articles of note:

Unsurprisingly, to those who have been paying attention, some of Facebook’s apps transmit personally identifiable data. This breaks Facebook’s rules and raises many of the same privacy questions that has dogged the site in recent times. From the a WSJ article on the issue:

The problem has ties to the growing field of companies that build detailed databases on people in order to track them online—a practice the Journal has been examining in its What They Know series. It’s unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to “dramatically limit” the exposure of users’ personal information.

“A Facebook user ID may be inadvertently shared by a user’s Internet browser or by an application,” the spokesman said. Knowledge of an ID “does not permit access to anyone’s private information on Facebook,” he said, adding that the company would introduce new technology to contain the problem identified by the Journal.

The Ensigns blog has posted an interesting article on Search, perhaps inaptly entitled E-Discovery Search: The Truth, the Statistical Truth, and Nothing But the Statistical Truth. It is a very good primer on search, rather than on statistical methodology that one might surmise from the title. It is, however, a good article. An example is a passage on Latent Semantic Indexing:

What does “Latent” mean? Roughly speaking, it means “hidden.” And “Semantic” means, again roughly, “meaning.”

So, the phrase is actually descriptive of what we are trying to accomplish: find the hidden meanings (patterns) in a collection of documents, not because of the specific words we choose as input, but because of the other words in the documents containing the words we did choose and their “co-occurrence” with words in other documents, documents which do not contain our search terms.

Law.com provides you 10 helpful tips for managing cases. In 10 Tips for Effective Litigation Case Management, there is more than just a nod to applying project management principles to help with ROI and making decisions, an approach of which I greatly approve. From the article:

The past decade has ushered in significant new challenges in litigation case management. These include: the explosion in electronic discovery, the increasing importance of cross-border cooperation in litigation and investigations, and the expectation that counsel will keep abreast of, and communicate to their clients, changes in relevant legal rules and precedent on a virtually real-time basis.

These challenges have been accelerated by the global financial crisis, which has led clients to become more comfortable asking for, and coming to expect, services and fee arrangements tailored to their unique needs and goals. We are in an era of increasing competition and increasingly sophisticated legal consumers. The goal must be maximizing client value without sacrificing quality service. In the end, after all, the business of law really is all about the client and achieving its objectives.

In brief, other topics include:

• Hong Kong may criminalize unlawful transfers of personal data;
• Boston College 3L Asks for His Money Back; Hilarity Ensues;
• RIP, Benoit Mandelbrot, Novel Mathematician. See his presentation on Fractals and the Art of Roughness.

Privacy in the Age of Google and Social Media

Jeffrey Evans, CEO and founder of Tiger Text, expresses his concerns about privacy and hopes for a “cyber shredder” that will allow us some control of what information remains in the public domain. From the article:

In that same interview, Schmidt said, “I don’t believe society understands what happens when everything is available, knowable and recorded by everyone all the time.” Sadly, he is right.

I conducted a little experiment the other day. I told an intern at our office to use the internet to find out as much as he could about me in ten minutes. The only data he could use to launch his investigation were my name and the fact that I am the CEO of TigerText.

In about the same amount of time as it takes for me to make my kids’ breakfast on Saturday morning, he discovered my entire work history, dating back to jobs I had almost 20 years ago, and including where I went to college and business school. He even knew my salary at several of those jobs. Not concerned yet? There’s more.

When Should You Disclose Your Social Security Number?

Yahoo! Finance presents an article discussing when it is safe to give out your SSN, and when you should give more thought to doing so. From the article:

Just because someone asks for it doesn’t mean you have to comply, says Michael J. Arata, the author of “Identity Theft For Dummies,” especially since there are only a handful of organizations that actually have a valid need for it. For instance, anytime you’re applying for credit — for a new credit card, a loan, new telephone or cellular service — the creditor will need your Social Security number to run a credit check. You’ll also need to provide it if you are applying for federal or local government benefits such as Social Security, Medicare or Medicaid, unemployment insurance or disability. Another example: If you or your children receive services or aid at the state or local level, such as free or reduced fee lunch or financial aid. The local motor vehicle department, thanks to the USA PATRIOT Act, has the legal right to ask for Social Security numbers, too. In addition, when you complete a cash transaction totaling more than $10,000 you’ll be required to provide your number so that transaction can be reported to the Internal Revenue Service, says ITRC’s Foley.

The article contains a nice chart that divides organizations who request your card into “mandatory” and “optional” groups. It also has a sidebar that tells you what the sections in your social security number mean.

MS Bing to erase user data after six months…

Evidently doing so in an effort to appease EU regulators.

(NJ) Employee’s Attorney-Client Privilege not Waived when Communication was made on a Company Computer

Attorneys at Ogletree Deakins post a case summary in which the court, among other things:

…specifically rejected the idea that a company’s ownership of a computer is the sole determinative factor in deciding whether an employee’s personal communications become the company’s property.

The case is: Stengart v. Loving Care Agency, Inc., No. A-3506-08T1 (App. Div., June 26, 2009)

EU Working Group Releases Proposal for Reconciling EU Data Privacy Laws with US Discovery Rules

An EU “working group” has released a proposed set of guidelines (warning: PDF document) for companies who are subject to EU Privacy Directives to follow when complying with discovery rules in U.S. matters. The document’s purpose is described thusly:

The working party sees the need for reconciling the requirements of the US litigation rules and the EU data protection provisions. It acknowledges that the Directive does not prevent transfers for litigation purposes and that there are often conflicting demands on companies carrying on international business in the different jurisdictions with the company feeling obliged to transfer the information required in the foreign litigation process. However where
data controllers seek to transfer personal data for litigation purposes there must be compliance with certain data protection requirements. In order to reconcile the data protection obligations
with the requirements of the foreign litigation, the Working Party proposes the following guidelines for EU data controllers.

The document is an excellent primer for EU-US cross-border discovery matters. It also discusses the differences in discovery between common law and civil code systems, and those of the U.S. with other common law nations.

UN Agency seeks to Curb Internet Anonymity

Somewhat alarming; but interesting with respect to forensics and investigations:

A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.

The U.S. National Security Agency is also participating in the “IP Traceback” drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

The potential for eroding Internet users’ right to remain anonymous, which is protected by law in the United States and recognized in international law by groups such as the Council of Europe, has alarmed some technologists and privacy advocates. Also affected may be services such as the Tor anonymizing network.

The article notes the potential of these standards to aid repressive regimes:

A second, apparently leaked ITU document offers surveillance and monitoring justifications that seem well-suited to repressive regimes:

A political opponent to a government publishes articles putting the government in an unfavorable light. The government, having a law against any opposition, tries to identify the source of the negative articles but the articles having been published via a proxy server, is unable to do so protecting the anonymity of the author.