Confidentiality in Interviews: What You Can Promise and What You Can't

“Three may keep a secret,” wrote Benjamin Franklin, “if two of them are dead.” While attorney-client privilege confers a lot of power on lawyers and their agents to keep a secret, the privilege is never absolute. It can be waived by the client anytime, and can be breached in all sorts of ways.

That’s why it’s unwise to promise an interview subject that what he tells us will forever remain confidential, no matter what.  

As investigators, we are sometimes asked by people we interview whether what they tell us can be kept “secret,” “just between us,” “confidential” or “off-the-record.” Those terms and other similar ones may have specific legal meanings under the rules of evidence, but can also mean different things to different people.

Good reporters always go over the ground rules of an interview if a subject seeks to put a limitation on what may be reported or disclosed to third parties.

Good investigators ought to do the same if asked. We’ve written before about the importance of using templates – a script of how an investigator will represent himself and the degree to which he will identify his client, in Trial Ethics: A Template Can Save Your Life.

In every one of our templates is a response to the question, if asked by the person we are seeking to interview: “Can my comments remain confidential?”

Our answer tends to be something like, “Our firm has to share anything I hear from you with our client, but we won’t tell anyone else that you’ve told us anything unless a court orders us to do that.” This makes the investigator’s promise truthful, but doesn’t promise that what the person making the comments says will forever stay between that person and the investigator.

If we are hired by an attorney, then we will assert that anything we report to that attorney is protected by attorney-client privilege. As agents of the attorney, for the purposes of privilege it’s as if the attorney is doing the interviews we do.

But what happens if word gets out that we have done an interview, and the other side in litigation seeks a court order demanding that we hand over our notes or divulge the contents of our conversation? Our letter of engagement with attorneys promises that

we will promptly notify you [our client] and follow your direction with respect to any third-party effort, by subpoena or otherwise, to gain access to any document or information pertaining to this matter, including any effort to obtain testimony from us.

In other words, we’ll get our clients the information we learn in an interview, because our first duty is to our clients. And, we’ll fight as hard as our client would to preserve that secret. Beyond that, what happens to the information we report can be taken out of our control.

What works best for everyone concerned is that everything we promise is written down in an interview template and a letter of engagement. It helps our clients sleep better, and when they are happier, so are we.

Direct and Indirect Evidence: Learning from Computer Scientists

In September 2011, Gauss, a new malware described by the tech-press “as a cyber-espionage tool kit” emerged from the Middle East.  Gauss steals highly sensitive data, including browser passwords, online bank accounts as well as cookies and system configurations.  Gauss closely resembles the malware Flame and Stuxnet, which according to Kaspersky Lab, were created in state-sponsored factories.  Consequently, analysts believe that it too might be state-sponsored.  Since its debut, Gauss appears to have infected 2,500 machines worldwide.  However, the total number of victims may actually be much higher, in the realm of tens of thousands. 

And that number could just keep growing.  Shortly after Gauss was discovered in June 2012, its command and control infrastructure was disabled.  This may sound like a victory, but that is actually far from the truth.  As tech journalist Larry Dignan explains on Cnet.com, the Gauss “malware is dormant waiting for servers to become active.” In other words, it may continue to wreak havoc.

Admittedly, this sort of thing—state-sponsored hackers breaking into bank accounts—could keep one up at night.  What is interesting from an investigative point of view, however, is the way that computer scientists have figured out how to root out the Gauss malware before it causes harm.  Apparently, computer scientists have determined that the font Palida Narrow is used during a Gauss cyber attack.  Therefore, programs designed to detect Gauss check for that particular font to help determine whether the malware is in fact present and needs to be rooted out.

To be clear, the font does not cause the theft to occur.  Instead, its presence merely correlates with the malware that does.  It is an indirect and yet highly elegant and quick way to detect whether a problem may exist.
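The font check described above can be sketched as follows. This is an added example, not code from the article or from any vendor's detection tool: the function names and the stub font files are constructed for illustration, and the only value taken from the article is the font name. It reads the name stored inside each font file rather than trusting the file name, and it skips font collections (.ttc).

```python
import struct
import tempfile
from pathlib import Path

WATCHED_FAMILY = "Palida Narrow"  # font name taken from the article


def font_names(data):
    """Return the family (nameID 1) and full (nameID 4) names in an sfnt 'name' table."""
    if len(data) < 12:
        return set()
    num_tables = struct.unpack_from(">H", data, 4)[0]
    name_off = None
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(data):
            return set()
        tag, _checksum, off, _length = struct.unpack_from(">4sIII", data, rec)
        if tag == b"name":
            name_off = off
            break
    if name_off is None or name_off + 6 > len(data):
        return set()
    _fmt, count, str_off = struct.unpack_from(">HHH", data, name_off)
    names = set()
    for i in range(count):
        rec = name_off + 6 + 12 * i
        if rec + 12 > len(data):
            break
        plat, _enc, _lang, name_id, length, off = struct.unpack_from(">6H", data, rec)
        if name_id not in (1, 4):
            continue
        start = name_off + str_off + off
        raw = data[start:start + length]
        if len(raw) != length:
            continue  # truncated or malformed record
        # Windows (3) and Unicode (0) platforms store UTF-16BE; Mac (1) is single-byte.
        codec = "utf-16-be" if plat in (0, 3) else "latin-1"
        names.add(raw.decode(codec, errors="replace").strip("\x00 "))
    return names


def find_indicator(font_dir, watched=WATCHED_FAMILY):
    """List font files in font_dir whose internal name contains the watched family."""
    hits = []
    for path in sorted(Path(font_dir).iterdir()):
        if path.suffix.lower() not in (".ttf", ".otf"):
            continue
        try:
            names = font_names(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if any(watched.lower() in n.lower() for n in names):
            hits.append(path.name)
    return hits


def build_sample_font(family):
    """Constructed test input: a stub sfnt file holding only a 'name' table."""
    text = family.encode("utf-16-be")
    name = (struct.pack(">HHH", 0, 1, 6 + 12)
            + struct.pack(">6H", 3, 1, 0x0409, 1, len(text), 0)
            + text)
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"name", 0, 12 + 16, len(name))
    return header + record + name


if __name__ == "__main__":
    # Demo on constructed files; on a real host, point find_indicator at the
    # system font directory instead.
    demo_dir = Path(tempfile.mkdtemp())
    (demo_dir / "renamed.ttf").write_bytes(build_sample_font("Palida Narrow"))
    (demo_dir / "ordinary.ttf").write_bytes(build_sample_font("Example Sans"))
    for hit in find_indicator(demo_dir):
        print("indicator present, investigate further:", hit)
```

A hit is a reason to look closer at the machine, not a verdict, which is the article's point about indirect evidence.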

As investigators, we can’t always get exactly to the evidence we want to prove.  Sometimes it merely doesn’t exist.  Often, ethical and legal constraints keep us from being able to obtain the facts we definitively need to prove what we are investigating. 

It’s easy to get lost searching for the unsearchable, pining for that one nugget that will help everything fall into place.  But investigators don’t have that luxury. 

So, we sometimes have to do what the computer scientists have done by pinpointing a font as a sign of trouble: We have to take a step back and look for clues elsewhere.  This may mean getting off one path and onto another. For instance, we may not have direct evidence of wrongdoing, but we can scour the evidence in order to detect patterns that suggest wrongdoing.  Alternatively, we can review the facts to see if we can find any that correlate with what it is we’ve been asked to help prove or disprove.

This is not about making assumptions—we never say that because x exists, therefore y.  Instead, it is about being able to look for solutions that advance our clients’ knowledge, even if they fall short of the ideal solution.  

Lawyers and Cybersecurity: Preventing Breaches of Confidential Information

Attorneys have a professional obligation to protect client confidences and communications, but technology has made this increasingly difficult.  As a recent article in the Wall Street Journal, “Lawyers Vigilant on Cybersecurity,” explains, lawyers face serious cybersecurity threats precisely because their clients entrust them with highly sensitive and classified information.  Criminal and state-sponsored hackers target law firms to gain access to these confidential cases, especially if the information involves corporate mergers or acquisitions.  In some instances, insider information could be sold for millions, and so tech-savvy criminals go after the weakest link—the lawyers with access to this sensitive data.

There are no statistics of how many firms have been hacked: The FBI doesn’t keep records on which types of businesses have been the subject of attacks, and law firms have been less than forthcoming about whether they’ve had security breaches.  Admitting client information leaks would be far too damaging to a firm’s reputation.  Law-enforcement officials suggest, however, that more and more often, law firms find themselves the targets of cyberattacks.  As the Wall Street Journal article notes, the FBI has evidence of confidential business documents exfiltrated from law firms via cyberattacks.

Recently proposed changes to attorney ethical rules by the American Bar Association (ABA) also suggest that the profession sees technical breaches as an industry-wide problem.  Earlier this week the ABA Commission on Ethics announced that its proposed changes to the Model Rules include requiring lawyers to take proactive measures to protect their clients’ information when using new technologies.  The proposed edits suggest that lawyers have to be more aware of both “inadvertent and unauthorized” disclosures—in other words, leaks from inside and hacks from outside a firm. These changes warn technophobes that they need to abandon their Luddite ways, because lawyers now have a duty to "keep abreast of changes in the law,... including the benefits and risks associated with relevant technology." In other words, claiming ignorance is simply not an excuse.

By putting the onus on lawyers, the ABA is acknowledging what those of us who study and track security breaches have been shouting from the rooftops for years: preventing security breaches is not just about technology; it’s about changing human behavior.  As the Wall Street Journal article makes clear, “the weakest link at law firms of any size are often their own employees.”

Other industries face similar problems.  For example, a recent article on data breaches in the health care industry suggests that the epidemic of breaches of confidential health care information has more to do with human error than it does with IT shortcomings. As Larry Clinton, president and CEO of the trade association Internet Security Alliance, succinctly points out, when it comes to data breaches, “[p]eople are the biggest problem.”  Consequently, Clinton predicts that breaches in hospitals and health care systems will only be prevented if these organizations approach these breaches as a “human-resource management issue and not an IT issue.” 

In other words, phones don’t just go around leaking information. Email accounts don’t shoot off confidential messages at random.  Computers are not really out to get us.  These technologies become weapons in the hands of adversaries because users didn’t take the necessary precautions to protect their data.   

Moreover, despite what people usually assume, taking these precautions doesn’t require having a master’s degree in computer science.  In many instances, all that’s called for is simple behavior modification coupled with a healthy dose of common sense:

  • Password protect your cell phone, tablet and laptop. 
  • Use different passwords for different devices and accounts, and make sure they are hack-proof. Programs like Kaspersky Password Manager can generate virtually hack-proof passwords and keep a running list of all your different passwords.  
  • Don’t use free Wi-Fi connections, since hackers rely on free Wi-Fi to eavesdrop on users’ conversations.  
  • Don’t click on links in text messages because doing so might activate malware that could log keystrokes or even record phone calls. 
  • Be suspicious of any emails from unknown senders that ask you to open attachments or click on links—these so-called Trojan emails will retrieve data from your computer. 
  • Invest in good computer security software, and for heaven’s sake, keep its settings updated and make sure to run checks on it on a regular basis.  Otherwise, it’s like investing in an expensive alarm system for your home but refusing to set it before you go out. 

The real key to security for cell phone communications, internet browsing and emailing is human behavior. Peace of mind will only come once people change how they act. For lawyers, that time may be sooner, rather than later.   

The Never-ending Story: Protecting Your Privacy Online

The news is out and it’s not good. In fact, it’s downright troubling.  It seems that every day, usually several times a day, there is more and more information available about the dangers of the Internet.  It’s enough to make a Luddite out of even the most devoted technophile.  Here’s a sampling of some of the latest updates on the lack of privacy on the Internet, and threats to personal and financial information:

  • Online Tracking is Worse Than We Thought: UC Berkeley Law School recently released its first ever Web Privacy Census, which was aimed at measuring how companies track visitors to their websites. The report confirmed that all the top 100 web sites use cookies to track users and visitors. If that’s not worrisome enough, the study also determined that the use of tracking software on users' computers has doubled in the past year. This is about more than tracking users anonymously to provide targeted advertising—like when you scroll a website for a grill and then you check your email and suddenly see ads for some of the same grills you clicked on from the sites you just visited.  Apparently, companies are just as likely to collect and use personal information in ways that may subject consumers to price discrimination, lowered credit scores and limits, and even identity theft.
  • Social Networking Can Be Dangerous: The FBI recently issued a new warning on social networking.  The FBI pointed out that hackers are not only threatening governments—they are also targeting individual users via social networks, exposing the users and their workplaces, if they are online in the office, to great harm.  Hackers either exploit personal connections through social networks or write and manipulate computer code to gain access and/or install unwanted software on personal or company computers or phones. 
  • Tweets and Facebook Posts May be Used Against You: The courts continue to weigh in on whether social networking may be used against users who post information on their personal sites.  While the judiciary’s responses vary on a case-by-case basis, so far the trend seems to be that posts on Facebook or tweets may be used as grounds for dismissals from jobs, or even against defendants in criminal or civil cases.

Politicians are paying attention.  Senators and Representatives have introduced a plethora of competing bills and held or plan to hold a number of hearings to discuss how best to protect Internet users.  A good summary of the most recent efforts can be found on the Data Privacy Monitor blog run by the law firm Baker Hostetler.  Issues being addressed include protections to safeguard users’ privacy, requiring greater transparency from companies about how they troll for information from users and what they use that data for, and clearer terms of use that allow consumers to easily opt out of having their time online tracked.  In addition, the National Telecommunications & Information Administration (NTIA) has announced its first meeting to develop a code of conduct in order to uncover how companies that provide apps for mobile devices deal with personal information.

Keeping up with all the changes is daunting, but as we’ve said before, in our entries "The Myth of Online Privacy" and "Fight Hackers With Encryption," there are simple steps you can take to protect yourself.  This article, “How to Keep Your Facebook Profile Private Yet Usable,” written by Dave Copeland details the best ways to protect yourself on Facebook, short of not signing up in the first place. Numerous software programs exist to block tracking data from being stored on your computers.  Creating a clear Internet use policy for your company and making sure your employees understand what is expected of them is also a good plan.

And, as always, doing the bare minimum is crucial: encrypting emails, only using secure Wi-Fi connections and avoiding some of the most common tricks used to activate malware that can log keystrokes or record phone calls.

None of these measures will provide complete protection, but they are good places to start to ensure that you and your company are being proactive about guarding against some of the dangers that lurk online. 

The Myth of Online Privacy

Cardozo Law School recently hosted a multi-disciplinary conference on privacy and the Internet, "Anonymity and Identity in the Information Age."  Lawyers, computer scientists and public health advocates wrestled with the challenges of protecting personal information at a time when so much data is easily obtainable online.  There were various tips and suggestions beyond merely mastering privacy settings on social media sites and avoiding public Wi-Fi hot spots when doing any online banking—although these are easy and important first steps.       

Recently there have also been a number of good articles inspired by the public acknowledgement that major Internet companies like Google have been less than forthright about their use and abuse of private information, as confirmed by the FCC’s decision to fine Google for its collection of private data during its Street View program.  The best ones, like "How to Muddy Your Tracks on the Internet" by Kate Murphy in the New York Times, are easy how-to guides for savvy Internet users interested in gaining control over their information.  Devoid of jargon, Murphy clearly details easy steps to take in the defense against online snooping. 

But however empowering it may feel to think we’ve finally mastered the privacy settings of the technologies we use every day, the truth of the matter is that despite all our best efforts, information can and will be leaked.  As computer science Professor Steven Bellovin of Columbia University explained at the Cardozo conference, you can protect your email correspondence from being cross-referenced with your browsing history if you avoid Google or Yahoo email accounts and instead set up your own mail server.  But your messages are still fair game to Google if you email someone with a Gmail account.  Or you can activate your browser’s privacy mode to help wipe clean your browsing history.  But this change will stop short of concealing your computer’s I.P. address, the unique identifier that distinguishes it from all other computers.  And as Murphy points out, deciding to take that extra step and mask your I.P. address means incurring additional costs and possibly severely compromising your Internet speed.

Or you may assume that because you’ve never posted your address or physical whereabouts on Facebook or Twitter that you’ve managed to conceal where you actually live.  But the minute you post a picture, the image’s metadata may pinpoint the coordinates of where you took the shot.  So if you snapped that picture of your new puppy at home, you might be giving out your exact location when you upload it to Facebook. 
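A check you can run on your own photo before posting it, as an added example that is not part of the original article: it reports whether a JPEG's EXIF block carries a GPS directory and returns a copy with the EXIF block removed. The function names and the stub JPEG are constructed for illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825  # EXIF tag in IFD0 that points at the GPS sub-directory
EXIF_HEADER = b"Exif\x00\x00"


def _segments(jpeg):
    """Yield (marker, start, end) for each JPEG segment before the image scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: compressed image data follows
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def has_gps(jpeg):
    """True if an EXIF APP1 segment's first directory contains a GPS pointer tag."""
    for marker, start, end in _segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != 0xE1 or not body.startswith(EXIF_HEADER):
            continue
        tiff = body[len(EXIF_HEADER):]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order of the EXIF data
        if order is None or len(tiff) < 8:
            return False
        (ifd0,) = struct.unpack_from(order + "I", tiff, 4)
        if ifd0 + 2 > len(tiff):
            return False
        (count,) = struct.unpack_from(order + "H", tiff, ifd0)
        for i in range(count):
            entry = ifd0 + 2 + 12 * i
            if entry + 12 > len(tiff):
                break
            (tag,) = struct.unpack_from(order + "H", tiff, entry)
            if tag == GPS_IFD_POINTER:
                return True
    return False


def strip_exif(jpeg):
    """Return the JPEG with every EXIF APP1 segment dropped; pixels are untouched."""
    out = bytearray(b"\xff\xd8")
    pos = 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]  # scan data and end-of-image marker
    return bytes(out)


def build_sample_jpeg(with_gps):
    """Constructed input: a stub JPEG whose EXIF block optionally has a GPS pointer."""
    entries = [(0x010F, 2, 4, b"Cam\x00")]  # Make = "Cam"
    if with_gps:
        entries.append((GPS_IFD_POINTER, 4, 1, struct.pack(">I", 0)))
    ifd = struct.pack(">H", len(entries))
    for tag, typ, cnt, val in entries:
        ifd += struct.pack(">HHI", tag, typ, cnt) + val
    ifd += b"\x00\x00\x00\x00"  # no further directories
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd
    app1 = EXIF_HEADER + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("GPS tags before:", has_gps(photo))
    print("GPS tags after: ", has_gps(strip_exif(photo)))
```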

And then of course there’s the likelihood that information will be leaked by plain old human error, yours or someone else’s. There are always cautionary tales about someone inadvertently sending an email “Reply All” when it clearly shouldn’t have been.  At the Cardozo conference one computer privacy expert sheepishly admitted to making this rookie mistake himself—a confession that inspired chuckles of recognition from far less computer-literate audience members. 

And the actions of others, even if they were acting innocently, may expose your personal information as well.  For instance, one of our clients asked us to track down the settlor of a trust whose whereabouts had long since been a mystery.  But his family was all over Facebook, constantly updating their information with details about their home life and travels.  Eventually, we were able to locate him through them. 

Or take for example the recent news story of the Italian mobster finally arrested after being on the run for nine years.  He didn’t make a mistake, but his girlfriend did.  Police had been monitoring the mobster’s pregnant girlfriend’s social media sites for information about his whereabouts.  They hit the jackpot when the girlfriend decided to use Facebook to share photographs of her growing belly with friends and family.  In one of the photographs she posed in front of a sign for a beach in the Costa del Sol town of Marbella.  Then she uploaded another shot of her outside a well-known Italian restaurant in Marbella.  Soon after she sent the mobster an email predicting that she was going to go into labor sometime soon—an email that, unbeknownst to her, the police were monitoring.  Sure enough, the police apprehended the mobster when he arrived in Marbella shortly thereafter. 

So, despite the feelings of invincibility and invisibility that the Internet seems to inspire, the truth of the matter is that complete privacy or anonymity online is impossible.  

Talk Isn't Cheap Even When Offline

A quick reflection on the executive at Allstate, who according to the Wall Street Journal lost his job in part because of profanity-laced comments about a superior to colleagues in a bar.

How did the Journal get the story? Not by crawling around blogs, not by looking at the executive’s Facebook page, but by old-fashioned interviewing.

As we’ve pointed out here and here, very little of our lives sits out there on the Internet. How many of your ex-colleagues, friends, romantic partners, apartments, cars and other possessions are linked to you via Google? Fewer than one or two percent in most cases.

To find out about people, you nearly always have to talk to others about them. That’s what the newspaper did in this case: they talked to people who the paper said had either heard the comments by the executive, Joseph Lacher, or else people familiar with the company’s internal investigation.

No Facebook, no LinkedIn, no blogging, no emails accidentally sent to the wrong person.

It’s an investigation that could have taken place just this way 20, 40, or even 80 years ago. And as we often tell clients, it’s an indispensable part of investigations today too.

Of course, a lot of what you may hear could turn out to be gossip. But being gossip doesn't always mean something isn't true. It can also mean that it's factual information someone doesn't want you to know about. 

 

 

Flashback: Can you get me someone's phone records? Hell no!

Following is an entry from our firm's website originally published in September 2009 and, we think, timely.

Plenty of people - even sophisticated lawyers - sometimes ask us in the course of an investigation: “Can you get me his phone or medical records?”

The answer for anyone interested in staying out of jail is no. If you’re interested in hiring a firm that plays fast and loose with the rules, just remember that you could be held liable for the actions of your agents.

Medical records have been strictly off limits under federal law since 1996 under HIPAA, and there are state laws that may also restrict information flow.

As for phone records, despite all those ads on the Internet featuring companies that can get you someone’s cell phone records, you might want to ask them how they’re doing it before you hand over your money. Investigators used to love to pretend to be someone else when they called up a phone company and requested a duplicate copy of their cell phone bill.  But since 2007, that’s against federal law too.

Put simply, you should stay clear of any investigator who uses pretexting – impersonating someone else – to obtain information. If an investigator seems vague about how he’s getting his information, back away. Nothing he’s doing for you is rocket science and it should all be easily explainable. 

Fight Hackers with Encryption

With all the focus on tech IPOs that reward gaming and chatting, it’s nice to see a company dedicated to privacy getting a little bit of venture cash behind it. With just $1.5 million raised so far, CertiVox is still a tech minnow, but its idea is a solid one: people need to be able to trust that some privacy online is still a possibility.

Remember all that spam e-mail for male enhancement and mysterious lottery winnings? Most people have become wise to the classic spam or phishing schemes, and hackers have stepped up their game. The new tactics are spear-phishing (researching and targeting specific users) and whale-phishing (targeting executives who have access to the most information).

One way this works is for hackers to research their target in the social network, pick one of the target’s “friends” and set up an e-mail account that looks like it belongs to the friend. The target won’t think twice about clicking on the malicious link that comes in from their friend. With this tactic, some hackers seek simply to create mischief; others are targeting corporations.

Recently we wrote about a particularly worrying study on corporate security breaches – think Sony, Lockheed Martin and Citigroup. The data shows that the problem lies largely with employees’ mobile devices and the completely unencrypted transfer of information. People are using Facebook, sending e-mails and clicking on links, all of which results in a public transfer of information that can be intercepted. Hackers bet on our complacency and “that’s just how the internet works” attitude and win every day.

Now comes CertiVox, whose goal is to provide government-grade encryption to corporations and your web browser. Their new (and free) PrivateSky plug-in allows you to encrypt what you do online and show it only to those for whom it’s intended. Your e-mail is no longer an open postcard and your Facebook rants stay private. For corporations, there are more robust solutions for the entire network.

A concern here is that a good encryption product, one that does not allow the product’s creator to see the message, could fall into the hands of criminals. Governments can crack highly sophisticated encryption programs, but at what cost in time and money? If CertiVox gets big enough, will it have to cough up its code to government authorities in order to keep going, as Research in Motion did in India?

While we don’t vouch for CertiVox’s reliability or competitiveness, it’s certainly a step in the right direction that such a company is able to raise cash to keep itself going.

(Photo Credit: Sasha Wolff) 

Security Breaches in U.S. Companies "Almost a Statistical Certainty"

If 90% of U.S. companies are falling victim to computer hackers, according to a new Ponemon Institute study, is it that the companies are woefully unprepared or are the hackers particularly smart? Looks like this one is on the companies.

A research center dedicated to privacy and data protection, Ponemon looked at 583 U.S. companies and concluded that data breaches are “almost a statistical certainty.”

Most companies say there’s little they can do about it. That includes big names such as security firm RSA, Lockheed Martin, Oak Ridge National Laboratories and the International Monetary Fund.  Tech departments blame financial resources and complexity of networks as top reasons for breaches. Nearly two-thirds of the attacks resulted in losses anywhere from $250,000 to $2.5 million.

But dig deeper and the numbers tell a story about risk that could be better managed.  Most companies are already running a firewall on their network and have anti-virus and anti-malware installed in their employees’ computers.  The problem is, the study found that 63% of breaches occurred from unsecured employee devices – laptops and mobile phones.  The vast majority of threats originate from website and social media malware and malicious software downloads.

Either the companies’ anti-virus software is outdated, or employees allow themselves to be too liberal with what they download.

This therefore looks like a training problem. Employees, and not just the IT department, should be aware of how to start lessening the risk.

  • If attacks are coming in from laptops and mobile devices (smartphones, tablets, etc.), it’s time to implement a new policy on how employees connect to the network or enterprise systems when out of the office.  The days of living one’s personal life on a company-owned device may have to come to an end.
  • Only 30% of companies report the use of encryption, while citing theft of information assets as their top concern. An encryption policy seems like a no-brainer. Data theft is a lot easier to tolerate when to the thieves it appears as a meaningless mishmash that would take sophisticated computers days or weeks to decrypt. The thing about encryption, though, is that you have to use it. If it’s turned off or if your password is your birthday or the name of your dog, it won’t help you.

Why You Should Encrypt Your Data Now

A chilling story in the Wall Street Journal’s Digits Blog yesterday told us that LinkedIn, Netflix and Foursquare “stored various forms of users’ personal data in plain text on a mobile device, putting sensitive information at risk to computer criminals.”

As if to confirm worst-case scenarios, Citibank then revealed that hackers have accessed the accounts of some 200,000 credit card customers in North America.

Even with a rash of data breaches, encryption is the part of computer security we tend to forget about. We know increasingly that social networking can let too many strangers into our lives and that we should think twice before entrusting anyone with sensitive financial information.

But how many of us encrypt data on our computers? It’s so easy to do, and I would argue that it should become best practice for professionals everywhere. Our firm does it, so that if our computers were ever stolen thieves would find nothing but encrypted garbage where case files should be. We like the free, open-source TrueCrypt program, available here. Other alternatives are available but at a cost.

But what about email? There is plenty of evidence that a deleted email can stick around in many forms on your computer or server even after you hit “delete,” but few think about the dozen servers between your office and the server of the person receiving your email. Both you and the recipient can do whatever you want, but your unencrypted email may be stuck (for years or decades) on multiple servers in multiple countries, all ready to be hacked.

While it’s true that hackers with enough patience and computing power can break many encryption codes, the idea is to raise the cost for criminals even to try.  If you encrypt just the tiny portion of your emails carrying sensitive financial information, you direct a hacker right to your most vulnerable material. If you encrypt thousands of emails, a hacker will give up after working for hours to unveil messages that say “Happy Birthday!” or “Tks, will do.”

Yesterday the U.S. Commerce Department issued its green paper on cybersecurity, but stopped short of recommending encryption of emails. It strikes us that for certain highly sensitive matters encryption of email is worth the trouble. There can be problems with forwarding, and in many cases it makes sense for both sides to have an encryption program. Otherwise, you need to keep the same string of messages going for a non-licensee to benefit from the encryption-licensee’s program.

At the very least, we should all make sure our email accounts have their own passwords. That way if someone looks at your desktop computer at work, your Microsoft Outlook can at least stay locked. Password protection for Outlook can be arranged by setting a password for your Personal Folders File (.pst) within Outlook. You can do this on the File menu under Data File Management.  

iCloud - Darker Than Expected

Imagine this: You have an iPhone, iPad and Mac computer. You use all three devices mostly for personal home use, but you also receive work e-mail on them. Medical records, tax returns, and other confidential information go on these devices. They all sync amongst themselves and you’ve just started using Apple’s new server farm, iCloud. The system sends files into storage automatically over your wireless signal once a day and all your private data ends up on Apple’s new cloud. There’s no assurance that all these personal files cannot be intercepted, but Apple promises to keep them under secure lock and key. 

News from Apple’s Worldwide Developers Conference is flooding the web today. Our call regarding iCloud was on the mark, but today’s formal announcement brings several serious worries into even sharper perspective. iCloud is designed not only for sharing music, videos and photos, but also for storing your e-mail and personal calendar. And the system does this with all of your Apple devices, wirelessly, while running in the background. 

No need to hit “send.” Apple will just grab your information and store it for you.

As Steve Jobs said regarding iCloud: “We think this is going to be pretty big,” and we wholeheartedly agree with him. It’s just that big in this case is not better. 

Dark iClouds

We now know that Apple will use next week's Worldwide Developers Conference to unveil iCloud, its new cloud storage product. Apple’s first attempt at cloud storage, MobileMe, was such a failure that Steve Jobs publicly tore into the Apple team for tarnishing the company’s reputation.

It looks like the 2.0 version will probably be getting it right and customers will now be able to share their documents, movies, music and photos from the Apple "cloud" (and by cloud, we mean Apple-owned servers on the ground in fire-proof rooms). Most of Apple's customers will use the company's products without thinking twice about the sensitivity of the information they are handing over.

That’s a lot of trust that could be misplaced. The risk for any form of cloud computing is that you no longer have exclusive access to your files. Cloud storage by Apple and others sounds economical in terms of hard-drive space saved at your office and used more efficiently by Apple, but cloud computing creates vast opportunities for theft of private information and, as we’ve written before here, there’s no proof that Apple will be able to protect yours. 

For now, speculation has it that iCloud will be used mostly for sharing movies, music and photos. But the plan is also to integrate it into the upcoming iPad and iPhone software iOS 5, creating an operating system that will be able to communicate with the Apple cloud with or without your approval. A further concern is that the very popular apps that define Apple’s devices could be able to transmit information over the new cloud-based system. 

Simply put, your files and information, including location and other personal data, are going to be somewhere in cyberspace, where they stand a chance of being intercepted. Or Apple could just have unlimited access to them. 

This type of information interception has the U.S. Senate taking first steps in formally drafting laws that aim to further protect personal data. In mid-April, Senators John Kerry and John McCain offered a privacy bill that would “strike a balance between consumer advocacy groups and the [tech] industry.” Now that Apple is introducing iCloud to its enormous following, the Senate’s discussion on adequate regulation could not be coming at a better time.

Although the Kerry/McCain bill is a step in the right direction, a solution from lawmakers will probably take more time than is required for companies, such as Apple, to roll out new products and gather large quantities of sensitive information. 

Is Apple Changing Its Story on User Tracking?

Two weeks ago, Apple and Google were called to answer growing concerns over privacy practices before Senate lawmakers. Today, executives from both companies responded to questions in a Senate hearing, but did little to alleviate our fears of user tracking.

The tracking of smartphones and their users’ activities is a scary thought. We know that certain websites use invasive tracking cookies to store user behavior. With smartphones it’s worse. They can do the same thing, but you can’t hide behind an ambiguous IP address – your phone identifies exactly who you are, every time. For example, an iPhone app that uses the device’s GPS feature stores (and probably transmits without your knowledge) any locations you visit – your home, the office, restaurants, your child’s school.

On April 25th, Minnesota Democrat Al Franken, chairman of a new Senate Judiciary subcommittee focused on technology and privacy issues, wrote to Apple’s Steve Jobs. He asked, “why Apple is collecting the data, how it is generated, why it's not encrypted, and why Apple customers were never affirmatively informed of the collection and retention of their location data.”

At today’s hearing, Apple responded with this: “Apple is deeply committed to protecting the privacy of all our customers,” and said that the company plans to decrease how much personal location information is stored. Later in the day, Apple stated that the collection resulted from a "bug" that was fixed last week and that it has never recorded users' location data. Whether or not Apple is changing its story remains unclear, but the potential for such tracking is already in place. Perhaps Apple does not track users, but it has been found that plenty of popular apps in its store do.  

Aside from promises to stop recording user data, nothing has been done to conclusively address the future of tracking practices, despite Apple's fixing of a mysterious "bug" and continued monitoring of apps in its App Store, according to the Wall Street Journal. Apple does not currently require apps to display privacy policies and developers of third-party software are free to do what they like with our data. This is a serious privacy issue, one that may be news to most users, and, as Franken further states, “our federal laws do far too little to protect this information.” 

The Silence of the Communicators

Apple, Google and Amazon are in the communications business, but their leaders all need to take some courses at Hamburger University to learn how to communicate with their customers.

Any trial lawyer or investigator will tell you that WHEN something happens can be at least as important as the event itself.

Take the responses to three of the largest news stories of the past week:

1) The revelation that iPhones and Droids transmit the location of the phones back to phone makers Apple and Google several times a day;

2) The partial breakdown of the Amazon “cloud” of servers that house prominent websites across the country. A whole bunch of websites were down for a prolonged time;

3) The savage beating by two women of a third woman in a Baltimore McDonald’s caught on tape and widely viewed across the U.S.

ReadWriteWeb’s initial review of Amazon was not good. A little bit of updating as the crash wore on, but nothing an ordinary person could look at and understand.

And days after the Wall Street Journal reported that Apple and Google were regularly collecting data as to the location of the owners of their handsets, Apple remains mute. Google defended its policy, but on its website there was nothing that an ordinary customer could easily find to read that would give comfort. Readers of the Journal were told that Google’s advice was to perform a “factory reset” to ensure the kind of privacy many may have thought they already had with a Droid phone.

This locational data that Apple and Google have access to is valuable. The stuff scientists can figure out about us based on where we are is astounding, and frightening if that information were to be used against us.

Contrast this corporate pattern of behavior with the episode revealed over the weekend when two women were caught on tape giving a severe beating to a woman at a McDonald’s restaurant in Baltimore. The revolting footage was made worse by the inactivity of bystanders who chose not to come to the aid of the beaten woman.

How easy was it to see what McDonald’s thought of this? Very. Right on the website’s media center was a prominent statement that the company was shocked at the incident and would investigate. You typed mcdonalds.com, and two clicks away you were at the statement.

Marketing experts will tell you that if you don’t have an “elevator speech” ready to go about your business (a 30-second answer to the question “What does your company do?”) then you’re not ready for primetime. In this case, Apple, Google and Amazon didn’t have elevator speeches ready to go.

Not having an elevator speech can mean one of two things: you’re unprepared for the question, or worse yet, you have no clear idea of what you think (or what you think it’s safe to say).

Here is where timelines are so important. If McDonald’s had waited a month to express outrage at this incident, the timing would have overtaken the content in importance. We might think McDonald’s was not really annoyed at the beating, but was responding in a way that a lawyer or consultant advised was prudent. That could still be the case, but the quick response by McDonald’s could also mean that it truly is incensed that its franchised restaurant staff failed to rescue the helpless victim of a beating.

What about Apple’s timeline? Whatever Apple ends up saying about the tracking features of the iPhone, how good will we feel about all the information Apple has on us when the company can’t even comment on one of the most discussed stories in the world, a story in which it is at the center?

For Apple, Google, and Amazon, the time for the elevator speech has passed. The doors have closed and we - the customers - will need to be reached in a different way. 

RFID Tags - The Invisible Threat

While the U.S. Supreme Court is deciding whether it’s lawful to covertly track a suspected felon through warrantless GPS monitoring (see April 15, 2011 petition here), the European Commission is tackling a more powerful, already implemented technology that could potentially threaten everyone’s privacy if left unregulated.

Ever heard of the “Internet of Things?” The term was coined by the Radio Frequency Identification (RFID) community 10 years ago and refers to sensors that can read physical, environmental changes and report them back over the internet. (RFID technology uses radio waves to identify data from an electronic tag and has commonly been used by businesses for inventory management and logistics.)

The Internet of Things is a collection of sensors that are “readable, recognizable, locatable, addressable and/or controllable via the Internet.” Imagine these as sensors of any kind with the ability to monitor any type of action, including radiation detection.

The good news about having lots of sensors spread around: The recent devastating earthquakes and tsunami in Japan prompted a need for immediate region-wide radiation detection. During what has emerged in the last few weeks as a nuclear accident ranked as seriously as Chernobyl, the internet of things played its part in monitoring and reporting back over IP (Internet Protocol) the radiation levels in real-time to news sources, rescue and aid organizations, and the brave cleanup crews. Hundreds of radiation sensors, very much like weather sensors, were already in place – strategically positioned around the country for an event just like this disaster.

Sensors, like the ones used to monitor radiation in Japan, can all be operated remotely and businesses are beginning to use them in remarkable ways. One company allows food suppliers to trace their goods along the supply chain, allowing their customers to see where the food came from. Another lets farmers monitor the health and vitals of their livestock through sensors planted in an animal’s ear. And the technology is not reserved only for businesses, thanks to a company making recent waves in the news called Pachube.  

Now anyone can use the system to link a sensor, and have the Pachube computer control a setting. For instance, one developer uses a temperature sensor in his office and has Pachube automatically turn on the fan for him. Pachube’s sensor data is available to anyone in real-time, and the service is free. It’s clear that these “smart systems” are allowing businesses to improve their services and better allocate their resources, but they could also be used for more sinister purposes.

But if we let our imagination run a little, we start to see a potential problem for privacy.

Envision walking by a remotely operated sensor, monitored over a service like Pachube, as all of your clothes and your electronic devices contain RFID tags. The sensor reports your exact preferences and the receiving party – the manufacturer, for instance – has your credit card information on file. The sensor now knows exactly who you are from the RFID tags. This is where the implications and dangers of this kind of technology really begin to run rampant and why many countries are already ahead of the game in preparing regulation.

The European Commission, along with supply chain standards organization GS1 and the European Network and Information Security Agency (ENISA), is working in partnership on implementing guidelines for all companies in Europe using RFID technology in order to address the issue of data protection. Miguel Lopera, GS1’s CEO, stated that the partnership is working so that “no personal data is actually present on a tag.” Is it then up to the individual companies to protect the purchaser’s information in some sort of gentleman’s agreement?

Sensors like the ones used to transmit radiation data in Japan are undeniably important during a crisis. If left unchecked, this technology, along with Pachube’s efforts to “democratize the sensor,” could allow anyone to set up a sensor and secretly monitor what it is reading.

I don’t know about you, but that idea scares me.

The Right to Privacy on the Web

What is the right level of privacy we are entitled to expect on the web? The answer is expanding and contracting by the day, but not only because legislators in Europe are attacking cookies and newspaper stories, or because people are figuring out that “free” Facebook comes with a cost and are starting to pay attention to their privacy settings.

The very notion of what is supposed to be private and what isn’t is surprisingly subject to change across borders and even within countries over short periods of time. The right to privacy sounds good, but means nothing until you know what’s supposed to be off-limits.

Take your salary. How much you make at work is nobody’s business and the IRS can’t even share your information with other government agencies. Except that, as pointed out by Taxhistory.org, Congress has twice allowed the public to look at tax records – once during the Civil War, and then again for two years in the 1920s.

That would be unthinkable for many today, but why should it be? If you don’t want people to know how much money you have, why should they be able to look at a copy of the deed and mortgage for your house, to see that you paid $2.5 million and financed almost all of it? That’s standard procedure in the U.S. (and by the way is a great way to figure out what someone’s side company in Delaware is called: people often buy a house and then sell it to their new company).

Now skip on over to Norway, where everyone’s income tax records are a matter of public information. You can look them up here. Norwegians value their privacy, but just don’t define privacy as including the amount of money they earn.

Looking up old newspaper stories is a research tool many of us have enjoyed using for years. If you think a newspaper got it wrong, you have libel laws and can get the paper to run a correction. But now with Google comes a newly sought “right to be forgotten.” The Spanish Data Protection Authority is taking the side of a doctor who’s grown tired of seeing an old El Pais newspaper article about his alleged malpractice sticking around on the web all these years.

Of course, taking something off Google doesn’t mean it will be forgotten. In the dark days before Google – prior to 1998 – we could still find out plenty of things about people’s pasts. This involved reading old newspaper articles and looking at courthouse records to see who had sued them, and then talking to relevant people to figure out what might have happened.

Since that’s what we do today in addition to looking at Google, the right to be forgotten is really just the right to kick bad stuff off Google.

Unless the right to be forgotten is just a first wedge toward real advances in privacy that cross the line into what many of us would call censorship. Would privacy advocates want the El Pais archives closed to the public? What about court records? We shred old traffic violations in many U.S. states after two years, but what if some of Bernard Madoff’s underlings were able to serve their time, get out of jail and have their court records and newspaper coverage made off-limits to new investors?

This is where Google’s global privacy counsel Peter Fleischer is going on his personal blog:

Privacy is the new black in censorship fashions. It used to be that people would invoke libel or defamation to justify censorship about things that hurt their reputations. But invoking libel or defamation requires that the speech not be true. Privacy is far more elastic, because privacy claims can be made on speech that is true.

No fewer than seven pieces of privacy-related legislation have either been introduced in the U.S. House or soon will be, says Bob Sullivan in a thoughtful privacy column at MSNBC.com.

Given that privacy can mean so many things to so many people, there may be a lot more heated debate over the contents – not to mention legal challenges – than is happening in Europe today.