Archive for the ‘eDiscovery’ Category

Crashing the Third Party: Experts Weigh How Far the Government/Opposing Parties Can Go in Reading Your Email & Documents in the Cloud

August 16, 2012

This article Crashing the Third Party: Experts Weigh How Far the Government Can Go in Reading Your Email – Magazine – ABA Journal discusses whether one loses confidentially when sending documents via email, and by extension, when one stores documents in the cloud. This can be compared/contrasted with previous rulings on the expectation of privacy in bank records and phone numbers dialed. This is a area of increasing concern for both lawyers and their clients. Because the rights are no longer clearly defined and are being impacted by changes in technology, it is only by the retroactive application of rulings to the situations that the current expectations of privacy become clear. I think this is a topic that deserves more attention and I intend to share thoughts on it going forward.

It is also important to note that this issue is not limited to the Government, but raises the question in the civil litigation of whether the attorney/client privilege is breached by sharing confidential documents in the cloud or via email. Is email entitled to the same protections as paper mail sent through the post office? Should only the “envelope” data be considered exposed, or if the ISP or email provider scans the actual attachments for spam or viruses, has that caused a breach of confidentiality and hence a loss of the privilege?


e-discovery – Judge saves party from overwhemling document review

December 22, 2011

This ruling in I-Med Pharma, Inc. v. Biomatrix Inc shows why attorney’s need to continue to expand their knowledge about e-discovery:

A federal judge in a contract case has excused compliance with a discovery agreement that would have required the plaintiff to produce an estimated 65 million documents, finding it would cost too much to screen them for privilege.

“This case highlights the dangers of carelessness and inattention in e-discovery,” District Judge Dickinson Debevoise wrote in a Dec. 9 ruling. “While Plaintiff should have known better than to agree to the search terms used here, the interests of justice and basic fairness are little served by forcing Plaintiff to undertake an enormously expensive privilege review of material that is unlikely to contain non-duplicative evidence.

Without the effort and understanding of the judge in this case, the plaintiff would have been overwhelmed by the costs of complying with the e-discovery agreement.

Hat tip to Above the Law.

Warning – Dropbox files may NOT be encrypted from viewing by Dropbox or its employees

May 18, 2011

There are many articles encouraging attorney’s to use Dropbox to share files with others or with themselves. Often it is suggested a great way to get files between a work computer and a laptop or iPad.  However, this is first time I have seen a claim that the files are not securely encrypted and that they can be viewed by Dropbox employees and subject to subpoena.   Please review the below information and take appropriate steps to protect the confidentiality of your client’s data.  I am sure we will hear more about in the days to come.

Christopher Soghoian, a security researcher has published the following information at  How Dropbox sacrifices user privacy for cost savings:

Dropbox, the popular cloud based backup service deduplicates the files that its users have stored online. This means that if two different users store the same file in their respective accounts, Dropbox will only actually store a single copy of the file on its servers.

The service tells users that it “uses the same secure methods as banks and the military to send and store your data” and that “[a]ll files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” However, the company does in fact have access to the unencrypted data (if it didn’t, it wouldn’t be able to detect duplicate data across different accounts).

This bandwidth and disk storage design tweak creates an easily observable side channelthrough which a single bit of data (whether any particular file is already stored by one or more users) can be observed.

If you value your privacy or are worried about what might happen if Dropbox were compelled by a court order to disclose which of its users have stored a particular file, you should encrypt your data yourself with a tool like truecrypt or switch to one of several cloud based backup services that encrypt data with a key only known to the user.

The issue is also discussed in this Infoworld article, Dropbox caught with its finger in the cloud cookie jar  and for me the most interesting part of the article was this:

On April 12, the Dropbox help site said:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)… All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.

Starting on or before April 14, Dropbox changed that help page, and changed it again on April 23, so it now says:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata… we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances… All files stored on Dropbox servers are encrypted (AES-256)

A little different, eh?

Dropbox followed up on April 21, discussing employee access to encrypted data, and explaining changes to its Terms of Service Agreement, including this new TOS provision:

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights.

So Dropbox appears to be clearly stating they have access to your data and have the right to disclose it as they believe necessary.

Once again, the security of cloud computing for attorneys is brought into question.

Time Warner Ordered to Hand Over IDs in Illegal Downloading Suit

March 31, 2011

From the Blog of Legal Times:

A Washington federal judge has ordered Time Warner to identify several hundred subscribers accused of illegally downloading movies, over the cable giant’s protests that the request is unfairly expensive and time-consuming.

U.S. District Court Judge Beryl Howell, in an opinion (PDF)issued yesterday, struck down Time Warner’s motion to quash the subpoenas for subscriber information in two of the three cases pending before the court, meaning Time Warner will have to come up with the identities of about 250 subscribers.

Now that this has been granted, it will be interesting to see if Time Warner contacts their subscribers and notifies them to give them the opportunity to file objections, before their information is handed over. As they are not currently parties to the case as this time, this creates additional complications for anyone wishing to try and protect their identity.

Sony gains access to Geohot’s Paypal records in “hacking” case.

March 18, 2011

David Kravets from Wired reports:

A federal magistrate said Sony may subpoena the PayPal account of PlayStation 3 hacker George Hotz, as the gamemaker ratchets up its civil lawsuit against the man who released the first full-fledged PS3 jailbreak in the console’s four-year history.

Tuesday’s order came two weeks after Magistrate Joseph Spero in San Francisco granted Sony the right to acquire the internet IP addresses of anybody who had visited Hotz’s website from January of 2009 onward. Sony has also won subpoenas for data from YouTube and Google, as well as Twitter account data linked to Hotz, who goes by the handle GeoHot.

Respected for his iPhone hacks and now the PlayStation 3 jailbreak, the 21-year-old New Jersey man is accused of breaching the Digital Millennium Copyright Act and other laws after his website published an encryption key and software tools that allow PlayStation owners to gain complete control of their consoles from the firmware on up. Hotz has complied with a court order and removed the hack.

The latest development allows the Japanese console maker to acquire “documents sufficientto identify the source of funds (.pdf) in California that went into any PayPal account associated with for the period of January 1, 2009, to February 1, 2011,” Spero ruled.

The information sought is part of a jurisdictional argument over whether Sony must sue Hotz in his home state of New Jersey rather than in San Francisco, where Sony would prefer.


It will be interesting to see if PayPal simply complies or whether it seeks a protective order from the court. Additionally the bigger question may be, whether those people who made payment to Hotz have standing to object before their information is released?

Lawyers Suing Over Suspect’s Shooting Death Seek Facebook Information for 57 Officers

March 5, 2011

Continuing to follow the news of social media and its discovery potential in a legal dispute bring us to the post linked below:

An Albuquerque, N.M., policeman who listed his job description as “human waste disposal” on Facebook has caught the attention of lawyers who filed a wrongful death suit against the city for a police shooting in January 2010. The lawyers are asking the city to provide Facebook usernames and passwords of 57 police officers who were at the scene after a police detective shot and killed Iraq war veteran Kenneth Ellis, according to the Albuquerque Journal (sub. req.) and Lawyer Joe Kennedy alleged in an interview with KOAT that officers called to the shooting scene were eating pizza and applauding the fatal shooting of a man they wrongly believed to be a gangbanger. Co-counsel Frances Crockett told the Albuquerque Journal that the officers were likely more candid on Facebook than they would be in a deposition or internal investigation. The officer who listed his job…

via Lawyers Suing Over Suspect’s Shooting Death Seek Facebook Information for 57 Officers – News – ABA Journal.


Online Commenters Who Targeted CEO Must Be Identified, Judge Rules

March 3, 2011

More on the potential implication of commenting publicly on internet postings:


An Indianapolis judge has ruled the state’s shield law does not bar the release of identifying information about online commenters in a defamation lawsuit. The ruling by Judge S.K. Reid of Marion Superior Court requires the Indianapolis Star and the Indianapolis Business Journal to release information about anonymous posters, the Indianapolis Star reports. The judge was set to decide this week whether a third outlet, WRTV, must release the information. The defamation suit filed by Jeffrey Miller, former chief executive of Junior Achievement of Central Indiana, targets online statements that allege, among other things, that he “most likely” committed a criminal act and is “the most greedy man I’ve ever known,” the Indianapolis Star reports in a separate story. The Star quotes David Hudson, an ABA Journal freelance writer and a scholar with the First Amendment Center in Nashville. He said the public should…

via Online Commenters Who Targeted CEO Must Be Identified,

%d bloggers like this: