Archive for the ‘Privacy’ Category

Crashing the Third Party: Experts Weigh How Far the Government/Opposing Parties Can Go in Reading Your Email & Documents in the Cloud

August 16, 2012

This article Crashing the Third Party: Experts Weigh How Far the Government Can Go in Reading Your Email – Magazine – ABA Journal discusses whether one loses confidentially when sending documents via email, and by extension, when one stores documents in the cloud. This can be compared/contrasted with previous rulings on the expectation of privacy in bank records and phone numbers dialed. This is a area of increasing concern for both lawyers and their clients. Because the rights are no longer clearly defined and are being impacted by changes in technology, it is only by the retroactive application of rulings to the situations that the current expectations of privacy become clear. I think this is a topic that deserves more attention and I intend to share thoughts on it going forward.

It is also important to note that this issue is not limited to the Government, but raises the question in the civil litigation of whether the attorney/client privilege is breached by sharing confidential documents in the cloud or via email. Is email entitled to the same protections as paper mail sent through the post office? Should only the “envelope” data be considered exposed, or if the ISP or email provider scans the actual attachments for spam or viruses, has that caused a breach of confidentiality and hence a loss of the privilege?

Advertisements

Warning – Dropbox files may NOT be encrypted from viewing by Dropbox or its employees

May 18, 2011

There are many articles encouraging attorney’s to use Dropbox to share files with others or with themselves. Often it is suggested a great way to get files between a work computer and a laptop or iPad.  However, this is first time I have seen a claim that the files are not securely encrypted and that they can be viewed by Dropbox employees and subject to subpoena.   Please review the below information and take appropriate steps to protect the confidentiality of your client’s data.  I am sure we will hear more about in the days to come.

Christopher Soghoian, a security researcher has published the following information at  How Dropbox sacrifices user privacy for cost savings:

Dropbox, the popular cloud based backup service deduplicates the files that its users have stored online. This means that if two different users store the same file in their respective accounts, Dropbox will only actually store a single copy of the file on its servers.

The service tells users that it “uses the same secure methods as banks and the military to send and store your data” and that “[a]ll files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” However, the company does in fact have access to the unencrypted data (if it didn’t, it wouldn’t be able to detect duplicate data across different accounts).

This bandwidth and disk storage design tweak creates an easily observable side channelthrough which a single bit of data (whether any particular file is already stored by one or more users) can be observed.

If you value your privacy or are worried about what might happen if Dropbox were compelled by a court order to disclose which of its users have stored a particular file, you should encrypt your data yourself with a tool like truecrypt or switch to one of several cloud based backup services that encrypt data with a key only known to the user.

The issue is also discussed in this Infoworld article, Dropbox caught with its finger in the cloud cookie jar  and for me the most interesting part of the article was this:

On April 12, the Dropbox help site said:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)… All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.

Starting on or before April 14, Dropbox changed that help page, and changed it again on April 23, so it now says:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata… we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances… All files stored on Dropbox servers are encrypted (AES-256)

A little different, eh?

Dropbox followed up on April 21, discussing employee access to encrypted data, and explaining changes to its Terms of Service Agreement, including this new TOS provision:

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights.

So Dropbox appears to be clearly stating they have access to your data and have the right to disclose it as they believe necessary.

Once again, the security of cloud computing for attorneys is brought into question.

Principal Surprises Students by Showing Their Social Media Shots at Assembly

April 12, 2011

High school students in Old Saybrook, Conn., were not happy when their various Facebook photos and status updates were displayed at a freshman school assembly. But administrators say the presentation was meant to teach students a lesson about Internet safety, specifically privacy settings. Many students were upset that the school didn’t ask for permission before showing their information, which a school resource counselor pulled from Twitter and Tumblr. “I just think it’s a violation of privacy,” a junior at the school told the New Haven Register. Oliver Barton, principal of Old Saybrook High School, said that the assembly was meant to show students how public their tweets, online profiles and photos are if their privacy settings aren’t strict enough. He didn’t think the pictures shown would embarrass anyone, he told the paper, and the pictures in question were publicly accessible. About 20 photos were assembled by…

via High School’s Internet Safety Lesson Riles Students Upset That Info Was Shared at Assembly – News – ABA Journal.

Camera Scans of Car Plates Are Reshaping Police Inquiries

April 12, 2011

From the NY Times: License plate readers, once used primarily in counterterrorism, have been transforming how the Police Department conducts traditional investigations. 

“We knew going into it that they would have other obvious benefits,” Paul J. Browne, the Police Department’s chief spokesman. said about the use of the readers in the initiative. “Obviously, conventional crime is far more common than terrorism, so it is not surprising that they would have benefits, more frequently, in conventional crime fighting than in terrorism.”

——–

It will be interesting to follow the privacy implications of this. Is this any different that what an officer can observe standing in the same location as the camera with the naked eye?  The article goes on to list several car thefts and other crimes where the perpetrator was caught through the use of this technology.  As the number of people in our cities increases and budgetary pressures force law enforcement to do more with less, I think the use of technology will expand to fill the gap. Long gone are the days where the local officer knew everyone on his beat.

But  perhaps the more interesting question, is what access can people other than law enforcement get to the database of information?  Can it be subpoenaed for use in a divorce case, say to track someone’s coming and goings?

Time Warner Ordered to Hand Over IDs in Illegal Downloading Suit

March 31, 2011

From the Blog of Legal Times:

A Washington federal judge has ordered Time Warner to identify several hundred subscribers accused of illegally downloading movies, over the cable giant’s protests that the request is unfairly expensive and time-consuming.

U.S. District Court Judge Beryl Howell, in an opinion (PDF)issued yesterday, struck down Time Warner’s motion to quash the subpoenas for subscriber information in two of the three cases pending before the court, meaning Time Warner will have to come up with the identities of about 250 subscribers.

Now that this has been granted, it will be interesting to see if Time Warner contacts their subscribers and notifies them to give them the opportunity to file objections, before their information is handed over. As they are not currently parties to the case as this time, this creates additional complications for anyone wishing to try and protect their identity.

Sony gains access to Geohot’s Paypal records in “hacking” case.

March 18, 2011

David Kravets from Wired reports:

A federal magistrate said Sony may subpoena the PayPal account of PlayStation 3 hacker George Hotz, as the gamemaker ratchets up its civil lawsuit against the man who released the first full-fledged PS3 jailbreak in the console’s four-year history.

Tuesday’s order came two weeks after Magistrate Joseph Spero in San Francisco granted Sony the right to acquire the internet IP addresses of anybody who had visited Hotz’s website from January of 2009 onward. Sony has also won subpoenas for data from YouTube and Google, as well as Twitter account data linked to Hotz, who goes by the handle GeoHot.

Respected for his iPhone hacks and now the PlayStation 3 jailbreak, the 21-year-old New Jersey man is accused of breaching the Digital Millennium Copyright Act and other laws after his website published an encryption key and software tools that allow PlayStation owners to gain complete control of their consoles from the firmware on up. Hotz has complied with a court order and removed the hack.

The latest development allows the Japanese console maker to acquire “documents sufficientto identify the source of funds (.pdf) in California that went into any PayPal account associated with geohot@gmail.com for the period of January 1, 2009, to February 1, 2011,” Spero ruled.

The information sought is part of a jurisdictional argument over whether Sony must sue Hotz in his home state of New Jersey rather than in San Francisco, where Sony would prefer.

————————————-

It will be interesting to see if PayPal simply complies or whether it seeks a protective order from the court. Additionally the bigger question may be, whether those people who made payment to Hotz have standing to object before their information is released?

Judge Says No Anonymity For Anyone Who Visited GeoHot’s PS3 Hacking Website Or Watched YouTube Video

March 5, 2011

An article on Wired covers the opinion from a federal magistrate granting Sony the right to get the IP address of people who viewed or commented on Geohot’s YouTube video of a hack being used on Sony’s Playstation 3.   This is another new area of law and it will be interesting to see how it evolves.   I doubt there are very many people who would realize they could be subject to legal action just by watching a video on YouTube.  The next question will be, do those individuals have the right to challenge to these subpoenas before their data is released to Sony?

A federal magistrate is granting Sony the right to acquire the internet IP addresses of anybody who has visited PlayStation 3 hacker George Hotz’s website from January of 2009 to the present.

Thursday’s decision by Magistrate Joseph Spero to allow Sony to subpoena Hotz’s web provider (.pdf) raises a host of web-privacy concerns.

Respected for his iPhone hacks and now the PlayStation 3 jailbreak, Hotz is accused of breaching the Digital Millennium Copyright Act and other laws after he published an encryption key and software tools on his website that allow Playstation owners to gain complete control of their consoles from the firmware on up.

Sony also won subpoenas (.pdf) for data from YouTube and Google, as part of its lawsuit against the 21-year-old New Jersey hacker, as well as Twitter account data linked to Hotz, who goes by the handle GeoHot.

 

Online Commenters Who Targeted CEO Must Be Identified, Judge Rules

March 3, 2011

More on the potential implication of commenting publicly on internet postings:

 

An Indianapolis judge has ruled the state’s shield law does not bar the release of identifying information about online commenters in a defamation lawsuit. The ruling by Judge S.K. Reid of Marion Superior Court requires the Indianapolis Star and the Indianapolis Business Journal to release information about anonymous posters, the Indianapolis Star reports. The judge was set to decide this week whether a third outlet, WRTV, must release the information. The defamation suit filed by Jeffrey Miller, former chief executive of Junior Achievement of Central Indiana, targets online statements that allege, among other things, that he “most likely” committed a criminal act and is “the most greedy man I’ve ever known,” the Indianapolis Star reports in a separate story. The Star quotes David Hudson, an ABA Journal freelance writer and a scholar with the First Amendment Center in Nashville. He said the public should…

via Online Commenters Who Targeted CEO Must Be Identified,

Court Holds that Data About Car Speed and Brake Usage Stored in Car’s Computer Protected by Fourth Amendment

February 10, 2011

This is a link to a post by Orin Kerr covering that the data contained in a car’s “black box” is protected by the fourth amendment and that police (at least in that area of California) need to a get a search warrant before retrieving it.

Quote from State v. Xinos opinion:

We do not accept the Attorney General’s argument that defendant had no reasonable expectation of privacy in the data contained in his vehicle’s SDM. The precision data recorded by the SDM was generated by his own vehicle for its systems operations. While a person’s driving on public roads is observable, that highly precise, digital data is not being exposed to public view or being conveyed to anyone else. . . . We conclude that a motorist’s subjective and reasonable expectation of privacy with regard to her or his own vehicle encompasses the digital data held in the vehicle’s SDM.

Internet Users Right to Anonymity and/or Privacy and protection from Subpoena

February 10, 2011

Another posts from Kashmir Hill on her blog THE NOT-SO PRIVATE PARTS covers the issue of the hosting site “fighting” subpoena aimed at discovering the identities of their users.  This is growing area of litigation that is yet to be settled.

Will Facebook and California Defense Attorney Continue to Fight the Killa Mobb?

Facebook’s lawyers have been looking for a rumble over the company’s responsibility to turn over user’s account information in legal cases. Now they’ve got one, thanks to a California juror and his grandstanding defense attorney.



%d bloggers like this: