Data Seizures at Borders

Recently this story came up in the news:

Travelers arriving at U.S. borders may soon be confronted with their laptops, PDAs, and other digital devices being searched, copied and even held by customs agents — all without need to show suspicion for cause.

Like most privacy issues, this subject will divide people into two camps – the left and the right. Those on the left think that personal privacy, above everything, is critical, and that if we don’t have personal privacy then the world will be run by crazy dictators and fascists. Those on the right think that it’s fine to give up all the privacy we have because of all those crazy terrorists who have their finger over the button of a nuclear bomb, ready to release it at any moment: it is only by reading our emails and intercepting our phone calls that those boys in blue, green, or dark shades can protect us.

Ok, those two sides may be slightly polarized, and very slightly exaggerated, but you get the idea.

The argument put forward by law enforcement is that searching a computer is no different from searching any other item, e.g. your briefcase or your suitcase. This argument is wrong for many reasons, but here are the two biggies: scale and content.

Scale

Traditionally people don’t carry around tons of paper documents, and all the letters they have ever received, and especially not on multinational trips. It’s just not something you do. Electronically this is, of course, easy to do, and we do it all the time. It seems obvious to say, but apparently not obvious to those looking at privacy issues in the US.

People carry around their data and don’t delete it, as they don’t need to. Giving anybody access to all your data is hugely concerning, from both a personal and a professional perspective. If customs can search the laptops of travelers without reason, then it is the equivalent of giving them a warrant to search every office in the world.

Content

The second problem is content. People keep things on their laptops, lots of things that tell you about them and their habits, perhaps information that even they are not aware was stored on their laptops.

How many people use Outlook, Outlook Express, or AOL to download their email onto their laptop? A lot is the answer. All of those people will be allowing US Customs access to their personal emails.

What about databases? People are always moving data around (we know this because it’s always being lost). If there is a database on your laptop, the US can have it if they “search” your computer. This will give them a huge amount of information about you, your company and/or your clients.

Passwords, now this is a biggie. Many people “cache” their passwords. This means that they type the password in and ask the computer to store it – you know if you do this because you will see dots or **** already filled in when you log on to something, as the password has been typed for you. If you do this and you fly across the US border, this is an issue. Cached passwords, as the name implies, are stored by the operating system and can be taken out. Extracting this information from a Windows operating system is relatively trivial for a computer forensics investigator. What does this mean? It means the US will have access to all of your personal email accounts, your company VPN, and possibly your bank details. What they do with this afterwards is a whole different issue, but it only takes a stroke of a legislator’s pen to allow the US to access your data remotely.

Feasibility

The risks described above are certainly a possibility, but are they plausible? Is it actually feasible for US Customs to take all of the data from a laptop in a reasonable time scale, and then do something useful with it?

In short, yes.

Hard drives can be imaged at huge speeds, up to 6 GB a minute. This means that every piece of data on a 100 GB hard drive can be obtained in around 30 minutes, allowing for taking the hard drive out and putting it back again. This can also be done en masse. For example, 10 people could be delayed for 30 minutes while customs suck up all of their data. But if this is too slow, programs are available to take just the active data, i.e. just the more recent/undeleted data. This would allow access to key data incredibly quickly.

Once the data has been obtained, doing something useful with it is, in short, easy and relatively cheap (given the scale). And once they have the data, they have all the time they need to look at it.

Some people, surprisingly, still think that the Windows password provides some sort of security against those in the computer forensics industry – it does not; it makes no difference whatsoever. This means that, unless a third-party encryption tool is in use, US Customs will have access to all of your data. Pulling out cached passwords can be automated, as can building databases of communications: who is talking to whom.

As the US has been buying up, and obtaining, databases for years from around the world, including the NSA obtaining phone records, it seems highly unlikely they would ignore such a huge volume of data sitting within arm’s reach of them.

Nowadays there is lots of commercially available software designed to pull together this huge volume of information and allow people to draw assumptions about what they are seeing, building pictures and creating conclusions.

Is it right?

Is it right that the US government is able to build up a huge network of data about you, your passwords, your personal emails, your files, your company files, your bank details, your pictures, etc, with no evidence, or even suspicion against you?

That is a moral decision, and not a technical one. But it’s one that must be taken by looking at all of the facts, and not by just accepting that a computer search is the same as a search of a briefcase.

On a personal note on the issue of “Is it right that the US government is able to build up a huge network of data about you, your passwords, your personal emails, your files, your company files, your bank details, your pictures, etc, with no evidence, or even suspicion against you?” I think the clue is in the question.

Privacy: US Searches of Laptops at Borders

Computerworld – Travelers arriving at U.S. borders may soon be confronted with their laptops, PDAs, and other digital devices being searched, copied and even held by customs agents — all without need to show suspicion for cause.

Notices are being proposed by the Privacy Office at the U.S. Department of Homeland Security (DHS), which last week released a report approving the suspicionless searches of electronic devices at U.S. borders.

The 51-page Privacy Impact Assessment also supported the right of U.S. Immigration and Customs Enforcement agents to copy, download, retain or seize any content from these devices, or the devices themselves, without assigning any specific reason for doing so.

Full Story: Searching computers at US borders

Electronic Discovery: FTC Guidelines (2006)

In February 2006 the FTC issued guidelines to reduce the burden on companies during the merger review process.

The Federal Trade Commission (“FTC”) issued an announcement today detailing reforms to the merger review process designed to reduce burdens associated with second requests for documents and data. Such burdens have increased substantially since the Hart-Scott-Rodino Act (“HSR Act”) became operational in 1978 due to an increased reliance by agencies upon direct market analyses and advances in technology resulting in higher production volume. Parties and agencies often spend millions of dollars, and associated investigations can take six to nine months. Last fiscal year alone, the FTC received nine productions exceeding one million pages. New guidelines and procedures will take effect for all HSR Act filings submitted on or after February 17, 2006.

Reforms are designed to reduce the volume of production, permit rapid identification of substantive issues and relevant material, and control costs by “reducing the volume of electronic storage materials that parties need to preserve, eliminating the need for most multiple searches of employees’ files, and reducing the size of privilege logs.”

Highlights from the new guidelines and procedures include the following:

Custodian Presumption
- There is a presumption that a party will not be required to search the files of more than 35 of its employees provided that the following conditions are met:

    o Staff is provided with materials that allow identification of employees and their positions (such as organization charts).
    o Employee(s) are made available to meet with staff to provide information about the responsibilities of those employees who have certain relevant knowledge.
    o Written descriptions of the responsibilities of a limited number of employees are provided upon request.
    o Employee(s) “…knowledgeable about how the party collects, maintains, and uses the types of data specified in the second request, and the databases and other software used by the party to store and analyze the data” are made available to meet with staff until staff and the party agree upon the data to be produced.
    o Production of materials occurs 30 days prior to formal certification of compliance or within some other mutually acceptable time frame (such as via a “rolling” production).
    o If the FTC challenges the transaction, the party agrees to jointly propose a scheduling order containing at least a 60-day discovery period.

- The staff shall promptly notify the party of the identities of the 35 or fewer chosen employees once information reasonably necessary to make the selection is provided.

- The files of a designated employee shall be considered to include all hard copy and electronic files of those responsible for maintaining that employee’s files.

- The restriction on the number of employees does not apply to requests for information contained in “corporate” or “central” files such as databases.

- A privilege log need not be produced until the party certifies that it has substantially complied with the request.

- The Director of the Bureau of Competition can authorize a larger than 35 employee search group when necessary, but the party will first be entitled to meet or confer with the Director to present its views.

Two-Year Relevant Time Period
- There will be a presumed relevant time period from two years prior to the date on which the second request is issued until 45 days prior to the date on which the party certifies substantial compliance with the request (where the 30-day advance production requirement applies, the relevant time period ends 45 days prior to the date of production).

- The two-year period does not apply to requests for data.

- The time period can be enlarged when deemed reasonably necessary to analyze competitive effects.

Empirical Data
- Staff will inform parties of the competitive effects theories under consideration and the types of analyses that may prove useful.

- Parties are encouraged to provide “(1) a written description of how the party collects, maintains, and uses the types of data that are responsive to the second request; (2) a proposal to limit the data request, and data samples to support the proposal; and (3) access to the employees of the party who are knowledgeable about how the party collects, maintains, and uses the types of data specified in the second request (collectively, “Data Negotiation Information”).”

- A party shall be entitled to meet or confer with a Director or Deputy Director if it believes that staff has not sufficiently limited the data requests.

Preservation of Backup Tapes
- “There will be presumptions that (1) a party may elect to preserve backup tapes for only two calendar days identified by staff, and (2) the FTC will require a party to produce documents contained on backup tapes only when responsive documents are not available through other more accessible sources. If a party’s document storage system does not permit designation of backup tapes for two specific calendar days, staff will work with the party to designate a comparable set of backup tapes that the party must preserve.”

Partial Privilege Log
- A party can elect to produce a partial privilege log for all of the custodians in the party’s search group, in conjunction with a complete privilege log for a small subset of those custodians, if it agrees to certain conditions.

- The partial log will contain the following information for each withheld document for a covered custodian: (1) the name of the custodian from whom the responsive documents are withheld on the basis of a claim of privilege; and (2) the total number of documents (stating the number of attachments separately) contained in each such custodian’s files that are withheld under a claim of privilege.

- Within five business days after receipt of the partial log, staff may identify five individuals or ten percent of the total number of custodians searched, whichever is greater, for which a complete log must be produced.

Electronic Production and De-Duplication
- The use of “de-duplication” and “near-de-duplication” tools can effectively reduce production volume and costs, but can also hinder investigations. Thus, staff must be advised about their use:

If you intend to utilize any De-duplication or Near-de-duplication software or services when collecting or reviewing information that is stored in the Company’s computer systems or electronic storage media in response to this Request, or if the Company’s computer systems contain or utilize such software, you must contact the attorneys for the government to determine, with the assistance of the appropriate government technical officials, whether and in what manner the Company may use such software or services when producing materials in response to this Second Request.
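The trade-off behind that de-duplication clause is easy to see in code. The following is an added example, not taken from the FTC guidance or from any e-discovery product: a hash-based exact de-duplication and a case-folding, whitespace-collapsing near-de-duplication, run over a constructed set of custodian files with placeholder custodian names. It shows that discarding duplicates outright erases the record of which custodians held a document (the very fact a custodian-level privilege log or an investigator cares about), while keeping one copy plus a custodian list does not.

```python
import hashlib
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    doc_id: str
    custodian: str   # whose files this copy was collected from
    text: str

# Constructed sample (placeholder names, not people from any real case):
# one review e-mail held by three custodians, plus one edited copy.
CONSTRUCTED_DOCS = [
    Doc("d1", "custodian_a", "Q3 review: she was a good employee and produced for me."),
    Doc("d2", "custodian_b", "Q3 review: she was a good employee and produced for me."),
    Doc("d3", "custodian_c", "Q3 REVIEW:  she was a good employee and produced for me. "),
    Doc("d4", "custodian_b", "Q3 review: she was a good employee and produced for me. Chairman disagrees."),
]

def exact_key(doc):
    """Byte-exact de-duplication key, as a plain hash-based tool would compute."""
    return hashlib.sha256(doc.text.encode("utf-8")).hexdigest()

def near_key(doc):
    """Near-de-duplication key: fold case and collapse whitespace before hashing."""
    normalised = re.sub(r"\s+", " ", doc.text).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()

def dedup_drop(docs, key):
    """Keep the first copy per key and silently discard the rest (lossy)."""
    seen, kept = set(), []
    for doc in docs:
        k = key(doc)
        if k not in seen:
            seen.add(k)
            kept.append(doc)
    return kept

def dedup_with_provenance(docs, key):
    """Keep one copy per key but record every custodian who held a copy."""
    groups = {}
    for doc in docs:
        entry = groups.setdefault(key(doc), {"doc": doc, "custodians": set()})
        entry["custodians"].add(doc.custodian)
    return groups

def custodians_lost(docs, key):
    """Custodians who vanish from the production entirely after dedup_drop."""
    before = {d.custodian for d in docs}
    after = {d.custodian for d in dedup_drop(docs, key)}
    return before - after
```

With the exact key only the byte-identical copy is dropped; with the near key the whitespace variant collapses too and custodian_c disappears from the production, which is the kind of effect the clause asks parties to discuss with staff before using such tools.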

Law: Hacker Fails To Block Extradition

British hacker Gary McKinnon has, once again, failed to prevent his extradition from the UK, this time after his appeal to the House of Lords was rejected.

Gary admits his guilt (which causes a problem for any defence) and wanted to be tried in the UK, but the CPS refused. Whether that decision is due to pressure from the US, or to a point of law, is not clear. As hacking is an offence under the Computer Misuse Act, and the CMA does not specify in which country the computer being attacked must be based, it would imply that the UK could try Gary, who faces up to 70 years in a federal prison, with a high risk of suicide (if not murder).

Having been through the courts, to the High Court and the House of Lords, with the Home Secretary refusing to step in, there are few, if any, options left for Gary McKinnon.

Guidance Software in the Dock

Guidance Software Inc, the makers of EnCase (the famous forensics tool), who also make electronic discovery tools, have been criticized by the courts for failing to find documents in their own electronic discovery case.

The irony of this is not lost on the industry, and FTI and Aon have already come out to comment on Guidance’s failure.

To make matters worse for Guidance, Access Data, their rivals and the company that recently attempted to buy Guidance, were able to produce the documents required.

Cassondra Todd (not CSI, but ex-GSI)

The court case revolves around an ex-employee suing for damages, an arbitrator, Guidance not finding documents, and an ex-employee now at Access Data.

The claimant, and former marketing director, Cassondra Todd (pictured inset) alleges she was forced out of Guidance Software and had several negative, but unwarranted, performance reviews. The claim is that the Chairman of Guidance, Shawn McCreight, put pressure on her manager to get her out. Cassondra Todd argues that she was discriminated against, mainly because she was a woman. Todd was eventually sacked, and as a result Todd sued Guidance Software for wrongful termination.

As part of the litigation process Guidance were expected to produce any emails they have to that effect.

However, Guidance produced relatively few emails between Todd and the company, and no self-incriminating documents.

However, one of Cassondra Todd’s former managers at Guidance, Tim Leehealey who is now the CEO and Co-Owner of Access Data, happened to retain some of his reviews of Cassondra Todd.

One of these emails, to the CEO of Guidance Software, stated that “Other than [Guidance Chairman] Shawn McCreight’s hatred of her, she was a good employee and produced for me.”

The documents that an ex-employee had a copy of were not produced by Guidance Software, and as Tim Leehealey stated, “Those documents were on people’s hard drives for sure, and they [Guidance Software] didn’t produce them.” This implies, if not states explicitly, that Guidance Software failed to produce all of the documents they should have.

The Arbitrator in this case, as it was taken to arbitration rather than a court hearing, hinted that he believed that Guidance Software were deliberately hiding information by stating that “I want this game-playing stopped“.

The Arbitrator found against Guidance Software in this case, again indicating that Guidance Software were not playing fair. As a result GSI were asked to pay Todd’s costs, and she was awarded $300,000 in compensation.

The fact that Guidance did not “find” these documents, either through failure or malice, poses a problem for Guidance Software, legally and for PR purposes.

FTI’s  Brett Harrison stated that Guidance Software’s electronic discovery Process “was not performed to commonly accepted standards within the e-discovery field and in great part did not occur at all.”

This case has a hint of the 2005 incident when Guidance Software was hacked into and credit card details were stolen. At the time Guidance was pushing security and intrusion detection courses.

The irony… they just need good marketing staff now…
