Up Front
News, trends, and analysis for the information management professional.
FOIA
Conn. High Court: Public Universities Can Withhold Records
Public universities can withhold records using a “trade secrets” exemption, the Connecticut Supreme Court has ruled.
The case, University of Connecticut v. Freedom of Information Commission, came from a 2008 freedom of information request by former state Democrat Rep. Jonathan Pelto seeking information from the University of Connecticut (UConn). According to the Student Press Law Center (SPLC), he requested the names of the athletic department’s season ticket holders, the performing arts’ database of subscribers and ticket purchasers, the Center for Continuing Studies’ database of people interested in programs offered, and the library’s donor database.
A lower court declared three of the four databases trade secrets under the statute as “customer lists.” The court did not consider the library’s database to be a customer list, but still sent it to the state’s Freedom of Information Commission (FOIC) to determine whether the list may still be protected under the trade secret exemption, the SPLC reported. (At the time of this writing, the FOIC was still considering this matter.) The Connecticut Supreme Court upheld that decision.
"Specifically, we consider whether a public agency that creates and maintains information that would constitute a trade secret if created by a private entity must engage in a ‘trade’ in order to shield such information from disclosure under the act. We answer that question in the negative,” the court stated in its unanimous opinion. “If the information meets the statutory criteria, it is a trade secret and the entity creating that information would be engaged in a trade for purposes of the act even if it was not so engaged for all purposes.”
The decision is now Connecticut law unless lawmakers act to change it, according to Colleen Murphy, executive director and legal counsel for the Connecticut FOIC. The FOIC told the SPLC that it does not plan to propose a legislative change.
ARCHIVES
NARA May Miss Declassification Deadline
The National Archives and Records Administration (NARA) has acknowledged that it may not complete its three-year program to evaluate 400 million official historic documents for possible declassification by the December 2013 deadline.
According to Federal ComputerWeek, the “Bi-annual Report on Operations of the National Declassification Center,” which was released by NARA in January, attributes delays to a lack of prior reviews of the documents to ensure they do not contain sensitive information and restricted data related to nuclear weapons, as required under national defense authorization laws.
NARA’s National Declassification Center was formed by President Barack Obama in 2010 and assigned to clear a huge backlog of documents, all 25 years old or older. It had finished processing 31%, or about 123 million documents, as of Dec. 31, 2011, according to the NARA report.
“Although we will certainly successfully assess all 400 million backlog pages within the next two years (and probably sooner), our ongoing assessment of the backlog suggests we must divert extensive interagency and NARA resources toward addressing prior failures by agencies to address the Restricted Data/Formerly Restricted Data-related requirements, and this unexpected extra review step will certainly impact our ability to complete all declassification processing by the deadline,” the operations report said.
PRIVACY
Watchdogs Criticize New Google Privacy Policy
Google’s new privacy policy is causing controversy in the United States and worldwide.
On March 1, 2012, Google began creating a single profile for each user by combining the data it collects about that user from its various websites and services. It also simplified and condensed its privacy policy to pacify government regulators, according to Google officials.
In a statement, Alma Whitten, a Google privacy director, wrote that the changes “will mean a simpler, more intuitive Google experience.” She said the changes streamline and simplify the privacy practices it employs worldwide across about 60 different online services and provide greater clarity for users.
But privacy watchdogs, who are urging the U.S. Congress to look into the changes, are concerned that the new policy also changes the way Google can use users’ information. In fact, Google’s new privacy policy states that Google can use information shared on one service in other Google services, according to The New York Times.
The Electronic Privacy Information Center (EPIC) has filed a complaint with the Federal Trade Commission (FTC) about the Google search changes on privacy and antitrust grounds. The Los Angeles Times reported that the main concern is the new Google search feature called Search plus Your World. This feature allows photos, updates, and other private information from the Google+ social network to appear in search results.
Google emphasized that its core privacy guidelines will not change. For instance, it does not sell personal information or share it externally except in the case of a valid court order, and it allows data liberation, which means Google users can move their information to other services.
French data protection officials have also objected to Google’s new privacy policy and said it may violate European Union law. France’s National Commission for Computing and Civil Liberties (CNIL) wrote in a letter to Larry Page, Google’s co-founder and chief executive, that the policy is unclear in explaining how the company would use private data.
“Rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices,” the letter from the CNIL said. “Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals.”
According to The New York Times, an advisory panel to the European Commission asked the French agency to conduct an initial assessment of the Google privacy changes. The French agency can fine companies up to £300,000 ($400,000 U.S.) for privacy breaches in France.
EU Privacy Commissioner Viviane Reding had previously asked Google to delay adoption of its new privacy policy to allow regulators to assess its compatibility with European law, but Google refused.
Last year, Google settled with the FTC over privacy misrepresentations it made related to its social networking tool Buzz. It agreed to audits of its privacy processes every other year for 20 years and to pay a fine for any future missteps. Google has since shut down Buzz. EPIC said it believes Google’s new social search tool violates that agreement.
HEALTH RECORDS
EHRs: Now There’s an App for That
Nine million Kaiser Permanente patients now can access their medical records on their mobile devices. Kaiser Permanente owns the largest non-government electronic health record (EHR) system in the world. Its new app for mobile devices (e.g., the Android and iPhone) provides full access to patients’ information with the mobile-optimized version of the member website, kp.org.
With the free app, Kaiser Permanente patients get 24/7 access to lab results, diagnostic information, direct and secure e-mail access to their doctors, and they can order prescription refills and schedule appointments.
Kaiser Permanente has been a leader in EHRs. For example, its KP HealthConnect enables all of its nearly 16,000 physicians to electronically access the medical records of all 8.9 million Kaiser Permanente members nationwide and serves as a model for other care systems, according to a company press release.
INFO TECHNOLOGY
IBM Researchers Store a Bit on 12 Atoms
IBM researchers have figured out how to store a single bit of data in just 12 atoms. It’s quite a feat, as today’s computer hard drives require about 1 million atoms per bit.
To set up the tiny storage system, engineers used a scanning tunneling microscope at temperatures near absolute zero. Instead of collecting atoms that spin in the same direction to hold memory, or “ferromagnets,” they alternated iron atoms that rotate one way with ones that turn in the opposite direction, arranging them in two rows of six on a copper nitride surface. That alternating alignment – called antiferromagnetism – kept the atoms from creating a magnetic field that would repel other atoms, allowing researchers to “really pack them right next to each other,” study author Andreas Heinrich told MSNBC.com.
The technique could lead to computers that store much more data than current ones while expending far less energy. But adapting the new technology for mass production is “a huge engineering challenge” that might take another decade to overcome, Heinrich said.
One challenge is the bytes that the scientists assembled were stable for only a few hours at temperatures barely above absolute zero: about 0.5 Kelvin or -458 degrees Fahrenheit. But while atomic-scale hard drives won’t be ready for the mass market anytime soon, Heinrich said larger antiferromagnets could be used in storage devices much sooner, as early as the next five to 10 years.
E-RECORDS
NY Courts Push Statewide E-Filing
State court officials in New York are pushing for mandatory electronic filing of documents statewide.
Thomson Reuters reported that litigants have been able to e-file in many parts of the state for the past 10 years, but just two years ago, some New York City courts began requiring electronic documents.
Former Chief Administrative Judge Ann Pfau released a report last June asking the state legislature to pass a bill requiring e-filing in almost all courts in the state, according to Thomson Reuters. She said the move would result in “hundreds of millions of dollars” of savings for the court system and litigants.
Several New York counties have followed Pfau’s lead and recently made e-filing mandatory in their courts. For example, Thomson Reuters reported that:
- All probate and administration proceedings must be filed electronically in Surrogate’s Court in Chautauqua, Erie, and Monroe counties.
- All contract, tort, and commercial actions, regardless of the amount of money disputed, must be filed electronically in Manhattan State Supreme Court.
- All cases in Supreme Court in Westchester and Rockland counties must be e-filed, excluding matrimonial, election law, Mental Hygiene Law, and Article 78 proceedings.
- Brooklyn’s Supreme Court has gone paperless for commercial actions in which $75,000 or more is in dispute, and all medical malpractice cases in the Bronx must now be e-filed.
Officials also have unveiled voluntary e-filing in a number of courts in recent weeks. As of March, all commercial, contract, tort, and tax certiorari claims in Supreme Court in Onondaga County could be e-filed, Thomson Reuters noted. At least a dozen other counties opened their Supreme Courts to e-filing this past January, including Albany, Nassau, and Suffolk.
Local government is pursuing online access, too. New York recently passed a law requiring town boards, county legislatures, and other public bodies to post proposed laws, resolutions, policies, and other public documents online before discussing them at meetings, the Times Herald-Record reported.
The new state law, which went into effect in February, applies to any government entity with a regularly updated website and high-speed Internet service. Open government advocates say the law gives citizens the same access to public records that officials have.
E-DISCOVERY
Judge Issues Opinion on Computer-Assisted Review
In what may be the first time a court has approved the use of computer-assisted review in electronic discovery, Magistrate Judge Andrew Peck (U.S. District Court for the Southern District of New York) determined that it may be used in “appropriate cases” for reviewing large volumes of documents.
In Monique Da Silva Moore, et al. v. Publicis Groupe & MSL Group, five women plaintiffs sued a large advertising firm and its U.S. public relations subsidiary for gender discrimination, according to Law Technology News.
Peck cited a study that concluded technology-assisted review is more accurate – and 50 times more economical – than “exhaustive manual review.” In other words, it determined that computers do a better job than humans in reviewing electronically stored information (ESI) for discovery production.
He also acknowledged that computer-assisted review should not be used in all cases, and the protocols he approved in the Moore case may not be appropriate in all future cases that use computer-assisted review, Law Technology News said.
In this process, which is also called “predictive coding,” a “screening program is revised and re-revised to refine subsequent searches to find a higher percentage of relevant documents than ordinary keyword-based review,” according to an article by Alison Frankel on Thomson Reuters News & Insight.
Peck acknowledged that judges and parties have worried about being the first to produce discovery by way of predictive coding, for fear that the document production process wouldn’t hold up to scrutiny. He also said there has been a fear by plaintiffs that defendants would tamper with search parameters to hide potentially relevant documents.
In the Moore case, the judge rejected concerns from class counsel at Sanford Wittels & Heisler, noting that he would closely supervise the computer-assisted review. “The idea is not to make this perfect, it’s not going to be perfect,” he told the parties. “The idea is to make it significantly better than the alternatives without nearly as much cost.”
Peck told the lawyers that they no longer have to worry about being a guinea pig for computer-assisted review. He added that “computer-assisted review is an available tool and should be seriously considered for use in large-data-volume cases where it may save the producing party (or both parties) significant amounts of legal fees in document review.” He said it was up to them “to design an appropriate process, including use of available technology, with appropriate quality control testing, to review.”
E-discovery experts have said they believe Peck’s decision will, in fact, pave the way for the use of computer-assisted review in major civil litigation and reduce the costs of document production in federal court suits, according to Thomson Reuters.
E-RECORDS
ERA Costs May Hit $1B, GAO Says
Development costs for the National Archives and Records Administration’s (NARA) Electronic Records Archive (ERA) have more than doubled and may be spiraling out of control, according to a new report from the Government Accountability Office (GAO).
“National Archives Needs to Strengthen Its Capacity to Use Earned Value Techniques to Manage and Oversee Development,” which was published in January 2012, says current development costs have soared from $317 million to $567 million and may reach $1 billion.
NARA has been developing ERA since 2001 to preserve and provide access to its digital records. But several delays, revisions to the original plans, and weaknesses in management control have proved problematic and expensive for the program.
PRIVACY
Ikea Paid Firm to Spy on Customers, Staff
Swedish furniture giant Ikea allegedly paid private security firms to spy on “complaining” customers and “suspicious” employees at its stores in France, according to France’s Canard Enchaine newspaper.
The spying began in 2003, according to the newspaper, and included checking the criminal records and links to political groups for more than 200 people.
The Canard Enchaine said it uncovered e-mails showing that Ikea officials paid £70 ($111 U.S.) each for the reports taken from a national French police database. The paper said the e-mails were between the head of Ikea’s risk management department, Jean-François Paris, and Yann Messian of private investigator Sûreté Internationale. The exchanges discussed gaining access to the police’s controversial database, Stic.
According to a Radio France Internationale (RFI) report, Stic has been accused of compiling unreliable files on criminals, victims, and witnesses.
The Canard Enchaine stated: “Questions were asked about more than 200 people, including requests for criminal records, vehicle registration checks, and affiliations with political organisations. IKEA’s head of security authorised payments of £80 [$107 U.S.] for each check carried out. The information was then used in deciding whether to fire certain staff members or provide intelligence on customers involved in legal disputes with them.”
The RFI reported that Ikea France allegedly asked for information on a customer who was suing it for £4,000 ($5,329 U.S.) and for the name of the owner of a car that approached a site where it planned to open a store.
As a result of the revelation, 10 IKEA employees are now suing the company for illegal use of personal data. In addition, the offense is punishable by a £270,000 ($430,013 U.S.) fine and up to five years in prison, the paper said.
Ikea has been criticized for its security procedures before. A 2010 book, The Truth About IKEA, claimed the company was “racist and nepotistic” and said its surveillance methods on staff were “worthy of the Stasi,” according to the United Kingdom’s The Telegraph.
An Ikea spokesman in France said the company disapproves of “all these kinds of illegal practices” and intends to carry out a full investigation.
DATA SECURITY
Stolen NASA Laptop Breached, IG Says
The National Aeronautics and Space Administration (NASA) recently announced a major breach involving a stolen laptop containing the formulas used to control the International Space Station. An internal investigation revealed that the laptop was unencrypted.
“The March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station,” said NASA Inspector General Paul K. Martin in his written testimony to lawmakers in late February 2012.
During 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in a loss of more than $7 million, Martin said. He told a House Science, Space, and Technology Committee investigations panel that the incidents have resulted in the “significant disruption to mission operations” and “the theft of export-controlled and otherwise sensitive data.”
According to Nextgov, Martin’s office is still investigating an intrusion that went undetected for a period of time at NASA’s Jet Propulsion Laboratory and involved China-based network addresses. In that episode, the culprits gained total control over systems at the lab, which operates the Deep Space Network. They had the ability to alter files, add user accounts, and install hacking tools to steal staff credentials, Nextgov reported.
The frequency of breaches shouldn’t be a huge surprise; for years, the space agency has struggled to tighten information security – an institutional problem that some critics say is due to the chief information officer’s (CIO) lack of authority, according to Nextgov. The CIO supervises administrative systems, but has no power over mission-critical systems supporting NASA’s aeronautics, science, and space programs, including the Deep Space Network.
E-DISCOVERY
NY Court: Producing Party Should Pay Discovery Costs
A New York appeals court has ruled that the party that produces documents in a lawsuit must pay discovery costs, even when it requires costly retrieval of electronic documents, Thomson Reuters reported.
The First Department, Appellate Division of New York ruled that the requesting party should not bear the enormous costs of discovery.
In the recent case U.S. Bank National Association et al. v. GreenPoint Mortgage Funding Inc., the appeals court ruled unanimously that GreenPoint Mortgage Funding must pay the costs of finding and producing a “vast” amount of electronic documents in a mortgage-backed securities lawsuit, according to Thomson Reuters.
The First Department called it an “unsettled” area of the law, partly because of the sky-high cost of finding and producing electronically stored information (ESI).
In 2009, U.S. Bank sued GreenPoint Mortgage Funding over $1.8 billion in subprime mortgage-backed securities issued by GreenPoint in 2005 and 2006. The lawsuit claimed that GreenPoint committed “gross violations” of the “representations and warranties regarding the attributes of the loans and the practices and policies under which the loans were originated, underwritten, and serviced,” according to the ruling. The bank requested that GreenPoint produce a “vast” number of documents, the court said.
GreenPoint successfully persuaded Manhattan Supreme Court Justice Bernard Fried that U.S. Bank should pay the costs, but the appeals court reversed the decision. The court noted the state’s civil practice rules do not address paying for discovery.
The court also pointed out that several state courts have ruled in favor of requiring either the requesting or the producing party to pay discovery costs, but the enormous expense of searching for and retrieving electronic documents has pushed the issue to the forefront in recent years.
“There has been a movement among other courts, where the cost of discovery production is significant, to adopt the standards articulated by the United States District Court in Zubulake ... and to place the cost of discovery, including searching for, retrieving, and producing ESI, at least initially, on the producing party,” the court wrote.
The panel noted that under Zubulake, judges can still consider whether to reallocate costs based on factors, such as the narrow tailoring of the discovery request or the resources of each party in the lawsuit.
INFO TECHNOLOGY
Coming Soon: Google Glasses
Instead of using a smartphone to check sports scores and find the nearest yogurt shop, Google is betting some people will opt for tricked-out, navigation-enabled glasses instead.
Google is working on glasses – set for release later this year – that will use augmented reality software to return real-time information about locations and people, according to a New York Times technology blog.
The Times said the glasses will be able to stream data to the wearer’s eyes in real time. While Google isn’t officially commenting, some Google employees have revealed that the high-tech glasses will cost about the same as today’s smartphones, $250 to $600, according to The Times.
The employees told The Times the glasses will be Android-based, feature a small screen that will sit a few inches from the wearer’s eye, and include a 3G or 4G data connection and motion and GPS sensors.
They also will have a unique navigation system that requires head tilting to scroll and click, the blog reported. The glasses’ low-resolution camera will be able to monitor the world in real time and overlay information about locations and nearby buildings and friends, according to Google employees.
The glasses will send data to the cloud and then use things like Google Latitude to share location, Google Goggles to search images and figure out what is being looked at, and Google Maps to show other things nearby, the Google employee said.
INFO TECHNOLOGY
Videoconferencing Vulnerable, Security Expert Says
A security expert says videoconferencing systems in conference rooms around the world are vulnerable to hackers.
HD Moore, a chief security officer at Boston-based computer security company Rapid7, demonstrated the vulnerability of companies that use videoconferencing equipment by hacking into a dozen companies’ conference rooms around the globe. He said he easily could have eavesdropped on privileged conversations or read a report lying on the table, using their videoconferencing equipment.
According to an article in The New York Times, Moore wrote a computer program that scans the Internet for videoconference systems that are outside firewalls and configured to automatically answer calls. In less than two hours, he had scanned 3% of the Internet and discovered 5,000 wide-open conference rooms at law firms, medical companies, oil refineries, and universities. According to the article, even some videoconferencing equipment vendors came up in Moore’s scan, including Polycom, Cisco, LifeSize, and Sony.
With this information, Moore was able to hack into a lawyer-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital pitch meeting where a company’s financials were being projected on a screen, according to The Times. He even found a path into the Goldman Sachs boardroom via a company it videoconferences with, but he did not dial in, The Times noted.
The Times said most new videoconferencing systems are designed with visual and audio clarity, but not necessarily security, in mind. Rapid7 discovered that while businesses are investing in these top-quality videoconferencing units, some administrators are setting these systems up outside firewalls and configuring them to automatically accept inbound calls, allowing anyone to dial in and look around without detection. According to Moore, companies should install a “gatekeeper” that securely connects calls from outside the firewall, but the process is complex and therefore often skipped.
PRIVACY
China Issues Data Protection Regulation
The Ministry of Industry and Information Technology of the People’s Republic of China (MIIT) has issued a new regulation to protect personal data. “Several Provisions on Regulating Market Orders of Internet Information Services” defines “user personal information” as any information that independently identifies a user or may be used to identify a user when combined with other data.
The Hunton & Williams LLP Privacy and Information Security Law blog reported that the new regulation will require Internet information service providers (IISPs) to provide stronger protection for the personal data they collect from users in China and will subject them to notice and consent requirements and collection and use limitations.
The new regulation prohibits IISPs from collecting or providing to third parties a user’s personal information without the user’s consent. In obtaining consent, IISPs also must clearly define the method, content, and purpose for collecting and processing the personal information. Also, the regulation notes that IISPs will not be allowed to collect information that is not necessary to provide their services or for any purpose other than providing those services.
According to Hunton & Williams, the new regulation includes breach notification obligations and requires IISPs to keep user personal information in proper custody to mitigate the risk of security breaches, immediately report any breach of information to the proper telecommunication authority, and cooperate in any investigation.
SOCIAL MEDIA
Employers, Colleges Demand Facebook Passwords
Job applicants and college athletes are increasingly being asked and, in some cases, required, to surrender their Facebook password to potential employers and universities.
Two examples, according to MSNBC.com, are:
- Individuals who apply for work at Maryland’s Department of Corrections (DOC) have been asked during interviews to log into their accounts and let an interviewer watch while the potential employee clicks through his or her private Facebook wall posts, friends, and photos.
- The University of North Carolina’s handbook states: “Each team must identify at least one coach or administrator who is responsible for having access to and regularly monitoring the content of team members’ social networking sites and postings” … “The athletics department also reserves the right to have other staff members monitor athletes’ posts.”
Maryland’s DOC’s policy first came to light last year, when a corrections officer complained to the American Civil Liberties Union (ACLU) that he was forced to provide his Facebook user name and password during an interview. The state agency suspended the policy for 45 days and eventually settled on the “shoulder-surfing” policy, MSNBC.com reported.
In defense of the policy, the DOC said it wants to ensure that the prison guards it hires don’t have gang ties. The agency told the ACLU it had reviewed 2,689 applicants via social media and denied employment to seven because of gang-related signs found on their pages. It also said the policy of surrendering passwords is voluntary, and five out of the 80 employees hired in the last three hiring cycles did not provide access.
Student athletes, however, aren’t usually free to deny access to their Facebook and Twitter accounts. According to MSNBC.com, many schools now have a policy similar to the University of North Carolina’s (UNC) – requiring students to “friend” a designated coach or compliance officer, giving them access to their private posts.
Some schools have even purchased social media-monitoring software tools from firms like UDiligence and Varsity Monitor to automate snooping on students’ accounts. These programs provide a “reputation scoreboard” to coaches and send “threat level” warnings about individual athletes to compliance officers, MSNBC.com said.
This is wrong, Washington, D.C., lawyer Bradley Shear told MSNBC.com, and both schools and employers are violating the First Amendment.
Shear has pushed Maryland state legislators to propose two separate bills aimed at banning social media access by schools and potential employers. The ACLU is aggressively supporting the bills, said Melissa Coretz Goemann, the Maryland ACLU legislative director.
No one is proposing laws to protect student athletes yet, but Shear says it’s “troubling” that some schools are telling students they have to friend a coach in order to play on the team.
An embarrassing incident two years ago incited UNC’s aggressive social media policy. A football player tweeted about expensive purchases on his account and then became the subject of a National Collegiate Athletic Association investigation about improper conduct with a player agent, MSNBC.com reported.
Whether a government agency monitors job applicants or schools monitor students, Goemann said it violates Facebook’s Terms of Service, which stipulates that account holders will not share their password or “let anyone else access your account or do anything else that might jeopardize the security of your account.”
Frederic Wolens, a Facebook spokesman, wouldn’t comment on the Maryland legislative proposals, but he told MSNBC.com that many of these policies appear to violate the site’s terms.
“Under our terms, only the holder of the email address and password is considered the Facebook account owner. We also prohibit anyone from soliciting the login information or accessing an account belonging to someone else,” he said in a statement to MSNBC.com. Wolens said Facebook has yet to take a position on collegiate social media monitoring.
The state of Illinois also is considering similar legislation to ban social media password demands by employers. But Shear says anything less than a federal law to stop the practice is not good enough.
PRIVACY
Supreme Court: GPS Tracker Violated Privacy
In a decision that may have future implications for new technologies, the U.S. Supreme Court unanimously ruled that police violated the Fourth Amendment when they put a global positioning system (GPS) tracking device on a suspect’s car and monitored its movements for 28 days.
Five justices said the main problem was that police placed the device on private property without obtaining a warrant. The majority also expressed their unease with the government’s use of or access to various modern technologies, including video surveillance in public places, automatic toll collection systems on highways, devices that allow motorists to signal for roadside assistance, location data from cellphone towers, and records retained by online merchants, according to The New York Times.
The case concerned Antoine Jones, who owned a Washington nightclub and was suspected of being part of a cocaine-selling ring, The Times reported. Police placed a tracking device on his Jeep Grand Cherokee without a valid warrant, tracked his movements for a month, and used the evidence gathered to convict him of conspiring to sell cocaine. He was sentenced to life in prison.
The U.S. Court of Appeals for the District of Columbia Circuit overturned his conviction, ruling that the sheer amount of information that had been collected amounted to an unreasonable search and violated the Fourth Amendment, The Times said.
The Supreme Court agreed, but for a different reason. “We hold that the government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search,’” Justice Antonin Scalia wrote for the majority. “It is important to be clear about what occurred in this case … The government physically occupied private property for the purpose of obtaining information. We have no doubt that such a physical intrusion would have been considered a ‘search’ within the meaning of the Fourth Amendment when it was adopted.” END
CLOUD COMPUTING
Megaupload Shutdown Reveals Cloud Risk
When the U.S. government shuttered popular file-sharing service Megaupload earlier this year for violating copyright laws, users cried censorship, and the hacker group Anonymous retaliated by taking down the Department of Justice’s (DOJ) website.
The DOJ executed more than 20 search warrants in the United States and in eight other countries to seize servers and domains belonging to Megaupload, according to the 72-page federal indictment unsealed on January 19. Megaupload’s CEO, Kim Dotcom, and other officials were arrested in a raid in New Zealand, according to Wired. The DOJ is seeking to extradite Dotcom to the United States to face criminal conspiracy charges.
Megaupload is an online “locker” service in which users can anonymously upload large files to the company servers and share the content via a unique URL. Before it was shut down, it was the most popular web-based file-sharing service by far, according to Wired. In a recent study of 1,600 networks, Palo Alto Networks found it accounted for about a quarter of all file-sharing traffic, about 10% more than its nearest competitor.
While the Federal Bureau of Investigation was targeting Megaupload users who used the site to illegally share music, television shows, movies, and software, as the indictment claimed, there were many other individuals who used the service to store personal and private files, including work documents, personal videos, and photographs.
Gant Redmon, general counsel of Co3 Systems, advises organizations to evaluate online hosting, backup, and collaboration providers to determine which ones are trustworthy before moving their data outside of their own networks.
Experts say the Megaupload incident doesn’t mean organizations should stop using cloud-based services, but it does mean they should consider the possibility that their employees are using such services to store corporate data, according to Wired. END
PRIVACY
Search Firms to Mine Tweets
Twitter has announced that it will sell users’ tweets to two research firms, who will then release the information to companies willing to pay for the privilege of mining the data, according to The Financial Post.
Gnip Inc. and DataSift Inc. are licensed by Twitter to analyze archived tweets, as well as basic information about users. DataSift said it will release Twitter data in packages that will contain the past two years of its customers’ activity.
More than 700 firms are on a waiting list to receive the data, a DataSift official told Reuters. Those firms that buy the data will be able to see tweets on specific topics and even isolate those views based on geography.
The data firms have said no private conversations or deleted tweets can be accessed, but privacy advocates say they still are concerned.
“Harvesting what someone said a year or more ago is game-changing,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego. END
LEGAL
Courts Rule For, Against Hard Drive Decryption
A Colorado court has ordered a woman to decrypt her hard drive in a mortgage trial, while an Atlanta court has decided not to force a child abuse suspect to decrypt his hard drive because doing so would violate his Fifth Amendment rights.
The recent ruling by the Atlanta-based U.S. 11th Circuit Court of Appeals in the case of an unnamed suspect from Florida (known as “John Doe” in court papers) goes against past U.S. court precedent where judges have determined that a person should be required to turn over hard drive passwords in a criminal investigation, according to The Wall Street Journal (WSJ).
Courts in Colorado and Vermont have previously held that the government can order suspects to turn over encryption passwords in certain circumstances.
In the case heard by the 11th Circuit Court of Appeals, the suspect allegedly refused to supply the passwords for five of his laptop hard drives and five external hard drives. His hard drives, which were encrypted using TrueCrypt, had been seized by police at the time of his arrest in a hotel room in October 2010, according to court documents. The police had no knowledge of what the drives may contain.
The suspect refused to supply the passwords in time for his appearance before a federal grand jury in Florida and in response to a later court order requiring him to decrypt the hard drives, the WSJ reported. A federal judge held the suspect in contempt, but the appeals court overturned this ruling.
But, in January 2012, a federal judge in Colorado ordered a woman charged with fraud to turn over decryption keys to her computer. A regional appeals court rejected her appeal, and she was ordered to decrypt the information in February.
In U.S. v. Fricosu, the court ordered Ramona Fricosu to produce an unencrypted version of her laptop’s hard drive to prosecutors in a mortgage fraud case. She and her ex-husband were indicted in 2010 on bank fraud charges, The Denver Post reported. When authorities served a search warrant on their home, they seized the laptop with the encrypted drive.
Judge Robert Blackburn of the U.S. District Court for the District of Colorado said the government sought a search warrant under the All Writs Act, which “would require Fricosu to produce the unencrypted contents of the computer.” However, she did not provide the information, “asserting her privilege against self-incrimination under the Fifth Amendment.”
Blackburn cited the Vermont case in his decision. In In re Grand Jury Subpoena to Boucher, child pornography was found on the defendant’s laptop during a border search in Vermont. When the computer was evaluated as part of the search, pornography was discovered. The laptop was subsequently seized, but was found to be password protected. A magistrate judge initially sided with the defendant, but upon appeal, a judge for the U.S. District Court for the District of Vermont reversed the decision.
According to Law Technology News, the Fricosu ruling may undermine Fifth Amendment protections in the digital age. The Electronic Frontier Foundation supported Fricosu’s Fifth Amendment privilege, noting that “the government makes an aggressive argument here that may have far-reaching consequences for all encryption users.” END
PRIVACY
White House Proposes Consumer Bill of Rights
The Obama Administration recently released a plan for an online privacy bill of rights meant to protect consumers and help them better control what information about them is collected online.
The bill of rights sets standards for the use of personal data, including individual control, transparency, security, access, accuracy, and accountability, according to The New York Times. It would give consumers the right to know what information is being collected about them, and it calls for do-not-track technology in most major web browsers to make it easier for users to control online tracking.
Officials from the Federal Trade Commission and National Telecommunications & Information Administration said Congress will have to write legislation governing the collection and use of personal data to implement the White House’s recommendations. But, in the meantime, the agencies plan to meet with everyone from Internet firms to consumer groups to develop and implement enforceable rules based on the bill of rights that companies can voluntarily adopt in the absence of legislation, according to PCmag.com.
As released by the White House, the proposed Consumer Privacy Bill of Rights includes seven protections:
- Individual control: Consumers have a right to control what personal data organizations collect from them and how it is used.
- Transparency: Consumers have a right to easily understandable information about privacy and security practices.
- Respect for context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
- Focused collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
According to The Times, the agreement will force software developers to post privacy policies detailing what personal data they plan to collect and how they will use it. It also compels app store providers like Apple and Google to offer ways for users to report apps that do not comply.
The White House announced that companies responsible for delivering nearly 90% of online behavioral ads – ads that appear on a user’s screen based on browsing and buying habits – have agreed to comply when consumers choose to control online tracking. Google, Yahoo!, Microsoft, and AOL have each committed to the bill of rights.
The Digital Advertising Alliance, a group of marketing and advertising trade groups, said it had committed to following the instructions consumers gave about their privacy choices by using do-not-track technology already available in most web browsers, according to The Times.
Stu Ingis, general counsel for the organization, said the group hoped to reach agreement within about nine months with browser companies on standards for the use of a one-click notification of a consumer’s privacy desires.
The advertising industry also committed not to release consumers’ browsing data to companies who might use it for purposes other than advertising, such as employers making hiring decisions or insurers determining coverage, The Times said. END
From May - June 2012