Ride The Lightning

Law.com published an article last week entitled "Using Computer Forensics to Investigate IP Theft." I read it with great interest since this comprises about 25% of our digital forensics work at Sensei. Some time ago, I recall reading a report that said that 56% of all employees admit to stealing data when they leave a company.

The morality of such conduct aside, it has made a healthy market for digital investigations.

As the article points out, there are obvious things an employer should do to help prevent data theft. Immediate termination of user credentials and remote access is critical - and overlooked an amazing number of times.

If you know the employee was disgruntled or suspect misbehavior before departure, you may want to log the employee's activity and get a forensics image of his/her computer upon departure. When they do bad stuff, it's more often to be found on the local machine than the server as they commonly use web-based mail for their "secret" communications.

At the very least, all of the employee's computers, smartphones, flash drives etc. should be put aside for a while until a decision is made that the departure constituted no threat.

In a more sophisticated environment, data loss prevention (DLP) technologies can automatically flag when sensitive files are touched or an unusual number of files accessed or copied. In less sophisticated environments, logging is critical in obtaining proof of bad behavior. As one example, your expert may be able to tell you what model/make of flash drive was inserted in the employee's machine at a particular time, but not what was copied onto it - unless you have logging enabled.

We recommend that employers compose a lengthy "Departing Employee Checklist" so nothing is ever forgotten. The list itself will vary by the individual employer but might include changing office lock codes, collecting keys, asking questions about any personal devices that may have company data, having the employees sign a statement acknowledging that all company data has or will be returned and another statement acknowledging that any post-departure access to the network would be a criminal act.

Composing this list takes a team of those knowledgeable about the company's policies, procedures and technology - but boy, it sure helps prevent leaving an "open door" for those with bad intent. And, as the article points out, having the expertise of a digital forensics expert can be key to following the employee's digital trail and proving that data theft took place.

Yesterday, I received a press release from Nuix (and a similar release was sent out by EDRM) saying that Nuix and EDRM had republished the EDRM Enron PST Data Set after cleansing it of private, health and personal financial information.

A portion of the Nuix release said:

"The EDRM Enron data set is an industry-standard collection of email data that the legal profession has used for many years for eDiscovery training and testing. However, it was well known to contain large amounts of personal information about the company’s former employees."

The only part of that paragraph I quibble with is "it was well known." It was certainly well known to those who used the data and to certain others in the EDD sector. But as this blog has indicated in previous posts, the extent of personal information in the data set was unknown to many.

Nonetheless, I applaud the Nuix folks and EDRM for cleaning the data set of more than 10,000 e-mails and attachments of such things as credit card numbers, social security numbers, dates of birth and other personal information.

To download the cleansed data set and the case study that explains the methodology used, visit here.

Nuix will host a Twitter chat to discuss the release of the cleansed EDRM Enron PST Data Set on Thursday, May 23rd 2pm–3pm ET. Its experts will describe the process of identifying unsecured financial, health and personally identifiable information in corporate data. You can follow the hashtag #NuixChat and send in your questions beforehand to @nuix.

One thing I've always admired Logik for is its creativity.

On May 13th, Logik announced a new Logikcull.com subscription service available to law firms and corporations in need of predictable document discovery. With subscriptions starting at just $895/month, Logik predicts a savings of 28-50% over per-document pricing.

Each subscription comes with unlimited projects, unlimited storage, unlimited users, and a generous number of documents. Like Logikcull's per-document pricing, which is priced at a flat $0.05/document/month, there are no gigabyte or storage fees. Subscription customers can receive an additional 20% discount by signing up for an annual subscription. And there's a free trial for new customers.

The press release quotes CEO Andy Wilson:

"Our philosophy is simple - eDiscovery should be predictable and affordable. With our new subscription packages, everyone from solo practitioners to law firms to major corporations are now able to gain greater control of their legal expenses.  For our customers uploading large volumes of documents a subscription can provide significant savings and predictable costs. Subscriptions aren't for everyone of course, so we still have our popular per-document pricing as an option as well."

Another thing I admire about Andy is that he has sartorial self-confidence enough to wear red sneakers - with everything. Good luck to my friends at Logik with a pricing model that makes a lot of sense to me.

This certainly was a potboiler story on all the networks and throughout the Internet yesterday.

Though the dust is settling on the facts and there is probably a lot we don't yet know, it appears that the Department of Justice (DOJ) notified the Associated Press (AP) last Friday about a surveillance operation in which the DOJ spied on phone lines used by up to 100 AP reporters. It apparently obtained subpoenas to access phone records for 20 phones lines used by AP staff members from April-May 2012.

News reports last night indicated that the surveillance had to do with leaks about a foiled Yemini terror plot that appeared in an AP story on May 7, 2012.

AP CEO Gary Pruitt wrote a letter to the Justice Department yesterday in which he said in part:

"There can be no possible justification for such an overbroad collection of the telephone communications of The Associated Press and its reporters. These records potentially reveal communications with confidential sources across all of the newsgathering activities undertaken by the AP during a two-month period, provide a road map to AP's newsgathering operations, and disclose information about AP's activities and operations that the government has no conceivable right to know."

It seems to me that this is a concise and compelling summary.

Pruitt pointed specifically to a violation of regulation 28 C.F.R. §50.10, which requires that any subpoena "be as narrowly drawn as possible" Pruitt called for the DOJ to "immediately return to the AP the telephone toll records that the Department subpoenaed and destroy all copies. At a minimum, we request that you take steps to segregate these records and prohibit any reference to them pending further discussion."

The White House denied knowledge of the operation. The ACLU, Congress and many others are calling for an investigation - this should be an interesting story to follow.

As I have often lectured, none of us knows whether we are being watched, by whom, how, or for what reason. Welcome to the digital era.

Hat tip John Jones for some of this information.

CNET reported on Friday that Apple receives so many police demands to decrypt seized iPhones that it has created a "waiting list" to handle the flood of requests. The length of the waiting list is unknown, but it looks as though it can be up to four months based on anecdotal examples.

Last year, leaked training materials prepared by the Sacramento sheriff's office included a form that would require Apple to "assist law enforcement agents" with "bypassing the cell phone user's passcode so that the agents may search the iPhone." Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised (though in many cases the individual would already know that!).

A Bureau of Alcohol, Tobacco and Firearms (ATF) official said that Apple "has the capabilities to bypass the security software" and "download the contents of the phone to an external memory device."  Reportedly, once the Apple analyst bypasses the passcode, the data will be downloaded onto a USB external drive and delivered to the ATF.

It's not clear whether that means Apple has created a backdoor for police - which some have speculated that it has - or whether the company has custom hardware that's faster at decryption, or whether it simply is more skilled at using the same procedures available to the government. Apple declined to discuss its law enforcement policies. No surprise there.

Our electronic world causes all kinds of mishaps. You may have read a story about the FBI agent in Virginia who fatally shot his estranged wife several times last month. While the case had many peculiarities, the one that intrigued me was the fact that Arthur Gonzales told the 911 operator to send an ambulance and deputies to his home on Alderwood Drive in Stafford, VA.

However, an alert went out to the address which seemed to be the origin of the call, the 1800 block of Maverick Trail in Las Cruces, NM. After several deputies, firefighters and medical personnel arrived on the scene, they found out that the real emergency was in Virginia.

Gonzales had moved from New Mexico to Virginia and taken his VoIP routers with him - the routers allow users to connect landline telephones through an Internet service provider. However, he never told the service provider that he had moved.

Maybe this all makes sense in the context of an agent who shot and killed his wife after saying "I had to shoot her . . . She cut me on the arm." They don't teach FBI agents to shoot without killing?

But then, it has been a "What do I know?" kind of week.

Hat tip to Deb Matthews.

If you've been watching the last two RTL posts, you are aware of the personally identifiable information (PII) that is contained in the Enron Email Data Set. Responding to a report from BeyondRecognition's CEO John Martin, Amazon Web Services wrote to John yesterday and advised him that the Data Set had been taken down.

Through the prism of today's concerns with privacy, I believe this is the correct result and applaud John for ensuring that people outside the industry were made aware of the PII. It was time to revisit the issue of whether that data should be publicly available. I am glad that EDRM is working with Nuix to remove the PII so that the data set may once again be made public. When that happens, I'll be sure to post the new link to the data set.

There was a lot of discussion, private and public, after I covered last week's announcement by BeyondRecognition's CEO John Martin that he had discovered a lot of personally identifiable information in the Enron dataset.

Monica Bay penned a nice roundup of thoughts in Law Technology News.

EDRM's George Socha was among many, including our friend Craig Ball, to note that the fact that the Enron material had personally identifiable information was well known to many. Most of those who knew it worked with the data - which I (and so many others) have not - so to us it was a revelation.

FERC determined that releasing the data was in the public interest outweighing the PII exposure risk. But both Socha and Ken Withers, director of judicial education at The Sedona Conference, noted that the privacy lens of 2013 might be different than that of 2003. Withers said that "Americans are increasing concerned with personal privacy . . . . While the legal standards for approving a discovery protective order or a sealing order for court documents remain the same, the context has dramatically changed in the past few years, such that the calculus of 'good cause' in the former situation or 'compelling interest' in the latter may be different in 2013 than in 2003. It may be time to update the Sedona Guidelines on Confidentiality and Public Access."

Clearly, people do believe that having the PII available is problematic, because Socha stated that EDRM  has already been working with Nuix to remove the PII. Nuix's CEO Eddie Sheehy stated that EDRM removed the dataset from its site last year due to the presence of PII and a cleansed version of the sandbox is expected to be released later this month. Deborah Baron, Chief Marketing Officer of Nuix, said that more than 10,000 high risk documents have been removed (not simply redacted) from the dataset. She also said that Nuix will also support the hosting of the data and will share with the community the methodology developed by the Nuix team.

In the end, it became apparent that a good number of people knew about the PII. However, Martin's "discovery" was unknown to many - including me. Others in the EDD field wrote to concur that they too had not known about the PII. The story generated a lot of discussion - and that's a good thing. As valuable as the Enron dataset is, I agree with Withers that the legal outcome might differ today.

I want to thank all who wrote and called. I received an outpouring of education which was sorely needed and quickly became apparent.

My brief distillation of the dataset's history is this:

FERC determined that the public interest in publishing the data outweighed the PII exposure risk.

Enron petitioned the Fifth Circuit for a Writ of Mandamus to suppress publication.

The Fifth Circuit denied the Writ.

It granted a stay which proved moot when the parties apparently reached agreement and Enron dismissed its appeal.

FERC re-released the dataset after removing several thousand of the PII documents identified by Enron.

While the court may not have specifically blessed the release of the dataset, it was aware of the PII when it denied Enron’s effort to block it.

There's a lot more to it, but that's the digestible version.

And there you have it. Let the discussion continue - we are all better informed for having these conversations.

It is a startling revelation when you learn that a dataset that has been public for years and contains over 7,500 instances of unredacted social security numbers, credit card numbers, dates of birth, home addresses and phone numbers. But that is precisely the claim of John Martin, the CEO and founder of BeyondRecognition.

The EDRM Enron Email Data Set v2 (EDRM Data) is a collection of documents originally gathered by the Federal Energy Regulatory Commission (FERC) as part of its investigation of Enron's energy trading practices and then made public by FERC. The EDRM data is a reworked version of the original documents which was available for download over an extended period of time at EDRM's website - it has since been transferred to Amazon Web Services for downloading, though there is a link from EDRM to the download site.

Why have so many people/teams worked with the data for years without discovering all the personally identifiable information (PII)? EDRM teams worked with it. The NIST-sponsored Text Retrieval Conference (TREC) Legal Track for 2010 and 2011 used that data set. Teams from around the world used it.

Beyond Recognition acknowledges that it worked with the data set for several months without checking for PII - it was an accidental discovery when testing its mass redaction tool.

Let me make it clear that I understand that publishing a post on this issue serves the business interests of BeyondRecognition - John Martin himself is quick to point that out. Whatever the motivation, there is a lot of sound advice in the post about identifying and removing PII.

Putting motivation to one side, it is a real issue that publication of this data set necessarily meant that a data breach had taken place and it is astonishing that no one ever checked for PII. EDRM, in an e-mail I have seen, acknowledges that it is aware of the PII content and is working with an EDRM partner to make "a PII clean" version of the data available via EDRM.

But if the data breach was known, why were the proper authorities not notified?

At this point, BeyondRecognition has notified EDRM, FERC, Amazon Web Services, the FTC and the Texas Attorney General.

Let me hasten to add that I have no personal knowledge of what has gone on here - but it is disturbing that no one looked for PII when the data was made available and that no one (other than John Martin) reported the breach.

So . . . if there is something I am missing - if other players on this stage wish to have a voice, I urge them to write a measured response, which I'll be happy to post.

The Pittsburgh Post-Gazette reported on April 29th that Matthew James West, 21, had pled guilty to helping Alyson Cunningham and her husband Jonathan Cunningham access the computers of a law firm. The firm was identified only as VG, but as I indicated in an earlier version of this story, the firm appears to be Voelker & Gricks, LLP, in Pittsburgh.

Alyson had been fired by the firm in November 2011 and provided her computer password to West. She and her husband directed West, via a Skype conversation, as he entered the firm's network and inserted a program that transmitted to him passwords of anyone who logged into the network.

Mr. West, not a rocket scientist, then sent an e-mail to the firm, saying that he was a part of the hacktivist group Anonymous and was monitoring the firm's activities to confirm that it was behaving in a fair and just manner and that he was "not interested in ruining your business."

West has no prior criminal record and the charges to which he pled are misdemeanors. He will be sentenced on September 4th.

The pressing question for those involved with law firm security is this:  How in the devil did the law firm neglect to terminate Alyson's ability to connect to the network when they fired her? "Cut all means of access to the network" should be a mantra by now. If you don't have an employee termination checklist, make sure to create one.