Ride The Lightning

Jeffrey Brandt reported an interesting story yesterday on Legal IT Professionals. It involves a global law firm that has been BADLY breached and reacted by terminating its BYOD policy and banning personal devices from the network. The personal use of firm e-mail was also banned and real-time scanning of e-mail was implemented. 

It included an internal memo of the law firm and remember that the typos may be explained by the OCR process. However, there were other things that made me question the story.

After chatting with Jeff via e-mail, the story turned out to be a hoax by Jeff to stir up conversation about information security. A badly needed conversation and the best fodder for a CLE I've seen in a long time.

Here is one of the e-mails I received from Jeff, posted here with his permission:

I have attacked the law firm security angle in multiple posts from multiple angles, earnest education, humor, etc.  but firms are still barely moving or not moving at all (there are exceptions of course).  I was reading some Above the Law posts that included memo leaks and was inspired.  Since law firms are such herd animals I figured a story about a massive breach would get them buzzing - everyone wondering who it was and what they did in response.  And of course, what they needed to do to make sure they weren’t next.  Apparently it did.  I got many emails and even direct calls – one that pretty much went “Hello Jeff.  Was it [name of firm]?”  Some former colleagues told me I made several of the private CIO listservs, that it was sent to the FBI and more.

King & Spalding was the first that I know of to step outside the comfort zone and mandate a security policy that was intrusive and inconvenient to the partners.  That made firms talk.  So I figured I’d pick some intrusive counter measures and (hopefully) make them think outside the box.  My hope is that it continues and isn’t just a flash in the pan, especially after people figure out it wasn’t real.

I join Jeff in the hope that law firms will continue conversations and make hard decisions about the steps necessary to secure their data.

The ABA Journal recently reported on a case in which testimony about mobile phone tracking was found not to be reliable. The judge even wrote that the FBI special agent's "chosen methodology has received no scrutiny outside the law enforcement community."

It is actually surprising that defense lawyers have long "laid down and taken" prosecutors' assurances that cell tower evidence is wholly scientific. Of course, these are lawyers, many of whom are notably technophobic and their understanding of the science may have been limited.

Though it makes perfect sense to attack some cell tower tracking evidence as unreliable under Daubert, one doesn't want to overstate the case by tarring and feathering all such evidence with the "junk science" label being put forward by some.

As Professor Edward Imwinkelreid (I can't imagine how many times he has had to spell that name) has noted, cell phone records can tell you whether a person who has denied being in the coverage area of a particular tower at a given time was lying.

In some cases, cell phone triangulation can use three towers to give a reasonably accurate location in urban areas, where there are more towers and a more general location in rural areas.

If the phone has GPS, it can pinpoint a caller's location within about 50 meters. Without it, we are left with the far less precise locating capacities of the cell phone towers. One of the misconceptions referenced by the judge was the notion that cell phones always connect to the tower with the strongest signal. Not necessarily so. Factors that determine which tower a phone will connect to include weather, topography, network congestion, physical obstructions, tower maintenance and whether the phone is used indoors or outdoors.

But don't think this case, where an expert may not have done his homework, is a death knell for cell tower evidence. As the good professor noted, that's "just silly."

Hat tip to Dave Ries.

As reported yesterday, Wikileaks founder Julian Assange told reporters in a 75-minute telephone conference call that Edward Snowden is “healthy and safe.” As I type, we don't know where the former NSA contractor is.

Assange clearly wanted to highlight the assistance that Wikileaks is providing to Snowden, facilitating his departure from Hong Kong. Assange spoke from Ecuador’s embassy in London, where he has spent the past year fighting extradition to Sweden on sexual assault charges, which many believe to be inflated. He confirmed reports that Snowden has been given travel papers by Ecuador pending his asylum claim there - a necessity since the U.S. Government (a tad late) revoked his passport. Snowden has also applied for asylum in other countries, no doubt a smart insurance policy.

As usual, the U.S. government is doing itself no favors. Having treated Private Bradley Manning despicably in the recent past, the government now fumbles about publicly with ironies abounding on both sides. Governments which are known to be hostile to the U.S. (and often inhumane) become the natural refuge for someone branded a traitor. Assange sees no irony there, but I do.

On the other side of the coin, the government which champions American values and the Constitution has apparently spied on one and all with impunity for years. Did we think it would never come out? There would inevitably be a Snowden, by any other name. And do we really think the man himself is the problem? Forget his laptops - the data is surely already in the hands of his natural allies, including Wikileaks and the press.

Edward Snowden is not the government's biggest worry - while they must deal with him one way or another (and let us not think black ops here), the far bigger concern is the now-proven activity of the government.

We have heard John Kerry hurl words like "traitor" against someone who, while probably committing a criminal act, gave us proof of widespread government conduct that is likely unconstitutional, appalling to those who value privacy and certainly worrisome to other governments who now perceive the frightening extent of America's communication interceptions of friends and enemies alike. If, as President Obama says, we must focus on checks and balances, where are they? In secret courtrooms?

We do the indefensible and wrap in a cloak of patriotism at our own peril.

“In the end the Party would announce that two and two made five, and you would have to believe it."
- George Orwell, 1984

Reuters reported that Facebook announced on Friday that it had inadvertently exposed 6 million users' phone numbers and email addresses to unauthorized viewers. The data leaks began in 2012 and reportedly were caused by "a technical glitch" - not a very informative explanation. Apparently, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have.

The leak was fixed within 24 hours of its discovery and Facebook issued an "important message" on its blog saying that, "We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing."

The company added, "it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again."

On the plus side, I do give Facebook credit for leading successful negotiations, along with Google, Microsoft, Apple and Yahoo, that permit the companies to reveal the approximate number of user information requests that each company has received, including secret national security orders. As George Orwell seems more and more a prophet, this was at least a step in the right direction.

Texas has never been my favorite state, though it gets points for being the residence of dear friends Craig Ball and Tom Mighell.

Apart from that, I rarely have cause to give Texas a shout-out, but last Friday it became the first state in the U.S. to prohibit e-mail snooping by state and local authorities without a warrant. So kudos to the Lone Star state for passing that law - and where are the 49 other legislatures?

Mind you, no state action can stop the prying eyes of the Feds. Under federal law, a warrant must be procured only if the e-mail is unopened. Once it has been opened, it's fair game under the antiquated Electronic Communications Privacy Act (what a misnomer) - and ditto if it has been sitting unread for 180 days. And if the communication falls under the Patriot Act . . . well, goodbye to any protection.

The need to revise the ECPA has been glaringly apparent for years. Let's hope Congress (one of these days) will get that message.

In the meantime, I will raise a glass of wine and toast the Lone Star State for being the first to act to protect its citizens from warrantless spying by state and local authorities. Maybe I'll even watch "The Alamo" - drinking wine has always improved my assessment of John Wayne's acting.

And so, in large part, have I.

An excellent post by Craig parallels my own thinking about predictive coding and how that thinking has evolved over time.

I won't ruin the fun of reading a vintage pithy Craig Ball piece, but the essence is that predictive coding takes far less time and money than full-blown human review. Humans screw up relentlessly - machines do not. It is easy for both humans and machines to distinguish the clearly relevant from the clearly irrelevant but the machines are so much faster - and they can ask for guidance on questionable documents and become smarter still.

This was my favorite paragraph:

So why isn’t everyone using predictive coding?  One reason is that the pricing has not yet shifted from exploitive to rational. It shouldn’t cost substantially more to expose a collection to a predictive coding tool than to expose it to a keyword search tool; yet, it does. That will change and the artificial economic barriers to realizing the benefits of predictive coding will soon play only a minor role in the decision to use the technology.

Craig says it so well that I am left with only "Amen, brother." For smaller cases, the exploitive pricing of predictive coding continues to make it out of reach. One day, smart vendors will change that,  but keyword search tools will remain in widespread use until then.

There is a day of reckoning - and for law firms, that day has come.

After many years of lax information security, clients are increasingly demanding that law firms undergo cyberaudits.

Hat tip to colleague Joan Bullock for reminding me of a Law Technology News story that I meant to blog about when it first came out.

As the story notes, Bank of America Merrill Lynch is auditing the cybersecurity policies at its outside law firms, partly under pressure from government regulators to do so. As one of its representatives observed, Bank of America is "one of the largest targets in the world" for cyberattacks, and law firms are "considered one of the biggest vectors that the hackers, or others, are going to go at to try to get to our information."

Regulators at the Office of the Comptroller of the Currency, which oversees BofA and other financial services companies, are reportedly focusing on law firms and demanding cybersecurity audits, focusing on technology as well as policies and practices. Beyond audits, they also want penetration testing. And forget law firms doing their own auditing - clients want independent audits.

While large law firms are grappling with this more than small law firms which tend to have smaller clients, it is certain to filter down as clients become more concerned about the security of their data.

It was a great personal honor to be sworn in by Virginia's Chief Justice Cynthia Kinser as the President of the Virginia State Bar on June 14th. To use a now-antiquated phrase, it was a Kodak moment - the first time in Virginia that a woman Chief Justice has sworn in a woman President. How nice that it happened during the Bar's 75th anniversary. We've come a long way baby!

I guess it is time this morning to roll up my sleeves and get to work. I am both honored and humbled. Thanks to all who traveled to Virginia Beach to see me sworn in - boy oh boy, that's a night I'll never forget.

Many of my readers have seen news of my induction and sent me gracious and supportive notes - thanks to all of you and I hope I can live up to your many kind words!

Seriously? You can't pay $150 a month in child support for your three-year old child (for three years!), but you can flash cash in a Facebook photo?

Christopher Robinson may be rethinking his Facebook posts which showed him flush with cash.They helped the Milwaukee County District Attorney's office charge him with failure to pay child support. As you might imagine, the images were sufficient to allow the district attorney's office to obtain a search warrant to investigate further, resulting in access to Robinson's Facebook profile.

Robinson, quite the model of parental concern, was served with an arrest warrant in February and failed to appear in court. If found guilty on all three counts, he could serve up to nearly 11 years in prison.

"Think before you post" should have special meaning to some people.

 

The New York Times reported that the American Civil Liberties Union sued the Obama administration yesterday over its “dragnet” collection of logs of domestic phone calls, alleging that the program is illegal and asking a judge to order the collection stopped and records purged. It seems likely to me that this case will wend its way to the Supreme Court.

The complaint alleges that the program “gives the government a comprehensive record of our associations and public movements, revealing a wealth of detail about our familial, political, professional, religious and intimate associations,” adding that it “is likely to have a chilling effect on whistle-blowers and others who would otherwise contact” the ACLU for legal assistance.

In previous lawsuits that bear some similarity, the government has successfully argued that the courts should dismiss the suits without ruling on the merits because the litigation would reveal state secrets or that plaintiffs could not prove they were personally affected and thus lacked standing.

But this is a horse of a different color. For one thing, the government has now declassified the existence of the program. And the ACLU is a Verizon customer, Verizon having received a secret court order for all domestic calling records - that is said to provide standing.

The call logging program keeps a record of “metadata” from domestic phone calls, including which numbers were dialed and received, from which location, and the time and duration.      

Even one of the authors of the Patriot Act, Representative F. James Sensenbrenner Jr. has said, "I authored the Patriot Act, and this is an abuse of that law.”      

Over the weekend, James R. Clapper Jr., the director of national intelligence, said that officials may access the database only if they can meet a legal justification — “reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization.” Queries are audited under the oversight of the national security court. The government's argument is that people’s privacy is not invaded by having their records collected, but only when a human examines them.

I don't buy it. We can no longer pick up a phone without a record of that call accessible to the federal government. Moreover, as the article points out, history has shown that new government powers granted for one purpose often end up applied to others. Treacherous waters for the Fourth Amendment - I hope the courts will act to revive our rights under that Amendment.