As more companies move their data to the cloud, the question of data sovereignty is becoming a hotter topic. Data sovereignty is the requirement that digital data is subject to the laws of the country in which it is collected or processed. Many countries have requirements that data collected in a particular country must stay in that country. They argue that it’s in the government’s interest to protect its citizens’ personal information against any misuse.
The Right to be Forgotten Versus The Need to Backup
A great deal has been written about the GDPR and CCPA privacy laws, both of which include a “right to be forgotten.” The right to be forgotten is an idea that was put into practice in the European Union (EU) in May 2018 with the General Data Privacy Regulation (GDPR).
Emails considered “abandoned” if older than 180 days
The Electronic Communications Privacy Act – Part 1
It turns out that those 30 day email retention policies I have been putting down for years may… actually be the best policy.
This may not be a surprise to some of you but the government can access your emails without a warrant by simply providing a statement (or subpoena) that the emails in question are relevant to an on-going federal case – criminal or civil.
This disturbing fact is legally justified through the misnamed Electronic Communications Privacy Act of 1986 otherwise known as 18 U.S.C. § 2510-22.
There are some stipulations to the government gaining access to your email:
- The email must be stored on a server, or remote storage (not an individual’s computer). This obviously targets Gmail, Outlook.com, Yahoo mail and others, but what about corporate email administered by third parties, what about Outlook Web Access, remote workers that VPN into their corporate email servers, PSTs saved on cloud storage…
- The emails must have already been opened. Does Outlook auto-preview affect the state of “being read”?
- The emails must be over 180 days old if unopened.
The ECPA (remember it was written in 1986) starts with the premise that any email (electronic communication) stored on a server longer than 180 days had to be junk email and abandoned. In addition, the assumption is that if you opened an email and left it on a “third-party” server for storage, you were giving that “third party” access to your mail and giving up any privacy interest you had, which in reality is happening with several well-known email cloud providers (terms and conditions). In 1986 the expectation was that you would download your emails to your local computer and then either delete them or print out a hard copy for record keeping. So the rules put in place in 1986 made sense: unopened email less than 180 days old was still in transit and could be secured by the authorities only with a warrant (see below); opened email or mail stored for longer than 180 days was considered non-private or abandoned, so the government could access it with a subpoena (an administrative request), in effect simply by asking for it.
Warrant versus Subpoena: (from Surveillance Self-Defense Web Site)
To get a warrant, investigators must go to a neutral and detached magistrate and swear to facts demonstrating that they have probable cause to conduct the search or seizure. There is probable cause to search when a truthful affidavit establishes that evidence of a crime will probably be found in the particular place to be searched. Police suspicions or hunches aren’t enough — probable cause must be based on actual facts that would lead a reasonable person to believe that the police will find evidence of a crime.
In addition to satisfying the Fourth Amendment’s probable cause requirement, search warrants must satisfy the particularity requirement. This means that in order to get a search warrant, the police have to give the judge details about where they are going to search and what kind of evidence they are searching for. If the judge issues the search warrant, it will only authorize the police to search those particular places for those particular things.
Subpoenas are issued under a much lower standard than the probable cause standard used for search warrants. A subpoena can be used so long as there is any reasonable possibility that the materials or testimony sought will produce information relevant to the general subject of the investigation.
Subpoenas can be issued in civil or criminal cases and on behalf of government prosecutors or private litigants; often, subpoenas are merely signed by a government employee, a court clerk, or even a private attorney. In contrast, only the government can get a search warrant.
With all of the news stories about Edward Snowden and the NSA over the last year, this revelation brings up many questions for those of us in the eDiscovery, email archiving and cloud storage businesses.
In future blogs I will discuss these questions and others, such as how this affects “abandoned” email archives.
Next Generation Technologies Reduce FOIA Bottlenecks
Federal agencies are under more scrutiny to resolve issues with responding to Freedom of Information Act (FOIA) requests.
The Freedom of Information Act provides for the full disclosure of agency records and information to the public unless that information is exempted under clearly delineated statutory language. In conjunction with FOIA, the Privacy Act serves to safeguard public interest in informational privacy by delineating the duties and responsibilities of federal agencies that collect, store, and disseminate personal information about individuals. The procedures established ensure that the Department of Homeland Security fully satisfies its responsibility to the public to disclose departmental information while simultaneously safeguarding individual privacy.
In February of this year, the House Oversight and Government Reform Committee opened a congressional review of executive branch compliance with the Freedom of Information Act.
The committee sent a six-page letter to the Director of Information Policy at the Department of Justice (DOJ), Melanie Ann Pustay. In the letter, the committee questions why, based on a December 2012 survey, 62 of 99 government agencies have not updated their FOIA regulations and processes, as was required by Attorney General Eric Holder in a 2009 memorandum. In fact, the Attorney General’s own agency has not updated its regulations and processes since 2003.
The committee also pointed out that there are 83,000 FOIA requests still outstanding as of the writing of the letter.
In fairness to the federal agencies, responding to a FOIA request can be time-consuming and expensive if technology and processes are not keeping up with increasing demands. Electronic content can be anywhere, including email systems, SharePoint servers, file systems, and individual workstations. Because content is spread around and not usually centrally indexed, enterprise-wide searches for content do not turn up all potentially responsive content. This means a much more manual, time-consuming process is used to find relevant content.
There must be a better way…
New technology can address the collection problem of searching for relevant content across the many storage locations where electronically stored information (ESI) can reside. For example, an enterprise-wide search capability with “connectors” into every data repository (email, SharePoint, file systems, ECM systems, records management systems) allows all content to be centrally indexed so that an enterprise-wide keyword search will find all instances of content with those keywords present. A more powerful capability to look for is the ability to search on concepts, a far more accurate way to search for specific content. Searching for conceptually comparable content can speed up the collection process and drastically reduce the number of false positives in the results set while finding many more of the keyword-deficient but conceptually responsive records. In conjunction with concept search, automated classification/categorization of data can reduce search time and raise accuracy.
The largest cost in responding to a FOIA request is in the review of all potentially relevant ESI found during collection. Another technology, currently used by attorneys for eDiscovery, that can drastically reduce the problem of having to review thousands, hundreds of thousands or millions of documents for relevancy and privacy is Predictive Coding.
Predictive Coding is the process of applying machine learning and iterative supervised learning technology to automate document coding and prioritize review. This functionality dramatically expedites the actual review process while dramatically improving accuracy and reducing the risk of missing key documents. According to a RAND Institute for Civil Justice report published in 2012, document review cost savings of 80% can be expected using Predictive Coding technology.
With the increasing number of FOIA requests swamping agencies, agencies are hard pressed to catch up to their backlogs. The next generation technologies mentioned above can help agencies reduce their FOIA related costs while decreasing their response time.
EPIC Asks FTC to Investigate Facebook’s “Timeline”
Last year I wrote two blogs, titled “Spoliation of the Facebook Timeline” and “Frictionless eDiscovery; social media addicts beware…”, which discussed the potential privacy problems with the new Facebook Timeline feature. Yesterday The ESI Ninja Blog posted an entry about further developments around privacy and the Timeline feature. The content below is from that blog:
EPIC Asks FTC to Investigate Facebook’s “Timeline”
Posted on January 10, 2012 at 6:44 pm by John M. Horan
When Mark Zuckerberg unveiled Facebook’s new Timeline feature at the company’s Sept. 22, 2011 f8 developer conference, he described it as “The story of your life . . . . All the stuff from your life.” According to a Sept. 22, 2011 Facebook Blog post,
The way your profile works today, 99% of the stories you share vanish. The only way to find the posts that matter is to click “Older Posts” at the bottom of the page. Again. And again.
. . .
With timeline [sic], now you have a home for all the great stories you’ve already shared. They don’t just vanish as you add new stuff.
The Timeline announcement came toward the end of an investigation by the Federal Trade Commission into Facebook’s privacy practices, culminating in the Commission’s Nov. 29, 2011 announcement that Facebook had agreed to settle FTC charges “that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” In general outline, the FTC said, the proposed settlement
bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
Three days before the Dec. 30, 2011 close of the 30-day comment period on the proposed settlement, privacy rights organization Electronic Privacy Information Center (EPIC) urged the FTC to investigate whether Facebook’s new Timeline feature complies with the terms of the proposed settlement. Echoing some of the concerns it raised in a Sept. 29, 2011 letter to the FTC regarding “frictionless sharing,” EPIC’s Dec. 27, 2011 letter to the FTC asked the Commission to: <the rest of the blog entry can be viewed here>
Spoliation of the Facebook Timeline
In a previous posting, I described the new feature in Facebook called “frictionless sharing”, a Facebook feature that will make sharing even easier by automatically sharing what you’re doing on a growing community of Facebook-connected apps. Potentially everything you do on the web could be shared on a timeline with your “friends” and any others (like attorneys) that get access to your page based, for example, on a Judge’s order for discoverable information.
The USA Today Tech section published an article titled “Facebook Timeline a new privacy test” a couple of days ago that got me thinking. From the USA Today article:
Up until now, Facebook accounts have focused on the most recent posts. With the new profile format, the most recent Facebook activities will be at the top. But as users go back in time, Timeline will summarize past posts — emphasizing the photos and status updates with the most “likes” or comments.
“A lot of people just don’t realize how much information they’ve shared in the past.”
This new timeline feature, which takes much of what you have done on the internet and neatly organizes it into a timeline, is a perfect target for eDiscovery. This brings up two questions: can you edit or hide items on your timeline, and can you permanently delete data from your Facebook timeline? These two questions also highlight another question: if you edit your Facebook account and/or remove something from your timeline, could that be considered spoliation in a legal proceeding?
Before I address the spoliation issue, let me address the first two questions.
1. Can you edit or hide items on your timeline? The answer is yes you can. From the Facebook help center:
How do I remove a story from my timeline?
You get to decide which stories appear on your timeline. Hover over a story on your timeline to see your options:
- (Feature on Timeline): This allows you to highlight the stories you think are important. When you star a story, the story expands to widescreen. Starred stories are also always visible on your timeline.
- (Edit): This gives you the option to:
  - Hide from Timeline: This removes stories from your timeline. Note that these stories will still show up in your activity log, which only you can see. They also may appear in your friends’ News Feeds.
  - Depending on the type of story (ex: status update, check-in, tagged photo), you may also have the option to:
    - Change the date of a story (ex: for an old photo, you can enter the date the photo was taken so it shows up in the right place on your timeline)
    - Delete a post (that you posted)
    - Report a post or mark it as spam (that someone else posted)
You’ll notice there isn’t a “delete” capability in the edit function.
2. Can you permanently delete timeline data from your Facebook account? As far as I can tell you can. In Facebook there is a feature called the “activity log” that is a record of all of your activity on Facebook. From the Facebook help center:
The activity log is a record of all of your activity on Facebook. So if you hide a story from your timeline, this story will still appear in your activity log. Your activity log is only visible to you. However, all of the stories in your activity log are eligible to appear on your timeline (unless you hide them from your timeline) or in your friends’ News Feeds.
The stories in your activity log are organized by the date they happened on Facebook. You can access your activity log by clicking the View Activity button on your timeline.
From the activity log you can:
- Scroll through a history of all of your activity on Facebook
- View and approve your pending posts
- Filter the type of activity you see (ex: see all of your status updates or all of the links you’ve shared)
- Choose which stories are featured on your timeline
You can also click the button to the right of each story. Depending on the story type (ex: status update, photo, app story), you may have the option to:
- See the audience you shared
- Delete posts
- Report a post or mark it as spam
- Change the date of a story
- Remove an app from your account
So you can potentially delete items from your timeline… This brings up my question on spoliation of the Facebook timeline: what, if anything, do organizations have to do to safeguard against alteration of the organization’s or employees’ personal Facebook timelines if pending litigation is foreseeable?
Obviously the Facebook timeline is potentially discoverable depending on the circumstances of the case. Organizations need to include the Facebook timeline in their litigation hold/eDiscovery process and to inform impacted employees of their responsibilities to protect potentially responsive information from within all of their personal accounts that could hold relevant ESI including the Facebook timeline data.
As a side note, it’s always a good practice to regularly remind employees not to mix business ESI with their personal accounts.
The Four Factor Test for Employee Expectation of Privacy
On May 23, in SEC v. Reserve Management Co. Inc., the U.S. District Court for the Southern District of New York ruled that an employee does not have a reasonable expectation of privacy with respect to communications with a spouse through an employer’s email system. In reaching its decision, the court used the four-part test from In re Asia Global Crossing Ltd to determine if the employee had a reasonable expectation of privacy. A key point in this analysis was the presence and actual notice to employees of an email policy that both forbade personal communications and warned employees of possible disclosure of company-controlled email communications. A write-up of this outcome from the National Law Review can be viewed here.
Several cases have afforded protection to employees who may reasonably have expected privacy when using company IT systems. In Asia Global Crossing, the court set forth a four-factor test to assess the reasonableness of an employee’s privacy expectation in personal email transmitted through a corporate email system. The Asia Global Crossing test is composed of four basic questions:
- Does the company maintain a policy banning personal content or other objectionable use?
- Does the company monitor the use of the employee’s computer or email?
- Do third parties have a right of access to the computer or emails?
- Did the company notify the employee, or was the employee aware, of the use and monitoring policies?
If all four questions can be answered in the affirmative, then the employee should have no expectation of privacy.
This four factor test has been adopted by a number of courts faced with the task of determining the reasonableness of privacy expectations. As the Reserve Management court pointed out, “the cases in this area tend to be highly fact-specific and the outcomes are largely determined by the particular policy language adopted by the employer.”
Further questions that should be considered when putting one of these policies together:
- Does the company maintain a policy banning personal content or other objectionable use?
  - Is the policy written down?
  - How often is it updated?
  - Was the policy communicated to employees?
  - How was it communicated?
  - Can employees find it if they want to?
  - Was the policy reviewed by legal staff?
- Does the company monitor the use of the employee’s computer or email?
  - Did the company explain to the employees that the company and other legal entities have a right to access and review employee email?
  - How was this communicated?
- Do third parties have a right of access to the computer or emails?
  - Was this explained to all employees?
  - How was it communicated to the employees?
- Did the company notify the employee, or was the employee aware, of the use and monitoring policies?
  - How did the company notify the employees?
  - Does the company audit the policy?
  - Does the company enforce the policy?
Some of the added question detail above highlights intent. Is the company’s intention to not allow personal communications from their employees (usually not) or is the intent to educate the employees as to their lack of privacy if they choose to utilize the corporate email system for personal use?
This review serves to remind organizations of the importance of creating well-thought-out “use policies” and training employees on them. A well-thought-out and comprehensive use policy that employees are not aware of is, in reality, not a policy. Lastly, when creating and adopting these use policies, it is always a good practice to get acknowledgements from all employees as to their understanding of the use policy.
2011 Seems to be the Year of On-Line Privacy Laws…Finally
One day after an internet privacy bill was introduced in the Senate, one was introduced in the House. The Senate bill, called the Commercial Privacy Bill of Rights and introduced by Sens. John F. Kerry and John McCain, includes measures to address consumer concerns that their sensitive data could be misused. The Senate bill does not, however, include the “Do Not Track” provision asked for by many. The unrestrained collection and sale of our data and on-line habits to retailers and others have raised wide concern.
The House bill, referred to as “the Consumer Privacy Protection Act of 2011”, was introduced by U.S. Rep. Cliff Stearns. The Stearns bill would require web sites to clearly state what personally identifiable information is being collected and how it is used. If a consumer opts out from having his information collected, the opt-out will last for five years unless the consumer changes his mind before then.
“The Consumer Privacy Protection Act of 2011” bill joins another House bill introduced in February by Congresswoman Jackie Speier, Democrat from California, that also targets privacy issues. Speier’s “Do Not Track Me Online Act of 2011” directs the FTC to develop a “do not track” mechanism that allows consumers to opt out of having their data collected, used or sold. The California State Legislature also is considering a bill at the state level that would give consumers more control over how their online behavior is tracked and shared with marketers and retailers.
What do these potential laws mean to consumers? Well, if one or more of them are finally passed into law, your electronic footprints, habits and on-line purchasing information will not be sold to organizations that you don’t know and don’t approve of. These types of laws need to be passed into law so the average consumer is not afraid to utilize all aspects and capabilities of our electronic frontier.
French Email Privacy Restrictions Not Always FRCP Obstruction
The two blog entries below point out some slightly different views of an interesting case about employee email privacy decided in France on Dec 15, 2009. The case was: Bruno B. vs. Giraud et Migot, Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264
From the Hogan & Hartson blog: The French high labor court (the Cour de Cassation Chambre Sociale) may have provided some grounds for arguing that a party in France can review a French employee’s e-mails and electronically stored information to determine whether the data is relevant to a U.S. litigation, without the employee’s knowledge or presence. This is a significant development in the perennial tension between EU privacy law and U.S. discovery principles.
French employee privacy protection policies usually block U.S. FRCP eDiscovery requests that request French employee email for a case in the United States. This case, on the face of it, seemed to set a precedent, with the ruling saying the employer could review French employee email and ESI without the employee’s knowledge.
From the e-Disclosure Information Project Blog: There is no doubt, however, that many will use it as a reason to ignore everything they have heard about EU privacy. The case may well have implications for US litigants, but I do not think that a single Labour Court case in which an employee neglected to mark private e-mails as such will open the floodgates to FRCP discovery. Its most likely consequence, I suspect, is that all French employees will start marking the e-mails “Private”, making it harder rather than easier to discriminate between those which are and those which are not genuinely private.
The bottom line for this case was this: the French employee’s email and ESI were searchable and reviewable without the employee’s approval or knowledge because the documents had not been marked as “Private” by the employee. My guess is that French employee committees will quickly instruct French employees on the proper marking of all emails and ESI as “Private”.