Tek4n6 Blog

A Minnow Swims In The Giant Legal Tech Sea

2012-02-13T06:10:00.000-08:00

Trade show is awesome, just not geared toward small firms

Editor’s Note: Earlier this month, ALM, the parent company of the Law Tribune, presented its annual LegalTech expo in New York City. Attorney Monique Ferraro, manager of Technology Forensics LLC in Waterbury, offered to attend the event and report on it from the perspective of someone running a small law firm.

By MONIQUE M. FERRARO

The pocket protector Star Trekky side of me secretly hoped LegalTech would be a gathering of my people. So, when I walked in and spotted a guy who was dressed head to toe in an outfit that looked like he just emerged straight out of The Matrix, I was psyched.

Wrong room. Drats.

Pointed in the right direction, I entered the exhibit hall where the blue suits and armies of similarly clad “teams” clamored. Two entire floors of the New York Hilton on 6th Avenue were filled with more than 200 vendors. Without question, this event was both impressive and over-stimulating.

Legal Tech is Gotham’s annual gargantuan gathering of geeks, lawyers and their support staff. It is daunting to take on the whole two floors of exhibits, but my mission was to find software to track time and bring it into billing for a small firm. Trying to find a turn-key solution has proven frustrating so far, and demos eat up our time and resources.

We’ve narrowed down the search to a few products, but I figured that if there was a place in the world that would have what I was looking for, Legal Tech would be it. So, with empty brief case ready to receive

my SWAG (Stuff We All Get), I went in search of software. It was good to have a focus, because one could easily spend days roaming from vendor to vendor learning about the different products they offer.

It didn’t take long to fill the SWAG bag —stress ball, computer mug, a bazillion pens, a light-up ball for my dog, a Nerf thing for my son. A lot of the vendors gave away iPads. It seemed to me that the attendees probably used iPads as coasters. If the vendors wanted to impress the attendees, they should have given away helicopters. That might have made an impression.

Lots Of E-Discovery

Unfortunately, I didn’t find many products for small firms. Maybe next year when I have more time and am more familiar with the layout I’ll find more technology for the little people. Just from eyeballing the vendors, it’s a pretty fair estimate that at least half or more of them were hawking e-discovery, information management or digital forensics.

There was a lot going on with e-discovery. The field seems to have taken on a life of its own with all sorts of confusing products and services provided that, upon my review, were either just fancy names for something that’s been done for a long time or something that really shouldn’t be done by software vendors.

For instance, “early case assessment” is simply the act of taking stock of the information technology resources a party has in hand prior to producing materials for electronic discovery in a particular case. One would think that every company with general counsel would have a good idea of the electronically stored data it possesses prior to litigation. Maybe I expect too much, but it seems to me that given a particular case “early case assessment” shouldn’t require a roomful of blue suits.

“Predictive coding” is a technology patented by Recommind that purportedly automates the review process and cuts costs by 45 percent to 70 percent. By all accounts, the other e-discovery vendors were peeved when Recommind obtained the patent. Document review is wildly expensive. If it works, it will be great. If it doesn’t work, how will the results be measured and how will we know? The parties and counsel who take the risk take a big risk.

Some of the e-discovery software seems promising. Some offer de-duplication — which reduces the number of duplicate documents. There are, of course, arguments for not de-duplicating. For one thing, it takes some important decisions out of the hands of the attorney that should probably remain with the litigator rather than the software engineer. Certainly, it’s a process that should be undertaken only after the attorney has all the information about e-discovery, the electronically stored information in the specific case, and how the specific software used for e-discovery in the specific case operates.

A very interesting group of products is offered by a Hartford company. TyMetrix offers corporate legal departments software that analyzes how well their outsourced firms are doing based on various performance measures. But general counsel aren’t the only beneficiaries. The company delivers metric software for law firms to track their productivity and compare themselves against competitors in the market.

Continuing legal education sessions echoed the vendor displays. There was a session on technology-assisted review in e-discovery, a session on international e-discovery … so many classes on e-discovery that a lawyer could immerse oneself in it and theoretically learn all the angles. Again, it seems from the material and various offerings to be very complicated. But e-discovery really isn’t.

For lawyers interested in technology other than e-discovery, there were some very interesting sessions on information management and productivity analytics. There were presentations on the effects of social media on trials and juries and quite a few sessions on cloud computing. Social media discovery was buzzing everywhere. There was a session on iPad apps for lawyers.

An emerging field that one of the sessions addressed was reputation management for law firms — upon researching that topic, I found that a subscription for reputation management can cost upwards of $15,000 to $20,000 a year.

Enlist An Army

Bottom line: LegalTech New York is stunning. For big law to hook up with big e-discovery, it was a perfect match. For mid-sized law to learn about its options for e-discovery, information management and other legal technology, it was awesome. For small law, it was an amazing display of technology, but not so helpful.

To take in all that Legal Tech has to offer, one would have to enlist an army whose members would attend various programs in addition to checking out the vendors. With my little narrow focus, I was a single, very small minnow seeking a teeny piece of algae in an ocean of sharks, piranha, and barracuda vying for the blue whales.

To get the most out of the event, check out the “virtual show” online this year at www.legaltechshow.com and, later on, see how you like the vendors that plan to participate next year. It is very inexpensive to attend the keynotes and exhibits. A full-day or full-event pass is expensive, so unless you work for a big firm or have money to burn, it’s prohibitive. However, there is excellent content that is worth the investment if you look through the itinerary ahead of time and plan your schedule for a day or two well in advance. If you team up with a colleague, you can share what you learn afterward.•

Reprinted from the Connecticut Law Tribune, Published Monday, February 13, 2012

I added the pictures.

Anonymous Update: Interception of FBI and Scotland Yard Communications

2012-02-04T06:52:00.000-08:00

Since I wrote the article on Anonymous for the Connecticut Law Tribune, the group has perpetrated perhaps its most audacious act yet. It intercepted a telephone conference between FBI officials and Scotland Yard and posted the contents online. The conference call topic was how to deal with specific suspected members of the group. See a rough transcript of the conversation here: RAW DATA Anonymous Transcript and an audio recording here: Anonymous Intercept FBI & Scotland Yard Call

Of course the issue isn’t the contents of the conversation between the law enforcement agencies. The ISSUE is that a telephone conference was intercepted by a rogue group of nerdy bad boyz and girlz. Coverage of the incident didn’t seem to be as extensive in the United States as it was in the United Kingdom. I can’t figure if it’s because the media in the US is too afraid to cover it or that they just don’t understand the enormity of this threat. It is huge.

As a technology matter, what they did wasn't a big deal. The conference call code was probably gained through monitoring someone's email via a Trojan or keylogger (just a guess) and then someone just called in and recorded the conversation.

Worse, and more likely, is that there's an internal security breach within the FBI and/or Scotland Yard that's sympathetic to the Anonymous cause. It doesn't have to be a law enforcement agent. Any disgruntled employee or ex-wife/husband will do. (Some very, very cynical folks say that law enforcement would never make any narcotics arrests if it weren't for women scorned by dealers and, of course, lucky patrol officers.) Actually intercepting a telephone or voice over IP call is much more difficult. That doesn't mean Anonymous operatives couldn't do that. They just didn't do that in this instance.

But don't let me minimize the magnitude of this event. No one has EVER done this. Intercepting law enforcement communications is a big deal. They’re supposed to be secure. It’s bad enough that the US Department of Justice website was taken down in January. Now the FBI has had its live communications intercepted. What does that mean?

It means that our government basically sucks at security and Anonymous is exploiting that fact. For all of their puffed up blow-hardery (I made that word up. . . do you like it?), the feds have got nothing. That’s the point. That’s what Anonymous is doing. They’re hacking the feds and laughing their asses off. They’re posting their exploits to show that not only did they do it, but they spanked the feds hard.

Unfortunately, the knee-jerk reaction of the feds will be to spend more money and expend more resources tracking down the impossible. As an example, CNN reported that the feds are getting more secure phones. They’ll want to ‘bring the Anonymous threat to justice.’ And, predictably, they will fail and Anonymous will respond with more and more outrageous exploits that will make the DOJ and Homeland Security look like absolute dopes. So, how best to deal with it?

My two cents? Partner with them. Ask their advice. Give them some sort of clemency under a shroud of privacy. Hitting this threat head on is only going to escalate it. And, the more it’s escalated, the better Anonymous looks and the worse the US government and all the collateral governments, corporations and institutions look.

No. I know what you’re thinking. This is definitely not the same thing as negotiating with terrorists. The reason is that terrorists are looking to break us down and replace the government with something else. Anonymous has a completely different motivation. Find the common interests and work from there. They like the Bill of Rights, the government (is supposed to) likes the Bill of Rights. You get the picture.

Hacktivists: Robin Hoods Of The New Millenia

2012-02-04T06:11:00.000-08:00

As with most criminal activity, the government is basically impotent against cyber crime. As more people log on, there is more crime. The more applications and sophisticated the technologies, the more adept the offenders become at using them to facilitate their criminal acts or avoid detection.

We saw this played out last month when the group Anonymous took down the U.S. Department of Justice, Warner Music and the Recording Industry Association of America web sites on Jan. 19. The hacks were in retaliation for the shutdown of Megaupload, an Internet site used to facilitate sharing large files, such as movies and large caches of music. The owner of the site and three others were arrested. Several million dollars in assets were seized. The Justice Department alleges that Megaupload’s primary use was to unlawfully traffic copyrighted material.

The takedown of the DOJ and RIAA sites are the most recent in a slew of exploits Anonymous claims responsibility for. Should you be concerned? Hell yes. First, let’s talk about who Anonymous is. Second, let’s talk about what that means for us lawyers and, most importantly, how that might impact us in our pockets short and long term. Finally, I offer an observation on the future of Anonymous and our information and communications technology.

Barely known a year ago, Anonymous has emerged as a powerful hacktivist group. (Hacktivists are computer network hackers who claim that their cyber crimes are motivated by political activism.) The group uses the Guy Fawkes mask as its symbol. Probably the most notorious traitor in English history, Fawkes led the Gunpowder Plot of 1605 in England. The goal of the plot was to blow up the Houses of Parliament. Although nowhere near successful, the conspirators actually got gunpowder close to Parliament. Fawkes was arrested after one of his co-conspirators sent a note alerting one of the Lords. Fawkes was subsequently tortured and executed, but he maintained his anonymity for several months under questioning. The English celebrate Bonfire Night each year to commemorate his capture and the safety of the queen. Fawkes’ effigy is burned on the fires, and the mask has become his symbol. Today, the mask is an emblem of anonymity and audacious challenge to the government.

Facilitating Uprisings
It isn’t so much that Anonymous hackers don't like the government and big business. They don’t. It’s more that their allure is that they come off looking like the Robin Hoods of the new millennium. In a very short span of time, they have amassed an enormous following and garnered the support and respect of many. Anonymous was instrumental in facilitating the uprising in Tunisia and has been central to the Arab Spring. They have been very active in the Occupy Wall Street movement, referring to themselves as, “the 99%.”

Their overarching message in blogs, on YouTube videos and in media releases is that they advocate for truth, freedom, freedom of speech on the Internet, the right of the people to protest and assemble and to right wrongs. Who can argue with that?

They have no leadership, but there are many supporters and obviously participants in the collective have signifcant technical skill sets and knowledge. Their targets have ranged from the government of Tunisia to NATO. They claim responsibility for taking down Sony PlayStation service, the CIA web site and the San Fransisco Bay Area Rapid Transit system web site. In December of 2011, Anonymous hacked Straffor — a company in the business of information security and intelligence — and used client credit card information to make donations to charitable organizations.

After the technology security company HBGary claimed to have infiltrated Anonymous, the group retaliated by shutting down the company’s phone system, hacking its web site, and publishing e-mails and other documents taken from their servers. Other victims of Anonymous attacks include the CIA, Facebook and a rapidly growing list of governments, academic institutions and corporations.

Lost Confidence
Why should we care? Well, as with terrorist attacks, when institutions we trust are compromised, that threatens our security. Our economy still hasn’t recovered from the Sept. 11 attacks. Consider the travel industry. Airlines are forever changed. Our confidence is still shaken. The hacking and security compromises of government, academic and corporate information and communications technology by Anonymous have similar ramifications.
Although it is doubtful anyone will be dissuaded from making purchases online, I don’t think anyone who knows about the incidents has the same confidence that the Justice Department web site is secure or that the RIAA is safe from attack.

It doesn’t take much. That’s the theory and success behind terrorism and hacktivism.

One success reverberates to create a great sense of threat. That’s why we spent so much money on homeland security. That’s why we spent so much money on two wars. If you boil the impetus down behind all the billions of dollars spent on the security and all the billions lost in revenue by our economy, it all goes back to the events of 9/11 and the hijackers.

“Do you want to see Anonymous rise up? Try to shut down the message.” OK, we get the message that the group doesn’t want Internet censorship or oppression. But how does that jibe with law enforcement’s struggle to beat back the rising tide of cyber-wrongs — serious injustices such as online child exploitation, violent crimes, human trafficking, theft, fraud, and intellectual property infringement? If Anonymous really is the Robin Hood of the new millennium, right those wrongs for us.

Anonymous has hacked many child pornography sites and taken down large criminal enterprises in the past. If its members would concentrate more on righting those wrongs — maybe by developing technology to identify and obliterate images that depict child sex abuse or that infringe on intellectual property rights — that would free up a lot of law enforcement resources. It would also reduce our tax burden substantially. It may relieve me of a great deal of my workload, but it would be a reduction I’d be happy to take.

Reprinted from the Connecticut Law Tribune February 6, 2012

Oxymorons: Google Privacy v Microsoft Uber Alles

2012-02-03T07:05:00.000-08:00

People seem to be up in arms about Google’s new privacy policy.They’ve taken all their sixty something policies and now they have one. That’s how they’re selling it to customers. But critics are paranoid that the new policy heralds the dawn of Google Big Brother tracking us from our Gmail to our Google searches to our phones to our iPads. Woopee. As if that’s a revelation.

What the critics are griping about is the potential for Google to use targeted marketing across its many platforms. Google may amass our searches and send ads to our smartphone or to our gmail banner. Most of us won’t notice.

There have been calls for Congress to ‘do something.’ Um, like what? I hesitate to show my impatience, but, do folks realize that Google is actually a corporation that is out to make money and not a government entity? If you want to dictate Google policy, buy stock and get on the Board of Directors. OR, maybe you can just use . . . the. . . other Google. Hmmmm.

To that end, Microsoft has pitched its own bitch. The corporation launched a print ad campaign decrying the Google privacy policy, implying that we no longer have any protection from the prying eyes of the leering corporation and its minions. Sour grapes. Microsoft wishes it was Google. And, it wishes it could come up with both a single policy to govern all of its many concerns and track all of us as effectively and profitably as Google uber alles.

Anonymous Struck USDOJ.gov HARD

2012-01-19T18:02:00.000-08:00

Hey- Remember how I said that Anonymous was taking us to school? Well, it looks like they're taking the feds to school, too. As I write this, the United States Department of Justice website is down. Down. That is unacceptable, folks. It was bad enough that NATO and the CIA sites were hacked, but they didn't learn from that? How could the DOJ allow their site to be compromised? That is a failure of our government in a big way. How will we recover our confidence in Internet security if the GOVERNMENT isn't secure?

(Note- The picture above is a screenshot of the usdoj.gov website taken at about 9 pm eastern time on 1/19/2012)

Zappos and Other Hacks

2012-01-17T07:55:00.000-08:00

Zappos was one of several online vendors hacked this week. The company claims that only personal information, like names and addresses of its 24 million customers were accessed, but not credit card data. Right.

6pm, another online retailer that happens to have my account information was also hacked and claims that ‘only’ the personally identifying information, like names, addresses, last four digits of the credit cards and passwords of its customers. The company assured us that our credit card information had not been accessed.

Well woop-de-do. . . Individuals don’t seem to care much about their data or where it’s stored or whether it is compromised. After all, they’re on all sorts of mailing lists and they get spammed from all directions, they’re called constantly- barraged by an endless stream of advertising. We rightly assume that the law protects us from credit card fraud and individual data breaches. The fact that our credit card information hasn’t been compromised really isn’t a big issue, is it. After all, our liability as individual consumers amounts to $50, and that’s usually waived by the credit card company in these situations. The real issue is much, much more serious.

While vendors are going around touting cloud computing, every day we hear of large scale hacks of e-commerce providers, government, cloud computing vendors and academia. What could Zappos or 6pm have done differently? How is it possible that the CIA and NATO and Straffor have been hacked?

The crux is that security is mostly a reactive endeavor. There’s only so much that can be done prophylactically. The grand plans that many security vendors market may sound sexy, but they will always be a step behind the conspiracies of the bad guys looking to breach your system and steal your data. That’s just the way law enforcement and security works. The best you can hope for is to have a good structure in place for responding to threats when they happen and a team that can assemble to both quash the security breach and anticipate future threats.

Anonymous Coverage on CNN and the History Behind the Mask

2012-01-16T07:16:00.000-08:00

If you missed the piece Saturday on Anonymous, CNN posted it online at:

Part 1 http://www.cnn.com/video/#/video/us/2012/01/15/lyon-anonymous-pt1.cnn

Part 2 http://www.cnn.com/video/#/video/us/2012/01/15/lyon-anonymous-pt2.cnn?iref=allsearch

You can order a Guy Fawkes mask from Amazon for as little as $4.00 (before shipping) here:

http://www.amazon.com/s/?ie=UTF8&keywords=guy+fawkes+masks&tag=googhydr-20&index=aps&hvadid=4308600137&ref=pd_sl_5yqqdt97qc_b

Guy Fawkes lived in the 1500's in England. He's famous for leading a group of rebels who tried to blow up the House of Lords. His plot was discovered when a coconspirator revealed it to a member of the House of Lords by allegedly sending a note saying to stay away on November 5. The country celebrates a holiday called 'Bonfire Night,' during which they set off fireworks and light bonfires. Manic The holiday is officially intended to celebrate the safety of the monarch. People make dummies to symbolize Guy Fawkes, and throw them on the fires.

The mask that has come to be associated with Guy Fawkes is the one adopted by Anonymous as the symbol of its group. The association between the Guy Fawkes mask and Anonymous is that Fawkes struck at government- he attempted to blow up the House of Lords. And, he maintained his anonymity. Of course, he did so unsuccessfully, but go with it. . . It's cool and it's symbolic and so far they're on a roll.

Great Way to Dump Your Child Porn

2012-01-10T16:54:00.000-08:00

As I procrastinated, avoiding more tedious assignments by watching the CES (and now by writing), I saw a commercial for a great new business that purchases your unwanted computing devices. Just send them the device and they send you money. You don’t even have to pay shipping. Of course, the thought occurred to me, “What a GREAT way to get rid of unwanted child pornography!”

Wait- haven't people been in trouble for destroying devices with child pornography on it before? Let’s just consider what these folks are doing in light of, say, the famous conviction of a Connecticut attorney for misprision of felony. His actual activity was that he destroyed a laptop that contained child pornography. How are the situations similar and different?

Well, the attorney in the case represented a church. An employee of the church was found to have child pornography on a church laptop, which the church brought to the attorney. The employee admitted the activity and was terminated. The attorney destroyed the laptop. The FBI initiated a criminal investigation against the employee one day prior to the destruction of the laptop, unknown to anyone outside of the FBI. Well, gee. The attorney didn’t know an investigation had been initiated, but that didn’t matter to the Department of Justice. They arrested the attorney under a couple provisions of the Sarbanes-Oxley Act of 2002 (aka SOX). SOX merely requires that a federal investigation be foreseeable. Since the attorney came to know that there was child pornography on the laptop, he should have known a federal investigation was foreseeable. Or so the reasoning goes.

SOX is a federal law that was originally intended to ensure corporate responsibility. (Not for nothing folks, but how’s it doing on that front- does criminal prosecution of an attorney for destroying a client’s laptop that contains child pornography improve corporate responsibility?) The attorney later plead guilty to misprision of felony and received a reduced sentence in return. Misprision of felony is an old common law crime which consists of knowing someone is committing a felony and concealing the fact- a small twist on conspiracy.

Anyway, the legal community in Connecticut and throughout the country at the time was outraged by the (mis) enforcement of SOX, because, they argued, what else could the attorney do given the situation? (The Justice Department position was that the attorney should have withdrawn and demanded that the church go to the police. While that position can be taken theoretically, it’s not very practical, nor does it square with the many hundreds of years of tradition and law regarding the relationship between attorney and client. )

We now come to the business that’s buying up used devices and destroying them and the difference between the Connecticut attorney and the business in question. Well, we could confine the analysis to SOX, but that wasn't what the attorney's conviction was for, was it? He was convicted of misprision of felony. Hell, anybody can get convicted of THAT. So, theoretically, any of the technician who hazards to come across a device with child pornography on it tempts the federal fates. Who knows what awaits them in the state or county jurisdiction in which they operate.

The customer service representative said that the technicians don’t look at the pictures, etc. Do we believe that? Um, I don’t know. What if they turn the devices on to see if they work. Let’s assume, for kicks, that they do. Do they look at the screen? What if the screen saver is a depiction of child sex abuse? It’s not as if that is far-fetched and has never happened before. Happens all the time. . . Ok, say the attorney has advised the business to turn the devices on but not to look at the screens so as to avoid potential liability under SOX. Do you see where I’m headed?

And why am I writing about this? Convoluted, complicated mess of esoteric nonsensical legal crap. Because it brings to light two things. 1- that law needs to be simple and precise, so as to avoid its misapplication. 2- child pornography is an area of criminal law that evokes visceral and often insane responses by even the most even tempered and rational people. I talk about this stuff because I think it’s important to think about. It’s essential for important people to involve themselves with it because innocent people get hurt- by people we label as the perpetrators and by the people we label as the good guys who sometimes ensnare the wrong bad guys. Because that happens, we need really smart people- a lot smarter than me- to figure out where we need to go with all of this. And, in order to figure out where we need to go, we need to start talking about it.

I also write about it because I like the mental exercise. It’s entertaining at least and keeps me off the streets at most.

Consumer Electronics Show and Anonymous on TV this Week- YAY!

2012-01-09T17:31:00.000-08:00

The CES is going to be covered on starting Tuesday afternoon on Spike.

And, although the CNN website sucks and the information is not posted there, it’s reported on the network that on Sunday Jan 14 at 8 p.m. there’s going to be a program on Anonymous.

They’re the hacking group that claims responsibility for the biggest exploits of 2011. Sure, I’ll admit that buying into media coverage of a hacking group like Anonymous is the same thing as sopping up the clap trap fed to us by terrorists. But, ignoring Anonymous is something we do at our peril, apparently. They’ve hacked the CIA and NATO and Straffor. Anonymous is really scary and important because they are, no kidding, smarter than we are in lots of ways. And, we’re doing a crappy job of protect ourselves against the threats they pose.

For one thing, they’re making pretty easy work of showing up our top flight security and intelligence resources- like NATO and Straffor and the CIA. You’d think those sources would be locked down pretty tight- you know, there’d be solid access controls, encryption, if the sites were compromised they wouldn’t be back up unless they were hack-proof. NOT. Although I definitely do not subscribe to feeding the beast, I do admit we’re being taken to school. I, for one, am going to be watching.

Research in Motion Pursues the "London" - Maybe Microsoft System will be the Winner?

2012-01-08T05:33:00.000-08:00

Blackberry- Ummmm. Toooo little. . . . Toooo late.

The screen is still too small and I haven't lost so many brain cells that I can't figure out that the keyboard is the same, lame keyboard in the same place it's always been. Thinner? Maybe. Is that enough? No.

On another note, there's an article in today's New York Times heralding the dawn on an awesome new Window s Phone operating system for smartphones to be unveiled at the International Consumer Electronics Show in Las Vegas tomorrow (which looks totally overstimulating, but probably something to check out at least online or in review).

Nokia is making the hardware. We should see what that will look like soon.

The Times describes the operating system as being tiled and alerting the user when contacts post to areas of interest. The article was silent on security and how the OS hooks up to existing infrastructure. Like I've said in prior posts, probably a good idea to take a 'wait and see' approach- I'm holding off on my next smartphone commitment until I am a bit more certain about the security and viability of the phone operating systems moving forward.

I’m Free! Wait- No, I’m Not. . . My Resolution to Unsubscribe from Spam

2012-01-05T08:41:00.000-08:00

New Year’s Day 2012, I spent an hour or more responding to the spam emails in my inbox by unsubscribing to the lists. It’s something I’ve wanted to do for a long time, but put off because I figured it was easier to just delete the email than it was to negotiate my way through the unsubscribe process. And, in the past, I’ve found it frustrating that I make valiant efforts to unsubscribe to email but I’m not actually unsubscribed. In following through on my resolution, I’ve found that not only do unsubscribe orders not work many times, but even worse- and this should make lawyers’ jaws drop in HORROR- many reputable companies who send out commercial email don’t provide the functionality on the email to unsubscribe. Or even the information necessary to unsubscribe. Not good, my friends. . . not good.

Yes, of course I’m documenting this nonsense. And yes, of course, I’m going to write nasty-grams to the companies and threaten CAN-SPAM lawsuits. Just a word to those companies who send out advertisements by mail and the lawyers who advise them- you have to provide information and an ability to unsubscribe from future emails. Consider it a heads-up before you get one of my nasty-grams.

The CAN-SPAM Act of 2003 is a federal law that provides for $15,000 penalties against businesses who send out commercial emails that do not meet its mandates. OUCH! That’s just the fines from the government (provided, of course, the government does anything about it). However, there are means of civil redress of grievances as well. Here’s some of what the Federal Trade Commission website has to say:

"Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.

Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.

Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible."

It’s January 5, 2012 and I have now invested at least five hours of my valuable time unsubscribing from email lists. Hundreds of different sources, from E-Bay to LL-Bean, webinar providers to law book sellers. I was receiving email from Major League Baseball under two different accounts. Victoria’s Secret. K-Mart. Walmart. Neiman Marcus. Zappos. Every conceivable e-commerce site that I’ve ever purchased so much as a stick of gum from sends me regular emails. Countless information security sites and news services pared down to only the very few legal and real news sources that I actually read. I’ve unsubscribed from them all (except for Kate Spade, which is absolutely essential).

Yet, after five days of dutifully deleting my name from lists, each time I check my email, there are more. Admittedly, I get a lot of email. But it wasn’t until I embarked on the unsubscribe venture that I became aware of just how much is crap. When I say hundreds of unsubscribes, I mean hundreds. Every time I go into my email there are at least five more emails lists to unsubscribe from- and that is whittled down substantially.

The good news is that when I open my email in the morning, there aren’t a hundred and fifty emails. There are like forty or fifty, and that’s not bad. I actually read those. I’ll let you know when I’m done unsubscribing. I’m figuring it will be sometime in March or April, but not counting on it. However, five hours in, it’s worth the effort to open my inbox and see that it’s pretty clean.

A New Blackberry Bold in 2012? I think not. . .

2012-01-04T16:29:00.000-08:00

Who watched New Year’s Rocking Eve and saw the ‘new’ Blackberry Bold for 2012 unveiled? Yawn. Same size screen. No new apps. Woo hoo- you can tweet. Yippee- you can facebook. Wait! It’s got a touch screen! Hey, my Palm Pre had a touch screen. Palm. . . Blackberry. . . same thing very soon. . .

Just as I was thinking I had been too hard on Research in Motion, they proved me right. There is nothing going on over there except for passing the hat for the next person jumping ship before they shut the lights off. The only thing left for them is who takes over their corporate services and who will take over the hardware. In the meantime, nobody in their right mind is buying BB for themselves. The problem is. . . what to go with now?

Security conscious folks- those in business who have intellectual property and trade secrets to protect, lawyers, doctors and other professionals who are required to protect privilged and confidential data and all of the support staff we rely on who communicate with us are stymied- where should we look for our next smart phone?

As Sharon Nelson reported on her blog, Ride the Lightning, recently, the Department of Defense has nixed the iPhone because Apple won’t give on security issues. The DoD chose to go with Android, but their choice is a bit perplexing and certainly leaves the question of where to turn for our next phone unresolved. The DoD only approved the Android 2.2 operating system, and at that, a stripped down version. The only phone it approved as ‘secure’ is the Dell Venue. Not the sexiest communication device on the market. Of course, phones are currently shipping with the 2.3 operating system. The security differences between the two are not completely known, but according to most sources, Android is the most hacked system out there.

Aside from security issues associated with the Android OS, there are ongoing challenges by Apple claiming that Google infringed upon its intellectual property , at least one of which has been successful. Others are pending. There is no doubt that the challenges will continue. The implications for actual users remains a wild card, but it is unlikely that either the iOS or the Andoid OS will become unavailable or unworkable in the near future.

Until then, what's a lawyer to do?

1) Well, in my experience, hacking phones isn't a big issue. The biggest problems with mobile devices are losing them. So, secure whatever device you have with a password. Other problems with smartphones have come from dropping it in coffee, my son taking it outside to play without my permission and leaving in the rain, dropping it in the toilet- an ugly, ugly event- and, unfortunately, but you guessed it. . . forgetting the password and wiping the phone. Which brings me to #2. . .

2) Back up your phone information. You don't have to do it every day, but do it regularly. There are few things more painful than losing all your contact information and all the emails you received on your phone but didn't sync up to your pc.

3) Do not. . . i repeat. . . DO NOT. . . sell or give away any device, most especially your smart phone that at any time contained privileged or confidential data. Engage the services of a professional to wipe and dispose of the device. I've told this story before, but it bears repeating because it's horrifying and true.

Once upon a time, a laywer who dropped her cell phone in the toilet turned to e-Bay to buy a new Blackberry Bold. This tack was partly taken for research purposes and partly because e-Bay offers the best deals on used, unlocked phones (by unlocked, I mean you can use the phone again). With purchase in hand and savings in the bank, the sly lawyer went about activating the phone. To her surprise (and admitted merriment), the former owner of the phone had not de-activated his email. Although he followed all the instructions provided by the communications carrier and Research in Motion for deleting his information and 'wiping' the phone, quite a bit of data remained, and continued to be transmitted to the phone.

This wouldn't have been much of an issue, I suppose, if the prior owner was a teenager looking to fund the next smartphone upgrade. This particular prior BB owner was, in fact, employed in the finance department of a major oil company. Major. And the new owner of the smartphone received all sorts of data about acquiring new companies, pricing and cost information and, oh, you get the idea. The phone even came with a couple of pictures of the prior owner's kids. Had the phone not fallen into the hands of a responsible lawyer, who knows what might have happened? However, this phenomena didn't occur once in isolation. It occurred again after another unfortunate incident involving some moisture and a smartphone and the self-same lawyer. This time, the prior owner was not nearly as interesting. However, personal identifying information is personal identifying information, and who needs for it to fall into the wrong hands?

4) Treat your media tablets and your laptops as you would your smartphone- password protect it.

Technology Forensics Principal, Monique Ferraro, Testifies in Important Litchfied CT Case

2011-06-15T09:39:00.000-07:00

Handling of evidence delays rulings on case for Litchfield man accused of shooting his wife

Published: Wednesday, June 15, 2011

By CHRIS RUELI

LITCHFIELD — In spite of a lengthy argument that ensued Tuesday regarding a motion for disclosure in Litchfield resident John Lavoie’s first-degree assault case, no decision was rendered.

Lavoie, 54, engaged police in a 10-hour standoff after allegedly shooting his wife in November 2009.
Lavoie was previously in custody for nearly two months after he barricaded himself inside his East Litchfield home on Nov. 24, 2009, following an alleged assault on his wife. Police said Lavoie used a loaded shotgun to shoot his wife in the leg. She was able to escape and drive herself to the hospital, but only after she successfully wrestled the shotgun away from Lavoie and escaped, documents detailed.

On Tuesday, attorney Rachel M. Baird, Lavoie’s defense counsel, requested exact duplicates of the computer hard drives that were seized by state police in order for the defense to create their own report during the hearing in Litchfield Superior Court.

Baird called Monique Ferraro, a digital forensics expert at Technology Forensics in Waterbury, to testify regarding the copies of the hard drive that have already been turned over by state police. Ferraro testified she needed the hash values from the computer, something equivalent to DNA or fingerprint identification, in order to determine if she received exact copies of the hard drives. (Click here for Register Citizen article.)

Research Needed on Peer to Peer

2011-06-08T10:28:00.000-07:00

I want to do some research on child pornography, but cannot because only law enforcement can possess it. Recently enacted federal and state statutes have made it so that if anyone other than law enforcement wants to access child pornography they have to do so at a government facility. This post does not address the nine hundred, ninety-nine thousand, nine hundred ninety-nine other reasons why these laws are really bad ideas and do not serve the cause of justice. Here, I’ll only address the issue of the need for research on child pornography and how these laws have limited it.

The situation is actually quite appalling. I have done no less than ten cases lately that follow this pattern. . . . an Internet Crimes Against Children Task Force undercover officer (or a federal agent) utilizes software modified to search for child pornography files on LimeWire and/or one of its cousins (using the hash value from a known value database). Once a hit is obtained, the undercover accesses the shared folder and searches it. Confirming that there is at least one image depicting sexually explicit activity of a minor, the undercover applies for a search warrant for the residence having a nexus to the IP address. The police seize a bunch of stuff, search the computers and find child pornography in the LimeWire directory. Because there are images in the shared folder, the defendant is charged with both possession and at least attempted distribution. At the state level, they’re charging the defendant with possession and attempted promoting (in Connecticut). Possession ranges, depending on how many images, from a class D to a class C felony. Promoting is a class B felony. At the federal level, the distribution charge can carry up to a life sentence and has a mandatory minimum. Now here’s what most concerns me that, in my opinion, should be addressed. . .

Almost every one of these defendants says that the child pornography came down with regular porn or music. I’ve discussed this with law enforcement folks and prosecutors and they blow it off, dismissing my concerns not only as without merit, but as if it were impossible that it were anything other than what they allege. However, I cannot find any empirical research to support either the law enforcement position or the defendants’ assertions. I’d like to find out the truth, though.

There is a dearth of research as to what types of files a user brings down when s/he searches peer to peer software and downloads adult porn, music or other files. Although search warrant and arrest warrant affidavit after affidavit cavalierly assert that the officer “knows” that child pornography was sought and downloaded knowingly by the suspect, is that really true? How do we know for sure?

Here is an example: A suspect unquestionably entered a search for pornography, and a search term was “young.” Ok, so, if that brought 100,000 images of child pornography, the person who received the child pornography would not be eligible to assert an affirmative defense (in a lot of jurisdictions that even have one) because the affirmative defense is limited to three images or so. Say the person searching for the pornography is an eighteen year old and doesn’t want to look at naked pictures of old ladies. I’m not throwing the example out there to be difficult. I’m just asking questions because I’ve seen this exact situation play out more than once. And, I’ve seen defendants spend a healthy portion of their adult lives in prison for it. I’m not taking a position either way. I’m just asking questions, that’s all. It’s an academic endeavor.

Although I’ve worked literally hundreds of child exploitation cases and I trust almost no one, never mind someone charged with a sex offense, I believe it is quite possible for child pornography in fairly large amounts to be downloaded unwittingly along with music and/or pornography from peer to peer software. It is technologically possible, and the search terms used are not sufficiently narrow in many cases to hone in on the child predators.

Of course, there ARE child predators who download child pornography using peer to peer programs and they do use specific terms to do so. Those search terms are not repeated here, although they are fairly widely available online. (This is not a “how-to” guide for searching for child pornography.) However, there is a rather big difference between a term used to gain child pornography and one used for a generic group that embraces a much larger set of images that include protected speech (for instance, compare the search term, “asparagus” which is a child pornography search term to “young” which is a generic term embracing both potential child pornography as well as images that depict pornography but are protected by the First Amendment.

We need the ability to conduct research to determine whether or not the defendants are telling the truth. For crying out loud, doesn’t it behoove us to at least look into the matter if we’re going to send people away for 25 years or even life? This brings us to the problem of limiting access to child pornography. The problem with doing any research into the area of child pornography possession or distribution is that it’s unlawful. Even thinking about doing anything empirical with the material sends shudders down my back and I imagine a SWAT team breaking down my door and being forced to eat some carpet. The only people who can lawfully possess child pornography are law enforcement. That means the defense can’t have it to make any meaningful examination of it in furtherance of one’s defense AND it means that no empirical study can be conducted. That also means that there is no way to determine, for sure, whether or not what law enforcement asserts about intent of the defendants when downloading from peer to peer networks is correct or not.

The prosecution has it not only both ways, they have it all ways. That doesn’t seem fair, and I doubt that was the real intent of the legislation. More likely, the legislators had a more benevolent intent and sought to protect the public. Instead, it’s possible the public is suffering harm because its members are being unfairly or incorrectly charged and convicted of crimes they had no knowledge they committed.

The peer to peer issue is only one area in which child pornography research is needed. We need to know much more about offenders and their proclivities, the size of their collections and the connection to whether or not they actually physically prey on children. These things need to be documented by real academics doing real research, not just law enforcement officers who make statements based on what their “brother officers” believe to be true, or believe they have probable cause to believe is true.

Child pornography and the field of child exploitation is an emotional issue for many, if not most of us. Police officers, therapists, lawyers and judges frequently display visceral reactions to the material. I’ve witnessed it. Is it possible to be objective about something so profoundly emotionally evocative?

Police officers testify as both investigators and as experts when it comes to Internet facilitated child exploitation and that should not be the case. Well, at the very least, there should be some clarity as to what official hat they are wearing when they testify. They should either be the investigating officer or the expert. If acting as the investigating officer, then testify as to the investigation. If the expert, there is a duty to be objective and to testify as to what is known to be factual- not just what the officer ‘feels’ to be true or has heard from other officers.

There are myriad reasons for the dual investigator/digital expert role. The Internet Crimes Against Children Task Force funding program administered by the Office of Juvenile Justice and Juvenile Delinquency Programs has fostered it and the federal law enforcement agencies have fueled the practice. Police officers have been trained to both investigate online child exploitation and conduct digital forensic examinations. Because they play a dual role of investigator and forensic expert, great deference to their assertions has been given. This is true at just about every level of the system, and in all systems- municipal, county, state, federal. There is yet to be, after more than ten years of the ICAC program, a legitimate separation of the forensic science examination from the investigative component with regard to online child exploitation cases.

Nothing good can come of this arrangement over the long term. While born of necessity when the program first began, a separation of the scientific and investigative components is long overdue. Because so much deference is given to the police officer/digital evidence expert, the officer can get away with saying just about anything. So, when a police officer asserts that there was knowledge on the part of the defendant when files were downloaded to a computer, the statement is rarely, if ever, questioned. Take the officer’s testimony and add to it the virtual impossibility of anyone other than the prosecution conducting research to confirm or refute the officer’s assertions, and there you have it- the prosecution has it all ways. . . there is no way for the defendant to ever get out from under a charge with that sort of force militating against him or her.

Am I suggesting that we let anybody download child pornography to conduct “research” (a la Pete Townsend whose defense to a child pornography charge was that he was conducting research)? No. I’m suggesting that we need to develop methods to allow for research on child pornography that allow for empirical study.

Furthermore, we need to fund the study from sources that do not inherently bias the outcome. When the only source of funding for studying online child exploitation is the Department of Justice, motivational bias seems to be axiomatic. (Motivational bias in action: Let’s see. . . we design the study to ensure that we please the funding source. We find what the funding source wants us to find so that we can get continuation funding. If our results are at odds with what the funding source wants, then we figure out how to downplay the results and justify studying the issue again so that we can try to get the results the funding sources wants. . . )

Without academic examination of the phenomena, we will not only learn nothing about it, we will be railroaded by whatever the government says about it. After all, if the government is the only entity that can ever lawfully have it, then the government is the only entity that can tell us anything about it. And, really, do we really trust the government all that much?

Wireless Alone Is Not Probable Cause. . .

2011-05-27T06:45:00.000-07:00

Did you hear the one about the Immigration and Customs Enforcement (ICE) agents who woke a Buffalo, New York man and his wife shortly after 6 a.m. when the agents broke down the couple’s back door? Seconds later, the agents were screaming at the man and threw him down the stairs. U.S. Attorney William Hocul and an ICE agent later apologized to the homeowner involved.

According to the Associated Press, an ICE agent had identified the homeowner’s Internet protocol address (IP address) as one using a peer-to-peer file sharing service to download alleged child pornography some two weeks before. The agent connected to the peer-to-peer account using the IP address and browsed the user’s shared files, a typical practice in that sort of investigation. However, in this case the homeowner who was also the identified subscriber of the IP address was actually not the user who had downloaded any child pornography. He was only the subscriber of the IP address. The user who downloaded the alleged child pornography had done so using the homeowner’s unsecured wireless network connection.
Ok, law enforcement makes mistakes from time to time. They knock down the wrong door. They make reparations. They debrief and try to be more careful when they can and life moves on. Probable cause is not proof beyond a reasonable doubt, nor is it proof beyond all doubt. We get that. But that’s not what happened in this case. It is not what happens in any case in which unsecured wireless networks are used to facilitate criminal activity. Not anywhere. Not in Connecticut . Not in any of the cases I’ve consulted on or have knowledge of or that I have reviewed.

In fact, when it comes to wireless networks, the police in Connecticut can be quite cavalier at times. Police will sometimes conduct additional investigation to determine whether the IP address subscriber was likely the same person who downloaded illegal content. More often, however, they do not. Police do not usually investigate whether an IP address is connected to a wireless network, and then attempt to determine whether or not there is more than one computer involved or another computer user. Police, prosecutors, and very often judges, deem it sufficient probable cause that allegedly illegal content was downloaded and that the IP address used to do so is identified in the warrant application.

The AP article quoted Georgetown Law Professor Orin Kerr, who warned consumers to secure any unsecured wireless connections. If we do not, we may be inviting law enforcement officers to roust us out of bed. and find ourselves face down on our living room floor looking at the dust bunnies under our couch with guns trained upon the back of our heads and Vibram soled boots on our backs.

There are two problems with this scenario. First, it shouldn’t be sufficient for police to simply connect an IP address to an address and alleged criminal activity to establish probable cause to issue a search warrant for the home. In our increasingly wired society, unsecured wireless utilization is a fact of life in these United States, but hard data is lacking. As a matter of our civil liberties, why should we even entertain the proposition that a failure to secure our wireless network invites the possibility of being the target of a criminal investigation and subject to a search? This type of seizure involves the search and extended seizure of our property by law enforcement of all of our personal and confidential digital information until we are proven innocent. Good grief, is this the way the Constitutional guarantee against unreasonable search and seizure works in the new millennium?

The second problem with operating on the assumption that the onus is on citizens to secure their wireless networks, rather than assuming that law enforcement will conduct adequate and thorough investigations, is that the police are often not challenged on their assertions and conclusions . Much of the defense bar and many members of the bench have not sufficiently educated themselves as to the technology involved. Our law has developed over the course of centuries, much of it in the analog era, and this new digital technology and shared network architecture poses special challenges to our freedoms. It can be dangerous to blithely follow the admonitions of law enforcement officers who have a smattering of legal knowledge and even less technical proficiency in the networks involved.

The prosecutors who pass along these search warrants along and the judges who sign them may be persuaded by the use of techno-babble and boilerplate jargon. This language may be incorrect or overly broad or even inapplicable to the case at hand. The crimes alleged can overshadow the thoroughness of the investigation, or the possible ‘inadvertent’ errors in the technical mumbo jumbo. Tell that to the innocent homeowner who was thrown down his own stairs at 6 a.m..

As a profession, we have a duty to do better. We’re not stupid, for chrissakes. We have mastered more intimidating foes. For example, how many of us have figured out the child support guidelines that were something of a mystery when first issued? Surely that’s more of a brain teaser than mastering the concepts underlying the Internet and wireless networking.

Because of this ignorance, some people are being wrongly accused. Law enforcement can go too far, but there is no one within the prosecutors’ ranks and few within the defense bar to push back, or to even question what is happening in these cases. Under the theory of "trash in, trash out," some of the case law being developed also reflects this inadequacy. As an urgent matter, the police, prosecutors and defenders need to become more educated about how wireless communications technology actually works and apply basic legal principles to these cases. The reach of technology to the law is broader still. It reaches civil litigation and permeates every aspect of the law and our disposition of justice. To best serve our clients, all of us must master the concepts or we will certainly fail to zealously represent them.

Finally a new blog...

2011-05-23T06:46:00.001-07:00

Well here we are just back in from the CEIC show in Orlando, lots of good stuff there, met a lot of new friends make some new connections. One exciting item wasn't even on the show agenda but we heard the buzz was a new forensic GPS tool...more about that later.

We obviously have a new website and are very proud of it. Still in a bit of evolution but a big step up for us again, wanted to thank our talented team of web designers Steve and Sean as well.

Stay tuned, bookmark us, follow us on Twitter at http://twitter.com/#!/tek4n6