The 34th International Conference of Data Protection and Privacy Professionals was held this year in Punta del Este, Uruguay, on October 22-26.
Uruguay enacted a comprehensive Data Protection Law, the Ley no. 183331, in 2008, and was recently declared a “third country with an adequate level of data protection” by the European Union. Uruguay was one of the first Latin American countries (after Argentina) to adopt an omnibus privacy law, after which Mexico, Colombia, Costa Rica, Peru and Nicaragua followed suit. Brazil, Chile and Ecuador might be next. We are definitely witnessing a trend in Latin America towards enacting data protection laws modeled after the European Union data protection framework.
The theme of the conference was: Privacy and Technology in Balance. As Jose Clastornik of the Unidad Reguladora y de Control de Datos Personales (URCDP), the DPA of Uruguay, declared: since technology is part of the problem, it should also be part of the solution.
The iconic symbol of Punta del Este is the “La Mano” sculpture on Brava Beach. It expresses the action of humans in nature. As such, it was also an appropriate symbol for this conference: how to balance the technological advances created by humans with what most data protection authorities around the globe consider human beings’ natural right to privacy and data protection.
Uruguay’s President, Jose Mujica, expressed serious worries about the lack of privacy created by technological developments. He said, jokingly: “Sinners, you’re doomed!” At the same time, he expressed the need for knowledge to move forward and the hope that a proper balance between advancing technology and privacy protection will be achieved.
In Uruguay, technology and knowledge are indeed moving forward at a rapid pace, thanks to the remarkable CEIBAL project. About four years ago, the Uruguayan Government started distributing free laptops to all elementary school students and teachers, and it provides a no-cost internet connection to all.
In sync with the theme of the conference, I was asked to moderate a panel on digital forensics, titled: “Forensic Tools: What Our Devices Tell About Us”.
Unfortunately, I don’t know much Spanish. That led to an amusing misunderstanding. A Latin American colleague tried to converse with me in English, and asked whether I had seen the hen yet. I said no, what is the hen? He explained that it was a very famous sculpture on the beach of Punta del Este. I spent whatever free time I had in Punta looking for a hen, but couldn’t find any. It was only when an American colleague pointed to a sculpture on the beach and said: this is the “hand”, that I finally understood.
We all speak different languages, and the misunderstandings this creates can lead to some problems of miscommunication, but they have usually limited consequences. All you need, after all, is a translator, dictionary or Google app to set things straight.
There is one language, though, that we all speak identically: today, we all speak digital. We communicate through email, text messages, videoconferencing and social media. Those data are stored in databases at private companies and government agencies, on our laptops and mobile phones and, increasingly, on servers in the “cloud”. According to a recent IBM report, there are currently 2.7 zettabytes of digital data in the universe. That equals one trillion truckloads full of documents. In the case of a security breach, private civil litigation, internal audit, or government civil or criminal investigation, the goal is always to find relevant evidence. How does one find relevant evidence among such monstrous numbers? How do we ensure the authenticity and accuracy of digital evidence? And how do we make sure that the data protection and privacy rights of individuals are not trampled upon during the search for evidence?
This is the domain of ediscovery and digital forensics, and my panel of experts examined every aspect of this fascinating issue.
My panel consisted of, from left to right, Oscar Puccinelli, an attorney and professor of Constitutional Law at the National University of Rosario in Argentina; Jeimy Cano, CIS at Ecopetrol and professor at the Universidad de Los Andes in Bogota, Colombia; and Gustavo Betarte, CTO at Tilsor and researcher and professor at the Engineering School of the Universidad de la Republica in Montevideo, Uruguay.
And, from left to right, Yoram Hacohen, head of the Israeli Law, Information and Technology Authority (ILITA), and William C. Barker, associate director and chief cyber security advisor at the National Institute of Standards and Technology (NIST).
William C. Barker started by giving us a digital forensics 101 overview, which you can follow in this powerpoint presentation. He explained the different phases of digital forensics, concepts such as digital signatures and hashing, the policies companies and organizations should adopt regarding forensic investigations, and the standards that NIST has developed so far, such as the Computer Forensic Tool Testing (CFTT).
Following this excellent presentation, Gustavo Betarte delved into the privacy issues arising out of forensic analysis of deleted data. He explained how amazingly difficult it is to truly delete data from computer systems and how very often forensic investigators find troves of sensitive data thought to be deleted. For example, in the notorious Enron case, many of the incriminating emails were reconstructed from a “deleted data” folder.
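To make Gustavo’s point concrete, and to tie in the hashing concept from William Barker’s overview, here is an added illustration (my own toy code, not from either presentation): a miniature disk image whose “delete” only drops the directory entry, a carver that recovers the message from the raw bytes anyway, and a SHA-256 check confirming the carved copy is bit-for-bit what was written. The ToyDisk, the carve() routine and the sample email are all constructed for the example.

```python
import hashlib

BLOCK = 64  # block size of the toy disk, in bytes

class ToyDisk:
    """Tiny block device plus directory table. Like most real file systems,
    delete() only drops the directory entry and marks the blocks free; the
    bytes stay on disk until something overwrites them."""
    def __init__(self, blocks=16):
        self.image = bytearray(blocks * BLOCK)   # raw disk image, zero-filled
        self.dir = {}                            # name -> (first_block, length)
        self.free = list(range(blocks))          # free block list

    def write(self, name, data):
        nblocks = -(-len(data) // BLOCK)         # ceiling division
        start = self.free[0]
        del self.free[:nblocks]
        self.image[start * BLOCK:start * BLOCK + len(data)] = data
        self.dir[name] = (start, len(data))

    def delete(self, name, wipe=False):
        start, length = self.dir.pop(name)
        if wipe:  # overwrite the payload before releasing the blocks
            self.image[start * BLOCK:start * BLOCK + length] = bytes(length)
        self.free[0:0] = range(start, start + -(-length // BLOCK))

def carve(image, marker):
    """Scan the raw image for a known header and return each NUL-terminated
    run that follows it, ignoring the directory table entirely."""
    hits, pos = [], image.find(marker)
    while pos != -1:
        end = image.find(b"\x00", pos)
        hits.append(bytes(image[pos:end if end != -1 else len(image)]))
        pos = image.find(marker, pos + 1)
    return hits

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def deleted_email_survives(wipe):
    """Return (still_listed, carved_intact) for a message deleted with or
    without an overwrite. The email text is a constructed sample."""
    disk = ToyDisk()
    email = b"From: cfo@example.test\nSubject: Q3 numbers (constructed sample)\n"
    known_hash = sha256(email)          # hash recorded before deletion
    disk.write("email.txt", email)
    disk.delete("email.txt", wipe=wipe)
    still_listed = "email.txt" in disk.dir
    carved_intact = any(sha256(r) == known_hash for r in carve(disk.image, b"From: "))
    return still_listed, carved_intact
```

Without the overwrite the file system reports the message gone while the carver hands it back with a matching hash; only the wipe variant actually removes it.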
After listening to Gustavo for a while, I started thinking that maybe the whole “right to be forgotten” controversy is just wishful thinking of policymakers with no knowledge of computer forensics.
For more details on Gustavo’s presentation, check out his slides:
Yoram Hacohen gave us a couple of interesting practical case studies conducted by his office involving forensic examinations and privacy.
He explained how his department, with the help of its forensics lab, cracked the biggest privacy breach case that ever occurred in Israel, involving the theft of Israel’s entire Population Registry. See here a previous entry about this notorious case.
Yoram put it very succinctly when he said: the suspect remained silent, but his computer spoke volumes!
Watch this fascinating briefing to find out how the investigation led to the unmasking and arrest of six suspects and how one fatal “mistake” by the hacker who published the registry online led to his discovery.
As more and more companies and organizations move their IT operations to the “cloud”, it was essential to address the forensics issues arising in this ecosystem.
Jeimy Cano gave a comprehensive powerpoint presentation on digital forensics in the cloud environment.
This slide gives one an idea of the complexity of conducting digital forensics analysis in a cloud architecture. One of the particularities of cloud forensics is the ability to conduct remote probing into distant systems. There are even applications one can install in order to allow for future remote forensic investigations, should the need arise.
And finally, cloud computing creates a unique challenge in criminal investigations. Whereas in a physical home search, the police must show a warrant before proceeding, in a remote search of computers or servers in the cloud, the data subject or data controllers/processors are not in a position to ask for a warrant before letting investigators in, since remote digital forensics can be executed without the knowledge of the data subject or the data controller/processor. The same is true when cybercrime investigators install remote trojans to monitor suspect computer systems.
Oscar Puccinelli tackled this thorny issue. He sighed at the fact that the law is always seriously trailing behind the technology, and stressed that currently there is a lack of balance between technology and the law. Technology develops at lightning speed, while the law develops at a snail’s pace. This is especially true concerning the cloud environment. He stressed the importance of international cooperation, and praised the EU and US for their cooperation efforts in this field.
Important efforts at harmonizing substantive and procedural criminal law come from the Council of Europe Cybercrime Convention, the leading public international law in this field, which came into force in July 2004 with some 47 signatures, including non-European states such as the United States.
Oscar deplored the lack of a regional agreement in Latin America.
He also mentioned that the cloud is a new space that is strongly monitored under national security laws by most government agencies around the globe.
The “Patriot Act” is not alone.
For example, the German Federal Office of Criminal Investigation (BKA) may, in investigations involving terrorism or national security, use a “Federal Trojan” (a government-issued computer virus) to search a Cloud provider’s servers, monitor ongoing communications, or collect communication traffic data without the knowledge of the target. In addition, the G10 Act provides German intelligence services with the authority to monitor and record telecommunications without a court order in investigations of a serious crime or a threat against national security, such as terrorism.
Oscar’s conclusion: Clouds in the cloud.
In order not to end with such a gloomy “weather forecast”, I included a short recording of the lavish party that the Uruguayan organizers had prepared for the conference’s attendees. Besides being served a sumptuous banquet, the delegates were treated to a show of “Candombe”, an Afro-Uruguayan traditional dance. Enjoy!