
Archive for the 'Cloud' Category

Digital Forensics and Privacy and Technology in Balance at the 34th International Conference of Data Protection and Privacy Commissioners

The 34th International Conference of Data Protection and Privacy Commissioners was held this year in Punta del Este, Uruguay, on October 22-26.

Uruguay enacted a comprehensive Data Protection Law, Ley No. 18.331, in 2008, and was recently declared a “third country with an adequate level of data protection” by the European Union. Uruguay was one of the first Latin American countries (after Argentina) to adopt an omnibus privacy law, after which Mexico, Colombia, Costa Rica, Peru and Nicaragua followed suit. Brazil, Chile and Ecuador might be next. We are definitely witnessing a trend in Latin America towards enacting data protection laws modeled after the European Union data protection framework.

Part of a 1977 Punta del Este Mural by Carlos Paez Vilaro – Picture by Monique Altheim

The theme of the conference was: Privacy and Technology in Balance. As Jose Clastornik of the Unidad Reguladora y de Control de Datos Personales (URCDP), Uruguay’s data protection authority, declared: since technology is part of the problem, it should also be part of the solution.

The iconic symbol of Punta del Este is the “La Mano” sculpture on Brava Beach. It expresses the action of humans in nature. As such, it was also an appropriate symbol for this conference: how to balance the technological advances created by humans with what most data protection authorities around the globe consider human beings’ natural right to privacy and data protection.

“La Mano” sculpture in Punta del Este by Mario Irarrázabal – Picture by Monique Altheim

Uruguay’s President, Jose Mujica, expressed serious worries about the lack of privacy created by technological developments. He said, jokingly: “Sinners, you’re doomed!” At the same time, he expressed the need for knowledge to move forward and the hope that a proper balance between advancing technology and privacy protection will be achieved.

In Uruguay, technology and knowledge are indeed moving forward at a rapid pace, thanks to the remarkable CEIBAL project. About four years ago, the Uruguayan Government started distributing free laptops to all elementary school students and teachers, and it provides a no-cost internet connection to all of them.

From left to right: Diego Caneda, Jose Mujica Cordano (President of Uruguay), Felipe Rotondo (President of URCDP), Jose Clastornik (Member of Executive Council URCDP)

In sync with the theme of the conference, I was asked to moderate a panel on digital forensics, titled: “Forensic Tools: What Our Devices Tell About Us”.

Unfortunately, I don’t know much Spanish. That led to an amusing misunderstanding. A Latin American colleague tried to converse with me in English, and asked whether I had seen the hen yet. I said no, what is the hen? He explained that it was a very famous sculpture on the beach of Punta del Este. I spent whatever free time I had in Punta looking for a hen, but couldn’t find any. It was only when an American colleague pointed to a sculpture on the beach and said: this is the “hand”, that I finally understood.

We all speak different languages, and the misunderstandings this creates can lead to some problems of miscommunication, but they usually have limited consequences. All you need, after all, is a translator, a dictionary or a Google app to set things straight.

We all speak one language, though, that is identical: today, we all speak digital. We communicate through email, text messages, videoconferencing and social media. Those data are stored in databases at private companies and government agencies, on our laptops and mobile phones and, increasingly, on servers in the “cloud”. According to a recent IBM report, there are currently 2.7 zettabytes of digital data in the universe. That equals one trillion truckloads full of documents. In the case of a security breach, private civil litigation, an internal audit, or a government civil or criminal investigation, the goal is always to find relevant evidence. How does one find relevant evidence among such monstrous numbers? How do we ensure the authenticity and accuracy of digital evidence? And how do we make sure that the data protection and privacy rights of individuals are not trampled upon during the search for evidence?

This is the domain of ediscovery and digital forensics, and my panel of experts examined every aspect of this fascinating issue.

My panel consisted of, from left to right, Oscar Puccinelli, an attorney and professor of Constitutional Law at the National University of Rosario in Argentina; Jeimy Cano, CIS at Ecopetrol and professor at the Universidad de Los Andes in Bogota, Colombia; and Gustavo Betarte, CTO at Tilsor and researcher and professor at the Engineering School of the Universidad de la Republica in Montevideo, Uruguay.

And, from left to right, Yoram Hacohen, head of the Israeli Law, Information and Technology Authority (ILITA), and William C. Barker, associate director and chief cyber security advisor at the National Institute of Standards and Technology (NIST).

William C. Barker started by giving us a digital forensics 101 overview, which you can follow in this PowerPoint presentation. He explained the different phases of digital forensics, concepts such as digital signatures and hashing (the digest of an evidence image is recorded at acquisition so that any later copy can be checked against it), the policies companies and organizations should adopt regarding forensic investigations, and the standards that NIST has developed so far, such as the Computer Forensic Tool Testing (CFTT) program.

Digital Forensics by William C. Barker (NIST)
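As an added illustration of the hashing step covered in the overview above (example code written for this page, not taken from the NIST presentation or the CFTT program): the acquired evidence is hashed once at acquisition, the digests go into a chain-of-custody manifest, and every later copy is re-hashed and compared before it is relied upon. The evidence bytes, case number and examiner name are constructed sample values.

```python
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a few KB of bytes). A real
# acquisition is a multi-gigabyte file opened with open(path, "rb").
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 8 + b"user data: confidential report\n"

CHUNK = 1 << 16  # hash in 64 KiB pieces so images larger than RAM still work


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, computed in one pass over the stream.

    Forensic tools commonly record both MD5 and SHA-256. MD5 is kept only for
    compatibility with older reports; it is collision-broken, so SHA-256 is the
    digest that actually establishes integrity.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_manifest(stream, case_id, examiner, description):
    """Build the acquisition record that goes into the chain-of-custody log."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "description": description,
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hash_stream(stream),
    }


def verify(stream, manifest):
    """Re-hash a copy of the evidence and compare it with the recorded digests.

    Every recorded algorithm must match. compare_digest is used so the
    comparison does not leak where the first differing hex character is.
    """
    current = hash_stream(stream, tuple(manifest["hashes"]))
    return all(
        hmac.compare_digest(current[name], recorded)
        for name, recorded in manifest["hashes"].items()
    )


def tamper(data, offset):
    """Flip one bit at `offset`; shows that a single-bit change is detected."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    manifest = make_manifest(io.BytesIO(SAMPLE_IMAGE), "CASE-2012-001",
                             "examiner (constructed)", "sample image")
    print(json.dumps(manifest, indent=2))
    print("original verifies:", verify(io.BytesIO(SAMPLE_IMAGE), manifest))
    print("tampered verifies:", verify(io.BytesIO(tamper(SAMPLE_IMAGE, 100)), manifest))
```

The manifest only proves that the bytes are unchanged since acquisition; binding it to the examiner and the time requires a digital signature over the manifest (or a timestamp from a trusted source), which is the other concept the presentation pairs with hashing and is not shown here.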

Following this excellent presentation, Gustavo Betarte delved into the privacy issues arising out of forensic analysis of deleted data. He explained how amazingly difficult it is to truly delete data from computer systems and how very often forensic investigators find troves of sensitive data thought to be deleted. Deleting a file usually only removes its directory entry; the underlying blocks stay on the disk until they happen to be overwritten, which is what makes recovery possible. For example, in the notorious Enron case, many of the incriminating emails were reconstructed from a “deleted data” folder.

After listening to Gustavo  for a while, I started thinking that maybe the whole “right to be forgotten” controversy is just wishful thinking of policymakers with no knowledge of computer forensics.

For more details on Gustavo’s presentation, check out his slides:

Threats to Privacy in the Management of Data Stored in Computer Systems by Gustavo Betarte
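To make the point about deleted data concrete, here is an added example (written for this page, not code from Gustavo’s presentation) on a tiny constructed volume format: one directory block of name:start:length records followed by data blocks. “Deleting” a file clears its directory entry, as most file systems do, and a signature carver that ignores the directory still recovers the whole file; only overwriting the blocks before deleting defeats it. The volume layout, file names and file contents are all constructed.

```python
BLOCK = 512

# Header and footer byte signatures for a few common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed sample files placed on the toy volume.
FILES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n%%EOF",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"JFIF payload" + b"\xff\xd9",
}


def build_image(files=FILES):
    """Toy volume: block 0 holds 'name:start_block:length;' records, data follows."""
    directory, data, start = b"", b"", 1
    for name, body in files.items():
        directory += f"{name}:{start}:{len(body)};".encode()
        padded = body + b"\x00" * (-len(body) % BLOCK)
        data += padded
        start += len(padded) // BLOCK
    return directory.ljust(BLOCK, b"\x00") + data


def _entries(image):
    return [e for e in image[:BLOCK].rstrip(b"\x00").split(b";") if e]


def list_files(image):
    """What an ordinary file listing shows: only names still in the directory."""
    return [e.split(b":")[0].decode() for e in _entries(image)]


def delete_entry(image, name):
    """'Delete' the way most file systems do: drop the entry, leave the blocks."""
    kept = b"".join(e + b";" for e in _entries(image)
                    if not e.startswith(name.encode() + b":"))
    return kept.ljust(BLOCK, b"\x00") + image[BLOCK:]


def overwrite_data(image, name):
    """Secure-delete step: overwrite the file's bytes before the entry goes."""
    for entry in _entries(image):
        n, start, length = entry.split(b":")
        if n == name.encode():
            off = int(start) * BLOCK
            return image[:off] + b"\x00" * int(length) + image[off + int(length):]
    raise FileNotFoundError(name)


def carve(image):
    """Signature carving: ignore the directory and scan the raw bytes for
    header/footer pairs. Returns (type, offset, bytes) sorted by offset."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header))
            if end == -1:  # header with no footer anywhere after it: truncated
                break
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


if __name__ == "__main__":
    image = build_image()
    deleted = delete_entry(image, "report.pdf")
    print("listing after delete:", list_files(deleted))
    print("carved after delete: ", [(k, off, len(b)) for k, off, b in carve(deleted)])
    wiped = delete_entry(overwrite_data(image, "report.pdf"), "report.pdf")
    print("carved after wipe:   ", [(k, off, len(b)) for k, off, b in carve(wiped)])
```

Real carvers such as foremost, scalpel and PhotoRec apply the same header/footer idea to real disk images. On real storage the picture is messier in both directions: an SSD’s TRIM may discard the blocks on its own, while backups, snapshots and cloud replicas keep copies that no local overwrite reaches.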

Yoram Hacohen gave us a couple of interesting practical case studies conducted by his office involving forensic examinations and privacy.

He explained how his department, with the help of its forensics lab, cracked the biggest privacy breach case that ever occurred in Israel, involving the theft of Israel’s entire Population Registry. See here a previous entry about this notorious case.

Yoram put it very succinctly when he said: the suspect remained silent, but his computer spoke volumes!

Watch this fascinating briefing to find out how the investigation led to the unmasking and arrest of six suspects and how one fatal “mistake” by the hacker who published the registry online led to his discovery.

As more and more companies and organizations move their IT operations to the “cloud”, it was essential to address the forensics issues arising in this ecosystem.

Jeimy Cano gave a comprehensive PowerPoint presentation on digital forensics in the cloud environment.

This slide gives one an idea of the complexity of conducting digital forensics analysis in a cloud architecture. One of the particularities of cloud forensics is the ability to conduct remote probing of distant systems. There are even agents one can install in advance so that remote forensic investigations can be carried out later, should the need arise.

And finally,  cloud computing creates a unique challenge in criminal investigations. Whereas in a physical home search, the police must show a warrant before proceeding, in a remote search of computers or servers in the cloud, the data subject or data controllers/processors are not in a position to ask for a warrant before letting investigators in, since remote digital forensics can be executed without the knowledge of the data subject or the data controller/processor. The same is true when cybercrime investigators install remote trojans to monitor suspect computer systems.

Oscar Puccinelli tackled this thorny issue. He sighed at the fact that the law is always seriously trailing behind the technology, and stressed that currently there is a lack of balance between technology and the law. Technology develops at lightning speed, while the law develops at a snail’s pace. This is especially true concerning the cloud environment. He stressed the importance of international cooperation, and praised the EU and US for their cooperation efforts in this field.

Important efforts at harmonizing substantive and procedural criminal law come from the Council of Europe Cybercrime Convention, the leading public international law instrument in this field, which came into force in July 2004 and has some 47 signatories, including non-European states such as the United States.

Oscar deplored the lack of a regional agreement in Latin America.

He also mentioned that the cloud is a new space that is strongly monitored under national security laws by most government agencies around the globe.

The “Patriot Act” is not alone.

For example, the German Federal Criminal Police Office (BKA) may, in investigations involving terrorism or national security, use a “Federal Trojan” (government-issued surveillance software) to search a cloud provider’s servers, monitor ongoing communications, or collect communication traffic data without the knowledge of the target. In addition, the G10 Act provides German intelligence services with the authority to monitor and record telecommunications without a court order in investigations of a serious crime or a threat against national security, such as terrorism.

Oscar’s conclusion: clouds in the cloud.

In order not to end with such a gloomy “weather forecast”, I included a short recording of the lavish party that the Uruguayan organizers had prepared for the conference’s attendees. Besides being served a sumptuous banquet, the delegates were treated to a show of “Candombe”, an Afro-Uruguayan traditional dance. Enjoy!

E-Discovery Legal Issues for IT

 

Lawyers are often labeled as “luddites” and their lack of understanding of technology is legendary.

In an era where almost all business records take the form of electronically stored information, it has become essential for lawyers to become more technologically savvy.

On the other hand, it is just as important for IT to understand the legal department and its requests.

Ediscovery is one area where this has become an absolute necessity.

But how well do IT professionals understand the legal aspects of their work? Most probably, not very well.

 

Are you an IT professional?

Do you believe that all your company’s data should be deleted as quickly as possible? Do you believe that none of your company’s data should ever be deleted?

Have you ever received an instruction from the legal department that sounded like: “Save all responsive documents” and scratched your head as to what documents legal was referring to?

Is your company moving its database to the cloud? Are you involved in acquiring new hardware or software for your company?

If you answered yes to any of the above questions, the newly published e-book “E-Discovery Legal Issues Guidebook” is for you. It was published on September 7, 2012, by PenTest Magazine, the “only magazine devoted exclusively to penetration testing”.

This seventy-page e-book is specifically aimed at IT professionals who deal with ediscovery. With its collection of eleven articles, written by thought leaders in the field of ediscovery, it aims to inform IT professionals of the basic legal issues surrounding ediscovery.

In it, you will find analyses of the major ediscovery cases, from the seminal Zubulake case to the more recent Apple v. Samsung case. Basic legal ediscovery principles, such as the duty to preserve and spoliation are explained without the usual legal jargon. More advanced topics, such as ediscovery of data stored in the cloud and ediscovery of personal data in the EU are covered as well.

This publication recognizes the essential part IT professionals play in the process of ediscovery, and aims to foster co-operation between the legal and IT departments.

Disclosure: This blogger has contributed to the publication with a chapter on international ediscovery and EU data protection.

 

Carlota Perez’s Message of Hope at the Web 2.0 Expo New York

 

Web 2.0 Expo, the trade show for the builders of the next-generation web, just ended in New York.

As usual since its debut in 2004, the conference offered a rich array of presentations related to the web ecosystem, showcasing innovations and practical advice  in design, marketing, ecommerce, cloud computing and social media.

Out of the many excellent keynote presentations, Fred Wilson’s conversation with Carlota Perez stood out, because it offered a message of hope in these dark economic times:

A Conversation with Fred Wilson and Carlota Perez

In this lively conversation between Fred Wilson of Union Square Ventures and AVC.com and Carlota Perez about the current economic crisis, Carlota made a passionate plea for a new way of life.

Carlota believes that it is technological revolutions that drive positive change. The last technological revolution, that of mass production, led to an economic boom. Today, the new technological revolution is IT, and it has the potential to lead us into a new global “Golden Age”.

“What’s good for IT is good for the world, and what’s good for the world is good for IT,” she said, paraphrasing the famous 1953 remark by GM Chief Executive Charles Wilson.

The old way of life, based on growing consumption of material goods, has become unsustainable, due to the high cost of production and the scarcity of resources.

“For all the people in China and India to live the way we live in America, we would need seven planets.”

In order for IT to realize its potential for global wealth creation, there needs to be a consensus on the necessity to create a new way of life: A “green” life, a sustainable life, with emphasis on consumption of life enhancing services instead of continuous and growing consumption of material goods.

Green societies would create new jobs in areas such as recycling, maintenance, waste disposal, renewal of entire infrastructures, redesign of buildings, and redesign of products to be more durable and more energy efficient.

Only the dinosaurs (a.k.a. governments and the old industry) insist on keeping the status quo, she said. She urged leaders in the IT world to become politically involved and called on leadership to encourage Finance to leave the “casinos” and invest in this real economy instead.

Fred Wilson then turned to the international audience, consisting of VCs, business leaders and owners, entrepreneurs, web developers, web designers, marketers, and consultants and said: “That’s all of you: go out and get it done!”


“Embedded Devices: How Electronic Conveniences Affect Privacy and Discovery” at the Masters Series for Legal Professionals in NYC

 

This panel was presented at the Masters Series for Legal Professionals, recently held in NYC on July 19, 2011.

The panel was moderated by Steve Akers, CTO and Founder of Digital Reef, Inc. Panelists included Daniel Garrie, Esq., Special Master and Mediator in eDiscovery, and Daniel K. Gelb of Gelb & Gelb LLP.

The panel discussed issues arising when discoverable data are stored in the “cloud”, mobile apps, mobile phones, iPads, GPS tracking devices and more.

Ediscovery, Cloud Computing and EU Data Protection: Cloud Nationalities Do Matter

Cloud Security and Privacy: A Legal Compliance and Risk-Management Guide, Part 1 and 2

In this two-part series, legal expert Robert McHale, author of Data Security and Identity Theft: New Privacy Regulations That Affect Your Business, provides a comprehensive overview of the legal security and privacy risks associated with cloud computing.

Part 1 discusses the principal federal and state laws regulating cloud activities.

Part 2 provides a practical due diligence checklist companies should consult before entering into a cloud service agreement.

While storage of user data on remote servers is hardly a recent phenomenon, the current explosion of cloud computing warrants a closer look at the associated privacy and security implications.

Cloud computing carries with it its own unique risks regarding the privacy, confidentiality, and security of business information, which companies must fully assess before migrating to the cloud. Armed with an appropriate legal compliance and risk-management strategy—and strong, fully-negotiated contractual protections—companies should be able to safely transfer their data and applications to the cloud.

Part I of this article discusses the principal federal and state laws regulating cloud activities, and the legal security and privacy risks associated with cloud computing.

U.S. Laws and Regulations Governing Data Security and Privacy

The United States has numerous federal and state data security and privacy laws with implications for cloud computing. Unfortunately, there is not a single, comprehensive legal framework in which the rights, liabilities, and obligations of cloud providers and cloud users are regulated or defined. Instead, U.S.-based cloud users and providers must rely upon a veritable hodgepodge of (oftentimes) sector-specific laws to evaluate their legal risks and obligations, and the contractual terms between them.

The most notable data security and privacy laws are examined here.


The European Union Data Protection Directive

The location of information stored in the cloud can have a profound impact upon the level of privacy and confidentiality protections afforded the information in question, and upon the privacy obligations of the cloud provider.

For instance, the European Union’s Data Protection Directive, which regulates the processing of personal data within the EU as a means to safeguard individual citizens’ privacy, is of particular significance.

Under the EU Data Protection Directive, personal data may be transferred to third countries (non-EU member states) only if that country provides an “adequate” level of protection. Most notably, the United States is not on the list of countries that meet the EU’s “adequacy” standard for privacy protection. Accordingly, an organization that does its processing in the cloud may be violating EU law if the data goes to a server outside the EU in a country without an adequacy finding, such as the United States, unless another lawful transfer mechanism applies.

In order to provide a means for U.S. companies to comply with the Directive (and thereby ensure continued trans-Atlantic transactions), the U.S. Department of Commerce, in consultation with the European Commission, developed the “Safe Harbor” program, under which U.S. companies that self-certify to its privacy principles are treated as providing adequate protection.


Cloud Security and Privacy: A Legal Compliance and Risk-Management Guide, Part 2

Due Diligence and Cloud Service Agreements

An organization’s contractual agreement with a cloud service provider is perhaps the most critical component in evaluating cloud computing risks, and therefore should be carefully examined before entering into a cloud relationship.

Cloud Service Agreements (CSAs) should clearly describe the services provided, guarantees, warranties, limitations, liabilities, and the responsibilities and rights of each party.

Proper due diligence requires inquiry into the following categories of concern: data security, performance, limitations of service, data migration, government and third-party litigation access, handling of trade secrets/confidential information, and exit plan, all of which are discussed in detail below.

Data Security

To properly manage the operational risk associated with cloud services, the cloud provider’s level of data security should be carefully examined. At a minimum, the following should be ascertained:

  • Is the cloud provider contractually obligated to protect the customer’s data at the same level as the customer’s own internal policies?
  • Who has access to customer data, and what are their backgrounds?
  • Where is the provider’s data center physically located, and what safeguards protect the data centers from unauthorized access (for example, 24/7 security personnel)?
  • Does the provider promise to maintain user data in a specific jurisdiction and/or to avoid certain jurisdictions?
  • What are the provider’s migration policies regarding moving data back internally or to alternate providers? (Companies need to make sure that no data is lost or falls into the wrong hands.)
  • Does the provider conduct regular backup and recovery tests?
  • Do the provider’s security policies comply with all applicable regulatory rules?
  • Is the provider willing to undergo on-demand or periodic audits and security certifications?
  • Is the provider required to investigate illegal or inappropriate activity?
  • Is the provider required to disclose any new vulnerabilities that may affect the confidentiality of customer data, or the integrity and availability of their services?
  • In the event of lost or compromised data, can the data be backed up, and can it be easily reconstituted from the backups?
  • What are the provider’s policies on data handling/management and access control? Do adequate controls exist to prevent impermissible copying or removal of customer data by the provider, or by unauthorized employees of the company?
  • What happens to data when it is deleted?
  • What happens to cloud hardware (for example, trailers of servers) when the hardware is replaced?
