Rossander’s Security Reader

A federal judge in Los Angeles ruled recently that a computer server’s RAM (random-access memory) is a tangible document that can be stored and must be turned over in a lawsuit. The judge is an idiot.

Background

The case is about copyright infringement. The Motion Picture Association of America (MPAA) is trying to force TorrentSpy, a file-sharing site, to turn over data about visitors to their website. TorrentSpy replied that they don’t keep logs on their users – they are merely an intermediary, allowing data to pass through their website unscreened. They essentially said that they have no data to turn over. Unhappy with that answer, Judge Jacqueline Chooljian ordered TorrentSpy to begin logging user information and to turn that data over to the MPAA.

Unfortunately, the only way that the judge can make that order is to make some real leaps of logic. Companies are required to cooperate with fact-finding requests for documents. That’s what the whole “discovery” thing is about. Our judicial system is based on the assumption that if we can get all the facts on the table, we can quickly figure out who’s right, who’s wrong and how to make the victim whole. (Remember that this is a very different standard from the criminal “innocent until proven guilty” rule.) If you have a document that might be relevant to the case, you are required to produce it to the other side and to the court.

There are a few limits to that broad discovery, however. You can hold back documents (or parts of documents) that are attorney-client privileged or that contain confidential information like SSNs, medical details, etc as long as those details are not relevant to the case. You also can not be compelled to produce documents you don’t have. Courts are not supposed to be able to force you to create new records or documents just to respond to a discovery request.

TorrentSpy does not log user transactions during their normal operations. They do so to protect users’ privacy and because they have no operational need for the data in their normal course of business. MPAA argues that it also makes it easier for people who download pirated material to work in the shadows. They may be right. Regardless, TorrentSpy argued that requiring them to turn on logging is the same as requiring them to begin creating new documents just for this case. From a legal point of view, they’re right.

The judge got around this by arguing that the data already exists in the computer’s RAM. Therefore, she is not asking them to create new documents, merely to produce existing data in a more usable form. You can read the original order here. She does cite some other Ninth Circuit decisions involving RAM but, in my opinion, she is either misreading or misapplying the underlying facts.

RAM is not and can not be considered a “document” for the purposes of eDiscovery. RAM is the ephemeral memory that the computer uses to make calculations and to quickly access the data in other places. Think of RAM as the one that you carry in your head when adding a column of digits. (The data on your hard-drive may hold the result of your calculation in a spreadsheet but that’s a completely different kind of memory. The hard-drive data generally is reasonably accessible.) There is no possible way to record the billions of transactions per second that flash through the RAM of even a small computer. Attempting it would consume more permanent memory than exists in the world. And, by the way, writing all that content also requires transactional decisions and data that pass through RAM. The act of recording it spoliates it.

Okay. The judge is not really an idiot. She is seeking a justification to force cooperation from a company that’s not really playing fair. She wants them to turn on logging. Logging is cheap and easy – at least compared to most other electronic discovery activities. From a social policy point of view, I’m torn. TorrentSpy probably should be cooperating and not being stupid about the “costs of logging” and the applicability of Dutch privacy law. On the other hand, TorrentSpy is not being accused of any direct misdeeds. They are being pulled in as a third-party in MPAA’s attempt to sue their own customers. MPAA’s heavy-handed approach is not winning them any friends. Whichever side you agree with, though, the judge’s contortions about the technological facts of RAM to make her rationalization will get used as precedent outside this narrow circumstance. As the saying goes, “Bad facts make bad law.”

The judge’s decision is already being appealed and has been stayed pending that decision. Her decision has been upheld once but appeals continue. On both technological and legal grounds, I sincerely hope that her decision is overturned. Congress needs to address the problem of compelling cooperation from companies like TorrentSpy but they need to do it cleanly – a new law, not judicial twisting and rationalization.

Here is the article I wish I’d written about Facebook. It’s a bit long but it’s very good and has some funny bits.
10 Security Reasons to Quit Facebook (And One Reason to Stay On) by Joan Goodchild of CSOonline.

The short version boils down to:

• Facebook makes it way too easy for young adults to post things that become forever part of their online history – they sabotage their own privacy without realizing it.
• Facebook does not have your interests at heart. They’re a business and they don’t really buy into the whole privacy concept. That’s why, for example, they don’t really care or even notice when their frequent redesigns disrupt your privacy settings.
• Spam, ads and other targetted malicious stuff.
• And finally, the quote from George Straight’s “All my ex’s live in Texas” and the implications in an internet world was just beautiful.

On the flip side, here’s another article with a possible solution. Even though Facebook doesn’t get it, some developers do and they are posting free Facebook apps to manage the privacy settings for you. It won’t solve all the problems of Facebook but it can mitigate some. If you are a Facebook user, stongly consider using one of these new privacy management apps.

… is an oxymoron. Read this WSJ article for more. Not much else to say except the obvious. When you sign up for a free service, you generally get what you paid for, especially in the area of privacy. Never post anything online that you’d be embarrassed to see on tomorrow’s front page.

It’s not often that I burst out laughing while reading a computer security article. Still less often when I’m reading an HR blog. This article and the comments at the end were a rare treat.

In case the link doesn’t work for you, the author tells a compelling story about how hard it is to get people to lock their computers when they step away from their desks. I agree – it’s miserable trying to convince people that this is an important security control that they should spend time on. You can teach, nag, cajole and people still walk away “just for a minute” and leave their computers open to any hacker in the building. (And if you think you have complete control of the physical facility, you’re kidding yourself.)

Rather than more fruitless policing by one or two committed security geeks, release the goons! Let employees prank each other when someone is careless enough to leave a computer unlocked. Drafting and even sending emails from the unsecured computer is an old trick but must be done with caution – it’s supposed to be a prank, not a career-ending fraud. Better are more personal pranks like changing a Browns fan’s wallpaper to a Steelers logo, changing the autocorrect in MS Word or, my new favorite, flipping the monitor. A harmless prank or three might finally get people to lock those screens.

A few thoughts, though. Make sure that the pranks are harmless. You want to apply judicious social pressure in support of the corporate policy. Workplace bullying is nothing to trifle with. Don’t let it go too far. Second, be very sure that tactic is a good fit for the culture of the team. Tight-knit, high-functioning workgroups have more tolerance for social controls than newly formed or distrustful groups. Finally, be very cautious before “pranking” a subordinate. Behavior that’s completely acceptable with a peer could land the manager in a lawsuit.

Hope you enjoy the article as much as I did.

If you haven’t heard by now, a number of Google executives were convicted in absentia by a court in Italy for failing to police some videos posted by users. In this case, the video was a home movie of several teenagers bullying a peer with Downs Syndrome. The video was anonymously posted to Google Videos where it stayed for several months. Eventually, some adults noticed it and contacted the police who investigated and then asked Google to take the video down. By all reports, Google did so within two hours of receiving the notification.

The Italian prosecutors felt that this was not fast enough and argued in court that Google had an affirmative responsibility for the content even though it was posted by others and even though Google does not exercise any control over the content. One self-appointed consumer advocate is proclaiming this a “victory for individual privacy over corporate interest”.

I am an avid privacy activist but I’m not buying it here for several reasons. First, it’s not possible to evaluate all the content that users are posting. About twenty hours of video content are posted to YouTube alone every minute. Add in all the other Web 2.0 sites and you’d need literally armies of people doing nothing but watching what other people are posting. Nobody could afford that. And even if you tried, that many people just couldn’t do the job without making mistakes. Second, there’s no easy way to tell inappropriate content (like real bullying) from certain types of performance art. That kind of stuff is not to my taste but other people … well, I won’t say they necessarily enjoy it, but they do it. And heaven help you if you censor their artistic content. Third, which set of standards will you apply? Granted, beating up a kid with Downs Syndrome is bad in pretty much every culture but there’s nothing philosophically different about this case and the Chinese suppression of political dissent. There is no way to draw the line about what is or is not acceptable.

Some commentators on this case have argued that other users added comments to the site that the video was inappropriate and that should have been enough to require Google to act. Again, I don’t buy it. User feedback and ratings can have a place but they are remarkably susceptible to abuse. False reports are rampant, either as pranks or as retribution for negative ratings on other users’ content. Remember that the Internet is an inherently pseudonymous environment. That is, even if you have to create a username to use a site, you can still create as many usernames as you want and they don’t necessarily have to have any connection to your real identity. If you want to tank a site or skew a vote, just create a thousand or so accounts (often called “sockpuppets”) and have them all paraphrase your original opinion. If you are careful to change your tone and word choice a bit, it’s very difficult to identify this kind of abuse.

It seems to me that the real culprits are the bullies who 1) abused the victim and then 2) posted the video. Google appears to have been a good corporate citizen, acting quickly and responsibly once notified of a problem by the proper authorities. Attempting to require Google or any other host to actively police ever bit of content on their site would kill the very idea of user-generated content. YouTube, Twitter, Facebook, MySpace, Wikipedia, … all would be run out of business by this social policy. And we would all be much poorer as a result.

I hope this case gets overturned on appeal. It’s hard to predict, though. European law is far less deferential to the idea of free speech than we are used to in the US. They also have not been very successful at grappling with the implications of applying local standards to global operations. If you expect others to kowtow to your local foibles, you have to be equally ready to defer to all of theirs – a standard that very few communities will tolerate in practice.

As a closing thought, I can’t help wondering if this court case was a smoke-screen. It is suspicious that this case comes right as Google is being sued by the state-run media companies for alleged tolerance of copyright violations on the same site. I feel for the kid who was being bullied but this smells to me more of political grandstanding and strong-arm negotiations than it does of a legitimate privacy case.