<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Rossander's Security Reader &#187; Records Retention</title>
	<atom:link href="http://rossander.org/infosec/category/records-retention/feed/" rel="self" type="application/rss+xml" />
	<link>http://rossander.org/infosec</link>
	<description>an Information Security blog for the rest of us</description>
	<lastBuildDate>Mon, 06 Sep 2010 21:03:11 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Is RAM a &#8220;document&#8221;?</title>
		<link>http://rossander.org/infosec/2010/06/is-ram-a-document/</link>
		<comments>http://rossander.org/infosec/2010/06/is-ram-a-document/#comments</comments>
		<pubDate>Mon, 28 Jun 2010 12:53:23 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Records Retention]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=636</guid>
		<description><![CDATA[A judge ruled that RAM is a discoverable, tangible document.  That decision makes little sense.]]></description>
			<content:encoded><![CDATA[<p> A federal judge in Los Angeles ruled recently that a computer server&#8217;s RAM (<a href=http://en.wikipedia.org/wiki/Random-access_memory>random-access memory</a>) is a tangible document that can be stored and must be turned over in a lawsuit.  The judge is an idiot.</p>
<p> <b>Background</b><br />
The case is about copyright infringement.  The Motion Picture Association of America (MPAA) is trying to force TorrentSpy, a file-sharing site, to turn over data about visitors to their website.  TorrentSpy replied that they don&#8217;t keep logs on their users &#8211; they are merely an intermediary, allowing data to pass through their website unscreened.  They essentially said that they have no data to turn over.  Unhappy with that answer, Judge Jacqueline Chooljian ordered TorrentSpy to begin logging user information and to turn that data over to the MPAA.</p>
<p> Unfortunately, the only way that the judge can make that order is to make some real leaps of logic.  Companies are required to cooperate with fact-finding requests for documents.  That&#8217;s what the whole &#8220;discovery&#8221; thing is about.  Our judicial system is based on the assumption that if we can get all the facts on the table, we can quickly figure out who&#8217;s right, who&#8217;s wrong and how to make the victim whole.  (Remember that this is a very different standard from the criminal &#8220;innocent until proven guilty&#8221; rule.)  If you have a document that might be relevant to the case, you are required to produce it to the other side and to the court.</p>
<p> There are a few limits to that broad discovery, however.  You can hold back documents (or parts of documents) that are attorney-client privileged or that contain confidential information like SSNs, medical details, etc. as long as those details are not relevant to the case.  You also cannot be compelled to produce documents you don&#8217;t have.  Courts are not supposed to be able to force you to create new records or documents just to respond to a discovery request.</p>
<p> TorrentSpy does not log user transactions during their normal operations.  They do so to protect users&#8217; privacy and because they have no operational need for the data in their normal course of business.  MPAA argues that it also makes it easier for people who download pirated material to work in the shadows.  They may be right.  Regardless, TorrentSpy argued that requiring them to turn on logging is the same as requiring them to begin creating new documents just for this case.  From a legal point of view, they&#8217;re right.</p>
<p> The judge got around this by arguing that the data already exists in the computer&#8217;s RAM.  Therefore, she is not asking them to create new documents, merely to produce existing data in a more usable form.  You can read the original order <a href=http://i.i.com.com/cnwk.1d/pdf/ne/2007/Torrentspy.pdf>here</a>.  She does cite some other Ninth Circuit decisions involving RAM but, in my opinion, she is either misreading or misapplying the underlying facts.</p>
<p> RAM is not and cannot be considered a &#8220;document&#8221; for the purposes of eDiscovery.  RAM is the ephemeral memory that the computer uses to make calculations and to quickly access the data in other places.  Think of RAM as the running total that you carry in your head when adding a column of digits.  (The data on your hard-drive may hold the result of your calculation in a spreadsheet but that&#8217;s a completely different kind of memory.  The hard-drive data generally <i>is</i> reasonably accessible.)  There is no possible way to record the billions of transactions per second that flash through the RAM of even a small computer.  Attempting it would consume more permanent memory than exists in the world.  And, by the way, writing all that content also requires transactional decisions and data that pass through RAM.  The act of recording it spoliates it.</p>
<p> Okay.  The judge is not really an idiot.  She is seeking a justification to force cooperation from a company that&#8217;s not really playing fair.  She wants them to turn on logging.  Logging is cheap and easy &#8211; at least compared to most other electronic discovery activities.  From a social policy point of view, I&#8217;m torn.  TorrentSpy probably should be cooperating and not being stupid about the &#8220;costs of logging&#8221; and the applicability of Dutch privacy law.  On the other hand, TorrentSpy is not being accused of any direct misdeeds.  They are being pulled in as a third-party in MPAA&#8217;s attempt to sue their own customers.  MPAA&#8217;s heavy-handed approach is not winning them any friends.  Whichever side you agree with, though, the judge&#8217;s contortions about the technological facts of RAM to make her rationalization will get used as precedent outside this narrow circumstance.  As the saying goes, &#8220;Bad facts make bad law.&#8221;</p>
<p> The judge&#8217;s decision is already being appealed and has been stayed pending that decision.  Her decision has been upheld once but appeals continue.  On both technological and legal grounds, I sincerely hope that her decision is overturned.  Congress needs to address the problem of compelling cooperation from companies like TorrentSpy but they need to do it cleanly &#8211; a new law, not judicial twisting and rationalization.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/06/is-ram-a-document/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shredded documents can be unshredded</title>
		<link>http://rossander.org/infosec/2009/09/shredded-documents-can-be-unshredded/</link>
		<comments>http://rossander.org/infosec/2009/09/shredded-documents-can-be-unshredded/#comments</comments>
		<pubDate>Mon, 28 Sep 2009 14:24:04 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Records Retention]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=516</guid>
<description><![CDATA[Shredded papers can be unshredded.  With new scanners and computer algorithms, it's easier than ever.  Here are some tips to make it more difficult.]]></description>
			<content:encoded><![CDATA[<p> Shredding is the ultimate defense, right?  Once it&#8217;s shredded, it&#8217;s gone!</p>
<p> No longer.  It was always vulnerable if your attacker had the shredded chaff and plenty of free time.  Think of the shredded embassy documents from the Iranian Hostage crisis of 1979.  Those students reconstructed the pages with nothing more than scotch tape and patience.  More recently, methamphetamine users have been hired by identity theft ringleaders to do the same thing.</p>
<p> Bill Wilson recently found a number of services which make the &#8220;unshredding&#8221; problem much more manageable.  In the Enron case, the government hired <a href=http://www.churchstreet-technology.com/>ChurchStreet Technology</a> to scan the chaff, then used computer algorithms to piece the documents together.  They claim to take the recovery time from hundreds of hours down to mere minutes.  It&#8217;s expensive but not terribly complicated.</p>
<p> So how do you fully protect your waste paper in this new environment?</p>
<ol>
<li> If you&#8217;re still using a strip-cut shredder, get rid of it now.  Upgrade to a cross-cut that chops the paper into very small bits of chaff.</li>
<li> Feed your pages into the shredder vertically, that is, with the words perpendicular to the shredder blades.</li>
<li> Don&#8217;t have unusual-colored paper.  Or if you do, shred enough of it that it can&#8217;t be easily picked out.  The rule in the army used to be no less than 20 sheets of any given paper type in each shred &#8220;lot&#8221;.</li>
<li> Stir the chaff before disposal.  A careful opponent could exploit the fact that pieces from the same document tend to come out of the shredder close to each other and remain so in the waste bag.  A few quick stirs can randomize the chaff and make reconstruction much harder.</li>
<li> Send the chaff to a paper recycler.  Even the best reconstructors can&#8217;t bring a page back after it&#8217;s been turned into new paper pulp.  Of course, you have to be sure that your waste isn&#8217;t intercepted before it hits the recycler but there are several bonded shredding companies that will do that for you.</li>
</ol>
<p> How much is enough?  It depends on who&#8217;s out to get you.  For most home users and small businesses, step two is probably enough.  If you really have something to hide, consider three and four and look into five when your shredding contract comes up for renewal.  Find the right balance, remembering that identity theft is real but that most of us are not dealing with DoD nuclear secrets.</p>
<p> Bill Wilson writes a weekly newsletter for the Big I Virtual University, an arm of the <a href=http://www.iiaba.net/>Independent Agent&#8217;s Association</a>.  It&#8217;s filled with useful information and includes a technology column in almost every issue.  If you have a small business, you should consider subscribing to his newsletter even if you&#8217;re not in insurance.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2009/09/shredded-documents-can-be-unshredded/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Desktop is evil &#8211; updated</title>
		<link>http://rossander.org/infosec/2008/12/google-desktop-is-evil-updated/</link>
		<comments>http://rossander.org/infosec/2008/12/google-desktop-is-evil-updated/#comments</comments>
		<pubDate>Mon, 15 Dec 2008 20:29:56 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Records Retention]]></category>
		<category><![CDATA[e-discovery]]></category>
		<category><![CDATA[ediscovery]]></category>
		<category><![CDATA[electronic discovery]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=6</guid>
		<description><![CDATA[Google Apps Team Edition creates a hole by which your staff could bypass your records retention policies.  Make sure you have the "Network Storage and Backup" category blocked by your webfilter.
]]></description>
			<content:encoded><![CDATA[<p> Google continues to roll out new applications to make sharing information easier.  Kudos to them for some really creative programming.  From a security point of view, though, you have to wonder what they are thinking.</p>
<p> Their Google Apps Team Edition allows employees to sign up for the Google Applications without any assistance or oversight from IT.  Team Edition contains the core applications and collaboration services like the word processor, spreadsheet, Start page, Talk instant messaging and calendar, but does not include Gmail.</p>
<p> In any regulated or litigious industry, this is a recipe for disaster.  You might save a few bucks on word processing and spreadsheet software but you&#8217;re going to pay far more the first time you have to comply with an electronic discovery request or get into a dispute based on the Terms &#038; Conditions of the application.  Not only are you putting your confidential data in someone else&#8217;s hands and trusting the security of their data center with little or no evidence of their worthiness of that trust, you&#8217;re also still exposing all your data to the Google search indexing algorithms.  (For more, see the Tip from <a href=http://rossander.org/infosec/?p=88>April 2007</a>.)</p>
<p> Luckily, you can block the worst aspects of the application/data sharing without having to block off all of the google.com domain.  If your internet filter has a category for filesharing or for &#8220;Network Storage and Backup&#8221;, make sure that category is blocked.  You should also strongly consider blocking any category about &#8220;Web chat&#8221; so you don&#8217;t have to worry about <a href=http://rossander.org/infosec/?p=82>electronic discovery</a> requests for instant messages that you didn&#8217;t properly control.<br />
Read more about Google Apps&#8217; latest attempt to bypass the business at <a href=http://www.computerworld.com/action/article.do?command=viewArticleBasic&#038;articleId=9061440>ComputerWorld.com</a>.</p>
<hr />
<p> <b>Update</b> to <a href=http://rossander.org/infosec/?p=14>Suing the scareware vendors</a>  (27 Oct 2008)<br />
The Federal Trade Commission has gotten a restraining order against two companies who were marketing <a href=http://rossander.org/infosec/?p=34>scareware</a> software.  It&#8217;s very good to see law enforcement successfully prosecuting these scammers.  Remember, however, that there are lots more out there.  Always be suspicious of pop-up &#8216;alerts&#8217; and ads warning you about &#8220;illegal porn content&#8221; or &#8220;compromised software&#8221; on your computer.  Read more at the <a href=http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt121.shtm>FTC&#8217;s consumer alert page</a>.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/12/google-desktop-is-evil-updated.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/12/google-desktop-is-evil-updated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft disables old file formats</title>
		<link>http://rossander.org/infosec/2008/10/microsoft-disables-old-file-formats/</link>
		<comments>http://rossander.org/infosec/2008/10/microsoft-disables-old-file-formats/#comments</comments>
		<pubDate>Mon, 13 Oct 2008 17:19:15 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Records Retention]]></category>
		<category><![CDATA[electronic discovery]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=16</guid>
		<description><![CDATA[Microsoft is making some old file formats obsolete.  If you're keeping those old files, you may not be able to open them anymore.
]]></description>
<content:encoded><![CDATA[<p>We talked last week about the problems of <a href=http://rossander.org/infosec/?p=17>holding onto old documents</a>. Microsoft just made the problem even more complicated.</p>
<p>In the Service Pack 3 (SP3) update for Office 2003, Microsoft is blocking a number of older file formats so they can no longer be opened by MS products like Word, Excel or PowerPoint. Microsoft is walking away from its commitment to backwards compatibility because many of the older file formats had weaknesses that could be exploited by hackers to insert viruses and other malicious code into your computer. By disabling the older formats, Microsoft reduces the vulnerability of the Office applications to some of those kinds of attacks.</p>
<p>The problem is that if you are keeping old files in their native format as part of your records retention plan, you may no longer be able to open them. (Worse, if you get sued and have to turn over those documents, the courts don&#8217;t care about format compatibilities. You still have the document – it&#8217;s your responsibility to make sure that it can be opened and evaluated.)</p>
<p>Microsoft has two workarounds for this problem – neither very good.</p>
<p>The first involves modifying your registry settings so your computer can still open the older formats. That is a high-risk action and I do not recommend it. Not only does it defeat the security advantage of the change, any mistake when editing the registry settings can corrupt your entire computer. Even Microsoft warns against it, saying &#8220;Serious problems might occur if you modify the registry incorrectly.&#8221; and &#8220;Modify the registry at your own risk.&#8221;</p>
<p>The second is to convert all your historical documents to the newer format. Microsoft has some automated tools to help but the conversion process is much more labor-intensive and error-prone than I think Microsoft wants to admit. I would seriously question the business case for converting any but your most critical official records.</p>
<p>There is a third option which I consider far better. Take this opportunity to check those old documents against your <a href=http://rossander.org/infosec/?p=82>retention policy</a> and clean out the ones that you should have gotten rid of long ago. For the few that you must retain, make sure that you are keeping your business records in a stable format. Don&#8217;t save files in their native MS Word document format &#8211; convert them to PDF or even TIFF. Those formats are simpler and have far fewer holes that a hacker could exploit. They&#8217;re also designed to remain readable across many generations of software.</p>
<p>Call your IT team for instructions on how to convert an old file to an updated format.</p>
<hr />
<p><b>Addendum:</b><br />
Bill Wilson at IIABA&#8217;s <a href=http://www.iiaba.net/vu>Virtual University</a> published the tip above in his newsletter and received the following question.<br />
<i>What are the file extensions that Microsoft has abandoned? I think it would be very helpful to know as we would then be able to do searches for those file types stored on our system. Thank you.</i></p>
<p>As Bill pointed out to the questioner, the file extensions alone will not tell you which file formats have been disabled, since Microsoft continues to use the same file extensions for the newer versions of its software. (A Word document carries the .doc extension whether it&#8217;s Word 1.2, Word 2003 or any version in between.) Microsoft has a little bit more information about the changes <a href=http://support.microsoft.com/kb/938810/en-us>here</a> but no new answers.</p>
<p>You can read another article about the problem at <a href=http://blog.wired.com/monkeybites/2008/01/microsoft-offic.html>wired.com</a>.<br />
Thanks to Bill for finding those extra links.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/10/microsoft-disab.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/10/microsoft-disables-old-file-formats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Being a packrat costs a lot of money</title>
		<link>http://rossander.org/infosec/2008/10/being-a-packrat-costs-a-lot-of-money/</link>
		<comments>http://rossander.org/infosec/2008/10/being-a-packrat-costs-a-lot-of-money/#comments</comments>
		<pubDate>Mon, 06 Oct 2008 23:55:11 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Records Retention]]></category>
		<category><![CDATA[document lifecycle]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=17</guid>
<description><![CDATA[Holding onto old paper documents is expensive.  Old electronic documents are even more expensive, though the costs are hidden.  Decide carefully what to keep.
]]></description>
			<content:encoded><![CDATA[<p>Holding onto old documents is hard and far more expensive than most people realize.</p>
<p>In the paper world, the paper just keeps piling up.  The paper must be protected from theft and damage (fire and water) and if it&#8217;s ever going to be useful again you need some sort of filing and record-keeping system.  A proper records retention facility is expensive to run.</p>
<p>With electronic documents and cheap memory, many people started to think that we could now hold onto everything.  A two-gigabyte thumbdrive can hold up to the equivalent of 400,000 pages of documents.  That&#8217;s 80 <i>boxes</i> of copy paper.  And, being electronic, I can type in a few keywords and let the computer find the document I want.  No more filing!  Right?</p>
<p>Not by a long shot.  Memory may be cheap but usable storage isn&#8217;t.</p>
<p>Electronic storage costs explode as file formats change over time. For example, a first notice of a claim involving a minor child has to be kept for up to 24 years (the child&#8217;s age of majority plus four). What word processor were you using 24 years ago? What printer was the program compatible with? What operating system did it run on? What drivers did it need to operate? What hardware did it use? When was the last time you even saw a 5¼&#8221; floppy drive, much less an old 8&#8243; floppy? How much can you afford to pay IT to keep a working version of every system and application in the company&#8217;s history?</p>
<p>And that&#8217;s assuming you can find the file in the first place. We are used to thinking of searching as being as easy as Google. In fact, searching for documents is very hard when documents are scattered across ad-hoc structures like personal hard-drives and departmental folders. Solutions that try to solve the ad-hoc storage (like <a href=http://rossander.org/infosec/?p=88>Google Desktop</a>) create new problems, especially around the security of the index.</p>
<p>Keeping old records also exposes you to legal costs down the road. Under the new electronic discovery rules, a company must search through all its old documents just to see if they hold anything that might possibly be relevant to the lawsuit. One class action lawsuit can run into millions of dollars just in search and review costs &#8211; and that&#8217;s even if you don&#8217;t find anything. If you do have a relevant document, now you have to convert it, produce it and defend it from anyone who tries to take your words out of context. That&#8217;s expensive.</p>
<ul>
<li> If your <a href=http://rossander.org/infosec/?p=82>Records Retention Policy</a> doesn&#8217;t explicitly require you to keep the record, don&#8217;t keep it. Throw it away and then you don&#8217;t have to worry about storage or formats. The cost of recreating those few useful things that we lose will be far less than the cost of hanging on to all the rest of the trash.</li>
<li> If you do have to keep a document, think long and hard about what format to save it in. Convert the file to a more stable format such as PDF or even TIFF. Those formats are designed to remain readable across many generations of software. Call your IT team for instructions on how to save a file to an alternate format.</li>
</ul>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/10/being-a-packrat.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/10/being-a-packrat-costs-a-lot-of-money/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Metadata &#8211; defined</title>
		<link>http://rossander.org/infosec/2008/07/metadata-defined/</link>
		<comments>http://rossander.org/infosec/2008/07/metadata-defined/#comments</comments>
		<pubDate>Mon, 21 Jul 2008 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Records Retention]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=27</guid>
		<description><![CDATA[Metadata is getting a lot of press lately, especially among companies that are wrestling with the new electronic discovery standards issued by the US Supreme Court. But what is it really? Technically, metadata is data about other data. If the customer&#8217;s address is data, the number of entries in your address book is metadata. If [...]]]></description>
			<content:encoded><![CDATA[<p>Metadata is getting a lot of press lately, especially among companies that are wrestling with the new electronic discovery standards issued by the US Supreme Court. But what is it really?</p>
<p>Technically, metadata is data about other data. If the customer&#8217;s address is data, the number of entries in your address book is metadata. If the body of a Word document is data, the date you last opened the file is metadata. If the values in an Excel spreadsheet are data, the formulas in each cell are metadata.</p>
<p>From a legal point of view, metadata is everything about the document that&#8217;s not immediately visible when the document is printed. It includes all the MS Office &quot;properties&quot; like file size, author and character count. It also includes any hidden features such as the old versions that are still buried in the document when you leave the Track Changes option on. It includes formulae in spreadsheets and formatting commands like the print area.</p>
<p>For most normal uses, the metadata about a document is just background. We take it for granted and almost always ignore it. But if your metadata reveals facts that you wanted to keep private, it can be embarrassing and expensive. In one case, a major pharmaceutical company deleted some study data from a report – and got caught when the New England Journal of Medicine looked in the Tracked Changes to show the deleted comments. In another case, a confidential White House policy paper about Iraq was outed when a quick command revealed the report&#8217;s author. In yet another case, officials covered up classified information with black bars, not realizing that readers could easily uncover the text by copying it from under the black and pasting it elsewhere.</p>
<p>When you get into a legal situation, metadata becomes even more important. Metadata is used to show &#8220;who knew it and when they knew it&#8221; – to provide the context around the document in question. Metadata can either clear you or convict you. Because of its importance, metadata must be preserved and unaltered when you are collecting documents that will be used in court. This is hard because routine Windows operations will change the metadata just by opening the file. Make sure that you have the tools you need to keep metadata intact before you get into the lawsuit.</p>
<p>And, of course, be very careful before you post a document publicly. Make sure you clean out the metadata that you don&#8217;t want public.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2008/07/metadata---defi.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2008/07/metadata-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Home Shredders</title>
		<link>http://rossander.org/infosec/2007/11/home-shredders/</link>
		<comments>http://rossander.org/infosec/2007/11/home-shredders/#comments</comments>
		<pubDate>Mon, 05 Nov 2007 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Records Retention]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=60</guid>
		<description><![CDATA[How secure are you from identity theft? For all that we are (and ought to be) worried about hackers and other threats to our electronic information, researchers estimate that 55% of all cases of identity theft are based on information from paper. Could someone find credit card numbers, bank account numbers or social security numbers [...]]]></description>
			<content:encoded><![CDATA[<p>How secure are you from identity theft? For all that we are (and ought to be) worried about hackers and other threats to our electronic information, researchers estimate that 55% of all cases of identity theft are based on information from paper. Could someone find credit card numbers, bank account numbers or social security numbers in your trash?</p>
<p>Garbage left at curbside is considered to be in the public domain. That means it&#8217;s not illegal for someone to take items out of your trash. And don&#8217;t think that someone won&#8217;t go through it just because it&#8217;s mixed in with the dirty diapers. In many municipalities, all the waste is opened and manually sorted as part of the area&#8217;s recycling program. In Medina County, for example, your trash is touched by about 20 people between the time you put it in your trash can and it ends at the bottom of the landfill. Your credit card statement is a great temptation.</p>
<p>Home-quality shredders are available for as low as $40. If you don&#8217;t yet have a shredder at home, you need one. We all need to be concerned with how much of our information can be accessed from our mail, including our credit card and bank statements, and any other piece of mail that may provide confidential information. Anything that has your name, address, phone number or any kind of account number on it should be shredded before discarding. Credit cards should be destroyed by cutting the card across the number.</p>
<p>There are two basic kinds of shredders: strip-cut and cross-cut. Most of the cheaper shredders are strip-cut. They cut the pages into strips between 1/8 and 1/4 inches wide. Cross-cut shredders (also called &quot;confetti-cut&quot;) will chop the strips into smaller pieces, and thus provide much greater protection. The other factors commonly used to compare shredders are durability and capacity (how many pages can it shred at a time without jamming).</p>
<p>Note: Keep the shredder unplugged or locked away when young children are around.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2007/11/home-shredders.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2007/11/home-shredders/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Email can come back to haunt you</title>
		<link>http://rossander.org/infosec/2007/10/email-can-come-back-to-haunt-you/</link>
		<comments>http://rossander.org/infosec/2007/10/email-can-come-back-to-haunt-you/#comments</comments>
		<pubDate>Mon, 29 Oct 2007 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[Records Retention]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=61</guid>
		<description><![CDATA[This Tip was first run in October 2006. This &#34;encore tip&#34; is a reminder to be professional in email. Halloween is a time for scary stories &#8211; tales of vampires and ghouls rising from the dead to terrify innocents &#8211; a time when things that you thought were dead and buried come back to haunt [...]]]></description>
			<content:encoded><![CDATA[<p><em>This Tip was first run in October 2006. This &quot;encore tip&quot; is a reminder to be professional in email.</em></p>
<p>Halloween is a time for scary stories &#8211; tales of vampires and ghouls rising from the dead to terrify innocents &#8211; a time when things that you thought were dead and buried come back to haunt you.</p>
<p>Unfortunately, the analogy between badly written email and the undead is sometimes all too appropriate. A hasty word can return to haunt you long after you hit the send button and thought the conversation was over. Careers have been destroyed, money lost and relationships ruined when an email returned from beyond.</p>
<p>Americans have a bad habit of treating email very casually – as an extension of our last phone conversation or a continuation of the chat in the hallway. We assume that the message is private and that the recipient will understand the context and correctly interpret our tone.</p>
<p>In fact, email is more like a <a href=http://rossander.org/infosec/?p=127>postcard</a> &#8211; anyone can read it while it&#8217;s in transit and any of the recipients can save it, forward it or post it to the internet. Electronic copies can remain in archives and electronic message hubs all over the Internet – places that neither the sender nor the recipient can control. Emails can be subpoenaed and forced into the public record. You have no right of privacy in your email, either sent or received. When you write an email, you must assume that it will be read by an unknown and unforeseen audience.</p>
<p>That unknown audience will assume that you carefully crafted and wordsmithed your message (or, if not, that the hurried email is evidence of the writer&#8217;s &#8220;real state of mind&#8221;). They will not believe that you were &#8220;just joking&#8221; and won&#8217;t care that you were trying to dash off a quick note. They will interpret the tone according to their own preconceptions.</p>
<p>Always assume that anything you write will come out at the worst possible time and in the worst possible light. Be professional in your email. Include enough context that the unforeseen reader understands the message. Be personable yet professional in tone. (In particular, <b>never</b> use sarcasm in email.) Never write anything that you would be embarrassed to see on the front page of tomorrow&#8217;s newspaper.</p>
<p>Remember, email can come back to haunt you.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2007/10/email-can-come.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2007/10/email-can-come-back-to-haunt-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Create a &#8220;_readme&#8221; for folders</title>
		<link>http://rossander.org/infosec/2007/10/create-a-_readme-for-folders/</link>
		<comments>http://rossander.org/infosec/2007/10/create-a-_readme-for-folders/#comments</comments>
		<pubDate>Mon, 22 Oct 2007 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Records Retention]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=62</guid>
		<description><![CDATA[Whether you use shared folders or keep files on your personal drive, eventually others in your organization will need to find some of the files that you&#8217;ve created or saved. Electronic searches help some but it&#8217;s still important to file your ad-hoc documents carefully if you ever hope to find them again. In order to [...]]]></description>
			<content:encoded><![CDATA[<p>Whether you use shared folders or keep files on your personal drive, eventually others in your organization will need to find some of the files that you&#8217;ve created or saved. Electronic searches help some but it&#8217;s still important to file your ad-hoc documents carefully if you ever hope to find them again. In order to help the rest of your team members (especially future team members) understand your new filing system, I strongly recommend creating a very small file in each folder describing the:</p>
<ul>
<li>purpose of the folder</li>
<li>owner of the folder</li>
<li>intended audience and users of the folder – who should and should not have access</li>
<li>retention period – how long should we generally keep the documents in the folder<sup>†</sup></li>
</ul>
<p>If you name the file <tt>_readme.txt</tt>, the underline will cause the file to sort itself to the top of the list where everyone can find it. Here&#8217;s an example of one I created to describe the folder where I hold my InfoSec Tips drafts. <a href=http://intranet.westfieldgrp.corp:8001/data/bin/InfoSec/_readmeExample.txt>_readme.txt</a></p>
<p><sup>†</sup> When deciding on the appropriate retention period, refer to your organizational Retention Policy for guidance. And remember that &#8220;forever&#8221; is technically possible but outrageously expensive for electronic documents. Westfield is 159 years old. If they say that a document should be kept &#8220;forever&#8221;, they are handing their IT department a blank check to spend whatever it takes to make sure that the document will still be here in another 159 years. There aren&#8217;t very many documents with that kind of business need. Make your best estimate of the realistic business need for the documents in the folder. Also remember that saying you want to keep a document for 12 months does not mean that it will be automatically deleted. You (or someone in your organization) will still have to clean out the folder when the documents are no longer necessary.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2007/10/create-a-_readme-for-folders/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shredding is a Federal requirement</title>
		<link>http://rossander.org/infosec/2007/10/shredding-is-a-federal-requirement/</link>
		<comments>http://rossander.org/infosec/2007/10/shredding-is-a-federal-requirement/#comments</comments>
		<pubDate>Mon, 08 Oct 2007 07:00:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Records Retention]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=64</guid>
		<description><![CDATA[Under Federal Trade Commission regulation, any information about an individual that is derived from a consumer report or is a compilation of such records must be properly destroyed. These days, almost all customer information has some connection to a consumer report and is covered under this regulation (scroll to pg 32). The regulation does [...]]]></description>
			<content:encoded><![CDATA[<p>Under Federal Trade Commission regulation, any information about an individual that is derived from a consumer report or is a compilation of such records must be properly destroyed. These days, almost all customer information has some connection to a consumer report and is covered under <a href="http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf" target="_blank">this regulation</a> (scroll to pg 32).</p>
<p>The regulation does not actually require shredding but for most of us, that is the only cost-effective way to comply with the regulation&#8217;s requirements for destruction. Papers in regular trash are exposed to the public and any private information on those papers can be misused by an identity thief. It can cost your customers thousands of dollars to get their identity back and could be considered a violation of federal privacy laws.</p>
<p>I strongly recommend a &quot;shred all paper&quot; policy for your office because there is too much risk that a piece of personal information will be overlooked on the back side of a form or that the page was used for scratch paper while you were on the phone. It&#8217;s also easier to enforce the policy when you have a simple rule like &quot;No office paper may be thrown away in the regular trash.&quot;</p>
<p>Very small offices can get away with a personal shredder. If you&#8217;ve got more than about 10 or 15 people in the office, it&#8217;s probably more cost-effective to contract with a reputable shredding vendor who will pick up and properly dispose of your paper waste. Most of the shredding vendors will provide locked bins where the paper waste can be stored until pickup. Have enough bins to be convenient for staff.</p>
<div align=right><small><i>From <a href=http://infosec.westfieldinsurance.com/2007/10/shredding-is-a.html>westfieldinsurance.com</a></i></small></div>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2007/10/shredding-is-a-federal-requirement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
