Black Chambers

PREVENTATIVE, REACTIVE, most importantly PRIVATE.

The Consumer Financial Protection Bureau issued its first enforcement action for misrepresenting data security practices. In the simplest terms possible, the CFPB has made it clear that if companies are going to ‘talk the talk’ about data security practices, they also have to ‘walk the walk.’ In addition to a $100,000 fine, the CFPB ordered online payment systems operator Dwolla to take immediate steps to ramp up its security practices on many fronts.

Though hitherto never exercised in the data security context, the CFPB derives its authority to regulate from the Dodd-Frank Wall Street Reform and Consumer Protection Act. Dodd-Frank provides the CFPB power to take action against institutions engaged in “unfair, deceptive or abusive acts or practices.” Signalling data security practices are within their jurisdiction and in their sights, the CFPB’s scathing press release about Dwolla’s deceptive practices indicates further enforcement is sure to come.

Several facts make this action especially interesting and relevant to data security planning and practices:

1. There was no data breach. Historically, any regulation or fine was a direct result of some form of breach, which led a regulator to inquire about company practices. This is an enforcement action without any such precursor, and it means that any company with public-facing statements about data security practices can be subject to scrutiny.

2. Dwolla’s policies made explicit statements that their practices “exceed[ed]” or “surpass[ed]” industry data security practices, including PCI-DSS. On examination, Dwolla’s practices fell far short of anything even beginning to resemble sound data security practices, and included misrepresentations about the amount of data encrypted, security implemented, and transmission of sensitive data as clear text.

3. Dwolla management now has an ongoing reporting requirement to the CFPB for a period of five (5) years about its security practices and posture. It also established an affirmative obligation of the Dwolla Board of Directors to review all “plans, reports, programs, policies, and procedures,” before these documents are submitted to the CFPB. Obliging the Board is an overt demand for responsibility and accountability on CFPB’s part, and is likely to be part of any future enforcement action.

This is a blaring wake-up call to companies housing, collecting, or processing personal or financial data. In the words of the CFPB, “deception about security and security practices is illegal.” Review, revision, and auditing of security policies is a must.

Government regulation of data security is on the rise. And there is the possibility of regulatory scrutiny from multiple federal and state agencies with often overlapping and unclear jurisdictional boundaries.

These are necessary and sufficient reasons for a company’s data security practices and planning to be performed in a legally privileged context and overseen by experienced attorneys who are themselves information security professionals.

At Black Chambers, this is what we do and why we exist. Please contact us by e-mail for a consultation.

Black Chambers, together with the Blackstone Law Group, spoke about the ongoing battle between ISPs and copyright holders at the first annual BloomCon Digital Forensics Conference held at Bloomsburg University on 5 February 2016.

Focusing on the landmark decision coming out of the US District Court for the Eastern District of Virginia between Cox Communications and BMG Rights Management, Black Chambers discussed the information security and legal implications of the decision and jury verdict that removed DMCA immunity from Cox Communications and held them accountable for the copyright-infringing activities of their customer base to the tune of 25,000,000 USD.

Stepping through the legal reasoning of the decision to remove DMCA immunity from Cox, Black Chambers provided a detailed account and analysis of the internal Cox e-mails that articulated sham “under the table” DMCA compliance policies designed to “collect a few extra weeks of payment” that were directly attributable to Cox’s loss. A clear takeaway was that had these legal DMCA compliance discussions occurred with an attorney – i.e., within the zone of protection of the attorney-client privilege – the damaging e-mails that led to Cox’s loss would not have been made public, and Cox would have very likely prevailed.

Going further, Black Chambers and Blackstone Law Group discussed the information security and compliance issues facing communications carriers resulting from this decision, the effects of enhanced DMCA accountability and user monitoring, and the anti-forensic countermeasures expected to be employed to stymie such efforts.

For a copy of our slide deck and presentation, or to speak further about this issue, please contact us.

Sometimes the signal to noise ratio can unintentionally function as a security feature.  In other words, if you are a needle hiding in a haystack, the hay protects and provides the cover of camouflage.  E-Discovery turns this analogy on its head, which is why information security for law firms and e-Discovery vendors is a pressing and critical issue.

The very nature of the expansive disclosure obligations amongst parties to a litigation under US and UK law mean that vast quantities of data are going to be transferred between the players.  The process by which this occurs is familiar to lawyers, especially younger associates who have been delegated the unenviable task of sifting through thousands of e-mails, documents, and reports to identify the very high-grade ore amongst the rubble dumped on their firm. As for the side doing the dumping, e-mails, documents, and reports which are considered trade secrets, privileged, or otherwise confidential and non-responsive have been tagged and culled, before the exchange of data. 

In short, the hay has been sifted and all the needles identified.  

If these needles are the digital equivalent of trade secrets, privileged communications, confidential business plans, or any other sort of data that should not make its way to the public domain, then perimeter security surrounding this data at rest should be – at a minimum – viewed as a best practice.

In an article published recently by Bloomberg BNA, Gabe Friedman makes several excellent recommendations for drafting protective orders that require a receiving party be responsible for reasonable information security practices when receiving and handling data during the discovery phase of a litigation.  

Friedman recommends litigants should require their adversaries to do the following: 

  1. Sign a protective order attesting that the receiving law firm meets certain basic cybersecurity protocols and that it indemnifies the disclosing party against any risk of breach;
  2. Use a trusted e-Discovery vendor; or
  3. If all else fails, the party must access the data through a separate trusted e-Discovery vendor.

These recommendations, however, raise several additional issues for law firms and litigants, especially in light of the alarming prediction that 80% of the top 100 law firms have already been compromised.  Namely: 

  1. What are the basic cybersecurity protocols a law firm should apply as a matter of best practices?
  2. Are law firm practices case-specific, meaning do some matters require more information security precautions than others; and if so, which?
  3. What is a trusted e-Discovery vendor, and what are the e-Discovery best practices designed to enhance information security?

Add to this the complex issue of auditing the security of your adversary or e-Discovery vendor and you have a hydra-like combination of information security, law, compliance, and judicial economy.  And with information security concerns on the rise for litigants and firms alike, these issues are sure to be raised frequently and fervently.

These mixed questions of law and security are the reason why Black Chambers exists.  We are here to help establish best information security practices for your firm, and will be there if your organization needs to find a trusted e-Discovery vendor, or audit your adversary.  


Addressing novel legal theories to combat revenge porn and the technical means available to reduce the risk that explicit photos are retained and shared, Black Chambers CEO, Alexander Urbelis, recently published an article in the NY State Bar Association publication 'Perspectives' entitled, 'The (Il)legalities and Practicalities of Revenge Porn.'

If you watch The Newsroom, you may recall the Season 2 horror, when comely business news anchor, Sloan Sabbith, suddenly realizes that salacious photos of her have been posted on a “revenge porn” site, and were trending on social media.1 Fiction aside, revenge porn, “or sexually explicit media that is publicly shared online without the consent of the pictured individual,”2 is a real world problem and becoming increasingly common. The law is reacting, but as is often the case with novel, tech-driven wrongs, most legal redress is cumbersome, ill-fitting, and insufficient.

There are, however, novel legal theories to combat revenge porn at the federal level, and criminal statutes—though of questionable efficacy—at the state level. And, as a practical matter, if a person does share intimate photos, there are technical measures to reduce the likelihood they will remain in another’s possession or subject to misuse.

Revenge Porn and the Law at the Federal Level

A particularly heinous instance of revenge porn involving a current law student has found its way into the U.S. District Court for the Central District of California. Filed by attorneys from K&L Gates, appearing pro bono on behalf of a pseudonymous plaintiff, the complaint alleges that the victim’s ex-boyfriend posted sexually explicit material to revenge porn websites, then contacted the victim’s friends and colleagues to provide direct links to the obscene material.3

This unique federal litigation, seeking injunctive relief and damages, relies on copyright law for jurisdiction. The theory is that since the victim created the images, it is she who owns their copyright. The ex-boyfriend, by posting the images without her consent, is violating the Copyright Act of 1976, entitling the victim to injunctive relief.

There is, however, a major hitch to this approach: relying on copyright law requires that the explicit images be registered with the U.S. Copyright Office. This process is not only cumbersome, but unrealistic and painful for the victim. What is more, assuming the injunction is effective as to the ex-boyfriend, no legal relief can prevent further dissemination of the images. A court can grant relief only regarding a single defendant, and cannot enjoin downstream websites from displaying or transferring the offending images, or prevent search engines, such as Google, from displaying disparaging search results that point to these sites.

Another legal tactic, combating revenge porn with Digital Millennium Copyright Act (DMCA) takedown requests, has sometimes had the opposite of the intended effect. Websites have displayed takedown requests with pride to draw more attention (and clicks) to the offending material. The obvious intent behind this brazen disregard is to discourage future DMCA requests, and it is likely that this audacious tactic is effective.

In sum, copyright law may indeed provide a partial remedy for some patient victims willing to jump through the hoops required of the U.S. Copyright Office, but it is hardly a silver bullet.

Criminalizing Revenge Porn

Defining revenge porn as a criminal act is the clearest signal that this conduct will not be tolerated. Only 13 states criminalize revenge porn, and, technically, New York is not one of them.4 On the international front, Israel was the first to pass a revenge porn statute and the U.K. the latest to tackle the issue.5 The mere existence of such laws may be a powerful deterrent. But there are practical considerations for successful prosecutions, and the possibility of foreseeable but unintentional consequences on several fronts.

Chief among practicalities, the law must fit the crime. In New York, the first prosecution of revenge porn failed, largely because existing laws did not reach this sort of conduct.6 Harassment was not an option because the material was not sent to the victim herself; unlawful surveillance was inapplicable because the images were created consensually; and the display of offensive materials was similarly inconsonant because nudity is not, per se, offensive.

Responding to this and other failed prosecutions, on 1 November 2014, an amended version of New York’s unlawful surveillance statute went into effect, criminalizing the recording or broadcast of images of the sexual or private parts of another which are created without consent.7 Critics have argued that this amendment does not go far enough to protect victims. As a matter of fit, the law is still not a revenge porn statute—it is a re-engineered version of a peeping tom law. As such, the statute does not extend to sexual material created by mutual consent but distributed without the consent of the victim.

Carrie Goldberg, a board member of the Cyber Civil Rights Initiative, who is active in its ‘End Revenge Porn’ campaign, notes that: “In New York it’s criminal to share credit card numbers8 and pirated music,9 yet we have no such protections for the far more personal and devastating distribution of private sexual pictures.” Legislation10 introduced by New York Assemblyman Edward Braunstein would change this, and, according to Goldberg, protect victims regardless of the motive of the distributor, “whether for revenge, entertainment, money, ‘lulz,’ or no reason at all.”11

Another practical reason prosecutions fail is for a lack of resources. Revenge porn is a fast-moving, cross-border offense that occurs on several different technological platforms: cameras, smart phones, and web servers. Most local law enforcement and prosecutors do not have the financial, technical, or human resources to track and collect transient forensic evidence across several jurisdictions.

Disappearing Evidence and False Flags

A clear-cut case would look like this: a victim is notified of offending material that can be traced back to an image sent to an ex-boyfriend. The mobile device of that ex-boyfriend contains the image distributed without consent, and distribution can be traced to his IP address and his mobile device. Prosecutions, however, are rarely so straightforward.

The first stumbling block is the image itself. If neither the victim nor the ex-boyfriend have a record or copy of the image (perhaps both upgraded their devices or deleted old messages), then only their mobile carrier(s) will have a record of the initial transmission. Acquiring that data is time-consuming and resource-intensive.

But assuming no problem with the above, the next evidentiary hurdle is proof of distribution. Some exes may be so incensed as to throw caution to the wind, but a thoughtful offender would use a new device and public wi-fi for distribution. Technically astute offenders would use a throwaway device and a virtual private network (VPN), to make it seem as if the distribution originated from China or Russia. Acquiring logs and connection data from a foreign VPN provider (if such records are even kept) is both a crapshoot and a herculean task.12 But in the prosecutorial context, if you combine this type of anti-forensic behavior with the fact that mobile devices are often lost or stolen, and add to that the prevalence of data breaches and malware, you have something that begins to look very much like reasonable doubt.

With evidence difficult to collect and resources scarce, failed prosecutions may have serious unintentional consequences: discouraging victims from coming forward, deterring further prosecutions, and emboldening potential offenders.

Practical Advice for Cautious Couples

The best way to ensure images never make their way to revenge porn sites is obvious: do not create them. If, however, a person chooses to take and share intimate photos, there are technical measures that can decrease the likelihood of the image being retained and misused.

First: do not send intimate pictures through text message, iMessage, Whatsapp, or any other messaging platform that creates a continuous historical record of activity. Doing so makes it easy for a spurned lover to scroll backwards in time and find revealing photos exchanged during better times.

Second: if you do share private photos, use third-party messaging applications such as Wickr, Silent Circle, or Snapchat that “burn” images after a specified period of time. With these apps, it is possible to specify that the message or image remain with the recipient for as little as ten seconds. While this does not prevent screen captures of images, it does prevent a person from retrieving previously sent images. Further, apps such as Wickr and Snapchat make executing the screen capture function on an iPhone a more cumbersome process, reducing the likelihood that an image will be stored. Snapchat, by far the most popular app for sharing intimate photos, alerts senders when an image has been screen captured.13

Third: if sharing is not the goal, do not use an Internet-enabled device to capture private moments. Recall the standalone digital camera, the long-forgotten device used to take pictures and nothing more. Placing several steps between yourself and transmission of a private photo will make it less likely to occur.

Fourth: do not back up intimate photos to a cloud. Many devices, including iPhones, are configured, by default, to keep photos in a cloud’s central repository. Weak passwords and angry exes are an awful combination, and the cloud is an all too easy target.

Fifth and finally: Though unsexy, keep a detailed log of images sent and to whom they are sent. If the relationship devolves into a revenge porn fiasco, those contemporaneous records could be critical to a successful prosecution when evidence from other sources is lacking.

* * *

Technology will always outpace legislation. It is, therefore, no surprise that the legal remedies available to victims of revenge porn are inadequate. Federal remedies are slow, burdensome, expensive, and only partially effective. Criminalizing revenge porn is a strong statement, but also an imperfect solution because of the under-inclusive nature of the proscribed conduct and the ease with which evidence can be destroyed and prosecution frustrated.

What is clear, however, is that victims of revenge porn are seriously and irreparably harmed. The elements and mechanics of criminal statutes and the civil remedies available require further consideration and study. Unless and until such a time, the best defense is a good offense. The more we understand the permanence of our digital footprints and the technical measures at our disposal to reduce them, the better able we, as users, are to avoid the problem of revenge porn altogether.

Endnotes

1. Alan Everly, ‘The Newsroom’ Recap: Sloan’s Nude Photos Go Viral; Maggie’s Losing It, L.A. TIMES, 12 August 2013, http://lat.ms/1DCD0gz.

2. Revenge Porn, WIKIPEDIA, http://bit.ly/1u7p46r.

3. Civil Lawsuit on Revenge Porn, N.Y. TIMES, http://nyti.ms/1AKnHMA.

4. Revenge Porn: U.S. Laws, WIKIPEDIA, http://bit.ly/1MNupZG.

5. Rick Kelsey, Revenge Porn is Being Made a Specific Criminal Offence, BBC NEWSBEAT, http://bbc.in/1FB7HjL.

6. People v. Barber, 42 Misc. 3d 1225(A) (N.Y. City Crim. Ct. 2014).

7. N.Y. PENAL LAW § 250.45.

8. N.Y. PENAL LAW § 165.17.

9. A7811B-2011 (N.Y. 2011); N.Y. PENAL LAW § 275.00.

10. B. A571, 2015 Assem., Reg. Sess. (N.Y. 2015).

11. New York’s proposed revenge porn law establishes the crime of non-consensual disclosure of sexually explicit images as a class A misdemeanor. The bill is available at http://bit.ly/1GuN3Sy.

12. TorGuard, a prominent VPN provider, advertises that it does not keep logs of activity associated with an IP address. Further, it notes that hundreds of users are using any server at any particular time, making attribution of activity nearly impossible. See, Do You Keep Any Log Files, TORGUARD, http://bit.ly/1B5UMlv.

13. A cottage industry of third party applications that surreptitiously capture Snapchat images has developed. However, in recent months, Snapchat has implemented more sophisticated alert measures to combat this. Nothing, however, would detect whether a separate device, such as a camera, was used to photograph the screen of the recipient’s phone while the image was displayed.



Alex Urbelis is a lawyer and hacker with over 20 years of experience with information security. He has worked for the U.S. Army, the Institute for Security Technology Studies at Dartmouth, the CIA, the U.S. Court of Appeals for the Armed Forces, Steptoe & Johnson, and as information security counsel and CCO of Compagnie Financière Richemont SA (Richemont). Alex holds a BA, summa cum laude, in Philosophy from Stony Brook University, a JD, magna cum laude, from Vermont Law School, and the BCL from New College, University of Oxford.


The San Francisco Chronicle interviewed and quoted Black Chambers CEO, Alexander Urbelis, about the fallout from a controversial injunction ordered against German security research firm, ERNW, days before they were to detail vulnerabilities in FireEye's popular malware detection boxes at 44CON in London.

The injunction from a German court essentially functioned as a gag order and required censorship of major portions of the proposed presentation. In the article, Alexander Urbelis discussed the validity of the injunction and the reasons why this type of heavy-handed use of legal process does not sit well with the InfoSec community.
