Quoted in an article by SC Magazine concerning the State Department’s silence on matters of global privacy and cybersecurity practices, Black Chambers CEO Alexander Urbelis opined that the silence is “hardly surprising” given the inconsistent messaging from the administration, executive, and legislative components of federal and state government.
Going further, Urbelis stated that “If State takes a laudatory position on the UN resolution that offline human rights should be similarly protected online, then State is implicitly endorsing the work of digital rights activists, which could be seen to be at loggerheads with the administration's position on whistleblowers.”
The article, published by SC Magazine, is entitled ‘State Dep’t Crippled by Cyber Practices, Inconsistent Messaging from US Agencies,’ and was inspired, in part, by comments about cybersecurity made by President Obama this past weekend at two separate events.
Created on 2016-07-12 19:02:00
The DHS Intelligence Unit was scalded by an Inspector General report for a lack of business continuity and disaster recovery planning. Black Chambers CEO Alexander Urbelis was quoted by SC Magazine in an article addressing these failures, plans for improving business continuity preparedness, and the reasons for the major backlog of DHS Freedom of Information Act requests.
The SC Magazine article is entitled ‘Report: DHS Intelligence Unit Lacks “Adequate Oversight for Continuity Capabilities”’ and was based on the DHS Office of the Inspector General report of 16 May 2016, entitled ‘Office of Intelligence and Analysis Can Improve Transparency and Privacy.’
Created on 2016-05-26 14:30:17
In an SC Magazine article discussing the information security practices of Secretary of State Clinton, Black Chambers CEO Alexander Urbelis was quoted on proper methods of handling classified and sensitive information, and on the problems arising from too-quick reversions to insecure methods of communication.
The article, entitled “E-mails Raise More Questions About Clinton InfoSec Practices,” was based on recently released documents from Judicial Watch.
Created on 2016-05-13 14:07:50
As a correspondent for the Oxford Martin Cybersecurity Capacity Portal, a project of Oxford University, Black Chambers CEO Alexander Urbelis published an article on the impact that the debate over encryption regulation and legislation is likely to have on corporate defenses.
Black Chambers will also be speaking about this topic later this week at the Inside the Dark Web conference.
Please contact us if you would like to attend the conference as our guest.
Created on 2016-05-10 23:11:00
On 12 May 2016, at the ‘Inside the Dark Web’ conference held in New York, Black Chambers will weigh in on the long-lasting and largely undiscussed implications of the ongoing legal battles over encryption.
Taking center stage at the debate over whether encryption should be regulated at the device level was the federal court repartee between the FBI and Apple. Much has been said about the merits of the arguments on both sides, but little has been discussed about the long-term unintentional consequence of weakening corporate defenses against malicious activity ongoing on the dark web. Our panel will address three components of this direct collision of law and information security.
First, we will address the disposition of the FBI v. Apple legal battle. Two of our panel participants were intimately involved in the legal battle between 2600 Magazine and the MPAA (Universal Studios v. Reimerdes), which is cited for the somewhat shaky proposition that source code should be protected by the First Amendment.
Second, our talk will delve into the often-overlooked State legislation that proposes to regulate encryption on mobile devices and elsewhere and the status of the UK's Investigatory Powers Bill. The focus on this portion will be on the breadth of the legislation, and possible negative effects on corporate security.
Finally, options for securing and protecting data using existing encryption products and services will be explored. Whether the FBI v. Apple legal battle and State or international legislation will impact such services will be assessed. Critically, however, this portion will focus on the policies and practices of cloud service providers, and the best options for a company to legally secure its own data, both from the prying eyes of malicious actors and from governmental or regulatory overreach.
Created on 2016-04-07 15:01:13
The Consumer Fraud Protection Bureau issued its first enforcement action for misrepresenting data security practices. In the simplest terms possible, the CFPB has made it clear that if companies are going to ‘talk the talk’ about data security practices, they also have to ‘walk the walk.’ In addition to a $100,000 fine, the CFPB ordered online payment systems operator Dwolla to take immediate steps to ramp up its security practices on many fronts.
Though hitherto never exercised in the data security context, the CFPB derives its authority to regulate from the Dodd-Frank Wall Street Reform and Consumer Protection Act. Dodd-Frank provides the CFPB power to take action against institutions engaged in “unfair, deceptive or abusive acts or practices.” Signalling that data security practices are within its jurisdiction and in its sights, the CFPB’s scathing press release about Dwolla’s deceptive practices indicates further enforcement is sure to come.
Several facts make this action especially interesting and relevant to data security planning and practices:
1. There was no data breach. Historically, any regulation or fine was a direct result of some form of breach that led a regulator to inquire about company practices. This is an enforcement action without any such precursor, and means that any company with public-facing statements about data security practices can be subject to scrutiny.
2. Dwolla’s policies made explicit statements that their practices “exceed[ed]” or “surpass[ed]” industry data security practices, including PCI-DSS. On examination, Dwolla’s practices fell far short of anything even beginning to resemble sound data security practices, and included misrepresentations about the amount of data encrypted, security implemented, and transmission of sensitive data as clear text.
3. Dwolla management now has an ongoing reporting requirement to the CFPB for a period of five (5) years about its security practices and posture. It also established an affirmative obligation of the Dwolla Board of Directors to review all “plans, reports, programs, policies, and procedures,” before these documents are submitted to the CFPB. Obliging the Board is an overt demand for responsibility and accountability on CFPB’s part, and is likely to be part of any future enforcement action.
This is a blaring wake-up call to companies housing, collecting, or processing personal or financial data. In the words of the CFPB, “deception about security and security practices is illegal.” Review, revision, and auditing of security policies is a must.
Government regulation of data security is on the rise. And there is the possibility of regulatory scrutiny from multiple federal and state agencies with often overlapping and unclear jurisdictional boundaries.
These are necessary and sufficient reasons for a company’s data security practices and planning to be performed in a legally privileged context and overseen by experienced attorneys who are themselves information security professionals.
Created on 2016-03-04 21:01:00
Black Chambers, together with the Blackstone Law Group, spoke about the ongoing battle between ISPs and copyright holders at the first annual BloomCon Digital Forensics Conference held at Bloomsburg University on 5 February 2016.
Focusing on the landmark decision coming out of the US District Court for the Eastern District of Virginia between Cox Communications and BMG Rights Management, Black Chambers discussed the information security and legal implications of the decision and jury verdict that removed DMCA immunity from Cox Communications and held them accountable for the copyright infringing activities of their customer base to the tune of 25,000,000 USD.
Stepping through the legal reasoning of the decision to remove DMCA immunity from Cox, Black Chambers provided a detailed account and analysis of the internal Cox e-mails that articulated sham “under the table” DMCA compliance policies designed to “collect a few extra weeks of payment” that were directly attributable to Cox’s loss. A clear takeaway was that had these legal DMCA compliance discussions occurred with an attorney – i.e., within the zone of protection of the attorney-client privilege – the damaging e-mails that led to Cox’s loss would not have been made public, and Cox would have very likely prevailed.
Going further, Black Chambers and Blackstone Law Group discussed the information security and compliance issues facing communications carriers resulting from this decision, the effects of enhanced DMCA accountability and user monitoring, and the anti-forensic countermeasures expected to be employed to stymie such efforts.
For a copy of our slide deck and presentation, or to speak further about this issue, please contact us.
Created on 2016-02-08 14:47:00
Sometimes the signal to noise ratio can unintentionally function as a security feature. In other words, if you are a needle hiding in a haystack, the hay protects and provides the cover of camouflage. E-Discovery turns this analogy on its head, which is why information security for law firms and e-Discovery vendors is a pressing and critical issue.
The very nature of the expansive disclosure obligations amongst parties to a litigation under US and UK law means that vast quantities of data are going to be transferred between the players. The process by which this occurs is familiar to lawyers, especially younger associates who have been delegated the unenviable task of sifting through thousands of e-mails, documents, and reports to identify the very high-grade ore amongst the rubble dumped on their firm. As for the side doing the dumping, e-mails, documents, and reports which are considered trade secrets, privileged, or otherwise confidential and non-responsive have been tagged and culled before the exchange of data.
In short, the hay has been sifted and all the needles identified.
If these needles are the digital equivalent of trade secrets, privileged communications, confidential business plans, or any other sort of data that should not make its way to the public domain, then perimeter security surrounding this data at rest should be – at a minimum – viewed as a best practice.
In an article published recently by Bloomberg BNA, Gabe Friedman makes several excellent recommendations for drafting protective orders that require a receiving party be responsible for reasonable information security practices when receiving and handling data during the discovery phase of a litigation.
Friedman recommends litigants should require their adversaries to do the following:
These recommendations, however, raise several additional issues for law firms and litigants, especially in light of the alarming prediction that 80% of the top 100 law firms have already been compromised. Namely:
Add to this the complex issue of auditing the security of your adversary or e-Discovery vendor and you have a hydra-like combination of information security, law, compliance, and judicial economy. And with information security concerns on the rise for litigants and firms alike, these issues are sure to be raised frequently and fervently.
These mixed questions of law and security are the reason why Black Chambers exists. We are here to help establish best information security practices for your firm, and will be there if your organization needs to find a trusted e-Discovery vendor, or audit your adversary.
Created on 2015-12-15 12:29:50
Security by design is an empty concept without deliberate thought and foresight. This means thinking carefully about custom and licensed software, network architecture, and parties which ought to be trusted.
Our professionals build and ensure security from top to bottom. We believe in teaching just as much as documenting. Black Chambers’ source code review identifies security-related vulnerabilities with the aim of providing developers insight as to the classes and categories of potential vulnerabilities. By the end of our engagement, source code is more secure and internal developers are better equipped to independently secure an application’s source code.
Our professionals have long histories in the information security community and thus also understand the undesirable narratives that can be spun when undocumented (or worse, documented) vulnerabilities become public information. Within our unique structure of operating through and with the Blackstone Law Group, these narratives are either identified, avoided, or responded to with considered diplomacy.
Network security requires an understanding of entry and access, data flows, and an organization’s risk posture. By working with existing personnel to examine network diagrams and documentation, we provide a legally privileged assessment of existing gaps and areas of non-compliance with stated policies, and assess the function, placement, and need for security controls.
Throughout the engagement, our goal is to cost-effectively ensure our clients are both compliant with industry standard regulations and above reproach for information security best practices.
Third parties have been the root cause of many of the world’s largest data breaches. The range of data-, cloud-, and security-related products and services has never been greater or more overwhelming. Understanding how vendors manage data — and certifying that vendors are trustworthy — is imperative. Our experts have extensive experience with products new and old, and a network of information security associates that extends to every corner of the community and globe. With this background, we assist with identifying trustworthy vendors and partners who can provide effective services your organization actually needs, within the confines of your budget.
Created on 2015-12-02 15:59:09
The privacy and protection of our clients is our chief concern, which is why we work from the outset to reduce exposure to risk. With this in mind, we structure our engagements with and through our affiliated law firm, Blackstone Law Group, so as to minimize the risk that the information derived from analyses, or communications generated during the course of an investigation, will be discoverable by litigants or regulators. Adding value to this arrangement is the litigation and litigation-avoidance experience of the attorneys with which we work at Blackstone Law Group.
In short, privilege protects both our clients’ input and the Black Chambers’ output.
All of our services and engagements are structured in a legally privileged context for a single, predictable fee, and can be invoiced discreetly.
Created on 2015-11-30 20:55:10
The platitude that 'no good deed goes unpunished' holds true in the information security context: Traditional cybersecurity firms can often do more harm to an organization than good by documenting deficiencies without contemplating future risk. This is especially true for organizations facing regulatory scrutiny or potential litigation.
Progressive organizations require information security professionals who have a richer understanding of the implications of their actions — professionals who can not only secure a system or network in the short term, but who can also mitigate long-term risk.
At Black Chambers, we believe information security performed properly requires a multi-disciplinary approach, which is why our services combine the full arsenal of traditional information security practices with the forward-looking legal acumen of our affiliate law firm, Blackstone Law Group.
By structuring our services with and through the Blackstone Law Group, there are several layers of added value for our clients:
Black Chambers is the only information security firm where lawyers and information security professionals work — by design — hand-in-hand on a daily basis, with both sets of professionals having deep knowledge and history with the information security community.
Created on 2015-11-30 20:45:54
Our professionals have several decades of experience with information security and computer forensics, including investigations, offensive and defensive tactics, LAN/WAN architecture, voice and data communications, and due diligence and vetting of commercial solutions. We have consulted for many Fortune and Global 500 companies, pioneering technologies such as micro-payment systems, network storage, secure commercial video and audio broadcast, and network security tools.
But our people are more than just technical. We have experience working in the intelligence community and the Department of Defense. We have several lawyers amongst our founders, who have, in turn, worked as in-house counsel and at the C-level for some of the world’s largest companies and law firms.
It is important to note that we are not comprised of lawyers who became interested in information security in recent years; but rather, we have on board information security professionals who became lawyers.
We are regularly consulted by the media, and state and federal agencies, to opine on matters both legal and technical, and our published writings range from scholarly works, to bar journals, to op-editorials featured on The Intercept.
Our multi-disciplinary approach is unmistakable and is unique amongst our peers.
Created on 2015-11-30 17:09:33
The partnership between Black Chambers and Blackstone Law Group lends itself to discreet and sensitive investigations aimed at uncovering or resolving misconduct involving technology.
We have expertise concerning the misuse of internal systems, insider threat identification, detection of exfiltration of confidential information, uncovering identities of anonymous defamatory statements, piracy and copyright infringement, and many other forms of misconduct. Blackstone Law Group, in turn, has complementary experience with whistleblowing and compartmentalized internal investigations in corporate settings.
Throughout the investigative process, Blackstone Law Group provides litigation-avoidance advice and other confidential legal counseling designed to avoid regulatory intervention and limit exposure to liability.
Further, by working with Blackstone Law Group, the full range of legal process complements our InfoSec investigations. Our partnership enables lawyers to draft subpoenas compelling production of information from third parties otherwise unavailable, draft and file actions leading to discovery, and negotiate directly with in-house counsel for the release of information in accordance with terms of services, privacy policies, or state and federal law.
Created on 2015-11-30 15:11:39
In the event of an intrusion, breach, or attack that has occurred or is ongoing, Black Chambers’ relationship with Blackstone Law Group gives an organization the greatest flexibility.
Because communications and analyses are privileged, investigation and remediation can begin immediately without risk of creating legal liability or providing ammunition for regulatory scrutiny. While the InfoSec investigation and incident response process is ongoing, Blackstone Law Group provides confidential counsel regarding regulatory responses, customer notification, cyber-liability insurance applicability, remediation, and litigation-avoidance strategies.
Whether a breach involves a single system or hundreds of systems compromised across a network, our professionals help an organization recover, minimizing the short- and long-term impact.
Created on 2015-11-30 15:06:37
Adapting to the complexity of information security is critical for businesses. With the theft of IP, trade secrets, research and development data, personal data, and financial records steadily on the rise, information security is an existential issue and business imperative.
Within a legally privileged context to minimize risk and client exposure, Black Chambers performs organization-wide and targeted security assessments, encompassing both physical and digital security. Combining the skillsets of information security and legal professionals allows Black Chambers to address security design and compliance as an ecosystem, and not in a tick-the-box manner.
Black Chambers professionals begin each engagement with a risk assessment. Understanding an organization’s business and the identification of core assets are a critical component of this, together with the gathering and analysis of intelligence from outside sources.
Through the lens of a risk assessment, physical and network security architecture and policies are then reviewed, assessed, revised, and remediated to harden defenses around core assets, allowing organizations to be ahead of best-practices curves.
Our professionals have rich and varied experience with large-scale vulnerability assessments. Assessing and documenting, however, is not sufficient: our professionals assist not only with technical remediation, but with adapting and transitioning to information security processes, policies, and procedures designed to reinforce an organization’s all-around security posture.
Created on 2015-11-30 15:04:25
Complex disputes require collection and exploitation of all available information. E-mails and files are a mere starting point: the universe of data and exploitable intelligence that resides on any computer is much greater than appears on the surface.
Our experts recover targeted and actionable intelligence relevant to any investigations or litigation; examples include:
Created on 2015-11-30 15:00:45
With in-house experience at the executive level and backgrounds in intelligence and defense, we provide clear advice and legal risk assessments about the scope and enforcement of regulations that affect international businesses.
Our attorneys have built, from the ground up, worldwide compliance programs integrating crucial components such as anti-money laundering, anti-corruption, whistleblowing, data security and privacy. As with all of our practices, we employ a multi-disciplinary approach to building effective and tailored compliance programs, drawing on our technical expertise, novel risk assessment methodologies, and comprehensive compliance experience.
Created on 2015-11-24 15:35:08
The San Francisco Chronicle interviewed and quoted Black Chambers CEO, Alexander Urbelis, about the fallout from a controversial injunction ordered against German security research firm, ERNW, days before they were to detail vulnerabilities in FireEye's popular malware detection boxes at 44CON in London.
The injunction from a German court essentially functioned as a gag order and required censorship of major portions of the proposed presentation. In the article, Alexander Urbelis discussed the validity of the injunction and the reasons why this type of heavy-handed use of legal process does not sit well with the InfoSec community.
Created on 2015-10-01 21:47:57
In the wake of the NY Times revelations about a longstanding partnership between the NSA and AT&T, Black Chambers CEO, Alexander Urbelis, published an op-ed on The Intercept arguing that there is nothing novel nor illegal about telecom and intelligence partnerships. As a matter of ethics, efficiency, and integrity, however, Urbelis argued for new limits and protections for the processing of foreigners' data within US borders.
There is something disquieting and unwholesome about telecoms feeding our communications to government agencies. It was headline news, again, last month when we learned that AT&T has had a longstanding partnership with the National Security Agency. Unfortunately, this form of private-public intelligence collusion is neither new nor, in my view, illegal. Whether it is immoral is an entirely separate question.
U.S. communications carriers first became partners in the intelligence game shortly after World War I. Diplomatic and military affairs transmitted via telegram to home countries were intercepted and decrypted by the Black Chamber, the NSA’s precursor. Obtaining telegrams then was eerily similar to how communications are obtained today: The government simply asked.
The Western Union Telegraph Company and the Postal Telegraph Company allowed intelligence officers to copy telegrams, and this partnership persisted in peacetime. In 1929, however, Secretary of State Henry Stimson defunded the Black Chamber. His concise, and seemingly naïve, rationale was reportedly: “Gentlemen do not read each other’s mail.”
World War II exigencies overruled Stimson’s moral objections and the United States resumed telegram interception. Starting in 1945, just after the end of the war, this interception widened, and Western Union, RCA, and ITT provided the government, via the NSA and its predecessors the Army Security Agency and the Armed Forces Security Agency, with paper tape, microfilm, and later magnetic tape copies of most international telegrams. This continued unabated for decades after the war and was known as Project SHAMROCK.
NSA shared this data with law enforcement, including the FBI and Secret Service. Project SHAMROCK, however, suffered from classic function creep, the gradual extension of a system beyond the purposes for which it was conceived. In the 1960s and 1970s, names of American citizens and organizations were added to watch lists. Anti-war activists, Martin Luther King Jr., Muhammad Ali, and Jane Fonda were among the nearly 1,700 U.S. individuals and organizations targeted for domestic surveillance. This was known as Project MINARET.
Presciently, in 1975 on Meet the Press, Senator Frank Church (he himself a target of MINARET) stated:
In the need to develop a capacity to know what potential enemies are doing, the United States government has perfected a technological capability that enables us to monitor the messages that go through the air. … That capability at any time could be turned around on the American people, and no American would have any privacy left. … There would be no place to hide.
The Foreign Intelligence Surveillance Act, codifying a warrant requirement with judicial oversight for electronic surveillance, with particularly strong protections for U.S. persons, was born of the eponymous Church Committee.
This was a philosophical shift in the perception of intelligence activities. Despite infringing privacy of U.S. residents — and undeniably going beyond the degree of intrusion at issue with the Black Chamber — there was no Stimson-like categorical condemnation of surveillance itself. Communications interception was a necessary evil to detect and deter existential threats to the United States. It was crucial, therefore, to safeguard U.S. persons from harm occasioned by this necessary evil.
Foreigners were viewed in a different light, with considerably less protection under FISA as it exists today. Foreigners’ communications have always been legitimate targets of collection, from the time of the Black Chamber and despite fallout from Projects SHAMROCK and MINARET. As an NSA presentation indicates, AT&T even withheld domestic communications before delivering anything to the NSA. The intelligence game in the United States has not changed in over 100 years, so what is the source of the outrage?
As a nation, we are uncomfortable with the morality of the degree (not kind) of intelligence collection that occurs as a result of secret partnerships. In the busiest of MINARET’s six years of operations, there were only 600 domestic and 6,000 foreign targets. Contrast that with the billions of emails flowing across the networks to which AT&T has provided the NSA access. It is the quantity, not the type, source, or method of collection, that produces visceral unease.
Linking this sense of unease to a chilling effect on freedom of speech and association, the ACLU and the Wikimedia Foundation, which runs Wikipedia, have sued to try and halt bulk collection of communications. Our federal courts, however, are not the proper forum. Legal standing and damages requirements mire the process in preliminary motions, and perhaps rightly so because, at root, the question of how surveillance is to be carried out in our names is more of an ethical and political question than a legal issue.
Stimson’s moral prescription that we should not “read each other’s mail” was anachronistic when uttered in 1929. It is ridiculous to suggest we halt foreign intelligence collection derived from U.S. telecoms. It is not outrageous, however, to expect our intelligence be derived more efficiently and fairly. Technologies used to exclude domestic communications can also be adapted to minimize foreigners’ data. Given the quantities of data collected daily, we must expect more to be done to prevent the same function creep that allowed SHAMROCK and MINARET to spiral out of control.
There is a perception that our infrastructure — critical to free expression and global commerce — is exploited and untrustworthy. Our moral compass, again, tells us that this is wrong: Privacy is a right that is universal and fundamental, which ought to apply to all.
Created on 2015-09-27 16:20:18
Addressing novel legal theories to combat revenge porn and the technical means available to reduce the risk that explicit photos are retained and shared, Black Chambers CEO, Alexander Urbelis, recently published an article in the NY State Bar Association publication 'Perspectives' entitled 'The (Il)legalities and Practicalities of Revenge Porn.'
If you watch The Newsroom, you may recall the Season 2 horror, when comely business news anchor, Sloan Sabbith, suddenly realizes that salacious photos of her have been posted on a “revenge porn” site, and were trending on social media.1 Fiction aside, revenge porn, “or sexually explicit media that is publicly shared online without the consent of the pictured individual,”2 is a real world problem and becoming increasingly common. The law is reacting, but as is often the case with novel, tech-driven wrongs, most legal redress is cumbersome, ill-fitting, and insufficient.
There are, however, novel legal theories to combat revenge porn at the federal level, and criminal statutes—though of questionable efficacy—at the state level. And, as a practical matter, if a person does share intimate photos, there are technical measures to reduce the likelihood they will remain in another’s possession or subject to misuse.
Revenge Porn and the Law at the Federal Level
A particularly heinous instance of revenge porn involving a current law student has found its way into the U.S. District Court for the Central District of California. Filed by attorneys from K&L Gates, appearing pro bono on behalf of a pseudonymous plaintiff, the complaint alleges that the victim’s ex-boyfriend posted sexually explicit material to revenge porn websites, then contacted the victim’s friends and colleagues to provide direct links to the obscene material.3
This unique federal litigation, seeking injunctive relief and damages, relies on copyright law for jurisdiction. The theory is that since the victim created the images, it is she who owns their copyright. The ex-boyfriend, by posting the images without her consent, is violating the Copyright Act of 1976, entitling the victim to injunctive relief.
There is, however, a major hitch to this approach: relying on copyright law requires that the explicit images be registered with the U.S. Copyright Office. This process is not only cumbersome, but unrealistic and painful for the victim. What is more, assuming the injunction is effective as to the ex-boyfriend, no legal relief can prevent further dissemination of the images. A court can grant relief only regarding a single defendant, and cannot enjoin downstream websites from displaying or transferring the offending images, or prevent search engines, such as Google, from displaying disparaging search results that point to these sites.
Another legal tactic, combating revenge porn with Digital Millennium Copyright Act (DMCA) takedown requests, has sometimes had the opposite of the intended effect. Websites have displayed takedown requests with pride to draw more attention (and clicks) to the offending material. The obvious intent behind this brazen disregard is to discourage future DMCA requests, and it is likely that this audacious tactic is effective.
In sum, copyright law may indeed provide a partial remedy for some patient victims willing to jump through the hoops required by the U.S. Copyright Office, but it is hardly a silver bullet.
Criminalizing Revenge Porn
Defining revenge porn as a criminal act is the clearest signal that this conduct will not be tolerated. Only 13 states criminalize revenge porn, and, technically, New York is not one of them.[4] On the international front, Israel was the first to pass a revenge porn statute and the U.K. the latest to tackle the issue.[5] The mere existence of such laws may be a powerful deterrent. But there are practical considerations for successful prosecutions, and the possibility of foreseeable but unintentional consequences on several fronts.
Chief among practicalities, the law must fit the crime. In New York, the first prosecution of revenge porn failed, largely because existing laws did not reach this sort of conduct.[6] Harassment was not an option because the material was not sent to the victim herself; unlawful surveillance was inapplicable because the images were created consensually; and the charge of public display of offensive sexual material was similarly inapposite because nudity is not, per se, offensive.
Responding to this and other failed prosecutions, on 1 November 2014, an amended version of New York’s unlawful surveillance statute went into effect, criminalizing the recording or broadcast of images of the sexual or private parts of another which are created without consent.[7] Critics have argued that this amendment does not go far enough to protect victims. As a matter of fit, the law is still not a revenge porn statute; it is a re-engineered version of a peeping tom law. As such, the statute does not extend to sexual material created by mutual consent but distributed without the consent of the victim.
Carrie Goldberg, a board member of the Cyber Civil Rights Initiative, who is active in its ‘End Revenge Porn’ campaign, notes that: “In New York it’s criminal to share credit card numbers[8] and pirated music,[9] yet we have no such protections for the far more personal and devastating distribution of private sexual pictures.” Legislation[10] introduced by New York Assemblyman Edward Braunstein would change this, and, according to Goldberg, protect victims regardless of the motive of the distributor, “whether for revenge, entertainment, money, ‘lulz,’ or no reason at all.”[11]
Another practical reason prosecutions fail is a lack of resources. Revenge porn is a fast-moving, cross-border offense that leaves traces on several different technological platforms: cameras, smartphones, messaging services, and web servers. Most local law enforcement agencies and prosecutors do not have the financial, technical, or human resources to track and collect transient forensic evidence across several jurisdictions.
Disappearing Evidence and False Flags
A clear-cut case would look like this: a victim is notified of offending material that can be traced back to an image sent to an ex-boyfriend. The mobile device of that ex-boyfriend contains the image distributed without consent, and distribution can be traced to his IP address and his mobile device. Prosecutions, however, are rarely so straightforward.
The first stumbling block is the image itself. If neither the victim nor the ex-boyfriend has a record or copy of the image (perhaps both upgraded their devices or deleted old messages), then only their mobile carrier(s) or messaging provider(s) may have a record of the initial transmission, and only if such records were retained at all. Acquiring that data is time-consuming and resource-intensive.
But assuming no problem with the above, the next evidentiary hurdle is proof of distribution. Some exes may be so incensed as to throw caution to the wind, but a thoughtful offender would use a new device and public Wi-Fi for distribution. Technically astute offenders would use a throwaway device and a virtual private network (VPN) to make it seem as if the distribution originated from China or Russia. Acquiring logs and connection data from a foreign VPN provider (if such records are even kept) is both a crapshoot and a herculean task.[12] In the prosecutorial context, combine this type of anti-forensic behavior with the fact that mobile devices are often lost or stolen, add the prevalence of data breaches and malware, and you have something that begins to look very much like reasonable doubt.
With evidence difficult to collect and resources scarce, failed prosecutions may have serious unintentional consequences: discouraging victims from coming forward, deterring further prosecutions, and emboldening potential offenders.
Practical Advice for Cautious Couples
The best way to ensure images never make their way to revenge porn sites is obvious: do not create them. If, however, a person chooses to take and share intimate photos, there are technical measures that can decrease the likelihood of the image being retained and misused.
First: do not send intimate pictures through text message, iMessage, Whatsapp, or any other messaging platform that creates a continuous historical record of activity. Doing so makes it easy for a spurned lover to scroll backwards in time and find revealing photos exchanged during better times.
Second: if you do share private photos, use third-party messaging applications such as Wickr, Silent Circle, or Snapchat that “burn” images after a specified period of time. With these apps, it is possible to specify that the message or image remain with the recipient for as little as ten seconds. While this does not prevent screen captures of images, it does prevent a person from retrieving previously sent images. Further, apps such as Wickr and Snapchat make executing the screen capture function on an iPhone a more cumbersome process, reducing the likelihood that an image will be stored. Snapchat, by far the most popular app for sharing intimate photos, alerts senders when an image has been screen captured.[13]
Third: if sharing is not the goal, do not use an Internet-enabled device to capture private moments. Recall the standalone digital camera, the long-forgotten device used to take pictures and nothing more. Placing several steps between yourself and transmission of a private photo will make it less likely to occur.
Fourth: do not back up intimate photos to a cloud. Many devices, including iPhones, are configured, by default, to keep photos in a cloud’s central repository. Weak passwords and angry exes are an awful combination, and the cloud is an all too easy target. Bear in mind that turning off backup on your own device does nothing about the copy on the recipient’s device, or in the recipient’s backup.
Fifth and finally: though unsexy, keep a detailed, contemporaneous log of images sent, to whom, and when. If the relationship devolves into a revenge porn fiasco, those records could be critical to a successful prosecution when evidence from other sources is lacking.
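The fifth step deserves a concrete form. The difficulty described under “Disappearing Evidence” is that, once both phones are gone, nobody can prove that the image on a revenge porn site is the one sent to a particular person on a particular date. A log that records a cryptographic digest of each image, rather than the image itself, solves part of that problem: the victim keeps nothing explicit, but can later show that a recovered file is byte-for-byte the one logged. The following is an added example in Python, not code from the article or from any of the apps named above; the file name `sent_images.jsonl`, the function names, and the sample image bytes are this example’s own assumptions.

```python
"""
Contemporaneous transmission log (added example, not from the original article).

For each intimate image shared, record a SHA-256 digest of the file bytes,
the recipient, the channel, and a UTC timestamp.  The image itself is never
stored in the log.  Later, an image found online can be hashed and compared
against the log to show that it is the exact file sent to a given person.

Assumptions: the log lives in a JSON Lines file (one record per line); the
path and function names below are this example's own, not any app's API.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DEFAULT_LOG = Path("sent_images.jsonl")  # assumed location; pick your own


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so a large photo need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_sent_image(image: Path, recipient: str, channel: str,
                   log_path: Path = DEFAULT_LOG) -> dict:
    """Append one record to the log and return it."""
    record = {
        "sent_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "recipient": recipient,
        "channel": channel,
        "size_bytes": image.stat().st_size,
        "sha256": sha256_of_file(image),
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def find_matches(candidate: Path, log_path: Path = DEFAULT_LOG) -> list:
    """Return every log record whose digest equals that of the candidate file.

    Caveat: an exact digest only matches an unmodified copy.  If a site has
    re-encoded, resized, watermarked, or stripped metadata from the image,
    the digest changes and this function returns an empty list.
    """
    if not log_path.exists():
        return []
    digest = sha256_of_file(candidate)
    with open(log_path, encoding="utf-8") as fh:
        records = [json.loads(line) for line in fh if line.strip()]
    return [r for r in records if r["sha256"] == digest]


def demo() -> dict:
    """Run the whole procedure on constructed sample data in a temp directory.

    Returns the logged record, the matches for an exact copy, and the matches
    for a copy altered by a single byte (which should be none).
    """
    workdir = Path(tempfile.mkdtemp())
    log_path = workdir / "sent_images.jsonl"

    # Constructed stand-in for a photo: a JPEG-looking header plus filler bytes.
    original = workdir / "photo.jpg"
    original.write_bytes(b"\xff\xd8\xff\xe0" + b"constructed sample pixels " * 200)

    record = log_sent_image(original, "ex@example.invalid", "Wickr", log_path)

    exact_copy = workdir / "found_online.jpg"          # same bytes, new name
    exact_copy.write_bytes(original.read_bytes())

    altered = workdir / "reencoded.jpg"                # one trailing byte changed
    altered.write_bytes(original.read_bytes() + b"\x00")

    return {
        "record": record,
        "exact_matches": find_matches(exact_copy, log_path),
        "altered_matches": find_matches(altered, log_path),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical notes. First, because most sites re-encode uploads, the digest proves identity only for an unmodified copy; the log still establishes when an image of that size was sent to whom, which is the part that otherwise vanishes with the phones. Second, a log kept only on your own device proves little about its date; printing it or e-mailing it to yourself at the time gives a third party’s timestamp to corroborate it.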
* * *
Technology will always outpace legislation. It is, therefore, no surprise that the legal remedies available to victims of revenge porn are inadequate. Federal remedies are slow, burdensome, expensive, and only partially effective. Criminalizing revenge porn is a strong statement, but also an imperfect solution because of the under-inclusive nature of the proscribed conduct and the ease with which evidence can be destroyed and prosecution frustrated.
What is clear, however, is that victims of revenge porn are seriously and irreparably harmed. The elements and mechanics of criminal statutes and the civil remedies available require further consideration and study. Unless and until such a time, the best defense is a good offense. The more we understand the permanence of our digital footprints and the technical measures at our disposal to reduce them, the better able we, as users, are to avoid the problem of revenge porn altogether.
1. Alan Everly, ‘The Newsroom’ Recap: Sloan’s Nude Photos Go Viral; Maggie’s Losing It, L.A. TIMES, 12 August 2013, http://lat.ms/1DCD0gz.
2. Revenge Porn, WIKIPEDIA, http://bit.ly/1u7p46r.
3. Civil Lawsuit on Revenge Porn, N.Y. TIMES, http://nyti.ms/1AKnHMA.
4. Revenge Porn: U.S. Laws, WIKIPEDIA, http://bit.ly/1MNupZG.
5. Rick Kelsey, Revenge Porn is Being Made a Specific Criminal Offence, BBC NEWSBEAT, http://bbc.in/1FB7HjL.
6. People v. Barber, 42 Misc. 3d 1225(A) (N.Y. City Crim. Ct. 2014).
7. N.Y. PENAL LAW § 250.45.
8. N.Y. PENAL LAW § 165.17.
9. A7811B-2011 (N.Y. 2011); N.Y. PENAL LAW § 275.00.
10. B. A571, 2015 Assem., Reg. Sess. (N.Y. 2015).
11. New York’s proposed revenge porn law establishes the crime of non-consensual disclosure of sexually explicit images as a class A misdemeanor. The bill is available at http://bit.ly/1GuN3Sy.
12. TorGuard, a prominent VPN provider, advertises that it does not keep logs of activity associated with an IP address. Further, it notes that hundreds of users are using any server at any particular time, making attribution of activity nearly impossible. See Do You Keep Any Log Files, TORGUARD, http://bit.ly/1B5UMlv.
13. A cottage industry of third-party applications that surreptitiously capture Snapchat images has developed. However, in recent months, Snapchat has implemented more sophisticated alert measures to combat this. Nothing, however, would detect whether a separate device, such as a camera, was used to photograph the screen of the recipient’s phone while the image was displayed.
Alex Urbelis is a lawyer and hacker with over 20 years of experience with information security. He has worked for the U.S. Army, the Institute for Security Technology Studies at Dartmouth, the CIA, the U.S. Court of Appeals for the Armed Forces, Steptoe & Johnson, and as information security counsel and CCO of Compagnie Financière Richemont SA (Richemont). Alex holds a BA, summa cum laude, in Philosophy from Stony Brook University, a JD, magna cum laude, from Vermont Law School, and the BCL from New College, University of Oxford.
Created on 2015-06-08 20:51:05