ABA Issues Opinion on Social Media Ethics

May 7, 2014

The most common question in cases involving Open Source Intelligence (OSI) to support an electronic investigation, is: “To what extent may an attorney ethically use social media during case investigation and discovery?”

The question is not at all surprising.  The extent to which we can develop and use information from social sites, and other types of OSI, has a really high “creep factor”.  My answer has always been:  “If a person has given up information and made it publicly available to anyone with a browser and knowledge of where to look, then what’s the question?”.

Two weeks ago, the ABA agreed… mostly.  In the ABA’s “Formal Opinion 466”, issued on 4/24/2014, the ABA states, in part:

A lawyer may review a juror’s or potential juror’s Internet presence, which may include postings by the juror or potential juror in advance of and during a trial.

In summarizing, the opinion states:

In sum, a lawyer may passively review a juror’s public presence on the Internet, but may not communicate with a juror. Requesting access to a private area on a juror’s ESM is communication within this framework.
The fact that a juror or a potential juror may become aware that the lawyer is reviewing his Internet presence when an ESM network setting notifies the juror of such review does not constitute a communication from the lawyer in violation of Rule 3.5(b).

While this opinion is specific to jurors, might it also apply to witnesses, attorneys, and other parties to a case?  I would think so.

Link to the ABA Journal’s Final Opinion PDF

Deepweb and Google Cheatsheets Updated

If you are interested in researching OSI (Open Source Intelligence), and are an attorney, you will want to request a login to Vidoc Razor’s RazorSuite.  The RazorSuite includes a connector to conduct your own OSI searches in a fraction of the time, and with more information, than manual techniques.  You can request a login here.

If you prefer to do your own manual work, I have been maintaining two “Effective Internet Search” cheat sheets since 2009. The cheat sheets cover the best sites for developing information manually, as well as how to use Google’s advanced features effectively when performing online searches of people, places, and companies.

Link to the updated DeepWeb Cheat Sheet

Link to the updated Google Search Cheat Sheet


Open Source Intelligence (OSI) and Your Case

April 2, 2014

Open Source Intelligence (OSI or OSINT) is intelligence collected from sources that are available publicly.  Much of the information fed to the internet by users, collected by advertisers, or otherwise left behind during a person’s interaction with electronic systems (or with retailers and advertisers that store such information electronically and the resell it) can be identified through “deep-“, or “dark-“ web research.  OSI is important enough of a research methodology that many law enforcement agencies, especially Federal, have dedicated resources to OSINT analysis and gathering. 

In civil litigation OSI is an invaluable resource for:

  • Research of retained and opposing experts
  • Information regarding opposing attorneys
  • Witness and litigant information
  • Uncovering other emails, social site accounts, properties, activities, and repositories of information not disclosed

Consider a recent case that I was involved with: The opposing party had disclosed certain online accounts that contained relevant information regarding their corporate history, communications via web mail, and travel.  An OSI search revealed two alternate web mail addresses, as well as a connection with a competing firm, travel information (previously undisclosed), and some “known associates” that had information relevant to the case.  Metadata analysis of documents and photos contained on the newly discovered sites yielded even more information.  None of this information was contained on the hard drive submitted for inspection.

OSI, on the web, is broken down into two main categories: Direct indexed information, and Dark web (or Deep web) information.

Direct indexed information is the category most familiar to practically anyone that uses the web.  It is information that has been picked up and indexed by a search engine and, with the correct search techniques, can be narrowed down to particular people, places and things.  Indexed information typically ends up on the web through three different paths:

Deliberate – Deliberate information is information that is on the web because of the direct interaction of an entity with a web resource.  This could be information that is publicly available because of social sites, website registration, or signing on to public newsgroups and forums. 

Accidental (Through fault of the information Owner) – Often times information is deliberately provided, but the provider of the information didn’t realize that the information would be publicly searchable.  Facebook is a perfect example of where, by not understanding ALL the privacy implications of use, users (or their friends) often provide way more details, photos, or location information than is intended, desirable, or realized.

Accidental (Through fault of the information Custodian) – Very large data breaches are far too common these days.  The reality is that they have been very common for years and years, but focus has only recently been turned towards the size, and frequency of breaches.  Aside from breaches, however, “information leakage” is not at all uncommon.  Information leakage is where a website or internet resource unintentionally will provide more information than the user, or the owner, realize. There are teams of people, advertisers, and intelligence gathering entities that  look for information leak and harvest the results.

Dark (or Deep) Web information sounds very “techie” and mysterious, but in reality simply describes the large portions of the web that contain information that is not indexed by search engines.  Typically these are databases of information that are accessible from a website, registration information, attendance and membership databases and information of that nature.

The challenge with OSI is to compile information both from direct indexed resources and dark web resources, and then correlate and narrow the information so that it accurate to the particular entity that is being researched.  A thorough manual search can be performed using the “cheat sheets” provided with this book.  The challenge is that aggregation, correlation and verification can take many hours.  There are tools available to an attorney that speed up the process.  LexisNexis offers access to a static database through the Accurint tool (http://www.Accurint.com), and Westlaw (http://www.Westlaw.com) also provides static database information as well.  There are any number of smaller sites that offer various degrees of information through static databases. 

Static information can quickly become inaccurate or stale, and there are tools that fill the niche for automated research.  Vidoc Razor maintains such a tool (If you are an attorney, you can request a login at: http://www.vidocrazor.com/RSInfo.php) that actively mines “live” social information, media and publications, photos, as well as location and known relations and associate information.  The information is then aggregated, correlated, and a baseline validity check performed.  The information is available for filtering and refining from a single point, and custom reports can be generated.

Whether using manual techniques, static databases, or automated approaches, the nature of OSI is important to keep firmly in mind:  it is fluid.  The information “lives” and changes as people live and change.  It is also contradictory; some OSI is incredibly volatile and can “evaporate” without warning, while other OSI is incredibly persistent, and will stay available through harvesting techniques even when the information owner is actively trying to remove it.  Any information derived from any of the harvesting techniques discussed must be verified before action is taken on it.


Part One: Simple Steps To Secure Your Client During Litigation

September 11, 2012

In the past year, there has been a distinct uptick in cases involving data breach and key logging malware- especially in family law cases. This uptick is not by anonymous, random third parties, but rather by the actual litigants in a case.

Part of the reason for the uptick is that “bugging” someone’s computer  or cell phone (electronic intercept) has gotten significantly easier. Most people can handle installing software.  Likewise with breaking into someone’s webmail, banking, or other online accounts.

Here are steps your client can take, right now, to protect their information and communications:

  • Create a List of Electronic Assets – Experience shows that, without a list, things will be overlooked.  Have your client list out cell phone, webmail, social network, and online banking accounts. In the same manner, have them list out things like wifi and home network assets.  This list is the starting point.
  • Change Passwords and Password Recovery Questions – Simply changing passwords is not enough. Password recovery questions (“What is the name of your favorite pet?”) are an easy way for someone who is familiar with your client to gain entry to their online resources.
  • Avoid Password Reuse – Using the same password for everything is a recipe for disaster. Understandably, it can be an inconvenience to use different passwords everywhere, but there are ways to make meaningful passwords that are easy to remember. Here is a full write-up on password reuse.
  • Review WiFi Security – If the opposing side in a matter was the one that set up the home wireless network, then all they need to do is be within range to join back on the network and gain access to systems or to “sniff” and view network traffic (including your client’s passwords, communications, etc.).
  • Review Joint Cellular Accounts – Depending on the carrier, joint cellular plans can give the opposing party access to endpoints in voice and text communications. Some carriers may actually have access to the content of text messages online. While TRO and data protection may prevent a direct change to the account or plan, your client may consider using a pay-as-you-go plan.

These are some simple steps that can be taken with minimal cost, and yet they will provide an immediate boost to your client’s security stance.

Tomorrow: Part 2- Simple Steps In Case of Breach

If you or your client feel that there has already been a breach, or you are facing a particularly aggressive or knowledgeable opposition, you may consider inquiring about our Client Information Security package (CISP).

The CISP is a flat-rate, full assessment of your client’s information security and includes a drop-in firewall with logging and 24/7 monitoring for intrusion attempts, malware activity, and other breach behavior.  Vidoc Razor not only will assess the security of your client, but fixes the issues identified.  All hardware is provided by Vidoc Razor.

You can find more information by clicking HERE.


Weekly Highlights: September 10, 2012

September 10, 2012

Things You Might Have Missed Last Week

(Highlights in legal and electronic discovery news for the past week)

Interesting Electronic Evidence Cases

Robinson v. Jones Lang LaSalle Americas, Inc., No. 3:12-cv-00127-PK (D. Or. Aug. 29, 2012)

The defendant was seeking to compel production of discovery in (among other things) “all social media content involving [Plaintiff] since July 1, 2008” related to the Plaintiff’s “‘emotion, feeling, or mental state,’ to ‘events that could be reasonably expected to produce a significant emotion, feeling, or mental state,’ or to allegations in [Plaintiff’s] complaint.”.

Magistrate Judge Paul Papak (Oregon) found:

“I see no principled reason to articulate different standards for the discoverability of communications through email, text message, or social media platforms. I therefore fashion a single order covering all these communications.”

Link to Opinion PDF

Apple, Inc. v. Samsung Elecs. Co. Ltd., No. C 11-1846 LHK (PSG) (N.D. Cal. July 25, 2012)

The Defendant in this case was sanctioned for the loss of relevant emails due to Defendant’s failure to follow-up with employees to ensure compliance, and the Defendant’s failure to halt the email system’s auto-delete function.  Sanctions included an adverse inference that allowed the jury to presume that the missing evidence was relevant and favorable to the Plaintiff.

Link to Opinion PDF

Weekly Highlighted Case

EEOC v. Simply Storage Mgmt., LLC, 270 F.R.D. 430 (S.D. Ind. May 2010)

This case can be very useful when dealing with social media electronic evidence matters.  It was utilized by the Oregon magistrate in the above listed case (Robinson v. Jones Lang LaSalle Americas) when forming his opinion.

The defendant in this matter was seeking production of claimants’ social networking site profiles, as well as other communications from social sites used by the claimant.

Last May, the Great State of Texas saw a similar matter that relied, in part, on the EEOC case:

IN RE MAGELLAN TERMINALS HOLDINGS, L.P. AND MAGELLAN MIDSTREAM HOLDINGS GP, LLC 
Link to PDF Document

Electronic Evidence News

State Bar of Texas Alert Says ‘Scam Artist’ Stole Nonpracticing Lawyer’s ID for Fake Website

West Let Off the Hook on Web Malpractice Claim

OJ Simpson Prosecutor: Johnnie Cochran May Have Tampered with Bloody Glove


Quick Tips For Preserving Social Media

June 6, 2011

There is no arguing that social media sites are a boon for information related to a case, and not just for Family law, but also for corporate litigation as well.  We have had tremendous success with using social sites to tie component pieces of  a hard drive or cell phone investigation together.

The proliferation of social websites like Facebook can create discovery issues, though: How do you properly preserve a social site?  How do you deal with the opposing side arguing that the request to preserve is “overly burdensome”?

In this article I will walk you through three of the most popular social media sites and some techniques to preserve them easily.

1: Facebook (www.FaceBook.com):  Facebook is probably the easiest site to preserve.  The user can simply go to “Account Settings”, scroll down to “Download Your Information”, and click on “learn more”.  From the Facebook description:

“This tool lets you download a copy of your information, including your photos and videos, posts on your Wall, all of your messages, your friend list and other content you have shared on your profile. Within this zip file you will have access to your data in a simple, browseable manner.”

Once the user clicks “Download”, FaceBook will aggregate the information and email a link to the download.  Depending on how much information is there, this can take several minutes or even hours.

2: LinkedIn (www.LinkedIN.com):  LinkedIN is a site geared more towards a professional profile than Facebook.  We have been successful in using it to uncover additional email addresses, business documents, associations and affiliations primarily in Corporate cases, but it has factored into family law cases before.

The good news is that, while the Facebook preservation method is only useful if you are the specific user, LinkedIN can be documented for the profile information of other users.  The bad news is that it is slightly more complex than Facebook to preserve (but not much more!).

The easiest way to archive a LinkedIN account is to already have one yourself, or to create one.  NOTE: If the person you are archiving has LinkedIN’s upgraded service, or has agreed to let others see when they view a profile, they will be able to see that you viewed their profile.  I’m not going to encourage you to break the Terms of Service by creating an archive account, but that is one way to get around this.

Next, you will want to navigate to Profile-> Profile Organizer.  This is actually a paid service offered by LinkedIN, but usually it has a free 30-day trial.  More importantly, the free trial does not require a credit card.

Once you sign up for the Profile Organizer, you will be able to search for specific individuals, companies, etc.  When you find a profile you can save it to your organizer, archive it, and print it to a PDF.

3: Twitter (www.Twitter.com): Unlike the others, Twitter doesn’t have an actual built-in archiving functionality.  Twitter DOES have a great advanced search function that you can access at: search.twitter.com

Once on the Twitter search site, look for the “Advanced Search” link.  This will allow you to drill into searches by user, dates, topics, specific words or phrases, locations, etc.
Once you have search results, you can print to PDF, save the list, or use the nifty RSS link in the upper right called “Feed for this query”.


Eight Strategies To Control Information Forensic Costs

April 12, 2011

I’m often told that the biggest barrier to introducing information forensics to a potential case is the cost of doing so, and I believe it.  It is hard to explain to a client that they may expend resources with no return on the expenditure, and yet effective use of information forensics can be a valuable part of case strategy.  Here are eight strategies to effectively control information forensic cost:

  1. Prioritize Systems. In cases where there are multiple computer systems, hard drives or electronic devices involved, try to identify which ones are more likely to contain key evidence or facts in the case.  Your expert should be willing and able to help you do this, based on the facts of the case and the role of the devices involved.
  2. Image and Hold. Perform forensic imaging of the systems and devices involved to preserve them, but unless there are other factors involved you may not need to do analysis on ALL the systems at once.  Start with the high priority systems, and then see if there is likely to be value on the other systems or devices involved.  “Image and Hold” can also be an effective early strategy for a single computing device as well.
  3. Be Selective. We are often approached with multiple cell phones and hard drives.  One of the first questions I ask is if the cell phones were potentially backed up on one of the computer systems.  If so, then we can often process the backup (or “synch”) of the cell phones just as though we had the cell phone itself.  This helps to prevent duplicating cost.
  4. Evaluate Before Analyze. Full disclosure: This is a self-serving statement, in that Vidoc Razor runs a flat-rate evaluation service, but that doesn’t make it any less true.  Your expert must be able to provide an evaluation of the computer systems involved to identify which devices are useful to a case, versus ones that are redundant or don’t contain case useful information.  Make sure that the evaluation is  in context with the case, and not a simple cookie-cutter print-out of log files.
  5. Look for Flat-Rate Services. I have heard many complaints of forensic costs that run wild because of hourly rates.  It isn’t hard for a forensic service to provide cost-effective, flat rates that still provide high-quality results.  Your expert should be interested in looking for a long-range relationship as part of your legal arsenal, rather than getting rich off of a single big case.
  6. Understand the Differences Between Data, Information, and Intelligence. This seems like semantics, but it really isn’t.  Data is a stream of un-evaluated, un-interpreted symbols.  Information is what data becomes once it is useful (in context).  Intelligence is what information becomes once it becomes fact.  Once you stop thinking about “data forensics” and start utilizing “information forensics” you can find all three in a variety of places beyond the hard drive, or as a supplement to the evaluation or analysis performed on a hard drive or cell phone.
  7. Know Your End-Game. It is easy to get caught in the flood of information that can open up in the effective use of information forensics.  It is equally easy to chase down information that doesn’t necessarily support your overall case strategy.  For each new  tributary that opens up to you, ask yourself if it is actually something that supports your end-strategy, or potentially alters it.  If not, then why spend resources to chase it?
  8. Take a Deep Breath. If I had a nickel for every time I have heard the phrase “I am completely computer illiterate”, I would be living on easy street.  In a Yogi Berra-esque way: “This ain’t rocket surgery.”  For some reason the mere exposure to electronic investigation causes people to shut down.  While information forensics can be very technical, I promise you that the average attorney has dealt with much more complicated issues.  Take a deep breath and enjoy the new strategies and brand new streams of information that open up to you and your client and augment your ability to argue your cases.

Next Post:  Effective Information Forensic Strategy


Stripping Anonymity From the Internet

January 13, 2011
Stripping anonymity is like peeling an informational onion. It is about tying together otherwise benign pieces of information that, in the aggregate, allow you to identify, uncover, and infer the existence of other pieces of information. 

Pieces of information across the internet can be pulled in from so-called “Dark web” sources (sounds sexy, right? It actually just refers to information that is contained in databases that are not indexed by search engines), public records, search engine indexed information, metadata information contained in posted documents (photos, PDF docs, various graphics formats, etc.), online newsgroups, social media sites to name a few.

Using these pieces of information to uncover locations, associations, activities, behaviors and motives is entirely possible (and, in fact, is done every day in active investigative work), but not in every case. As you may imagine, it is easy for the thread to get broken and for a logical disconnect to occur. The trick is to combine inductive and deductive reasoning with the real information you find, and then to develop theories about other possibly available pieces of information and test those theories.

At a certain point any investigation, electronic or otherwise, will likely require “boots on the ground” to verify assumptions.

For your reading pleasure I’ve provided a link to a popular story back in 2006 about the accidental release of “anonymous” search results by AOL and the subsequent work done by a NY Times reporter in using aggregated information about search queries to strip anonymity.

http://select.nytimes.com/gst/abstract.html?res=F10612FC345B0C7A8CDDA10894DE404482

Wikipedia entry on the same incident:

http://en.wikipedia.org/wiki/AOL_search_data_scandal