The Cross-Border eDiscovery Challenge & The Possible Accountable Systems Solution

Posted by K Krasnow Waterman on Thu, Jun 18, 2009 @ 13:06 PM

Tags: access control, technology implementing law, privacy technology, technology for lawyers, accountability, knowledge discovery for litigation, information management, data protection, digital evidence, technology for business managers, global outsourcing, information security, digital rights, privacy, eDiscovery, forensics

Cross-border eDiscovery is a hot topic this year. The decreased cost of storage has resulted in nearly everyone retaining massively greater quantities of information. Email and the Web have driven a shift in data to less formal, less structured records and files. And, globalization of business has caused the relevant information for an increasing number of lawsuits to be spread among multiple countries. Courts have instituted new rules for how parties will engage in discovery related to this digital evidence. And, these new rules are putting some lawyers in the cross-hairs of other governmental digital control activities. Lawyers, by and large, are not technologists and the challenges arising from handling this mass of distributed data are proving daunting. Technology vendors are offering significant assistance but still more is required.

Discovery, at its simplest, is the concept that one party to a lawsuit can learn what the opposing party knows that is relevant to the resolution of the case. In the US, this had long been accomplished through gamesmanship and strategy (think, hide-and-seek meets go-fish) while, for example, the UK had moved on to affirmative disclosure, the idea that each side needs to identify the truly relevant and provide it. In either case, the parties have needed to decide what data to preserve and how to search it. For a variety of reasons, corporations are adding and deleting data all the time -- doing things like updating client or supplier addresses, changing prices, adding sales, marking deliveries. So, typically, one needs to select a moment in time that's relevant to the issues in a lawsuit and look at all data from that time or up until that time. This is no easy task, as the challenges of selecting the moment, deciding how to save the data, and which tools will provide the best search result are all subject to debate.

Handling a case that involves data in multiple countries compounds the challenge. The EU has had detailed and tightly controlling rules about the handling of information about people by commercial entities for nearly thirty years. By comparison, the US historically has had a comparatively limited concern about the privacy of people whose identities appear in commercial files. For example, in many cases EU rules prohibit making the sort of "moment in time" copy of entire systems described in the last paragraph and have rules that as a practical matter prohibit sending data about people out of the country. Recently, these rules have come into head-on conflict with courts in the US requiring that certain information be turned over in discovery. The decision not to violate the EU rules has resulted in some significant financial penalties being imposed by US judges, while the decision to violate the EU rules and provide the data in the US has resulted in some equally significant financial penalties being imposed by European judges, leaving litigators between a rock and a hard place.

Much discussion is ongoing about ways to resolve this problem. For example, governmental, public policy, and commercial bodies are discussing possible changes to their rules. New forms of insurance may be offered to indemnify parties caught in the current situation. At the same time, there is a quiet march forward of new technologies which may resolve some of the issues. For example, systems that track each data transaction at a very granular level and account for their compliance with rules, called "accountable systems", are in development. Such systems would make it possible to understand the data in the system at a particular moment in time without requiring a "copy" to be made. And, they would be able to recognize competing data rules and apply the correct ones, wherever the resolution of a rules conflict is possible.  In theory, this technology might also make it possible to transfer the substantive portions of the information without the personal information, so that the parties could define very small subsets that are relevant and actually required to be disclosed, thus limiting the release of personal information to subsets so small that requirements, like notice to the individuals in the data, could reasonably be met.

While this new type of technology offers promise for resolving some of the cross-border eDiscovery challenges without requiring any jurisdiction to change its rules, it has drawn relatively little attention in this context to date.  Perhaps this is because the technology needs to be refined and then implemented in the day-to-day digital business practices of organizations before it can be capitalized upon to address this issue.  How long it will be before this occurs will be driven by how quickly people recognize the problems this technology can solve.


Legal Standards in a Technologically Bifurcated World

Posted by K Krasnow Waterman on Thu, Jan 29, 2009 @ 10:01 AM

Tags: access control, identity management, technology implementing law, privacy technology, technology for business managers, law about technology, public policy, technology b2b customer service, information security

It's not news that our society is divided into technological haves and have-nots.  Much has been written about the advantages lost or gained - education, professional, and social - based upon the primacy and recency of one's technology.  Recently, I've become increasingly attuned to another place where technological caste matters -- legal standards. 

It's been clear to me for quite some time that the lawyer who resonates with technology can do more successful and faster legal research; propound vastly superior discovery requests; and produce substantially more incisive disclosures.  It's now becoming increasingly clear to me that the law itself is being skewed by those of us who live to keep up with the next big thing in technology.  Debates among lawyers rage in my email inbox about the differences in things like encryption technologies and metadata standards, with lots of cool techie references to things like ISO, NIST, Diffie, OASIS, and XACML.  

In the meantime, I was on the Social Security Administration website the other day and they wanted me to use an eight-digit alphanumeric password (case insensitive, no special characters) to upload W2 and other sensitive tax information. My bank's brokerage affiliate is using the same outdated and readily hackable password technology. I still see commercial and bar association websites seeking personal and financial information without indicating that they're using SSL or some other baseline method of securing the information. I still get requests from security professionals to email my Social Security Number. If you're not particularly technical, trust me, none of these are good things.

The distance between these two realities has got me thinking about all the places that these two technological castes will be competing to set legal standards. For example, does a "time is of the essence" clause apply the perception of time of a BlackBerry owner or a person without a laptop?

As the new administration provides the first coordinated national focus on technology, I'd like to add this to the list.  Perhaps the new national CTO (yet to be appointed) could work with the American Bar Association and other leaders to identify a rational strategy for standards setting in such a technologically bifurcated society.

 

 

 


Campaign Hacking a Reminder for Email Security

Posted by K Krasnow Waterman on Fri, Nov 07, 2008 @ 12:11 PM

Tags: access control, technology for lawyers, data protection, technology for business managers, information security, technology management, forensics, cyber-security

Computer hacks were the topic of tech news on the day after Senator Obama's historic election. On Wednesday, Newsweek reported that the Obama and McCain campaigns were the subject of computer hacks during the campaign.  The Obama campaign reported a possible email phishing attack this past summer.  They were ultimately told by federal authorities that both the Obama and McCain campaign computers had been compromised. Reports are circulating that the attacks came from a "foreign entity" and lifted significant amounts of data from both campaigns.

Also on Wednesday, malware creators took advantage of the tremendous interest in the election and began sending emails with "Obama" somewhere in the subject line.  The most common subject lines promised video of a speech, additional election coverage, or new interviews.  One security company alone reported that it had filtered more than 10 million emails in less than 6 hours on Wednesday morning.  Apparently, hundreds of thousands of people sought to open them and were instead infecting their computers with malware.

These two events highlight the importance of email security.  This is the first major election heavily conducted, financed, covered, and influenced on the web.  It reflects the transition to technology for ever-increasing numbers of the population.  And, it reflects our ready acceptance of the transition.

Too many people assume that their spam filter, anti-virus software, etc will protect them.  Yet, any technology professional will tell you that firewalls and software alone are not enough to protect a computer from data theft or destruction.   They'll also tell you that emails are the easiest means of attacking computers because people still act before they think. A huge percentage of hacks rely on "social engineering" - convincing a person to do something that works to the hacker's benefit.  

Education is still a significant tool in the computer security arsenal.  Users must learn to stop and ask themselves whether the email is likely to be what it seems.  First the easy questions: How likely is it that some stranger will really send you millions of dollars?  Is your US bank really going to send you any request from an email address that doesn't contain the company name?  And, if your friend really did lose a wallet on a spur-of-the-moment vacation how likely is it that she'd email you for a credit card number instead of calling her husband, the consulate, or American Express for help?

Is it possible to go the next step and teach users a little technology? They should always check to see if the attachment they're about to open like a present on Christmas morning ends with ".exe" (a file that will execute some program). If it does, they should beware and seek tech support. Or can we teach them to look at the "properties" of the link they're about to click, see the web address ("URL") and recognize that the source is the wrong country? A quick look at the domain registry will make it pretty obvious that something that purports to come from around the corner has a two-letter code that means it's really coming from a country around the world.
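The two manual checks described above can also be run automatically on the mail server's side. The following is an added example, not part of the original post: the sample message, the placeholder country code "xx", the expected-country default and the extra extensions beyond ".exe" are all assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# ".exe" is the extension the post names; the other two are added assumptions.
RISKY_EXTENSIONS = (".exe", ".scr", ".bat")

class LinkCollector(HTMLParser):
    """Collects the real target (href) of every link in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def build_sample():
    """Constructed message: one foreign-looking link, one .exe attachment."""
    m = EmailMessage()
    m["Subject"] = "Obama speech video"
    m.set_content("See the video")
    m.add_alternative('<a href="http://video.example.xx/watch">Watch</a> '
                      '<a href="https://www.example.com/">Home</a>', subtype="html")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="speech_video.exe")
    return m.as_string()

def review_message(raw, expected_cctlds=("us",)):
    """Return (kind, value) findings for risky attachments and link hosts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        # Trailing dots or spaces are stripped so "x.exe." is still caught.
        if name and name.lower().rstrip(". ").endswith(RISKY_EXTENSIONS):
            findings.append(("attachment", name))
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href in collector.hrefs:
                host = urlsplit(href).hostname or ""
                tld = host.rsplit(".", 1)[-1]
                # A two-letter final label is a country code; flag unexpected ones.
                if len(tld) == 2 and tld.isalpha() and tld not in expected_cctlds:
                    findings.append(("link", host))
    return findings
```
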

With so much hacking going on, the problem is no longer just a technical one. More laws are creating responsibility to take reasonable care to protect other people's information and liability for failing to do so. It is important to remember that with these changes, the standard of care is expected to improve, and what was reasonable yesterday may be unreasonable today.



Lucky 13, Nicely Nicely and User Attributes in Identity Management for Access Control

Posted by K Krasnow Waterman on Wed, Aug 15, 2007 @ 09:08 AM

Tags: technology innovation, access control, identity management, technology for business managers, technology, technology management

I've always loved the Guys and Dolls song in which a bunch of guys sing a catchy round about picking their favorite nag at the track. They're telling each other why they've made their pick. It goes like this:

"I got the horse right here
The name is Paul Revere
And here's a guy that says that the weather's clear
Can do, can do, this guy says the horse can do"
...
"I'm pickin' Valentine, 'cause on the morning line
A guy has got him figured at five to nine
...
I know it's Valentine, the morning work looks fine
Besides the jockey's brother's a friend of mine "
...
"And just a minute, boys.
I've got the feed box noise
It says the great-grandfather was Equipoise "

What does this have to do with computers? It provides an easy to understand example of how we make decisions. The gamblers are describing where they got their information and what categories of information matter to them. They rely on a favorite racing form, friends of friends, and gossip from the staff. In the brave new world of dynamic access control, we want to do the same thing to reach an automated decision about what data you can see. Instead of racing forms, we have "trusted sources" or "authoritative data" -- repositories we believe have reliable information. And, instead of the weather, lineage, and distance, we're looking for other categories of facts that consistently help us to reach our decisions.

I've recently done a project in which we attempted to define how many things you really need to know about a system user to decide whether or not s/he can have access to particular government work-related information. The idea was to see if there was a universal core of attributes that most system access rules are seeking. In other words, does the decision about what you can see in the human resources system rely on most of the same categories of information about you as the decision about what you can see in a criminal case file or a person's tax filing? Our answer is "yes," if you create the right sort of categories. And, much to our surprise, our core list is only thirteen attributes.

What's the right sort of category? Other proposals have made each fact its own category. For example, imagine an attribute which indicates whether someone is a law enforcement officer and a different one for whether someone is a lawyer. Organized that way, you would need thousands (millions?) of attribute categories. But, if you say the attribute is "job description" then you can include officer, attorney, and a million other jobs in one attribute category.

Having a small number of needed attribute categories has a tremendous advantage. It means the software can be less complex, handling a smaller number of variables. It means the processing time should be faster. In this design, each system needs to know only the values it cares about. For example, if the access rules for a system only permit government auditors and law enforcement officers to view the data, the particular system doesn't need to know that a person can be a doctor or a dog catcher. It only looks to see if the person seeking access matches (or has an equivalent to) "government auditor" or "law enforcement officer" in his "job description" attribute.

We think the 13 user attributes are:

Employer Name
Employer Subgroup (as many hierarchical levels as needed)
Employer Type (e.g., federal government, private hospital)
Employment Type (e.g., permanent, temporary assignment, contractor)
Job Designation
Location (physical and virtual)
Location Type (permanent, temporary)
Special authorities/licenses (granted by others)
Management Level
Direct Reports
Rating/Reviewing Official
Skill (ability, irrespective of outside grants)
Skill Level

So far, we haven't come across a data access rule we couldn't parse into one of these attributes. If you do, please tell me.
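A sketch of the design described above, added here as an example and not taken from the project: a system holds rules over the thirteen categories and knows only the values its own rules name, plus a small table of equivalents. The key spellings, the equivalence table, the employer-type condition and the sample users in the test are assumptions.

```python
# The 13 attribute categories from the list above, as dictionary keys
# (the key spellings are this example's own).
CORE_CATEGORIES = frozenset({
    "employer_name", "employer_subgroup", "employer_type", "employment_type",
    "job_designation", "location", "location_type", "special_authorities",
    "management_level", "direct_reports", "rating_official", "skill",
    "skill_level",
})

# Hypothetical equivalence table owned by one system: titles it treats as
# equal to the values its rules name. It lists nothing the rules do not need.
EQUIVALENTS = {
    "inspector general auditor": "government auditor",
    "police detective": "law enforcement officer",
}

def normalize(value):
    """Lower-case a value and map it to its equivalent, if one is known."""
    key = value.strip().lower()
    return EQUIVALENTS.get(key, key)

def is_permitted(user, rule):
    """rule maps category -> accepted values; every category must match.

    A user attribute may be one string or a list of strings. An attribute
    the user record lacks is a denial, never a pass.
    """
    unknown = set(rule) - CORE_CATEGORIES
    if unknown:
        raise ValueError(f"categories outside the core list: {sorted(unknown)}")
    for category, accepted in rule.items():
        held = user.get(category)
        if held is None:
            return False
        if isinstance(held, str):
            held = [held]
        if not any(normalize(v) in accepted for v in held):
            return False
    return True

# The rule from the text (auditors and officers only), with an added
# employer-type condition to show two categories combining.
CASE_FILE_RULE = {
    "job_designation": {"government auditor", "law enforcement officer"},
    "employer_type": {"federal government"},
}
```
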




