The Cross-Border eDiscovery Challenge & The Possible Accountable Systems Solution

Posted by K Krasnow Waterman on Thu, Jun 18, 2009 @ 13:06 PM

Tags: access control, technology implementing law, privacy technology, technology for lawyers, accountability, knowledge discovery for litigation, information management, data protection, digital evidence, technology for business managers, global outsourcing, information security, digital rights, privacy, eDiscovery, forensics

Cross-border eDiscovery is a hot topic this year. The decreased cost of storage has resulted in nearly everyone retaining massively greater quantities of information. Email and the Web have driven a shift in data to less formal, less structured records and files. And, globalization of business has caused the relevant information for an increasing number of lawsuits to be spread among multiple countries. Courts have instituted new rules for how parites will engage in discovery related to this digital evidence. And, these new rules are putting some lawyers in the cross-hairs of other governmental digital control activities. Lawyers, by and large, are not technologists and the challenges arising from handling this mass of distributed data are proving daunting. Technology vendors are offering significant assistance but still more is required.

Discovery, at its simplest, is the concept that one party to a lawsuit can learn what the opposing party knows that is relevant to the resolution of the case. In the US, this had long been accomplished through gamesmanship and strategy (think, hide-and-seek meets go-fish) while, for example, the UK had moved on to affirmative disclosure, the idea that each side needs to identify the truly relevant and provide it. In either case, the parties have needed to decide what data to preserve and how to search it. For a variety of reasons, corporations are adding and deleting data all the time -- doing things like updating client or supplier addresses, changing prices, adding sales, marking deliveries. So, typically, one needs to select a moment in time that's relevant to the issues in a lawsuit and look at all data from that time or up until that time. This is no easy task, as the challenges of selecting the moment, deciding how to save the data, and which tools will provide the best search result are all subject to debate.

Handling a case that involves data in multiple countries compounds the challenge. The EU has had detailed and tightly controlling rules about the handling of information about people by commercial entities for nearly thirty years. By comparison, the US historically has had a comparatively limited concern about the privacy of people whose identities appear in commercial files. For example, in many cases EU rules prohibit making the sort of "moment in time" copy of entire systems described in the last paragraph and have rules that as a practical matter prohibit sending data about people out of the country. Recently, these rules have come into head-on conflict with courts in the US requiring that certain information be turned over in discovery. The decision not to violate the EU rules has resulted in some significant financial penalties being imposed by US judges, while the decision to violate the EU rules and provide the data in the US has resulted in some equally significant financial penalties being imposed by European judges, leaving litigators between a rock and a hard place.

Much discussion is ongoing about ways to resolve this problem. For example, governmental, public policy, and commercial bodies are discussing possible changes to their rules. New forms of insurance may be offered to indemnify parties caught in the current situation. At the same time, there is a quiet march forward of new technologies which may resolve some of the issues. For example, systems that track each data transaction at a very granular level and account for their compliance with rules, called "accountable systems", are in development. Such systems would make it possible to understand the data in the system at a particular moment in time without requiring a "copy" to be made. And, they would be able to recognize competing data rules and apply the correct ones, wherever the resolution of a rules conflict is possible.  In theory, this technology might also make it possible to transfer the substantive portions of the information without the personal information, so that the parties could define very small subsets that are relevant and actually required to be disclosed, thus limiting the release of personal information to subsets so small that requirements, like notice to the individuals in the data, could reasonably be met.

While this new type of technology offers promise for resolving some of the cross-border eDiscovery challenges without requiring any jurisdiction to change its rules, it has drawn relatively little attention in this context to date.  Perhaps this is because the technology needs to be refined and then implemented in the day-to-day digital business practices of organizations before it can be capitalized upon to address this issue.  How long it will be before this occurs will be driven by how quickly people recognize the problems this technology can solve.

Article has 0 Comments. Click here to read/write comments

Digital Rights, Copyright Enforcement, and a Proposed Compromise

Posted by K Krasnow Waterman on Sun, Dec 30, 2007 @ 11:12 AM

Tags: technology implementing law, DRM, digital rights, copyright

Music piracy, movie piracy, tv piracy ... we see it in the news all the time. Yesterday's New York Times carried another article about the long-standing battle between major media entities and customers, with the privacy advocacy community weighing in.

The standard arguments go like this:

Media - We own the copyrights. We're only selling you one copy. You're stealing royalties from the artist when you make a copy and give it to your friends and family.

Customer - I bought it. I own it. There are lots of times I can legally share it. No one stops me from copying or lending any book I've bought.

Privacy - We respect media's copyright, but they're overreaching and unnecessarily capturing personal information as part of their attempted solution.

The reality is somewhere in between:

Some of the media's efforts to solve their problem have involved a) locking down the technology to preclude any copying and b) affixing everyone's personal information to the item to facilitate making infringement cases later. Commonly known as "digital rights management" (DRM) they tend to be more "total control' than "management." And, typicaly, these solutions swing the pendulum well past the bounds of traditional copyright law.

The customers aren't entirely in bounds either. Every copy shop I've ever seen will ask for signed permission from the copyright holder if you try to copy chapters or more from a book. And, even the most honest-minded folks tend to forget about the copyright rules at times. Years ago, I was at a dinner where the most otherwise law abiding woman in her 70s asked who wanted her to make them copies of some recent popular movies. (And, I was working for the FBI at the time!) So, some sort of protective action isn't wholly unwarranted.

My proposed compromise:

That dinner has stayed in my mind as the debate has raged and, recently, I had to tackle the question for a small start-up. Since intensively technical solutions were beyond the scope of the budget, I decided to adopt a web analogy to the FBI seal and warning ... a little education, a little guilt, and a little fear.

When a customer purchases the start-up's audio recordings they will get a very short "terms and conditions" statement:

When you buy ONE copy:

Copies on all your personal devices - your PC, your iPOD, etc.
Giving it to ONE person and deleting your copy
Anything permitted under copyright laws

Giving, loaning, selling, etc. to more than one person

If you violate copyright law, you could be convicted of a crime and/or ordered by a court to pay money for the damages caused.

This is short enough and in large enough font that more customers will read it and not just skip to the "I accept these terms" button.  If my beta tests show they're still not reading it, I'll probably code the window so it sits on the screen for 15 seconds, the time it would take to read it out loud.

For those with the massive budgets of the major media companies, the product could be embedded with or wrapped in code that forced a pop up of the terms and conditions each time a copy or transfer was directed.  For those who want more, the five traditionally permissible uses of copyright material could be explained and/or the the copy owner asked whether his reasons are among them.  

I know that this is not a perfect solution or a technically non-trivial one.  But, perhaps it swings the pendulum more to the center.  And, as the old adage says, a good compromise is one in which neither party is completely satisfied.  


Article has 0 Comments. Click here to read/write comments