Privacy

Facebook Wants You to Send Them Your Naked Pictures to Prevent Revenge Porn. I’m Not Kidding: Data Privacy Trends

It sounds crazy, right?  Facebook wants you to stop worrying about your nudes being shared without your consent by actually sending it your nude photos.  It may not be as crazy as it sounds.

In the article Facebook: upload your nudes to stop revenge porn, written by Lisa Vaas on the aptly named site Naked Security (what else?), the concept is introduced this way: “Facebook hasn’t given much detail, but from what little has been shared it sounds like it’s planning to use hashes of our nude images, just like law enforcement uses hashes of known child abuse imagery.”

Just as we generate hash values of documents in eDiscovery to identify duplicates, the same type of technology can be applied to photos.  So, the same photo, or identical copies of it, will always create the same hash.  A hash of your most intimate picture is no more revealing than this example provided in the article:

48008908c31b9c8f8ba6bf2a4a283f29c15309b1

Since 2008, the National Center for Missing & Exploited Children (NCMEC) has made available a list of hash values for known child sexual abuse images, provided by ISPs, that enables companies to check large volumes of files for matches without those companies themselves having to keep copies of offending images or to actually pry open people’s private messages.

The hash originally used to create unique file identifiers was MD5, but Microsoft at one point donated its own PhotoDNA technology (which creates a unique signature for an image by converting it to black and white, resizing it, and breaking it into a grid) to the effort.
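The difference between the two kinds of hash, as an added example that is not from the article or from Facebook, NCMEC or Microsoft: a file hash (SHA-1 here, chosen because it yields 40 hex digits like the sample above) matches only byte-identical copies, while a grid-based signature survives small changes. The signature below is a simplified average-of-grid scheme in the spirit of the PhotoDNA description, not PhotoDNA itself; the 8x8 grid, the 6-bit threshold and the test images are assumptions constructed for the illustration.

```python
import hashlib

GRID = 8          # signature has GRID x GRID = 64 bits (assumed size)
MAX_DISTANCE = 6  # assumed match threshold: bits allowed to differ


def file_hash(pixels):
    """Exact-match identifier: SHA-1 over the raw RGB bytes."""
    raw = bytes(c for row in pixels for px in row for c in px)
    return hashlib.sha1(raw).hexdigest()


def grid_signature(pixels, grid=GRID):
    """Grey-scale the image, average it down to grid x grid cells, then emit
    one bit per cell: 1 if the cell is brighter than the image overall.
    Assumes width and height are multiples of `grid`."""
    gray = [[(299 * r + 587 * g + 114 * b) // 1000 for r, g, b in row]
            for row in pixels]
    ch, cw = len(gray) // grid, len(gray[0]) // grid
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            block = [gray[y][x]
                     for y in range(gy * ch, (gy + 1) * ch)
                     for x in range(gx * cw, (gx + 1) * cw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    sig = 0
    for c in cells:
        sig = (sig << 1) | int(c > mean)
    return sig


def distance(sig_a, sig_b):
    """Hamming distance: number of grid cells whose bit differs."""
    return bin(sig_a ^ sig_b).count("1")


def same_picture(sig_a, sig_b, max_distance=MAX_DISTANCE):
    """Treat two signatures as the same picture if few enough bits differ."""
    return distance(sig_a, sig_b) <= max_distance


def clamp(v):
    return max(0, min(255, v))


# --- constructed 64x64 test images (not real photos) ---
def gradient(horizontal=True, size=64):
    """Grey ramp running left-to-right (horizontal) or top-to-bottom."""
    return [[(4 * (x if horizontal else y),) * 3 for x in range(size)]
            for y in range(size)]


def resaved(pixels):
    """Copy with every pixel nudged by -2..+2, standing in for the small
    changes a re-save or recompression introduces."""
    return [[tuple(clamp(c + (x * 7 + y * 13) % 5 - 2) for c in px)
             for x, px in enumerate(row)]
            for y, row in enumerate(pixels)]


def compare(a, b):
    """Return (file hashes equal?, signature distance, treated as match?)."""
    sa, sb = grid_signature(a), grid_signature(b)
    return file_hash(a) == file_hash(b), distance(sa, sb), same_picture(sa, sb)


if __name__ == "__main__":
    original = gradient(horizontal=True)
    print("identical copy :", compare(original, [row[:] for row in original]))
    print("re-saved copy  :", compare(original, resaved(original)))
    print("other picture  :", compare(original, gradient(horizontal=False)))
```

The re-saved copy no longer shares a file hash with the original but still matches on the grid signature, which is why exact hashes alone would miss a re-encoded upload.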

Facebook hasn’t provided any detail as to whether that’s the technology it plans to use, but it has announced a pilot program with four countries – the UK, the US, Australia and Canada – in which people will typically be advised to send the photos to themselves via Messenger.  Facebook says that it won’t be storing nude pictures but will use photo-matching technology to tag the images after they’re sent via its encrypted Messenger service.  In theory, that would be enough to enable Facebook to take action to prevent any re-uploads, without the photo being stored or viewed by employees.

The author notes that she has submitted questions to Facebook for more info and poses an interesting question in the article: “For example, what safeguards are in place to ensure that people can’t take any old picture they want – a non-porn publicity photo, for example – and send it in, under the false premise that it’s a nude and that it’s a photo they themselves have the rights to have expunged from social media circulation?”

Good question.  Nonetheless, it’s an interesting concept and idea to prevent revenge porn – provided you can actually convince people to upload those photos and trust Facebook with them.

So, what do you think?  Do you trust hash technology to keep your most embarrassing photos from becoming public? As always, please share any comments you might have or if you’d like to know more about a particular topic.

Hat tip to Sharon Nelson and her Ride the Lightning blog (my go to source for interesting cybersecurity news) for the reference to the story.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Last Year the Panama Papers, This Year the Bermuda Briefs?: Cybersecurity Trends

Last year, we covered the massive data breach at Panama-based law firm Mossack Fonseca (11.5 million documents, 2.6 total TB – yes, terabytes – of data stolen) that has come to be known as the “Panama Papers”.  Now, a Bermuda law firm has finally admitted to a data breach that evidently occurred last year.

According to The Register (Panic of Panama Papers-style revelations follows Bermuda law firm hack, written by John Leydon), Bermuda-based firm Appleby only admitted it had suffered the breach – which actually happened last year – after a group of journos from the International Consortium of Investigative Journalists (ICIJ), who had seen the leaked information, began asking awkward questions.

In a statement, Appleby denied allegations of any tax evasions or other wrongdoing by itself or its clients while admitting that it was “not infallible”. The law firm went on to state that it had shored up its security since the hack, stating “We are committed to protecting our clients’ data and we have reviewed our cyber security and data access arrangements following a data security incident last year which involved some of our data being compromised. These arrangements were reviewed and tested by a leading IT Forensics team and we are confident that our data integrity is secure.”

The Daily Telegraph (subscription required) reported that the leak involved some of Britain’s wealthiest people, who were said to be consulting lawyers and public relations executives in preparations for possible fallout from the hack.

Hat tip (as always) to Ride the Lightning, who noted that Appleby employs 470 staffers and operates from 10 offices across the world. It has stated that it offers services to global public and private companies, financial institutions as well as “high net worth individuals.”

It seems like a lot of “high net worth individuals” are getting their information stolen these days.  As Willie Sutton was reported to have said about why he robbed banks (though he denied saying it in later years) – because that’s where the money is.  Glad I don’t have that problem!  ;o)

BTW, if the term “Bermuda Briefs” takes off, you heard it here first…

So, what do you think?  What should happen to a law firm (or any organization) that fails to report a data breach in a timely manner?  As always, please share any comments you might have or if you’d like to know more about a particular topic.


Windows 10 Fails to “Go Dutch” When it Comes to Protecting Privacy: Data Privacy Trends

After yesterday’s story regarding SCOTUS taking up the Microsoft Ireland case, I’m not trying to make this “bad news week” for Microsoft, but with GDPR looming next year, this seemed like a good story to cover…

According to Silicon (Windows 10 Data Collection Branded A Breach Of Dutch Privacy Law, written by Roland Moore-Colyer), the Dutch Data Protection Authority (DPA) has declared that Windows 10 breaches the data protection law in the Netherlands over the way it processes personal information.

A report filed by the DPA says that Microsoft failed to clearly inform its users on what type of data it was collecting and using and the agency claimed that Windows 10 users “lack control of their data” due to the way Microsoft harvests information.

“It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself,” said Wilbert Tomesen, vice-chairman of the DPA.

“What does that mean? Do people know about this? Do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves.”

Microsoft said it had made complying with Dutch law a priority to avoid having any sanctions imposed against it, but also responded justifying why it collects Windows 10 data and explaining that a recent update spells out its data collection policy.

“Since launching Windows 10, we’ve been on a journey listening to feedback from customers and collaborating with regulators around the world,” said Marisa Rogers, Microsoft’s Windows and devices group privacy officer.

“As a result, we’ve made improvements to ensure all versions of Windows 10 meet our customers’ privacy needs and expectations. For example, we’ve worked with Swiss and French data protection authorities to incorporate their guidance, subsequently improving the privacy controls in Windows 10 Home and Pro and earning their positive assessments of the changes.”

“This year we have released a new privacy dashboard and several new privacy features to provide clear choices to our customers and easy-to-use tools in Windows 10. Next week, we have even more privacy improvements coming in the Fall Creators Update.”

Given its current Dutch conundrum, Microsoft’s current feelings about the Dutch may mirror those of this guy

With the General Data Protection Regulation (GDPR) standard designed to strengthen and unify data protection for all individuals within the European Union (EU) going into effect next May (May 25th, to be exact), expect to continue to see more scrutiny on all companies and their data privacy policies.  And, if you think GDPR doesn’t apply to your firm, you may be wrong about that.

So, what do you think?  Is your organization preparing for GDPR?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Also, I’m excited to report that eDiscovery Daily has been nominated to participate in The Expert Institute’s Best Legal Blog Contest in the Legal Tech category!  Thanks to whoever nominated us!  We’re fading fast, but if you enjoy our blog, you can vote for it and still help it win a spot in their Best Legal Blogs Hall of Fame.  You can cast a vote for the blog here.  Thanks!


To No One’s Surprise, Worldwide Spending on Cybersecurity is Up: Cybersecurity Trends

Can you guess what the global spend on cybersecurity will be this year?  Gartner recently provided a forecast; see how close you can come to guessing the amount.  The answer is at the bottom of this post – the picture of this well-known astronomer should provide some clue.

In their press release from August announcing the forecast and report (I would quote the title, but that would give away the answer), Gartner forecasted fast growth in the security testing market (albeit from a small base) due to continued data breaches and growing demands for application security testing as part of DevOps. Spending on emerging application security testing tools, particularly interactive application security testing (IAST), will contribute to the growth of this segment through 2021.  So, if you want to get into a career growth area, security testing sounds like a good one.

Gartner says that security services will continue to be the fastest growing segment, especially IT outsourcing, consulting and implementation services. However, hardware support services will see growth slowing, due to the adoption of virtual appliances, public cloud and software as a service (SaaS) editions of security solutions, which reduces the need for attached hardware support overall.

Another factor that will lead to increases in security spend, according to Gartner: The EU General Data Protection Regulation (GDPR) has created renewed interest, and will drive 65 percent of data loss prevention buying decisions today through 2018 (not to mention some eDiscovery buying decisions too).  And, if you don’t think your firm or organization is subject to GDPR, you may want to read this.

However, by 2021, Gartner reports that more than 80 percent of large businesses in China will deploy network security equipment from a local vendor.  China’s recently approved cybersecurity law will contribute to further displacement of U.S.-manufactured network security products with local Chinese vendors. Despite an increase of 24 percent in 2016, Gartner expects end-user spending growth in Asia/Pacific to return to single-digit yearly growth from 2018 onward, as a result of a decline in average selling prices (ASPs), due to the more competitive pricing of Chinese solutions.

So, how big is the global cybersecurity market?  According to Gartner, worldwide spending on information security products and services will reach $86.4 billion in 2017, an increase of 7 percent over 2016, with spending expected to grow to $93 billion in 2018.  In other words, “billions and billions” as famous astronomer Carl Sagan was known to say.

More detailed analysis is available to Gartner clients in these two reports: Forecast Analysis: Information Security, Worldwide, 1Q17 Update and It’s Time to Align Your Vulnerability Management Priorities With the Biggest Threats.

So, what do you think?  Has your organization increased spending on cybersecurity products and services? Please share any comments you might have or if you’d like to know more about a particular topic.


Retired NIST Expert Says His Advice on Creating Passwords was Wrong: Cybersecurity Best Practices

If you’re a person who takes password security seriously and followed advice to create passwords that use a combination of lower and upper case letters, numbers and special characters to foil hackers, good for you.  Unfortunately, that advice was wrong, according to the National Institute of Standards and Technology (NIST) and the retired expert who authored that advice in the first place.

According to The Wall Street Journal (The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!, written by Robert McMillan), the author of an 8-page primer written in 2003 which advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers – and to change them regularly – has admitted the advice was largely incorrect.

Back in 2003, as a midlevel manager at NIST, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.”  The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.

The problem is the advice ended up largely incorrect, Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he lamented. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.  The advice that demanded a letter, number, uppercase letter and special character – such as an exclamation point or question mark – was also wrong.  Years of research have shown that these measures actually don’t do that much to foil hackers.

“Much of what I did I now regret,” said Burr, 72 years old, who is now retired.

In June, Special Publication 800-63 got a thorough rewrite, led by Paul Grassi, an NIST standards-and-technology adviser, which resulted in removal of several of these password commandments.  The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, Grassi said. Those rules did little for security—they “actually had a negative impact on usability,” he said.

NIST’s newly updated guide instead encourages a long, easy-to-remember string of words.  In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word, whereas the password Tr0ub4dor&3 (a typical example of a password using Burr’s old rules) could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.

With data accumulated over the last decade or so (which wasn’t available to Burr back then), experts have concluded that the password recommendations from 2003 don’t work because we tend to gravitate toward the same old combinations over and over.  With that in mind, Grassi thinks his former colleague Burr is being a little bit hard on himself over his 2003 advice.

“He wrote a security document that held up for 10 to 15 years,” Grassi said. “I only hope to be able to have a document hold up that long.”

So, what do you think?  Do you use 2003 recommendations to create your passwords?  Please share any comments you might have or if you’d like to know more about a particular topic.


DOJ Asks SCOTUS to Take on Microsoft Case and Verizon Suffers its own Data Breach: eDiscovery Trends

A rare two-topic day, but both are notable…

Remember the Microsoft Ireland Warrant case, where the Second Circuit reversed earlier rulings and denied the government’s efforts to compel Microsoft to provide emails in that case?  It may not be over yet.

According to The Recorder (Government Asks SCOTUS to Overturn Microsoft Decision on Overseas Data, written by Ben Hancock), the Department of Justice last month asked the U.S. Supreme Court to overturn that landmark appeals court decision handed down last summer in favor of Microsoft Corp. that put their company data stored overseas mostly out of reach of U.S. law enforcement.  The case stems from a warrant issued in December 2013 by a U.S. magistrate judge in the Southern District of New York directing Microsoft to turn over a criminal suspect’s email data. Microsoft determined that the data was stored at its center in Dublin, and subsequently moved to quash the warrant. The district judge denied that request, but Microsoft prevailed in an appeal to the circuit court.

Here’s a link to the Petition for a Writ of Certiorari filed by the DOJ.

If the government’s petition is taken up by the high court, its decision could introduce some measure of clarity (and hopefully consistency) in the multiple legal battles playing out around the country over whether prosecutors can enforce warrants for private data stored abroad in the cloud.  For example, while Microsoft has prevailed so far in this case, Google has had two rulings go against it earlier this year in similar cases.

“It seems backward to keep arguing in court when there is positive momentum in Congress toward better law for everyone,” Brad Smith, Microsoft’s chief legal officer, said in a blog post responding to the DOJ petition. “The DOJ’s position would put businesses in impossible conflict-of-law situations and hurt the security, jobs, and personal rights of Americans.”

It will be interesting to see if SCOTUS takes the case, or we see legislation that clarifies expectations regarding data stored overseas.  Thanks to ACEDS for the tip on this story.

In other news…

As reported by ZDNet, as many as 14 million records of subscribers who called Verizon’s customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, an Israel-based company.  The data was downloadable by anyone with the easy-to-guess web address.

Chris Vickery, director of cyber risk research at security firm UpGuard, who found the data, privately told Verizon of the exposure shortly after it was discovered in late-June.  It took over a week before the data was eventually secured.  The customer records were contained in log files that were generated when Verizon customers in the last six months called customer service.

Each record included a customer’s name, a cell phone number, and their account PIN – which, if obtained, would grant anyone access to a subscriber’s account, according to a Verizon call center representative, who, according to ZDNet, spoke on the condition of anonymity as they were not authorized to speak to the press.

A Verizon spokesperson told CNBC on Wednesday that, “[a]s a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access.  We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”

Verizon said the number of subscribers affected was “overstated” and that the PINs that were available during the breach aren’t actually linked to customer accounts but rather were numbers used to authenticate customers at call centers.

Verizon, of course, produces its excellent Data Breach Investigations Report every year (we’ve covered it the last three years).  Will they have anything to say about their own data breach in next year’s report?  We’ll see.

So, what do you think?  Should data stored internationally, but accessed in the US, be subject to subpoena?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Also, if you’re going to be in Houston on July 20, Women in eDiscovery (WiE) Houston Chapter, in partnership with South Texas College of Law, will be hosting the inaugural eDiscovery “Legal Technology Showcase & Conference” at South Texas College of Law in downtown Houston.  I will be participating as a panelist on the “State of the Industry” panel and my colleague, Karen, will be moderating the “Legal Operations and Litigation Support” panel.  Click here for more information about the conference, including how to register!


Anthem Agrees to Pay Over $100 Million to Settle Data Breach Lawsuit: Cybersecurity Trends

One of the most notable data breaches in recent years was the one suffered by health insurer Anthem involving the personal information of nearly 80 million individuals.  It looks like they are going to pay up big to make the class-action lawsuit that was filed in response to that massive data breach go away.

MedCity News (Anthem to pay record $115 million to settle data breach lawsuit, by Erin Dietsche), reports that the settlement must still be approved by a court, but if it is, it will stand as the biggest data breach settlement in history.

Back in 2015, the Indianapolis, Indiana-based insurer was the victim of a cyberattack that involved the Social Security numbers, birthdates, addresses and healthcare ID numbers of 78.8 million people. At that time, Anthem said in a statement, it provided two years of credit monitoring and identity protection services to all impacted individuals.

Nonetheless, more than 100 lawsuits were filed against Anthem that were eventually consolidated.

As part of the $115 million settlement, Anthem will give data breach victims at least two years of credit monitoring and provide cash compensation for individuals who already enrolled in credit monitoring. The health insurer will also cover the out-of-pocket expenses victims have incurred as a result of the data breach.

On top of that, Anthem has to allocate a certain amount of money for security purposes and make specific changes to its data security systems.

In a statement, the insurer said the settlement “does not include any finding of wrongdoing.” Anthem added that it “is not admitting any wrongdoing or that any individuals were harmed as a result of the cyberattack.”

Anthem continued: “Nevertheless, we are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

In a related article by the same author, it appears that Google has begun removing people’s private medical records from its Search results.  Maybe it will soon be more difficult to find (intentionally or inadvertently) someone’s medical records online.

So, what do you think?  Is this the start of a trend?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

BTW, if you’re a member of a solo or small law firm or want to learn how to simplify the discovery process, feel free to check tomorrow’s webcast!



Google Again Ordered to Produce Internationally Stored Data: eDiscovery Case Law

In the case In re: Search of Content that is Stored at Premises Controlled by Google, Case No. 16-80263 (N.D. Cal., Apr. 19, 2017), California Magistrate Judge Laurel Beeler, noting that the “SCA regulates disclosure of data in a service provider’s possession”, ordered Google to “produce all content responsive to the search warrant that is retrievable from the United States, regardless of the data’s actual location”.

Case Background

A search warrant was issued in June 2016 that authorized production of information from specific Google email accounts regarding subscriber information, evidence of specified crimes, and information about the account holders’ true identities, locations, and assets.   Google did produce data “confirmed to be stored in the United States” including emails, but did not include the attachments for emails because they were not “confirmed” to be stored in the United States.  Google also moved to quash or amend the search warrant, which the government opposed, countering that the SCA authorizes production of data retrievable from the United States.

The court held a hearing in February 2017 and directed (1) the parties to submit a joint stipulation of undisputed facts relevant to the extraterritoriality analysis and (2) Google to provide information about its current ability to identify whether information is stored in the United States, given its representation at the hearing that it was finalizing a tool to identify whether or not content was stored in the United States.  The parties provided additional information in March.

Judge’s Ruling

As in the previous ruling against Google, Judge Beeler reviewed the Second Circuit ruling (Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016)), where the Second Circuit denied the government’s efforts to compel Microsoft to provide emails in that case.  However, Judge Beeler noted that “the parties stipulate that the only place to access the information is in the United States” and stated that “the conduct relevant to the focus — and what the SCA seeks to regulate — is disclosure of the data in the service provider’s possession…The service provider — Google — is in the district and is subject to the court’s jurisdiction; the warrant is directed to it in the only place where it can access and deliver the information that the government seeks.”

Judge Beeler, in denying Google’s motion to quash the warrant for content that it stores outside the United States and ordering it to produce all content responsive to the search warrant that is retrievable from the United States, regardless of the data’s actual location, concluded that “the disclosure is a domestic application of the SCA”.

So, what do you think?  Should the location of the data or the location of the searches for the data determine whether it is subject to foreign data privacy considerations?  Please share any comments you might have or if you’d like to know more about a particular topic.


Want to Find Malware in Your Network Sooner? Listen to Your Network: Cybersecurity Best Practices

One of the most telling statistics about cybersecurity and data breaches that we covered during Wednesday’s webcast was from last year’s Verizon Data Breach Incident Report which said that almost 93 percent of breach compromise incidents occur within minutes, with 11 percent of those occurring within seconds. But, less than 25 percent of those breaches are discovered within days.  Maybe your network traffic holds the key to detecting malware sooner.

According to this article in the Georgia Tech News Center by John Toon (with an assist by Sharon Nelson of the Ride the Lightning blog), security administrators could detect malware infections weeks or even months before they’re able to capture a sample of the invading malware by analyzing network traffic going to suspicious domains.  Findings in a new study illustrate the need for new malware-independent detection strategies that will give network defenders the ability to identify network security breaches in a timelier manner.

As the article notes, the strategy would take advantage of the fact that malware invaders need to communicate with their command and control computers, creating network traffic that can be detected and analyzed. Having an earlier warning of developing malware infections could enable quicker responses and potentially reduce the impact of attacks, the study’s researchers say.

In the study, Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology, Graduate Research Assistant Chaz Lever and colleagues analyzed more than 5 billion network events from nearly five years of network traffic carried by a major U.S. internet service provider (ISP). They also studied Domain Name System (DNS) requests made by nearly 27 million malware samples, and examined the timing for the re-registration of expired domains – which often provide the launch sites for malware attacks.

The researchers had hoped that the registration of previously expired domain names might provide a warning of impending attacks, but found there was often a lag of months between when expired domains were re-registered and attacks from them began.  The research required development of a filtering system to separate benign network traffic from malicious traffic in the ISP data.  By studying malware-related network traffic seen by the ISPs prior to detection of the malware, the researchers were able to determine that malware signals were present weeks and even months before new malicious software was found.

The chart above (courtesy of Georgia Tech) shows the time difference between when malware signals were detected in the network traffic of a major ISP and when the malware appeared on black lists.

In all, the researchers found more than 300,000 malware domains that were active for at least two weeks before the corresponding malware samples were identified and analyzed.  The participants hope their study will lead to development of new strategies for defending computer networks.
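The measurement the study describes can be sketched as follows. This is an added example, not code from the study or from the original post: given DNS query logs and a blacklist with listing dates, it reports each blacklisted domain whose traffic was visible at least two weeks before it was listed. The log format, domain names, client addresses and dates are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: "<ISO timestamp> <client> <queried name>" per line.
DNS_LOG = """\
2017-01-03T08:15:02 10.0.0.12 update.example-cdn.test
2017-01-03T08:15:40 10.0.0.12 www.example.org
2017-01-19T22:01:11 10.0.0.47 update.example-cdn.test
2017-02-20T03:30:00 10.0.0.12 c2.example-bad.test
2017-02-27T03:30:05 10.0.0.99 C2.Example-Bad.test.
malformed line without timestamp
2017-03-01T10:00:00 10.0.0.12 late.example-known.test
"""
# Constructed blacklist: domain -> date it first appeared on the list.
BLACKLIST = {
    "example-cdn.test": "2017-03-10",
    "example-bad.test": "2017-03-01",
    "example-known.test": "2017-02-01",
}

def registered_domain(name):
    """Normalise a queried name and keep its last two labels (assumption:
    no multi-label public suffixes such as co.uk in the data)."""
    labels = name.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def first_seen(log_text):
    """Earliest query time and set of clients per registered domain."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            client, name = parts[1], parts[2]
        except (ValueError, IndexError):
            continue  # skip lines that do not parse
        dom = registered_domain(name)
        first, clients = seen.get(dom, (ts, set()))
        seen[dom] = (min(first, ts), clients | {client})
    return seen

def early_signals(log_text, blacklist, min_lead=timedelta(days=14)):
    """Blacklisted domains whose traffic predates listing by >= min_lead."""
    out = {}
    for dom, (first, clients) in first_seen(log_text).items():
        if dom in blacklist:
            lead = datetime.fromisoformat(blacklist[dom]) - first
            if lead >= min_lead:
                out[dom] = (lead.days, sorted(clients))
    return out
```

The list of clients returned for each domain is the set of internal hosts to review first, since they were contacting the domain before any blacklist would have flagged it.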

So, what do you think?  Could this become a breakthrough in defending against malware?  Please share any comments you might have or if you’d like to know more about a particular topic.


Today’s the Day to Learn What You Need to Know About Cybersecurity and Data Privacy in 2017: Cybersecurity Best Practices

As we’ve recently noted (here and here), data breaches are happening within organizations at an alarming rate, and sensitive data is being compromised regularly.  It’s enough to make you wanna cry.  Here’s where you can find out what you can do to protect yourself, your firm and your client from becoming a victim and also what you need to do to keep up with ever-changing requirements for data security, both within the US and internationally.

Today at noon CST (1:00pm EST, 10:00am PST), CloudNine, along with our friends, the cybersecurity experts at Firm Guardian, LLC, will conduct the webcast What Attorneys Need to Know About Cybersecurity and Data Privacy in 2017.  This one-hour webcast will discuss what you need to know today about cybersecurity and data privacy to protect the sensitive data that your organization manages every day.  Examples of topics being discussed include:

  • The State of Cybersecurity in the U.S. in 2017
  • Top Threats Facing Your Practice
  • Your Responsibility to Your Clients: The High Cost of Data Leaks
  • How to Protect Your Firm and Your Clients
  • Recent Developments in International Data Privacy
  • Criteria for Evaluating Providers in Your eDiscovery Projects
  • Ethics Considerations
  • Looking Forward: The Future of Cybersecurity in the Legal Field

I’ll be presenting the webcast along with Julia Romero Peter, General Counsel and VP of Sales at CloudNine, and joining us from Firm Guardian will be Sean Hall, CEO at Firm Guardian, and Paul Cobb, the company’s COO.  The Firm Guardian team has over 30 years of combined experience dealing with foreign and domestic cyber-threats against government and military targets.  So, they have a lot of good information to share to help your organization combat those threats!

To register for the webcast, click here.  Don’t be this firm.

So, what do you think?  Do cybersecurity and data privacy concerns keep you up at night?  They did for this lawyer.  Please share any comments you might have or if you’d like to know more about a particular topic.
