Rossander’s Security Reader

Who owns your contact list? Is your rolodex yours or is it intellectual property of your employer? And how does that rule change when your rolodex is really your LinkedIn account?

Two recent court cases out of the UK concluded that your contact list may well belong to your employer. The first involves the UK arm of a US publishing group, PennWell Publishing (UK). In this case, a departing employee burned 18 files containing contact details for industry members and conference attendees onto a CD. While at the company, the employee had stored both personal and work contacts in his email account address book. As the database contained his own “journalistic contacts”, he believed he was entitled to a copy when he left to set up a competing business. Despite a strong argument by the former employee about “the highly personal nature of the files”, the judge found that an address list in the email system and backed up by the employer is exclusively the employer’s. He went further and said that not only is the employee not entitled to exclusive use of his former address book, he is not even entitled to shared use and was permanently enjoined from using the address list. This was true even though the list was started from a list that the employee brought from his previous employment and updated himself and despite the fact that it contained a proportion of purely personal contacts.

In the second case, a former Hays Specialist Recruitment employee was forced to disclose business contacts added to his LinkedIn account before leaving the company. Again, the company’s motivation was the employee’s use of the contacts to set up a competing business.

Some forms of intellectual property are clear. Stealing the recipe for Coca-Cola, employee lists showing SSNs, the company’s strategic plans or patented machine designs is bad. Whether a customer roster belongs on that list depends a lot on the company’s business model. And whether your own address book counts as a customer roster may depend on your position within the company – there’s a stronger argument if you’re in Sales than if your rolodex consists mostly of IT vendors.

The line between personal and business life is increasingly blurry – and that blurriness helps companies more often than not in my opinion. Often, you want the personal connection of a human name in the contact list. I am not in favor of a blanket rule that you can never mix personal and business contacts. We need to be careful about putting too many barriers in the way of our employees.

In some cases, you can get around the problem by setting up role-based accounts for the company. For example, when I was working the company’s domain registrations, I set up an account called “dom-admin”. All the contacts, registration credentials, alert messages, etc were made in that dummy account’s name. For convenience, the account forwarded to my internal email but everything stayed with the dummy account. When I moved out of that role, we simply switched the forwarding to the new person. It really helped our continuity. That doesn’t work for every situation, though.

Whatever the policy is, your company needs to make the policy clear especially in this age of expanding social media and networking. If your rolodex is yours, fine. If it’s the company’s, make sure your employees know the rule ahead of time. The company’s Social Medial policy is a good place to make clear who owns your contact list. If the policy isn’t clear, push the issue. Ambiguity is good for nobody but the lawyers.

A federal judge in Los Angeles ruled recently that a computer server’s RAM (random-access memory) is a tangible document that can be stored and must be turned over in a lawsuit. The judge is an idiot.

Background

The case is about copyright infringement. The Motion Picture Association of America (MPAA) is trying to force TorrentSpy, a file-sharing site, to turn over data about visitors to their website. TorrentSpy replied that they don’t keep logs on their users – they are merely an intermediary, allowing data to pass through their website unscreened. They essentially said that they have no data to turn over. Unhappy with that answer, Judge Jacqueline Chooljian ordered TorrentSpy to begin logging user information and to turn that data over to the MPAA.

Unfortunately, the only way that the judge can make that order is to make some real leaps of logic. Companies are required to cooperate with fact-finding requests for documents. That’s what the whole “discovery” thing is about. Our judicial system is based on the assumption that if we can get all the facts on the table, we can quickly figure out who’s right, who’s wrong and how to make the victim whole. (Remember that this is a very different standard from the criminal “innocent until proven guilty” rule.) If you have a document that might be relevant to the case, you are required to produce it to the other side and to the court.

There are a few limits to that broad discovery, however. You can hold back documents (or parts of documents) that are attorney-client privileged or that contain confidential information like SSNs, medical details, etc as long as those details are not relevant to the case. You also can not be compelled to produce documents you don’t have. Courts are not supposed to be able to force you to create new records or documents just to respond to a discovery request.

TorrentSpy does not log user transactions during their normal operations. They do so to protect users’ privacy and because they have no operational need for the data in their normal course of business. MPAA argues that it also makes it easier for people who download pirated material to work in the shadows. They may be right. Regardless, TorrentSpy argued that requiring them to turn on logging is the same as requiring them to begin creating new documents just for this case. From a legal point of view, they’re right.

The judge got around this by arguing that the data already exists in the computer’s RAM. Therefore, she is not asking them to create new documents, merely to produce existing data in a more usable form. You can read the original order here. She does cite some other Ninth Circuit decisions involving RAM but, in my opinion, she is either misreading or misapplying the underlying facts.

RAM is not and can not be considered a “document” for the purposes of eDiscovery. RAM is the ephemeral memory that the computer uses to make calculations and to quickly access the data in other places. Think of RAM as the one that you carry in your head when adding a column of digits. (The data on your hard-drive may hold the result of your calculation in a spreadsheet but that’s a completely different kind of memory. The hard-drive data generally is reasonably accessible.) There is no possible way to record the billions of transactions per second that flash through the RAM of even a small computer. Attempting it would consume more permanent memory than exists in the world. And, by the way, writing all that content also requires transactional decisions and data that pass through RAM. The act of recording it spoliates it.

Okay. The judge is not really an idiot. She is seeking a justification to force cooperation from a company that’s not really playing fair. She wants them to turn on logging. Logging is cheap and easy – at least compared to most other electronic discovery activities. From a social policy point of view, I’m torn. TorrentSpy probably should be cooperating and not being stupid about the “costs of logging” and the applicability of Dutch privacy law. On the other hand, TorrentSpy is not being accused of any direct misdeeds. They are being pulled in as a third-party in MPAA’s attempt to sue their own customers. MPAA’s heavy-handed approach is not winning them any friends. Whichever side you agree with, though, the judge’s contortions about the technological facts of RAM to make her rationalization will get used as precedent outside this narrow circumstance. As the saying goes, “Bad facts make bad law.”

The judge’s decision is already being appealed and has been stayed pending that decision. Her decision has been upheld once but appeals continue. On both technological and legal grounds, I sincerely hope that her decision is overturned. Congress needs to address the problem of compelling cooperation from companies like TorrentSpy but they need to do it cleanly – a new law, not judicial twisting and rationalization.

Here is the article I wish I’d written about Facebook. It’s a bit long but it’s very good and has some funny bits.
10 Security Reasons to Quit Facebook (And One Reason to Stay On) by Joan Goodchild of CSOonline.

The short version boils down to:

• Facebook makes it way too easy for young adults to post things that become forever part of their online history – they sabotage their own privacy without realizing it.
• Facebook does not have your interests at heart. They’re a business and they don’t really buy into the whole privacy concept. That’s why, for example, they don’t really care or even notice when their frequent redesigns disrupt your privacy settings.
• Spam, ads and other targetted malicious stuff.
• And finally, the quote from George Straight’s “All my ex’s live in Texas” and the implications in an internet world was just beautiful.

On the flip side, here’s another article with a possible solution. Even though Facebook doesn’t get it, some developers do and they are posting free Facebook apps to manage the privacy settings for you. It won’t solve all the problems of Facebook but it can mitigate some. If you are a Facebook user, stongly consider using one of these new privacy management apps.

… is an oxymoron. Read this WSJ article for more. Not much else to say except the obvious. When you sign up for a free service, you generally get what you paid for, especially in the area of privacy. Never post anything online that you’d be embarrassed to see on tomorrow’s front page.

It’s not often that I burst out laughing while reading a computer security article. Still less often when I’m reading an HR blog. This article and the comments at the end were a rare treat.

In case the link doesn’t work for you, the author tells a compelling story about how hard it is to get people to lock their computers when they step away from their desks. I agree – it’s miserable trying to convince people that this is an important security control that they should spend time on. You can teach, nag, cajole and people still walk away “just for a minute” and leave their computers open to any hacker in the building. (And if you think you have complete control of the physical facility, you’re kidding yourself.)

Rather than more fruitless policing by one or two committed security geeks, release the goons! Let employees prank each other when someone is careless enough to leave a computer unlocked. Drafting and even sending emails from the unsecured computer is an old trick but must be done with caution – it’s supposed to be a prank, not a career-ending fraud. Better are more personal pranks like changing a Browns fan’s wallpaper to a Steelers logo, changing the autocorrect in MS Word or, my new favorite, flipping the monitor. A harmless prank or three might finally get people to lock those screens.

A few thoughts, though. Make sure that the pranks are harmless. You want to apply judicious social pressure in support of the corporate policy. Workplace bullying is nothing to trifle with. Don’t let it go too far. Second, be very sure that tactic is a good fit for the culture of the team. Tight-knit, high-functioning workgroups have more tolerance for social controls than newly formed or distrustful groups. Finally, be very cautious before “pranking” a subordinate. Behavior that’s completely acceptable with a peer could land the manager in a lawsuit.

Hope you enjoy the article as much as I did.