Archive for the ‘Records Retention’ Category

A federal judge in Los Angeles ruled recently that a computer server’s RAM (random-access memory) is a tangible document that can be stored and must be turned over in a lawsuit. The judge is an idiot.

Background

The case is about copyright infringement. The Motion Picture Association of America (MPAA) is trying to force TorrentSpy, a file-sharing site, to turn over data about visitors to their website. TorrentSpy replied that they don’t keep logs on their users – they are merely an intermediary, allowing data to pass through their website unscreened. They essentially said that they have no data to turn over. Unhappy with that answer, Judge Jacqueline Chooljian ordered TorrentSpy to begin logging user information and to turn that data over to the MPAA.

Unfortunately, the only way that the judge can make that order is to make some real leaps of logic. Companies are required to cooperate with fact-finding requests for documents. That’s what the whole “discovery” thing is about. Our judicial system is based on the assumption that if we can get all the facts on the table, we can quickly figure out who’s right, who’s wrong and how to make the victim whole. (Remember that this is a very different standard from the criminal “innocent until proven guilty” rule.) If you have a document that might be relevant to the case, you are required to produce it to the other side and to the court.

There are a few limits to that broad discovery, however. You can hold back documents (or parts of documents) that are attorney-client privileged or that contain confidential information like SSNs, medical details, etc., as long as those details are not relevant to the case. You also cannot be compelled to produce documents you don’t have. Courts are not supposed to be able to force you to create new records or documents just to respond to a discovery request.

TorrentSpy does not log user transactions during their normal operations. They do so to protect users’ privacy and because they have no operational need for the data in their normal course of business. MPAA argues that it also makes it easier for people who download pirated material to work in the shadows. They may be right. Regardless, TorrentSpy argued that requiring them to turn on logging is the same as requiring them to begin creating new documents just for this case. From a legal point of view, they’re right.

The judge got around this by arguing that the data already exists in the computer’s RAM. Therefore, she is not asking them to create new documents, merely to produce existing data in a more usable form. You can read the original order here. She does cite some other Ninth Circuit decisions involving RAM but, in my opinion, she is either misreading or misapplying the underlying facts.

RAM is not and can not be considered a “document” for the purposes of eDiscovery. RAM is the ephemeral memory that the computer uses to make calculations and to quickly access the data in other places. Think of RAM as the one that you carry in your head when adding a column of digits. (The data on your hard-drive may hold the result of your calculation in a spreadsheet but that’s a completely different kind of memory. The hard-drive data generally is reasonably accessible.) There is no possible way to record the billions of transactions per second that flash through the RAM of even a small computer. Attempting it would consume more permanent memory than exists in the world. And, by the way, writing all that content also requires transactional decisions and data that pass through RAM. The act of recording it spoliates it.

Okay. The judge is not really an idiot. She is seeking a justification to force cooperation from a company that’s not really playing fair. She wants them to turn on logging. Logging is cheap and easy – at least compared to most other electronic discovery activities. From a social policy point of view, I’m torn. TorrentSpy probably should be cooperating and not being stupid about the “costs of logging” and the applicability of Dutch privacy law. On the other hand, TorrentSpy is not being accused of any direct misdeeds. They are being pulled in as a third-party in MPAA’s attempt to sue their own customers. MPAA’s heavy-handed approach is not winning them any friends. Whichever side you agree with, though, the judge’s contortions about the technological facts of RAM to make her rationalization will get used as precedent outside this narrow circumstance. As the saying goes, “Bad facts make bad law.”

The judge’s decision is already being appealed and has been stayed pending that decision. Her decision has been upheld once but appeals continue. On both technological and legal grounds, I sincerely hope that her decision is overturned. Congress needs to address the problem of compelling cooperation from companies like TorrentSpy but they need to do it cleanly – a new law, not judicial twisting and rationalization.

Shredding is the ultimate defense, right? Once it’s shredded, it’s gone!

No longer. It was always vulnerable if your attacker had the shredded chaff and plenty of free time. Think of the shredded embassy documents from the Iranian Hostage crisis of 1979. Those students reconstructed the pages with nothing more than scotch tape and patience. More recently, methamphetamine users have been hired by identity theft ringleaders to do the same thing.

Bill Wilson recently found a number of services which make the “unshredding” problem much more manageable. In the Enron case, the government hired ChurchStreet Technology to scan the chaff, then used computer algorithms to piece the documents together. They claim to take the recovery time from hundreds of hours down to mere minutes. It’s expensive but not terribly complicated.

So how do you fully protect your waste paper in this new environment?

  1. If you’re still using a strip-cut shredder, get rid of it now. Upgrade to a cross-cut that chops the paper into very small bits of chaff.
  2. Feed your pages into the shredder vertically, that is, with the words perpendicular to the shredder blades.
  3. Don’t have unusual-colored paper. Or if you do, shred enough of it that it can’t be easily picked out. The rule in the army used to be no less than 20 sheets of any given paper type in each shred “lot”.
  4. Stir the chaff before disposal. A careful opponent could exploit the fact that pieces from the same document tend to come out of the shredder close to each other and remain so in the waste bag. A few quick stirs can randomize the chaff and make reconstruction much harder.
  5. Send the chaff to a paper recycler. Even the best reconstructors can’t bring a page back after it’s been turned into new paper pulp. Of course, you have to be sure that your waste isn’t intercepted before it hits the recycler but there are several bonded shredding companies that will do that for you.

How much is enough? It depends on who’s out to get you. For most home users and small businesses, step two is probably enough. If you really have something to hide, consider three and four and look into five when your shredding contract comes up for renewal. Find the right balance, remembering that identity theft is real but that most of us are not dealing with DoD nuclear secrets.

Bill Wilson writes a weekly newsletter for the Big I Virtual University, an arm of the Independent Agent’s Association. It’s filled with useful information and includes a technology column in almost every issue. If you have a small business, you should consider subscribing to his newsletter even if you’re not in insurance.

Google continues to roll out new applications to make sharing information easier. Kudos to them for some really creative programming. From a security point of view, though, you have to wonder what they are thinking.

Their Google Apps Team Edition allows employees to sign up for the Google Applications without any assistance or oversight from IT. Team Edition contains the core applications and collaboration services like the word processor, spreadsheet, Start page, Talk instant messaging and calendar, but does not include Gmail.

In any regulated or litigious industry, this is a recipe for disaster. You might save a few bucks on word processing and spreadsheet software but you’re going to pay far more the first time you have to comply with an electronic discovery request or get into a dispute based on the Terms & Conditions of the application. Not only are you putting your confidential data in someone else’s hands and trusting to the security of their data center with little or no evidence of their worthiness of that trust, you’re also still exposing all your data to the Google search indexing algorithms. (For more, see the Tip from April 2007.)

Luckily, you can block the worst aspects of the application/data sharing without having to block off all of the google.com domain. If your internet filter has a category for filesharing or for “Network Storage and Backup”, make sure that category is blocked. You should also strongly consider blocking any category about “Web chat” so you don’t have to worry about electronic discovery requests for instant messages that you didn’t properly control.
Read more about Google Apps’ latest attempt to bypass the business at ComputerWorld.com.


Update to Suing the scareware vendors (27 Oct 2008)
The Federal Trade Commission has gotten a restraining order against two companies who were marketing scareware software. It’s very good to see law enforcement successfully prosecuting these scammers. Remember, however, that there are lots more out there. Always be suspicious of pop-up ‘alerts’ and ads warning you about “illegal porn content” or “compromised software” on your computer. Read more at the FTC’s consumer alert page.

We talked last week about the problems of holding onto old documents. Microsoft just made the problem even more complicated.

In the Service Pack 3 (SP3) update for Office 2003, Microsoft is blocking a number of older file formats so they can no longer be opened by MS products like Word, Excel or PowerPoint. Microsoft is walking away from its commitment to backwards-compatibility because many of the older file formats had weaknesses that could be exploited by hackers to insert viruses and other malicious code into your computer. By disabling the older formats, Microsoft reduces the vulnerability of the Office applications to some of those kinds of attacks.

The problem is that if you are keeping old files in their native format as part of your records retention plan, you may no longer be able to open them. (Worse, if you get sued and have to turn over those documents, the courts don’t care about format compatibilities. You still have the document – it’s your responsibility to make sure that they can be opened and evaluated.)

Microsoft has two workarounds for this problem – neither very good.

The first involves modifying your registry settings so your computer can still open the older formats. That is a high-risk action and I do not recommend it. Not only does it defeat the security advantage of the change, any mistake when editing the registry settings can corrupt your entire computer. Even Microsoft warns against it saying “Serious problems might occur if you modify the registry incorrectly.” and “Modify the registry at your own risk.”

The second is to convert all your historical documents to the newer format. Microsoft has some automated tools to help but the conversion process is much more labor-intensive and error-prone than I think Microsoft wants to admit. I would seriously question the business case for converting any but your most critical of official records.

There is a third option which I consider far better. Take this opportunity to check those old documents against your retention policy and clean out the ones that you should have gotten rid of long ago. For the few that you must retain, make sure that you are keeping your business records in a stable format. Don’t save files in their native MS Word document format – convert them to pdf or even tiff. Those formats are simpler and have far fewer holes that a hacker could exploit. They’re also designed to remain readable across many generations of software.

Call your IT team for instructions on how to convert an old file to an updated format.


Addendum:
Bill Wilson at IIABA’s Virtual University published the tip above in his newsletter and received the following question.
“What are the file extensions that Microsoft has abandoned? I think it would be very helpful to know as we would then be able to do searches for those file types stored on our system. Thank you.”

As Bill pointed out to the caller, the file extensions alone will not tell you which file formats have been disabled since Microsoft continues to use the same file extensions for the newer versions of its software. (A Word document carries the .doc extension whether it’s Word 1.2, Word 2003 or any version in between.) Microsoft has a little bit more information about the changes here but no new answers.

You can read another article about the problem at wired.com.
Thanks to Bill for finding those extra links.
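
Because the extension says nothing about the format, an inventory of retained files has to look at their contents. The sketch below is an added example, not from Bill's newsletter or from Microsoft: it sorts files with Office extensions by their leading signature bytes so that anything not in a recognized container can be opened and checked by hand. The function names and the sample files are constructed for illustration, and the script does not try to decide which formats SP3 blocks.

```python
import os
import tempfile

# Leading bytes of common containers. OLE2 is the compound-file format used by
# the Word/Excel/PowerPoint binary formats through Office 2003; the signature
# alone does not reveal which application version wrote the file.
SIGNATURES = [
    (bytes.fromhex("D0CF11E0A1B11AE1"), "ole2"),
    (b"PK\x03\x04", "zip-container"),
    (b"{\\rtf", "rtf"),
    (b"%PDF-", "pdf"),
]
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}

def classify_header(header: bytes) -> str:
    """Name the container a file starts with, or 'unrecognized'."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unrecognized"

def inventory(root: str):
    """Return (path, extension, kind) for every Office-named file under root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext not in OFFICE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results.append((path, ext, classify_header(fh.read(8))))
    return results

def demo():
    """Run the inventory over constructed sample files (not real documents)."""
    samples = {
        "memo_2003.doc": bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8,
        "letter.doc": b"{\\rtf1\\ansi constructed}",
        "memo_old.doc": b"CONSTRUCTED-NOT-A-REAL-LEGACY-HEADER",
        "notes.txt": b"ignored: not an Office extension",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): kind for p, _e, kind in inventory(root)}

if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
```

Files reported as "unrecognized" are the ones to test-open first when planning a conversion or a retention clean-out.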

Holding onto old documents is hard and far more expensive than most people realize.

In the paper world, the paper just keeps piling up. The paper must be protected from theft and damage (fire and water) and if it’s ever going to be useful again you need some sort of filing and record-keeping system. A proper records retention facility is expensive to run.

With electronic documents and cheap memory, many people started to think that we could now hold onto everything. A two-gigabyte thumbdrive can hold up to the equivalent of 400,000 pages of documents. That’s 80 boxes of copy paper. And, being electronic, I can type in a few keywords and let the computer find the document I want. No more filing! Right?

Not by a long shot. Memory may be cheap but usable storage isn’t.

Electronic storage costs explode as file formats change over time. For example, a first notice of a claim involving a minor child has to be kept for up to 24 years (the child’s age of majority plus four). What word processor were you using 24 years ago? What printer was the program compatible with? What operating system did it run on? What drivers did it need to operate? What hardware did it use? When was the last time you even saw a 5¼” floppy drive, much less an old 8″ floppy? How much can you afford to pay IT to keep a working version of every system and application in the company’s history?

And that’s assuming you can find the file in the first place. We are used to thinking of searching as being as easy as Google. In fact, searching for documents is very hard when documents are scattered across ad-hoc structures like personal hard-drives and departmental folders. Solutions that try to solve the ad-hoc storage (like Google Desktop) create new problems, especially around the security of the index.

Keeping old records also exposes you to legal costs down the road. Under the new electronic discovery rules, a company must search through all its old documents just to see if they hold anything that might possibly be relevant to the lawsuit. One class action lawsuit can run into millions of dollars just in search and review costs – and that’s even if you don’t find anything. If you do have a relevant document, now you have to convert it, produce it and defend it from anyone who tries to take your words out of context. That’s expensive.

  • If your Records Retention Policy doesn’t explicitly require you to keep the record, don’t keep it. Throw it away and then you don’t have to worry about storage or formats. The cost of recreating those few useful things that we lose will be far less than the cost of hanging on to all the rest of the trash.
  • If you do have to keep a document, think long and hard about what format to save it in. Convert the file to a more stable format such as pdf or even tiff. Those formats are designed to remain readable across many generations of software. Call your IT team for instructions on how to save a file to an alternate format.