Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Delete This!
Mark Rasch, 2007-08-07

A series of legal events means that companies that have no business reason to retain documents or records may be compelled to create and retain such records just so they can become available for discovery.

Companies routinely create, maintain and store electronic records. Some records are consciously created – like memoranda, letters, spreadsheets, and even e-mails and chat or instant message communications. Other records are created inadvertently, like meta data, log records, IP history records and the like. Some information is useful to the company, and it wants to retain it, and other information is of little use, merely takes up space, creates potential liability, and represents an unwarranted threat for attack or violation of privacy. The problem for most companies in developing or maintaining a document retention/destruction policy is identifying the documents and records it wants to keep and effectively purging the ones it doesn’t want. Some recent legal events have made the problem of document retention and destruction even more complicated.

A recent case involving file sharing site TorrentSpy illustrates the point. Torrentspy’s privacy policy is clear and concise. It states:

TorrentSpy.com is committed to protecting your privacy. TorrentSpy.com does not sell, trade or rent your personal information to other companies. TorrentSpy.com will not collect any personal information about you except when you specifically and knowingly provide such information.

Pretty straightforward, and not too dissimilar from thousands of other website privacy policies. Such privacy policies are considered to be legally binding contracts, and the United States Federal Trade Commission, and Privacy Commissioners in Europe, Asia and other places routinely hold companies to their promises – under threat of civil and criminal prosecution or fines.

The first problem with this privacy policy – like most privacy policies – is that its not true. Whenever you visit a website, you “involuntarily” provide “personal” information to the site operator – things like the type of browser you are using, your IP address, the physical location of that IP address, your configuration settings, and what website you may have been referred from or to, among other things. If you are engaging in malicious, unlawful, or otherwise “actionable” conduct, the website operator may certainly attempt to use this information to identify you and discern what you are doing – the essence of “personal information.” Indeed, much of what we do as forensic investigators is to use this kind of information to find people. While net-savvy individuals know that this information is being collected and utilized, the vast majority of individuals would not say that they “specifically and knowingly” provided that information to the website. This information frequently has economic value to the website operator as well. Knowing what site referred the user may result in payments from or to the referring site under “pay per click” agreements. Aggregated personal information is useful for advertisers, and valuable to those who collect it. So its not accurate to say that your website ONLY collects information that you voluntarily give them. A better approach to a privacy policy would include language similar to that used by, for example, Google, which specifically states:

Log information - When you use Google services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser

Some of this information is collected automatically as a consequence of delivering web content to the requestor. You would think that, in pursuance of its privacy policies, a company could choose not to collect or more accurately not to store or retain such information – after all, that’s what they promised their customers, no?

There has long been an adage in the law that essentially states that “if it exists, it is discoverable.” Now, as a result of a lawsuit involving TorrentSpy, the United States District Court for the Central District of California has essentially extended this logic to state that, “if it doesn’t exist, we will require that it be created and stored so that it can become discoverable.” The case, Columbia Pictures v. Bunnell arose when the movie studios wanted to find out the identity of people using TorrentSpy to download copyrighted works – personal information about TorrentSpy’s users. TorrentSpy promised its users that it wouldn’t collect such information, and had no legal obligation to do so. As the court noted,

In general, when a user clicks on a link to a page or a file on a website, the website's web server program receives from the user a request for the page or the file. The request includes the IP address of the user's computer, and the name of the requested page or file, among other things. Such information is copied into and stored in RAM.). RAM is a form of temporary storage that every computer uses to process data. Every user request for a page or file is stored by the web server program in RAM in this fashion. The web server interprets and processes that data, while it is stored in RAM, in order to respond to user requests. The web server then satisfies the request by sending the requested file to the user. If the website's logging function is enabled, the web server copies the request into a log file, as well as the fact that the requested file was delivered. If the logging function is not enabled, the request is not retained.

In keeping with its stated contractual privacy policy, TorrentSpy did not enable the logging function, did not capture the information in RAM (or more accurately did not store it) and therefore alleged that it could not produce it in litigation. After TorrentSpy was sued, the question arose about whether or not the information NOT regularly collected by TorrentSpy – the information in RAM – constituted “Electronically Stored Information” subject to both discovery and what is called a “litigation hold.” Under a litigation hold, once you become aware that information you may posess is relevant to ongoing or threatened litigation, you must suspend your document destruction policy and stop deleting that relevant information. Electronically Stored Information is defined under the Federal Rules of Civil Procedure as “information that is fixed in a tangible form and to information that is stored in a medium from which it can be retrieved and examined.” The court rejected TorrentSpy’s claims that the information in RAM was never “stored” since logging was never enabled, and that requiring TorrentSpy to enable logging amounted to requiring it to “create” records that didn’t exist. Certainly the information in RAM was – for a brief time – “stored” at least transitorily, just as streaming media (like a VOIP call, or videoconference) is “stored” on your computer for the brief interval it is being displayed. Thus, the information is (1) electronic; (2) “stored”; and (3) relevant. The consequence of this is that not only is the information subject to discovery under the TorrentSpy precedent, but the entity must then suspend its document deletion policy, which in the case of TorrentSpy was to delete information in RAM that it never stored.

Story continued on Page 2 



Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Comments Mode:
Delete This! 2007-08-08
Anonymous
Delete This! 2007-08-08
WRM
Delete This! 2007-08-09
Anonymous
Delete This! 2007-08-09
Anonymous
Delete This! 2007-08-12
Firewallbill
Individual data retention 2007-08-13
Anonymous
Delete This! 2007-08-17
Galvo
Delete This! 2007-08-24
qneill
Tor for privacy, Tor for freedom 2007-09-01
Krishna E. Bera


 

Privacy Statement
Copyright 2010, SecurityFocus