Tag Archives: Privacy

When does ‘Delete’ Really Mean Delete?

William Kellermann
July 27, 2016

In the words of the late, great Browning Marean[i]: “The ‘Delete’ key is the greatest lie on the keyboard.” Unfortunately, this maxim was lost on a UK drug trafficker convicted, in part, on emails he thought were deleted from his Yahoo! email account. In a motion for discovery filed in the federal district court for the Northern District of California, defense lawyers contend Yahoo! produced six months of deleted email, recovered even though Yahoo!’s own policies indicated otherwise. Russell Knaggs v. Yahoo! Inc., U.S.D.C. ND-Cal., Case #15-MC-80281-MEJ

In the motion, the criminal defendant speculates the email was collected in violation of UK privacy laws, either through real-time interception or some nefarious NSA surveillance program, such as those exposed by Edward Snowden.  As such, the evidence was unlawfully collected and should be suppressed.

Unfortunately for the drug dealer, the source of the mail is likely much more mundane.  Unfortunately for Yahoo!, its explanation was tortured enough that the court ordered limited discovery, and a person-most-knowledgeable deposition.  The focus of the ordered discovery is a determination of the method Yahoo! used to gather the email data to provide to the government.

For anyone who has performed an in-depth analysis of enterprise email systems, to borrow from the words of Dean Wormer in “Animal House,” there is “deleted, double deleted and double-secret deletion.”  To remind the uninitiated, and using Microsoft Exchange and Outlook as a model, the typical deletion process for email goes something like this:

  1. Delete the message in the email reader software (in the Microsoft world, that would be Outlook). This step simply moves the message from the “Inbox,” or other folder in which it is held, to the “Deleted Items” folder.
  2. Delete the message from the “Deleted Items” folder.

Voilà! The message is gone! Or is it? For most people that would be true. However, technologists, IT staff, email administrators, and electronic discovery practitioners know there is more. Again, in the Microsoft Exchange environment, a copy of the message is retained in the email server “Deleted Items” cache (a/k/a the “Dumpster”) for a period of time. This allows an administrator to recover mail inadvertently “double-deleted” by a user. Many other email systems maintain a similar server-side cache of deleted messages for the same reason. Until the parameters of the cache system are met, the message is recoverable by an administrator.

In the case of Microsoft Exchange, retention is date-driven. Other systems, however, may be size-driven; that is, content is not deleted from the server cache file until and unless the cache reaches a certain size. At that time, older messages are overwritten to make room for newer messages in an updated version of the cache. Until that time, the messages persist.

Further, most software used to recover, extract, and export messages captures, or provides options to capture, every message related to the user account, whether active, deleted, double deleted, archived or retained in the Dumpster.
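As an added illustration of the two-step deletion and Dumpster retention described above (example code written for this page, not from the original post, Yahoo! or Microsoft), here is a small Python model that contrasts a date-driven cache with a size-driven one and shows why an export tool sees more than the account holder does. The `Mailbox` class, the `day()` calendar helper, and all message sizes and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

INBOX, DELETED_ITEMS, DUMPSTER = "Inbox", "Deleted Items", "Dumpster"


def day(n: int) -> date:
    """Constructed calendar: day 0 is 2016-01-01."""
    return date(2016, 1, 1) + timedelta(days=n)


@dataclass
class Message:
    msg_id: str
    size: int                              # bytes (constructed values)
    folder: str = INBOX
    dumpster_since: Optional[date] = None  # set by the second ("double") delete


@dataclass
class Mailbox:
    """Hypothetical server model: two user-side deletes, then a Dumpster cache."""
    retention_days: Optional[int] = None      # date-driven purge (Exchange-style)
    dumpster_max_bytes: Optional[int] = None  # size-driven purge (overwrite oldest)
    messages: dict = field(default_factory=dict)

    def receive(self, msg_id: str, size: int) -> None:
        self.messages[msg_id] = Message(msg_id, size)

    def delete(self, msg_id: str) -> None:
        """Step 1: the client's Delete key only moves the item to Deleted Items."""
        self.messages[msg_id].folder = DELETED_ITEMS

    def double_delete(self, msg_id: str, today: date) -> None:
        """Step 2: emptying Deleted Items hides the item from the user, but the
        server keeps it in the Dumpster until the cache parameters are met."""
        m = self.messages[msg_id]
        m.folder, m.dumpster_since = DUMPSTER, today
        self.purge(today)

    def purge(self, today: date) -> list:
        """Apply the cache policy; returns the ids truly removed from the server."""
        cached = sorted((m for m in self.messages.values() if m.folder == DUMPSTER),
                        key=lambda m: m.dumpster_since)
        removed = []
        if self.retention_days is not None:
            cutoff = today - timedelta(days=self.retention_days)
            removed += [m.msg_id for m in cached if m.dumpster_since < cutoff]
        if self.dumpster_max_bytes is not None:
            keep = [m for m in cached if m.msg_id not in removed]
            total = sum(m.size for m in keep)
            for m in keep:                   # overwrite oldest first until it fits
                if total <= self.dumpster_max_bytes:
                    break
                removed.append(m.msg_id)
                total -= m.size
        for msg_id in removed:
            del self.messages[msg_id]
        return removed

    def user_view(self) -> list:
        """What the account holder sees: the Dumpster is invisible."""
        return sorted(i for i, m in self.messages.items() if m.folder != DUMPSTER)

    def export_all(self) -> list:
        """What a collection/export tool pulls: every item, Dumpster included."""
        return sorted(self.messages)
```

With a 14-day retention window, a message double-deleted on day 0 is absent from `user_view()` immediately but still returned by `export_all()` until `purge()` runs on day 15 or later; with a size cap instead, the oldest cached item is overwritten only once newer deletions push the cache over the cap.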

Of course, further complicating matters, our drug dealer was using the Yahoo! mailbox as a form of message drop, where communications were made using drafts of messages that were never sent. One dealer would log in to the account and create a draft of a message. The intended recipient would then log in to the same account, read the draft and respond, either by overwriting the prior draft or by deleting the draft and creating a new one. However, as with any good messaging system seeking to save users from themselves, drafts are “auto-saved” periodically.

Yahoo!’s prior responses and the court’s order get bogged down in a discussion of when and how auto-save works which, while important, ignores the heart of the matter. Yahoo! never clearly explains how auto-saved drafts might be retained in either “Draft” or “Archive” folders until deleted, double deleted and purged from the server cache or “Dumpster.”

While the outcome of the purported fishing expedition into Yahoo!’s email practices may never be published due to protective orders, it is more likely than not the source of the offending messages will be the digital analog of a time honored, traditional law enforcement investigative method:  Dumpster diving.

[i] Browning Marean, an attorney with DLA Piper, was known to many in the electronic discovery world as the “Godfather of eDiscovery.”  A prolific speaker, writer and general litigation raconteur, he described the litigation electronic discovery process in ways no one else could, then or since.

U.S.-EU Privacy Shield receives final approval, scheduled to go live on August 1.

Everett Monroe
July 15, 2016

The European Commission has approved the EU-U.S. Privacy Shield to replace the Safe Harbor program invalidated by the European Court of Justice last year in Schrems v. Data Protection Commissioner. The Privacy Shield governs the transfer of personal information from the European Union to businesses in the United States. Indeed, it is apparent from the formal approval documents that the European Commission and the U.S. Department of Commerce made great efforts to address the procedural and substantive deficiencies identified in Schrems as well as criticisms raised by the EU’s data protection commissioners.

Key new requirements of the Privacy Shield for businesses include:

  • disclosing more information in their privacy policies,
  • introducing additional recourse mechanisms for data subjects for Privacy Shield violations, and
  • limiting data retention based on the original purposes for data collection.

These new requirements may prove challenging for many businesses. The Safe Harbor framework required assurances that the transferee provided a level of protection equivalent to the Safe Harbor. The Privacy Shield, by contrast, requires data holders to obtain privacy-protective contracts from their business partners, even if the contractor participates in the Privacy Shield or uses other compliance mechanisms. Companies that commit to the Privacy Shield in the first two months of implementation will be given a nine-month grace period to bring existing data sharing arrangements with their vendors and partners into compliance.

The Privacy Shield increases EU regulatory oversight, including the imposition of an annual joint review of the program and a formal exit procedure in the event the Commission finds the program deficient. The joint review will involve reporting—albeit limited—on U.S. intelligence activities intended to address the European Court of Justice’s concerns that the Safe Harbor decision did not include an analysis of the civil liberties protections from surveillance authorities. The results of the first review will be critical to the viability of the Privacy Shield and the confidence of businesses to avail themselves of it, as both the Article 29 Working Party and the European Data Protection Supervisor will scrutinize the application and enforcement of the Privacy Shield closely.

The Privacy Shield keeps the benefits of the Safe Harbor’s light administrative procedures and self-certification framework, which provide an easier way to receive EU data subject information than other mechanisms like model contract clauses or binding corporate rules. But businesses seeking to avail themselves of this option should be aware of the more stringent requirements, as well as the increased pressure on Federal agencies to show EU authorities that the framework will substantively protect the privacy of EU data subjects, especially in the first year.

Proposed Privacy Shield framework criticized by European Parliament, civil liberties groups

Everett Monroe
April 7, 2016

On February 29, the European Commission published its complete draft of the EU-U.S. Privacy Shield framework. The framework, if approved, will replace the invalidated Safe Harbor, which was the governing mechanism for the transfer of European personal data to the U.S. for commercial purposes. The framework has been criticized by members of the European Parliament and civil liberties groups in the United States.

The Privacy Shield keeps the basic self-certification mechanism of Safe Harbor, but contains new substantive requirements for U.S. businesses. Privacy Shield participants would need to meet a number of new requirements, as well as more exacting versions of old requirements.

  • Privacy notices must include more information about Privacy Shield requirements than previously needed under Safe Harbor. Businesses will need to make clear their participation, identify redress mechanisms available to European data subjects, and explain under what circumstances they will disclose personal data to government agencies for law enforcement or national security purposes.
  • Participating businesses will fund a last-resort arbitration system, in addition to providing other dispute resolution mechanisms to EU data subjects free of charge.
  • Third-party data controllers will have to agree by contract to maintain Privacy Shield protections before a participating business can disclose personal information to them. This will be the case even if the third party independently meets EU data transfer requirements.
  • Participating businesses must continue to protect data collected under Privacy Shield, even if they later choose not to re-certify or are disqualified from participating.

Federal agencies have also committed to stronger oversight of the Privacy Shield framework. The Department of Commerce has agreed to step up monitoring and to designate an official contact for European Data Protection Authorities to receive and respond to inquiries, inform them of potential violators, and facilitate resolution of complaints. The Federal Trade Commission has also pledged to step up enforcement, and both agencies will participate in a joint annual review of the framework with the European Commission and Data Protection Authorities.

To satisfy the European Court of Justice’s requirements from the Schrems decision, the Privacy Shield framework includes letters from Office of the Director of National Intelligence and the Department of Justice detailing U.S. regulation of national security surveillance and law enforcement access to data. The framework also establishes a State Department Ombudsman responsible for addressing grievances of EU data subjects over specific alleged surveillance abuses.

Privacy groups and European lawmakers in the European Parliament’s civil liberties committee viewed the framework’s safeguards against improper surveillance with skepticism. Committee members questioned whether commitments made about surveillance by the Office of the Director of National Intelligence and the Department of Justice were sufficiently binding and enforceable. In addition, a number of civil liberties groups sent a letter expressing their view that legislation from Congress is the only way to guarantee that European personal data would be protected from indiscriminate surveillance.

The European Commission hopes to finalize the Privacy Shield this summer. Before that can happen, the Article 29 Working Party has to give its opinion on the framework, and representatives from EU Member State governments must assent to it. The view of the Working Party is important, despite its inability to officially reject the framework, because the individual Data Protection Authorities that make up the Working Party can challenge the framework in future court actions. While a negative opinion of the framework is not fatal to finalization, it could signal future challenges to the framework in European courts.

Department of Commerce and European Commission Agree on New EU-US Privacy Shield Framework

Samir Abdelnour
February 10, 2016

Last week, the European Commission announced that it had reached agreement with the United States Department of Commerce on a new framework for the transfer of personal data of EU data subjects from EU member states to the U.S. The new data framework, called the EU-US Privacy Shield, attempts to address concerns cited by the European Court of Justice that caused it to invalidate the EU-US Safe Harbor last October.

The Privacy Shield will require participating businesses to make and publish their privacy commitments, though it is unclear exactly what substantive commitments will be required. As under the Safe Harbor framework, the Department of Commerce and the Federal Trade Commission will enforce those commitments. The new framework will also formalize dispute resolution mechanisms. Businesses will be encouraged to resolve disputes in house, but the Privacy Shield would establish a free (to the data subject) external dispute resolution mechanism. The framework also allows National Data Protection Authorities to refer complaints they receive to the Federal Trade Commission.


President Obama Presents Cybersecurity Action Plan

Everett Monroe
February 9, 2016

Today President Obama unveiled his new Cybersecurity National Action Plan as part of his 2017 budget proposal to Congress. The Plan has a broad scope designed to address many of the cybersecurity issues that gained high visibility in 2015. In particular, the Plan focuses on issues with Federal cybersecurity infrastructure: modernizing antiquated software and systems vulnerable to cyber attacks, developing uniform cybersecurity practices, and developing best practices for Federal agencies to follow in managing both data security and data privacy.

A strong piece of the Plan involves the Commission on Enhancing National Cybersecurity, which the President established today by executive order. The President will appoint up to twelve people to the Commission, with recommendations from Congressional leadership. The Commission will issue a report before the end of the year making recommendations in a number of cybersecurity areas, including IT procurement and modernization practices, best practices for network security, and cybersecurity risk management for Federal agencies, as well as for businesses and consumers. The Plan also explains how Commission recommendations will be implemented.


Congress Includes Measures to Ease Privacy Notice Requirements and Cyberthreat Sharing into Appropriations Bills

Everett Monroe
December 18, 2015

Congress has been busy passing last minute appropriations bills before the year ends to fund the government through the end of the fiscal year and to plan long term infrastructure spending. Congress has added some provisions to those bills that affect federal privacy and cybersecurity laws.


California Updates Its Data Privacy And Security Laws For 2016

Everett Monroe
October 20, 2015

The end of the first year of California’s legislative session brings several bills that modify California’s data privacy and security regime. A number of these bills expand California’s protections for personal information and will affect how California businesses and government agencies protect, use, and disclose the data they collect. The bills will go into effect January 1, 2016.

Three new laws modify California’s data breach notification statute:

AB 964 defines “encrypted” information as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The new law provides a definition of encryption similar to that used by HIPAA. Notification to consumers is not required if only encrypted data is breached.

SB 570 mandates that data breach notices sent to California residents carry specific titles that appear clearly and conspicuously in the notice, and that the body of the notice be in no less than 10-point font. It also provides an optional model form.

SB 34 includes Automatic License Plate Reader (“ALPR”) data in the personal information definition of the data breach statute, which means that ALPR operators would have to provide notice to California residents if they experience a data breach. This law also requires ALPR system operators to publish a privacy policy.


European Court Of Justice Rules US-EU Safe Harbor Invalid

Everett Monroe
October 9, 2015

This week the European Court of Justice issued a judgment in the case of Maximillian Schrems v. Data Protection Commissioner finding that the US-EU Safe Harbor is invalid for failing to provide adequate limitations on data processing for national security purposes.

The US Department of Commerce and the European Commission negotiated the Safe Harbor framework to provide adequate privacy protections for the personal information of European data subjects transferred to businesses in the United States. US companies participating in the Safe Harbor self-certified to the Department of Commerce that they would abide by seven privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.

The decision from the European Court of Justice removes this protection for US businesses seeking to transfer data from European entities and individuals. The judgment also increases the obligations on national data protection authorities to more closely monitor the adequacy of data transfer mechanisms and to depend less on the European Commission’s authority. Businesses in the US participated in the Safe Harbor to get approval to transfer data out of Europe without seeking approval from each individual EU country. It removed the need to get 28 different approvals for Europe wide business transactions, and protected cloud service providers from being forced to maintain separate European servers. It eased the way for cooperation between US and EU businesses, and lowered barriers for data transfers between US companies and their European subsidiaries.

Responses from US regulatory authorities have been guarded. The Chairman of the Federal Trade Commission, the primary enforcement body for the Safe Harbor in the United States, issued a short statement that “we will continue to work together with our European colleagues to develop effective solutions that protect consumer privacy with respect to cross-border data transfers.” The Department of Commerce expressed deep disappointment in the decision and called for an expedited release of the Updated Safe Harbor Framework, noting that it is prepared to work with the Commission to address uncertainty created by the Court’s decision. Meanwhile, the Article 29 working group, a body made up of the national data protection authorities and representatives from EU governing institutions, announced a meeting this week to consider what guidance to provide European and United States organizations in the wake of the decision.


With data privacy, you better do what you say you are doing

Everett Monroe
September 28, 2015

Data privacy commitments are often enforced by administrative agencies under state and federal unfair competition laws. Enforcement actions against companies that fail to meet their commitments to consumers are a common occurrence.

Comcast’s recent $33,000,000 settlement with the California Attorney General is a good example of how state agencies will take administrative action against companies who tell customers one thing and then do something else. Between 2010 and 2012, Comcast mistakenly published the directory information of VoIP customers that had paid Comcast not to list them. The first cause of action in the complaint against Comcast was for a violation of California’s unfair competition law: Comcast broke its promise to its customers that it would not publish directory listing information.

The Federal Trade Commission often uses its enforcement authority over unfair and deceptive business practices to pursue companies that do not fulfill their privacy commitments. A recent example of this is the Commission’s complaint against Nomi Technologies. Nomi Technologies tracked mobile devices in participating retail locations, which could generate data on the duration and frequency of customers entering the location and their shopping habits. The FTC’s complaint alleged that Nomi failed to meet two commitments: (1) that customers would be informed as to which retail locations used Nomi’s service, and (2) that customers would be able to opt out of the tracking at the participating retail locations. The FTC obtained a 20-year monitoring agreement over Nomi.

A recent FTC update shows a group of thirteen companies caught claiming that they were certified under the US-EU Safe Harbor in their privacy policies when, in fact, their certifications had lapsed or they were not certified at all. Another group of six companies faced similar charges in 2009.

Intentional wrongdoing is not the centerpiece of these charges. The Comcast complaint alleges that the disclosures were the result of a technical mistake, and the Nomi Complaint does not claim that the company was intentionally deceiving consumers. Regardless, these agencies have made it clear that companies will be held responsible for failing to keep commitments they make to the public.

US/EU “Safe Harbor” Agreement Ruled Invalid By EU Judge

William Kellermann
September 23, 2015

In an influential opinion published September 23, 2015, European Court of Justice (ECJ) Advocate General Yves Bot recommended the ECJ find the US/EU “Safe Harbor” Agreement invalid. The 40-page ruling provides a preliminary victory for Austrian law student and privacy advocate Maximillian Schrems, but stands to cast the data transfer practices of many companies into turmoil.

The case stems from Schrems’ crusade against the data privacy and data transfer practices of Facebook in light of Edward Snowden’s revelations about the US National Security Agency’s Prism data surveillance program. Schrems sued Facebook in Ireland, where it locates its servers for services to its EU user base. The High Court of Ireland referred the matter to the ECJ for a preliminary ruling.

While Bot’s ruling is preliminary, subject to confirmation by the ECJ, and would only be directly binding as to Facebook, the recommendations found in Bot’s opinion upend many commercial practices regarding data transfer from the EU to US-based servers. While the NSA’s Prism program targeted the data transfers of nine internet companies, such as Microsoft, Google, Apple, Facebook, etc., the unraveling of the Safe Harbor agreement could have far-reaching effects on any company with EU operations sending data about EU citizens, including employees, to the US.

The case is Maximillian Schrems v Data Protection Commissioner, Case # C‑362/14, pending in Luxembourg.