Internet, Information Technology & e-Discovery Blog


Social changes brought about by the Internet & Technology

“BYOD Bill of Rights” May Help Concerns about Privacy

Posted in eCommerce, Internet Privacy


A recent survey about BYOD (“Bring Your Own Device”) found that “78% of employees use their own mobile devices for work” and that “the use of personal technology to access corporate data can be solved by better communication between both parties regarding security, data and privacy concerns.” On July 10, 2014 Webroot issued its BYOD Security Report entitled “Fixing the Disconnect Between Employer and Employee for BYOD (Bring Your Own Device)” which included these key findings:

  • Although 98% of employers have a security policy in place for mobile access to corporate data, 21% allow employee access with no security at all.
  • Over 60% of IT managers surveyed reported the use of personal devices by their employees and 58% indicated they were ‘very’ or ‘extremely’ concerned about the security risk from this practice.
  • Most employee devices are lacking real security with only 19% installing a full security app and 64% of employees limited to using only the security features that came with their devices.
  • Over 60% of employers indicated they seek employee input on mobile device security policies, but over 60% also said employee preference has little or no influence on mobile security decisions.
  • Top concerns from employees regarding a company-mandated security app include employer access to personal data, personal data being wiped by an employer, and employers tracking the location of the device. Other concerns included impact on device performance and battery consumption.
  • 46% of employees using personal devices said they would stop using their devices for business purposes if their employer mandated installation of a specific security app.

Webroot proposed this BYOD Bill of Rights, under which employees have the right to:

1. Privacy over their personal information

2. Be included in decisions that impact their personal device and data

3. Choose whether or not to use their personal device for work

4. Stop using their personal device for work at any time

5. Back up their personal data in the case of a remote wipe

6. Operate a device that is unencumbered by security that significantly degrades speed and battery life

7. Be informed about any device infections, remediation, or other activity that might affect their device’s performance or privacy

8. Download safe apps on their personal device

BYOD privacy issues continue to make headline news, and that is likely to persist given the increasing use of BYOD by employees.

“How to Stop Malware” – Strategies and Tools of Cyber Criminals

Posted in eCommerce

Dell’s “Anatomy of a cyber-attack” focuses on malware because malware “comes in various forms, some more nefarious than others, ranging from annoying sales pitches to potentially business-devastating assaults.” This “how to” report from Dell makes the point that you “need to understand the enemy before you can defeat them” and includes these attack steps:

Attack step 1: Reconnaissance and enumeration – Cyber-criminals will do anything to find and exploit your weaknesses.

Attack step 2: Intrusion and advanced attacks – A stealthy intruder can access every facet of your network systems.

Attack step 3: Malware insertion – Hidden malware gives your attacker the keys to your network.

Malware type 1: Nuisance malware – Nuisance adware can render a system inoperable if not removed properly.

Malware type 2: Controlling malware – Hidden malware gives your attacker the keys to your network.

Malware type 3: Destructive malware – Viruses and worms can devastate your network—and your business.

Attack step 4: Clean-up – A skilled criminal can compromise your network without you ever knowing.

Cybercrime is daily front-page news, and although there is no single solution, Dell’s point is that it has a technology to help, Dell™ SonicWALL™, which “offers a comprehensive line of defenses against all forms of cyber attack and malware.”

BYOD Ruling Requires Employers to Reimburse for Work-Related Calls

Posted in eCommerce

How will BYOD devices other than cell phones be affected by a California court ruling that “when employees must use their personal cell phones for work-related calls, Labor Code section 2802 requires the employer to reimburse them”? On August 12, 2014, in the case of Colin Cochran vs. Schwan’s Home Service, Inc., the California Court of Appeals reversed a ruling of the Los Angeles County Superior Court.

The Order explained that the purpose of the California statute was “‘to prevent employers from passing their operating expenses on to their employees.’” Specifically:

Pursuant to section 2802, subdivision (a), “[a]n employer shall indemnify his or her employee for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties, or of his or her obedience to the directions of the employer[.]”

The threshold question in the case was:

Does an employer always have to reimburse an employee for the reasonable expense of the mandatory use of a personal cell phone, or is the reimbursement obligation limited to the situation in which the employee incurred an extra expense that he or she would not have otherwise incurred absent the job?

The Court’s answer was “that reimbursement is always required. Otherwise, the employer would receive a windfall because it would be passing its operating expenses onto the employee.” The Court ruled:

Thus, to be in compliance with section 2802, the employer must pay some reasonable percentage of the employee’s cell phone bill. Because of the differences in cell phone plans and work-related scenarios, the calculation of reimbursement must be left to the trial court and parties in each particular case.

Time will tell how BYOD tablets, laptops, and home computers are affected by courts that follow the ruling in this case.

8 Issues of Cyber Insecurity which Lead to Cybercrime

Posted in eCommerce, IT Industry

A recent report concluded that the “cybersecurity programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. Today, common criminals, organized crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect. Particularly worrisome are attacks by tremendously skilled threat actors that attempt to steal highly sensitive—and often very valuable—intellectual property, private communications, and other strategic assets and information.” The June 2014 report, based on a survey of 500 executives from US businesses, law enforcement services, and government agencies, was entitled “US cybercrime: Rising risks, reduced readiness Key findings from the 2014 US State of Cybercrime Survey.” The US cybercrime report was issued by PriceWaterhouseCoopers and co-sponsored by The CERT® Division of the Software Engineering Institute at Carnegie Mellon University, CSO magazine, and the United States Secret Service.

The “8 cybersecurity issues that should concern you” in the report were as follows:

1. Spending with a misaligned strategy isn’t smart. Strategy should be linked to business objectives, with allocation of resources tied to risks.

  • 38% prioritize security investments based on risk and impact to business
  • 17% classify the business value of data

2. Business partners fly under the security radar. Recent contractor data leaks and payment card heists have proved that adversaries can and will infiltrate systems via third parties, but most organizations do not address third-party security.

  • 44% have a process for evaluating third parties before launch of business operations
  • 31% include security provisions in contracts with external vendors and suppliers

3. A missing link in the supply chain. Flow of data to supply chain partners continues to surge, yet they are not required to comply with privacy and security policies.

  • 27% conduct incident-response planning with supply chain partners
  • 8% have supply chain risk-management capability

4. Slow moves in mobile security. Mobile technologies and risks are proliferating but security efforts are not keeping up.

  • 31% have a mobile security strategy
  • 38% encrypt devices
  • 36% employ mobile device management

5. Failing to assess for threats is risky business. Organizations typically include cyber risks in enterprise risk-management programs but do not regularly assess threats.

  • 47% perform periodic risk assessments
  • 24% have an objective third party assess their security program

6. It takes a team to beat a crook. External collaboration is critical to understanding today’s threats and improving cybersecurity, but most don’t work with others.

  • 25% participate in Information Sharing and Analysis Centers (ISACs)
  • 15% work with public law enforcement agencies

7. Got suspicious employee behavior? Cybersecurity incidents carried out by employees have serious impact, yet are not addressed with the same rigor as external threats like hackers.

  • 49% have a formal plan for responding to insider events
  • 75% handle insider incidents internally without involving legal action or law enforcement

8. Untrained employees drain revenue. Employee vulnerabilities are well known, but businesses do not train workers in good cybersecurity hygiene.

  • 20% train on-site first responders to handle potential evidence
  • 76% less is spent on security events when employees are trained, yet 54% do not provide security training for new hires

Notwithstanding reports of this sort, cybercrime continues to dominate the news, and likely will continue indefinitely.

Court Grants Search Warrant to Entire Apple eMail Account for [REDACTED]

Posted in eCommerce, Internet Privacy

A Judge ruled that it was unreasonable to ask Apple “to execute a search warrant,” which “could pose problems, as non-government employees, untrained in the details of criminal investigation, likely lack the requisite skills and expertise to determine whether a document is relevant to the investigation,” according to a report in Computerworld. On August 7, 2014 Chief Judge Richard W. Roberts (US District Court, District of Columbia), in the case of In the Matter of the Search of Information Associated with [REDACTED] that is Stored at the Premises Controlled by Apple, Inc., reversed an earlier decision by a Magistrate Judge which “refused to allow a two-step procedure whereby law enforcement is provided all emails relating to a target account, and is then allowed to examine the emails at a separate location to identify evidence.”

Judge Roberts ruled “that providing law enforcement with access to an entire email account in an investigation did not violate the Fourth Amendment to the U.S. Constitution that prohibits unreasonable searches and seizures of property,” which was in line with the July 18, 2014 New York court ruling which ordered Google to produce all content for

Of course, the 1986 Stored Communications Act applies to civil and criminal cases, but in the Google and Apple cases in New York and the District of Columbia the criminal search warrants were issued under Rule 41 of the Federal Rules of Criminal Procedure.

Cybercrime is Getting Worse – 5 Reasons

Posted in eCommerce, Internet Jurisdiction

On the heels of the recent report that cybercrime is a $575 billion growth industry, Infoworld pointed out “that amount of crime has persisted for a long time, well before the Internet.” The article included these 5 reasons why cybercrime is worse than ever:

1. Internet criminals almost never get caught. The world is full of malicious individuals who have no problem skirting rules and laws, as well as taking property that belongs to other people. Bad people exist — and the Internet is a very low-risk neighborhood in which they can run amok.

2. Indefinite legal jurisdiction. Most Internet crime takes place across international borders. Law enforcement agencies are always limited to jurisdictional boundaries. For instance, a city police officer in Billings, Mont., can’t easily arrest someone in Miami, Fla. We have federal law enforcement agencies, which reach across city and state boundaries, but they can’t easily traverse international boundaries.

3. Lack of legal evidence. Another huge impediment to successful convictions is the lack of official, legal evidence. Most courts accept “the best representation” of evidence recorded during the commission of a crime. But most computer systems — and many networks in totality — don’t collect any evidence at all, much less evidence that might stand a chance of holding up in court. I’m still surprised by the number of computers I investigate that don’t, at a minimum, have event logging turned on.

4. Lack of resources. Few victims or victim advocacy groups have the resources, technology, or funding to pursue Internet criminals. I know many people who have lost tens of thousands of dollars to fraudulent transactions, including car sales, stock trades, bank transfers, and so on. Unfortunately, the amount lost usually pales compared to the cost of the resources that would be needed to recover the funds.

5. Cybercrime isn’t hurting the economy enough (yet). Lastly, the amount of Internet crime isn’t hurting economies enough to raise a global red alert. Sure, Internet crime probably results in the loss of hundreds of millions — or perhaps several billion — dollars each year, but that amount of crime has persisted for a long time, well before the Internet.

Nevertheless, in 2013 a number of cybercriminals were given long jail sentences, as I wrote in my January 2014 eCommerce Times column “Internet Crimes Led to Long Jail Sentences in 2013.”

Judge Allows Libel Suit Based on Google Autocomplete Search Results

Posted in eCommerce, Internet Privacy

A Hong Kong Judge disagreed with Google, finding that Google’s Autocomplete may have created libelous content, and “cited Europe’s recent ‘right to be forgotten’ ruling requiring Google to remove embarrassing or outdated search results upon request,” as reported by the Washington Post. On August 5, 2014 Deputy High Court Judge Marlene Ng ruled that a lawsuit for libel could proceed based on Google Autocomplete because:

When Hong Kong business tycoon Albert Yeung Sau-shing Googled his name, the autocomplete feature suggested the word “triad,” a term that, in Asia, is associated with organized crime.

The Washington Post pointed out that libel standards in Hong Kong are similar to those in the US, and that even though Mr. Yeung has an impressive business background, he has also been convicted of some crimes:

Yeung is the founder and chairman of Emperor Group, a sprawling business empire that includes property development, entertainment and financial services. He has been found guilty of crimes including illegal bookmaking and perverting the course of public justice, and has been fined for insider trading.

Google’s Autocomplete does not produce every possible option, since the Google Autocomplete algorithm (which cannot be turned off):

…automatically detects and excludes a small set of search terms for things like pornography, violence, hate speech, illegal and dangerous things, and terms that are frequently used to find content that violates copyrights.

Although Google Autocomplete is a great tool, the libel ruling in this Hong Kong case may alter how Google provides services in the future.

Cloud at Risk as Microsoft is Ordered to Produce Data in Ireland

Posted in eCommerce, Internet Privacy

As part of a drug trafficking investigation the US government persuaded a Court to issue a warrant that “purports to authorize the Government to search any and all of Microsoft’s facilities worldwide,” according to Microsoft’s opposition brief filed on June 6, 2014 in the US District Court for the Southern District of New York. Microsoft also argued:

Microsoft also has encountered rising concerns among both current and potential customers overseas about the U.S. Government’s extraterritorial access to their user information.

In some instances, potential customers have decided not to purchase services from Microsoft and have instead opted for a provider based outside the United States that is perceived as being not subject to U.S. jurisdiction.

Some of these customers have specifically referred to the decision below as a basis for concern about U.S. Government access to customer data.

If this trend continues, the US technology sector’s business model of providing “cloud” Internet-based services to enterprises, governments, and educational institutions worldwide will be substantially undermined.

The Washington Post reported that the Court ruling:

…also raises significant economic and diplomatic issues for U.S. companies that store mounds of data for others as part of the burgeoning cloud computing industry, which has been battered in the wake of revelations about its cooperation with U.S. spy agencies conducting broad surveillance.

Verizon, which operates data centers overseas, also filed an amicus brief which states:

If the government’s position prevails, it would have huge detrimental impacts on American cloud companies that do business abroad…

This case could have a very far-reaching impact on the Internet, so it will be an important one to follow.

6th Year of Blogging and Net Neutrality May be Moot if Cities Build Their Own Internet Systems

Posted in eCommerce, Net Neutrality

My first blog post was on August 1, 2008, and at the time it seemed like the FCC had Net Neutrality under control, but not really… and now the FCC wants to “explore the possibility of helping cities build their own connections to the Internet and bypassing the commercial broadband providers like Verizon and Comcast that have generally served as America’s onramps to the Web,” according to the Washington Post. The Post article is entitled “How the history of electricity explains municipal broadband” and explains:

Unlike today, electricity wasn’t always common or plentiful in the United States. Direct-current electricity was hard to transmit over long distances, because the power faded over long distances. Those limitations gave rise to lots of power plants being built in the 1890s that were meant to serve very small areas within a city. As technology improved, those small power plants led to much larger ones serving wider areas and more customers. Eventually, the companies running these plants effectively got taken over by even bigger companies that held ownership stakes in numerous utility firms across the country.

Ultimately, in 1933, during the Great Depression, the Roosevelt Administration:

…launched the Tennessee Valley Authority (TVA) and the Rural Electrification Administration, among a number of other offices meant to provide power to those who’d been passed over by the privately owned utilities because those areas weren’t as profitable. TVA in particular worked with cities like Chattanooga to provide affordable energy.

Time will tell how this proposal will turn out, but given the need for high-speed Internet access, municipal broadband may be all, or part, of the solution.

Cybercrime is Growth Industry Estimated to be as Much as $575 Billion

Posted in eCommerce

A recent report estimates that the “cost of cybercrime includes the effect of hundreds of millions of people having their personal information stolen—incidents in the last year include more than 40 million people in the US, 54 million in Turkey, 20 million in Korea, 16 million in Germany, and more than 20 million in China.” The Center for Strategic and International Studies and McAfee issued their June 2014 report entitled “Net Losses: Estimating the Global Cost of Cybercrime” with these comments about the impact on the world:

  • The cost of cybercrime will continue to increase as more business functions move online and as more companies and consumers around the world connect to the Internet.
  • Losses from the theft of intellectual property will also increase as acquiring countries improve their ability to make use of it to manufacture competing goods.
  • Cybercrime is a tax on innovation and slows the pace of global innovation by reducing the rate of return to innovators and investors.
  • Governments need to begin serious, systematic effort to collect and publish data on cybercrime to help countries and companies make better choices about risk and policy.

The report also has a chapter on acceptable losses, which may come as a shock to many but should not, given these observations:

One way to think about the costs of cybercrime is that societies bear the cost of crime and loss as part of doing business and a tradeoff for convenience and efficiency. Companies and individuals have decided that the net gain of using automobiles and giant merchant ships outweighs the potential cost. The problem with these analogies is that many companies do not know the extent of their losses from cybercrime, leading them to make the wrong decisions about what is an acceptable loss.

Here is a list of the chapters in the report:

  • Estimating global loss from incomplete data
  • Regional variations
  • Incentives explain cybercrime’s growth
  • Acceptable loss from cybercrime
  • IP theft and innovation cannibalism
  • Penalty-free financial crime
  • Confidential business information and market manipulation
  • Opportunity cost and cybercrime
  • Recovery costs

Obviously cybercrime is huge, will never get smaller, and no one is immune.