For lawyers, electronic devices pose problems. Devices belonging to clients and staff are not in our control. Devices can be hacked by determined professionals or bitter exes. Data is volatile. So what can we do to protect confidential information and preserve potentially relevant data? I will provide some answers in this article, first by discussing the “big three” client-controlled devices: desktops and laptops, tablets, and cellphones. I will then discuss the devices in your small law office. Next follows a discussion of smart home devices as the newest means of inflicting domestic violence. Finally, I will conclude with a discussion of how to get electronically stored information (ESI) into evidence and by suggesting how to become better informed about electronic discovery. I will not be addressing social media accounts beyond the issue of how to get the ESI before the court.
January 15, 2019 Feature
The Trouble with Devices and the Data They Contain
By Gordon D. Cruse
Client-Controlled Devices
Desktops and Laptops
Thousands of articles address at length the subject of locking down desktops and laptops. In the context of client-controlled machines, however, the reality is that, unless you have sophisticated clients or corporate clients, a password is probably all you can realistically hope for. If clients have secure networks and secured devices—that’s great, but it is rare in my experience.
You can suggest to couples who are separating that they install a virtual private network (VPN) and change passwords. You can also explain that a system used by the other spouse needs to be checked by an expert for security backdoors that may have been created.
Someone trying to access a laptop or desktop needs only enough access to install keylogger software to see everything the other party is doing. This can be installed through a Trojan horse email attachment; generally it is done before the party moves out. It takes only a minute.
Tablets
Whether Apple or Android devices are used, the problem is that clients share data with the entire family. The common family Apple iTunes account has data flying from a parent’s iPad to a child’s iPad. That has resulted in some unusual cases, such as the one in which a parent sent a suggestive photo to a new lover that ended up on the divorcing couple’s ten-year-old’s iPad. Mom and Dad need their own plan and not a family plan, or they need to be thinking about where their data is going to end up. Passwords need to be updated, and a child should not have access to a parent’s data account, as the other parent has access to the child—and, therefore, to the other parent’s data.
Both people in a couple without children but with a shared data plan before separation need to obtain their own accounts and new passwords. They should not forget to change the password on the cell service website if their tablet is cell-enabled.
Cellphones
Here is where the real gold lives. Those text messages, photos, social media links—all that precious data is in the client’s hand. So how do we help clients protect it? Good luck. Clients are less likely to secure their cellphone than any other device. If you can get them to at least use a password, a real password, then you are miles ahead.
The second thing is to get clients to use a VPN instead of free wi-fi. The latter provides no security, leaving devices and data open to attack. There are many good VPNs available at the Apple Store and the Google Play Store.
The same family-plan rules for tablets apply to cellphones. The issue that comes up often is that one party has the cell account (the account owner) and the other is a user. This gives the account owner control over the user account. Services can be altered, call history reviewed, and access to data permitted if allowed by the carrier or service provider.
All of this might seem like common sense nowadays, but in the cases I see referred to me from other lawyers, virtually none of what I have been recommending is ever done.
Lawyer-Controlled Devices
Desktops and Laptops
I will leave it to others to tell you to get a firewall up, assign passwords, set security levels, and prohibit staff from adding software to your desktop and laptop computers. But here is a glimpse at the reason why. I was in a restaurant the other day and saw a colleague using her laptop while enjoying her lunch. She left it for a moment. When she returned, I asked her what she would do if someone had read what she was working on. Or had just stolen the laptop? Or, as she was logged in as the administrator, decided to add something from a thumb-drive kept in a pocket?
Our own hardware is our biggest security risk. We do little to button down our equipment, and we rely upon others to fix it later. Get a good IT firm to come in and assess your security and then fix it. The ABA Commission on Ethics 20/20 reiterates that we have a duty to represent our client competently. Competence requires that we know how technology will benefit or hurt our client. This is not a new, post-e-discovery rule. It has always been the rule.
Tablets and Cellphones
If you are not on a VPN, your cellphone and tablet can be hacked on any public wi-fi connection. We have far too much client data on our portable devices to allow them to remain unprotected. You need a real password for your portable devices. There are many password storage and password generator apps out there for any portable device platform.
You must control what devices your staff adds to your servers. I do not allow my staff to connect their personal cellphones or tablets to my servers, whether they are physically in the office or using cloud-based options. I provide them a cellphone for work and any other needed portable devices.
Your IT staff or contractor will be able to set up staff-owned devices if you wish to go down that path. Done right, it can be secure, but you will need professional help to get it right.
You need policies for your staff members’ use of their devices and your data. You will need a means to secure your data when they are not in your office or when they leave your employ.
Email can be hacked, data packets sniffed (read in transit), and email altered. If you think an email has been altered, you will need an expert to help you find out. If the original data file has been altered, your expert can check to see, for example, whether there is a difference in something called the MD5 hash value between the original and the copy. This value can help indicate whether changes to a file have been made after it has been transferred. There is software to do this (EnCase, for example), but you need to be a qualified user. An email end user is not going to know how to find the error unless he or she is looking at the original email and the altered document.
I wish there were a simple way to find hacked email, but it’s not that easy. If you try it on your own, you will harm your data and your client. If you have any reason to believe your client’s email is being altered, you need to bring in an expert. If you try to be a computer forensic expert without the training, you will damage your client.
Smart Home Devices: The New Weapons in Domestic Violence
More and more, we add smart home devices to our environment. While these can be incredibly useful, they can also be turned against the end user. Typically, smart home devices are set up by one spouse but used by both spouses. These smart home devices can be anything from an Amazon Echo speaker to a smart thermostat, a programmable vacuum, a smart appliance such as a refrigerator, a smart door lock, or even a smart electrical socket. This list offers just a few of the currently available smart home devices. Imagine the situation where the spouse who set up the smart home devices has moved out and wishes to destroy the emotional or mental calm of the other spouse by doing things such as changing the alarm time on an Echo device from 7 a.m. to 2 a.m., turning on the smart vacuum at 3 a.m., turning off the air conditioning, turning up the heat, or unlocking the front door after your client has gone to bed. In one case, the husband turned off the refrigerator and all the food spoiled.
The best advice you can give your clients is to make sure they know how all these devices work and to have the application to run the device on their cellphone, tablet, or laptop. Also advise your clients to change the passwords for every smart home device after the spouse moves out. That is the easiest way to stop this type of harassment.
Assume you have a case where this is going on and your client has convinced herself that she is not crazy (that tends to be the first response by the victim). How do you find out that these devices are being altered by the other spouse? The simplest solution is to get access to the log or activities on each device. Some of the log files will be user-accessible in the application that oversees the operation of the smart home device. Even if your client doesn’t currently have the controlling application on his or her cellphone or tablet, he or she can download it and, with customer service assistance, usually acquire control of the device and then look at the access logs. If that’s not possible, you will need an expert to actually access the smart home device and download the access log files from the device itself.
Spotting Data Alteration
Knowing that your data has been altered requires somebody paying attention to it. So many times, the client will send an email and not think anything of it. In many cases, he or she won’t even keep a copy. In some cases, such as in the case of an altered email message, a physical inspection can show the alteration, but you have to be looking for it. None of us have the time to examine every piece of email received from a client. The most expedient way to determine that there is a problem with data is to have it forensically examined. This is going to take an expert who uses software required to create the hash value I alluded to above. With that, you will know that there’s been an alteration.
That same expert can help you look at the metadata for any file. There are two types of metadata. The first is system-made, and the second is made by accessing applications. Accessing system-made metadata can help you determine whether a device has even been used, the last time it was used, who was logged into the system, and many other little tidbits about what’s happening with the device that’s being accessed. The application-generated metadata can tell you the software used, the number of times the file has been accessed, the number of times it’s been altered, who may have been logged in when the file was altered, and the dates and times of modification and access. Unless you are a sophisticated user, call in the expert.
That same expert can help you find out whether spoofing email applications or text applications have been used to send a communication to make it look as though it came from your client, even though it was really sent by the other side. A forensic examination of your client’s device may be necessary, and it is generally the only expedient way to obtain admissible evidence. You can then provide a chain of evidence, and the experts can testify as to what they did and how they gathered the ESI and what it shows.
Consider securing a forensic copy of the client’s hard drive or other data storage on his or her cellphone and tablet. There is software available so that you can make this clone by yourself, and in a low-budget case, that might make sense. One such application is Clonezilla (it does the job, and I have no relationship with the company). There are many others. If you have the budget, though, do not start engaging in self-collection (although a self-collected forensic drive may be better than none). Get your expert in there and let him or her forensically copy your drive or other form of data storage. Put the forensic copy away. At least you have everything on that device as of the date it was forensically copied.
Please remember that a forensic copy is not just the transfer of data to another device. A forensic copy is a sector-by-sector copy of the drive or other memory storage option. This will also copy the slack space and any other data fragments that might be useful in the future in your case. If all of this sounds geek to you, then you need to get an expert in to help you. Getting a forensic copy of the data storage device is not expensive, and it can be a way of determining whether data has been altered.
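To illustrate the two points made above (a sector-by-sector copy keeps slack space that an ordinary file copy leaves behind, and a hash value exposes any later change to the copy), here is a short Python sketch. It is an added example, not part of the original article; the four-sector "drive," its contents, and every function name are constructed for illustration.

```python
import hashlib

SECTOR = 512  # bytes per sector (constructed example)

def digest(data, algo="md5"):
    """Hash bytes sector by sector; MD5 as named in the article, or e.g. 'sha256'."""
    h = hashlib.new(algo)
    for off in range(0, len(data), SECTOR):
        h.update(data[off:off + SECTOR])
    return h.hexdigest()

def build_device():
    """Constructed 4-sector 'drive': one live file over the remains of a deleted one."""
    old = b"DELETED DRAFT: transfer funds before filing".ljust(SECTOR, b"\x00")
    live = b"Current letter to counsel."
    # The live file overwrote the start of sector 1; the rest of the sector is slack.
    sector1 = live + old[len(live):]
    return b"\x00" * SECTOR + sector1 + b"\x00" * (2 * SECTOR), len(live)

def logical_copy(device, file_len):
    """Ordinary file copy: only the live file's bytes leave the drive."""
    return device[SECTOR:SECTOR + file_len]

def sector_copy(device):
    """Forensic-style copy: every sector in order, slack space included."""
    return b"".join(device[o:o + SECTOR] for o in range(0, len(device), SECTOR))

def first_changed_sector(a, b):
    """Index of the first differing sector, or None when the two are identical."""
    for off in range(0, max(len(a), len(b)), SECTOR):
        if a[off:off + SECTOR] != b[off:off + SECTOR]:
            return off // SECTOR
    return None

def demo():
    device, file_len = build_device()
    image = sector_copy(device)
    tampered = bytearray(image)
    tampered[SECTOR + 8] ^= 0x01  # flip one bit inside the live file
    return {
        "image_hash_matches": digest(image) == digest(device),
        "slack_in_image": b"before filing" in image,
        "slack_in_file_copy": b"before filing" in logical_copy(device, file_len),
        "tampered_hash_matches": digest(bytes(tampered)) == digest(device),
        "changed_sector": first_changed_sector(device, bytes(tampered)),
    }

if __name__ == "__main__":
    print(demo())
```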
The use of an expert to determine whether there has been alteration of data and how it was done is critical. And it’s critical not just to enable you to know what happened but also to enable the expert to testify and get that evidence before the court.
Be Better Informed
Take any discovery course. I can suggest two excellent ones. Michael Arkfeld, a brilliant lawyer in Arizona, has a terrific online program that I have attended. It puts together both the technical side and legal side of the discovery process, and you can take the course right from your office. There are about ten hours of reading every week, in addition to the online class, which is held one day a week for about two hours. There are tests with every module, so the course is not just reading, and the online sessions are interactive. It is a terrific program, and you also benefit from his outstanding written materials. I get no remuneration from Michael’s program. I recommend it because it’s good. Georgetown Law has another outstanding e-discovery training course. It’s about a week long and it is intensive. You will walk out of that course ready to face the e-discovery world.