Legal Investigation in Social Media: How to Do It; How Not to Do It - PowerPoint PPT Presentation

Loading...

PPT – Legal Investigation in Social Media: How to Do It; How Not to Do It PowerPoint presentation | free to view - id: 523cbb-NzNmN



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Legal Investigation in Social Media: How to Do It; How Not to Do It

Description:

Legal Investigation in Social Media: How to Do It; How Not to Do It. Benjamin Wright, Attorney. SANS Institute: Law of Data Security & Investigations – PowerPoint PPT presentation

Number of Views:650
Avg rating:3.0/5.0
Slides: 38
Provided by: ncsbnOrg1
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Legal Investigation in Social Media: How to Do It; How Not to Do It


1
Legal Investigation in Social Media How to Do
It How Not to Do It
  • Benjamin Wright, Attorney
  • SANS Institute Law of Data Security
  • Investigations
  • This is not legal advice.

2
Agenda
  • How to record evidence
  • Admissibility and authentication of evidence
  • Risks in collecting evidence
  • Methods for managing risks
  • The power of a preservation letter
  • General principles for guiding social media
    investigations

3
Examples
  • Regulatory investigators gather evidence via
    social media
  • Welfare cheat foiled by Facebook
    http//bit.ly/JQSMrQ
  • Based on Facebook videos, Hawaiian Humane Society
    issues citations prosecutor to press charges
    http//bit.ly/IsfgxZ

4
Many Social Networks
  • Facebook, Twitter and LinkedIn are just a part of
    the topic
  • Many new social networks, like Google Plus,
    Quora, Instagram, Groupon, Pinterest, Touristlink
  • Thousands of blogs and special interest forums

5
Different from Traditional Digital Forensics
Investigations
  • Traditional investigator has access to hardware
    that holds data
  • In web, cloud or social media investigation,
    investigator typically does not have direct
    access to hardware on which original data are
    stored
  • The data can change from minute to minute
  • Format of service changes from month to month
  • Service provider may or may not cooperate

6
Rely on Witness Testimony
  • Ultimately, court looks to someone to testify
    about what happened how it looked at a point in
    time
  • Two witnesses are better than one
  • Printout most common form of social media
    investigative record
  • But printouts can be awkward and can miss a lot

7
Screencast
  • Captures the look, the words, the images, the
    interactivity and inter-relationships from one
    page and link to the next
  • Captures webcam narration by witness which can
    be compelling to judge and jury
  • Free, open-source tool screencast-o-matic.com
  • Other products like Camtasia

8
(No Transcript)
9
Many Posts and Demos of Screencast Evidence
Capture
  • http//bit.ly/e825MF - live chat
  • http//bit.ly/ePV9E0 - web activity
  • http//bit.ly/w3swEC - online financial trades
  • http//bit.ly/nsZ6ZG - undercover police in
    social media
  • I welcome your comments, questions and criticism!

10
Screencast Script
  • Create a unified package of evidence, integrating
    pages, links and testimony
  • Investigator as eyewitness -- recorded by audio
    or webcam
  • Script of the investigator
  • His identity, purpose authority
  • Time and date
  • His statement of signature, taking responsibility
    for what he sees

11
The Power of an AffidavitPaper, Audio, Video or
Other File
  • I, Jane Doe, hereby affirm that I collected the
    following evidence in the way described. Sign,
    date, notarize
  • Prevents Jane Does memory from wandering
  • Jane Doe may not work for, or cooperate with, you
    two years from now
  • Webcam signature is pretty convincing
    http//bit.ly/a0X9kZ

12
Corroborate Date and Time
  • State date and time in record/affidavit then
  • Send record by enterprise email to multiple
    people (timestamp), or
  • Store the record on enterprise sharepoint, which
    shows audit trail with time, or
  • Upload record to a third party service like
    Microsoft skydrive, which records date

13
Undercover Cops Example
  • Two witnesses
  • Record voice but no video
  • Mercer County prosecutors office, New Jersey
    gang investigation
  • http//bit.ly/Ai3nQB

14
(No Transcript)
15
Investigative/Recording Tools
  • Vere Software
  • X1 Discovery
  • Hashbot
  • Iterasi web archiving service
  • Others
  • Each works differently
  • Regardless, an affidavit from a witness is
    helpful.

16
Hook into APIs Collect Meta Data
17
(No Transcript)
18
Consider Terms of Service
  • Platform application developers and operators
    http//www.facebook.com/legal/terms
  • Post privacy policy
  • "You will delete all data you receive from us
    concerning a user if the user asks you to do so,
    and will provide a mechanism for users to make
    such a request. ... You will make it easy for
    users to remove or disconnect from your
    application."

19
General Facebook Terms
  • http//www.facebook.com/legal/terms
  • If you collect information from users, you will
    obtain their consent, make it clear you (and not
    Facebook) are the one collecting their
    information, and post a privacy policy explaining
    what information you collect and how you will use
    it.

20
Interpretation
  • Does this mean no one can, without consent, copy
    something from Facebook for purposes of an
    investigation?
  • I think not.
  • Making limited copies is generally accepted
    practice.
  • But the principle of proportionality is
    relevant.

21
Proportionality
  • The scale of data collection matters
  • A broad, general principle from privacy and
    e-discovery law is that the collecting and
    management of data should be proportionate to
    the case (considering risks, costs, urgency and
    so on)
  • See blog articles http//bit.ly/ga7U7w and
    http//bit.ly/937Swa

22
Admission of Evidence
  • Social media evidence is very commonly admitted
    into legal proceedings
  • Varying degrees of formality in proceedings
  • However, some criminal cases show skeptical
    courts
  • Criminal cases have
  • higher standard of proof

23
Authenticate Myspace
  • Griffin v. Maryland, No. 74 (Maryland Apr. 28,
    2011) - In murder trial, questions arise why a
    witness gives conflicting testimony. Prosecution
    tries to show defendants girlfriend threatened
    witness through Myspace. Court Myspace
    evidence insufficiently authenticated. An
    imposter could have posted the message.

24
Addressing the Authentication Issue Law
Enforcement Search Warrants
  • Can collect details from the service provider
    like IP address, time, application, mobile
    carrier and more
  • These details can help with authentication
  • Zachary Wolff, Twitter To log or not to log Is
    that the question? http//blog.logrhythm.com/unca
    tegorized/631/

25
Alternative Ways to Authenticate Evidence
  • Interact with the user (if permitted)
  • Gather corroborating detail about user
    statements, activities and timeline
  • Corroborating details can be collected from
    multiple sources (Facebook, Twitter, special
    interest forums, games, phone, witnesses and so
    on)

26
Risks Ethical Limitations
  • New York State Bar Ethics Opinion 843
    (9/10/2010) NY City Bar Formal Opinion 2010-2
    San Diego County Bar Opinion 2011-2
  • Lawyers may view public postings of adversaries
  • May not friend an adversary represented by a
    lawyer
  • May not use deception to friend someone

27
No Trespassing Sign?
  • Pietrylo v. Hillstone Restaurant Group
  • Private Myspace forum talk about all the
    crap/drama/and gossip occurring in our workplace,
    without having to worry about outside eyes prying
    in.
  • Management got password fired employees
  • Jury company must pay back wages and punitive
    damages

28
Lessons from the Hillstone Case
  • Exercise restraint and discretion
  • Watch out for and evaluate claims of privacy
  • Careful with passwords that dont belong to you

29
Managing RiskRestraint and Proportionality
  • Canada Privacy Commissioner (PIPEDA Case Summary
    2009-019) employer may investigate if employee
    had violated employment contract
  • Principle have a logical, evidence-based
    justification for getting sensitive information
  • Predicate evidence justifies getting more
    evidence, but only what is necessary
  • This principle is consistent with discovery
    principles in civil litigation

30
Managing RiskInterview the Subject First?
  • A formal HR interview or deposition puts pressure
    on subject to tell the truth
  • Yes, subject could delete data, but
  • Deletion of data itself is evidence of wrongdoing
    that could hang the subject
  • Deleting data is harder than it looks because
    copies are spread everywhere

31
Power of a Preservation Letter
  • Letter puts adversary on notice not to destroy
    records
  • Focuses the adversarys attention electronic
    evidence and all the steps that might be
    necessary to preserve
  • http//bit.ly/A5XrGH

32
Legal Steps to Access Non-Public Data
  • Consent of the user
  • E-discovery demand to user
  • Informal request to social network
  • Subpoena to social network
  • Search warrant for law enforcement
  • Find the data in an alternative, public location

33
Informal Request
  • Very commonly service providers especially
    smaller ones will cooperate with requests from
    government
  • Fugitive plays World of Warcraft
  • Howard County, Indiana, Sheriff sends polite
    letter to operator of game
  • Service provider reveals IP address, which leads
    to fugitive in Canada http//bit.ly/xzpMwh

34
Civil Subpoenas for Content
  • Big service providers tend to resist
  • Smaller service providers may be more cooperative
  • Crispin v. Christian Audigier, Inc.
  • Civil subpoena to FB and Myspace quashed
  • Content protected under Stored Communications Act
  • May be difference between private messages and
    wall postings

35
Alternative Locations for Evidence
  • Notices and copies to email or phone SMS (text)
  • Replication at other sites (my Facebook and
    LinkedIn repeat my tweets)
  • Sharing by friends
  • Cache on computer

36
General Principles for Investigators
  • Keep thorough, signed, time-stamped records
  • Record your justification
  • Keep the methods and evidence capture
    proportionate and within the scope of the
    justification
  • User consent (employment application or terms of
    employment) reduces risk
  • Be creative to find the data

37
Blog benjaminwright.usGoogle Plus
gplus.to/privacy
  • This presentation is not legal advice for any
    particular situation. If you need legal advice,
    you should consult the lawyer who advises you or
    your organization. Use this material at your own
    risk. Anyone may reuse or reproduce it.
About PowerShow.com