2015 Law + Informatics Symposium on Digital Evidence

2015 Law + Informatics Symposium on
Digital Evidence

Friday, February 27, 2015

The Northern Kentucky Law Review and NKU Chase Law + Informatics Institute hosted their annual spring symposium, the Law + Informatics Symposium on Digital Evidence, on Friday, February 27, 2015. The event was held in the Northern Kentucky University George and Ellen Rieveschl Digitorium and was co-sponsored by the Center for Excellence in Advocacy.

The all-day symposium provided an interdisciplinary exploration of digital evidence. Discussion topics included individual autonomy and government security, evidentiary, reliability, digital privacy concerns, drone-obtained evidence, and medical reimbursement fraud. Speakers from across the country participated in the conference and in a final roundtable discussion of various current issues and topics in digital evidence.

  • Michael Losavio, University of Louisville, “A World Information Order – Privacy and Security in a Hyper-networked World of Data and Analysis”
  • Erin Corken, Ricoh Legal, “The Changing Expectation of Privacy”
  • Timothy Ravich, University of Central Florida, “All Arise! Courts in the Drone Age”
  • Jennifer Brobst, Southern Illinois University School of Law, “The Digital Wild Frontier: The Impact of Public Records Requests for Whole Databases and Metadata in Public Health and Criminal Justice”
  • Neil Issar and Edward Cheng, Vanderbilt Law School, “Admissibility of Statistical Proof Derived from Predictive Methods of Detecting Medical Reimbursement Fraud”

The symposium included a student scholarship showcase luncheon. Three law review editors, Kathleen Watson, Casey Taylor, and Lauren Martin, presented on the right to confront technology, warrantless cell phone searches, and computer source code copyright, respectively.

On Thursday, February 26, 2015, as a prelude to the academic symposium, NKU Chase hosted a special screening of The Decade of Discovery, a documentary film about a government attorney on a quest to find a better way to search White House e-mail, and a teacher who takes a stand for civil justice on the electronic frontier. After the viewing, the audience discussed the film with Joe Looby, filmmaker; Jason R. Baron, former government attorney featured in the film; Erin Corken, e-discovery adjunct professor and Ricoh Legal regional review manager; and Joseph Callow, partner and leader of the Keating Muething & Klekamp E-Discovery Litigation Support Group. The film screening was sponsored by Ricoh Legal and Keating Muething & Klekamp PLL.

The symposium was sponsored by Northern Kentucky Law Review, NKU Chase Law + Informatics Institute, Center for Excellence in Advocacy, Keating Muething & Klekamp PLL (film), and Ricoh Americas Corp. Legal (film).

A complete agenda with roster of speakers, biographies, and CLE materials is available here.

Watch the webinar without CLE credit.

About the Law and Informatics Institute: The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media and entertainment, and the public sector.

Continue reading

SUPREME COURT RULES THAT POLICE MUST GET WARRANT BEFORE SEARCHING CELL PHONES

Yesterday, the U.S. Supreme Court ruled in two cases – Riley v. California and U.S. v. Wurie (collectively “Riley”) – that police may not search a person’s cell phone just because the phone is in the person’s possession when he or she is arrested. Instead, the police must either get a warrant to search or else rely on case-specific facts giving rise to individualized suspicion that evidence on the cell phone will be destroyed before a warrant can be obtained. The Riley decision was virtually unanimous, with Justice Alito joining only in part.

After David Riley was arrested in California for a firearms offense, police searched his pockets and found a smartphone. Searches of the contents of the phone disclosed: that Riley had used the term “CK,” short for “Crip Killer,” suggesting that he was a member of the Bloods street gang; videos in which unknown persons used the word “Blood”; and a photo of Riley in front of a car involved in a recent shooting. This evidence was introduced at trial against Riley in California state court to prove his involvement in the shooting and his gang membership.

In a separate case, Brima Wurie was arrested on drug charges in Massachusetts, and police seized a flip phone from him. Police noticed numerous phone calls coming from a contact identified as “My House.” Police searched the phone for the phone number of the “My House” contact, then located the address associated with that number using an online directory. Police then secured a warrant for that address and seized drugs, cash, and a firearm, all of which were introduced at his federal trial on drug and gun charges.

Riley and Wurie each conceded that police had authority to seize their phones pursuant to the “search incident to arrest” (SIA) doctrine, which permits police, without a warrant, to search the person of an arrestee and seize whatever they find. They argued, however, that police went beyond that authority by searching the contents of their phones without a warrant.

The Court agreed. The Court distinguished a 1973 case, U.S. v. Robinson, in which it had upheld as an SIA the search of a cigarette pack obtained from an arrestee. In Robinson, the Court had justified the SIA rule on two grounds: preventing the arrestee from accessing an item that could be used to injure the officer or effect an escape, and preventing him from accessing evidence that could be concealed or destroyed. In Riley, the Court determined that inthe context of a cell phone, the first justification is obviously inapplicable. And the government had shown nothing beyond speculation that searching a cell phone immediately was necessary to avoid having its contents encrypted or remotely wiped.

On the privacy side of the ledger, the Court determined that digital evidence is of a completely different character than the non-digital evidence found in the cigarette pack in Robinson. While a limited number of personal items might be carried in a person’s pockets or purse, cell phones (particularly smartphones) carry a virtually limitless number of items that are quite private in nature: potentially thousands of e-mails and phone and text messages, a veritable music and video library, a daily calendar going back years, GPS location information, an internet browsing history, and dozens of apps. Each of these might reveal very personal information about the arrestee. And the Court said that this was true not only of Riley’s smartphone but also of Wurie’s flip phone. In short, the quantity and quality of information contained on a cell phone is different from non-digital evidence that might be found on an arrestee’s person in the same way that “a ride on horseback is [different] from a flight to the moon.”

In some cases, the Court acknowledged, police will have sufficient suspicion both that a cell phone contains evidence of a crime and that the evidence might be destroyed before a warrant can be obtained. In those cases, the police will be able to search without a warrant, but only if they can point to particular facts and circumstances indicating a need to search imminently. Otherwise, they will have to convince a judge to issue a warrant based on probable cause that the cell phone contains evidence of a crime.

Riley has the potential to be a very significant case. Not only does the ruling have the immediate effect of barring searches of cell phones, and presumably other computer devices, incident to arrest, but it also has broader implications. For the first time, the Court has acknowledged and coherently articulated that digital data are different than non-digital data, not only in degree but in kind. In the years to come, Riley will likely be viewed as the case that brought the Fourth Amendment into the 21st century.

 

Michael J. Zydney Mannheimer

Professor of Law

NKU Chase College of Law

518 Nunn Hall

Highland Heights, KY 41099

859.572.5862

mannheimem1@nku.edu

 

 

Ninth Circuit Provides Important Protection To Bloggers

In an important victory for free speech advocates, the Ninth Circuit has joined other courts in establishing that authors protected by the First Amendment need not be journalists to have such robust protections.

In Obsidian Finance Group, LLC v. Cox, — F.3d —- (2014) (filed Jan. 17th, 2014), the Ninth Circuit overturned a lower court decision that limited certain First Amendment protections to institutional journalists. The Court explained that “protections of the First Amendment do not turn on whether the defendant was a trained journalist, formally affiliated with traditional news entities, engaged in conflict-of-interest disclosure, went beyond just assembling others’ writings, or tried to get both sides of a story.”

In aligning the Ninth Circuit with other circuits which have addressed the issue, the court reaffirms that negligence is the minimum legal standard for any case involving matters of public interest (and possibly all cases). To receive general damages without suffering specific harm and to receive punitive damages, the plaintiff must establish that the defendant published the statements with actual malice, meaning intentional knowledge of falsity or reckless disregard of the truth.

In New York Times Co. v. Sullivan, 376 U.S. 254 (1964), the Supreme Court established the modern First Amendment framework. Public officials must prove actual malice to prove liability. Curtis Publishing Co. v. Butts, 388 U.S. 130, (1967), then extended this standard to public figures. A decade later, in Gertz v. Robert Welch, Inc., 418 U.S. 323, 350 (1974), the Supreme Court held that the First Amendment required a negligence standard for private defamation actions. Significantly less than the actual malice standard, it nonetheless established that there could not be liability without fault.

In Obsidian Financial Group, the Ninth Circuit does not suggest the defendant is blameless:

Crystal Cox published blog posts on several websites that she created, accusing Padrick and Obsidian of fraud, corruption, money-laundering, and other illegal activities in connection with the Summit bankruptcy. Cox apparently has a history of making similar allegations and seeking payoffs in exchange for retraction. See David Carr, When Truth Survives Free Speech, N.Y. Times, Dec. 11, 2011, at B1. Padrick and Obsidian sent Cox a cease-and-desist letter, but she continued posting allegations.

The accusations and statements, however, were difficult to view as factual assertions. Where there were assertions of fact, the court explains, the plaintiff must establish the negligence of the statements.

The Ninth Circuit also sidestepped the issue whether the Gertz negligence standard applies to matters of purely private concern. It noted the unresolved question, when it stated that “the Supreme Court has ‘never considered whether the Gertz balance obtains when the defamatory statements involve no issue of public concern.’” (quoting Dun & Bradstreet, Inc. v. Greenmoss Builders, 472 U.S. 749, 757 (1985) (plurality opinion)).

Instead, the Ninth Circuit noted that the blog was made available to the public at large, just as every blog does. Moreover, the court noted that “public allegations that someone is involved in crime generally are speech on a matter of public concern.” So instead of answering whether the negligence standard applies to private matters, the court expanded the realm of public discourse to almost any public accusation.

This strategy has the effect of expanding the negligence standard to almost any claim. It may leave certain personal matters personal, though this is unclear. It could also leave certain formats, such as personal emails, texts, and friends’ lists as matters of purely private concern, but undoubtedly many of allegedly defamatory posts on such platforms will also be matters of public concern.

The distinction between matters of public concern and purely private matters has less and less meaning, and the distinction is likely to continue to erode in the context of defamation, though perhaps remain relevant in some issues involving privacy.

Nonetheless, the case is an important victory for free speech interests. Of course, this does not mean anything can be published with impunity. Negligence is not a terribly difficult test to meet and those plaintiffs who have truly been harmed will still have their day in court. It is difficult to be the subject of online attacks, but the rules of law should apply equally to all speakers, journalists, bloggers, and citizens alike. In the Ninth Circuit, it now does.

Social Media in the workplace – wide-ranging overview now available

In a recent blog post regarding Sam Moore‘s claim for publicity rights in a fictional film, I provided a general update on publicity rights law because such laws are now being used as part of the social media agreement between the public and such companies as Google and Facebook.

The discussion about continuing evolution of publicity rights doctrine is part of a larger review I have written on the role of social media across the spectrum of media law.  That working paper, Social Media in the Workplace – From Constitutional to Intellectual Property Rights is now available at SSRN: http://ssrn.com/abstract=2348779 or for download.

Social media has become a dominant force in the landscape of modern communications. From political uprisings in the Middle East to labor disputes in Washington State, social media has fundamentally disrupted the way in which communications take place. As noted constitutional scholar Erwin Chemerinsky explained, “technology has changed and so has First Amendment doctrine and American culture. It now is much more clearly established that there is a strong presumption against government regulation of speech based on its content.” Just as the government must tolerate more speech, the same thing is true about employers. Chemerinsky further notes that “for better or worse, profanities are more a part of everyday discourse.” Abrasive speech may be coarse from the word choice or may more readily upbraid the objects of the speech. Whether foul or abusive, such speech now pervades commercial and social media.

Social media fundamentally upends the notion of the traditional commercial media environment and with that, it reverses the established legal doctrine from constitutional assumptions to everyday rules involving copyright, defamation, and unfair labor practice. For employers, these rules are particularly important to navigate because they effect the manner in which the companies communicate with the public, how employees communicate with each other, and how laws are restructuring the employee-employer relationship. The transformation is taking place with changing policies affecting trade secrets, confidential information, copyrighted material, aggregated data, trademarks, publicity rights, and endorsements.

This article highlights the nature of the changes as they present the new paradigm shift and provides some guidance on how to prepare policies for the transitional model. The article tracks the rise of the many-to-many model of social media, its effect on commercial speech, intellectual property, and labor law. The article concludes with suggestions on employment policies geared to managing these changes in the modern workplace.

There will be a CLE program sponsored by the Dayton Intellectual Property Law Association on Friday November 8, 2013 featuring these materials.

Rent-to-Spy Highlights Need for Diligence

Seal of the United States Federal Trade Commis...

(Photo Wikipedia)

Aaron’s Inc. a leading franchisee in the rent-to-own retail market has agreed to settle FTC complaints[1] that allowed Aaron’s franchisees to install and use software to spy on customers.

In announcing the proposed settlement, the FTC explained that “Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.”

Aaron’s, Inc. is a leading rent-to-own retailer focusing on “residential furniture, consumer electronics, home appliances and accessories with more than 2,000 Company-operated and franchised stores in 48 states and Canada.” Aaron’s reports 1,190 Company-operated Aaron’s Sales and Lease Ownership stores, 717 Aaron’s Sales & Lease Ownership franchised stores, 78 HomeSmart stores, one franchised HomeSmart store, 17 Company-operated RIMCO stores, and six franchised RIMCO stores.

The allegations focus on the franchisees rather than Aaron’s own operations. Nonetheless, the complaint highlights that Aaron’s “allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software.”

A proposed consent agreement with the FTC has been approved 4-0 by the Commission. Aaron’s will be prohibited from using monitoring technology that captures keystrokes or screenshots, or activates the camera or microphone on a consumer’s computer, except to provide technical support requested by the consumer.

Unfortunately the consent agreement still allows Aaron’s to install tracking technology, provided the customer gives consent. Given the history of such abuse, Aaron’s should be prohibited from using tracking software at all. Consent does little or nothing to affect consumer behavior; companies who have violated the public trust should be prohibited from seeking such illusory permission to continue to abuse their customers.

The risks of allowing opt-in consent are highlighted from another provision of the proposed consent decree:

The agreement will also prevent Aaron’s from using any information it obtained through improper means in connection with the collection of any debt, money or property as part of a rent-to-own transaction. The company must delete or destroy any information it has improperly collected and transmit in an encrypted format any location or tracking data it collects properly.

Under the agreement, Aaron’s will also be required to conduct annual monitoring and oversight of its franchisees and hold them to the requirements in the agreement that apply to Aaron’s and its corporate stores, and to terminate the franchise agreements of franchises that do not meet those requirements.

The proposed agreement will be subject to public comment through Nov. 21, 2013.[2] If opt-in consent is insufficient, the perhaps the Commission can be convinced.


[1] The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

[2] Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted online by following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

2013 NKU Security Symposium tomorrow, Friday, October 18, 2013

The NKU Chase Law + Informatics Institute, the Center for Applied Informatics, and our event sponsors look forward to the 2013 NKU Security Symposium tomorrow, Friday, October 18, 2013.

The program is free, but you must register. This is your last opportunity.

The Legal Issues in Privacy and Security (Legal Track) will be in Development B of the NKU METS Center in Erlanger, KY.

Legal Track Speakers:

  • John C. (Jack) Greiner, attorney, Graydon Head

  • Scot Ganow, attorney, Faruki Ireland & Cox P.L.L.

  • Jennifer Orr Mitchell, partner, Dinsmore & Shohl LLP

  • Michael G. Carr, JD, CISSP, CIPP, Chief Information Security Officer, University of Kentucky

Click here for the CLE Materials for the maximum of 4.0 general CLE credits approved by KY, OH & IN (new lawyer credits in IN).

  • Jon M. Garon, NKU Chase College of Law

Data Security: Breach Notification Law Issues [pdf]

  • Jennifer Orr Mitchell, Dinsmore & Shohl LLP

Attorneys and Other Contractors – HIPAA Business Associates in 2014 and Beyond [pdf]

For your convenience we have included directions below.

A detailed agenda can be found on the event website at http://cai.nku.edu/security2013/agenda.html

Directions to the NKU METS Center
From Downtown Cincinnati and Northern Kentucky:
I-71/75 South From the South: I-71/75 North … to I-275 West. Take first exit (Exit No. 2 – Mineola Pike). Left turn onto Mineola Pike crossing over I-275. Right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

From Indiana:
I-74 to I-275 South into Kentucky. Stay on I-275, which curves East in Kentucky and go about 22 miles all the way past the Greater Cincinnati Airport until you get to Exit No. 2 – Mineola Pike. Right turn onto Mineola Pike. Then right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

Special thanks to the sponsors of the legal track:  CincyIP and Frost Brown Todd. 

Industrial Internet reshapes the “Internet of Things”

In a term coined in 1999, the Internet of Things, relates to a world in which all objects are connected wirelessly to the Internet and therefore to each other. The model requires each device to have RFID or other near field communications technology to communicate, sharing information about the identity, status, activities, and other attributes of the device. Partnered with big data analytics, the information from these devices can paint a robust picture of how objects interact in the world and how people interact with them.

This week, the model was supercharged. According to a report in the New York Times, General Electric hopes to transform this model with what it terms the “Industrial Internet.”

The so-called Industrial Internet involves putting different kinds of sensors, sometimes by the thousands, in machines and the places they work, then remotely monitoring performance to maximize profitability. G.E., one of the world’s biggest makers of equipment for power generation, aviation, health care, and oil and gas extraction, has been one of its biggest promoters. … The executive in charge of the project for G.E. … said that by next year almost all equipment made by the company will have sensors and Big Data software.

Emerging technology allows devices to distribute usage and telemetry data, to receive instructions, to interact with other equipment, and to serve as the communications bridge extending network coverage so that the devices themselves expand the network on which the equipment communicates. The implications are quite interesting.

Perhaps the most important aspect of the development affects critical infrastructure – the fundamental systems operating our water, power, rail, and telecom infrastructure. Properly secured and interactive, the elements of our aging infrastructure could begin to trouble-spot and eventually provide small repairs without the need for 24-hour crews.

GE’s present equipment tends to be large devices, ranging from jet engines to MRI machines. But the concept could well extend to automobiles, bicycles, phones, cameras, and even clothing. Equipped automobiles, for example, could report mechanical efficiency for every system in the car. They could also share vehicle telemetry, providing a real-time map of how each car was driving in relation to every other car driving on the road. The information could be used to alert a driver to road hazards, to dangerous weather conditions, or to the driver’s weaving. The information could alert police to the same conditions and behaviors.

In the workplace, the Industrial Internet will improve atomization, which helps retain U.S. manufacturing but probably at the cost of fewer workers doing more specialized work. It should also be employed to improve worker safety but could easily be adapted to create a workplace in which every movement was tracked. With Industrial Internet name badges, doors would lock and unlock in response to the presence of authorized personnel, but the data analytics would also be able to see which employees spent the most time with which of their peers, and correlate such interactions with post-interaction productivity. Schools could similarly track student movements and behaviors, identifying which resources and faculty were actually utilized and which of those impacted learning outcomes – for better or worse.

Existing rules for workplace and education environments do not take the pervasive nature of the Industrial Internet into account. Assumptions that privacy is a zone around one’s home and person has little relevance to a cloud of data points broadcasting a picture of each person and how that person interacts.

The FTC has taken small steps to explore these issues and regulate obvious abuses, but legislators need to do much more. Absent legislation, current NSA practices will vacuum this data into its Orwellian data trove.

The Industrial Internet promises to translate the Internet of Things into very practical, valuable industrial improvements. Safer planes, smarter cars, more efficient homes all improve people’s lives. Proper regulation will encourage those uses while protecting civil liberties, privacy, and overreach. Perhaps we can craft the policies to avoid the outrage rather than in response to it.