Legal Investigation in Social Media: How to Do It; How Not to Do It
Benjamin Wright, Attorney
SANS Institute: “Law of Data Security & Investigations”
This is not legal advice.
Agenda
• How to record evidence
• Admissibility and authentication of evidence
• Risks in collecting evidence
• Methods for managing risks
• The power of a “preservation letter”
• General principles for guiding social media investigations
Examples
• Regulatory investigators gather evidence via social media
• “Welfare cheat foiled by Facebook” http://bit.ly/JQSMrQ
• Based on Facebook videos, Hawaiian Humane Society issues citations; prosecutor to press charges http://bit.ly/IsfgxZ
Many Social Networks
• Facebook, Twitter and LinkedIn are just a part of the topic
• Many new social networks, like Google Plus, Quora, Instagram, Groupon, Pinterest, Touristlink
• Thousands of blogs and special interest forums
Different from Traditional Digital Forensics Investigations
• Traditional: investigator has access to hardware that holds data
• In web, cloud or social media investigation, investigator typically does not have direct access to hardware on which original data are stored
• The data can change from minute to minute
• Format of service changes from month to month
• Service provider may or may not cooperate
Rely on Witness Testimony
• Ultimately, court looks to someone to testify about what happened & how it looked at a point in time
• Two witnesses are better than one
• Printout – most common form of social media investigative record
• But printouts can be awkward and can miss a lot
Screencast
• Captures the look, the words, the images, the interactivity and inter-relationships from one page and link to the next
• Captures webcam narration by witness – which can be compelling to judge and jury
• Free, open-source tool: screencast-o-matic.com
• Other products like Camtasia
Many Posts and Demos of Screencast Evidence Capture
• http://bit.ly/e825MF - live chat
• http://bit.ly/ePV9E0 - web activity
• http://bit.ly/w3swEC - online financial trades
• http://bit.ly/nsZ6ZG - undercover police in social media
• I welcome your comments, questions and criticism!
Screencast Script
• Create a unified package of evidence, integrating pages, links and testimony
• Investigator – as eyewitness -- recorded by audio or webcam
• Script of the investigator:
– His identity, purpose & authority
– Time and date
– His statement of signature, taking responsibility for what he sees
The Power of an Affidavit: Paper, Audio, Video or Other File
• “I, Jane Doe, hereby affirm that I collected the following evidence in the way described.” Sign, date, notarize
• Prevents Jane Doe’s memory from wandering
• Jane Doe may not work for, or cooperate with, you two years from now
• Webcam signature is pretty convincing http://bit.ly/a0X9kZ
Corroborate Date and Time
• State date and time in record/affidavit; then
• Send record by enterprise email to multiple people (timestamp), or
• Store the record on enterprise SharePoint, which shows audit trail with time, or
• Upload record to a third party service like Microsoft SkyDrive, which records date
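One way to bind the stated date, time and witness statement to the captured file before it is emailed or uploaded, as an added example that is not part of the original slides. The SHA-256 digest, the field names and the sample values (file contents, investigator, purpose, authority) are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so a large screencast need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_capture_record(path, investigator, purpose, authority, when=None):
    """Collect the script elements plus a digest that ties them to one file."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("capture time must carry a timezone")
    return {
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "captured_utc": when.astimezone(timezone.utc).isoformat(),
        "investigator": investigator, "purpose": purpose, "authority": authority,
        "statement": f"I, {investigator}, affirm that I collected this "
                     "evidence in the way described.",
    }

def verify_capture_record(path, record):
    """True only if the file still matches the digest stored in the record."""
    return sha256_file(path) == record["sha256"]

def demo():
    """Constructed sample: a stand-in file and made-up investigator details."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "capture.mp4")
        with open(path, "wb") as fh:
            fh.write(b"constructed bytes standing in for a screencast")
        record = build_capture_record(
            path, "Jane Doe", "HR investigation", "Assigned by counsel",
            when=datetime(2012, 5, 1, 14, 30, tzinfo=timezone.utc))
        intact = verify_capture_record(path, record)
        with open(path, "ab") as fh:
            fh.write(b"!")  # simulate a later alteration of the file
        return record, intact, verify_capture_record(path, record)

if __name__ == "__main__":
    print(demo())
```

The record, not the file alone, is what gets emailed or uploaded for the independent timestamp; anyone holding that copy can later recompute the digest against the file produced in the proceeding.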
Undercover Cops Example
• Two witnesses
• Record voice but no video
• Mercer County prosecutor’s office, New Jersey – gang investigation
• http://bit.ly/Ai3nQB
Investigative/Recording Tools
• Vere Software
• X1 Discovery
• Hashbot
• Iterasi web archiving service
• Others
• Each works differently
• Regardless, an affidavit from a witness is helpful.
Consider Terms of Service
• Platform application developers and operators http://www.facebook.com/legal/terms
• Post privacy policy
• "You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide a mechanism for users to make such a request. ... You will make it easy for users to remove or disconnect from your application."
General Facebook Terms
• http://www.facebook.com/legal/terms
• “If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.”
Interpretation
• Does this mean no one can, without consent, copy something from Facebook for purposes of an investigation?
• I think not.
• Making limited copies is generally accepted practice.
• But the principle of “proportionality” is relevant.
“Proportionality”
• The scale of data collection matters
• A broad, general principle from privacy and e-discovery law is that the collecting and management of data should be “proportionate” to the case (considering risks, costs, urgency and so on)
• See blog articles http://bit.ly/ga7U7w and http://bit.ly/937Swa
Admission of Evidence
• Social media evidence is very commonly admitted into legal proceedings
• Varying degrees of formality in proceedings
• However, some criminal cases show skeptical courts
• Criminal cases have higher standard of proof
Authenticate Myspace
• Griffin v. Maryland, No. 74 (Maryland; Apr. 28, 2011) - In murder trial, questions arise why a witness gives conflicting testimony. Prosecution tries to show defendant’s girlfriend threatened witness through Myspace. Court: Myspace evidence insufficiently authenticated. An imposter could have posted the message.
Addressing the Authentication Issue: Law Enforcement Search Warrants
• Can collect details from the service provider like IP address, time, application, mobile carrier and more
• These details can help with authentication
• Zachary Wolff, “Twitter: To log or not to log: Is that the question?” http://blog.logrhythm.com/uncategorized/631/
Alternative Ways to Authenticate Evidence
• Interact with the user (if permitted)
• Gather corroborating detail about user statements, activities and timeline
• Corroborating details can be collected from multiple sources (Facebook, Twitter, special interest forums, games, phone, witnesses and so on)
Risks: Ethical Limitations
• New York State Bar Ethics Opinion 843 (9/10/2010); NY City Bar Formal Opinion 2010-2; San Diego County Bar Opinion 2011-2
• Lawyers may view public postings of adversaries
• May not friend an adversary represented by a lawyer
• May not use deception to friend someone
No Trespassing Sign?
• Pietrylo v. Hillstone Restaurant Group
• Private Myspace forum: “talk about all the crap/drama/and gossip occurring in our workplace, without having to worry about outside eyes prying in.”
• Management got password; fired employees
• Jury: company must pay back wages and punitive damages
Lessons from the Hillstone Case
• Exercise restraint and discretion
• Watch out for and evaluate claims of privacy
• Careful with passwords that don’t belong to you
Managing Risk: Restraint and Proportionality
• Canada Privacy Commissioner (PIPEDA Case Summary #2009-019): employer may investigate if employee had violated employment contract
• Principle: have a logical, evidence-based justification for getting sensitive information
• Predicate evidence justifies getting more evidence, but only what is necessary
• This principle is consistent with discovery principles in civil litigation
Managing Risk: Interview the Subject First?
• A formal HR interview or deposition puts pressure on subject to tell the truth
• Yes, subject could delete data, but
– Deletion of data itself is evidence of wrongdoing that could hang the subject
– Deleting data is harder than it looks because copies are spread everywhere
Power of a Preservation Letter
• Letter puts adversary on notice not to destroy records
• Focuses the adversary’s attention on electronic evidence and all the steps that might be necessary to preserve it
• http://bit.ly/A5XrGH
Legal Steps to Access Non-Public Data
• Consent of the user
• E-discovery demand to user
• Informal request to social network
• Subpoena to social network
• Search warrant for law enforcement
• Find the data in an alternative, public location
Informal Request
• Very commonly service providers – especially smaller ones – will cooperate with requests from government
• Fugitive plays World of Warcraft
• Howard County, Indiana, Sheriff sends polite letter to operator of game
• Service provider reveals IP address, which leads to fugitive in Canada http://bit.ly/xzpMwh
Civil Subpoenas for Content
• Big service providers tend to resist
• Smaller service providers may be more cooperative
• Crispin v. Christian Audigier, Inc.
– Civil subpoena to FB and Myspace quashed
– Content protected under Stored Communications Act
– May be difference between private messages and wall postings
Alternative Locations for Evidence
• Notices and copies to email or phone SMS (text)
• Replication at other sites (my Facebook and LinkedIn repeat my tweets)
• Sharing by friends
• Cache on computer
General Principles for Investigators
• Keep thorough, signed, time-stamped records
• Record your justification
• Keep the methods and evidence capture proportionate and within the scope of the justification
• User consent (employment application or terms of employment) reduces risk
• Be creative to find the data