Webinar: Gathering Social Media Evidence


Benjamin Wright, Texas attorney and Senior Instructor at the SANS Institute, shares tips for gathering social media evidence in an investigation. Check out the webinar recording: http://i-sight.com/gathering-social-media-evidence/

Published in: Business

  1. 1. Gathering Legal Social Media Evidence
      • Speaker: Benjamin Wright, Attorney
      • SANS Institute: “Law of Data Security & Investigations”
      • (This is not legal advice)
  2. 2. Introduction
      • Benjamin Wright
          • Benjamin Wright is the author of several technology law books, including Business Law and Computer Security, published by the SANS Institute. With 27 years in private law practice, he has advised many organizations, large and small, private sector and public sector, on privacy, computer security, e-mail discovery and records management and been quoted in publications around the globe, from the Wall Street Journal to the Sydney Morning Herald. He teaches the law of data security and investigations at the SANS Institute, premier educator for IT professionals. Wright maintains a matrix of popular blogs accessible at benjaminwright.us. Wright graduated from Georgetown University Law Center in 1984. Russian banking authorities recently tapped him for advice on the law of electronic payments and investigations.
      • Joe Gerard
          • Joe Gerard is the VP of Sales & Marketing at i-Sight, a leading provider of web-based case management software for corporate investigations. He’s worked with companies like Dell, Coke, Allstate, BP and more than 100 others to implement improved investigative processes that leverage best practices and case management.
  3. 3. Agenda
      • How to record evidence
      • Admissibility and authentication of evidence
      • Risks in collecting evidence
      • Methods for managing risks
      • General principles for guiding social media investigations
  4. 4. Very New Topic
      • We will think differently about this topic a year from now
      • No investigator knows everything about social networks
      • All the networks are changing every day
      • Many new apps, links, techniques, roadblocks discovered every day
  5. 5. Many Social Networks
      • Facebook, Twitter and LinkedIn are just a part of the topic
      • Many new social networks, like Google Plus, Quora, Instagram, Groupon, Pinterest, Touristlink
      • Thousands of blogs and special interest forums
  6. 6. Many Kinds of Investigations
      • HR
      • Civil lawsuit (IP, divorce, personal injury)
      • Criminal investigation
      • Tax audit
      • Regulatory investigation
      • School investigation
  7. 7. Different from Traditional Digital Forensics Investigations
      • Traditional: investigator has access to hardware that holds data
      • In web, cloud or social media investigation, investigator typically does not have direct access to hardware on which original data are stored
      • The data can change from minute to minute
      • Format of service changes from month to month
      • Service provider may or may not cooperate
  8. 8. Rely on Witness Testimony
      • Ultimately, court looks to someone to testify about what happened & how it looked at a point in time
      • Two witnesses are better than one
      • Printout – most common form of social media investigative record
      • But printouts can be awkward and can miss a lot
  9. 9. Screencast
      • Captures the look, the words, the images, the interactivity and inter-relationships from one page and link to the next
      • Captures webcam narration by witness – which can be compelling to judge and jury
      • Free, open-source tool: screencast-o-matic.com
      • Other products like Camtasia
  10. 11. Many Posts and Demos of Screencast Evidence Capture
      • http://bit.ly/e825MF - live chat
      • http://bit.ly/ePV9E0 - web activity
      • http://bit.ly/w3swEC - online financial trades
      • http://bit.ly/nsZ6ZG - undercover police in social media
      • I welcome your comments, questions and criticism!
  11. 12. Screencast Script
      • Create a unified package of evidence, integrating pages, links and testimony
      • Investigator, as eyewitness, recorded by audio or webcam
      • Script of the investigator:
          • His identity, purpose & authority
          • Time and date
          • His statement of signature, taking responsibility for what he sees
  12. 13. The Power of an Affidavit: Paper, Audio, Video or Other File
      • “I, Jane Doe, hereby affirm that I collected the following evidence in the way described.” Sign, date, notarize
      • Prevents Jane Doe’s memory from wandering
      • Jane Doe may not work for, or cooperate with, you two years from now
      • Webcam signature is pretty convincing: http://bit.ly/a0X9kZ
  13. 14. Corroborate Date and Time
      • State date and time in record/affidavit; then
      • Send record by enterprise email to multiple people (timestamp), or
      • Store the record on enterprise SharePoint, which shows audit trail with time, or
      • Upload record to a third-party service like Microsoft SkyDrive, which records date
  14. 15. Investigative/Recording Tools
      • Vere Software
      • X1 Discovery
      • Hashbot
      • Iterasi web archiving service
      • Others
      • Each works differently
      • Regardless, an affidavit from a witness is helpful.
  15. 16. Consider Terms of Service
      • Platform application developers and operators: http://www.facebook.com/legal/terms
      • Post privacy policy
      • "You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide a mechanism for users to make such a request. ... You will make it easy for users to remove or disconnect from your application."
  16. 17. General Facebook Terms
      • http://www.facebook.com/legal/terms
      • “If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.”
  17. 18. Interpretation
      • Does this mean no one can, without consent, copy something from Facebook for purposes of an investigation?
      • I think not.
      • Making limited copies is generally accepted practice.
      • But the principle of “proportionality” is relevant.
  18. 19. “Proportionality”
      • The scale of data collection matters
      • A broad, general principle from privacy and e-discovery law is that the collecting and management of data should be “proportionate” to the case (considering risks, costs, urgency and so on)
      • See blog articles http://bit.ly/ga7U7w and http://bit.ly/937Swa
  19. 20. Admission of Evidence
      • Social media evidence is very commonly admitted into legal proceedings
      • However, some criminal cases show skeptical courts
      • Criminal cases have higher standard of proof
  20. 21. Authenticate Facebook
      • State v. Eleck, AC 31581 (Conn. Ct. App. Aug 9, 2011) - Witness says she did not talk to defendant after an assault. But defendant shows Facebook messages appear from witness to defendant after assault. Witness suggests someone could have hacked her account. Court: Facebook messages inadequately authenticated.
  21. 22. Authenticate Myspace
      • Griffin v. Maryland, No. 74 (Maryland; Apr. 28, 2011) - In murder trial, questions arise why a witness gives conflicting testimony. Prosecution tries to show defendant’s girlfriend threatened witness through Myspace. Court: Myspace evidence insufficiently authenticated. An imposter could have posted the message.
  22. 23. Addressing the Authentication Issue: Law Enforcement Search Warrants
      • Can collect details from the service provider like IP address, time, application, mobile carrier and more
      • These details can help with authentication
      • Zachary Wolff, “Twitter: To log or not to log: Is that the question?” http://blog.logrhythm.com/uncategorized/631/
  23. 24. Alternative Ways to Authenticate Evidence
      • Interact with the user (if permitted)
      • Gather corroborating detail about user statements, activities and timeline
      • Corroborating details can be collected from multiple sources (Facebook, Twitter, special interest forums, games, phone, witnesses and so on)
  24. 25. Require User to Turn Over ID/Password?
      • New/controversial development in civil lawsuits
      • Predicated on evidence showing something relevant is probably in private part of page
      • Zimmerman v. Weis Markets Inc.
          • employee claimed great injury
          • public portions of his Myspace/Facebook sites contradicted some claims
          • surmised that non-public portions of his social sites would reveal more relevant information
  25. 26. Risks: Ethical Limitations
      • New York State Bar Ethics Opinion 843 (9/10/2010); NY City Bar Formal Opinion 2010-2; San Diego County Bar Opinion 2011-2
      • Lawyers may view public postings of adversaries
      • May not friend an adversary represented by a lawyer
      • May not use deception to friend someone
  26. 27. Illegality and Impersonation
      • California Penal Code 528.5: “any person who knowingly and without consent credibly impersonates another actual person through or on an Internet Web site or by other electronic means for purposes of harming, intimidating, threatening, or defrauding another person is guilty of a public offense.”
      • Connecticut rules of evidence Sec. 52-184a: “No evidence obtained illegally by the use of any electronic device is admissible in any court of this state.”
  27. 28. No Trespassing Sign?
      • Pietrylo v. Hillstone Restaurant Group
      • Private Myspace forum: “talk about all the crap/drama/and gossip occurring in our workplace, without having to worry about outside eyes prying in.”
      • Management got password; fired employees
      • Jury: company must pay back wages and punitive damages
  28. 29. Lessons from the Hillstone Case
      • Exercise restraint and discretion
      • Watch out for and evaluate claims of privacy
      • Careful with passwords that don’t belong to you
  29. 30. Risks and Surprises
      • Jurisdiction is murky; the laws of many places could apply all at once.
      • Could some of the data you collect be subject to European data protection laws?
      • In Texas, an independent contractor collecting data about someone’s identity, habits or legal liability needs a private investigator’s license. Texas Occupations Code Chapter 1702
  30. 31. More Risks and Surprises
      • Brands like Coca-Cola put copyright notices on their Facebook fan pages
      • Do you need to safeguard data you collect?
          • European privacy law
          • Connecticut Public Act No. 08-167 requires you to safeguard data when you have someone’s non-public “identifier” like an account number
  31. 32. Managing Risk: Restraint and Proportionality
      • Canada Privacy Commissioner (PIPEDA Case Summary #2009-019): employer may investigate if employee had violated employment contract
      • Principle: have a logical, evidence-based justification for getting sensitive information
      • Predicate evidence justifies getting more evidence, but only what is necessary
      • This principle is consistent with discovery principles in civil litigation
  32. 33. Managing Risk: Interview the Subject First?
      • A formal HR interview or deposition puts pressure on subject to tell the truth
      • Yes, subject could delete data, but
          • Deletion of data itself is evidence of wrongdoing
          • Deleting data is harder than it looks because copies are spread everywhere
  33. 34. Data Destruction Risk
      • Lawsuit for wrongful death of wife
      • Husband’s Facebook page shows him partying and wearing “I Love Hot Moms” shirt
      • Attorney tells husband to clean up page and delete photos
      • Court fines attorney and husband for illegal destruction of evidence!
      • Lester v. Allied Concrete Co.
  34. 35. Legal Steps to Access Non-Public Data
      • Consent of the user
      • E-discovery demand to user
      • Informal request to social network
      • Subpoena to social network
      • Search warrant for law enforcement
      • Find the data in an alternative, public location
  35. 36. Informal Request
      • Very commonly service providers – especially smaller ones – will cooperate with requests from government
      • Fugitive plays World of Warcraft
      • Howard County, Indiana, Sheriff sends polite letter to operator of game
      • Service provider reveals IP address, which leads to fugitive in Canada: http://bit.ly/xzpMwh
  36. 37. Civil Subpoenas for Content
      • Big service providers tend to resist
      • Smaller service providers may be more cooperative
      • Crispin v. Christian Audigier, Inc.
          • Civil subpoena to FB and Myspace quashed
          • Content protected under Stored Communications Act
          • May be difference between private messages and wall postings
  37. 38. Alternative Locations for Evidence
      • Notices and copies to email or phone SMS (text)
      • Replication at other sites (my Facebook and LinkedIn repeat my tweets)
      • Sharing by friends
      • Cache on computer
  38. 39. General Principles for Investigators
      • Keep thorough, signed records
      • Record your justification
      • Keep the methods and evidence capture proportionate and within the scope of the justification
      • Getting user consent (employment application or terms of employment) reduces risk
      • Be creative to find the data
  39. 40. Disclaimer
      • Blog: benjaminwright.us
      • Google Plus: gplus.to/privacy
      • This presentation is not legal advice for any particular situation. If you need legal advice, you should consult the lawyer who advises you or your organization. Use this material at your own risk. Anyone may reuse or reproduce it.
  40. 41. Thank You!
      • If you have any questions, please submit them now.
      • Thank you for taking the time to attend today’s webinar.
      • If you have any questions about the information covered in the webinar, please contact: