25 January 2014

Evidence: True or False On Privacy Apps...

What is a Chief Legal Counsel to do these days about new messenger focused Apps such as Wickr, Silent Circle, or now even Confide?  Operational Risk Management (ORM) is a constant chess match.

The ranks of the deal makers and the Executive Suite who are more concerned about so called eDiscovery and evidence coming back to haunt them, are using these new found "Privacy Apps."  Buyer beware and the CxO's should be on the look out for this new "Operational Risk" trend within the enterprise.

Regardless of whether employees are potentially circumventing corporate communication networks, or using their own personal devices, these new apps are indeed collecting potential discoverable data:
Confide, Inc. (“Confide”) is pleased to offer you the ability to send and receive encrypted messages (“Messages”) that will self-destruct after a pre-set period of time (the “Service”). We make the Service available to you through a variety of Internet-enabled devices, including smart phones and tablets (collectively, “Devices”). Portions of the Service may also be available to you through our website at getconfide.com (the “Website”).

We provide our Service to you subject to the following Terms of Use, which may be updated by us from time to time without notice to you. By accessing and using the Website or the Service, you acknowledge that you have read, understood, and agree to be legally bound by the terms and conditions of these Terms of Use and the terms and conditions of our Privacy Policy, which is hereby incorporated by reference (collectively, this “Agreement”). If you do not agree to any of these terms, then please do not access or use the Website or the Service.
And this little item in the "Privacy Policy" caught our eye:
5. Geolocational Information
Certain features and functionalities of the Service may be based on your location. In order to provide these features and functionalities, we may – with your consent – collect geolocational information from your mobile Device or wireless carrier and/or certain third-party service providers. Such information is collectively called the “Geolocational Information.” Collection of such Geolocational Information occurs only when the Service is running on your mobile Device.
So since the message is not stored on the corporate server, and it disappears from the App after it is read on the device, does that mean digital forensics on the device are useless?  The answer is, "That depends."

It depends on what you are trying to collect.  It will depend on many aspects of the Operating System (iOS/Android) and whether there is a "forensic wipe" capability for use on the device.  There are dozens of dependencies here. However, is that really the issue at hand?

Off the record communications take place on a daily basis, from "Party A" to "Party B".  Typically this is done verbally.  Now there are a myriad of new phone Apps, that are trying to mimic this same practice using encryption and self-destruct modes.  These provide secure and private communications from digital device-to-device.  What this really is about, is called evidence.
Evidence
Law. data presented to a court or jury in proof of the facts in issue and which may include the testimony of witnesses, records, documents, or objects.
It may be time for the CxO to educate the enterprise about the use of these new Apps as it pertains to corporate "Off-The-Record" conversations.  The formal or informal method for doing so should include:

1.  A review of the risk of using untested, unauthorized apps for corporate communications.

2.  A dialogue on what is evidence.

3.  A set of "Use Cases" that will illustrate to the potential end users why these apps do not circumvent eDiscovery.

Some may argue that when a subpoena is presented, that there is nothing to hand over.  Are you sure about that?
The cautionary tale that many reference is the case of Hushmail, an encrypted mail service that used to claim that "not even a Hushmail employee with access to our servers can read your encrypted email, since each message is uniquely encoded before it leaves your computer" — words that echo Wickr's own proclamations. Sell tells Mashable that Wickr's "architecture eliminates backdoors; if someone was to come to us with a subpoena, we have nothing to give them." 
As it turned out, Hushmail wasn't so impenetrable. In 2007 it was revealed that, actually, Hushmail could eavesdrop on its users communications when presented with a court order.