25 January 2014

Evidence: True or False On Privacy Apps...

What is a Chief Legal Counsel to do these days about new messenger focused Apps such as Wickr, Silent Circle, or now even Confide?  Operational Risk Management (ORM) is a constant chess match.

The ranks of the deal makers and the Executive Suite who are more concerned about so called eDiscovery and evidence coming back to haunt them, are using these new found "Privacy Apps."  Buyer beware and the CxO's should be on the look out for this new "Operational Risk" trend within the enterprise.

Regardless of whether employees are potentially circumventing corporate communication networks, or using their own personal devices, these new apps are indeed collecting potential discoverable data:
Confide, Inc. (“Confide”) is pleased to offer you the ability to send and receive encrypted messages (“Messages”) that will self-destruct after a pre-set period of time (the “Service”). We make the Service available to you through a variety of Internet-enabled devices, including smart phones and tablets (collectively, “Devices”). Portions of the Service may also be available to you through our website at getconfide.com (the “Website”).

We provide our Service to you subject to the following Terms of Use, which may be updated by us from time to time without notice to you. By accessing and using the Website or the Service, you acknowledge that you have read, understood, and agree to be legally bound by the terms and conditions of these Terms of Use and the terms and conditions of our Privacy Policy, which is hereby incorporated by reference (collectively, this “Agreement”). If you do not agree to any of these terms, then please do not access or use the Website or the Service.
And this little item in the "Privacy Policy" caught our eye:
5. Geolocational Information
Certain features and functionalities of the Service may be based on your location. In order to provide these features and functionalities, we may – with your consent – collect geolocational information from your mobile Device or wireless carrier and/or certain third-party service providers. Such information is collectively called the “Geolocational Information.” Collection of such Geolocational Information occurs only when the Service is running on your mobile Device.
So since the message is not stored on the corporate server, and it disappears from the App after it is read on the device, does that mean digital forensics on the device are useless?  The answer is, "That depends."

It depends on what you are trying to collect.  It will depend on many aspects of the Operating System (iOS/Android) and whether there is a "forensic wipe" capability for use on the device.  There are dozens of dependencies here. However, is that really the issue at hand?

Off the record communications take place on a daily basis, from "Party A" to "Party B".  Typically this is done verbally.  Now there are a myriad of new phone Apps, that are trying to mimic this same practice using encryption and self-destruct modes.  These provide secure and private communications from digital device-to-device.  What this really is about, is called evidence.
Law. data presented to a court or jury in proof of the facts in issue and which may include the testimony of witnesses, records, documents, or objects.
It may be time for the CxO to educate the enterprise about the use of these new Apps as it pertains to corporate "Off-The-Record" conversations.  The formal or informal method for doing so should include:

1.  A review of the risk of using untested, unauthorized apps for corporate communications.

2.  A dialogue on what is evidence.

3.  A set of "Use Cases" that will illustrate to the potential end users why these apps do not circumvent eDiscovery.

Some may argue that when a subpoena is presented, that there is nothing to hand over.  Are you sure about that?
The cautionary tale that many reference is the case of Hushmail, an encrypted mail service that used to claim that "not even a Hushmail employee with access to our servers can read your encrypted email, since each message is uniquely encoded before it leaves your computer" — words that echo Wickr's own proclamations. Sell tells Mashable that Wickr's "architecture eliminates backdoors; if someone was to come to us with a subpoena, we have nothing to give them." 
As it turned out, Hushmail wasn't so impenetrable. In 2007 it was revealed that, actually, Hushmail could eavesdrop on its users communications when presented with a court order.

04 January 2014

Black Swan: Strategy Execution for the "Outlier"...

The Black Swan is a surprise event and the idea that a catastrophe can strike without warning. What does your organization plan for? The low consequence high frequency incident or the high consequence low frequency incident? The ratio can tell you what your "Resilience" factor is to Operational Risk loss events. Key Performance Indicators (KPI's) can give you some forward looking view into the risk portfolio yet what about the resilience to the Black Swan?
A black swan is a highly improbable event with three principal characteristics: It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was. The astonishing success of Google was a black swan; so was 9/11. For Nassim Nicholas Taleb, black swans underlie almost everything about our world, from the rise of religions to events in our own personal lives.

Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to learn specifics when they should be focused on generalities. We concentrate on things we already know and time and time again fail to take into consideration what we don’t know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate, and categorize, and not open enough to rewarding those who can imagine the “impossible.”
Your organization is no doubt spending time on the Operational Risk Management (ORM) events that consistently are in the high frequency "In Your Face" category. In a highly regulated industry sector such as finance, health care or energy the oversight mechanisms require a continuous analysis of risk based upon the criticality of these sectors to the overall resilience of the economy. Yet it is the "Outlier" incident that comes at the most unexpected time that is the real threat and the incident catalyst, that could be your "Black Swan". You never know when it is going to be coming, so you must plan, prepare and imagine that someday it will happen.

Enabling Global Operational Risk Management (ORM) requires thinking beyond models and outside the box analysis of the "Resilience Factor," should an outlier impact the organization, the state or the country. The resources, personnel and systems focused on these areas of risk are small today. But not for long. Just ask those people who had been working 24/7 since the "Fukushima" or "Lehman Brothers" crisis. Or more importantly, the plaintiff lawyers preparing their briefs for the inevitable aftermath of litigation over, who knew what, when.

One prediction into the future could be that litigation will follow all "Black Swan" incidents. If you are in a highly vulnerable industry sector because it's part of the critical infrastructure of the global grid, then you already know you are in the middle of the target zone. What is amazing to many in the after-action reporting is how much we continue to under estimate the magnitude of a lack of planning and resources devoted to these low frequency high consequence events.  Enter Target Corporation:
Is Target to Blame for Its Data Breach? Let the Lawsuits Begin 
By Joshua Brustein December 26, 2013 
The lawsuits started almost immediately after Target’s (TGT) admission that hackers had stolen information related to the credit-card accounts of 40 million shoppers. At least 11 customers are now pursuing class-action suits against the retailer, claiming it was negligent in protecting their data. 
Losing control of sensitive customer data is a fact of life for American companies. They’re collecting more of it, and they are often outgunned by hackers, who are highly motivated to get at it. It’s not even clear how much legal responsibility they have to protect it. “There is limited judicial guidance on what constitutes negligence in the cybersecurity area,” says Craig Newman, a partner at Richard Kibbe & Orbe who follows legal issues related to security.