eDiscovery101

The Intersection of eDiscovery, Technology and Common Sense

EPIC Asks FTC to Investigate Facebook’s “Timeline”


Last year I wrote two blogs titled “Spoliation of the Facebook Timeline” and “Frictionless eDiscovery; social media addicts beware…”, which discussed the potential privacy problems with the new Facebook Timeline feature. Yesterday the blog site The ESI Ninja Blog posted a blog about further developments around privacy and the Timeline feature. The content below is from that blog:

EPIC Asks FTC to Investigate Facebook’s “Timeline”

Posted on January 10, 2012 at 6:44 pm by John M. Horan

When Mark Zuckerberg unveiled Facebook’s new Timeline feature at the company’s Sept. 22, 2011 f8 developer conference, he described it as “The story of your life . . . .  All the stuff from your life.”  According to a Sept. 22, 2011 Facebook Blog post,

The way your profile works today, 99% of the stories you share vanish. The only way to find the posts that matter is to click “Older Posts” at the bottom of the page. Again. And again.

. . .

With timeline [sic], now you have a home for all the great stories you’ve already shared. They don’t just vanish as you add new stuff.

The Timeline announcement came toward the end of an investigation by the Federal Trade Commission into Facebook’s privacy practices, culminating in the Commission’s Nov. 29, 2011 announcement that Facebook had agreed to settle FTC charges “that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”  In general outline, the FTC said, the proposed settlement

bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

Three days before the Dec. 30, 2011 close of the 30-day comment period on the proposed settlement, privacy rights organization Electronic Privacy Information Center (EPIC) urged the FTC to investigate whether Facebook’s new Timeline feature complies with the terms of the proposed settlement.  Echoing some of the concerns it raised in a Sept. 29, 2011 letter to the FTC regarding “frictionless sharing,” EPIC’s Dec. 27, 2011 letter to the FTC asked the Commission to: <the rest of the blog entry can be viewed here>

Written by Bill Tolson

January 11, 2012 at 7:41 am

Can you wipe your twitter ramblings, and should you?


In December of 2011, the Library of Congress and Twitter signed an agreement that will eventually make available every public Tweet ever sent as an archive to the Library of Congress.


While writing a blog post last week, I began to wonder how long all my Twitter postings would be available and who could look at them. For the fun of it, I went back through approximately 6 months of my old Twitter postings, re-tweets and replies (yes, you can do it, it’s relatively easy and you can look at anyone’s).

I’ve been pretty good about keeping my Twitter posts “business-like” and have steered away from personal stuff like “I just checked in to the Ramada Inn on route 11…can’t wait for the evening to begin!”, or “does anyone know how to setup an off-shore bank account?” or “those jerks over at Company ABC are a bunch of losers”. But many tweeters aren’t so disciplined and have posted stuff that could come back to haunt them later. I could imagine a prospective employer reviewing a candidate’s Twitter history or, even worse, an attorney conducting research for a case using the public Twitter archives to create a timeline.

With that in mind, could you delete your twitter postings and should you? Twitter does allow you to delete specific tweets one at a time but as far as I can determine, Twitter does not give you the ability to delete your entire twitter history short of deactivating your account. From the Twitter website:

How To Delete a Tweet

If you’ve posted something that you’d rather take back, you can remove it easily. When you hover over your Tweet while viewing your home or profile page, you’ll see a few options appear below the message.

To delete one of your Twitter updates:

  1. Log in to Twitter.com
  2. Visit your Profile page
  3. Locate the Tweet you want to delete
  4. Hover your mouse over the message (as shown below), and click the “Delete” option that appears

Voila! Gone forever… almost. Deleted updates sometimes hang out in Twitter search. They will clear with time.

We do not provide a way to bulk delete Tweets. If you’re looking to get a “fresh start” on your Twitter account without losing your username, the best way to do this is to create a temporary account with a temporary username, and then switch the username between your current account and the temporary account. Please see our article on How to Change Your Username for more info. 

On December 30, 2011, CNET published a story titled “How to delete all your tweets” which highlighted a product called TwitWipe. TwitWipe is a free tool that allows you to delete ALL your past tweets in one fell swoop. This may be handy because you can clean out your twitter account and start fresh without changing your username and dumping all your hard won followers.

This is an interesting capability, but I think the more important question is why you would take such a drastic step. The four most obvious reasons one would want to delete all their Twitter postings and start fresh would be:

  1. You went through an unfortunate period in your life that you would rather forget
  2. You were regularly conducting criminal activities through your Twitter account
  3. You are considering a run for the presidency
  4. For whatever reason, you don’t want your Twitter postings archived and available at the Library of Congress

The ability to delete ESI can be dangerous if done at the wrong time, especially if civil litigation is anticipated. Deleting a single tweet or every tweet you have ever posted can be construed as destruction of evidence if those tweets could have been relevant in litigation. ESI, no matter its format or where it’s stored, is potentially evidence and should at least be considered when preserving ESI under a litigation hold. Attorneys on both sides need to include social media content like Twitter postings in their eDiscovery plans and be sure to warn all custodians about deleting or editing social media content once litigation is anticipated.

Written by Bill Tolson

January 2, 2012 at 11:23 am

Who owns an employee’s social media account?


The New York Times published a story on December 25th of this year  titled: “A Dispute Over Who Owns a Twitter Account Goes to Court” raising questions around the ownership of a Twitter account that was opened by an individual who included the name of the company he was working for in his account name and posted to the Twitter account during business hours. The NYTimes story posed the question: Can a company cash in on and claim ownership of an employee’s social media account, and if so, what does that mean for workers who are increasingly posting to Twitter, Facebook and Google Plus during work hours?

The story revolves around a lawsuit filed in July of 2011 by the company Phonedog.com. The defendant, Mr. Kravitz, a writer, began posting to his Twitter account under the name “Phonedog_Noah” and over time collected 17,000 followers. In October 2010, Mr. Kravitz quit his job at Phonedog.com, with the company telling him that he could keep his Twitter account in exchange for tweeting on their behalf occasionally, and Mr. Kravitz agreed.

Mr. Kravitz changed the name of the account to “NoahKravitz” keeping all the followers to the original account and began posting.

The question the New York Times posed is an interesting one but I think another question that should be asked is; what should an employee do to ensure there is no legal claim by their employer to “their” social media presence?

First, the employee should inquire within their employer as to any social media policies that exist. Most of the employer social media policies I have seen go to great pains describing what employees can and can’t post about the company and its business to social media sites. Corporate content such as upcoming product releases, sales data, and company rumors are the most popular types of restricted content highlighted. Based on this case, additional policy elements should include not including the organization’s name in the employee’s social media handle as well as not accessing or interacting with the employee’s social media accounts during work hours and from infrastructure owned by the organization.

If the organization doesn’t have a published social media use policy, then the employee should follow common sense and:

  1. Not post about their employer’s business, especially confidential content
  2. Not post organization or staff rumors
  3. Never include the organization’s name in the social media handle (remember, corporate brands are valuable and most companies will aggressively defend them)
  4. Never access social media accounts while on “company time” and from company infrastructure

As in the case mentioned above, if the organization asks its employees to post comments about the organization, employees should first get the request in writing, acknowledging that the organization will not claim ownership of the employee’s social media account if the employee does what is requested, and describing the types of comments the organization would like the employee to post. The employee will then have to decide if they want to use their social media account for organization business.

The same holds true for creating a social media account which includes the organization’s name, as in the case mentioned above: Phonedog_Noah. In many cases, creating a social media account with the employer’s name may be considered part of the employment agreement, and the account could be considered an organization’s asset. The employee should always ask if that is the case, and if the employer doesn’t claim ownership at the start, the employee should get a statement in writing stating the employer has no claims on the social media account.

A social media presence has become an integral part of organization marketing and all parties involved need to understand up front what the expectations are and who owns the asset.

Written by Bill Tolson

December 28, 2011 at 11:27 am

Discovery of Information on Personal Facebook Profile


From the E-Discovery Law Review Blog:

A Pennsylvania court recently decided that information posted by a party on their personal Facebook page is discoverable.  Largent v. Reed, Case No. 2009-1823 (C.P. Franklin Nov. 8, 2011) arose out of a chain-reaction automobile accident in which the plaintiffs, who were riding a motorcycle, were hit by a minivan that was hit by the defendant. Plaintiffs claimed serious and permanent physical and mental injuries, pain, and suffering as a result of the accident.

During the deposition of one of the plaintiffs, defense counsel discovered that the  plaintiff/deponent had a Facebook profile that she regularly accessed.  The defendant then accessed Plaintiff’s public profile and saw posts that contradicted her claims of serious injury.

The entire story can be read here:

Written by Bill Tolson

December 6, 2011 at 8:10 am

Huge French Company Cuts off Nose to Spite Face


Susanna Kim of ABC published an article on November 29th describing how a French company has decided to implement a “Zero Email” policy, a policy banning employees from sending internal emails.

Thierry Breton, the CEO of Atos (a French information technology company!), has said that only 10 percent of the average 200 emails employees receive per day are useful and 18 percent are spam. Because of this statistic, he hopes the company can eradicate all internal emails in the next 18 months, forcing the company’s 74,000 employees to communicate with each other via instant messaging and other Facebook-style interfaces.

This reminds me of the story about an HR VP who was so tired of employees calling her with questions and problems she stopped answering her phone. She had 30 whole minutes of peace… until employees figured out where her office was.

Why not stop all internal phone calls? It would seem to me that internal phone calls would have the same “waste” statistic.  How about this… program your corporate phone system to not allow any calls from one internal number to another and instruct employees that to contact internal employees, they must use Skype. That should solve the problem, right?

Email has become a wildly successful world-wide business productivity tool. To force thousands of employees to abandon it for other types of communications technology doesn’t seem to address the problem. Won’t only 10 percent of employees’ communications using the new communications solutions be useful as well? Is there something magical about the new technology that won’t allow employees to send wasteful communications?

The other problem that arises with this particular strategy is the problem of litigation holds and eDiscovery. Email systems are well known and technology exists to enable organizations to handle email in a legally defensible manner. It seems to me an organization’s risk of insufficient eDiscovery and spoliation will rise with a switch to a new communications technology.

The problem is not the technology… it’s employees’ use of that technology. If 70-90 percent of the emails employees send internally are junk, then train the employees on proper etiquette and use policies around the use of email. Train employees to not “reply all” or “BCC” on every email. Audit employee use of the email system and punish those that misuse it.

Running away from one of the most useful business tools ever seems like a gigantic over-reaction.

Written by Bill Tolson

December 5, 2011 at 9:21 am

Facebook Spoliation Costs Widower and His Attorney $700K in Sanctions


The below article is from Abovethelaw.com by Christopher Danzig

In 2008, truck driver William Donald Sprouse pleaded guilty to charges of involuntary manslaughter for the accidental death of 25-year-old Jessica Lester. According to a bluntly-written news article from the time of the trial, Sprouse’s “truck rounded a corner on two wheels, flipped and rolled over onto Lester’s car, a crushing sixty thousand pounds landing where Jessica sat.”

Jessica’s parents and her widower, Isaiah Lester, won a massive wrongful death suit in 2010 against Sprouse and his employer at the time of the accident, Allied Concrete Company. A Virginia jury awarded them a massive $10.6 million. Clearly, the family’s wounds were still fresh.

But the courtroom odyssey was not over.

On October 21 (nearly a year later), Judge Edward Hogshire signed a “final order” (PDF) cutting the jury verdict in half in Lester v. Allied Concrete Company and William Donald Sprouse, and penalizing Lester and his attorney, Matt Murray, a combined $722,000 in sanctions:

Whereas, the court, having reviewed the evidence and arguments of counsel and carefully considered the extensive pattern of deceptive and obstructionist conduct of Murray and Lester resulting in the sanction award, finds that most of the substantial fees and costs expended by Defendants were necessary and appropriate to address and defend against such conduct…

To read the entire article, click here.

Written by Bill Tolson

November 9, 2011 at 8:19 am

Spoliation of the Facebook Timeline


In a previous posting, I described the new feature in Facebook called “frictionless sharing”, a Facebook feature that will make sharing even easier by automatically sharing what you’re doing on a growing community of Facebook-connected apps. Potentially everything you do on the web could be shared on a timeline with your “friends” and any others (like attorneys) that get access to your page based, for example, on a Judge’s order for discoverable information.

The USA Today Tech section published an article titled “Facebook Timeline a new privacy test” a couple of days ago that got me thinking. From the USA Today article:

Up until now, Facebook accounts have focused on the most recent posts. With the new profile format, the most recent Facebook activities will be at the top. But as users go back in time, Timeline will summarize past posts — emphasizing the photos and status updates with the most “likes” or comments.

“A lot of people just don’t realize how much information they’ve shared in the past.”

This new timeline feature that takes much of what you have done on the internet and neatly organizes it into a timeline is a perfect target for eDiscovery. This brings up two questions; can you edit or hide items on your timeline and can you permanently delete data from your Facebook timeline? These two questions also highlight another question…if you edit your Facebook account and or remove something from your timeline, could that be considered spoliation in a legal proceeding?

Before I address the spoliation issue, let me address the first two questions.

1. Can you edit or hide items on your timeline? The answer is yes you can. From the Facebook help center:

How do I remove a story from my timeline?

You get to decide which stories appear on your timeline. Hover over a story on your timeline to see your options:

  • (Feature on Timeline): This allows you to highlight the stories you think are important. When you star a story, the story expands to widescreen. Starred stories are also always visible on your timeline.
  • (Edit): This gives you the option to:
      • Hide from Timeline: This removes stories from your timeline. Note that these stories will still show up in your activity log, which only you can see. They also may appear in your friend’s News Feeds.
      • Depending on the type of story (ex: status update, check-in, tagged photo), you may also have the option to:
          • Change the date of a story (ex: for an old photo, you can enter the date the photo was taken so it shows up in the right place on your timeline)
          • Delete a post (that you posted)
          • Report a post or mark it as spam (that someone else posted)

You’ll notice there isn’t a “delete” capability in the edit function.

2. Can you permanently delete timeline data from your Facebook account? As far as I can tell you can. In Facebook there is a feature called the “activity log” that is a record of all of your activity on Facebook. From the Facebook help center:

What is the activity log?

The activity log is a record of all of your activity on Facebook. So if you hide a story from your timeline, this story will still appear in your activity log. Your activity log is only visible to you. However, all of the stories in your activity log are eligible to appear on your timeline (unless you hide them from your timeline) or in your friend’s News Feeds.

The stories in your activity log are organized by the date they happened on Facebook. You can access your activity log by clicking the View Activity button on your timeline.

From the activity log you can:

  • Scroll through a history of all of your activity on Facebook
  • View and approve your pending posts
  • Filter the type of activity you see (ex: see all of your status updates or all of the links you’ve shared)
  • Choose which stories are featured on your timeline

You can also click the button to the right of each story. Depending on the story type (ex: status update, photo, app story), you may have the option to:

  • See the audience you shared
  • Delete posts
  • Report a post or mark it as spam
  • Change the date of a story
  • Remove an app from your account

So you can potentially delete items from your timeline… This brings up my question on spoliation of the Facebook timeline: what, if anything, do organizations have to do to safeguard against alteration of the organization’s or employees’ personal Facebook timelines if pending litigation is foreseeable?

Obviously the Facebook timeline is potentially discoverable depending on the circumstances of the case. Organizations need to include the Facebook timeline in their litigation hold/eDiscovery process and to inform impacted employees of their responsibilities to protect potentially responsive information from within all of their personal accounts that could hold relevant ESI including the Facebook timeline data.

As a side note, it’s always a good practice to regularly remind employees not to mix business ESI with their personal accounts.

Written by Bill Tolson

November 4, 2011 at 9:07 am

Exchange 2010 Message Search and eDiscovery


An important aspect of the eDiscovery process is finding all potentially responsive ESI. In other words the eDiscovery auditor must perform a search on all ESI repositories which could house responsive ESI.

Key to eDiscovery search in Exchange 2010 is choosing words, date ranges, attachment file names, etc. that help the auditor narrow the result set to be reviewed, but not to the point of overlooking responsive ESI. The eDiscovery keyword search in Exchange 2010 will only find exact matches of the terms entered. Additionally, the eDiscovery multi-mailbox search in Exchange 2010 will not reproduce the history of the email, such as when it was opened, what folders it existed in and when, whether it was deleted and when, etc., something which can add a great deal of context to the ESI.

Another key in this process is the effectiveness of your system’s indexing capability. Does it index everything including metadata, the entire email message and all attachments so that when you perform a search, you find all instances of the content? And… is the index reliable?

The indexing and search functionality of Exchange 2010 is considered neither accurate nor reliable by eDiscovery industry experts. In testing by a 3rd party market research firm, it was found that:

  • Custodian display name and address searches missed more than 20% of custodian email compared to last name only searches.
  • Lists of search terms became corrupt without generating warning errors.
  • When items are placed on litigation hold, the preservation system did not preserve the critical location context or other metadata properties of content.

To the opposing counsel, these deficiencies are a prime target to call into question your eDiscovery process and maybe enough to have the Judge force you to perform the eDiscovery search again using very expensive third party services.

Although improved over the search capabilities of previous versions of Exchange, several major limitations to Exchange Search remain that should be fully understood. These limitations restrict how Exchange Search is used, and limit its ability to be a primary factor for upgrade for stand-alone eDiscovery support by most organizations.

The biggest drawbacks to Exchange 2010 include:

  • Default search filters limited: Standard Microsoft Office formats can be indexed by Exchange 2010 so that eDiscovery searches can find and return these record types, but there is limited support for other common formats such as the popular PDF file format as well as audio or video file formats. By default, the content of email messages with PDF attachments are unsearchable. (see the iFilter section below)
  • No public folder search: Organizations with a significant investment in public folders will find that they cannot search across public folder data using the native Exchange Search functionality.
  • Localization and language limitations: Emails written in multiple languages are not indexed by Exchange Search. In addition, queries made in a specific language must match the locale of the local computer doing the search.
  • Encrypted messages not indexed: Messages encrypted with S/MIME encryption are not able to be indexed and are subsequently not searchable.
  • Exchange 2010 effectively has 2 indexes per mailbox: One index exists on the Exchange Server and one on the local Outlook machine. Any local PST files cannot be searched from the eDiscovery search interface. Local user search syntax and search results may differ from the network eDiscovery search.
  • Broad-brush legal holds: Legal Holds are a mailbox wide setting meaning that all content in a target mailbox is placed on legal hold. You cannot place individual objects on legal hold. Users can move, forward, reply, flag and categorize items under legal hold with no record. Metadata changes such as the email folder location are not tracked.
  • No case management: eDiscovery searches have no matter folders, audit or security for all eDiscovery group users. Searches for unrelated cases will all be thrown together with no ability to set security by matter.
  • Metadata can be changed on export: According to a report, email exported from the Exchange archive mailbox could have the Creator, Last Modified, PR_Creation_Time, Conversation Index and even message size changed.

A question corporate General Counsels need to ask themselves and their IT departments is; can I respond to an email discovery request quickly enough and in a defensible manner to satisfy the opposing counsel and Judge?

To answer that question, you need to consider another question. Is Exchange 2010 indexing everything in my system so that when you conduct a search it will find all relevant content?

The answer is probably not. The question of completeness of the eDiscovery search capability in Exchange 2010 is a big issue many don’t even think to question.

Can you rely on the Exchange eDiscovery search to produce results such that (1) all potentially responsive ESI can be found and placed on a litigation hold, and (2) the results you end up with contain all potentially responsive ESI?

Written by Bill Tolson

October 31, 2011 at 9:10 am

Frictionless eDiscovery; social media addicts beware…


eDiscovery just got a lot easier…for opposing counsel.

Facebook’s new system to auto-share what you do around the web may catch many Facebook enthusiasts off guard. Even “power” users of Facebook will probably run into trouble with this “frictionless sharing” feature. Once it’s enabled on a site you won’t get any other warnings that your “tracks” are being broadcast to large numbers of people. In fact, even those people who know exactly how this new feature works will need to be on guard against sharing some seriously embarrassing and/or compromising updates.

For those not in the know, Facebook is making sharing even easier by automatically sharing what you’re doing on a growing community of Facebook-connected apps.

Huh? It could be the news articles you read online, the videos you watch, the photos you view, the music you listen to, or any other action within the site or app. In the future it could be the “stuff” you buy on-line or the profiles of people you view, or diseases you looked up or the fact that you searched for information on the term “formaldehyde” on a specific day…

To be fair, currently, you must explicitly authorize a site or app to share your information with Facebook. How this sharing mechanism works depends on the app. Authorizing the Washington Post or The Guardian Facebook apps allows you to read those news sites right within Facebook. The downside, however, is that everything you read is shared back to your friends via a timeline… This capability may also affect those news organizations which have jumped into this partnership opportunity. These news organizations may see a drop in views because potential readers will now have to first consider how viewing a particular story will affect their reputation: Do I really want to click on this story knowing my “friends” will know I viewed this?

A timeline… REALLY! Do your friends really need to know you viewed a website titled “BieberFever.Com” at 1:13 am last Thursday morning? Or that you read an article on setting up a Swiss bank account 57 minutes after you received notice of a pending lawsuit? Talk about making the opposing counsel’s job easier…every discovery request will automatically include Facebook accounts.

Another group that needs to be careful are employees. I can imagine an HR representative viewing an employee’s Facebook page to verify, via the employee’s timeline, they have been surfing the web for the last 17 days.

I have repeatedly warned friends that social media sites like Facebook are potentially dangerous in that what you (or an application) post to your social media site could be used against you by potential employers, current employers or attorneys. One question I suggest all social media addicts ask themselves before they post is; “Is this something I would feel comfortable showing up on the front page of the New York Times?”…Because someday it could.

Written by Bill Tolson

October 11, 2011 at 9:37 am

Litigation Hold in Exchange 2010


Litigation hold, preservation order and legal hold all have the same legal meaning: a stipulation requiring an individual or organization to preserve all data that could relate to an anticipated or pending legal action involving the individual or organization. The litigation hold responsibility is one of the biggest liabilities individuals and organizations have in the civil litigation process. If a litigation hold is ignored or insufficiently applied, the Judge will not tolerate excuses and the outcome can be a spoliation or destruction of evidence ruling, which in turn can cause an adverse inference order to be issued and loss of the case. Several third party eDiscovery applications provide for litigation hold placement on individual items to reduce over-saving of non-responsive ESI.

In Exchange 2010, Microsoft suggests placing a custodian’s entire mailbox on litigation hold. In other words specifically putting a custodian’s mailbox on litigation hold ensures an indefinite retention on all content, even the content not relevant to the case at hand, in the user’s mailbox until the mailbox is removed from Legal Hold. This shotgun tactic does ensure all potentially responsive ESI is retained at the time of placement but many attorneys are leery of blindly placing a litigation hold on all content due to the possibility of over retaining ESI that is not responsive to the current case but could be in a future case.

To put a custodian’s mailbox on litigation hold in Exchange 2010, the person making that decision needs to be part of the “Discovery Management” Role in Exchange. By default there are no approved auditors in the organization, including the Exchange Administrator, who have the right to put a user’s mailbox on litigation hold. The Exchange Administrator can go into the Exchange Control Panel and give themselves (and others) the right to enable litigation hold for mailboxes.

Another caveat for Exchange 2010 litigation hold is that it could take upwards of 1 hour before a litigation hold takes effect on a given custodian’s mailbox. This is because the policy needs to be enacted on all messages and folders in the mailbox and be replicated through Active Directory. With litigation hold enabled, all messages, regardless of the organization’s retention policy will be retained until released.

Another aspect of placing effective litigation holds in Exchange 2010 is the question of PST files. PSTs are a long running problem area for corporate legal as well as the IT department. The problem is this: PSTs include email, attachments and metadata no longer present within the Exchange email system. So when an auditor searches a custodian’s mailbox from Exchange 2010 for relevant emails and attachments, they aren’t able to search any PSTs the custodian has on their local workstation.
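
The hold procedure described above, sketched for the Exchange Management Shell as an added example (not code from the original post or from Microsoft). It assumes Exchange 2010 SP1 or later; the auditor account, custodian aliases, matter label and log path are hypothetical placeholders.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010 SP1+ assumed).
# Every account name, alias, label and path below is a hypothetical placeholder.
$Auditor    = 'legal.auditor'              # account that will place holds
$Custodians = @('jdoe', 'asmith')          # custodian mailboxes for this matter
$Matter     = 'MATTER-PLACEHOLDER'         # internal matter label
$LogPath    = ".\litigation-hold-$Matter.csv"

# --- Step 1 (run by the Exchange administrator) ---------------------------
# Add the auditor to the Discovery Management role group only if missing,
# so that repeated runs do not raise "already a member" errors.
$auditorDn = (Get-User -Identity $Auditor).DistinguishedName
$isMember  = Get-RoleGroupMember -Identity 'Discovery Management' |
             Where-Object { $_.DistinguishedName -eq $auditorDn }
if (-not $isMember) {
    Add-RoleGroupMember -Identity 'Discovery Management' -Member $Auditor
}
# Role group changes apply to sessions opened after the change, so the
# auditor runs the remaining steps from a new shell session.

# --- Step 2 (run by the auditor) -------------------------------------------
# Whole-mailbox hold: there is no per-item hold in Exchange 2010.
foreach ($alias in $Custodians) {
    Set-Mailbox -Identity $alias -LitigationHoldEnabled $true
}

# --- Step 3: record what was set, and when, for the matter file -----------
# The flag reads back immediately, but the hold itself can take up to an
# hour to take effect, so the check time is logged next to the hold date.
$report = foreach ($alias in $Custodians) {
    $mbx = Get-Mailbox -Identity $alias
    New-Object PSObject -Property @{
        Custodian    = $mbx.PrimarySmtpAddress.ToString()
        HoldEnabled  = $mbx.LitigationHoldEnabled
        HoldDate     = $mbx.LitigationHoldDate
        HoldOwner    = $mbx.LitigationHoldOwner
        CheckedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}
$report |
    Select-Object Custodian, HoldEnabled, HoldDate, HoldOwner, CheckedAtUtc |
    Export-Csv -Path $LogPath -NoTypeInformation

# Surface any custodian whose mailbox does not show the hold flag.
$notHeld = $report | Where-Object { -not $_.HoldEnabled }
if ($notHeld) {
    Write-Warning ("Hold flag not set for: " +
        (($notHeld | ForEach-Object { $_.Custodian }) -join ', '))
}
```

The CSV covers server-side mailboxes only; PST files on custodian workstations are outside this hold and have to be preserved separately.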

Written by Bill Tolson

October 1, 2011 at 10:24 am
