A few years ago I was investigating a fraud case in the Middle East. It was the height of summer and a humid 50 degrees proved to be a challenging environment for our forensics kit. Generally speaking, you see, hard drives are best kept away from heat, condensation and dust!
We were examining the prime suspect’s PC and had uncovered a wealth of evidence of a ‘pump and dump’ scheme. It was alleged that the suspect had bought a quantity of shares in a UK firm and sent out some falsified press releases concerning a takeover. This had artificially inflated their value.
The suspect then ‘dumped’ the shares onto the market, making a tidy profit in the process.
Things were going well for us. We had found snapshots of the suspect’s hotmail Inbox (showing correspondence with the media) and had recovered deleted versions of the press release. We also gathered some interesting intelligence around how he was spending the money gleaned from Internet history and Google searches.
“Someone else was using my computer”
Digital evidence can often reveal the ‘smoking gun’ in a given case. However, there are a number of common defences that we see again and again. An example is the: ‘Someone else was using my computer’ defence. This is commonly applied if the illicit act occurred out of normal office hours.
More often than not, CCTV can be really helpful in this regard. We were in the client’s office and I asked one of my team to have a good look around for the CCTV system. I had seen a camera covering the door to the office, and we didn’t expect many staff to be around during the period in question.
Four hours later, my colleague walks in with a desktop PC under his arm and a big grin on his face. The firm next door, who owned the CCTV system, had happily handed him the CCTV computer wholesale. After a bit of configuration, we managed to obtain the video clips we needed. We were amazed that we were given such access. After all, we were used to dealing with the European privacy laws!
Between a rock and a hard place
Investigations are increasingly international in their nature. An investigator who wishes to collect and analyse e-mails, documents and other data will have to decide where these activities sit with respect to data protection laws in a number of different countries.
Ideally, these considerations will be addressed (at least in part) long before a major incident occurs. Such considerations require a determination of the legal basis for processing and transferring data, an assessment of the punitive sanctions that result from breaching those laws and an examination of how technology can aid compliance.
Companies who leave these considerations too late can often find themselves between a rock and a hard place: between an angry US Regulator and a vehement European Government. Such situations can lead to rash decision-making that can result in an overall impression of data protection law as being an obstacle to be circumvented rather than a necessary level of protection to afford employees.
Take the example of e-mail. If you’re undertaking a large competition investigation then reviewing the e-mails of your sales staff (for example) is absolutely essential. Often, anti-trust investigations can involve multiple jurisdictions and you may be in a ‘race for leniency’ (ie if you discover your staff are operating a cartel, and you get to the Regulator prior to the other cartel members, then this can have a huge impact in the scale of the resulting fine). This is a high stress situation where actions must be taken quickly.
In Europe, there are two things you need to sort out immediately (from a privacy standpoint). First, are we allowed to look through staff e-mails (ie process them) and, second, can we ship these e-mails overseas (ie effecting a ‘trans-border data flow’)?
The right to process data…
With respect to being able to look through an employee’s mailbox, you must first consider the likelihood of there being personal data contained therein. It’s tempting to think that if you have an IT policy that prevents the use of work e-mail accounts for personal use then that is the end of the story. However, this particular argument is not always accepted.
In some countries, it’s upheld that there’s a reasonable expectation employees will use their work e-mail for personal use (as they are restricted to the workplace during the day). In everyday circumstances, if a company holds your personal data, then they need your consent and must be clear about how they intend to use that data. So is consent required prior to an investigation?
Well, the short answer is: ‘Maybe… or maybe not’. There are some exemptions in the UK Data Protection Act that pertain to litigation (for example). It’s often tempting to seek consent regardless, but you need to be aware that once you ‘rely’ on a specific mechanism, it can be difficult to go back if a suspect does not grant consent.
Also, you need to be aware that consent can be withdrawn at any time and must be ‘freely given’.
In some countries, the employee-employer relationship can be defined as having an influence on the employee such that consent can appear to be ‘forced’.
…and the right to export it
With respect to transferring data overseas, similar safeguards are in place. A common situation I come across is when the investigator needs to provide e-mails to US lawyers so that they can respond to inquiries by US regulators (such as the SEC). Again, as data is leaving Europe, it becomes necessary to explore whether such transfers are in breach of local data privacy legislation.
In the US, the Department of Justice controls a system of ‘safe harbour’ whereby companies can sign up to controls that align them with the European Data Protection Directive. Still, it’s important to adopt a healthy scepticism of such controls and the extent to which they’re enforced. For example, if personal data is transferred to a safe harbour then it must not leave the harbour.
Data privacy laws vary considerably across the globe. There have been attempts to bring a consistent approach through such mechanisms as the aforementioned European Data Protection Directive. In 1995, the EU adopted Directive (EC) 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This Directive was intended to pull down barriers to information flow across Europe by defining a minimum standard of data protection to be adopted across Member States.
It was founded upon the earlier OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data. It has been implemented within the UK under the Data Protection Act 1998 (DPA) and in the other Member States with varying levels of protection that go beyond the minimum standard. Recently, this framework has been reviewed, with proposals now in place for greater fines and mandatory reporting.
Consider data protection ahead of time
For a corporate investigator, it’s important to ensure that the role of data protection is considered ahead of time, and that good local advice is sought from a data privacy lawyer in each region where your offices are based. This is essential as there’s no silver bullet with respect to data privacy.
In my experience there’s the danger that organisations take one of three strategies with respect to data privacy in investigations. The ‘biggest stick’ approach is to undertake a risk analysis and then violate the laws of the jurisdiction that either is less likely to prosecute, will issue the lowest fine or is less likely to uncover the incident in the first place.
The ‘one-size-fits-all’ approach, meanwhile, relies on a single simple mechanism (such as consent) to address all data protection woes.
The final approach is ‘head in the sand’.
None of these approaches are acute enough and can lead to problems midway through an investigation.
Unfortunately, the whole situation may be exacerbated by technical factors. This is where a computer forensics professional needs to work closely with the relevant law firm. For example, what if one of your subsidiaries is already in breach of data protection (eg let’s say an e-mail backup tape was unknowingly sent overseas), or what if a suspect’s computer also contains user data for another individual unrelated to the investigation?
Taking this further, what if a computer contains deleted personal data for a previous user that’s recoverable? It’s no wonder investigators tend to shy away from such issues, reluctant to open the data privacy ‘can of worms’.
Technical solution to a privacy challenge
A key thing to remember is that the Data Protection Act pertains to ‘personal data’, and there may be ways of filtering this out prior to a data transfer. It’s becoming increasingly common for e-mails to be searched, filtered and even reviewed within country prior to being exported overseas. These ‘multi-phased’ reviews come with an additional project management overhead, including well defined ‘claw back’ mechanisms if an inadvertent transfer of personal data occurs.
There are other elements of data control that might need to be considered, such as legal privilege, commercial confidentiality and secrecy. A greater level of control for the document review process can be afforded by using enterprise level eDiscovery tools. Often, an investigation may start off by using computer forensics tools that don’t support high volumes of data, multiple concurrent users or complex review functionality. It’s important to recognise what tool is appropriate for each phase of the investigation.
Regulator attention on data privacy is continuing to gather pace. Corporate investigators need to adhere to these regulations in the same way they do for the Regulation of Investigatory Powers Act (in the UK).
Data protection does not have to impede an investigation if the right approach is adopted and many of the key issues are addressed early on.
You cannot deal wholly with this subject in one article: many books have been written on it. The key thing is to consult early and make sure your ducks are in a row before a significant international investigation hits the desk.
Simon Placks leads the Ernst & Young IT Forensics team
