Legal Supplier

Privacy controls and impact on accessing digital evidence

By Peter Small, Contributor

Life is about to get more complicated for litigators seeking digital evidence as privacy controls grow tighter to meet consumer demand, says Jason Green, principal of Hexigent Consulting.

“The lives of litigators could be made harder,” says Green, whose Oakville-based digital investigations and cybersecurity firm offers consultancy services to law firms and businesses.

“It’s likely going to cause them more headaches.”

For consumers, the functionality of any given technology used to be top of mind, Green says.

But privacy is supplanting performance as a priority as data breaches become increasingly common in companies that hold and process data, he says.

Recent trends and events, like the massive leak of Facebook user data, are fueling the demand for more privacy control, Green tells

The firm embroiled in a controversy over its handling of Facebook Inc. user data and its British parent company ceased operations after losing clients and facing mounting legal fees resulting from the scandal over reports the company harvested personal data of millions of people, Reuters reports.

In the face of such debacles, technology providers are increasing their privacy controls, Green says.

For instance, Apple recently announced that the latest version of its Safari web browser will include tracking blockers that make it harder for advertisers to follow people’s online activities, he says.

Apple will also prevent the so-called fingerprinting of its devices, which allows third parties to follow a user’s specific activity, Green says.

In addition, the latest beta version of Apple’s mobile device software, iOS, now features a “USB Restrictive Mode” that limits the ability of third parties to extract data from cellphones, he says. Parties seeking information from mobiles will have to unlock the devices every hour, he explains.

“So that’s going to pose really significant challenges in both criminal and civil litigation matters where an investigator is being asked to review a device containing evidence without a PIN code,” Green says. “That could turn things around quite dramatically.”

Other recent privacy trends include the introduction of heavily encrypted instant messaging tools in which communications travel directly between sender and receiver without going through a middle conduit, he says. In these systems, technology providers can’t access the content of communications even if so ordered by a court, Green says.

Such data and system device encryption features will become standard in the near future, he predicts.

Law enforcement will have to adapt, expediting its procedures for accessing digital information, Green says.

Civil litigators, for their part, will have to obtain more orders allowing them to access stored data at source — like email or cloud accounts — as opposed to the historical way of obtaining the information from the location in which it was stored, like a mobile device or personal computer, he says.

“There’s likely going to be an extra burden on litigators to go to court to get orders,” he says. “It’s going to slow the litigation process down.”

Legal cases may not proceed because the "intricacies of obtaining digital evidence will be so challenging and costly that claimants conclude, 'This is going to be really complex, expensive, and take not weeks, but years,'" Green says.

Changes are happening so rapidly that some of the data-protection technology now in use may be redundant in six months, he says. “Everybody is playing catch up.”

There’s a further complication, Green adds. Recent regulatory compliance requirements such as Europe’s GDPR — General Data Protection Regulation — and Canada’s upcoming mandatory reporting regulations require companies to inform regulators and affected users when they have a data breach, he says.

But companies will find it increasingly difficult to tell regulators exactly what data has been breached because so much will be stored behind privacy walls, Green says.

“To satisfy legislative requirements and privacy wants by consumers and businesses alike, we foresee that organizations are going to need to implement complex sets of controls so that you can get the right balance,” he says. “You can imagine the additional level of effort and potential cost for an organization.”

Corporations will have to get ahead of any upcoming legislation by reviewing their practices and commissioning privacy impact assessments, Green says.

“They need to understand what their responsibilities are going to be and, should the worst happen, be prepared to act quickly and have a plan in place to address any privacy requirements,” he says.

“Basically, don’t wait until something’s gone wrong. Think about it in advance.”

To Read More Hexigent Consulting Posts Click Here