In this InfoGovANZ event, the implications and dangers of the widespread use of social media and apps were highlighted in their evidential value in investigations and litigation. The importance of technical and forensic expertise in the discovery process was demonstrated by reference to particular cases and technology tools by Brett Webber, Principal, ConsilAD and Matthew Golab, Director of Legal Informatics and R&D at Gilbert + Tobin. Susan Bennett, Executive Director InfoGovANZ and Principal, Sibenco Legal & Advisory discussed the duties of technology competence and confidentiality, which extends to cybersecurity to protect client information and the implications of a recent High Court decision.
Social Media Perils
As Michael Tieu, posted on LinkedIn following the event, ‘[i]t was truly astounding to see how important it is to be wary of who, what, when and where you post on social media. Once the genie is out of the bottle, it's nearly impossible to put it back inside. Information governance is as important as ever with the continuing incorporation of social media in our daily activities.’ Brett Webber who has worked on more than 2,000 matters involving social media discovery alone, took us through some of his cases to demonstrate how evidence can be gathered from social media including social media of other people. As Brett says, ‘how social media is found and technically managed can determine winners and losers in cases.’ This requires technical expertise to find probative material and being able to show the meaning within data collections.
Brett discussed his experiences with social media and litigation answering with the questions, ‘what's out there?’. The volume of relevant data in freely available the public domain is often counter-intuitively high.
Finding relevant data for litigation / discovery
Social media discovery frequently draws upon tools and techniques honed by Open Source Intelligence ("OSINT") practitioners. These techniques involve combining sources or data to form a coherent profile of a target or subject. In addition to finding sources of data authored by a party to litigation, it is normally productive to collect material posted “about” the subject (think of items posted by a third party which include a photo of a person, but without a tag or other element which can be controlled by the subject of the photograph). So even where people are cautious of their own online activity, relevant data are often posted by accounts outside of the subject's possession, custody or control.
Searching for data using tags, hashtags or words is increasingly ineffective when social media includes pictures or videos without tags or text. Other search and analysis techniques such a location or social connection are required. These approaches require consideration of metadata.
Social media platforms are designed to share data not to keep it private. Social media account "privacy" controls or settings are unlikely to protect data in the long-term. The visibility of data in most social networks is dynamic, for example interactions with other users through an item being liked, commented upon, reposted serve to increase the public visibility of any posted item.
Breach data such as the Paradise Papers and Ashley Maddison are increasingly being indexed and made searchable. Even if the breach data contents are not suitable or useable as evidence, the very existence of such data which is connected to a targeted individual can be informative. For example, it can show interests and hobbies (e.g. online dating) interactions with businesses, real-world activities, ownership of an account or connection to third parties or a place.
Data linking or "pivoting" techniques increasingly benefit from access to commercial data sources such as government land and property or licensing information. Consideration of these sources with social media data can often provide deep insights.
Collecting OSINT as Evidence
Forensic tools offer particular advantages for litigation-related matters. Speed, rigour, completeness and the ability to demonstrate compliant collection methods are all important considerations. The importance of this is increasingly reflected in emerging bodies of legislation and rules such as the US’ Federal Rule of Evidence 902 (14).
When providing evidence, it is very important to be able to show understanding of the “back story” (context) in the matter and how the information will be used. If any of that would need to be defended in Court and it may be prudent to engage a forensic expert to assist with a defensible collection.
Social media publication methods continue to change very quickly, necessitating a broad portfolio of data search and collection approaches. Examples of changes and the needed adaptation of collection methods include Facebook's anti-scraping controls, Instagram and LinkedIn's Application Programming Interface (“API”) restrictions and an increasingly relevant set of social media data which is not accessible from either web-browsers or APIs but which can only be accessed using mobile devices. Some of these changes have been reactions to highly publicised matters such as the exposure of Cambridge Analytica’s methods.
Methods of data collection commonly used include:
1. APIs or data feeds from social or other databases.
3. Commercial data aggregators.
4. Mobile devices (physical or virtual).
Sound forensic methods should show how any data was accessed, how it appeared in its original context and that the resultant data collection hasn't been tampered with or altered in any way. Attendant metadata should also be collected and able to be explained - showing the relationship of data, sequence of messages and originating author.
Most of the discussion above relates to investigation aka informal discovery. The identification of accounts and ability to demonstrate relevance and that more data can be collected at reasonable cost are often strong supports for discovery applications where the non-public elements of social media accounts are sought. For this and for law enforcement liaison requests, forensic methods which identify account details such as a number rather than a name enable efficient and precise collection.
The Sedona Primer on Social Media also addresses the limitations of self-produced data such as Facebook's Your Data.
An eDiscovery Perspective - Social Media is different to email
Although metadata is quite important in typical eDiscovery which involves emails and documents, social media metadata from the social media platform can be as important as the actual content of a message. For example, in typical eDiscovery, when an email is sent, you have some rudimentary metadata including:
Date and time sent; sender; recipient; subject; content of message
Social media typically has much more extensive metadata. For example, you may take a photo with your phone camera which has the location (GPS coordinates) added to the photo. You then share the photo on social media – some of the social media systems may strip the metadata and/or dynamically reduce the size of the file, however they may also store your location when you uploaded the photo to the social media platform, while also tracking every interaction that is subsequently made with your photo – i.e. who looked at it and when, who commented or otherwise annotated (i.e. likes). In some social media forensics tools, it’s possible to access this deep metadata and so you can then build a graph or who, when and where. Whereas going back to an email, you will rarely know the where, and once you have sent the message you can’t really determine who read it or interacted with it.
Data preservation and spoliation
Spoliation in Australia is surprisingly common. ConsilAD's experience in Australia is that where data has been produced in procedural fairness disclosures and no explicit communication of the data being relevant for prospective litigation or investigation is provided, it is all too common for data to be altered or deleted at source. By contrast our experience in US indicates an almost universal recognition of the obligation to preserve data. A key benefit from discovery using forensic tools is the ability to show the extent of spoliation e.g. to demonstrate the deletion of data by comparison or juxtaposition of available data with the original forensic collection.
1. More is out there than most people expect.
2. Just because you don't operate a social media account, it doesn't mean that social media will be bereft of content about you.
3. Leaked and breach data sources and the interaction of online friends transforms data from private to public in many cases. Finders keepers?
4. Privacy obligations for collecting social data might reasonably be considered as triggered when targeted collections are initiated. This means securing the data, logging it and being able to show provenance and lawful collection.
5. Forensic tools speed up data collection and allow data to be shown in its original context, which can be helpful where the meaning or value of data might be contested.
6. There is a requirement to preserve documents once litigation is reasonably anticipated. Ensuring clients are appropriately advised and organisations issue document/data preservation notices, referred to as ‘legal holds’ is critical to avoid spoliation.
Forensic data collection methods and technology offer effectiveness and efficiency benefits that amateur efforts do not. For lawyers they are required deliver legal services competently and diligently – this includes technology competence particularly for the discovery process in litigation and securing client’s information.
Duty of Technology Competence
The duty of technology competence for lawyers is set out in the American Bar Association Model rule 1.1 as follows:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
The Model Rules have now been adopted in 36 US States. Susan discussed some of the recent US cases dealing with discovery issues and directions for adverse inferences relating to evidence unavailability, particularly in relation to social media, and/or failures in the document production process leading to sanctions. The ABA’s Model Rules are also referred to in the Australian Law Council’s Cyber Precedent, which says;
To be a competent lawyer, you need to understand the value of the information that you are dealing with.
Failing to properly protect your client’s information that has been entrusted to you could cast doubt on your ability to properly manage your practice.
As legal practices operate more in the digital realm the issues of cyber security will play a more prominent role. It is important to keep up-to-date with the current risks and the current security measures.
Susan also discussed the implications of the recent High Court decision in Glenore International AG & Ors v Commission of Taxation of the Commonwealth of Australia & Ors S256/2018. In this case, Glenmore’s documents were part of the ‘Paradise Papers’ that entered the public domain arising from the cyberattack on the Bermudan law firm Appelby and stolen from its electronic management system. The High Court in dismissing Glencore’s proceedings, held that legal professional privilege is not an actionable legal right capable of sounding in injunctive relief. The implication of this decision will be regulators seeking to rely on documents in the public domain as a result of a data breach, which otherwise may have been privileged and not required to be produced. The High Court observed that once privileged communications have been disclosed, resort must be had to the equitable doctrine of breach of confidence for protection respecting that use of material.
Susan pointed out that the Glencore decision was distinguished from the High Court’s decision in Expense Reduction Analysts Group Pty Ltd v Armstrong Strategic Management and Marketing Pty Limited where there had been inadvertent disclosure of 13 privileged documents by the appellants’ law firm to the respondents’ law firm. In that case, the High Court relied on the Court’s roles in the supervision of the process of discovery to permit a party to correct a mistake to deal with inadvertent disclosure of discovered documents. The High Court also noted the ethical duty under Rule 31 of the Australian Solicitors Conduct Rules, which deals with the duty of a lawyer to return material, which is known or reasonably suspected to be confidential, where a lawyer is aware that is disclosure was inadvertent.
The key takeaways are that the duties of technology competence and confidentiality include:
· properly securing and protecting client information, including ensuring appropriate contractual protections with technology and cloud suppliers;
· ensuring appropriate technology and expertise in investigations and litigation to ensure relevant data is retained, identified and collected efficiently.
The rapid changes in technology, widespread and growing use of social media and apps requires lawyers and eDiscovery professionals to continually keep up to date with changes in technology. It highlights the critical importance of sound information governance to secure and protect client data and information.
Brett Webber, Principal, ConsilAD