Viruses, Adware and Spyware Attack Legal Framework

By Mary Mack
October 27, 2004

Back in the good old days, electronic evidence for civil cases could be gathered from a custodian's computer, processed to TIFF, Bates numbered and introduced into evidence. Concerns over chain of custody and authenticity were talked about, but rarely argued in the courtroom.

For example, if a document was found on a computer that belonged to me, there was a practice of everyone accepting that it was a document under my control. While I might not have created it, I put it on my computer or allowed it to be put on my computer. Also, the document would be assumed to be what it purported to be, modified at the “last modified” date and time. At most, questions would be asked at deposition time about who else had access to the computer with administrative privileges or whether I made it a practice of sharing my password.

Likewise, if I were under a litigation hold and it was found later that files had been deleted from a computer that I controlled, I'd be on the ropes for spoliation of data.

It's not so simple anymore.

Viruses, spyware, adware and hijacking are attacking our legal framework for electronic evidence and impacting specific areas of law, such as privacy, attorney-client privilege, trade secret, criminal law and products liability.

Viruses Can Corrupt Data

Anyone who uses a computer today deals with the complications of virus infestation, either from a networked computer or from spam e-mail. We routinely run our anti-virus software until something so virulent gets us that we need to start over again. Starting over again may include wiping the computer clean and reinstalling the operating system from scratch. Viruses (and adware, spyware and hijackers) can be so persistent or harmful that starting over is the only remedy for them as well.

“Starting over” can have a tremendous impact when considering spoliation issues, especially if you or your client are under legal hold. If the infected computer is owned by a key custodian, imaging the hard drive prior to reinstallation or completely replacing it to preserve existing data is extremely important. With either solution, it is imperative to have chain of custody documentation for what is done and by whom.

Some anti-virus software will change the access dates of files as it runs over them. Access date is the most transitory date, so changing it shouldn't hurt the authenticity of your electronic evidence. However, when files are “cleaned,” they are saved. This changes the “modify” date. Most systems have a log of “cleaned” files, which can be submitted into evidence if the date on a particular file is in issue.

Most electronic discovery Tier I firms have virus scanning in place, and, for authenticity reasons, will log which files have been cleaned and keep the before and after copy of each file. Generally, unless specifically requested, the cleaned copy of the file will be produced in a native file production; otherwise, it would likely infect the opposition's computers when opened. (Stop smiling, now).

The Impact on Attorney-Client Privilege?

One of the most harmful effects of today's viruses is that they often spread by sending mail to addresses in the infected computer and then having the infected computer send out e-mails from these addresses without direct authorization. Imagine if one of those e-mails is an attorney-client communication. Is the privilege lost if it becomes part of a spam attack started by a virus?

Adware Can Change Electronic Evidence

A more prevalent version of computer corruption lies with adware. Adware consists of files that are pushed to an individual's computer for the purpose of attracting visitors to a Web site. These files generally manifest in the form of popup screens, with inducements to click on them. Many times they cover the entire screen so there is no alternative but to click or shut down the computer and restart. Particularly irritating adware pretends to be an error report requiring you to click to get out of it. This has a two-fold benefit to the adware purveyors: you may purchase the intended product or service or the hit will increase advertising revenue.

It is a popular fiction that individuals consent to adware. Yes, in the terms of use of a Web site, there may be some notice. In advertiser supported software, another source of adware, the license agreement, deep inside it, will ask permission. No one in their right mind consents to software that cannot and will not be removed.

Adware impacts the following areas of law: criminal (child pornography) and employment (hostile workplace, sexual harassment, termination for cause).

Adware files will attach to computers and pop up when you least expect it. These are not simple screens that appear after exiting that ask you to reconsider not buying. These are programs that will download files you've never seen on to your computer, without authorization, which can then be picked up when computers are analyzed for evidence.

Attorneys are now imaging targeted computers and using evidence of pornography on the computer as evidence of wrongdoing. Adware from vice sites, be they pornography or gambling, is extremely sophisticated. It is just a matter of time before the opposition argues, with credibility, that there is no proof that particular files were placed on a computer by its owner.

Imagine pornographic adware popping up during a staff meeting or executive presentation. This could create the impression of a hostile workplace and increase a company's overall liability.

Also, Web history logs and caches are consistently being analyzed to prove that a person accessed a particular Web site at a particular time. It is generally assumed that persons surf with intent. A history file, or a cache, would be full of Web tracks made intentionally by a computer user.

Imagine a popup ad which has a “close button.” The popup does not have pornography, but the close button takes you to a pornographic site where more and more adware is dumped to the computer.

It's extremely important to understand the potential impact of adware on electronic evidence because it can take control of a computer and cause a trail of activity that looks like the owner of the computer took particular steps, when in fact, the owner was simply doing his or her job.

Editor's Note: Law Journal Newsletters has a newsletter dedicated entirely to e-discovery, providing in-depth analysis of the latest legal and technological issues. For more info, visit www.ljnonline.com/alm?edisc.

Spyware and Hijacking Increase Legal Liabilities

Similar to adware, spyware and hijacking on a computer open a corporation to many legal issues around the security of information. Spyware sends out reports of keystrokes and other information to the originating computer. Hijacking actually causes the computer to browse to a place not intended by the person using the computer.

For example, have you ever had a new search system appear on your computer instead of your chosen search engine and not be able to get rid of it? These types of adware files can add characters to your web search to send you in a different direction.

For financial firms and health care organizations, where there are clear legal mandates for privacy, having private files transmitted outside of the organization without knowledge increases the legal liability of the company tenfold. Additionally, all firms have mandates around employment records. Most have some form of requirement for systems to be secure. If rogue programs like spyware are recording keystrokes and reporting them to another entity, how secure are those systems? As long as there are no incidents, such companies are safe in the near future. Moving forward, however, organizations must adopt security standards that account for the ever-evolving adware, spyware, virus and hijacking threats. Look for accrediting organizations, such as JCAHO, the accrediting organization for health care, to sample systems for spyware and to inspect policies regarding these threats. Banking systems, trading systems, companies in California, and SEC reporting companies all will have to face handling the spyware/hijacking issue as part of their information security mandate.

The next time a patient's medical condition is exposed or the SSNs of customers are used for identity theft or credit cards are stolen from an online merchant, look for insurers to determine whether the organization is grossly negligent in the protection of its IT systems.

In fact, the impact of harmful viruses, spyware, adware and hijacking is already being addressed at the governmental level. The House Energy and Commerce Committee has approved H.R.2929, better known as the SPY ACT, that would establish large civil penalties for those who engage in deceptive software practices and would give the FTC the power to enforce, with significant money penalties on a per computer basis. The Senate is tackling the issue with SPYBLOCK legislation.

Meanwhile, organizations anticipating a defense against a charge of gross negligence should consider the following steps:

  • Hardware based firewall protection with unused ports closed;
  • Monitor outgoing port traffic;
  • Push virus and spyware protection to the desktop;
  • Stay current on your security patches;
  • Have a documented escalation procedure for attacks;
  • Discourage use of downloaded screensavers; and
  • At least until the industry polices itself, discourage ad supported software.

Are You Weakening your Trade Secret Protection?

Common law requires that an effort is made to keep material confidential if it is to be considered a protected trade secret. Many a corporation builds a fortress with guards, passes, biometrics and retinal scanning, yet spyware and hijackers are crippling these computer systems. How hard would it be to make a case that material was open to anyone if no documented efforts were made to stem this scourge? This lack of attention dramatically weakens trade secret claims.

Products Liability and Mass Tort

As more and more products have “Web-enabled” or “browser based” interfaces, what happens when there is a browser malfunction that causes injury?

Today, it is not obvious whether a negligence allegation would stick if there was an injury from an impacted computer with no plan to handle virus, spyware, adware and hijacking. It's more likely that having no plan for virus infestation could indicate negligence for the virus-impacted company. For years, firms have been fighting viruses and there are established procedures and a “standard of care” for enterprises related to virus containment.

However, spyware, adware and hijacking are so new that no such set of clear procedures exists, so there is no coherent technical standard of care. Without a technical standard of care, it is highly unlikely a legal standard of care would apply. At this writing, the technical community is sharing successful practices to protect against and eliminate spyware, adware and hijacking. In the next year, I predict that it will be grossly negligent to ignore these threats, opening up the enterprise to strict liability. We certainly can foresee potential damage.

There are four simple methods to reduce your risk:

  • Assess your vulnerability;
  • Find ways to mitigate (see above);
  • Find client-friendly ways to mitigate; and
  • Draft contracts and licenses with clear language assigning responsibility to suppliers and clients to monitor the health of the systems that interface with yours.

OEMs (computer distributors) are even at risk when they bundle ad supported software with their products, especially since it is so difficult or impossible to remove the adware once installed. Besides the commercial impact of dissatisfied clients, consider their liability if critical functionality is impacted. Corporations using the services of companies that employ spyware, adware and hijacking are even at risk for the same reason.

Remediating While Under Legal Hold

Users are now removing these threats in order to make their computer functional. What is the optimal way to remediate while under a legal hold?

In addition to informing departments, individuals and IT of legal hold responsibilities, organizations must make sure they have in place a procedure for the help desk personnel who are front line defense for impacted systems.

This is one area where safety and risk reduction requires an evidentiary copy of the hard drive along with chain of custody documentation. Dates are likely to be changed, as are the contents of some files. Because viruses can erase files, it may be advisable to get a forensics image and not just an evidentiary copy of visible files.

The chain of custody should include the following:

  • Identifying features of the computer (serial number, asset tag, make, model, network identifier);
  • Owner's information, the date of complaint, date of remediation, description of symptoms, the software used to remediate (software, version and date of definition file); and
  • A statement that no files were altered outside of the normal functioning of the software. If manual deletions or registry hacks were employed, those should be documented.
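The chain-of-custody items above, together with the earlier point that cleaning a file re-saves it and changes its “modify” date, can be captured mechanically by a help desk. The following Python sketch is an added example, not part of the original article: it records a manifest before and after remediation and builds a custody record from the difference. The use of SHA-256 hashes, all field names, and the sample computer, owner and file data are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def snapshot(root):
    """Map every file under root to its SHA-256 hash, size and dates."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Read the dates first: opening the file to hash it can itself
            # update the access date, the most transitory of the dates.
            st = os.stat(full)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {
                "sha256": digest.hexdigest(),
                "size": st.st_size,
                "modified": _iso(st.st_mtime),
                "accessed": _iso(st.st_atime),
            }
    return manifest


def compare(before, after):
    """Classify what remediation did to the files."""
    common = before.keys() & after.keys()
    return {
        "deleted": sorted(before.keys() - after.keys()),
        "added": sorted(after.keys() - before.keys()),
        "content_changed": sorted(
            p for p in common if before[p]["sha256"] != after[p]["sha256"]),
        "modify_date_changed_only": sorted(
            p for p in common
            if before[p]["sha256"] == after[p]["sha256"]
            and before[p]["modified"] != after[p]["modified"]),
    }


def custody_record(computer, incident, before, after, manual_actions=()):
    """Assemble the record; field names are hypothetical, chosen to follow the list above."""
    return {
        "computer": computer,    # serial number, asset tag, make, model, network identifier
        "incident": incident,    # owner, complaint and remediation dates, symptoms, software used
        "manual_actions": list(manual_actions),
        "no_alteration_outside_tool": not manual_actions,
        "changes": compare(before, after),
        "recorded_at": _iso(datetime.now(timezone.utc).timestamp()),
    }


def demo():
    """Run the procedure on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample data, not real evidence
            "docs/memo.doc": b"quarterly memo\x00CONSTRUCTED-INFECTION-MARKER",
            "docs/notes.txt": b"meeting notes",
            "temp/popup.exe": b"constructed adware stand-in",
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (1098800000, 1098800000))  # fixed dates in October 2004
        before = snapshot(root)

        # Simulated remediation: one file cleaned and re-saved, one file
        # deleted by hand, one file re-dated without a content change.
        with open(os.path.join(root, "docs/memo.doc"), "wb") as fh:
            fh.write(b"quarterly memo")
        os.remove(os.path.join(root, "temp/popup.exe"))
        os.utime(os.path.join(root, "docs/notes.txt"), (1098900000, 1098900000))
        after = snapshot(root)

        computer = {"serial_number": "SN-EXAMPLE-0001", "asset_tag": "AT-EXAMPLE-42",
                    "make": "ExampleCo", "model": "Desk-1", "network_id": "WS-EXAMPLE"}
        incident = {"owner": "J. Custodian (constructed)", "date_of_complaint": "2004-10-25",
                    "date_of_remediation": "2004-10-27", "symptoms": "popup windows",
                    "software": {"name": "ExampleScanner", "version": "1.0",
                                 "definition_date": "2004-10-26"}}
        return custody_record(computer, incident, before, after,
                              manual_actions=["Deleted temp/popup.exe by hand"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the "before" snapshot against a read-only mount of the image where possible, so that building the manifest does not itself alter the dates it is recording.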

Also, you may consider putting the remediation software on read-only CDs and filing them away with chain of custody documentation. Products like Source Safe would be the normal place to store such material, except, since it may be used in a legal proceeding, it may not be advisable to open up other confidential material to the legal process.

To determine the best practice for preserving potentially infected damaged electronic evidence, you can send an e-mail to [email protected] for a softcopy form for your helpdesk.

Following is a list of remediation software available today:

  • Both antivirus products (Norton and McAfee);
  • Lavasoft; and
  • Spybot.

Additionally, there are wonderful reports that, along with good remediation, the Windows XP Service Pack 2 will protect against many of the known threats. The download does not work with browsers other than Explorer but is available on complimentary CD.

Some good information on spyware can be found at:

Hopefully, I will not be violating any license agreements when I remediate. Now we're talking breaking new legal ground. Shall we open up trespass, fraud and of course, intentional infliction of emotional distress?



Mary Mack www.fiosinc.com
