Hi, my name is Alex M, and I'm an alcoholic. Oh, wait a minute, sorry, wrong meeting. OK, I'm sorry, that's about as much as you're going to get for fancy images, graphics. I was trying to get the exploding van from the recent Fox News thing, but I couldn't get that as a swipe in OpenOffice. OK, this is basically a nuts and bolts kind of boring guide to protecting your stuff from, well, people like me. And I'm really impressed that there are that many people that are here for another hour of what I'm going to have to call DEF CON law school.

OK, standard disclaimer, I'm a lawyer. I'm not your lawyer unless you give me some money and I'm very receptive to that. Topics presented today reflect my personal views and not necessarily those of on site three, my employer. OK, this talk is not legal advice. It's educational and hopefully some entertainment purposes. The important thing in this is this field of law is in flux. What is good today may not protect you in a week. So it's changing really fast and it's changing in kind of scary ways. There are people who are now facing jail time for stuff that their lawyer could have perfectly honestly said, yeah, this is legal. So just to be, you know, be worried. Be worried. Local laws vary. Contents may settle during shipping.

OK, this comes from a drunken conversation at a PumpCon a couple of years ago where I was trying to explain unsuccessfully that what I do for a living is not social engineering. After all, I spent three years, $100,000, and I passed two stupid exams that mean that when I threaten somebody with something, it's not social engineering. It's something else. And I'm wrong, actually, it is social engineering. But it's the, because this was someone who was saying, like, look, you can't hack my boxes. They're incredible. And I'm like, you know what? Not only can I hack your boxes, I can make you help me. I want this information and I don't want to look for it. Give it to me. I'm like, how can you do it? Subpoena.
But thinking about it, like, wait a minute. Let's go further into this. And then he got very scared. It's like, wait a minute. Think of these attacks as any other attack, as someone is trying to get your stuff. Someone's trying to make you do something or do something to you in a way. And that made sense to him. Like, wait a minute. Just think of these as more new attacks, like breaking stuff. I can do a destructive search warrant against your systems. Or I can root your box and then erase everything. Both of those are annoying. Both of those mean that you're going to have a down. We're down for temporary maintenance. Sorry for a little while. Shut down. An injunction will do the same thing as a pretty good DoS attack. And also, similar precautions will let you prepare for the sort of stuff that people like me or people like John Benson will do to your systems. Good offsite backups aren't just for disaster recovery. They're also for what happens if you get a destructive search warrant that takes half your systems out. Strong searching and archiving. Full disclosure here. I try to force people on this when I do consulting work. It's often, do you have an archiving solution? Because that makes civil litigation, which is what I do, much, much easier.

So I'm going to talk about four basic kinds of legal attacks today. Two criminal, search warrants and wiretaps. And then subpoenas and discovery, civil litigation. And then, if I still have time, I'm going to talk about transitive trust.

OK, starting with search warrants. And I put this in every damn talk I've got, because I want people to remember this. This is like the one bastion of civil liberties we have left this week. Because this gets nibbled away every single day. And if you guys don't know what this is and what this means, they'll take it from you. And by taking it from you, they take it from me. So, the right of the people to be secure in their persons, houses. We don't care about that.
Papers and effects, that is your data. Against unreasonable searches. It does not protect against all searches. Just unreasonable ones. And no warrants shall issue but upon probable cause. Magical words. Unfortunately, we don't know what those mean. Supported by oath or affirmation, and particularly describing the place to be searched and persons or things to be seized, that's what we've built search warrants around.

Now, how do we do search warrants in the United States? You have to have a judge or a neutral judicial officer, usually in the federal system, a magistrate, a lesser judge, who determines that there is probable cause, that a crime occurred, and that the persons named or evidence that I'm looking for, that the officer's looking for, is within the place to be searched. It has to be signed in a written affidavit from the law enforcement officer, who is attesting to the probable cause. And it has to be particular. It has to say, I am looking for, say, for example, child pornography. Where it is or where it is likely to be found, so they limit the search. It can't just be all through the continental United States. It can be your data center, if probable cause exists, that your data center is housing child pornography.

Now, a warrant allows the things named in the warrant. I'm looking for all evidence of child pornography held by ISP X. So it can allow the seizure of contraband. The evidence, fruits, and instrumentalities of that crime found during the search, even if it's not in the warrant. If they find, say, the typical example is I'm looking for child porn, and I open a door looking for a computer, and I find a kilo of coke and five submachine guns, the officer can say, well, those are mine, too, now. Because I've walked in like, hey, there's more evidence of crime. Now, for computers containing evidence, containing fruits and instrumentalities of crime, there's an interesting question. What does that allow seizure of?
Is that seizure of the data thereon or the computers? That is a question you're going to hit if you're a sysadmin, network administrator, you run a NOC, something like that. If they have a warrant to come and say, we're here to seize data, under the current protocols, it is up to the law enforcement officer to decide I'm going to get a copy of your data or I'm deracking your server. This is important when it's three in the morning, there are armed men in your NOC that don't work for you, and they want your box in.

So thinking about this as like a DoS attack or something, it's noisy and destructive. You don't get warning on this. It's, or, if you're unlucky, dude, there are guys with guns here. What do you do? And really, it's as little as possible. A no-knock warrant can be granted if the police can articulate a suspicion that you will despoil evidence. Evidence will go away if there's any warning. There are no immediate defenses. Thinking of this as you can prepare for the attack, what do you do during the attack, what do you do after the attack? During it, you cannot make it better. You can make it a hell of a lot worse. So and I want to, it's a problem of you have to play it very, you have to play it right, but you're in a very dangerous position. And I'll talk about that in a little bit.

What you're afraid of is what I like to call collateral damage that is unintentional. I've read a few affidavits of, or not really affidavits, I've read a few interviews of people who are running NOCs or running systems. And I don't want to insult any law enforcement officers in the audience, but, and I've talked to a few that have done search warrants, and oftentimes they act dumber than they are because it's a great advantage. I'm here to get the server. And they have the biggest, most intimidating goon with the biggest, ugliest set of bolt cutters. Now, imagine I'm going to go derack a server with four-foot bolt cutters.
You're thinking, oh my God, these guys are going to make such a mess of my NOC. They're going to like, they're not even going to unbolt something. You're going to cut through the rails. Now, as, as you know, a sysadmin, you're thinking, they're going to, oh, it's going to be a, it's going to be a mess. Fine. The server you want's over there. You just did something. You just admitted that you knew something. Now, it doesn't matter if they want to, but you've, you've opened a door. So you have to play this cool. You have to be as dumb as possible, yet you have to limit the search.

So how do you prepare for the search warrant? First off, if you're anticipating getting hit with search warrants where it's a question of, they're going to derack your servers, or they're just going to take the data. I like multiple site data and systems backup, preferably in multiple jurisdictions if possible, and automatic failover. If they execute a warrant when you're not there, and they just take your systems, you know, like, huh, the Cleveland colo seems to be down. It's nice to be able to shunt to San Francisco or Amsterdam or wherever.

Now, that's the, just the purely IT defenses. The legal defenses, it's minimizing the damage during the warrant execution. You are lucky enough to be the, the, the guy or gal in the NOC where there are, you know, men waving guns and bolt cutters around. You have a choice. You can be helpful or you can be passive. One good case study is AOL. If you have a search warrant, AOL has a division or a department that executes search warrants. You fax the search warrant, they give you the data. And the advantage is law enforcement officers like dealing with that because it's, it's easy. I don't actually have to get up or do anything. I just say, here's the search warrant. Here's what I want. And they go, and, you know, do you want that in DVD, CD, or DAT, you know? And, and it's an advantage for, for AOL to play that way.
Because it's, you know, it's just like, oh, it's a business cost. It's not significant. If you're a smaller ISP or you're a little bit more aggressive about civil liberties, you may, they, the police then kind of can fall back and say, we can take all your servers. So you're in kind of this weird gray area. Now, if you are in that gray area and the police are deciding we're going to get a little bit more aggressive, don't interfere. Don't touch the cop. Don't get in his way. Don't refuse. Don't say I'm calling my lawyer. It doesn't matter. You call me. My response is going to be, don't touch him. In fact, stay the hell away. Watch. Bring witnesses in to watch what happens. Don't say shit. In fact, shut the fuck up.

Um, the criminal defenses I have done, I've done one child porn possession case where we would have had pretty good shot at, I don't think acquitting him, but we could have nailed it. We could have knocked a couple charges off of him, except that he not only signed a confession, he went through and initialed and signed every page of a 22-page chat log about what he did. Like, dude, you are a tool. You walked, you're like, well, can you get me off on this? No, no, no. Like, well, I can't go to jail. Don't worry, they'll give you a ride. They'll take you to jail. Don't worry, you don't have to go find the way. They're not letting you go.

Now, the important part is don't let the scope expand. If they have a search warrant that says we want all the data from customer A on server X. You know that customer A is actually on servers X, Y, and Z. You don't want to be helpful in this case. Because, and this is something that's been bugging me, because I've been thinking about this hypothetical. You are a colo, because that's one of my jobs, I'm a sysadmin at a web hosting company and I don't know what all my customers are doing, because I don't know, unless I actually look at all their websites, if they're hosting child porn.
Now, my fear is that because I remember passwords, even those that aren't my own, I don't want to ever say, oh, you can't get into that system, the password is blah, blah. All of a sudden, I've gone from just being the guy at the NOC to I have knowledge and control of that box that holds child porn. All of a sudden, I became more interesting. And that's not something you want to be. So, don't let the scope expand. Don't point to new machines. Say, what machines are you looking for? Good, there it is, there it is, there it is. Here's a screwdriver. Can I power it down for you?

Now, cleaning up afterwards, this is the big part. Legally, someone like me can try to exclude evidence. Now, excluding evidence is where you've been, you are now a magical term called defendant. Really, not a place to be. So you can say, if we can argue that the warrant is invalid, it was improperly executed, or that consent was not freely and openly given. See, that's why I talk about don't let the scope expand. If you say, oh, in that box or stuff, may I look, often your answer should be no. 'Cause that's how most of the drug cases I've worked on, that's how they get them. Do you mind if I look in your trunk? Sure. If you're carrying two kilos of heroin, the trunk is no. No, really, yeah. Well, we're gonna bring drug dogs. Fine, because at least then if you don't open the trunk and go, what's that? 'Cause you're not gonna, once you've done that, you're not talking your way out of anything. Bob put that in there. No, no, no, no, no, no. If it's, well, we got a warrant, we opened the trunk and there's two kilos of heroin, you go, I'm never renting another car from Avis again. Okay, so going back, shut the fuck up.

Okay, cleaning up afterwards, IT, cut over to another site if you can, restore from backup, think of this as disaster recovery and go back to work. Okay, yeah, ooh, well, wait a minute, no, 'cause you have, you're backing up from tapes.
Okay, oh, I'm sorry, the gist does, if you've got backup tapes of what may be exculpatory evidence, do you restore from those? I think yes, because the tapes aren't changing. You keep, you make an archive of those tapes, hold those aside and if you're the defendant, usually though, I think if you're a defendant, your bigger trouble is not going to jail versus getting the site back up. If you're the ISP of the defendant, sorry Bob, yeah, I think we can let you out of your contract 'cause you're in jail now. That's your biggest concern.

Okay, there are warrantless searches, which are, there isn't a warrant, the cops wanna look at your stuff anyway. There are exceptions. Search incident to lawful arrest, if you're picked up outside of here and you're carrying something you shouldn't, if the arrest for something else is valid, they can search you. Anything found on you is coming in as evidence. Automobile searches, now this comes in with the regulatory searches. If they find, there are a couple cases of people crossing national borders with laptops containing contraband, namely child porn. That's like the big contraband. There are two different cases saying yes they can, they can do a forensic image of your machine 'cause you're just going into Canada. No problem 'cause, no nothing. There's another case saying no, that's bullshit. So right now if you are carrying stuff that would get you in trouble, be careful. Probably don't cross the border with it, at least not on you. If, I mean, one that came up during another conference someone threw out, FedEx it on DVD. Like, okay, I kinda like that, just not to your own name.

The more interesting one is exigent circumstances. I'm an emergency, it's something that I don't have time to get a warrant to make this happen.
Heckenkamp is out of, I wanna say Minnesota but I might be wrong, IT staffer, just hacks into a computer attached on the network of a university, doesn't delete anything but just kinda makes a note of the directories to say I think this is this machine has this folder structure. Doesn't take any data off of it. It's still technically a violation of 1030, the Computer Fraud and Abuse Act, but they let the data come in for a conviction against Heckenkamp. So they do allow some searches. Now that's a search done by a third party, not by a government agency. The rules change if it's Joe Bob versus the Feds.

One other kind of interesting exception to that is the third party search. If Joe Bob is not being paid by the Feds, asked to do something by the Feds but finds evidence of a crime, they can break all your shit, hand it over to the Feds and the Feds can prosecute you based on that or the state can prosecute you based on that. There's a Steiger case, which is really weird, it's this, according to the story, he's Turkish, unknown hacker, breaks into a guy who has child porn on his computer, sends all the information to the FBI and says, I found all this porn, go get the guy. And the FBI's response is, thanks. That was an easy one. And the guy goes to jail and says, well, wait a minute. You had someone break into my system and the Feds honestly say, he did it on his own, we didn't ask him to do that. And that's valid, that evidence is coming in, I can't get that kicked.

And then there's permissive searches, and permissive searches, like the guy with the two kilos of heroin in his trunk, sure you can look in my trunk, sure you can look in my PC. Even if I'm borrowing your car, it's your heroin in your car, I stop, cop, pop, sops, can I look in the trunk? I say, sure. Heroin can be used against you. I may have even had no permission to have the car in the first place, I could have stolen it.
But because the cop didn't know that at the time, I had apparent authority to grant the search. There's a case, I forget where Andrews is out of, where dad who knows nothing about computers, he's like a 78-year-old ophthalmologist, lets someone look at his son's computer, he doesn't even have the password, he lets them break into the system. He actually has a BIOS password. They, according to the affidavit, they immediately yank the drive and EnCase it, which gets right past the BIOS password and find child porn. Apparent authority is enough. Cop in good faith, however thin that is, says, I thought the guy was letting me do it, we're in.

Okay, wiretaps. These are a little bit nastier because they're hidden. You don't know, you know when you're having a search warrant executed against you. You don't know when a wiretap's executed against you. Wiretap requires, has to specify the target, does not have to necessarily specify a specific box. It can say all communication services used by X. It's called a roving wiretap. It can only be granted when there's no, there's no less intrusive method. I can't just search his box. I can't just break into his house.

And CALEA, unfortunately, this is what we call, what's known as a bare statute. There aren't many rulings on it, so I don't, no lawyer can honestly say, I know what this means. They'll say nice wishy-washy things like, that should mean this. And it's like, well, you shouldn't have gone to jail or you shouldn't have paid that fine, but I'm sorry, the judge didn't like my explanation. And that's why lawyers go home and eat and you go home to jail. So there's a scary bit about CALEA that says that any data pulled from a CALEA-compliant wiretap or data wiretap has to be transportable back to the FBI with no interference by whoever has the network facility. So it seems to be that it's an opening up for like, there's a CALEA backdoor in every CALEA-compliant router.
I'm sure if some of you found that backdoor, you would keep it quiet for national security reasons.

Okay, hack profile. It's stealthy and incriminating. No one will know what's going on. And I don't even know how you'd find one. You know, if it's something as dumb as like a layer one, you know, it's just a, you know, you're replicating a port. I don't know how you'd find that anything's happening. Like there's 0.002 more latency in this router than that router. You know, I mean, usually my response is like, bad copper. Yeah, I don't know. And you won't know until after you've been charged with the crime when they're like, well, we have all this evidence. Where did that come from? Oh, shit, there's us talking about the drug deal.

So defenses, strong encryption with limited distribution of the keys. If the ISP or provider holds the keys, like, hey, we are offering you a secure VPN and we handle all of it. All of a sudden that's less secure to a wiretap because the feds can say, can I have the key? Oh really, it's not really, can I? It's give me the key. A grand jury can subpoena keys. Even if you're running your own, you have all possession. Anyone in between you and who you're talking to is completely out of the loop for your encryption. They can just show up and say, we're subpoenaing your key. We wanna look at your stuff.

And there are national security letters and if anyone's ever had one, you are now allowed to show them to an attorney. I will represent you for free because I wanna see one of these things. I'm curious if they look like a Wonka gold ticket. People I've heard of, ooh, I've heard of them. Like, they're talking about Loch Ness Monster. Okay, it's a document. It's probably written in English language. It says, give me this. I'm just curious to see one. Now, legal attacks to prevent a wiretap. You can argue there's no probable cause. There's some flaws in it. The information can be suppressed.
If innocent communications are captured, a particle says that no innocent communications can be captured in a compliant wiretap, but it's up to the provider to make sure that no innocent communications are captured. So I don't know how you do that. That's sort of like, we don't know what that means yet. But there are possible civil remedies. If you happen to have the same ISP as Joe Drugdealer and they capture all your emails, well, you may have some civil remedy against them. Please don't ask me about the NSA wiretap because I'll just start spitting profanities.

Okay, now let's get into civil stuff, which is what I do more of. The criminal stuff is sexy, but the civil stuff is the bread and butter of what I do. It's a court-backed order for information. You must give me stuff. It's not actually a court order. It's not issued by a judge. It's issued by an officer of the court, such as me, such as a grand jury. Or regulatory agencies can often do limited subpoenas. Two basic types, duces tecum, ad testificandum. Bring us information or let us look at stuff or come and testify under oath. Violating a subpoena is bad. They can go after you for civil contempt. They can jail you in some cases. So it's really hard to fight them on, I'm not doing it. You can go to a lawyer and say, help me fight this, but really on just on your own, unless you can get out of the country and you don't have any assets here, they're really hard to fight.

There's no right against self-incrimination in civil cases. So if there's evidence of a crime in that subpoena, you have to make the choice of, well, I guess I'm gonna not give it to you and say I'm taking the fifth and it can limit you in a civil case there's both civil and criminal litigation pending. And you have to specifically say, I don't wanna incriminate myself and all of a sudden it just, it raises red flags. There's a limit on how wide a subpoena can be.
It has to be, the expense, it has to be relative to the size of the controversy. If I'm suing someone else for $10,000, I can't order a subpoena that says, give me all the emails you've ever sent. Like clearly that's gonna be damn expensive to do. Also realize that subpoenas can be used against third parties. I can go to your ISP and subpoena them for your stuff. They can say, what's, why are we involved? Okay, we have to still deal with that. And I may not even have to pay them for that. They may just be out of pocket. Depends on the local laws. Some states allow it, some states don't. No privileged material, and that's limited to attorney-client, some doctor-patient unless that's the nature of the controversy, some national secret stuff. And I'm quoting from Pennsylvania law, not for harassment or improper purpose, whatever that means.

So what's the attack profile? I like to think of that as intrusive, mysterious and dangerous as hell because it can crack you wide open. And it's mysterious. What the hell do you really want? Because invariably, you're gonna write one that's broader than you need to so you don't know really what it is you're looking for. Because you wanna write it broader, expecting the other side to narrow it down. It's like negotiating for something. I want a $100,000 salary, but we'll offer you 50 and eventually gets a 75. Can force you to admit incriminating facts. It's scary. You just kind of cracked wide open.

Okay, defenses, IT, mitigation. Easily searched indexes of all your electronic documents in the enterprise. That is harder than it sounds. Because it's not just your file servers. Recent rule changes allow any electronically stored information. That is undefined. So that could be voicemail. Yeah. In a subpoena, they can say, that's sort of the space we're dealing in. Like this is all the menu that we can order from is all electronically stored information.
So you can say, if the subpoena is more narrow, I want all email from this date to this date versus I want all electronically stored information ever generated by you. One's fairly narrow, one's fairly vague. And the other defense to this is a clear and followed data retention policy. You wanna be able to say, we don't have that. It was destroyed. We keep data for three years and at the end of that, the tapes go in the shredder. The old computers get smashed. Old drives get burned. So that way you can say, no gots.

This is potentially unethical, the concept of stonewalling or compartmentalization. Having worked at some really terrible IT shops in my past where we didn't know what existed. So one person could say, that honestly, this is the only data we have until someone shows up with a crate of DLTs. I was the guy that one day, after signing an affidavit saying, this is all the data we have on this, a crate of DLTs shows up, I'm like, what's this? That was a bad week. And black holes where there's, like what I'm talking about, this crate of DLTs that I don't know where it was stored. You can store information, but provided that you never ask that person where the data is. So you have like a custodian that their job is to hide and move data.

Legal defense, it's motion to quash. You can say the subpoena is too broad. It's, you're trying to get privileged information. You can't get that. You can do a protective order, which is instead of quashing, eliminating the subpoena entirely, it's basically let's limit this to something that actually matters to the case that we're fighting over. Encryption keys and passwords may not be, may not be immune to a subpoena. Content of messages held by a provider under 18 USC 2510 et seq. can be protected if unless they are directly relevant. Yeah, is there a question? There's, okay, when I say might, it's because no judge has said yes or no.
Looking at the statute, it seems to be that there's a protection, but we don't know how wide that protection is yet. So when I say may it's because there's a statute out there that no one, no judge has said what it means. So that means that I as an attorney go, it might mean this, it might not. I don't know. And our, what we'll say is, that's an interesting problem, which means you're gonna be spending a lot of money. That means that me and someone else is gonna be billing at whatever rate is to scratch our heads about this. Scary.

Okay, discovery. This is 95% of my day. When you, it requires a filed suit. Someone is suing someone else over something. It works like a subpoena against the parties of the suit. Why it's nastier than a subpoena is there's automatic disclosures. You have to determine that there's a bunch. When you're sued, you just have to hand over all the relevant information. What the relevant information is, is up to debate. If you don't hand over enough relevant information, or you withhold some relevant information, you may be barred from using it in court. You may be sanctioned. It's an ugly, ugly problem, because unless you negotiate with the other side to go, we're gonna limit discovery. We're gonna come to some, because otherwise it's just, it's a free for all. It's nasty.

There's the automatic disclosure rule under the new Federal Rules of Civil Procedure that says you can either hand over all the locations and types of ESI that you hold that's relevant to the dispute. You can claim that we're not actually gonna deliver to you because it's unduly burdensome. Usually this is some proportion. This is some cost-benefit analysis of it's gonna cost us how much money and how much time to produce this information and how much money are we actually talking about in the suit. I have dealt, one problem my company has been doing, I think we've billed maybe a quarter million dollars on this Tivoli system that makes me just a bad, bad cluster fuck.
I think we've billed, this building is just like vomiting money and can't we get a limitation on this and the attorneys keep on saying, no, continue working like, but I don't want to. You're like, I'll write the order. Trust me, I'm a lawyer, I can do this. I'll write the quash order and please I'll research it for free because I don't want to look at this stuff anymore but that's a side remark. You can supplement it with additional orders against parties. Oh, I also want this, give me that. And what you deliver, what you disclose to the other side has to be in the format that your organization uses.

I often love when hackers come up with like, but aha, you can do this. I'm like, no, no you can't. One question was, what if all of our ESI is in Klingon? And either the answer is that's not the form used in business or you are the biggest nerd on the planet. If your company, if your company's business language is Klingon, dude, that's all I gotta say. Like, I mean it's possible because I've dealt with some where it's like our business language is Dutch but it's an American litigation, and then it gets fighting like, who's gonna translate this? And it's like, well, we need to find a bunch of attorneys that speak Dutch, but that are barred in the United States. Like, okay, all 20 of them have already been hired. Not Dutch, but sometimes it's like, even weirder languages. And then you get the phone call like, hey, do you know anyone who speaks Uzbek? No. We need 18 of them. Yeah, sorry. You can also subpoena third parties for responsive information.

Yeah. Well, okay, no, that's a good point. No, it's a very good point. I have dealt with this because it's, we're, you know, and invariably you have that IT shop that backs up that really old system because that's how the database works. And yes, it's seven millimeter tape. You know, well, what happens if it breaks? eBay. You know, it's like, dude, I haven't seen a Singer Friden tape drive in years.
Like, I saw this in WarGames. Yeah, we bought that one. You know, like, and invariably, you know, working in an IT shop, you know, 'cause it's like, well, we can't get rid of it. 'Cause, you know, all the coders are dead. And then you have a question of, it is overly burdensome to deliver. 'Cause it's, you know, either you walk in and go, you know, with your banker's box full of seven millimeter tape going, there you go. I mean, I've done that where it's like, hey, can we do this? 'Cause someone said, well, we'll just hire an e-discovery company like my employer to go and fish this out. And we had one where it was like 200 boxes of floppies. And I'm like, okay, I can do this. Oh, but it's Macintosh. Like I'm a Mac geek. You know, I can, I couldn't find a drive that read 400K Mac floppies. Like, dude, I remember these. And I'm like calling up like, you know, the old Mac shops going, dude, do you have any like Mac Pluses kicking around? How many? I need all of them. What formats are, you know, like, and I'm like thinking like, even then, wow, this is in, you know, like, this is in a word processor that hasn't been coded since 87. I, we may not get good data out of this. If you're looking for the smoking gun look elsewhere, but okay.

Okay, but back to destruction of evidence. This is often a tempting thing for people. What if I hide it? What if I inadvertently destroy it? No, if you get caught, it gets ugly really fast. There are numerous cases of sanctions in the tens of millions of dollars for spoliation of, for intentional spoliation of evidence. You get sanctions to counsel. Lawyers get, lawyers like very cavalier about, well, this is going to cost the clients some money. No, we build a law firm for, for if the lawyer advised the party to destroy the information, that can be disbarment. That can also be a multi-million dollar fine that the lawyer has to pay and we don't like paying money. You know, adverse inference instructions.
That's a legalese term for, you can say the absence of evidence is evidence of absence. It's evidence, we can use that to prove because there's no evidence of this and because they destroyed whatever evidence that may have existed, you can argue the opposite to say that did happen. That has happened. That's terrifying to a lawyer. It's like all of a sudden, your argument goes away. And the big one is dismissal of claims. Yes, you did have a valid claim, but because you destroyed the evidence that would have allowed them to defend against that claim, we're dismissing your claim. You're out the money, gone, bye, sorry. I like to think of the discovery attack profile as slow and expensive bleeding. Commercial litigation is like burning pimp rolls of $100 bills and saying, oh yeah, what you got? I got two of them. And you're just burning money and it's like a chicken game. You're hiring very expensive lawyers at three and four and $500 an hour to sit and bloviate and it's just burning money until finally someone says this ain't worth it. You know, can we come to a settlement? It used to be, e-discovery can get crazy expensive because there are, you have attorneys that don't know anything about technology, you have technologists that won't talk to the attorneys, and you have people like me who are like, okay, I have to explain everyone's a two-year-old, and which is why, okay. The old rules were fairly vague and so lawyers would just not talk about electronically stored information. We like paper, boxes and boxes and boxes of memos and paper. And you would mention e-discovery, because the old rules allowed like we can look at your databases. That was, I think it was data compilation. So you would do that to kind of say, fuck you to the other side and the other side would go, okay, you know, we'll back down. It's sort of a mutually assured destruction. The new rules were clarified, which means that every attorney is panicking because we don't know what they mean. 
You know, they're written in stone but no judge has said what they really mean so we don't know what they mean. There's mandatory disclosure. Once you're sued or once you sue somebody, you have to start just handing over stuff and you get to review it to make sure it's not privileged or that it's not relevant, but you just have to start dumping data and then there's a conference that says, well, formats, you know, you've got that old Singer Friden tape drive and you go to the other side and go, do you really want that? You know, it's gonna be really expensive for us to give that to you. Are you gonna pay us for it? You're gonna compensate our costs? And the rules are changing really fast. There's one case called, it's Bunnell v., I think, Universal, also known as TorrentSpy. It changed a duty to preserve into a duty to collect information. And I'll talk about that in a little bit. Defenses against discovery, IT stuff, ability to quickly and efficiently and completely, completely being the operative word, locate and retrieve information, all the information in your shop. I want everything that is relevant to, Jane Smith, Jane Smith was fired, she claims sexual harassment. Our company claims that she was incompetent. Typical case. Now we want all the emails. You want to show all the emails that say, Jane's incompetent, Jane's incompetent, Jane's incompetent. She wants all the emails that say, Jane's hot. And that's how these things break out. Now, of course, because it's electronically stored information, not just emails, not just Word documents, she can ask, I want the voice mails because that's stored information. And all of a sudden you're looking for these smoking guns. You're looking for, because you may be able to show if you're the company. See, I've got all these documents saying she sucked as an employee. And I got five voice mails describing something else. 
All of a sudden, and of course at that point, once you've found them, all of a sudden people get really interested in settling because you never want to play those in an open court. You want to be able to put a price tag when thinking back to the Singer Friden tape drive and say, it's going to cost me $10,000 in tech hours and necessary equipment to convert all that into straight text. Because that's important to say, it's overly burdensome. You're suing us for a 10 grand problem. You want $125,000 worth of information. No can do. You want to quickly determine privilege. Flagging emails as, biggest one is privilege review. I've done a couple of these and it's reading everybody's email to find out if you emailed an attorney asking for advice. It's like, why are we doing this? But because we can't show those to the other side because there might be something magical in it. You want to be able to quickly flag stuff that say, this is to corporate counsel about this. All of a sudden it's no longer discoverable. You want to be able to flag that somehow. Archival and indexing solutions so you can quickly do that. I really like search engines that crawl against all your internal data. And you want to be able to have, preserve that. Once you've been sued or once you're suing somebody, you want to be able to say, we're not deleting anything. All of a sudden, all this data is getting held. If you spool it off to a backup, if you spool it off to a separate litigation server, yeah, no, no, no. Okay, interesting question. Do you get automatic privilege if you CC the lawyer? No, because it has to be a request for information or like, dear attorney, what should I do about this? That's asking, that's privileged. Or the attorney responding saying, this is what you should do. If it's all stuff gets CCed to an attorney, it's not magically privileged. Cause I can't say, hey, let's go to lunch. Want to invite Bob? He's in the legal department. 
Not privileged, even though you CC the lawyer. Yeah, yes, yeah, trade secrets are also privileged unless of course, the case is about a trade secret. Yeah, in the back, right? I'm sorry, what was the question? Oh, I don't know what law is making you keep the stuff. So it may be different. I would think that you would want to have a coherent retention policy. Cause that way, the important part about it is when you're doing the retention policy, you want to follow it. You want to make sure that five years and one day, are we litigating about this? Nope, put the box in the shredder. But nothing goes in the shredder. Cause that way you can say, five years and two days, we've been sued, this is all the information, it's gone. Cause that's the scary thing. I talk to lawyers who say, well, I want to hold stuff. And you're like, you're talking about blackholing. That's a scary place. Cause it's scarier for people like me cause we'll get disbarred. It's not like the client's losing money, like I'm losing my license. I have to go back to working in IT. So enforced and rational. You can't, I've dealt with some companies that do like a 22-day email retention policy. And that's like doing the mandatory daily change of your password with strong passwords. Means that post-it notes will hold the password on the monitors. Like we know that, that, that sort of tension between like really militant, like this will protect us. And this is just opening another door that we're not thinking about. So you want to have them rational, but you want them enforced. You want no loopholes. You want to make sure that you can say, you know, we hold stuff for five years. Five years and one day we have a burn party. It's gone. Okay, legal defenses. There's, you can oppose the discovery order showing costs and burden. However, in the Columbia versus Bunnell, or TorrentSpy, they said, look, it's overly burdensome for us to log IPs that are coming into our web server. They're using IIS. 
The opposing counsel showed the IIS manual and said, you can turn on logging by clicking this button. So the judge was like, nice try. No, you have to log IPs because they went in and they tried to argue something that was bullshit. And the other legal defense is what I like to call drinking from the fire hose. I'm going to give you so much information you're going to cry. I'm going to increase the cost of litigating this against this by giving you repetitive stuff, giving you responsive but useless information. Okay, and I want to talk about working together with those bastards in the law department. Pre-discovery, IT people can quantify the effort to get inaccessible information. How much is it going to cost to pull that data off that stack of old Mac disks or the seven millimeter tape? You can then, the law department can then use that information to restrict the discovery or the subpoena. During the discovery, IT can assist in specifying incoming/outgoing discovery methods. Because you get this conference called Rule 26 conference where you get all the sides together and say, how are we giving you that data? Case in point, company A is on Lotus Notes email, company B is using Exchange. Well, we can't read those emails. Well, we'll convert them to a third format or we'll convert them to Exchange. The IT guy can explain, here's the, no, it's, you know, that's really easy. That's impossible. Let me show you how we can do that. Counterattack, savvy IT person at the Rule 26 conference can call bullshit on the other side. Can call bullshit on, you know, oh, but it'll be so expensive to turn on logging. No, it wouldn't. You know, you just did like, duh, no. And you can be, that's, you can be a really, really useful asset to your company by being there and explaining stuff. Of course you have to explain stuff to like a dumber level than users. Two minutes? Okay. IT and legal don't work together. 
You get what I like to call the death spiral where you start hating the other department and everything breaks down. I have some more stories about that. I'll happily tell them in the other room. Transitive trust. This is, you get the information from the weakest link. B and C hold the same data that you want. You go after whoever is more willing to give you information. The two cases I'm thinking of and the one that's really important, I think right now, as anyone, I'm sure some people have heard the Fyodor versus GoDaddy and MySpace issues where he was hosting passwords to MySpace and MySpace, instead of going to him and saying, take this down, decided, well, because he'll fight. He might come back at us and say, no, I'm not. He goes to GoDaddy who says, huh, six bucks a year? Lawsuit. And gone, boof. So know what information you've got, know what information you share with other people to protect from a transitive attack. Have defense agreements that let you work with them to say, look, if someone comes sniffing at you for information, let us know. So we can step in and say, no, no, no, no, you don't, you cannot get that information. If you're in sort of a mutual information sharing, it's that way, it's like, look, how much will you reimburse me to fight this? And you do a contract between the two. Jurisdiction issues, can you host information in a nation that grants greater privacy rights? That's becoming a bigger and bigger issue because the Europeans grant far wider privacy rights than we do in the United States. Well, thanks. I think we're pretty close to done. So I'm not sure what room we're going into or I'm available in for more questions and whatnot. Thank you.