26 June 2007

Cyberspace July 2007

Destroy evidence? Who me?

I recently spoke at a conference about the destruction of evidence. This has become a hot topic since Victoria codified the common law relating to the destruction of documents. The main thing that the legislation really adds to the situation is personal and corporate criminal liability. However, it does bring to the fore the fact that even trying to obscure a car engine number or Vehicle Identification Number can run foul of the law, since it is obscuring a record of information.

We know that we can't destroy things that may be required as evidence in proceedings. But, do we need to create evidence? A US District Court judge thinks so.

Some background: Generally speaking, a "server" is a computer that provides services to one or more other computers. You might use a file server at work or even home so that more than one person can see shared files. A web server dishes out web pages to possibly thousands of people at a time, and so on. Anytime a server does something, it may, or may not, keep a record of what it did. It does this in a "log" which is just a journal of activity. For example, a web server will often keep a log with the time, date, address of the requesting computer, the item requested, and the result of the request. However, there's no need to turn on logging, and since it impacts on the performance of the server it is common to leave it turned off.

So, let's say you run a server (in this case, a bittorrent server) that is probably used mainly for sharing copyright material. You don't turn on logging - it slows the server, and it's probably better (from your point of view!) that you don't keep a log of what your server's been up to. Columbia Pictures isn't very happy with you and the people who use your server. Columbia: "tell us what your server's been up to." You: "I don't know, I don't record that information." Columbia: "Ah, but there is a moment in time when your server DOES know who's using it and what it's doing, because otherwise it wouldn't know where to send the downloads!" You: "True, but that's in Random Access Memory (RAM) and it's only there for a little while, is inherently volatile, and then the server moves on to something else." Columbia: "So in fact, you do have a record, but you're choosing not to preserve it. Gotcha!"

Create evidence - who, me?

This argument was recently run in interlocutory proceedings in Columbia Pictures Industries et al v Justin Bunneli et al, USDC, Central District of California, CV 06-1093. The court found that the data in RAM "constituted electronically stored information and was within the possession, custody and control of [the] defendants." The court ordered that the defendants "preserve the pertinent data within their possession ... and produce any such data in a manner which masks the Internet Protocol addresses ... of the computers used by those accessing [the] defendants' website ..."

Columbia wanted the IP addresses of users, names of files requested and the dates and times of such requests. Traditionally this might have been termed "fishing" in Australia, but to be fair, it must be very frustrating to literally see your content being misused without a way to find out who's doing it. The movie industry doesn't want to just go after the web masters - they want to get the consumers as well. It's a bit like drugs - do you concentrate on users or dealers?

The judgement is a minefield of perceptiveness and woolly thinking. It covers far too many issues to consider here, but the big one is - where information is intrinsically ephemeral (ie data existing only in RAM), can you be forced to create a separete record of that information solely for the pupose of legal proceedings? In this case, yes. In fact, the judge even required to defendants to change their business process and turn on logging!