The same technologies that make cloud computing possible (i.e., the pervasive availability of high-speed wide-area network connections for devices of all kinds) have also enabled the capture of data related to virtually every aspect of our lives. Smart devices are in communication with central data repositories exchanging information about our personal habits and preferences, where we go, and what we do. E-mail and other communication are available at our fingertips, no matter where we are, and a host of social media applications keep us in constant communication with friends and business contacts; this data is also correlated in databases designed to help marketers serve us with advertising intended to be specific to our needs.

The industry and technologies that capture and collate this expansive set of personal information is often referred to as Big Data. Big Data vendors promise enhanced customer interactions, more specifically, the ability to more accurately target potential buyers at the moment they are considering a purchase; this is their stated reason for collecting all that data. Device and operating system manufacturers design their systems to capture and share data with Big Data, and, in turn, utilize big data to refine their offerings. Advertising revenue driven by Big Data is the engine that makes many of the services available in the cloud “free” of cost.

From a litigation and investigation perspective, there is more data available about a subject than at any previous time in history. Much of the data captured would be of direct interest to investigators or parties to litigation depending on the particular legal issue at hand. Cases emerge every day in which attorneys and investigators apply an innovative investigative analysis to data to create a picture of the subject or to support theories about events leading up to the case. Today, investigators and attorneys need to understand the types of data available about subjects, and how to access such data.

Data can reside on a local device, for example, a personal computer, tablet, or smartphone, or it can reside in the hands of a third-party service provider, like Google, or other third party. Technically, accessing data on a local device is relatively easy, and accepted forensic procedures are defined to allow such data to be used in a legal forum. From a legal perspective, accessing data on a local device can become complicated depending on specific circumstances of the case and the device; many of the nuances of such discovery are covered in detail in this book.

For civil litigation, discovery often hinges on ownership or control of a device. Some devices have clear ownership: for example, a company-owned computer installed at an employee’s workstation. Many companies have computer use policies that clarify the ownership of the device and all data included on the device. Under current laws and regulations in the United States, a company should have little trouble examining the device for relevant data and using that discovery for litigation purposes.

On the other hand, some companies allow employees to bring a personal tablet or smartphone to the workplace, and allow them to be used for business purposes. This has become known as Bring Your Own Device (or BYOD), and it tends to muddy the discovery process. Courts are still deciding whether the company has a right to access the device without the owner’s permission, and to what extent such data can be used. Divorce cases frequently involve the family computer, one that is used by both parties to the litigation, and may contain financial information about the family unit, or each party individually. Under many circumstances, either party would be able to access the device and obtain the underlying data; however, in certain circumstances, access may become complicated.

On the criminal side, examination of a device may fall under criminal search and seizure procedures that may not yet be universally applied. If a suspect is arrested, do the police have a right to examine the contents of a smartphone found in his possession? What about computer drives or flash drives? Some law enforcement agencies have claimed a digital device is a “container” that is subject to search the same as a suitcase or purse. Courts have differed on the interpretation, with some jurisdictions requiring an additional search warrant and some that allow the search.

Accessing hosted applications, including e-mail systems, social media sites, and cloud computing solutions, is often driven by identification of the “subscriber” who would have control over the account. The subscriber is often the person who can authorize disclosure of the contents of the systems, and courts differ on the procedures for compelled disclosure. Discovery of data hosted by third-party service providers is generally covered by the restrictions of the Stored Communications Act (SCA) of 1986, which prohibits a service provider from releasing information to a third party. Accessing data held by a third-party provider is frequently the subject of litigation, and courts frequently differ about the type of data protected by the SCA and procedures to access that data.

An Example of Third-Party Data: Google Search Engine

Google is not exclusive in their data-gathering activities; these are highlighted here as an illustration of the extensive types of information captured.

The Google search engine records and collates every search a user has ever performed when logged into Google services, irrespective of the device with which the search was initiated or the Google service that was used. Google services include web search, image search, news search, Gmail (both personal and corporate), YouTube, and Maps, among others. Once a user signs into Google services on a device, Google starts tracking search activity. Let’s say a user signs into their personal Gmail account at work, and performs some web searches using Google. Then they go to lunch and use Google maps to find the restaurant. Both searches will be recorded in the search history for that Google account. Google also accesses and stores information directly from the mobile device, including call information and location data.

Google describes collecting such information in terms of providing a better experience, like providing advertising specific to your interests or finding the people who matter most to you online. The extent of data collected by Google is expansive, and is described in their privacy policy:

• Information we get from your use of our services. We may collect information about the services that you use and how you use them, like when you visit a website that uses our advertising services or you view and interact with our ads and content. This information includes:
  • Device information
  • We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate your device identifiers or phone number with your Google Account.
  • Log information
  • When you use our services or view content provided by Google, we may automatically collect and store certain information in server logs. This may include:
    • Details of how you used our service, such as your search queries.
    • Telephone log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information, and types of calls.
    • Internet protocol address.
    • Device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request, and referral URL.
    • Cookies that may uniquely identify your browser or your Google Account.
  • Location information
  • When you use a location-enabled Google service, we may collect and process information about your actual location, like GPS signals sent by a mobile device. We may also use various technologies to determine location, such as sensor data from your device that may, for example, provide information on nearby Wi-Fi access points and cell towers.
  • Local storage
  • We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.
  • Cookies and anonymous identifiers
  • We use various technologies to collect and store information when you visit a Google service, and this may include sending one or more cookies or anonymous identifiers to your device. We also use cookies and anonymous identifiers when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites.¹

A user’s Google search history is available at www.google.com/history; the user must sign in with their Google credentials to view their account. Once in the account, specific items may be flagged and removed by the user.

Consideration of Data Points in Discovery

In a data-driven world, discovery procedures must be updated to consider data points from new sources. They should also be flexible, based on the particular circumstances. The age-old concept of “modus operandi” now should include a subject’s interface with the digital world; in many cases, the subject may not even realize he is creating data points. Considering available data points is a different process than attempting to access the data, which will present technical and legal hurdles; the first step is to consider what data may be available regarding the subject. Like many other areas of litigation, this is an arduous task, as the possibilities may seem limitless. However, to facilitate the process, it is often helpful to break the possibilities down into more manageable subcategories. Below are common examples of data created in the category described; it would be impossible to innumerate all possible data sources within a single book. Also, please consider that systems and applications change extremely rapidly, and newly introduced technologies create new categories of data.

Creating an eDiscovery Plan in a Cloud-Based World

Cloud computing means that important systems and data may be hosted outside the four walls of the organization. Traditionally, investigators could image key computers and servers within the organization and have a copy of all the organization’s data. Today, cloud applications mean that key applications and archives may not be easily identifiable. However, a methodical approach should still identify all key systems. One key difference is that investigators will be looking for clues to the existence of relationships with cloud systems, not necessarily the systems themselves. Additionally, discovery may become a multistep process, with identification of systems separate from attempts to access the data. As more data is produced, additional hosted systems may be discovered.

The following is a generic outline for considerations developing a discovery process considering the possibility of cloud-based systems. Based on the wide variety of litigation and criminal investigations, this should not be considered definitive for a particular matter and does not constitute legal advice:

1. Provide interrogatories and production requests regarding use of hosted systems and cloud-based applications; interrogatories should require identification of the system, vendor, purpose, subscriber to the service, and internal administrator of the service.
   1. As a key system, specific interrogatories should ask about e-mail systems employed by the organization. If the matter is related to an individual, interrogatories should ask them to identify each and every e-mail account utilized by the individual.
   2. The interrogatories should be as broad as possible, and differentiate between systems subscribed by (under the control of) the company versus systems subscribed by the individual.
   3. Interrogatory answers may not identify all the cloud systems in place, but will be important to attempt to extend discovery if additional systems are noticed late in discovery.
2. Interrogatories should specifically identify document retention and archival procedures and vendors used in the retention process for both paper-based and electronic documents. Cloud solutions frequently include data archive systems, and archive information may contain useful information. Identify the vendors used, retention requirements, and litigation hold procedures.
3. Categorize systems between internal systems and cloud-based systems.
   1. Internal systems and data may generally be accessed through production requests and traditional discovery procedures.
   2. Data hosted with third-party service providers (i.e., cloud-based systems) may fall under the restrictions of the SCA, and may require authorization of the opposing party to allow the third party to produce the data.
4. Catalog all devices used by a subject. The device list should include assigned computers and workstations, company-issued tablets, and smartphones.
   1. Additionally, identify any personal device used to conduct business transactions, including home computers or BYOD devices.
   2. Prioritize devices for examination; work with a digital forensics specialist to obtain images of key devices.
   3. Images of the devices should be examined for evidence of undisclosed cloud systems, including shortcuts, saved favorites, and browsing history.
5. Obtain and examine e-mail records for evidence of other systems. This may include discussion e-mails, updates from the vendor, changes in service notifications, etc. Be sure to follow up on any previously unknown systems.
6. Examine payables records and credit card statements for payments to cloud vendors.
7. Deposition questions should be based on an understanding of the business, and include questions about how key transactions are processed.
   1. Note and follow up on any differences from previous discovery procedures.
   2. Consider deposing a lower level person in the organization for questions regarding procedures to record transactions and process functions; often they will be the users of systems and will describe the systems used.

Production of Cloud Data

Beyond the restrictions of the SCA, production of data from a cloud system is different than traditional eDiscovery procedures. Traditionally, an investigator could image the entire computer and obtain a copy of the entire drive; procedures could then be applied to the data to find content related to the case. In a cloud computing model, organizational data is stored in a virtual server containing the data of possibly thousands of other clients; obtaining an image of the entire server is neither technically nor legally feasible. Investigators typically do not directly search the cloud computers for the information requested. Instead, the warrant, subpoena, or authorization by the subscriber directs the service provider to produce all the content of the account or accounts desired, and the information produced is then reviewed by investigators for items that fall within the scope of items to be produced.

As the cloud computing market is still under development, forensic procedures to be applied to a cloud-hosted system are still being built as well. As more data is moved from internally hosted devices to the cloud, the challenges of litigation will continue to grow. Vendors of analytical toolsets will continue to improve and expand their product offerings as demand will grow, and it is a good practice to remain abreast of developments in the cloud computing market as well as in the digital forensics solutions market.