State Bar of Texas Annual Meeting 2018: Preserving Mobile Device Data

State Bar of Texas Podcast

State Bar of Texas Annual Meeting 2018: Preserving Mobile Device Data

07/26/2018

[Music]

Intro: Welcome to the State Bar of Texas Podcast, your monthly source for conversations and curated content to improve your law practice with your host Rocky Dhir.

[Music]

Rocky Dhir: Hello and welcome to the State Bar of Texas Podcast. This is Rocky Dhir, and you know, I am having so much fun.

You know, why I am having fun? It’s because I get to be at the 2018 State Bar of Texas Annual Meeting in Houston, Texas. So, I am from Dallas, this gets me out of the house and it gets me meeting with some fascinating people. And I am going to get to introduce one of those fascinating people to you here today.

We’ve got Craig Ball. Craig is — he is literally a master of all trades because he is actually a special master on Computer Forensics. He has been hired as a Computer Forensics Examiner in cases. He is also an expert in Electronic Discovery and Electronic Evidence. He is quite the whiz kid.

Craig Ball: Thank you, Rocky.

Rocky Dhir: So, Craig, thank you for being here.

Craig Ball: It’s a pleasure to be here. I am home. I spent most of my life in Houston. I went to Undergraduate School at Rice University, raised my family here, then I am going to break the code of silence right now, Rocky. You are fortunate to be in the best restaurant town in the entire United States. I don’t usually like to tell people this, but, Houston has more locally owned wonderful restaurants. The New York City and San Francisco put together.

So, welcome to my hometown.

Rocky Dhir: Wow. Now, see as a Dallas guy, there is that whole Dallas-Houston rivalry, right? So, it’s kind of Dallas people think they have got the best and Houston people think they have the best, and I don’t think the two will ever come to agreement on either one of those.

Craig Ball: Well, what can I say? I have lived here on and off 36 years and I can tell you that Houston is the greatest place to live, raise a family, earn a living. It’s just not a great place to visit, there is no there-there for tourists, but if you want to live a fine life at a low cost, Houston is the one.

Rocky Dhir: I don’t know. I think the Children’s Museum here in Houston is fantastic for little kids, you’ve got the aquarium, there are some great places to come in this town.

Craig Ball: I believe there may be some sports franchises nearby.

Rocky Dhir: Just a couple.

Craig Ball: Yes.

Rocky Dhir: Yeah, a few.

Craig Ball: But, I mean sure, there are things to do and if you have the good fortune to be shown Houston by someone who loves it, you are going to see a great Houston. It’s just one of those things where people who come through Houston they have the bad luck to be here in July or August, don’t see the city that I love and revere.

Now, mind you, I live in New Orleans now.

Rocky Dhir: Yeah, now you are living in a very fun place.

Craig Ball: I love where I live. I am very fortunate. Little known fact, New Orleans is the legal technology center of United States. As I look at the guests on Legal Talk Network, it seems like there is a huge coalescing of talent down in New Orleans, myself not included.

Rocky Dhir: Now, is it officially the legal-tech capital of the United States or is this your observation that is then turned into a hypothesis?

Craig Ball: You mean there would be a difference between my observation and fact? I dub it so. I am making the sign right now.

Rocky Dhir: Yeah, he is doing the whole cross with the hands thing, so I think he has just blessed himself. You did it kind of backwards, so I think you blessed yourself.

Craig Ball: I am sorry. This is the best an atheist can do.

Rocky Dhir: I think you did that on purpose. All right, so Craig, let’s talk for a second about computers and phones and electronic evidence —

Craig Ball: Now, we are getting into my religion.

Rocky Dhir: Well, yeah we are getting into your area, so here’s something that I’ve often wondered about and I think I would say, I’m probably not alone on this. If you’re a lawyer and you’re dealing with — you are trying the preservation of evidence, either for your side or trying to make sure the other side is preserved, what do you do about these devices?

I mean, the iPads, and the tablets, and the phones because so often we talk about preserving evidence in computers but what happens on the device side of it?

Craig Ball: Great question. But let’s start by asking the question, why would you possibly want to waste your time and money preserving a phone? Who’s using these phones today? Or wait a second, pardon me, what am I thinking, everyone, all day, everyday, it’s the single thing we are most unlikely to be separated from in our lives and they are instrumenting us by sensors in so many ways.

So, first, let’s talk — if I may, I don’t mean to co-opt your question because it’s a good one.

Rocky Dhir: I mean, I guess if you want to, you want to talk —

Craig Ball: It’s my show, never mind, it was your show, sorry. So, the first thing is let’s take a look at how these phones have infiltrated our lives and have become, if you will, virtual bards, writing down, following us, acting as silent witnesses to not only what we do and where we go, but essentially what we think and so forth.

(00:05:00)

So, the average user of a phone is using a phone for just under four hours a day and that’s average. So, if you are one of those people that says, I am normal, I am only going to use a phone for two hours a day, well, then somebody else has got to be using it for 8 or 6.

So, right away we have this level of usage. We have people going to their phones roughly 47 times a day in terms of active sessions and that’s only the ones where they’ve put in their code, their credentials. You are going to have doubled that if you start looking at interactions with just the screen.

So, what I’m trying to say is that our estimate of how dependent we are on these phones is often far less than the reality. We are interacting by gesture with phones per day, on average about 1600 times per day, each of us touches, taps, swipes the phone screen.

Rocky Dhir: I made gestures at my phone before, but that’s because it wasn’t doing what I wanted it to do.

Craig Ball: So, what I’m really trying to say here is we are interacting with these things so much. I loved it. When I go to New York, I will go down to old Chelsea and down the West Village and I will sit on a café and I will watch the people go by, walking home from uptown work, and almost half of them, if not more than half of them, are on their phones constantly while they’re walking.

So, the level of interaction is high. I sit at an intersection of two stop signs at my home in New Orleans and so I’ll have my coffee in the morning and I’ll watch the commuters coming through, and I will see how many of them are on their phones, texting while they drive. To the point that throughout America, texting while driving has eclipsed both driving while impaired by alcohol or drugs and speeding as the leading cause of collisions.

The number one reason you are going to go an emergency room, if your age is 16 through 24, is you’ve walked into a fixed object while you were using your phone. So, we are dealing with something that is parts of our body. We have no precedent for it in legal history certainly, in terms of something that is recording all that we do, where we go, and what we think.

As a consequence of that, it’s evidence and it has become a critical importance that we preserve that evidence because these devices contain unique non-duplicative, probative and relevant evidence in a great many cases.

Rocky Dhir: So, what types — what types of evidence are we creating on these devices?

Craig Ball: Well, it sort of depends upon the kind of case. We can start with something as simple as Geolocation data.

Rocky Dhir: Okay.

Craig Ball: By law, your phone is always recording where you are, even if you’ve disabled its Geolocation features.

Rocky Dhir: Oh, so, if I say don’t track my location, it’s still tracking my location?

Craig Ball: That’s because by federal law for now the last six-plus years, your phone to be sold in America must track your location and report it any time it is capable of being used as a phone.

Rocky Dhir: So, it doesn’t matter if it’s a smartphone or if it’s a flip-phone from like 1998, it’s still going to track you.

Craig Ball: Well, I was talking about within the last six years, but the level of resolution will change. An old flip-phone will have the resolution you would get by a cellular tower triangulation signal.

Rocky Dhir: Got you.

Craig Ball: So, you’d get in the neighborhood.

Rocky Dhir: Okay.

Craig Ball: You might get a little closer than that.

Rocky Dhir: Sure.

Craig Ball: But your smartphone has GPS Geolocation, and by law it has to resolve your location to a distance of no greater than 10 meters or about roughly 30 feet. So, our phones know that we’re sitting at this table together.

Rocky Dhir: Do you think that’s a good thing or a bad thing?

Craig Ball: We can talk about it from a moral standpoint. I think it’s a thing-thing. I think it’s an integral part of life that isn’t going to go away. I don’t see anybody using their smartphones less often or buying less sophisticated phones with less fewer features and capabilities.

So, I think it’s overall been a good thing. I mean, if you start looking at what mobile has enabled for us, there’s a reason why we’re looking at those phones all the time, it’s because they contain content that is irresistible to us.

Rocky Dhir: Sure.

Craig Ball: I mean, the whole industries could not exist without mobile, I mean, we couldn’t look for a yelp — what would be the point on an Uber, a Lyft? We could go on.

Rocky Dhir: I wouldn’t know what your dessert look like at dinner.

Craig Ball: It’s so important, so important.

Rocky Dhir: Without me checking social media.

Craig Ball: I mean, my gosh, how are you going to know that I had cornflakes for breakfast unless I have blogged about it? Really.

Rocky Dhir: And my day wouldn’t be complete unless I’d known that.

Craig Ball: It’s very kind of you to say so. I’d long suspected that, Rocky, but it’s very kind to have that confirmed.

Rocky Dhir: Do you add sugar to your cornflakes or you eat it straight up?

Craig Ball: No, I’m working on my diabetic coma, I always add sugar to my cornflakes.

Rocky Dhir: Oh good, good. I add sugar to frosted flakes sometimes, it’s pretty —

Craig Ball: There is help, there is help.

Rocky Dhir: You have not lived.

Craig Ball: That explains why you’re so upbeat, I guess.

Rocky Dhir: Yeah, you have not lived, nor have you come as close to death as you do when you put sugar on cornflakes.

Craig Ball: We have digressed a tad.

Rocky Dhir: We do that often, don’t we?

(00:09:58)

Craig Ball: So, where were we? We were talking about preserving smartphones.

Rocky Dhir: Right, sure.

Craig Ball: Okay. Smartphone, we talked about Geolocation, applications, health. Your phone, it knows where you are, it knows how high you are — and I am not talking about California High, I am talking about — there probably is —

Rocky Dhir: Maybe a Rocky Mountain High.

Craig Ball: There you go! So, a Rocky High, that’s a signal to Lawrence over there; Rocky is high, Lawrence.

Okay, so — I have totally lost it. We’ve got these devices that are instrumenting our bodies or actions. More than two-thirds — write out two-thirds of all email today goes through phones and because it goes through phones it’s changed the character of email, because if you respond to an email through a phone, that response is going to be only a-third the length on average as you would if you made the same response through a desktop or laptop.

Rocky Dhir: Because people don’t have the thumb energy to sit there and tap out a lengthy response just using their phone, is that why?

Craig Ball: I think so. I have seen the studies, I am not sure I have seen the analysis to the point of why, but obviously, we can speak in hieroglyphics. We have emoticons and emoji, so we can save a lot of words by just sharing a steaming pile of poop as our emoji to share our deeply held sentiments.

We also have a tendency to use a great deal more initializations and shorthand, but I think it’s simply what you are pointing out, which is the nature of the medium, the nature of the screen and the way we interact by thumb-typing, all augers in favor of much shorter responses, and as a consequence of that we have less text. When you have less text you have less text to use in advanced analytical tools, less text to provide context for electronic discovery, and as a consequence of this we are seeing a change that is a move away from e-mail, both in terms of the quantities of e-mails that are discoverable evidence, and to the extent that we are seeing double-digit reductions in the instances of e-mail on an annualized basis, offset by double-digit gains in the use of text.

Rocky Dhir: Okay, there you go.

Craig Ball: So, we have not only is the e-mail text becoming shorter and somewhat less relevant, less revealing, but at the same time you are having this explosion in text. And the bottom line for that is what I call the Streetlight Effect, I didn’t coin the phrase, but what it means, Rocky, is that we are getting much better tools to look in the wrong place with a wrong evidence.

Rocky Dhir: Interesting, okay. So, in other words, I guess if I am understanding what you are saying correctly. We are using our discovery and preservation tools to preserve e-mails when really that may not be where the key information is, it might be they are in a text message or in something like a Skype chat or on a WhatsApp platform or a Viber platform, something where people are messaging back and forth instantaneously as opposed through e-mail.

Craig Ball: Instantaneously, collaboratively our phones have become our primary conduit from communication in particularly non-voice communication, and importantly unlike an e-mail, for example, where the information that is in the email is that which someone is volitionally intentionally placed in the message. Our phones are independently recording information about our steps, our movements all kinds of abilities that we give, think of the number of sensors and communication devices.

Your phone has three independent radio systems in it. Your phone has a barometer, it’s got a gyroscope, it’s got an altimeter, it’s got light detectors, touch detectors, biometric sensors. I mean, the phones are amazing technologies. They have transformed us in so many ways. It’s not all of them positive and they have also become, in my opinion, the primary conduit and often the most significant repository for revealing electronic evidence.

Now, this is news to lawyers in the civil world, it’s not at all news to law enforcement. Law enforcement goes to the phone first now because that’s where the richest evidence is. Unfortunately, my colleagues in civil litigation have been very slow, almost obstinate to try to avoid dealing with phones, and so what I have been doing in the last year or so is trying in my small way to change their minds, to show them not only our phone’s essential evidence that should be our first line of attack in electronic discovery in many instances, but importantly that there are low-cost scalable and reliable methods, defensible methods by which we can preserve and acquire phone data that are — the kind of thing where we don’t have to bring in someone like me, a Computer Forensic Examiner, but that we can have it done in a trustworthy and defensible way by our clients and others who we should be looking to take straightforward steps on a routine basis to put this data on hold when it’s subject to a legal preservation duty.

(00:15:06)

Rocky Dhir: So, I guess, two parts to my next question. First is, what is it that we’re preserving exactly? I mean, what are we concerned about preserving, say that might be different from a laptop or a desktop computer when you are dealing with these devices? And then number two, if you’re the attorney asking for information, if you’re writing the subpoena, you are writing the discovery request, then are their keywords or key phrases that the civil lawyers aren’t aware of that they need to be including in their discovery requests?

Craig Ball: Well, I think you want to be specific with regard to devices. Usually I would say something different, I would say don’t focus on the devices, focus on the content.

Rocky Dhir: Okay.

Craig Ball: We are at an inflection point with these devices where they’ve been ignored for so long as a consequence of a big lie, and that big lie is, there’s nothing on these phones that we won’t get from the sources that were already collecting, and that is a huge lie.

Rocky Dhir: Got it, okay.

Craig Ball: So, what we need is for lawyers to make clear their intention that they are looking for preservation of mobile devices, and to force that process.

One of the ways I’m advocating it be done, is by providing language exemplar notices for example, that can be served upon your own client for purposes of walking them through a low-cost quick preservation, but more importantly remove the argument of burden and cost from your opponent.

Right now if you go to an opponent and you say, we want you to preserve content on a phone; unless it’s manifestly clear to them that the phone holds evidence you’re likely to get push back. And I think that that push back had some justification in years past when you had to hire an expert to do it. But today, we’ve gotten to a point where ironically the efforts to lock down the phones, to secure them that we saw exemplified, for example, when the San Bernardino terrorists were being investigated by the FBI and the fight, the scuffle between Apple and the FBI ensued based upon the FBI’s efforts to get Apple to defeat certain cybersecurity features.

Now, the fact is that today unlike a few years back, these devices are becoming quite secure and with every new release, the latest release I think is 11.4, it becomes much, much harder for forensic examiners to get to deleted data, to get to forensically significant data.

And my point is that we need to be looking at this with the eyes of an e-discovery practitioner, the eyes of a lawyer. In the run-of-the-mill e-discovery case, it’s not a forensic investigation, you’re not hiring a forensicist in every case involving electronic evidence and that should be the case with regard to these phones.

Now, I don’t wish to take any bread out of my mouth and certainly out of the mouths of my colleagues in terms of being hired as an expert when that’s appropriate. But I believe that in most preservation, Rocky, an e-discovery occurs without the subsequent need to process the data. We have to hold onto a lot more than we actually have to deal with as the litigation does or does not go forward.

So, if you have a way to preserve the data and it’s low cost, and most importantly of all, above all other factors, that the user of the phone doesn’t need to surrender possession of the phone. The fearsome loss of the phone triggers a lot of bad behavior.

I’ve seen situations where when required to surrender their phone for imaging, a large number of people will claim that the reason their phone was wiped when they turned it in was that they were trying to put in their password, they failed 10 times and the phone wiped. O gee, I am really sorry. Well, we know what that’s about.

Rocky Dhir: Right.

Craig Ball: And I’ve seen people say quite rightly, you can’t take my phone, that’s the only way my kids’ school can get in touch with me, that’s the only way I can contact all the people in my life. Nobody remembers phone numbers anymore, nobody remembers e-mail addresses, nobody remembers how to text, it’s all in the phone. You take someone’s phone away you have lobotomized them in terms of modern life. So, I get why they don’t want to let it go.

The methodologies I’ve been promoting that are free, so nobody makes money off of them, are such that you don’t have to let go of your phone.

Rocky Dhir: Can you give us an example or two?

Craig Ball: Well, I mean, one the methodologies involves using for iPhones using iTunes in a way that creates a –

Rocky Dhir: Oh, is it the backup feature?

Craig Ball: The backup feature of iTunes is a good example.

(00:20:00)

You couple that with a couple of other tweaks that I’ve added to the methodology to ensure that there is no reasonable means by which the individual could later alter the information or revise or selectively delete. It’s a way to lock that data down and prevent it from being tinkered with later.

The beauty of this method is, it has a human factor’s side of it. If you are going to allow a client or an employee to retain the backup, and they’re not surrendering the phone to a stranger that they remain in a sense in control of this process, they are much less likely to be triggered to do the kinds of things that complicate lawsuits like delete information, permit spoliation, because they are not being forced to part with the device and because they will remain custodian of the data. That is an empowering thing.

This is does that sort of trust everybody but cut the cards, and by that I mean, it allows the custodian to remain custodian, but it changes the form of the data and takes basically a snapshot of the data and then puts it in a form where the custodian can’t go back functionally and change it. That’s crucial.

Rocky Dhir: Not without somebody knowing about it.

Craig Ball: Not without somebody knowing about it or that’s actually a very difficult practical impossibility to restore that data to the appropriate name and metadata.

So the methodology I outlined provides for compressing the data set. The data set name is a hash value, a digital fingerprint and you provide the lawyer the name of the file and the size and metadata values of the file. That’s just a little bit of information, but having that information means that the attorney can be assured that it’s safe to leave the data with the client. Bad things can still happen. People are people.

Rocky Dhir: Sure.

Craig Ball: But the likelihood of that happening is so significantly reduced that it remains a reasonable and prudent way by which to ask individuals to preserve their phones except in those fairly rare occasions where you would be leaving the fox to guard the henhouse, as we say, where someone who cannot be trusted is left in charge of their own preservation. That kind of so-called custodial-directed preservation is fraught.

But, what I’m talking about guards against it, because quite frankly the way this is structured by the time the individual might start thinking about wanting to destroy the evidence when it is later demanded to be turned over for analysis, it’s already so gelled, if you will, so protected that you have cut them off from any simple ways to destroy evidence or alter evidence.

Rocky Dhir: Wow. Okay, well, there is obviously a lot to this topic. I mean, we could talk for a longtime. For example, I’d want to know even about watches, like say an Apple watch. Is there data in there that would need to be preserved?

Craig Ball: Well, yes and no. I mean, yes, there is some data that can be preserved on Apple watch, but an Apple watch is a little different, it’s designed to work in conjunction with the phone.

Rocky Dhir: Okay. So, it’s kind of mirroring to some extent with the phone.

Craig Ball: Right, and that’s what’s changing about electronic discovery in many instances, emblematic of this was a case a couple years ago in Arkansas where the police came into the scene of a murder and grabbed the Amazon Echo, the Alexa Brace.

Rocky Dhir: Device.

Craig Ball: All right. Their thinking was the stuff that we might want is stored in the Alexa device in the Echo. Point of fact, the information they were likely to want is transferred by the device into the cloud, AWS (Amazon Web Services). And so, what’s changing is whether something is a sensor or it’s a repository and with an Apple watch is sort of an offshoot of your phone. It works in close conjunction with your phone.

So, I’m more likely to go to the Apple Watch app on a phone to gather information that I am going to try to pull the information off the phone itself, and we are going to see that with the Internet of Things.

I’m less likely to go to my Nest Thermostat and much more likely to go to the Nest application which is acting as an aggregator of information from these devices. So, we are going to be going more to the phone, the tablet, and the cloud than to the individual sensor-enabled devices in the Internet of Things.

Rocky Dhir: Wow. Craig, I got to thank you. This is an eye-opener. I think I’d certainly learned something and I think anybody listening to this podcast will have either learned something or possibly at least learned to ask a few more questions, questions that they otherwise may not have asked. So, if they do have questions, they have follow-ups, is there a way they can reach you?

(00:25:03)

Craig Ball: Sure. I am available online. They can go to my website, if they’d like to read many of the articles that I have written on these topics, it’s craigball.com, or I hope they might stop by and read my blog, which is called ballinyourcourt.com.

Rocky Dhir: Very clever.

Craig Ball: I am a special master. I get appointed as Sir.

Rocky Dhir: Yeah, I was going to say, this is what happens when you are a special master.

Craig Ball: Well, I have to be fair. I really need to credit my former editor Monica Bay, who’s creative spark. We work together on that and so I’m always reluctant to take credit for Ball In Your Court alone.

Rocky Dhir: Although you’re enjoying owning it and being able to use it, so that’s good.

Craig Ball: It is my surname.

Rocky Dhir: It is your service. So, can people get in touch with you via email or is there a Twitter handle they need to reach out to you on or?

Craig Ball: My e-mail is [email protected]; so if you get to the Internet early enough in life, you can get your own surname as your domain.

Rocky Dhir: Ball In Your Court, ball.net, you’ve got kind of everything cornered, just the way you wanted.

So, again, Craig, thank you so much for being here.

Craig Ball: Thank you, Rocky.

Rocky Dhir: And I want to thank you for listening and for joining us again for yet another informative podcast here on the State Bar of Texas Podcast in conjunction with legaltalknetwork.com.

So please, if you liked what you heard today, rate us, find us, give us a rating on Apple Podcasts, on Google Play, on your favorite podcast app, and by all means learn more about us on legaltalknetwork.com.

We are learning so much here at the Annual Meeting here in 2018. If you have not come to one of these, you need to come, you need to come join us, and check us out. We will be here next year as well, but we certainly appreciate you tuning in today.

You know, guys, like I always says, life’s a journey, and I want to thank you for tuning in. This is Rocky Dhir signing off.

[Music]

Outro: If you’d like more information about today’s show, please visit legaltalknetwork.com. Go to texasbar.com/podcast. Subscribe via Apple Podcasts and RSS.

Find both the State Bar of Texas and Legal Talk Network on Twitter, Facebook, and LinkedIn, or download the free app from Legal Talk Network, in Google Play and iTunes.

The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by the State Bar of Texas, Legal Talk Network, or their respective officers, directors, employees, agents, representatives, shareholders, or subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.

[Music]