Fitbit, Fun, Forensics, and Foes

Have you tracked your 10,000 steps today? Has anyone else tracked them?

Fitness trackers are big business, helping people get and stay fit, and helping them share their progress with friends – and sometimes with strangers.

Probably the most well-known of these devices (and apps) are the FitBit and apps paired with the Apple Watch, but also include the Moov Now, Samsung Gear Fit, Huawei Band, Tom Tom Spark, and about 350 others. The ability to map your movements is one of the more fun and attractive features about these devices.

FitBit data helps to catch a potential murderer.

Fitness trackers in less light-hearted circumstances can provide evidence in the most serious of cases. At the end of 2015, Richard Dabate told Connecticut law enforcement a tale of a break-in where the robber killed his wife while he was fighting the intruder off. The problem was that subpoenaed records of her FitBit showed her active an hour after the murder was said to have taken place, and that she walked ten times further then what would have taken her into the now-fictional perp’s view. Along with other computer, Facebook, and cellphone evidence, and the fact that Dabate had a pregnant girlfriend he was arrested for the crime. As of this writing, Mr. Dabate is still free on a million dollars bail.

FitBit data helps an innocent man go free

In May of 2016, Nicole Vander Heyder went out on the town in Green Bay, Wisconsin, but never came home. Her bloodied and naked body was found in a farm field nearby. Signs at first pointed to her boyfriend, Doug Detrie, who was arrested but nonetheless seemed shocked at the news and protested his innocence. Detrie was held on a million-dollar bond, but the apparent evidence (blood in the car, in the garage, and a suspicious spot on the sole of his shoe) didn’t hold up (blood in the car wasn’t the victim’s, blood in the garage wasn’t a human’s, and the suspicious spot wasn’t blood) so he was released. Data from Doug’s FitBit showed that he took only about a dozen steps during the time frame in which Nicole died.

DNA evidence from Nicole’s clothes pointed at another man altogether, George Burch. Burch’s Android phone had Google Dashboard data associated with his Gmail account that showed GPS location data leading right to Nicole’s house. Eventually, he was charged, found guilty of first degree murder, and sentenced to life in prison where he still insists he’s innocent.

FitBit data used to try to find a missing person

In July of 2018, Iowa student, Mollie Tibbett went for a jog and hasn’t been seen since. Police have received her FitBit data in an attempt to locate her but haven’t released what they found in that data to the public. It appears that the geolocation information therein wasn’t enough to find her. Additional data from her cell phone and social media accounts has been sifted for clues, but as of August 6, 2018, there are no reports of her being found, although there appear to be people of interest. Hopefully location data from her FitBit will eventually help lead investigators to her current location.

FitBit data banned by the military

You may have heard news stories of late that the Army has expressed concern about military movements and security being compromised by data from fitness trackers and devices like the Apple Watch. A military official was quoted as saying, “The moment a soldier puts on a device that can record high-definition audio and video, take photos, and process and transmit data, it’s very possible for him or her to be tracked or to reveal military secrets… The use of wearables with Internet access, location information, and voice-calling functions should be considered a violation of national security regulations when used by military personnel.” But did you know that this news was from May 2015? And did you know it was a Chinese military official in the Chinese Army newspaper, the Liberation Army Daily?

That’s right, some foreign governments have been banning such devices for years now.

FitBit geolocation data banned by the US Military

In 2013, the DOD distributed 2,500 FitBits to military personnel; in 2015 the Navy planned to run a pilot program to help the enlisted and their superiors keep track of fitness goals, and “allow Army leaders to track their Soldiers’ fitness in real time.”

Aside from military members, Fitbit has a user base of over 10 million people. The information is viewable online, on a mobile device, or through the desktop application. Fitbit logs movement and allows users to log other health information in the app. Fitbit then uses this information to display progress over time.

The manager of a companion app, called Strava, helps to map and display maps of subscribers’ movement using FitBit and other fitness tracking devices. In November 2017, Strava released their Global Heat Map of 3 trillion individual global GPS data points uploaded from the previous two years. Zooming in on the maps, as Australian security student Nathan Ruser did, revealed favored trails used in previously undisclosed bases by military fitness buffs. Heat map trails around and in Mogadishu could have provided potential targets of locations frequented by military personnel for Somalian dissidents.

As one might imagine, the Army on August 7, 2018 banned use of geolocation features in iPhones, Apple Watch, FitBit and other fitness trackers with the following directive: “Effectively immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and non-government-issued devices, applications, and services while in locations designated as operational areas.” It hasn’t banned the use or possession of the devices altogether.

The (FitBit) Law of Unintended Consequences

There are three types of unintended consequences (according to Wikipedia)

An Unexpected benefit: A positive unexpected benefit – such as an accused murderer going free and shown to be innocent of charges due to his FitBit. Rather than showing the accomplishment of an athletic endeavor it instead showed inaction when the crime would have required much movement, as with Doug Detrie and Nicole Vander Heyder.

An Unexpected drawback: An unexpected detriment occurring in addition to the desired effect of the policy, such as a FitBit showing a purported victim of a crime instead being the perpetrator as with Richard Dabate and his wife.

A Perverse result: A perverse effect contrary to what was originally intended, as when military personnel using a FitBit to keep track of their fitness progress reveal themselves as potential targets to an adversary.

With any luck, none of these occasions will fall into lives of any of my readers.

Keep fit, keep track, but be aware that you may be revealing more than you intend to.

Home-Brewed Data Destruction

Law around the subject of electronically stored information (ESI) and computer forensics is ever-evolving. In a lawsuit, it’s treated just like paper documents. If you shred or burn the paper evidence, you’re in trouble – and if you’re caught deleting or wiping electronic evidence, you’re in the same boat.

But in some cases, it can be easier to get busted for destroying ESI, both because electrons have a way of proliferating as digital copies of files and pictures and documents, and because the process of destroying data usually leaves detectable digital traces.

Just yesterday, a fellow (I decline to call him a gentleman) called me up to ask if he could consult with me on an hourly basis about how to destroy data (evidence) on his computer for an upcoming potential divorce. I actually found myself offended and explained to him (trying to keep the disdain from my voice) that destroying evidence is the exact opposite of the service I offer.

We don’t wreck evidence – we find it.

I further suggested that he might want to look into the Federal Rules of Civil Procedure, Sections 26 & 34 and how they apply in his state. I told him that I am not an attorney (and so can’t advise him on law), but that if he went about destroying evidence, the judge in his case could sanction him in a way that could be devastating to his side of the lawsuit.

But I could be wrong. While there is generally a requirement under common law to preserve evidence, and while some judges will take unkindly to the destruction of any potentially relevant evidence, others have held to a deadline of 20 days after a complaint is filed, or not until the party is served with court papers. This guy hadn’t yet been served, although his interest in the destruction of data would lead a reasonable person to infer that there was something on that computer that would lead his wife to start the process!

In more than twenty years in the computer forensic business, we’ve found that people rarely manage to erase all traces of a file, or of their acts of destruction of files. When a file is deleted, it just remains sitting there for someone with the proper tools and skill set to uncover it. It’s not gone until it has been overwritten by something else. There are utilities designed to overwrite files in order to completely get rid of them, but often references to the file remain in an old directory, the Master File Table, or in shadow volume automated backups. The file-destroying software usually leaves tracks of itself having been used, and may even provide the forensic investigator a log of its activities.

Even if the file is completely overwritten and its attendant directory entries, etc “sanitized,” many files, such as MS-Word, make Autorecovery backup copies while the user is typing away. These are deleted when the user closes his document, but as we have seen, what’s deleted is not gone. Such remnants can be valuable evidence.

So these kinds of activities are detectable and the intended target of data destruction may survive the efforts. Then of course, there is the question of ethics. Even if, in some jurisdictions, the destruction of data before certain other documents are filed is not prosecuted, the idea of destroying evidence and/or lying about it is reprehensible and is certainly unethical.

To misquote a famous sportsware company, just don’t do it.

Federal Rules of Civil Procedure and ESI: The Evolution of E-Discovery and Computer Forensics – Pt1

Nearly all documents start on a computer and discovery for litigation necessarily requires accessing electronically stored information (ESI). Rules regarding ESI in discovery – whether opponents are allowed access to it and who pays – are fast-evolving and differ from state to state. The Federal Rules of Civil Procedure are used as a touchstone and precedent by courts and states to help define their own rules. This series will look at a few of the major cases, opinions and outcomes that have informed this evolution.

Rowe Entertainment v. William Morris Agency – 2002 –

The Back Story:

Leonard Rowe, of Rowe Entertainment, was a promoter of some 30 years experience. He was president of the Black Promoters Association (BPA). The acts he promoted were primarily black musical artists. At the time, William Morris Agency had a near-monopoly on the kind of musical acts Rowe represented, and that he wanted to represent. However, he found noteworthy that he and his fellow black promoters were never able to represent a white artist. He suspected that they were not being allowed to do so for the entire 114-year history of the William Morris Agency.

He and his fellow promoters in the BPA were required to pay a 50% deposit for many artists. He discovered/asserted that white promoters had different requirements – for instance, white promoters were only required to pay deposits of 10% or even less. Furthermore he found that white promoters were able to represent both white and non-white artists. He called foul and, along with several other plaintiffs, sued the William Morris Agency (along with about 30 other defendants) for anticompetitive racial discrimination.

Among Rowe’s discovery demands were production of a broad (“sweeping”) range of emails, which the court found to be less than focused on the subject matter of the case. The judge let the production go forward, but shifted the entire cost of production to Rowe. The judge used eight factors to decide thus. These factors became the touchstone nationally for several years on how to weight the cost and responsibility for production (especially of emails) of ESI, and whether such production should be allowed to move forward.

This set of eight factors became known as the “Rowe Test.” The factors, each of which was considered to be more or less of the same importance, were:

1. The specificity of discovery requests

2. The likelihood of discovering critical information

3. The availability of information from other sources

4. Purposes for which the responding party maintains the requested data

5. Relative benefits to the parties

6. Total cost of production

7. Relative ability and incentive to control costs

8. Resources available to each party.

Only number 3 was found in favor of Rowe, as the information was not available from other sources. The remaining seven factors were found in favor of William Morris, leading the judge to allow the discovery to proceed, but that Rowe would have to pay the entire cost. The cost amounted to about $200,000.00.

What do the eight factors actually mean?

1: The specificity of discovery requests refers to how targeted the requests are. If the requests are closely targeted to the kind of critical electronic documents and emails only from key players and that are most likely to be of relevant subject matter, then the court should favor having the producing party pay. If the requesting parties demands are overbroad, asking for everything in (and out of) sight rather than what is likely to be relevant, then the court should favor the producing party, leaving the requestor to shoulder the majority of the cost of production.

In the Rowe case, the judge found Rowe’s demands to be “sweeping” and found that the this factor then favored having the requestor (Rowe) bear the cost of production.

2: The likelihood of discovering critical information. If there is strong evidence that the data being sought is of near-certain relevance to the case, or better, if there is an admission by the producing party that the requested electronic data is relevant, the court should favor having the producing party pay. On the other hand if the requests appear more or less to be a fishing expedition, the court will be looking to the requesting party to pay.

In the Rowe case, the court wrote, “However, there has certainly been no showing that the e-mails are likely to be a gold mine. No witness has testified, for example, about any e-mail communications that allegedly reflect discriminatory or anti-competitive practices.” Based on this factor, the court favored William Morris again.

3: The availability of information from other sources. Are alternate sources of discovery available – for instance in hard-copy (paper) form, or as individuals files on computers that personnel has already searched for responsive data? If not, the court should find this factor in favor of the requestor, making it more likely for the producer to be told to bear the cost o production.

This was the one factor found to be in Rowe’s favor, as there was little or no evidence the demanded emails could be found or produced, except by searching backup tapes and hard drives for them.

4: Purposes for which the responding party maintains the requested data references the reason the data exists. Is it kept just for disaster recovery or data recovery purposes? Does it exist simply because someone just forgot to discard it – and the producing party can show this to be true? Then the cost of searching this data more likely should be shouldered by the requestor.

Is it kept for ongoing business purposes, which might include accessing backup tapes or hard drives on a regular basis? Then the court should find it more likely that the producing party should pay for production.

The court found that William Morris either kept much of the requested data inadvertently, or had it just for archiving purposes.

5: Relative benefits to the parties: in most cases, the production will favor the requestor – else why would they request the data? This was also true in the Rowe case, and hence this factor would again favor Rowe having to pay for discovery costs.

6: Total cost of production: If the cost is not substantial, or if discovery is more like traditional discovery, the court should be less likely to shift costs, and leave the presumption that the responding party should bear the costs. However, at the time of the Rowe case, email discovery was more an exception than the rule and hence the court found that this factor would favor William Morris, i.e. that this factor should make Rowe more likely to bear the burden of cost of production.

7: Relative ability and incentive to control costs. In general, the requestor determines the scope of its requests, which would have the court favor having the requestor pay. Such was the case with Rowe.

8: Resources available to each party. This factor only comes into account when there is a large disparity between the sizes of the two parties, such as in a case where an individual faces off against a corporation, where the smaller of the parties may not have the ability to pay for production at all. In a case such as Rowe, where the parties are both companies, the factor is unlikely to come into play, to be a neutral factor.

Rowe was one of the formative cases in what has become Civil Rules with regard to electronically stored information (ESI). The 8-factor test was particularly important in informing future cases as to what ESI should be allowable in discovery and who pays for producing it.

The case itself has had several episodes and court opinions as recent as 2012 have raised popular interest in what many see as racist-based court decisions, where others see outcomes based primarily on following (or not following) technical rules.

Next in this series, another important case leading to the current Federal Rules of Civil Procedure, Zubulake v. UBS Warburg