The scandal of Rupert Murdoch, the world’s most powerful media mogul, is essentially a story of e-discovery, the seamy dark side of e-discovery that operates underground and in violation of the law – the world of hackers. Segments of Murdoch’s media empire have been caught in the practice of illegal discovery of voice mail messages, a practice misnamed phone hacking. Murdoch’s over 4,000 victims include the British Royal family, British and world political leaders, celebrities, families of NY 9/11 victims (which the FBI is investigating), parents of a kidnapped child, and pretty much anyone else in the world that Murdoch’s British scandal rags wanted to investigate and exploit. You know the story, just don’t look for it on Fox or the Wall Street Journal or hundreds of other media companies that Murdoch owns. Don’t ask Scotland Yard either; they appear to have buckled under to Murdoch’s immense political influence in Great Britain. This is an important story, for although the power of big media has been diminished by the Internet, decentralization, and individual empowerment, there is still much truth in Learned Hand’s statement:
The hand that rules the press, the radio, the screen and the far-spread magazine, rules the country.
This blog will go into the Murdoch story from the perspective of electronic discovery and explore the legal, technical, and ethical implications of voice mail hacking. I will explain what it is, and some of the most common ways it’s done. All of the bad guy hackers already know how to do it, so you should too. In that way you can protect yourself and your clients. We are not talking about complex Lulzsec type hacks here. You will be astonished to see how easy it is.
Voice Mail is ESI
Voice mail is typically stored on digital computers these days, not audio tapes. It is electronically stored information. It can be fair game for legal e-discovery by subpoena and requests for production in court cases. Due to the negligence and lack of knowledge on the part of most cell phone users, including apparently the British Royal family and many well-known celebrities, voice mail is also an easy target for illegal hacking. Knowing the hackers game is the best way to avoid being a victim yourself.
You may not be a celebrity whom the paparazzi are after, but if you are a lawyer, you’ve got secrets. Those of us in the legal industry keep secrets for a living. It is part of our job. Client confidentiality is not a luxury, it is an ethical imperative. You need to study this explanation carefully and pass on the word. Don’t let reporters of sleazy newspapers, or, even worse, unethical opposing parties in litigation, get easy access to your voice mail messages.You have an ethical duty to protect these secrets from any unscrupulous adverse parties that might benefit by discovering them.
I have been warning about illegal e-discovery for years in the context of litigation, and more recently in the context of criminal hacking outside of litigation. See:
- New 4th Circuit Ruling on Illegal e-Discovery Adds Teeth to Federal Anti-Hacker Email Privacy Law
- “Win-At-All-Costs” Litigation Using Illegal e-Discovery Leads to Dismissal of a Billion Dollar Case
- Does Your Stated Password for a Website Somehow Relate to the Theme of the Website? Who Knows Your Password? Who Are “LulzSec”? Should We Fear Them Or Laugh With Them?
- Lulzsec Disbands After 50 Days of Cyber Mayhem Funny Business;
- Hackers Perfect Indestructible Virus and Assemble Army of Four Million Zombie Computers.
Illegal e-discovery, a/k/a hacking, is a real threat. It is dangerous. Murdoch’s media minions are just the tip of the hacker iceberg. Beware of illegal phone hacking of your client’s or your own voice messages. Also beware of illegal hacking and seizure of email, text messages, and personal computers. As I pointed out recently, there are millions of computers out there infected with viruses that could impact your case and hamper your legitimate investigations.
The Law, Journalism, and the Four Ws
Voice mail can be a good source of information, maybe not as good as email, because it is usually short, but still it can provide valuable clues in some circumstances as to the truth of the Four Ws: who, what, when, where and why. These fundamental questions drive the activities of all discovery by lawyers. The same Four Ws are also the fundamental questions of all news reporters. Journalists and discovery lawyers both search for the truth of what happened.
Lawyers are empowered with legal process to get at these answers. They can serve subpoenas and make requests for production. They can ask a court to compel the answers to their legitimate who, what, when, where and why questions. Journalists have no such legal power. All they can do is ask and hope that you answer. Journalism may be in decline, but it is still big business, even in the 21st Century. It can still bring down governments and billionaires. There is a strong temptation for journalists to use illegal means to get at the truth.
Phone Hacking 101
Phone hacking, which should probably be called voice mail hacking, is often surprisingly easy. See eg. Here’s how easy it is to hack a phone. (CBS News, 2011). For more details from a security expert, see this lengthy article on voice mail hacking by David Rogers of mobilephonesecurity.org. Phone hacking was probably done by Murdoch’s reporters at his paper News of the World in one of these easy ways. Alternatively, they could have used other even more devilish and complex methods that I will not talk about here.
One simple way to illegally access another’s voice mail message is to call their phone number when there is no answer, or it is busy (a partner in crime can take care of that for you). You are then placed into the phone’s voice mail system. From there all you have to do to access voice mails is to hit star * or 3, choose listen to messages, enter the password, a/k/a PIN number (personal identification number) when prompted. Apparently some 30% of phone users never bother to change the default PIN numbers. These default phone PIN numbers are not secret. They are published online. It is common knowledge that for most companies the default PIN is either 0000 or 1234 or the last four digits of the phone number. So you just press the four default numbers, then the # key (that is how you enter them), and voila, you can listen to the phone messages. You can even delete some of them, like Murdoch’s News of the World reporters would sometimes do.
The failure of so many users to take even simple precautions like changing the default passwords is why so many hackers think that most computer users are idiots that deserve to be hacked. They take the well-known demotivational poster as a kind of excuse for intruding on our privacy, maybe even stealing from you. This poster (spelling error and all) now has a double entendre not imagined when it was created.
I know that my AT&T i-phone PIN was set at 0000 when I bought it. Of course, I changed it after I activated the voice mail system to put in my own password. After studying up on phone hacking to prepare this article, I changed it again and made it longer and more complex. You should too.
But what if a hacker finds you have changed the default PIN and can’t guess your password. Then they might try a little “social engineering hacking.” That’s where they call the phone company, say they are you, and have forgotten the password. Often the accommodating phone company will reset the password to its default. If a hacker makes that happen, they then try the usual default numbers.
There are many other “social engineering hacking” methods out there. Phone companies need to better train their operators and set up stronger default procedures and defenses. They also need to abandon the whole default PIN idea, and adopt the procedures used by banks for PIN numbers. How about making the numbers longer and requiring they be more complex? Many phone companies have already done this. By the way, did you know that in Switzerland the bank PIN numbers are six digits in length, not four like in the U.S.? There is a good reason for that.
Another way to hack into your voice mail system is called Caller ID Spoofing. See eg. the how-to video at CellHacker.com. This practice usually involves easy to obtain software that enables your phone to fake, or spoof, another phone number. This spoofing causes the recipient of the call to see another phone number of your choice on caller ID. You could, for instance, make the recipient think they were getting a call from the White House phone number. You could also make a phone think it was receiving a call from itself. Just call a phone number and spoof the number you are calling. When that happens most phones will put you right into the voice mail system and you will not even be prompted for a password to access the email.
The use of spoofing software and gadgets was outlawed in the U.S. with the passage of new legislation in December 2010. Here is the full text of the Truth in Caller ID Act. Spoofing is only illegal if done with the “intent to defraud, cause harm, or wrongfully obtain anything of value.” There are legitimate uses of spoofing, and so the software is still legal and easy to find.
There are many other ways to hack into voice mail, or your phone itself. Another one you may be interested in is Bluetooth hacking, also called Bluesnarfing. (This is not to be confused with Bluejacking, where ESI, usually advertisements, are sent to your phone, not taken from it.) As an avid user of bluetooth to wirelessly connect all sort of devices to my phone, this one scares me, especially when I’m in public places. The fishy looking guy or gal next to me might be a bluesnarfing hacker. They might also be data hacking phones signed-on to public Wi-Fis. They might be trying to get into my phone to discover my financial information, passwords, client emails, whatever else might be on my phone. See Mobile Phone Hacking and How To Prevent It by security specialist, Paul Drury.
Like most people nowadays, my phone carries a lot of ESI, most of it private. Having bluetooth wireless connection enabled on your phone is like having a door open where anyone could enter and look around if they wanted to. Logging on to unprotected public Wi-Fi carries the same risk. The key to protect yourself is to stay alert, and to keep your passwords customized, and not use defaults, and, of course, always be careful what you say. Check your voice mail password and make sure it is not the original default PIN. Delete any sensitive voice mails after you read them (assuming there is not a litigation hold in place that would prevent that). Use virus protection software. In very hostile situations, where an adverse party is suspect, you should be even more careful. For more advice on protecting your cell phone security, see this article by David Rogers along with the mentioned article by Drury.
The Colbert Report
One of the funniest bits I have ever seen Stephen Colbert do is his reporting on the Murdoch scandal. Click here to see the video excerpt. It is a comedy, but still insightful for a number of reasons, including a video excerpt of one of Murdoch’s minions attempting to defend phone hacking as an effective way to get at the truth. It concludes with a fictitious report of Colbert’s following the Murdoch journalist’s recommendation for truth gathering by hacking into the voice mail of Murdoch’s attorney. Take the time to look at this video. It is a good set up for the next section on lawyer ethics and reasonable efforts to preserve confidential client information.
Legal Ethics and the Duty to Preserve Confidentiality
Everyone in e-discovery knows, or should, about the high duty to maintain the confidentiality of client information and client communications. You would not dream of speaking openly to your client about something confidential so that opposing counsel could hear you. You would leave the room so you could speak privately. Or if you were in court and that was not possible, you would whisper. It is just common sense to take reasonable efforts to preserve the secrecy of your confidential communications. This doesn’t mean take every conceivable effort. You don’t have to carry around a cone-of-silence, or encrypt every email. Still, common sense dictates that you should be careful who might be listening when you talk on a cell phone in public. The young lady sitting near you might be an associate that you have never met that works for opposing counsel in the big case you are talking about. Be careful what you say in public, both face-to-face or via phones.
If you give out your cell phone number to your clients, then they may well leave you a voice message. In view of phone hacking revelations uncovered as part of the Murdoch scandal, does ethics now require lawyers to warn clients not to leave confidential information in voice mail? Should we also refrain from saying anything confidential in our client’s voice mail? Do reasonable efforts require using new passwords, not just keeping defaults? These are not easy issues and I suspect that state Bars will struggle with these questions in coming years. See Eg. Draft Changes to Model Rules on Confidentiality, Technology & Globalization (ABA Journal, 2011).
A new provision to ABA Model Rule 1.6 has been proposed by the ABA Commission on Ethics 20/20 to address some of these technology related issues, as well as related clawback, waiver, and privilege review issues:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.
The full ABA will consider this recommendations at the August 2012 ABA Annual Meeting in Chicago. The Commission on Ethics provides this new official comment on the proposed provision:
Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, and the cost of employing additional safeguards. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to electronic information, is beyond the scope of these Rules.
In addition, the Commission let stand the prior comments in Rule 1.6 as to the duties of an attorney to act competently to preserve confidentiality:
When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.
Look for more rule amendments and ethics opinions on the issue of reasonable precautions from the states in which you are admitted to practice. In the meantime, use common sense, and note especially the factors already accepted by the ABA: “the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.” Your voice mail privacy is now protected in the U.S. by the new Truth in Caller ID Act and other laws, so that weighs in favor of allowing the use of cell phone voice mails for sensitive client communications. On the other hand, if the information is very sensitive, then that suggests you should not put it in cell phone voice mail. Maybe you should not even use a cell phone at all.
Illegal hacking is the dark side of e-discovery. The current furor over phone hacking by Rupert Murdoch’s newspapers shows just how prevalent illicit e-discovery has become. It has reached the point that lawyers the world over need to be vigilant and sensitive to the possibility that their cell phone voice mail might be accessed without their permission. Check your voice mail password and make sure it is not the original default PIN. Delete any sensitive voice mails after you listen to them (again, assuming there is no litigation hold in place). Use virus protection software. We all need to be aware of hacking and be sure we take cyber security seriously. In very hostile situations, where an unscrupulous adverse party is suspect, you should be even more careful. The dark side of electronic discovery is real.
Be careful whenever you use or call a cell phone, but especially when leaving a message on cell phone voice mail. Ask your clients to be careful as well.
I had one case years ago where I told the client to always assume that their phone was tapped and their email was being intercepted. I insisted on personal meetings in my office to discuss the case. The information involved was very, very sensitive, and the other side was very powerful, and we suspected, capable of anything. Even within my own law firm disclosure was very limited to a need to know basis. Fortunately, I have not had many cases like that. But the truth is, you never know when a hacker might be intruding, especially when using a cell phone.
So don’t be easy prey for the criminal underground of e-discovery. Criminal hacking is widespread. The Rupert Murdoch story proves it.
SUPPLEMENT: June 18, 2011. Sean Hoare, the whistle-blower who disclosed phone hacking at News of the World, was found dead in his home in Watford, Hertfordshire. The cause of his death is, at present, unexplained. See Eg. Phone-hacking whistle-blower found dead (CNN). He was an entertainment reporter known for a 10-mile high life style and was purportedly ready to tell-all about what he knew.
Also today the N.Y. Times reported, for the first time, that there is evidence of e-discovery spoliation by News of the World:
Even as the company faced a flood of claims over the last several years, News International has acknowledged that it did not take any steps to preserve e-mails that might contain evidence of hacking until late last fall. When The News of the World moved offices late last year, the computer used by Mr. Edmondson was destroyed in what the company describes as a standard procedure.
The company asserted in court that a vast amount of its e-mails from 2005 and 2006 — believed to be the height of the hacking activity — had been lost. Company officials blamed the erasures on bungling, not conspiracy.
News International has subsequently acknowledged that some messages might be recoverable on backup disks, and the police are trying to recover that information now, said Tom Watson, a Labour Party member of Parliament. Last year, a forensic computer specialist the company hired to help it comply with a court order to turn over documents made a surprising discovery: three e-mails sent to Mr. Edmondson containing PIN codes that could allow access to voice mail, as well as names and telephone numbers, one official said.
Becker and Somaiya, Murdoch Aides Long Tried to Blunt Scandal Over Hacking (7/18/11 NY Times).
Finally, we learned today that the Lulzsec hackers decided to come out of retirement to hack into one of Murdoch’s papers in the U.K., The Sun. They redirected The Sun website to another hacked page that falsely reported Rupert Murdoch’s suicide. Lulzsec used Twitter to promise more hacks of Murdoch news company computers in the future and suggested they already have incriminating emails.
I am not sure where this will all end. It seems something like U.K’s Watergate with a dark hacker undertone. Tomorrow Rupert Murdoch and his son James Murdoch will appear before the British Parliament to answer questions, many of which are bound to be hostile. In two days the Prime Minister, David Cameron, returns early from a State visit to Africa to address a special session of Parliament. I bet there will be a lot of booing and shouting in Parliament that day. This drama will probably take several months to play out and corrupt e-discovery will likely remain a central theme. The final outcome is still uncertain, but I suspect it will lead to major changes in the U.K. How far this spills over to the U.S. is another question. Even if the Murdoch family falls from grace in the U.K., they may still remain a strong player in American culture for years to come.
SUPPLEMENT: June 19, 2011.
Project Counsel, a sister company of The Posse List, which is based in Europe and read by e-discovery contract reviewers and other lawyers and vendors world-wide, has picked up on the Murdoch scandal as an e-discovery related story and has begun reporting on it. They note that large teams of Murdoch lawyers from the U.S. and U.K. have begun review of ESI using a variety of document review software.
Rupert Murdoch began his testimony to Parliament today by saying: “This is the most humble day in my life.” A good start to what most conclude was a successful day of denying liability and fielding questions. But the highlight of the testimony came at the end when a comedian attempted a shaving-cream-pie-in-the-face attack of Rupert. It was thwarted by Murdoch’s wife, Wendi Deng. Pretty impressive performance by the entire family, but you have got to wonder about the Brits. They let a guy in the hearing with a shaving cream pie? Below is the video of the attempted pie attack. It is easy to see who you do not want to mess with in this family. Congrats to Wendy Deng Murdoch for fast action under pressure.
The best summary that I read of the Murdochs’ testimony (which I did not see) was by Joe Peyronnin, an NYU Journalism Professor, in his article Murdoch Tastes Humble Pie. Here is an excerpt:
What was most remarkable was how little both men appeared to know. Rupert Murdoch seemed totally detached from the scandal. He appeared old, he’s 80, and was often slow to respond. At one point the chairman admitted, “I am not really in touch… News of the World, I lost sight because it is small.” His son politely offered answers to most of the questions. But the tone of their testimony was, “We don’t know how it happened; we are cooperating; and we will make sure it never happens again.”