Feeds

Websites could be required to retain visitor info

Even if it would break their privacy policies

The Essential Guide to IT Transformation

There has long been an adage in the law that essentially states that "if it exists, it is discoverable". Now, as a result of a lawsuit involving TorrentSpy, the United States District Court for the Central District of California has essentially extended this logic to state that, "if it doesn't exist, we will require that it be created and stored so that it can become discoverable".

The case, Columbia Pictures v. Bunnell (pdf) arose when the movie studios wanted to find out the identity of people using TorrentSpy to download copyrighted works – personal information about TorrentSpy's users. TorrentSpy promised its users that it wouldn't collect such information, and had no legal obligation to do so. As the court noted:

In general, when a user clicks on a link to a page or a file on a website, the website's web server program receives from the user a request for the page or the file. The request includes the IP address of the user's computer, and the name of the requested page or file, among other things. Such information is copied into and stored in RAM.).

RAM is a form of temporary storage that every computer uses to process data. Every user request for a page or file is stored by the web server program in RAM in this fashion. The web server interprets and processes that data, while it is stored in RAM, in order to respond to user requests.

The web server then satisfies the request by sending the requested file to the user. If the website's logging function is enabled, the web server copies the request into a log file, as well as the fact that the requested file was delivered. If the logging function is not enabled, the request is not retained.

In keeping with its stated contractual privacy policy, TorrentSpy did not enable the logging function, did not capture the information in RAM (or more accurately did not store it) and therefore alleged that it could not produce it in litigation.

After TorrentSpy was sued, the question arose about whether or not the information NOT regularly collected by TorrentSpy – the information in RAM – constituted Electronically Stored Information subject to both discovery and what is called a litigation hold. Under a litigation hold, once you become aware that information you may posess is relevant to ongoing or threatened litigation, you must suspend your document destruction policy and stop deleting that relevant information.

Electronically Stored Information is defined under the Federal Rules of Civil Procedure as "information that is fixed in a tangible form and to information that is stored in a medium from which it can be retrieved and examined".

The court rejected TorrentSpy's claims that the information in RAM was never "stored" since logging was never enabled, and that requiring TorrentSpy to enable logging amounted to requiring it to "create"; records that didn' exist. Certainly, the information in RAM was – for a brief time – stored at least transitorily, just as streaming media (like a VOIP call, or videoconference) is stored on your computer for the brief interval it is being displayed.

Thus, the information is (1) electronic; (2) stored; and (3) relevant. The consequence of this is that not only is the information subject to discovery under the TorrentSpy precedent, but the entity must then suspend its document deletion policy, which in the case of TorrentSpy was to delete information in RAM that it never stored.

The potential consequences of this ruling (which is currently on appeal) are frightening. Whenever a company or other entity learns that information that it doesn't collect (or more accurately collects but doesn't store more than briefly) might be relevant to some litigation, it has to undertake affirmative efforts to start collecting and storing this information, in violation of its express privacy policy (creating potential FTC or privacy commission liability) for no purpose other than to create liability.

Thus, when you learn of the possibility of litigation, you may have to START storing streaming media, contents of VOIP calls, contents of videoconferences, webinars, chats, instant messages, logs, scans, or other electronic records that you never stored before.

The court also noted that companies "cannot insulate themselves from complying with their legal obligations to preserve and produce relevant information within their possession, custody or control and responsive to proper discovery requests, by reliance on a privacy policy -- the terms of which are entirely within [their] control". Thus, even if you SAY that the information wont be collected (stored) and you have no reason to collect (store) it, a court could mandate that you do so at your own expense.

Build a business case: developing custom apps

More from The Register

next story
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
ONE EMAIL costs mining company $300 MEEELION
Environmental activist walks free after hoax sent share price over a cliff
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.