Another great article from Julie Lewis, President, CEO and Founder of Digital Mountain regarding obtaining information from a party’s iPad’s, smart phones and other mobile devices.

Social Media Metadata on Mobile Devices:  Gathering Valuable Crumbs

If you’re a fan of television crime dramas, chances are you’re intrigued by how the smallest bits of evidence are often the very ones that end up closing the case on the identity of the criminal. Be it carpet fiber, a human hair, or the DNA from a single drop of blood, these infinitesimally tiny pieces of evidence can reveal vast amounts of information when handled by the right investigators. The same can be true of the small bits of information hiding underneath the content of social media postings made from mobile devices. In the hands of the right forensic examiner, the metadata behind the content can tell a lot about the briefest post. In this article, we’ll look at the connection between social media apps for mobile devices and metadata collection.

What is Metadata?

In simple terms, metadata is data about data. There’s a variety of metadata types, but for our purposes, we’re going to restrict our discussion of metadata to machine-readable, searchable data that is generated in conjunction with content created on an electronic mobile device. The frontside data includes, but is not limited to, text and images. By way of analogy, if you look at a painting in a museum, the image in the painting your eye sees is the frontside data. The identity of the artist, the year the painting was created, the name of the painting, the type of paint used, and all other associated information are the metadata of the painting. We can’t always read clearly the signature of the artist, but it’s often there in the corner and if we search and squint, we might just make out a scrawled Monet. The placard of metadata placed on the wall next to the painting assures us that the painting is, in fact, a Monet. Similarly, the metadata behind a social media post can add context to content.

In the case of a social media post, frontside data is user-generated content, and often subject to ambiguity. Is that a picture of someone’s actual dinner or is that a stylized meal from a menu or an advertisement? Did a hacker really post vile things on an innocent user’s account, or is the user covering his tracks? The metadata can often clarify content-origin questions as it is not generated by the user but by the device and the app used to post.

What Metadata is created by Social Media Apps?

There’s a surprising amount of metadata created and archived by social media apps running on a mobile device, and the most concerning of which might just be geolocation data. Geotagging is the process of attaching location information to content. Thanks to technology advances, the accuracy of geolocating services is now in the region of fifteen feet for a smartphone with some sources claiming accuracy to within plus or minus a meter (3.28 feet). Other geolocation data includes elevation, distance, bearing, and the names of nearby places, in effect, placing the user on a map with impressive, or perhaps frightening, accuracy.

Geotagging metadata is ubiquitous in social media apps; so much so, that two Columbia University engineers were able to develop an algorithm which compares geotagged posts on Twitter with posts on either Instagram or Foursquare, to identify the owner of the accounts with a high degree of accuracy. One of the darker uses reported with respect to geolocation metadata is that it provides data that tech savvy criminals can use to create profiles of social media users to then physically stalk or commit home burglaries.

In addition to geotagging, social media app metadata can also include the type of device on which the post was created, as well as the operating system in use at the time. For an employer interested in the use of company owned mobile devices or the local law enforcement trying to trace the steps of a suspect, postings on social media which support the capture of device and operating system information is frequently valuable. In fact, in the novel case United States vs Brown et al.,(Case 0:11-cr-60285-CR-ROSENBAUM 2014),the US Government was ordered to respond to a request for cell phone metadata collected by the NSA that might have proven exculpatory of a defendant in a criminal case, in which the NSA was not a party.

If social media metadata can pinpoint location, device type, and operating system, is date and time information out of the question? It most certainly is not, and in fact, to ensure clarity, not only is time part of the usual metadata set, but time zones are often included, as well. Facebook, however, does allow the user to change a post’s date as part of its editing menu, although any editing of posts is recorded in the post’s history on-line.

Rounding out the metadata, social media apps may also include personal information input by the account holder (age, gender), unique identifiers, and subscription information including pages and causes followed by users. By compiling all the metadata, it’s easy to see a fairly complete picture of the user’s identity, location, the date and time, and the type of device used, making the information a valuable commodity.

Messaging apps, whether as add-ons to other social media apps or independent apps, harvest metadata not just from messages sent and received from that app, but can also gather data from mobile device contact directories and other messaging apps, including history. In practice, what users see is a messaging app asking if you’d like to import contacts from your phone, or, suggesting connections to other users of the same app based on entries in a contacts directory. If you enable the Calendar and Contacts settings under Facebook settings on an iPhone, your Facebook friends automatically populate your Contacts lists, which includes profile pictures as well as their email addresses and phone numbers (if the user made them public on Facebook). Birthdays and calendar appointments turn up in the iPhone Calendar app.  This data is synced with the phone, so any changes will be pushed out to the phone. If a contact “de-friends” the user, their information will disappear the next time the phone is connected. Conversely, if the Update All Contacts option is activated within the Facebook settings on the iPhone, Facebook information may be requested for a contact on the phone that may not be part of the user’s Facebook friends. If you’re someone who uses one device for both work and personal communication, this may be a concern.

Each social media app stores different metadata and the data stored may change over time. Additionally, smartphone forensics tools may not parse all the data. For example, within Chats, if you have the Facebook Messenger app downloaded, it will be rich with communication. However, other social media apps may not have communications parsed effectively by commercially available tools, so what you see may not be everything that actually exists. Reviewing applications on the smartphone is an important step in quality control of digital evidence. Additional custom parsing may need to be performed by a software engineer.

Special Considerations for Image Files

Metadata associated with image files often originates with the camera of the mobile device, tying metadata to the image from the moment of capture. This metadata again includes location, date, time, and device identifying information. Often, this data is uploaded to social media apps right along with the image file, a process many photographers have relied upon to protect their creator’s rights. In addition, images can be organized and searched based on their associated metadata. Most mainstream social media sites such as Twitter, Facebook, Instagram and Flickr strip all the metadata out of pictures uploaded. When in doubt, it’s good to perform testing and validate what data is being captured as the social media sites and apps are always morphing.

An Exchangeable Image File Format, known as EXIF, is a standard by which formats for images and sounds captured by electronic devices such as smartphones and digital camera are specified. EXIF metadata includes date and time information, camera settings including the camera model and make, and information that varies with each image such as ISO speed information, a thumbnail for previewing the picture, descriptions of the photo, and copyright information.

Reducing Your Metadata Footprint

If you’re concerned about how much metadata is being stored on social media apps, there are a few things you can do to reduce its generation:

  1. Don’t publish social media posts from a mobile device. If you’re inclined to do so, turn off location tracking and sharing in the device’s settings.
  2. Convert photos to .png files before posting, and upload to social media from a computer as it removes metadata.
  3. Connect to a Virtual Private Network (VPN) which protects privacy by masking the physical location of the devices connected. Be sure to check the VPN’s site for directions on how to ensure that all devices connected to the VPN are fully masked.
  4. Install an EXIF viewer to inspect and edit the metadata associated with photographs you wish to publish.
  5. Practice good device and network security habits by frequently deleting cookies, browsing history, and using encrypted messaging.
  6. Enlist the services of a reputable computer forensics service such as Digital Mountain to examine social media accounts and demonstrate what information is being collected in metadata.

Metadata, like so much of the data and technology with which we engage, has its positive and negative attributes. The key to keeping metadata on the right side is to understand its collection and use, so that we’re not inadvertently leaving tiny crumbs of electronic evidence without our knowledge. Metadata has positive attributes in validating authenticity, and hence, knowing we’re dealing with an original Monet and not a copy.

 

 

Julie Lewis, President, CEO and Founder of Digital Mountain, has over 20 years of experience working in the high technology industry and is a frequent speaker on electronic discovery, computer forensics and cybersecurity. After working on over 1,000 computer forensics and e-discovery cases for over a decade, Julie has provided us with  some simple tips for successful eDiscovery planning:

Continue Reading Ten Tips for Successful eDiscovery Planning

About a year ago I received an inquiry from a lawyer stating:

I’m researching whether the defendant can file a motion for a protective order after my motion to compel was already granted—I’m’ trying to find a case that precludes the protective order motion as a matter of law—res judicata perhaps?

This is a procedural issue and one that you need to be familiar with all the ins and outs of the Code of Civil Procedure as well as current case law because my answer is  “It depends

Continue Reading Can a Motion for Protective Order be Filed after the Court has Issued its Order?

A plaintiff counsel writes in asking for advice:

 “Today is July 7th.  Trial is July 31.  Discovery cut-off was July 1 and expert discovery closes on July 16th.  Well, my client sought additional treatment on June 25thwith a neck, back and spine specialist. The results of the visit were provided to me on June 26th and I immediately mailed the results to opposing counsel that day. Now opposing counsel is stating the discovery is after the cutoff and inadmissible and the doctor  can’t testify because expert disclosure has passed.   I’m really worried about whether I will be able to use the evidence and if so, how I will be able to use the evidence?”

Opposing counsel is blowing smoke at this young lawyer.

Continue Reading Opposing Counsel is Blowing Smoke

 

In this blog I have asked that lawyers write in if there was a topic they would like me to address.  I have received many requests over the years and the next couple of blogs will be responding to some of these requests.  Here is the first one.

“I noticed a few things regarding privilege logs. 1) litigators are not sending them. 2) my opposing counsel tends to argue that there is no obligation to prepare a privilege log unless it is demanded by the requesting party and I don’t think that’s right – I think it’s an affirmative duty arising when someone withholds documents under an objection – is that right?”

Continue Reading Aren’t I Entitled to a Privilege Log?

Effective January 1, 2013 and subject to certain exceptions, the duration of a witness deposition was limited to seven hours of total testimony. (CCP §2025.290(a).) The limitation brought the California statute consistent with existing federal law, which has a similar seven-hour rule. (See FRCP Rule 30(d)(1))

Continue Reading You Don’t Need Exceptional Circumstances to Get More Time to Take a Deposition

The purpose of discovery is to take the “game” element out of trial preparation by enabling the parties to obtain evidence necessary to evaluate and resolve their dispute before a trial is necessary.  Weil and Brown, Cal. Prac. Guide: Civil Procedure Before Trial (TRG 2018) ¶8:1 citing Greyhound Corp. v. Superior Court (1961) 55 C.2d. 335, 376.

Serving “[a]ppropriate written interrogatories are one of the means to accomplish the general goals of the discovery process designed to facilitate a fair trial.” (Juarez v. Boy Scouts of America, Inc. (2000) 81 CA4th 377, 389)

“Interrogatories expedite the resolution of lawsuits … [by detecting] sham claims and defenses … [and] may be employed to support a motion for summary judgment or a motion to specify those issues which are without substantial controversy.”  Deyo v. Kilbourne (1978) 84 CA3d 771, 779

Continue Reading Why You Need to Bring that Motion To Compel Further Responses to Interrogatories

In the case of Victalic Company v American Home Assurance Company the First District Court of Appeal made it very clear that denials to Requests for Admissions are inadmissible.   Here is the court’s reasoning starting at page 23 of the published opinion:

Gonsalves v. Li (2015) 232 Cal.App.4th 1406 (Gonsalves) involved an automobile accident. Plaintiff called defendant as an adverse witness and asked about his qualified denials of plaintiff’s RFAs that he was responsible for the accident. And in closing argument, plaintiff emphasized that the denials were evidence defendant refused to take responsibility for plaintiff’s injuries. (Id. at p. 1413.) The jury returned a verdict for plaintiff for $1,208,642.86. (Id. at p. 1411.) Our colleagues in Division Five reversed, holding it was error for the trial court to allow questions about RFAs.

Continue Reading Denials to Requests for Admissions are NOT Admissible

 

Have you ever wondered how the work product doctrine works when you hire a consultant who may or may not become your expert. Trial Attorney Lee Previant, from Los Angeles, wrote this great article titled “Attorney Work Product Doctrine And Experts for Advocate Magazine that explains how it all works.  Enjoy.

**************************************************************************************************

As any litigator is undoubtedly aware, expert witnesses are necessary whether to offer evidence required to meet your burden of proof or to offer evidence to combat attacks on causation.  Likewise, communications with your expert witnesses are necessary.  This includes communications to 1) retain the expert witness, 2) communications providing them with case specific materials so they may formulate their opinions, and 3) communications providing scientific, technical, professional texts, treatises, journals, or similar publications to assist the expert in forming their opinion.  In addition, an attorney may communicate with an expert for the sole purpose of obtaining advisory opinions.

An expert witness is defined as someone who has “special knowledge, skill, experience, training, or education sufficient to qualify him[/her] as an expert on the subject to which his[/her] testimony relates.”  (Evid. Code § 720.)

Continue Reading An Attorney’s Relationship with their Expert and the Work Product Doctrine

I received a comment about one of my blogs saying:

Many young(er) attorneys abuse discovery as a matter of course – as if they have been taught how to be obstructionists at law school. I also think newer attorneys do the scorched earth route to create more billing.  One dope sent me objections that were over 100 pages.

I have written many blogs regarding how to handle discovery abuse by opposing counsel.  These include filing motions to compel further responses, filing motions for protective orders and how to recover sanctions.

Continue Reading DO YOU KNOW WHAT YOUR OBLIGATIONS ARE IN RESPONDING TO WRITTEN DISCOVERY?